xref: /freebsd/sys/netinet/sctp_output.c (revision fa38579f317d5c2ff2926fab9b12ee6d429bd155) 
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
5  * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
6  * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions are met:
10  *
11  * a) Redistributions of source code must retain the above copyright notice,
12  *    this list of conditions and the following disclaimer.
13  *
14  * b) Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the distribution.
17  *
18  * c) Neither the name of Cisco Systems, Inc. nor the names of its
19  *    contributors may be used to endorse or promote products derived
20  *    from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
26  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
32  * THE POSSIBILITY OF SUCH DAMAGE.
33  */
34 
35 #include <netinet/sctp_os.h>
36 #include <sys/proc.h>
37 #include <netinet/sctp_var.h>
38 #include <netinet/sctp_sysctl.h>
39 #include <netinet/sctp_header.h>
40 #include <netinet/sctp_pcb.h>
41 #include <netinet/sctputil.h>
42 #include <netinet/sctp_output.h>
43 #include <netinet/sctp_uio.h>
44 #include <netinet/sctputil.h>
45 #include <netinet/sctp_auth.h>
46 #include <netinet/sctp_timer.h>
47 #include <netinet/sctp_asconf.h>
48 #include <netinet/sctp_indata.h>
49 #include <netinet/sctp_bsd_addr.h>
50 #include <netinet/sctp_input.h>
51 #include <netinet/sctp_crc32.h>
52 #include <netinet/sctp_kdtrace.h>
53 #if defined(INET) || defined(INET6)
54 #include <netinet/udp.h>
55 #endif
56 #include <netinet/udp_var.h>
57 #include <machine/in_cksum.h>
58 
59 #define SCTP_MAX_GAPS_INARRAY 4
60 struct sack_track {
61 	uint8_t right_edge;	/* mergable on the right edge */
62 	uint8_t left_edge;	/* mergable on the left edge */
63 	uint8_t num_entries;
64 	uint8_t spare;
65 	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
66 };
67 
68 const struct sack_track sack_array[256] = {
69 	{0, 0, 0, 0,		/* 0x00 */
70 		{{0, 0},
71 		{0, 0},
72 		{0, 0},
73 		{0, 0}
74 		}
75 	},
76 	{1, 0, 1, 0,		/* 0x01 */
77 		{{0, 0},
78 		{0, 0},
79 		{0, 0},
80 		{0, 0}
81 		}
82 	},
83 	{0, 0, 1, 0,		/* 0x02 */
84 		{{1, 1},
85 		{0, 0},
86 		{0, 0},
87 		{0, 0}
88 		}
89 	},
90 	{1, 0, 1, 0,		/* 0x03 */
91 		{{0, 1},
92 		{0, 0},
93 		{0, 0},
94 		{0, 0}
95 		}
96 	},
97 	{0, 0, 1, 0,		/* 0x04 */
98 		{{2, 2},
99 		{0, 0},
100 		{0, 0},
101 		{0, 0}
102 		}
103 	},
104 	{1, 0, 2, 0,		/* 0x05 */
105 		{{0, 0},
106 		{2, 2},
107 		{0, 0},
108 		{0, 0}
109 		}
110 	},
111 	{0, 0, 1, 0,		/* 0x06 */
112 		{{1, 2},
113 		{0, 0},
114 		{0, 0},
115 		{0, 0}
116 		}
117 	},
118 	{1, 0, 1, 0,		/* 0x07 */
119 		{{0, 2},
120 		{0, 0},
121 		{0, 0},
122 		{0, 0}
123 		}
124 	},
125 	{0, 0, 1, 0,		/* 0x08 */
126 		{{3, 3},
127 		{0, 0},
128 		{0, 0},
129 		{0, 0}
130 		}
131 	},
132 	{1, 0, 2, 0,		/* 0x09 */
133 		{{0, 0},
134 		{3, 3},
135 		{0, 0},
136 		{0, 0}
137 		}
138 	},
139 	{0, 0, 2, 0,		/* 0x0a */
140 		{{1, 1},
141 		{3, 3},
142 		{0, 0},
143 		{0, 0}
144 		}
145 	},
146 	{1, 0, 2, 0,		/* 0x0b */
147 		{{0, 1},
148 		{3, 3},
149 		{0, 0},
150 		{0, 0}
151 		}
152 	},
153 	{0, 0, 1, 0,		/* 0x0c */
154 		{{2, 3},
155 		{0, 0},
156 		{0, 0},
157 		{0, 0}
158 		}
159 	},
160 	{1, 0, 2, 0,		/* 0x0d */
161 		{{0, 0},
162 		{2, 3},
163 		{0, 0},
164 		{0, 0}
165 		}
166 	},
167 	{0, 0, 1, 0,		/* 0x0e */
168 		{{1, 3},
169 		{0, 0},
170 		{0, 0},
171 		{0, 0}
172 		}
173 	},
174 	{1, 0, 1, 0,		/* 0x0f */
175 		{{0, 3},
176 		{0, 0},
177 		{0, 0},
178 		{0, 0}
179 		}
180 	},
181 	{0, 0, 1, 0,		/* 0x10 */
182 		{{4, 4},
183 		{0, 0},
184 		{0, 0},
185 		{0, 0}
186 		}
187 	},
188 	{1, 0, 2, 0,		/* 0x11 */
189 		{{0, 0},
190 		{4, 4},
191 		{0, 0},
192 		{0, 0}
193 		}
194 	},
195 	{0, 0, 2, 0,		/* 0x12 */
196 		{{1, 1},
197 		{4, 4},
198 		{0, 0},
199 		{0, 0}
200 		}
201 	},
202 	{1, 0, 2, 0,		/* 0x13 */
203 		{{0, 1},
204 		{4, 4},
205 		{0, 0},
206 		{0, 0}
207 		}
208 	},
209 	{0, 0, 2, 0,		/* 0x14 */
210 		{{2, 2},
211 		{4, 4},
212 		{0, 0},
213 		{0, 0}
214 		}
215 	},
216 	{1, 0, 3, 0,		/* 0x15 */
217 		{{0, 0},
218 		{2, 2},
219 		{4, 4},
220 		{0, 0}
221 		}
222 	},
223 	{0, 0, 2, 0,		/* 0x16 */
224 		{{1, 2},
225 		{4, 4},
226 		{0, 0},
227 		{0, 0}
228 		}
229 	},
230 	{1, 0, 2, 0,		/* 0x17 */
231 		{{0, 2},
232 		{4, 4},
233 		{0, 0},
234 		{0, 0}
235 		}
236 	},
237 	{0, 0, 1, 0,		/* 0x18 */
238 		{{3, 4},
239 		{0, 0},
240 		{0, 0},
241 		{0, 0}
242 		}
243 	},
244 	{1, 0, 2, 0,		/* 0x19 */
245 		{{0, 0},
246 		{3, 4},
247 		{0, 0},
248 		{0, 0}
249 		}
250 	},
251 	{0, 0, 2, 0,		/* 0x1a */
252 		{{1, 1},
253 		{3, 4},
254 		{0, 0},
255 		{0, 0}
256 		}
257 	},
258 	{1, 0, 2, 0,		/* 0x1b */
259 		{{0, 1},
260 		{3, 4},
261 		{0, 0},
262 		{0, 0}
263 		}
264 	},
265 	{0, 0, 1, 0,		/* 0x1c */
266 		{{2, 4},
267 		{0, 0},
268 		{0, 0},
269 		{0, 0}
270 		}
271 	},
272 	{1, 0, 2, 0,		/* 0x1d */
273 		{{0, 0},
274 		{2, 4},
275 		{0, 0},
276 		{0, 0}
277 		}
278 	},
279 	{0, 0, 1, 0,		/* 0x1e */
280 		{{1, 4},
281 		{0, 0},
282 		{0, 0},
283 		{0, 0}
284 		}
285 	},
286 	{1, 0, 1, 0,		/* 0x1f */
287 		{{0, 4},
288 		{0, 0},
289 		{0, 0},
290 		{0, 0}
291 		}
292 	},
293 	{0, 0, 1, 0,		/* 0x20 */
294 		{{5, 5},
295 		{0, 0},
296 		{0, 0},
297 		{0, 0}
298 		}
299 	},
300 	{1, 0, 2, 0,		/* 0x21 */
301 		{{0, 0},
302 		{5, 5},
303 		{0, 0},
304 		{0, 0}
305 		}
306 	},
307 	{0, 0, 2, 0,		/* 0x22 */
308 		{{1, 1},
309 		{5, 5},
310 		{0, 0},
311 		{0, 0}
312 		}
313 	},
314 	{1, 0, 2, 0,		/* 0x23 */
315 		{{0, 1},
316 		{5, 5},
317 		{0, 0},
318 		{0, 0}
319 		}
320 	},
321 	{0, 0, 2, 0,		/* 0x24 */
322 		{{2, 2},
323 		{5, 5},
324 		{0, 0},
325 		{0, 0}
326 		}
327 	},
328 	{1, 0, 3, 0,		/* 0x25 */
329 		{{0, 0},
330 		{2, 2},
331 		{5, 5},
332 		{0, 0}
333 		}
334 	},
335 	{0, 0, 2, 0,		/* 0x26 */
336 		{{1, 2},
337 		{5, 5},
338 		{0, 0},
339 		{0, 0}
340 		}
341 	},
342 	{1, 0, 2, 0,		/* 0x27 */
343 		{{0, 2},
344 		{5, 5},
345 		{0, 0},
346 		{0, 0}
347 		}
348 	},
349 	{0, 0, 2, 0,		/* 0x28 */
350 		{{3, 3},
351 		{5, 5},
352 		{0, 0},
353 		{0, 0}
354 		}
355 	},
356 	{1, 0, 3, 0,		/* 0x29 */
357 		{{0, 0},
358 		{3, 3},
359 		{5, 5},
360 		{0, 0}
361 		}
362 	},
363 	{0, 0, 3, 0,		/* 0x2a */
364 		{{1, 1},
365 		{3, 3},
366 		{5, 5},
367 		{0, 0}
368 		}
369 	},
370 	{1, 0, 3, 0,		/* 0x2b */
371 		{{0, 1},
372 		{3, 3},
373 		{5, 5},
374 		{0, 0}
375 		}
376 	},
377 	{0, 0, 2, 0,		/* 0x2c */
378 		{{2, 3},
379 		{5, 5},
380 		{0, 0},
381 		{0, 0}
382 		}
383 	},
384 	{1, 0, 3, 0,		/* 0x2d */
385 		{{0, 0},
386 		{2, 3},
387 		{5, 5},
388 		{0, 0}
389 		}
390 	},
391 	{0, 0, 2, 0,		/* 0x2e */
392 		{{1, 3},
393 		{5, 5},
394 		{0, 0},
395 		{0, 0}
396 		}
397 	},
398 	{1, 0, 2, 0,		/* 0x2f */
399 		{{0, 3},
400 		{5, 5},
401 		{0, 0},
402 		{0, 0}
403 		}
404 	},
405 	{0, 0, 1, 0,		/* 0x30 */
406 		{{4, 5},
407 		{0, 0},
408 		{0, 0},
409 		{0, 0}
410 		}
411 	},
412 	{1, 0, 2, 0,		/* 0x31 */
413 		{{0, 0},
414 		{4, 5},
415 		{0, 0},
416 		{0, 0}
417 		}
418 	},
419 	{0, 0, 2, 0,		/* 0x32 */
420 		{{1, 1},
421 		{4, 5},
422 		{0, 0},
423 		{0, 0}
424 		}
425 	},
426 	{1, 0, 2, 0,		/* 0x33 */
427 		{{0, 1},
428 		{4, 5},
429 		{0, 0},
430 		{0, 0}
431 		}
432 	},
433 	{0, 0, 2, 0,		/* 0x34 */
434 		{{2, 2},
435 		{4, 5},
436 		{0, 0},
437 		{0, 0}
438 		}
439 	},
440 	{1, 0, 3, 0,		/* 0x35 */
441 		{{0, 0},
442 		{2, 2},
443 		{4, 5},
444 		{0, 0}
445 		}
446 	},
447 	{0, 0, 2, 0,		/* 0x36 */
448 		{{1, 2},
449 		{4, 5},
450 		{0, 0},
451 		{0, 0}
452 		}
453 	},
454 	{1, 0, 2, 0,		/* 0x37 */
455 		{{0, 2},
456 		{4, 5},
457 		{0, 0},
458 		{0, 0}
459 		}
460 	},
461 	{0, 0, 1, 0,		/* 0x38 */
462 		{{3, 5},
463 		{0, 0},
464 		{0, 0},
465 		{0, 0}
466 		}
467 	},
468 	{1, 0, 2, 0,		/* 0x39 */
469 		{{0, 0},
470 		{3, 5},
471 		{0, 0},
472 		{0, 0}
473 		}
474 	},
475 	{0, 0, 2, 0,		/* 0x3a */
476 		{{1, 1},
477 		{3, 5},
478 		{0, 0},
479 		{0, 0}
480 		}
481 	},
482 	{1, 0, 2, 0,		/* 0x3b */
483 		{{0, 1},
484 		{3, 5},
485 		{0, 0},
486 		{0, 0}
487 		}
488 	},
489 	{0, 0, 1, 0,		/* 0x3c */
490 		{{2, 5},
491 		{0, 0},
492 		{0, 0},
493 		{0, 0}
494 		}
495 	},
496 	{1, 0, 2, 0,		/* 0x3d */
497 		{{0, 0},
498 		{2, 5},
499 		{0, 0},
500 		{0, 0}
501 		}
502 	},
503 	{0, 0, 1, 0,		/* 0x3e */
504 		{{1, 5},
505 		{0, 0},
506 		{0, 0},
507 		{0, 0}
508 		}
509 	},
510 	{1, 0, 1, 0,		/* 0x3f */
511 		{{0, 5},
512 		{0, 0},
513 		{0, 0},
514 		{0, 0}
515 		}
516 	},
517 	{0, 0, 1, 0,		/* 0x40 */
518 		{{6, 6},
519 		{0, 0},
520 		{0, 0},
521 		{0, 0}
522 		}
523 	},
524 	{1, 0, 2, 0,		/* 0x41 */
525 		{{0, 0},
526 		{6, 6},
527 		{0, 0},
528 		{0, 0}
529 		}
530 	},
531 	{0, 0, 2, 0,		/* 0x42 */
532 		{{1, 1},
533 		{6, 6},
534 		{0, 0},
535 		{0, 0}
536 		}
537 	},
538 	{1, 0, 2, 0,		/* 0x43 */
539 		{{0, 1},
540 		{6, 6},
541 		{0, 0},
542 		{0, 0}
543 		}
544 	},
545 	{0, 0, 2, 0,		/* 0x44 */
546 		{{2, 2},
547 		{6, 6},
548 		{0, 0},
549 		{0, 0}
550 		}
551 	},
552 	{1, 0, 3, 0,		/* 0x45 */
553 		{{0, 0},
554 		{2, 2},
555 		{6, 6},
556 		{0, 0}
557 		}
558 	},
559 	{0, 0, 2, 0,		/* 0x46 */
560 		{{1, 2},
561 		{6, 6},
562 		{0, 0},
563 		{0, 0}
564 		}
565 	},
566 	{1, 0, 2, 0,		/* 0x47 */
567 		{{0, 2},
568 		{6, 6},
569 		{0, 0},
570 		{0, 0}
571 		}
572 	},
573 	{0, 0, 2, 0,		/* 0x48 */
574 		{{3, 3},
575 		{6, 6},
576 		{0, 0},
577 		{0, 0}
578 		}
579 	},
580 	{1, 0, 3, 0,		/* 0x49 */
581 		{{0, 0},
582 		{3, 3},
583 		{6, 6},
584 		{0, 0}
585 		}
586 	},
587 	{0, 0, 3, 0,		/* 0x4a */
588 		{{1, 1},
589 		{3, 3},
590 		{6, 6},
591 		{0, 0}
592 		}
593 	},
594 	{1, 0, 3, 0,		/* 0x4b */
595 		{{0, 1},
596 		{3, 3},
597 		{6, 6},
598 		{0, 0}
599 		}
600 	},
601 	{0, 0, 2, 0,		/* 0x4c */
602 		{{2, 3},
603 		{6, 6},
604 		{0, 0},
605 		{0, 0}
606 		}
607 	},
608 	{1, 0, 3, 0,		/* 0x4d */
609 		{{0, 0},
610 		{2, 3},
611 		{6, 6},
612 		{0, 0}
613 		}
614 	},
615 	{0, 0, 2, 0,		/* 0x4e */
616 		{{1, 3},
617 		{6, 6},
618 		{0, 0},
619 		{0, 0}
620 		}
621 	},
622 	{1, 0, 2, 0,		/* 0x4f */
623 		{{0, 3},
624 		{6, 6},
625 		{0, 0},
626 		{0, 0}
627 		}
628 	},
629 	{0, 0, 2, 0,		/* 0x50 */
630 		{{4, 4},
631 		{6, 6},
632 		{0, 0},
633 		{0, 0}
634 		}
635 	},
636 	{1, 0, 3, 0,		/* 0x51 */
637 		{{0, 0},
638 		{4, 4},
639 		{6, 6},
640 		{0, 0}
641 		}
642 	},
643 	{0, 0, 3, 0,		/* 0x52 */
644 		{{1, 1},
645 		{4, 4},
646 		{6, 6},
647 		{0, 0}
648 		}
649 	},
650 	{1, 0, 3, 0,		/* 0x53 */
651 		{{0, 1},
652 		{4, 4},
653 		{6, 6},
654 		{0, 0}
655 		}
656 	},
657 	{0, 0, 3, 0,		/* 0x54 */
658 		{{2, 2},
659 		{4, 4},
660 		{6, 6},
661 		{0, 0}
662 		}
663 	},
664 	{1, 0, 4, 0,		/* 0x55 */
665 		{{0, 0},
666 		{2, 2},
667 		{4, 4},
668 		{6, 6}
669 		}
670 	},
671 	{0, 0, 3, 0,		/* 0x56 */
672 		{{1, 2},
673 		{4, 4},
674 		{6, 6},
675 		{0, 0}
676 		}
677 	},
678 	{1, 0, 3, 0,		/* 0x57 */
679 		{{0, 2},
680 		{4, 4},
681 		{6, 6},
682 		{0, 0}
683 		}
684 	},
685 	{0, 0, 2, 0,		/* 0x58 */
686 		{{3, 4},
687 		{6, 6},
688 		{0, 0},
689 		{0, 0}
690 		}
691 	},
692 	{1, 0, 3, 0,		/* 0x59 */
693 		{{0, 0},
694 		{3, 4},
695 		{6, 6},
696 		{0, 0}
697 		}
698 	},
699 	{0, 0, 3, 0,		/* 0x5a */
700 		{{1, 1},
701 		{3, 4},
702 		{6, 6},
703 		{0, 0}
704 		}
705 	},
706 	{1, 0, 3, 0,		/* 0x5b */
707 		{{0, 1},
708 		{3, 4},
709 		{6, 6},
710 		{0, 0}
711 		}
712 	},
713 	{0, 0, 2, 0,		/* 0x5c */
714 		{{2, 4},
715 		{6, 6},
716 		{0, 0},
717 		{0, 0}
718 		}
719 	},
720 	{1, 0, 3, 0,		/* 0x5d */
721 		{{0, 0},
722 		{2, 4},
723 		{6, 6},
724 		{0, 0}
725 		}
726 	},
727 	{0, 0, 2, 0,		/* 0x5e */
728 		{{1, 4},
729 		{6, 6},
730 		{0, 0},
731 		{0, 0}
732 		}
733 	},
734 	{1, 0, 2, 0,		/* 0x5f */
735 		{{0, 4},
736 		{6, 6},
737 		{0, 0},
738 		{0, 0}
739 		}
740 	},
741 	{0, 0, 1, 0,		/* 0x60 */
742 		{{5, 6},
743 		{0, 0},
744 		{0, 0},
745 		{0, 0}
746 		}
747 	},
748 	{1, 0, 2, 0,		/* 0x61 */
749 		{{0, 0},
750 		{5, 6},
751 		{0, 0},
752 		{0, 0}
753 		}
754 	},
755 	{0, 0, 2, 0,		/* 0x62 */
756 		{{1, 1},
757 		{5, 6},
758 		{0, 0},
759 		{0, 0}
760 		}
761 	},
762 	{1, 0, 2, 0,		/* 0x63 */
763 		{{0, 1},
764 		{5, 6},
765 		{0, 0},
766 		{0, 0}
767 		}
768 	},
769 	{0, 0, 2, 0,		/* 0x64 */
770 		{{2, 2},
771 		{5, 6},
772 		{0, 0},
773 		{0, 0}
774 		}
775 	},
776 	{1, 0, 3, 0,		/* 0x65 */
777 		{{0, 0},
778 		{2, 2},
779 		{5, 6},
780 		{0, 0}
781 		}
782 	},
783 	{0, 0, 2, 0,		/* 0x66 */
784 		{{1, 2},
785 		{5, 6},
786 		{0, 0},
787 		{0, 0}
788 		}
789 	},
790 	{1, 0, 2, 0,		/* 0x67 */
791 		{{0, 2},
792 		{5, 6},
793 		{0, 0},
794 		{0, 0}
795 		}
796 	},
797 	{0, 0, 2, 0,		/* 0x68 */
798 		{{3, 3},
799 		{5, 6},
800 		{0, 0},
801 		{0, 0}
802 		}
803 	},
804 	{1, 0, 3, 0,		/* 0x69 */
805 		{{0, 0},
806 		{3, 3},
807 		{5, 6},
808 		{0, 0}
809 		}
810 	},
811 	{0, 0, 3, 0,		/* 0x6a */
812 		{{1, 1},
813 		{3, 3},
814 		{5, 6},
815 		{0, 0}
816 		}
817 	},
818 	{1, 0, 3, 0,		/* 0x6b */
819 		{{0, 1},
820 		{3, 3},
821 		{5, 6},
822 		{0, 0}
823 		}
824 	},
825 	{0, 0, 2, 0,		/* 0x6c */
826 		{{2, 3},
827 		{5, 6},
828 		{0, 0},
829 		{0, 0}
830 		}
831 	},
832 	{1, 0, 3, 0,		/* 0x6d */
833 		{{0, 0},
834 		{2, 3},
835 		{5, 6},
836 		{0, 0}
837 		}
838 	},
839 	{0, 0, 2, 0,		/* 0x6e */
840 		{{1, 3},
841 		{5, 6},
842 		{0, 0},
843 		{0, 0}
844 		}
845 	},
846 	{1, 0, 2, 0,		/* 0x6f */
847 		{{0, 3},
848 		{5, 6},
849 		{0, 0},
850 		{0, 0}
851 		}
852 	},
853 	{0, 0, 1, 0,		/* 0x70 */
854 		{{4, 6},
855 		{0, 0},
856 		{0, 0},
857 		{0, 0}
858 		}
859 	},
860 	{1, 0, 2, 0,		/* 0x71 */
861 		{{0, 0},
862 		{4, 6},
863 		{0, 0},
864 		{0, 0}
865 		}
866 	},
867 	{0, 0, 2, 0,		/* 0x72 */
868 		{{1, 1},
869 		{4, 6},
870 		{0, 0},
871 		{0, 0}
872 		}
873 	},
874 	{1, 0, 2, 0,		/* 0x73 */
875 		{{0, 1},
876 		{4, 6},
877 		{0, 0},
878 		{0, 0}
879 		}
880 	},
881 	{0, 0, 2, 0,		/* 0x74 */
882 		{{2, 2},
883 		{4, 6},
884 		{0, 0},
885 		{0, 0}
886 		}
887 	},
888 	{1, 0, 3, 0,		/* 0x75 */
889 		{{0, 0},
890 		{2, 2},
891 		{4, 6},
892 		{0, 0}
893 		}
894 	},
895 	{0, 0, 2, 0,		/* 0x76 */
896 		{{1, 2},
897 		{4, 6},
898 		{0, 0},
899 		{0, 0}
900 		}
901 	},
902 	{1, 0, 2, 0,		/* 0x77 */
903 		{{0, 2},
904 		{4, 6},
905 		{0, 0},
906 		{0, 0}
907 		}
908 	},
909 	{0, 0, 1, 0,		/* 0x78 */
910 		{{3, 6},
911 		{0, 0},
912 		{0, 0},
913 		{0, 0}
914 		}
915 	},
916 	{1, 0, 2, 0,		/* 0x79 */
917 		{{0, 0},
918 		{3, 6},
919 		{0, 0},
920 		{0, 0}
921 		}
922 	},
923 	{0, 0, 2, 0,		/* 0x7a */
924 		{{1, 1},
925 		{3, 6},
926 		{0, 0},
927 		{0, 0}
928 		}
929 	},
930 	{1, 0, 2, 0,		/* 0x7b */
931 		{{0, 1},
932 		{3, 6},
933 		{0, 0},
934 		{0, 0}
935 		}
936 	},
937 	{0, 0, 1, 0,		/* 0x7c */
938 		{{2, 6},
939 		{0, 0},
940 		{0, 0},
941 		{0, 0}
942 		}
943 	},
944 	{1, 0, 2, 0,		/* 0x7d */
945 		{{0, 0},
946 		{2, 6},
947 		{0, 0},
948 		{0, 0}
949 		}
950 	},
951 	{0, 0, 1, 0,		/* 0x7e */
952 		{{1, 6},
953 		{0, 0},
954 		{0, 0},
955 		{0, 0}
956 		}
957 	},
958 	{1, 0, 1, 0,		/* 0x7f */
959 		{{0, 6},
960 		{0, 0},
961 		{0, 0},
962 		{0, 0}
963 		}
964 	},
965 	{0, 1, 1, 0,		/* 0x80 */
966 		{{7, 7},
967 		{0, 0},
968 		{0, 0},
969 		{0, 0}
970 		}
971 	},
972 	{1, 1, 2, 0,		/* 0x81 */
973 		{{0, 0},
974 		{7, 7},
975 		{0, 0},
976 		{0, 0}
977 		}
978 	},
979 	{0, 1, 2, 0,		/* 0x82 */
980 		{{1, 1},
981 		{7, 7},
982 		{0, 0},
983 		{0, 0}
984 		}
985 	},
986 	{1, 1, 2, 0,		/* 0x83 */
987 		{{0, 1},
988 		{7, 7},
989 		{0, 0},
990 		{0, 0}
991 		}
992 	},
993 	{0, 1, 2, 0,		/* 0x84 */
994 		{{2, 2},
995 		{7, 7},
996 		{0, 0},
997 		{0, 0}
998 		}
999 	},
1000 	{1, 1, 3, 0,		/* 0x85 */
1001 		{{0, 0},
1002 		{2, 2},
1003 		{7, 7},
1004 		{0, 0}
1005 		}
1006 	},
1007 	{0, 1, 2, 0,		/* 0x86 */
1008 		{{1, 2},
1009 		{7, 7},
1010 		{0, 0},
1011 		{0, 0}
1012 		}
1013 	},
1014 	{1, 1, 2, 0,		/* 0x87 */
1015 		{{0, 2},
1016 		{7, 7},
1017 		{0, 0},
1018 		{0, 0}
1019 		}
1020 	},
1021 	{0, 1, 2, 0,		/* 0x88 */
1022 		{{3, 3},
1023 		{7, 7},
1024 		{0, 0},
1025 		{0, 0}
1026 		}
1027 	},
1028 	{1, 1, 3, 0,		/* 0x89 */
1029 		{{0, 0},
1030 		{3, 3},
1031 		{7, 7},
1032 		{0, 0}
1033 		}
1034 	},
1035 	{0, 1, 3, 0,		/* 0x8a */
1036 		{{1, 1},
1037 		{3, 3},
1038 		{7, 7},
1039 		{0, 0}
1040 		}
1041 	},
1042 	{1, 1, 3, 0,		/* 0x8b */
1043 		{{0, 1},
1044 		{3, 3},
1045 		{7, 7},
1046 		{0, 0}
1047 		}
1048 	},
1049 	{0, 1, 2, 0,		/* 0x8c */
1050 		{{2, 3},
1051 		{7, 7},
1052 		{0, 0},
1053 		{0, 0}
1054 		}
1055 	},
1056 	{1, 1, 3, 0,		/* 0x8d */
1057 		{{0, 0},
1058 		{2, 3},
1059 		{7, 7},
1060 		{0, 0}
1061 		}
1062 	},
1063 	{0, 1, 2, 0,		/* 0x8e */
1064 		{{1, 3},
1065 		{7, 7},
1066 		{0, 0},
1067 		{0, 0}
1068 		}
1069 	},
1070 	{1, 1, 2, 0,		/* 0x8f */
1071 		{{0, 3},
1072 		{7, 7},
1073 		{0, 0},
1074 		{0, 0}
1075 		}
1076 	},
1077 	{0, 1, 2, 0,		/* 0x90 */
1078 		{{4, 4},
1079 		{7, 7},
1080 		{0, 0},
1081 		{0, 0}
1082 		}
1083 	},
1084 	{1, 1, 3, 0,		/* 0x91 */
1085 		{{0, 0},
1086 		{4, 4},
1087 		{7, 7},
1088 		{0, 0}
1089 		}
1090 	},
1091 	{0, 1, 3, 0,		/* 0x92 */
1092 		{{1, 1},
1093 		{4, 4},
1094 		{7, 7},
1095 		{0, 0}
1096 		}
1097 	},
1098 	{1, 1, 3, 0,		/* 0x93 */
1099 		{{0, 1},
1100 		{4, 4},
1101 		{7, 7},
1102 		{0, 0}
1103 		}
1104 	},
1105 	{0, 1, 3, 0,		/* 0x94 */
1106 		{{2, 2},
1107 		{4, 4},
1108 		{7, 7},
1109 		{0, 0}
1110 		}
1111 	},
1112 	{1, 1, 4, 0,		/* 0x95 */
1113 		{{0, 0},
1114 		{2, 2},
1115 		{4, 4},
1116 		{7, 7}
1117 		}
1118 	},
1119 	{0, 1, 3, 0,		/* 0x96 */
1120 		{{1, 2},
1121 		{4, 4},
1122 		{7, 7},
1123 		{0, 0}
1124 		}
1125 	},
1126 	{1, 1, 3, 0,		/* 0x97 */
1127 		{{0, 2},
1128 		{4, 4},
1129 		{7, 7},
1130 		{0, 0}
1131 		}
1132 	},
1133 	{0, 1, 2, 0,		/* 0x98 */
1134 		{{3, 4},
1135 		{7, 7},
1136 		{0, 0},
1137 		{0, 0}
1138 		}
1139 	},
1140 	{1, 1, 3, 0,		/* 0x99 */
1141 		{{0, 0},
1142 		{3, 4},
1143 		{7, 7},
1144 		{0, 0}
1145 		}
1146 	},
1147 	{0, 1, 3, 0,		/* 0x9a */
1148 		{{1, 1},
1149 		{3, 4},
1150 		{7, 7},
1151 		{0, 0}
1152 		}
1153 	},
1154 	{1, 1, 3, 0,		/* 0x9b */
1155 		{{0, 1},
1156 		{3, 4},
1157 		{7, 7},
1158 		{0, 0}
1159 		}
1160 	},
1161 	{0, 1, 2, 0,		/* 0x9c */
1162 		{{2, 4},
1163 		{7, 7},
1164 		{0, 0},
1165 		{0, 0}
1166 		}
1167 	},
1168 	{1, 1, 3, 0,		/* 0x9d */
1169 		{{0, 0},
1170 		{2, 4},
1171 		{7, 7},
1172 		{0, 0}
1173 		}
1174 	},
1175 	{0, 1, 2, 0,		/* 0x9e */
1176 		{{1, 4},
1177 		{7, 7},
1178 		{0, 0},
1179 		{0, 0}
1180 		}
1181 	},
1182 	{1, 1, 2, 0,		/* 0x9f */
1183 		{{0, 4},
1184 		{7, 7},
1185 		{0, 0},
1186 		{0, 0}
1187 		}
1188 	},
1189 	{0, 1, 2, 0,		/* 0xa0 */
1190 		{{5, 5},
1191 		{7, 7},
1192 		{0, 0},
1193 		{0, 0}
1194 		}
1195 	},
1196 	{1, 1, 3, 0,		/* 0xa1 */
1197 		{{0, 0},
1198 		{5, 5},
1199 		{7, 7},
1200 		{0, 0}
1201 		}
1202 	},
1203 	{0, 1, 3, 0,		/* 0xa2 */
1204 		{{1, 1},
1205 		{5, 5},
1206 		{7, 7},
1207 		{0, 0}
1208 		}
1209 	},
1210 	{1, 1, 3, 0,		/* 0xa3 */
1211 		{{0, 1},
1212 		{5, 5},
1213 		{7, 7},
1214 		{0, 0}
1215 		}
1216 	},
1217 	{0, 1, 3, 0,		/* 0xa4 */
1218 		{{2, 2},
1219 		{5, 5},
1220 		{7, 7},
1221 		{0, 0}
1222 		}
1223 	},
1224 	{1, 1, 4, 0,		/* 0xa5 */
1225 		{{0, 0},
1226 		{2, 2},
1227 		{5, 5},
1228 		{7, 7}
1229 		}
1230 	},
1231 	{0, 1, 3, 0,		/* 0xa6 */
1232 		{{1, 2},
1233 		{5, 5},
1234 		{7, 7},
1235 		{0, 0}
1236 		}
1237 	},
1238 	{1, 1, 3, 0,		/* 0xa7 */
1239 		{{0, 2},
1240 		{5, 5},
1241 		{7, 7},
1242 		{0, 0}
1243 		}
1244 	},
1245 	{0, 1, 3, 0,		/* 0xa8 */
1246 		{{3, 3},
1247 		{5, 5},
1248 		{7, 7},
1249 		{0, 0}
1250 		}
1251 	},
1252 	{1, 1, 4, 0,		/* 0xa9 */
1253 		{{0, 0},
1254 		{3, 3},
1255 		{5, 5},
1256 		{7, 7}
1257 		}
1258 	},
1259 	{0, 1, 4, 0,		/* 0xaa */
1260 		{{1, 1},
1261 		{3, 3},
1262 		{5, 5},
1263 		{7, 7}
1264 		}
1265 	},
1266 	{1, 1, 4, 0,		/* 0xab */
1267 		{{0, 1},
1268 		{3, 3},
1269 		{5, 5},
1270 		{7, 7}
1271 		}
1272 	},
1273 	{0, 1, 3, 0,		/* 0xac */
1274 		{{2, 3},
1275 		{5, 5},
1276 		{7, 7},
1277 		{0, 0}
1278 		}
1279 	},
1280 	{1, 1, 4, 0,		/* 0xad */
1281 		{{0, 0},
1282 		{2, 3},
1283 		{5, 5},
1284 		{7, 7}
1285 		}
1286 	},
1287 	{0, 1, 3, 0,		/* 0xae */
1288 		{{1, 3},
1289 		{5, 5},
1290 		{7, 7},
1291 		{0, 0}
1292 		}
1293 	},
1294 	{1, 1, 3, 0,		/* 0xaf */
1295 		{{0, 3},
1296 		{5, 5},
1297 		{7, 7},
1298 		{0, 0}
1299 		}
1300 	},
1301 	{0, 1, 2, 0,		/* 0xb0 */
1302 		{{4, 5},
1303 		{7, 7},
1304 		{0, 0},
1305 		{0, 0}
1306 		}
1307 	},
1308 	{1, 1, 3, 0,		/* 0xb1 */
1309 		{{0, 0},
1310 		{4, 5},
1311 		{7, 7},
1312 		{0, 0}
1313 		}
1314 	},
1315 	{0, 1, 3, 0,		/* 0xb2 */
1316 		{{1, 1},
1317 		{4, 5},
1318 		{7, 7},
1319 		{0, 0}
1320 		}
1321 	},
1322 	{1, 1, 3, 0,		/* 0xb3 */
1323 		{{0, 1},
1324 		{4, 5},
1325 		{7, 7},
1326 		{0, 0}
1327 		}
1328 	},
1329 	{0, 1, 3, 0,		/* 0xb4 */
1330 		{{2, 2},
1331 		{4, 5},
1332 		{7, 7},
1333 		{0, 0}
1334 		}
1335 	},
1336 	{1, 1, 4, 0,		/* 0xb5 */
1337 		{{0, 0},
1338 		{2, 2},
1339 		{4, 5},
1340 		{7, 7}
1341 		}
1342 	},
1343 	{0, 1, 3, 0,		/* 0xb6 */
1344 		{{1, 2},
1345 		{4, 5},
1346 		{7, 7},
1347 		{0, 0}
1348 		}
1349 	},
1350 	{1, 1, 3, 0,		/* 0xb7 */
1351 		{{0, 2},
1352 		{4, 5},
1353 		{7, 7},
1354 		{0, 0}
1355 		}
1356 	},
1357 	{0, 1, 2, 0,		/* 0xb8 */
1358 		{{3, 5},
1359 		{7, 7},
1360 		{0, 0},
1361 		{0, 0}
1362 		}
1363 	},
1364 	{1, 1, 3, 0,		/* 0xb9 */
1365 		{{0, 0},
1366 		{3, 5},
1367 		{7, 7},
1368 		{0, 0}
1369 		}
1370 	},
1371 	{0, 1, 3, 0,		/* 0xba */
1372 		{{1, 1},
1373 		{3, 5},
1374 		{7, 7},
1375 		{0, 0}
1376 		}
1377 	},
1378 	{1, 1, 3, 0,		/* 0xbb */
1379 		{{0, 1},
1380 		{3, 5},
1381 		{7, 7},
1382 		{0, 0}
1383 		}
1384 	},
1385 	{0, 1, 2, 0,		/* 0xbc */
1386 		{{2, 5},
1387 		{7, 7},
1388 		{0, 0},
1389 		{0, 0}
1390 		}
1391 	},
1392 	{1, 1, 3, 0,		/* 0xbd */
1393 		{{0, 0},
1394 		{2, 5},
1395 		{7, 7},
1396 		{0, 0}
1397 		}
1398 	},
1399 	{0, 1, 2, 0,		/* 0xbe */
1400 		{{1, 5},
1401 		{7, 7},
1402 		{0, 0},
1403 		{0, 0}
1404 		}
1405 	},
1406 	{1, 1, 2, 0,		/* 0xbf */
1407 		{{0, 5},
1408 		{7, 7},
1409 		{0, 0},
1410 		{0, 0}
1411 		}
1412 	},
1413 	{0, 1, 1, 0,		/* 0xc0 */
1414 		{{6, 7},
1415 		{0, 0},
1416 		{0, 0},
1417 		{0, 0}
1418 		}
1419 	},
1420 	{1, 1, 2, 0,		/* 0xc1 */
1421 		{{0, 0},
1422 		{6, 7},
1423 		{0, 0},
1424 		{0, 0}
1425 		}
1426 	},
1427 	{0, 1, 2, 0,		/* 0xc2 */
1428 		{{1, 1},
1429 		{6, 7},
1430 		{0, 0},
1431 		{0, 0}
1432 		}
1433 	},
1434 	{1, 1, 2, 0,		/* 0xc3 */
1435 		{{0, 1},
1436 		{6, 7},
1437 		{0, 0},
1438 		{0, 0}
1439 		}
1440 	},
1441 	{0, 1, 2, 0,		/* 0xc4 */
1442 		{{2, 2},
1443 		{6, 7},
1444 		{0, 0},
1445 		{0, 0}
1446 		}
1447 	},
1448 	{1, 1, 3, 0,		/* 0xc5 */
1449 		{{0, 0},
1450 		{2, 2},
1451 		{6, 7},
1452 		{0, 0}
1453 		}
1454 	},
1455 	{0, 1, 2, 0,		/* 0xc6 */
1456 		{{1, 2},
1457 		{6, 7},
1458 		{0, 0},
1459 		{0, 0}
1460 		}
1461 	},
1462 	{1, 1, 2, 0,		/* 0xc7 */
1463 		{{0, 2},
1464 		{6, 7},
1465 		{0, 0},
1466 		{0, 0}
1467 		}
1468 	},
1469 	{0, 1, 2, 0,		/* 0xc8 */
1470 		{{3, 3},
1471 		{6, 7},
1472 		{0, 0},
1473 		{0, 0}
1474 		}
1475 	},
1476 	{1, 1, 3, 0,		/* 0xc9 */
1477 		{{0, 0},
1478 		{3, 3},
1479 		{6, 7},
1480 		{0, 0}
1481 		}
1482 	},
1483 	{0, 1, 3, 0,		/* 0xca */
1484 		{{1, 1},
1485 		{3, 3},
1486 		{6, 7},
1487 		{0, 0}
1488 		}
1489 	},
1490 	{1, 1, 3, 0,		/* 0xcb */
1491 		{{0, 1},
1492 		{3, 3},
1493 		{6, 7},
1494 		{0, 0}
1495 		}
1496 	},
1497 	{0, 1, 2, 0,		/* 0xcc */
1498 		{{2, 3},
1499 		{6, 7},
1500 		{0, 0},
1501 		{0, 0}
1502 		}
1503 	},
1504 	{1, 1, 3, 0,		/* 0xcd */
1505 		{{0, 0},
1506 		{2, 3},
1507 		{6, 7},
1508 		{0, 0}
1509 		}
1510 	},
1511 	{0, 1, 2, 0,		/* 0xce */
1512 		{{1, 3},
1513 		{6, 7},
1514 		{0, 0},
1515 		{0, 0}
1516 		}
1517 	},
1518 	{1, 1, 2, 0,		/* 0xcf */
1519 		{{0, 3},
1520 		{6, 7},
1521 		{0, 0},
1522 		{0, 0}
1523 		}
1524 	},
1525 	{0, 1, 2, 0,		/* 0xd0 */
1526 		{{4, 4},
1527 		{6, 7},
1528 		{0, 0},
1529 		{0, 0}
1530 		}
1531 	},
1532 	{1, 1, 3, 0,		/* 0xd1 */
1533 		{{0, 0},
1534 		{4, 4},
1535 		{6, 7},
1536 		{0, 0}
1537 		}
1538 	},
1539 	{0, 1, 3, 0,		/* 0xd2 */
1540 		{{1, 1},
1541 		{4, 4},
1542 		{6, 7},
1543 		{0, 0}
1544 		}
1545 	},
1546 	{1, 1, 3, 0,		/* 0xd3 */
1547 		{{0, 1},
1548 		{4, 4},
1549 		{6, 7},
1550 		{0, 0}
1551 		}
1552 	},
1553 	{0, 1, 3, 0,		/* 0xd4 */
1554 		{{2, 2},
1555 		{4, 4},
1556 		{6, 7},
1557 		{0, 0}
1558 		}
1559 	},
1560 	{1, 1, 4, 0,		/* 0xd5 */
1561 		{{0, 0},
1562 		{2, 2},
1563 		{4, 4},
1564 		{6, 7}
1565 		}
1566 	},
1567 	{0, 1, 3, 0,		/* 0xd6 */
1568 		{{1, 2},
1569 		{4, 4},
1570 		{6, 7},
1571 		{0, 0}
1572 		}
1573 	},
1574 	{1, 1, 3, 0,		/* 0xd7 */
1575 		{{0, 2},
1576 		{4, 4},
1577 		{6, 7},
1578 		{0, 0}
1579 		}
1580 	},
1581 	{0, 1, 2, 0,		/* 0xd8 */
1582 		{{3, 4},
1583 		{6, 7},
1584 		{0, 0},
1585 		{0, 0}
1586 		}
1587 	},
1588 	{1, 1, 3, 0,		/* 0xd9 */
1589 		{{0, 0},
1590 		{3, 4},
1591 		{6, 7},
1592 		{0, 0}
1593 		}
1594 	},
1595 	{0, 1, 3, 0,		/* 0xda */
1596 		{{1, 1},
1597 		{3, 4},
1598 		{6, 7},
1599 		{0, 0}
1600 		}
1601 	},
1602 	{1, 1, 3, 0,		/* 0xdb */
1603 		{{0, 1},
1604 		{3, 4},
1605 		{6, 7},
1606 		{0, 0}
1607 		}
1608 	},
1609 	{0, 1, 2, 0,		/* 0xdc */
1610 		{{2, 4},
1611 		{6, 7},
1612 		{0, 0},
1613 		{0, 0}
1614 		}
1615 	},
1616 	{1, 1, 3, 0,		/* 0xdd */
1617 		{{0, 0},
1618 		{2, 4},
1619 		{6, 7},
1620 		{0, 0}
1621 		}
1622 	},
1623 	{0, 1, 2, 0,		/* 0xde */
1624 		{{1, 4},
1625 		{6, 7},
1626 		{0, 0},
1627 		{0, 0}
1628 		}
1629 	},
1630 	{1, 1, 2, 0,		/* 0xdf */
1631 		{{0, 4},
1632 		{6, 7},
1633 		{0, 0},
1634 		{0, 0}
1635 		}
1636 	},
1637 	{0, 1, 1, 0,		/* 0xe0 */
1638 		{{5, 7},
1639 		{0, 0},
1640 		{0, 0},
1641 		{0, 0}
1642 		}
1643 	},
1644 	{1, 1, 2, 0,		/* 0xe1 */
1645 		{{0, 0},
1646 		{5, 7},
1647 		{0, 0},
1648 		{0, 0}
1649 		}
1650 	},
1651 	{0, 1, 2, 0,		/* 0xe2 */
1652 		{{1, 1},
1653 		{5, 7},
1654 		{0, 0},
1655 		{0, 0}
1656 		}
1657 	},
1658 	{1, 1, 2, 0,		/* 0xe3 */
1659 		{{0, 1},
1660 		{5, 7},
1661 		{0, 0},
1662 		{0, 0}
1663 		}
1664 	},
1665 	{0, 1, 2, 0,		/* 0xe4 */
1666 		{{2, 2},
1667 		{5, 7},
1668 		{0, 0},
1669 		{0, 0}
1670 		}
1671 	},
1672 	{1, 1, 3, 0,		/* 0xe5 */
1673 		{{0, 0},
1674 		{2, 2},
1675 		{5, 7},
1676 		{0, 0}
1677 		}
1678 	},
1679 	{0, 1, 2, 0,		/* 0xe6 */
1680 		{{1, 2},
1681 		{5, 7},
1682 		{0, 0},
1683 		{0, 0}
1684 		}
1685 	},
1686 	{1, 1, 2, 0,		/* 0xe7 */
1687 		{{0, 2},
1688 		{5, 7},
1689 		{0, 0},
1690 		{0, 0}
1691 		}
1692 	},
1693 	{0, 1, 2, 0,		/* 0xe8 */
1694 		{{3, 3},
1695 		{5, 7},
1696 		{0, 0},
1697 		{0, 0}
1698 		}
1699 	},
1700 	{1, 1, 3, 0,		/* 0xe9 */
1701 		{{0, 0},
1702 		{3, 3},
1703 		{5, 7},
1704 		{0, 0}
1705 		}
1706 	},
1707 	{0, 1, 3, 0,		/* 0xea */
1708 		{{1, 1},
1709 		{3, 3},
1710 		{5, 7},
1711 		{0, 0}
1712 		}
1713 	},
1714 	{1, 1, 3, 0,		/* 0xeb */
1715 		{{0, 1},
1716 		{3, 3},
1717 		{5, 7},
1718 		{0, 0}
1719 		}
1720 	},
1721 	{0, 1, 2, 0,		/* 0xec */
1722 		{{2, 3},
1723 		{5, 7},
1724 		{0, 0},
1725 		{0, 0}
1726 		}
1727 	},
1728 	{1, 1, 3, 0,		/* 0xed */
1729 		{{0, 0},
1730 		{2, 3},
1731 		{5, 7},
1732 		{0, 0}
1733 		}
1734 	},
1735 	{0, 1, 2, 0,		/* 0xee */
1736 		{{1, 3},
1737 		{5, 7},
1738 		{0, 0},
1739 		{0, 0}
1740 		}
1741 	},
1742 	{1, 1, 2, 0,		/* 0xef */
1743 		{{0, 3},
1744 		{5, 7},
1745 		{0, 0},
1746 		{0, 0}
1747 		}
1748 	},
1749 	{0, 1, 1, 0,		/* 0xf0 */
1750 		{{4, 7},
1751 		{0, 0},
1752 		{0, 0},
1753 		{0, 0}
1754 		}
1755 	},
1756 	{1, 1, 2, 0,		/* 0xf1 */
1757 		{{0, 0},
1758 		{4, 7},
1759 		{0, 0},
1760 		{0, 0}
1761 		}
1762 	},
1763 	{0, 1, 2, 0,		/* 0xf2 */
1764 		{{1, 1},
1765 		{4, 7},
1766 		{0, 0},
1767 		{0, 0}
1768 		}
1769 	},
1770 	{1, 1, 2, 0,		/* 0xf3 */
1771 		{{0, 1},
1772 		{4, 7},
1773 		{0, 0},
1774 		{0, 0}
1775 		}
1776 	},
1777 	{0, 1, 2, 0,		/* 0xf4 */
1778 		{{2, 2},
1779 		{4, 7},
1780 		{0, 0},
1781 		{0, 0}
1782 		}
1783 	},
1784 	{1, 1, 3, 0,		/* 0xf5 */
1785 		{{0, 0},
1786 		{2, 2},
1787 		{4, 7},
1788 		{0, 0}
1789 		}
1790 	},
1791 	{0, 1, 2, 0,		/* 0xf6 */
1792 		{{1, 2},
1793 		{4, 7},
1794 		{0, 0},
1795 		{0, 0}
1796 		}
1797 	},
1798 	{1, 1, 2, 0,		/* 0xf7 */
1799 		{{0, 2},
1800 		{4, 7},
1801 		{0, 0},
1802 		{0, 0}
1803 		}
1804 	},
1805 	{0, 1, 1, 0,		/* 0xf8 */
1806 		{{3, 7},
1807 		{0, 0},
1808 		{0, 0},
1809 		{0, 0}
1810 		}
1811 	},
1812 	{1, 1, 2, 0,		/* 0xf9 */
1813 		{{0, 0},
1814 		{3, 7},
1815 		{0, 0},
1816 		{0, 0}
1817 		}
1818 	},
1819 	{0, 1, 2, 0,		/* 0xfa */
1820 		{{1, 1},
1821 		{3, 7},
1822 		{0, 0},
1823 		{0, 0}
1824 		}
1825 	},
1826 	{1, 1, 2, 0,		/* 0xfb */
1827 		{{0, 1},
1828 		{3, 7},
1829 		{0, 0},
1830 		{0, 0}
1831 		}
1832 	},
1833 	{0, 1, 1, 0,		/* 0xfc */
1834 		{{2, 7},
1835 		{0, 0},
1836 		{0, 0},
1837 		{0, 0}
1838 		}
1839 	},
1840 	{1, 1, 2, 0,		/* 0xfd */
1841 		{{0, 0},
1842 		{2, 7},
1843 		{0, 0},
1844 		{0, 0}
1845 		}
1846 	},
1847 	{0, 1, 1, 0,		/* 0xfe */
1848 		{{1, 7},
1849 		{0, 0},
1850 		{0, 0},
1851 		{0, 0}
1852 		}
1853 	},
1854 	{1, 1, 1, 0,		/* 0xff */
1855 		{{0, 7},
1856 		{0, 0},
1857 		{0, 0},
1858 		{0, 0}
1859 		}
1860 	}
1861 };
1862 
1863 int
1864 sctp_is_address_in_scope(struct sctp_ifa *ifa,
1865     struct sctp_scoping *scope,
1866     int do_update)
1867 {
1868 	if ((scope->loopback_scope == 0) &&
1869 	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
1870 		/*
1871 		 * skip loopback if not in scope *
1872 		 */
1873 		return (0);
1874 	}
1875 	switch (ifa->address.sa.sa_family) {
1876 #ifdef INET
1877 	case AF_INET:
1878 		if (scope->ipv4_addr_legal) {
1879 			struct sockaddr_in *sin;
1880 
1881 			sin = &ifa->address.sin;
1882 			if (sin->sin_addr.s_addr == 0) {
1883 				/* not in scope , unspecified */
1884 				return (0);
1885 			}
1886 			if ((scope->ipv4_local_scope == 0) &&
1887 			    (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
1888 				/* private address not in scope */
1889 				return (0);
1890 			}
1891 		} else {
1892 			return (0);
1893 		}
1894 		break;
1895 #endif
1896 #ifdef INET6
1897 	case AF_INET6:
1898 		if (scope->ipv6_addr_legal) {
1899 			struct sockaddr_in6 *sin6;
1900 
1901 			/*
1902 			 * Must update the flags,  bummer, which means any
1903 			 * IFA locks must now be applied HERE <->
1904 			 */
1905 			if (do_update) {
1906 				sctp_gather_internal_ifa_flags(ifa);
1907 			}
1908 			if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
1909 				return (0);
1910 			}
1911 			/* ok to use deprecated addresses? */
1912 			sin6 = &ifa->address.sin6;
1913 			if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1914 				/* skip unspecified addresses */
1915 				return (0);
1916 			}
1917 			if (	/* (local_scope == 0) && */
1918 			    (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))) {
1919 				return (0);
1920 			}
1921 			if ((scope->site_scope == 0) &&
1922 			    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1923 				return (0);
1924 			}
1925 		} else {
1926 			return (0);
1927 		}
1928 		break;
1929 #endif
1930 	default:
1931 		return (0);
1932 	}
1933 	return (1);
1934 }
1935 
1936 static struct mbuf *
1937 sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len)
1938 {
1939 #if defined(INET) || defined(INET6)
1940 	struct sctp_paramhdr *paramh;
1941 	struct mbuf *mret;
1942 	uint16_t plen;
1943 #endif
1944 
1945 	switch (ifa->address.sa.sa_family) {
1946 #ifdef INET
1947 	case AF_INET:
1948 		plen = (uint16_t)sizeof(struct sctp_ipv4addr_param);
1949 		break;
1950 #endif
1951 #ifdef INET6
1952 	case AF_INET6:
1953 		plen = (uint16_t)sizeof(struct sctp_ipv6addr_param);
1954 		break;
1955 #endif
1956 	default:
1957 		return (m);
1958 	}
1959 #if defined(INET) || defined(INET6)
1960 	if (M_TRAILINGSPACE(m) >= plen) {
1961 		/* easy side we just drop it on the end */
1962 		paramh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
1963 		mret = m;
1964 	} else {
1965 		/* Need more space */
1966 		mret = m;
1967 		while (SCTP_BUF_NEXT(mret) != NULL) {
1968 			mret = SCTP_BUF_NEXT(mret);
1969 		}
1970 		SCTP_BUF_NEXT(mret) = sctp_get_mbuf_for_msg(plen, 0, M_NOWAIT, 1, MT_DATA);
1971 		if (SCTP_BUF_NEXT(mret) == NULL) {
1972 			/* We are hosed, can't add more addresses */
1973 			return (m);
1974 		}
1975 		mret = SCTP_BUF_NEXT(mret);
1976 		paramh = mtod(mret, struct sctp_paramhdr *);
1977 	}
1978 	/* now add the parameter */
1979 	switch (ifa->address.sa.sa_family) {
1980 #ifdef INET
1981 	case AF_INET:
1982 		{
1983 			struct sctp_ipv4addr_param *ipv4p;
1984 			struct sockaddr_in *sin;
1985 
1986 			sin = &ifa->address.sin;
1987 			ipv4p = (struct sctp_ipv4addr_param *)paramh;
1988 			paramh->param_type = htons(SCTP_IPV4_ADDRESS);
1989 			paramh->param_length = htons(plen);
1990 			ipv4p->addr = sin->sin_addr.s_addr;
1991 			SCTP_BUF_LEN(mret) += plen;
1992 			break;
1993 		}
1994 #endif
1995 #ifdef INET6
1996 	case AF_INET6:
1997 		{
1998 			struct sctp_ipv6addr_param *ipv6p;
1999 			struct sockaddr_in6 *sin6;
2000 
2001 			sin6 = &ifa->address.sin6;
2002 			ipv6p = (struct sctp_ipv6addr_param *)paramh;
2003 			paramh->param_type = htons(SCTP_IPV6_ADDRESS);
2004 			paramh->param_length = htons(plen);
2005 			memcpy(ipv6p->addr, &sin6->sin6_addr,
2006 			    sizeof(ipv6p->addr));
2007 			/* clear embedded scope in the address */
2008 			in6_clearscope((struct in6_addr *)ipv6p->addr);
2009 			SCTP_BUF_LEN(mret) += plen;
2010 			break;
2011 		}
2012 #endif
2013 	default:
2014 		return (m);
2015 	}
2016 	if (len != NULL) {
2017 		*len += plen;
2018 	}
2019 	return (mret);
2020 #endif
2021 }
2022 
2023 struct mbuf *
2024 sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2025     struct sctp_scoping *scope,
2026     struct mbuf *m_at, int cnt_inits_to,
2027     uint16_t *padding_len, uint16_t *chunk_len)
2028 {
2029 	struct sctp_vrf *vrf = NULL;
2030 	int cnt, limit_out = 0, total_count;
2031 	uint32_t vrf_id;
2032 
2033 	vrf_id = inp->def_vrf_id;
2034 	SCTP_IPI_ADDR_RLOCK();
2035 	vrf = sctp_find_vrf(vrf_id);
2036 	if (vrf == NULL) {
2037 		SCTP_IPI_ADDR_RUNLOCK();
2038 		return (m_at);
2039 	}
2040 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
2041 		struct sctp_ifa *sctp_ifap;
2042 		struct sctp_ifn *sctp_ifnp;
2043 
2044 		cnt = cnt_inits_to;
2045 		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
2046 			limit_out = 1;
2047 			cnt = SCTP_ADDRESS_LIMIT;
2048 			goto skip_count;
2049 		}
2050 		LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2051 			if ((scope->loopback_scope == 0) &&
2052 			    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2053 				/*
2054 				 * Skip loopback devices if loopback_scope
2055 				 * not set
2056 				 */
2057 				continue;
2058 			}
2059 			LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2060 #ifdef INET
2061 				if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2062 				    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2063 				    &sctp_ifap->address.sin.sin_addr) != 0)) {
2064 					continue;
2065 				}
2066 #endif
2067 #ifdef INET6
2068 				if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2069 				    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2070 				    &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2071 					continue;
2072 				}
2073 #endif
2074 				if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2075 					continue;
2076 				}
2077 				if (sctp_is_address_in_scope(sctp_ifap, scope, 1) == 0) {
2078 					continue;
2079 				}
2080 				cnt++;
2081 				if (cnt > SCTP_ADDRESS_LIMIT) {
2082 					break;
2083 				}
2084 			}
2085 			if (cnt > SCTP_ADDRESS_LIMIT) {
2086 				break;
2087 			}
2088 		}
2089 skip_count:
2090 		if (cnt > 1) {
2091 			total_count = 0;
2092 			LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2093 				cnt = 0;
2094 				if ((scope->loopback_scope == 0) &&
2095 				    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2096 					/*
2097 					 * Skip loopback devices if
2098 					 * loopback_scope not set
2099 					 */
2100 					continue;
2101 				}
2102 				LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2103 #ifdef INET
2104 					if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2105 					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2106 					    &sctp_ifap->address.sin.sin_addr) != 0)) {
2107 						continue;
2108 					}
2109 #endif
2110 #ifdef INET6
2111 					if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2112 					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2113 					    &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2114 						continue;
2115 					}
2116 #endif
2117 					if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2118 						continue;
2119 					}
2120 					if (sctp_is_address_in_scope(sctp_ifap,
2121 					    scope, 0) == 0) {
2122 						continue;
2123 					}
2124 					if ((chunk_len != NULL) &&
2125 					    (padding_len != NULL) &&
2126 					    (*padding_len > 0)) {
2127 						memset(mtod(m_at, caddr_t)+*chunk_len, 0, *padding_len);
2128 						SCTP_BUF_LEN(m_at) += *padding_len;
2129 						*chunk_len += *padding_len;
2130 						*padding_len = 0;
2131 					}
2132 					m_at = sctp_add_addr_to_mbuf(m_at, sctp_ifap, chunk_len);
2133 					if (limit_out) {
2134 						cnt++;
2135 						total_count++;
2136 						if (cnt >= 2) {
2137 							/*
2138 							 * two from each
2139 							 * address
2140 							 */
2141 							break;
2142 						}
2143 						if (total_count > SCTP_ADDRESS_LIMIT) {
2144 							/* No more addresses */
2145 							break;
2146 						}
2147 					}
2148 				}
2149 			}
2150 		}
2151 	} else {
2152 		struct sctp_laddr *laddr;
2153 
2154 		cnt = cnt_inits_to;
2155 		/* First, how many ? */
2156 		LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2157 			if (laddr->ifa == NULL) {
2158 				continue;
2159 			}
2160 			if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2161 				/*
2162 				 * Address being deleted by the system, dont
2163 				 * list.
2164 				 */
2165 				continue;
2166 			if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2167 				/*
2168 				 * Address being deleted on this ep don't
2169 				 * list.
2170 				 */
2171 				continue;
2172 			}
2173 			if (sctp_is_address_in_scope(laddr->ifa,
2174 			    scope, 1) == 0) {
2175 				continue;
2176 			}
2177 			cnt++;
2178 		}
2179 		/*
2180 		 * To get through a NAT we only list addresses if we have
2181 		 * more than one. That way if you just bind a single address
2182 		 * we let the source of the init dictate our address.
2183 		 */
2184 		if (cnt > 1) {
2185 			cnt = cnt_inits_to;
2186 			LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2187 				if (laddr->ifa == NULL) {
2188 					continue;
2189 				}
2190 				if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
2191 					continue;
2192 				}
2193 				if (sctp_is_address_in_scope(laddr->ifa,
2194 				    scope, 0) == 0) {
2195 					continue;
2196 				}
2197 				if ((chunk_len != NULL) &&
2198 				    (padding_len != NULL) &&
2199 				    (*padding_len > 0)) {
2200 					memset(mtod(m_at, caddr_t)+*chunk_len, 0, *padding_len);
2201 					SCTP_BUF_LEN(m_at) += *padding_len;
2202 					*chunk_len += *padding_len;
2203 					*padding_len = 0;
2204 				}
2205 				m_at = sctp_add_addr_to_mbuf(m_at, laddr->ifa, chunk_len);
2206 				cnt++;
2207 				if (cnt >= SCTP_ADDRESS_LIMIT) {
2208 					break;
2209 				}
2210 			}
2211 		}
2212 	}
2213 	SCTP_IPI_ADDR_RUNLOCK();
2214 	return (m_at);
2215 }
2216 
2217 static struct sctp_ifa *
2218 sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
2219     uint8_t dest_is_loop,
2220     uint8_t dest_is_priv,
2221     sa_family_t fam)
2222 {
2223 	uint8_t dest_is_global = 0;
2224 
2225 	/* dest_is_priv is true if destination is a private address */
2226 	/* dest_is_loop is true if destination is a loopback addresses */
2227 
2228 	/**
2229 	 * Here we determine if its a preferred address. A preferred address
2230 	 * means it is the same scope or higher scope then the destination.
2231 	 * L = loopback, P = private, G = global
2232 	 * -----------------------------------------
2233 	 *    src    |  dest | result
2234 	 *  ----------------------------------------
2235 	 *     L     |    L  |    yes
2236 	 *  -----------------------------------------
2237 	 *     P     |    L  |    yes-v4 no-v6
2238 	 *  -----------------------------------------
2239 	 *     G     |    L  |    yes-v4 no-v6
2240 	 *  -----------------------------------------
2241 	 *     L     |    P  |    no
2242 	 *  -----------------------------------------
2243 	 *     P     |    P  |    yes
2244 	 *  -----------------------------------------
2245 	 *     G     |    P  |    no
2246 	 *   -----------------------------------------
2247 	 *     L     |    G  |    no
2248 	 *   -----------------------------------------
2249 	 *     P     |    G  |    no
2250 	 *    -----------------------------------------
2251 	 *     G     |    G  |    yes
2252 	 *    -----------------------------------------
2253 	 */
2254 
2255 	if (ifa->address.sa.sa_family != fam) {
2256 		/* forget mis-matched family */
2257 		return (NULL);
2258 	}
2259 	if ((dest_is_priv == 0) && (dest_is_loop == 0)) {
2260 		dest_is_global = 1;
2261 	}
2262 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
2263 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
2264 	/* Ok the address may be ok */
2265 #ifdef INET6
2266 	if (fam == AF_INET6) {
2267 		/* ok to use deprecated addresses? no lets not! */
2268 		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2269 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
2270 			return (NULL);
2271 		}
2272 		if (ifa->src_is_priv && !ifa->src_is_loop) {
2273 			if (dest_is_loop) {
2274 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
2275 				return (NULL);
2276 			}
2277 		}
2278 		if (ifa->src_is_glob) {
2279 			if (dest_is_loop) {
2280 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
2281 				return (NULL);
2282 			}
2283 		}
2284 	}
2285 #endif
2286 	/*
2287 	 * Now that we know what is what, implement or table this could in
2288 	 * theory be done slicker (it used to be), but this is
2289 	 * straightforward and easier to validate :-)
2290 	 */
2291 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
2292 	    ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
2293 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
2294 	    dest_is_loop, dest_is_priv, dest_is_global);
2295 
2296 	if ((ifa->src_is_loop) && (dest_is_priv)) {
2297 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
2298 		return (NULL);
2299 	}
2300 	if ((ifa->src_is_glob) && (dest_is_priv)) {
2301 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
2302 		return (NULL);
2303 	}
2304 	if ((ifa->src_is_loop) && (dest_is_global)) {
2305 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
2306 		return (NULL);
2307 	}
2308 	if ((ifa->src_is_priv) && (dest_is_global)) {
2309 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
2310 		return (NULL);
2311 	}
2312 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
2313 	/* its a preferred address */
2314 	return (ifa);
2315 }
2316 
2317 static struct sctp_ifa *
2318 sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
2319     uint8_t dest_is_loop,
2320     uint8_t dest_is_priv,
2321     sa_family_t fam)
2322 {
2323 	uint8_t dest_is_global = 0;
2324 
2325 	/**
2326 	 * Here we determine if its a acceptable address. A acceptable
2327 	 * address means it is the same scope or higher scope but we can
2328 	 * allow for NAT which means its ok to have a global dest and a
2329 	 * private src.
2330 	 *
2331 	 * L = loopback, P = private, G = global
2332 	 * -----------------------------------------
2333 	 *  src    |  dest | result
2334 	 * -----------------------------------------
2335 	 *   L     |   L   |    yes
2336 	 *  -----------------------------------------
2337 	 *   P     |   L   |    yes-v4 no-v6
2338 	 *  -----------------------------------------
2339 	 *   G     |   L   |    yes
2340 	 * -----------------------------------------
2341 	 *   L     |   P   |    no
2342 	 * -----------------------------------------
2343 	 *   P     |   P   |    yes
2344 	 * -----------------------------------------
2345 	 *   G     |   P   |    yes - May not work
2346 	 * -----------------------------------------
2347 	 *   L     |   G   |    no
2348 	 * -----------------------------------------
2349 	 *   P     |   G   |    yes - May not work
2350 	 * -----------------------------------------
2351 	 *   G     |   G   |    yes
2352 	 * -----------------------------------------
2353 	 */
2354 
2355 	if (ifa->address.sa.sa_family != fam) {
2356 		/* forget non matching family */
2357 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa_fam:%d fam:%d\n",
2358 		    ifa->address.sa.sa_family, fam);
2359 		return (NULL);
2360 	}
2361 	/* Ok the address may be ok */
2362 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, &ifa->address.sa);
2363 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst_is_loop:%d dest_is_priv:%d\n",
2364 	    dest_is_loop, dest_is_priv);
2365 	if ((dest_is_loop == 0) && (dest_is_priv == 0)) {
2366 		dest_is_global = 1;
2367 	}
2368 #ifdef INET6
2369 	if (fam == AF_INET6) {
2370 		/* ok to use deprecated addresses? */
2371 		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2372 			return (NULL);
2373 		}
2374 		if (ifa->src_is_priv) {
2375 			/* Special case, linklocal to loop */
2376 			if (dest_is_loop)
2377 				return (NULL);
2378 		}
2379 	}
2380 #endif
2381 	/*
2382 	 * Now that we know what is what, implement our table. This could in
2383 	 * theory be done slicker (it used to be), but this is
2384 	 * straightforward and easier to validate :-)
2385 	 */
2386 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_priv:%d\n",
2387 	    ifa->src_is_loop,
2388 	    dest_is_priv);
2389 	if ((ifa->src_is_loop == 1) && (dest_is_priv)) {
2390 		return (NULL);
2391 	}
2392 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_glob:%d\n",
2393 	    ifa->src_is_loop,
2394 	    dest_is_global);
2395 	if ((ifa->src_is_loop == 1) && (dest_is_global)) {
2396 		return (NULL);
2397 	}
2398 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "address is acceptable\n");
2399 	/* its an acceptable address */
2400 	return (ifa);
2401 }
2402 
2403 int
2404 sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
2405 {
2406 	struct sctp_laddr *laddr;
2407 
2408 	if (stcb == NULL) {
2409 		/* There are no restrictions, no TCB :-) */
2410 		return (0);
2411 	}
2412 	LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
2413 		if (laddr->ifa == NULL) {
2414 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2415 			    __func__);
2416 			continue;
2417 		}
2418 		if (laddr->ifa == ifa) {
2419 			/* Yes it is on the list */
2420 			return (1);
2421 		}
2422 	}
2423 	return (0);
2424 }
2425 
2426 int
2427 sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
2428 {
2429 	struct sctp_laddr *laddr;
2430 
2431 	if (ifa == NULL)
2432 		return (0);
2433 	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2434 		if (laddr->ifa == NULL) {
2435 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2436 			    __func__);
2437 			continue;
2438 		}
2439 		if ((laddr->ifa == ifa) && laddr->action == 0)
2440 			/* same pointer */
2441 			return (1);
2442 	}
2443 	return (0);
2444 }
2445 
2446 static struct sctp_ifa *
2447 sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
2448     sctp_route_t *ro,
2449     uint32_t vrf_id,
2450     int non_asoc_addr_ok,
2451     uint8_t dest_is_priv,
2452     uint8_t dest_is_loop,
2453     sa_family_t fam)
2454 {
2455 	struct sctp_laddr *laddr, *starting_point;
2456 	void *ifn;
2457 	int resettotop = 0;
2458 	struct sctp_ifn *sctp_ifn;
2459 	struct sctp_ifa *sctp_ifa, *sifa;
2460 	struct sctp_vrf *vrf;
2461 	uint32_t ifn_index;
2462 
2463 	vrf = sctp_find_vrf(vrf_id);
2464 	if (vrf == NULL)
2465 		return (NULL);
2466 
2467 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2468 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2469 	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2470 	/*
2471 	 * first question, is the ifn we will emit on in our list, if so, we
2472 	 * want such an address. Note that we first looked for a preferred
2473 	 * address.
2474 	 */
2475 	if (sctp_ifn) {
2476 		/* is a preferred one on the interface we route out? */
2477 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2478 #ifdef INET
2479 			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2480 			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2481 			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2482 				continue;
2483 			}
2484 #endif
2485 #ifdef INET6
2486 			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2487 			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2488 			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2489 				continue;
2490 			}
2491 #endif
2492 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2493 			    (non_asoc_addr_ok == 0))
2494 				continue;
2495 			sifa = sctp_is_ifa_addr_preferred(sctp_ifa,
2496 			    dest_is_loop,
2497 			    dest_is_priv, fam);
2498 			if (sifa == NULL)
2499 				continue;
2500 			if (sctp_is_addr_in_ep(inp, sifa)) {
2501 				atomic_add_int(&sifa->refcount, 1);
2502 				return (sifa);
2503 			}
2504 		}
2505 	}
2506 	/*
2507 	 * ok, now we now need to find one on the list of the addresses. We
2508 	 * can't get one on the emitting interface so let's find first a
2509 	 * preferred one. If not that an acceptable one otherwise... we
2510 	 * return NULL.
2511 	 */
2512 	starting_point = inp->next_addr_touse;
2513 once_again:
2514 	if (inp->next_addr_touse == NULL) {
2515 		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2516 		resettotop = 1;
2517 	}
2518 	for (laddr = inp->next_addr_touse; laddr;
2519 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2520 		if (laddr->ifa == NULL) {
2521 			/* address has been removed */
2522 			continue;
2523 		}
2524 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2525 			/* address is being deleted */
2526 			continue;
2527 		}
2528 		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop,
2529 		    dest_is_priv, fam);
2530 		if (sifa == NULL)
2531 			continue;
2532 		atomic_add_int(&sifa->refcount, 1);
2533 		return (sifa);
2534 	}
2535 	if (resettotop == 0) {
2536 		inp->next_addr_touse = NULL;
2537 		goto once_again;
2538 	}
2539 
2540 	inp->next_addr_touse = starting_point;
2541 	resettotop = 0;
2542 once_again_too:
2543 	if (inp->next_addr_touse == NULL) {
2544 		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2545 		resettotop = 1;
2546 	}
2547 
2548 	/* ok, what about an acceptable address in the inp */
2549 	for (laddr = inp->next_addr_touse; laddr;
2550 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2551 		if (laddr->ifa == NULL) {
2552 			/* address has been removed */
2553 			continue;
2554 		}
2555 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2556 			/* address is being deleted */
2557 			continue;
2558 		}
2559 		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2560 		    dest_is_priv, fam);
2561 		if (sifa == NULL)
2562 			continue;
2563 		atomic_add_int(&sifa->refcount, 1);
2564 		return (sifa);
2565 	}
2566 	if (resettotop == 0) {
2567 		inp->next_addr_touse = NULL;
2568 		goto once_again_too;
2569 	}
2570 
2571 	/*
2572 	 * no address bound can be a source for the destination we are in
2573 	 * trouble
2574 	 */
2575 	return (NULL);
2576 }
2577 
2578 static struct sctp_ifa *
2579 sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
2580     struct sctp_tcb *stcb,
2581     sctp_route_t *ro,
2582     uint32_t vrf_id,
2583     uint8_t dest_is_priv,
2584     uint8_t dest_is_loop,
2585     int non_asoc_addr_ok,
2586     sa_family_t fam)
2587 {
2588 	struct sctp_laddr *laddr, *starting_point;
2589 	void *ifn;
2590 	struct sctp_ifn *sctp_ifn;
2591 	struct sctp_ifa *sctp_ifa, *sifa;
2592 	uint8_t start_at_beginning = 0;
2593 	struct sctp_vrf *vrf;
2594 	uint32_t ifn_index;
2595 
2596 	/*
2597 	 * first question, is the ifn we will emit on in our list, if so, we
2598 	 * want that one.
2599 	 */
2600 	vrf = sctp_find_vrf(vrf_id);
2601 	if (vrf == NULL)
2602 		return (NULL);
2603 
2604 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2605 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2606 	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2607 
2608 	/*
2609 	 * first question, is the ifn we will emit on in our list?  If so,
2610 	 * we want that one. First we look for a preferred. Second, we go
2611 	 * for an acceptable.
2612 	 */
2613 	if (sctp_ifn) {
2614 		/* first try for a preferred address on the ep */
2615 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2616 #ifdef INET
2617 			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2618 			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2619 			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2620 				continue;
2621 			}
2622 #endif
2623 #ifdef INET6
2624 			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2625 			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2626 			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2627 				continue;
2628 			}
2629 #endif
2630 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2631 				continue;
2632 			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2633 				sifa = sctp_is_ifa_addr_preferred(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2634 				if (sifa == NULL)
2635 					continue;
2636 				if (((non_asoc_addr_ok == 0) &&
2637 				    (sctp_is_addr_restricted(stcb, sifa))) ||
2638 				    (non_asoc_addr_ok &&
2639 				    (sctp_is_addr_restricted(stcb, sifa)) &&
2640 				    (!sctp_is_addr_pending(stcb, sifa)))) {
2641 					/* on the no-no list */
2642 					continue;
2643 				}
2644 				atomic_add_int(&sifa->refcount, 1);
2645 				return (sifa);
2646 			}
2647 		}
2648 		/* next try for an acceptable address on the ep */
2649 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2650 #ifdef INET
2651 			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2652 			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2653 			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2654 				continue;
2655 			}
2656 #endif
2657 #ifdef INET6
2658 			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2659 			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2660 			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2661 				continue;
2662 			}
2663 #endif
2664 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2665 				continue;
2666 			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2667 				sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2668 				if (sifa == NULL)
2669 					continue;
2670 				if (((non_asoc_addr_ok == 0) &&
2671 				    (sctp_is_addr_restricted(stcb, sifa))) ||
2672 				    (non_asoc_addr_ok &&
2673 				    (sctp_is_addr_restricted(stcb, sifa)) &&
2674 				    (!sctp_is_addr_pending(stcb, sifa)))) {
2675 					/* on the no-no list */
2676 					continue;
2677 				}
2678 				atomic_add_int(&sifa->refcount, 1);
2679 				return (sifa);
2680 			}
2681 		}
2682 	}
2683 	/*
2684 	 * if we can't find one like that then we must look at all addresses
2685 	 * bound to pick one at first preferable then secondly acceptable.
2686 	 */
2687 	starting_point = stcb->asoc.last_used_address;
2688 sctp_from_the_top:
2689 	if (stcb->asoc.last_used_address == NULL) {
2690 		start_at_beginning = 1;
2691 		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2692 	}
2693 	/* search beginning with the last used address */
2694 	for (laddr = stcb->asoc.last_used_address; laddr;
2695 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2696 		if (laddr->ifa == NULL) {
2697 			/* address has been removed */
2698 			continue;
2699 		}
2700 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2701 			/* address is being deleted */
2702 			continue;
2703 		}
2704 		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop, dest_is_priv, fam);
2705 		if (sifa == NULL)
2706 			continue;
2707 		if (((non_asoc_addr_ok == 0) &&
2708 		    (sctp_is_addr_restricted(stcb, sifa))) ||
2709 		    (non_asoc_addr_ok &&
2710 		    (sctp_is_addr_restricted(stcb, sifa)) &&
2711 		    (!sctp_is_addr_pending(stcb, sifa)))) {
2712 			/* on the no-no list */
2713 			continue;
2714 		}
2715 		stcb->asoc.last_used_address = laddr;
2716 		atomic_add_int(&sifa->refcount, 1);
2717 		return (sifa);
2718 	}
2719 	if (start_at_beginning == 0) {
2720 		stcb->asoc.last_used_address = NULL;
2721 		goto sctp_from_the_top;
2722 	}
2723 	/* now try for any higher scope than the destination */
2724 	stcb->asoc.last_used_address = starting_point;
2725 	start_at_beginning = 0;
2726 sctp_from_the_top2:
2727 	if (stcb->asoc.last_used_address == NULL) {
2728 		start_at_beginning = 1;
2729 		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2730 	}
2731 	/* search beginning with the last used address */
2732 	for (laddr = stcb->asoc.last_used_address; laddr;
2733 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2734 		if (laddr->ifa == NULL) {
2735 			/* address has been removed */
2736 			continue;
2737 		}
2738 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2739 			/* address is being deleted */
2740 			continue;
2741 		}
2742 		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2743 		    dest_is_priv, fam);
2744 		if (sifa == NULL)
2745 			continue;
2746 		if (((non_asoc_addr_ok == 0) &&
2747 		    (sctp_is_addr_restricted(stcb, sifa))) ||
2748 		    (non_asoc_addr_ok &&
2749 		    (sctp_is_addr_restricted(stcb, sifa)) &&
2750 		    (!sctp_is_addr_pending(stcb, sifa)))) {
2751 			/* on the no-no list */
2752 			continue;
2753 		}
2754 		stcb->asoc.last_used_address = laddr;
2755 		atomic_add_int(&sifa->refcount, 1);
2756 		return (sifa);
2757 	}
2758 	if (start_at_beginning == 0) {
2759 		stcb->asoc.last_used_address = NULL;
2760 		goto sctp_from_the_top2;
2761 	}
2762 	return (NULL);
2763 }
2764 
2765 static struct sctp_ifa *
2766 sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
2767     struct sctp_inpcb *inp,
2768     struct sctp_tcb *stcb,
2769     int non_asoc_addr_ok,
2770     uint8_t dest_is_loop,
2771     uint8_t dest_is_priv,
2772     int addr_wanted,
2773     sa_family_t fam,
2774     sctp_route_t *ro)
2775 {
2776 	struct sctp_ifa *ifa, *sifa;
2777 	int num_eligible_addr = 0;
2778 #ifdef INET6
2779 	struct sockaddr_in6 sin6, lsa6;
2780 
2781 	if (fam == AF_INET6) {
2782 		memcpy(&sin6, &ro->ro_dst, sizeof(struct sockaddr_in6));
2783 		(void)sa6_recoverscope(&sin6);
2784 	}
2785 #endif				/* INET6 */
2786 	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2787 #ifdef INET
2788 		if ((ifa->address.sa.sa_family == AF_INET) &&
2789 		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2790 		    &ifa->address.sin.sin_addr) != 0)) {
2791 			continue;
2792 		}
2793 #endif
2794 #ifdef INET6
2795 		if ((ifa->address.sa.sa_family == AF_INET6) &&
2796 		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2797 		    &ifa->address.sin6.sin6_addr) != 0)) {
2798 			continue;
2799 		}
2800 #endif
2801 		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2802 		    (non_asoc_addr_ok == 0))
2803 			continue;
2804 		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2805 		    dest_is_priv, fam);
2806 		if (sifa == NULL)
2807 			continue;
2808 #ifdef INET6
2809 		if (fam == AF_INET6 &&
2810 		    dest_is_loop &&
2811 		    sifa->src_is_loop && sifa->src_is_priv) {
2812 			/*
2813 			 * don't allow fe80::1 to be a src on loop ::1, we
2814 			 * don't list it to the peer so we will get an
2815 			 * abort.
2816 			 */
2817 			continue;
2818 		}
2819 		if (fam == AF_INET6 &&
2820 		    IN6_IS_ADDR_LINKLOCAL(&sifa->address.sin6.sin6_addr) &&
2821 		    IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
2822 			/*
2823 			 * link-local <-> link-local must belong to the same
2824 			 * scope.
2825 			 */
2826 			memcpy(&lsa6, &sifa->address.sin6, sizeof(struct sockaddr_in6));
2827 			(void)sa6_recoverscope(&lsa6);
2828 			if (sin6.sin6_scope_id != lsa6.sin6_scope_id) {
2829 				continue;
2830 			}
2831 		}
2832 #endif				/* INET6 */
2833 
2834 		/*
2835 		 * Check if the IPv6 address matches to next-hop. In the
2836 		 * mobile case, old IPv6 address may be not deleted from the
2837 		 * interface. Then, the interface has previous and new
2838 		 * addresses.  We should use one corresponding to the
2839 		 * next-hop.  (by micchie)
2840 		 */
2841 #ifdef INET6
2842 		if (stcb && fam == AF_INET6 &&
2843 		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2844 			if (sctp_v6src_match_nexthop(&sifa->address.sin6, ro) == 0) {
2845 				continue;
2846 			}
2847 		}
2848 #endif
2849 #ifdef INET
2850 		/* Avoid topologically incorrect IPv4 address */
2851 		if (stcb && fam == AF_INET &&
2852 		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2853 			if (sctp_v4src_match_nexthop(sifa, ro) == 0) {
2854 				continue;
2855 			}
2856 		}
2857 #endif
2858 		if (stcb) {
2859 			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2860 				continue;
2861 			}
2862 			if (((non_asoc_addr_ok == 0) &&
2863 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2864 			    (non_asoc_addr_ok &&
2865 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2866 			    (!sctp_is_addr_pending(stcb, sifa)))) {
2867 				/*
2868 				 * It is restricted for some reason..
2869 				 * probably not yet added.
2870 				 */
2871 				continue;
2872 			}
2873 		}
2874 		if (num_eligible_addr >= addr_wanted) {
2875 			return (sifa);
2876 		}
2877 		num_eligible_addr++;
2878 	}
2879 	return (NULL);
2880 }
2881 
2882 static int
2883 sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
2884     struct sctp_inpcb *inp,
2885     struct sctp_tcb *stcb,
2886     int non_asoc_addr_ok,
2887     uint8_t dest_is_loop,
2888     uint8_t dest_is_priv,
2889     sa_family_t fam)
2890 {
2891 	struct sctp_ifa *ifa, *sifa;
2892 	int num_eligible_addr = 0;
2893 
2894 	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2895 #ifdef INET
2896 		if ((ifa->address.sa.sa_family == AF_INET) &&
2897 		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2898 		    &ifa->address.sin.sin_addr) != 0)) {
2899 			continue;
2900 		}
2901 #endif
2902 #ifdef INET6
2903 		if ((ifa->address.sa.sa_family == AF_INET6) &&
2904 		    (stcb != NULL) &&
2905 		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2906 		    &ifa->address.sin6.sin6_addr) != 0)) {
2907 			continue;
2908 		}
2909 #endif
2910 		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2911 		    (non_asoc_addr_ok == 0)) {
2912 			continue;
2913 		}
2914 		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2915 		    dest_is_priv, fam);
2916 		if (sifa == NULL) {
2917 			continue;
2918 		}
2919 		if (stcb) {
2920 			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2921 				continue;
2922 			}
2923 			if (((non_asoc_addr_ok == 0) &&
2924 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2925 			    (non_asoc_addr_ok &&
2926 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2927 			    (!sctp_is_addr_pending(stcb, sifa)))) {
2928 				/*
2929 				 * It is restricted for some reason..
2930 				 * probably not yet added.
2931 				 */
2932 				continue;
2933 			}
2934 		}
2935 		num_eligible_addr++;
2936 	}
2937 	return (num_eligible_addr);
2938 }
2939 
2940 static struct sctp_ifa *
2941 sctp_choose_boundall(struct sctp_inpcb *inp,
2942     struct sctp_tcb *stcb,
2943     struct sctp_nets *net,
2944     sctp_route_t *ro,
2945     uint32_t vrf_id,
2946     uint8_t dest_is_priv,
2947     uint8_t dest_is_loop,
2948     int non_asoc_addr_ok,
2949     sa_family_t fam)
2950 {
2951 	int cur_addr_num = 0, num_preferred = 0;
2952 	void *ifn;
2953 	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
2954 	struct sctp_ifa *sctp_ifa, *sifa;
2955 	uint32_t ifn_index;
2956 	struct sctp_vrf *vrf;
2957 #ifdef INET
2958 	int retried = 0;
2959 #endif
2960 
2961 	/*-
2962 	 * For boundall we can use any address in the association.
2963 	 * If non_asoc_addr_ok is set we can use any address (at least in
2964 	 * theory). So we look for preferred addresses first. If we find one,
2965 	 * we use it. Otherwise we next try to get an address on the
2966 	 * interface, which we should be able to do (unless non_asoc_addr_ok
2967 	 * is false and we are routed out that way). In these cases where we
2968 	 * can't use the address of the interface we go through all the
2969 	 * ifn's looking for an address we can use and fill that in. Punting
2970 	 * means we send back address 0, which will probably cause problems
2971 	 * actually since then IP will fill in the address of the route ifn,
2972 	 * which means we probably already rejected it.. i.e. here comes an
2973 	 * abort :-<.
2974 	 */
2975 	vrf = sctp_find_vrf(vrf_id);
2976 	if (vrf == NULL)
2977 		return (NULL);
2978 
2979 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2980 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2981 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn from route:%p ifn_index:%d\n", ifn, ifn_index);
2982 	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2983 	if (sctp_ifn == NULL) {
2984 		/* ?? We don't have this guy ?? */
2985 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No ifn emit interface?\n");
2986 		goto bound_all_plan_b;
2987 	}
2988 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn_index:%d name:%s is emit interface\n",
2989 	    ifn_index, sctp_ifn->ifn_name);
2990 
2991 	if (net) {
2992 		cur_addr_num = net->indx_of_eligible_next_to_use;
2993 	}
2994 	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
2995 	    inp, stcb,
2996 	    non_asoc_addr_ok,
2997 	    dest_is_loop,
2998 	    dest_is_priv, fam);
2999 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
3000 	    num_preferred, sctp_ifn->ifn_name);
3001 	if (num_preferred == 0) {
3002 		/*
3003 		 * no eligible addresses, we must use some other interface
3004 		 * address if we can find one.
3005 		 */
3006 		goto bound_all_plan_b;
3007 	}
3008 	/*
3009 	 * Ok we have num_eligible_addr set with how many we can use, this
3010 	 * may vary from call to call due to addresses being deprecated
3011 	 * etc..
3012 	 */
3013 	if (cur_addr_num >= num_preferred) {
3014 		cur_addr_num = 0;
3015 	}
3016 	/*
3017 	 * select the nth address from the list (where cur_addr_num is the
3018 	 * nth) and 0 is the first one, 1 is the second one etc...
3019 	 */
3020 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);
3021 
3022 	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3023 	    dest_is_priv, cur_addr_num, fam, ro);
3024 
3025 	/* if sctp_ifa is NULL something changed??, fall to plan b. */
3026 	if (sctp_ifa) {
3027 		atomic_add_int(&sctp_ifa->refcount, 1);
3028 		if (net) {
3029 			/* save off where the next one we will want */
3030 			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3031 		}
3032 		return (sctp_ifa);
3033 	}
3034 	/*
3035 	 * plan_b: Look at all interfaces and find a preferred address. If
3036 	 * no preferred fall through to plan_c.
3037 	 */
3038 bound_all_plan_b:
3039 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
3040 	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3041 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
3042 		    sctp_ifn->ifn_name);
3043 		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3044 			/* wrong base scope */
3045 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
3046 			continue;
3047 		}
3048 		if ((sctp_ifn == looked_at) && looked_at) {
3049 			/* already looked at this guy */
3050 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
3051 			continue;
3052 		}
3053 		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok,
3054 		    dest_is_loop, dest_is_priv, fam);
3055 		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3056 		    "Found ifn:%p %d preferred source addresses\n",
3057 		    ifn, num_preferred);
3058 		if (num_preferred == 0) {
3059 			/* None on this interface. */
3060 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No preferred -- skipping to next\n");
3061 			continue;
3062 		}
3063 		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3064 		    "num preferred:%d on interface:%p cur_addr_num:%d\n",
3065 		    num_preferred, (void *)sctp_ifn, cur_addr_num);
3066 
3067 		/*
3068 		 * Ok we have num_eligible_addr set with how many we can
3069 		 * use, this may vary from call to call due to addresses
3070 		 * being deprecated etc..
3071 		 */
3072 		if (cur_addr_num >= num_preferred) {
3073 			cur_addr_num = 0;
3074 		}
3075 		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3076 		    dest_is_priv, cur_addr_num, fam, ro);
3077 		if (sifa == NULL)
3078 			continue;
3079 		if (net) {
3080 			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3081 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
3082 			    cur_addr_num);
3083 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
3084 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
3085 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
3086 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
3087 		}
3088 		atomic_add_int(&sifa->refcount, 1);
3089 		return (sifa);
3090 	}
3091 #ifdef INET
3092 again_with_private_addresses_allowed:
3093 #endif
3094 	/* plan_c: do we have an acceptable address on the emit interface */
3095 	sifa = NULL;
3096 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan C: find acceptable on interface\n");
3097 	if (emit_ifn == NULL) {
3098 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jump to Plan D - no emit_ifn\n");
3099 		goto plan_d;
3100 	}
3101 	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
3102 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifa:%p\n", (void *)sctp_ifa);
3103 #ifdef INET
3104 		if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3105 		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3106 		    &sctp_ifa->address.sin.sin_addr) != 0)) {
3107 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jailed\n");
3108 			continue;
3109 		}
3110 #endif
3111 #ifdef INET6
3112 		if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3113 		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3114 		    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3115 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jailed\n");
3116 			continue;
3117 		}
3118 #endif
3119 		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3120 		    (non_asoc_addr_ok == 0)) {
3121 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Defer\n");
3122 			continue;
3123 		}
3124 		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
3125 		    dest_is_priv, fam);
3126 		if (sifa == NULL) {
3127 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "IFA not acceptable\n");
3128 			continue;
3129 		}
3130 		if (stcb) {
3131 			if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3132 				SCTPDBG(SCTP_DEBUG_OUTPUT2, "NOT in scope\n");
3133 				sifa = NULL;
3134 				continue;
3135 			}
3136 			if (((non_asoc_addr_ok == 0) &&
3137 			    (sctp_is_addr_restricted(stcb, sifa))) ||
3138 			    (non_asoc_addr_ok &&
3139 			    (sctp_is_addr_restricted(stcb, sifa)) &&
3140 			    (!sctp_is_addr_pending(stcb, sifa)))) {
3141 				/*
3142 				 * It is restricted for some reason..
3143 				 * probably not yet added.
3144 				 */
3145 				SCTPDBG(SCTP_DEBUG_OUTPUT2, "Its restricted\n");
3146 				sifa = NULL;
3147 				continue;
3148 			}
3149 		}
3150 		atomic_add_int(&sifa->refcount, 1);
3151 		goto out;
3152 	}
3153 plan_d:
3154 	/*
3155 	 * plan_d: We are in trouble. No preferred address on the emit
3156 	 * interface. And not even a preferred address on all interfaces. Go
3157 	 * out and see if we can find an acceptable address somewhere
3158 	 * amongst all interfaces.
3159 	 */
3160 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D looked_at is %p\n", (void *)looked_at);
3161 	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3162 		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3163 			/* wrong base scope */
3164 			continue;
3165 		}
3166 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3167 #ifdef INET
3168 			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3169 			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3170 			    &sctp_ifa->address.sin.sin_addr) != 0)) {
3171 				continue;
3172 			}
3173 #endif
3174 #ifdef INET6
3175 			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3176 			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3177 			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3178 				continue;
3179 			}
3180 #endif
3181 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3182 			    (non_asoc_addr_ok == 0))
3183 				continue;
3184 			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3185 			    dest_is_loop,
3186 			    dest_is_priv, fam);
3187 			if (sifa == NULL)
3188 				continue;
3189 			if (stcb) {
3190 				if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3191 					sifa = NULL;
3192 					continue;
3193 				}
3194 				if (((non_asoc_addr_ok == 0) &&
3195 				    (sctp_is_addr_restricted(stcb, sifa))) ||
3196 				    (non_asoc_addr_ok &&
3197 				    (sctp_is_addr_restricted(stcb, sifa)) &&
3198 				    (!sctp_is_addr_pending(stcb, sifa)))) {
3199 					/*
3200 					 * It is restricted for some
3201 					 * reason.. probably not yet added.
3202 					 */
3203 					sifa = NULL;
3204 					continue;
3205 				}
3206 			}
3207 			goto out;
3208 		}
3209 	}
3210 #ifdef INET
3211 	if (stcb) {
3212 		if ((retried == 0) && (stcb->asoc.scope.ipv4_local_scope == 0)) {
3213 			stcb->asoc.scope.ipv4_local_scope = 1;
3214 			retried = 1;
3215 			goto again_with_private_addresses_allowed;
3216 		} else if (retried == 1) {
3217 			stcb->asoc.scope.ipv4_local_scope = 0;
3218 		}
3219 	}
3220 #endif
3221 out:
3222 #ifdef INET
3223 	if (sifa) {
3224 		if (retried == 1) {
3225 			LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3226 				if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3227 					/* wrong base scope */
3228 					continue;
3229 				}
3230 				LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3231 					struct sctp_ifa *tmp_sifa;
3232 
3233 #ifdef INET
3234 					if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3235 					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3236 					    &sctp_ifa->address.sin.sin_addr) != 0)) {
3237 						continue;
3238 					}
3239 #endif
3240 #ifdef INET6
3241 					if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3242 					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3243 					    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3244 						continue;
3245 					}
3246 #endif
3247 					if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3248 					    (non_asoc_addr_ok == 0))
3249 						continue;
3250 					tmp_sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3251 					    dest_is_loop,
3252 					    dest_is_priv, fam);
3253 					if (tmp_sifa == NULL) {
3254 						continue;
3255 					}
3256 					if (tmp_sifa == sifa) {
3257 						continue;
3258 					}
3259 					if (stcb) {
3260 						if (sctp_is_address_in_scope(tmp_sifa,
3261 						    &stcb->asoc.scope, 0) == 0) {
3262 							continue;
3263 						}
3264 						if (((non_asoc_addr_ok == 0) &&
3265 						    (sctp_is_addr_restricted(stcb, tmp_sifa))) ||
3266 						    (non_asoc_addr_ok &&
3267 						    (sctp_is_addr_restricted(stcb, tmp_sifa)) &&
3268 						    (!sctp_is_addr_pending(stcb, tmp_sifa)))) {
3269 							/*
3270 							 * It is restricted
3271 							 * for some reason..
3272 							 * probably not yet
3273 							 * added.
3274 							 */
3275 							continue;
3276 						}
3277 					}
3278 					if ((tmp_sifa->address.sin.sin_family == AF_INET) &&
3279 					    (IN4_ISPRIVATE_ADDRESS(&(tmp_sifa->address.sin.sin_addr)))) {
3280 						sctp_add_local_addr_restricted(stcb, tmp_sifa);
3281 					}
3282 				}
3283 			}
3284 		}
3285 		atomic_add_int(&sifa->refcount, 1);
3286 	}
3287 #endif
3288 	return (sifa);
3289 }
3290 
3291 /* tcb may be NULL */
3292 struct sctp_ifa *
3293 sctp_source_address_selection(struct sctp_inpcb *inp,
3294     struct sctp_tcb *stcb,
3295     sctp_route_t *ro,
3296     struct sctp_nets *net,
3297     int non_asoc_addr_ok, uint32_t vrf_id)
3298 {
3299 	struct sctp_ifa *answer;
3300 	uint8_t dest_is_priv, dest_is_loop;
3301 	sa_family_t fam;
3302 #ifdef INET
3303 	struct sockaddr_in *to = (struct sockaddr_in *)&ro->ro_dst;
3304 #endif
3305 #ifdef INET6
3306 	struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&ro->ro_dst;
3307 #endif
3308 
3309 	/**
3310 	 * Rules:
3311 	 * - Find the route if needed, cache if I can.
3312 	 * - Look at interface address in route, Is it in the bound list. If so we
3313 	 *   have the best source.
3314 	 * - If not we must rotate amongst the addresses.
3315 	 *
3316 	 * Caveats and issues
3317 	 *
3318 	 * Do we need to pay attention to scope. We can have a private address
3319 	 * or a global address we are sourcing or sending to. So if we draw
3320 	 * it out
3321 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3322 	 * For V4
3323 	 * ------------------------------------------
3324 	 *      source     *      dest  *  result
3325 	 * -----------------------------------------
3326 	 * <a>  Private    *    Global  *  NAT
3327 	 * -----------------------------------------
3328 	 * <b>  Private    *    Private *  No problem
3329 	 * -----------------------------------------
3330 	 * <c>  Global     *    Private *  Huh, How will this work?
3331 	 * -----------------------------------------
3332 	 * <d>  Global     *    Global  *  No Problem
3333 	 *------------------------------------------
3334 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3335 	 * For V6
3336 	 *------------------------------------------
3337 	 *      source     *      dest  *  result
3338 	 * -----------------------------------------
3339 	 * <a>  Linklocal  *    Global  *
3340 	 * -----------------------------------------
3341 	 * <b>  Linklocal  * Linklocal  *  No problem
3342 	 * -----------------------------------------
3343 	 * <c>  Global     * Linklocal  *  Huh, How will this work?
3344 	 * -----------------------------------------
3345 	 * <d>  Global     *    Global  *  No Problem
3346 	 *------------------------------------------
3347 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3348 	 *
3349 	 * And then we add to that what happens if there are multiple addresses
3350 	 * assigned to an interface. Remember the ifa on a ifn is a linked
3351 	 * list of addresses. So one interface can have more than one IP
3352 	 * address. What happens if we have both a private and a global
3353 	 * address? Do we then use context of destination to sort out which
3354 	 * one is best? And what about NAT's sending P->G may get you a NAT
3355 	 * translation, or should you select the G thats on the interface in
3356 	 * preference.
3357 	 *
3358 	 * Decisions:
3359 	 *
3360 	 * - count the number of addresses on the interface.
3361 	 * - if it is one, no problem except case <c>.
3362 	 *   For <a> we will assume a NAT out there.
3363 	 * - if there are more than one, then we need to worry about scope P
3364 	 *   or G. We should prefer G -> G and P -> P if possible.
3365 	 *   Then as a secondary fall back to mixed types G->P being a last
3366 	 *   ditch one.
3367 	 * - The above all works for bound all, but bound specific we need to
3368 	 *   use the same concept but instead only consider the bound
3369 	 *   addresses. If the bound set is NOT assigned to the interface then
3370 	 *   we must use rotation amongst the bound addresses..
3371 	 */
3372 	if (ro->ro_nh == NULL) {
3373 		/*
3374 		 * Need a route to cache.
3375 		 */
3376 		SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
3377 	}
3378 	if (ro->ro_nh == NULL) {
3379 		return (NULL);
3380 	}
3381 	fam = ro->ro_dst.sa_family;
3382 	dest_is_priv = dest_is_loop = 0;
3383 	/* Setup our scopes for the destination */
3384 	switch (fam) {
3385 #ifdef INET
3386 	case AF_INET:
3387 		/* Scope based on outbound address */
3388 		if (IN4_ISLOOPBACK_ADDRESS(&to->sin_addr)) {
3389 			dest_is_loop = 1;
3390 			if (net != NULL) {
3391 				/* mark it as local */
3392 				net->addr_is_local = 1;
3393 			}
3394 		} else if ((IN4_ISPRIVATE_ADDRESS(&to->sin_addr))) {
3395 			dest_is_priv = 1;
3396 		}
3397 		break;
3398 #endif
3399 #ifdef INET6
3400 	case AF_INET6:
3401 		/* Scope based on outbound address */
3402 		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr) ||
3403 		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
3404 			/*
3405 			 * If the address is a loopback address, which
3406 			 * consists of "::1" OR "fe80::1%lo0", we are
3407 			 * loopback scope. But we don't use dest_is_priv
3408 			 * (link local addresses).
3409 			 */
3410 			dest_is_loop = 1;
3411 			if (net != NULL) {
3412 				/* mark it as local */
3413 				net->addr_is_local = 1;
3414 			}
3415 		} else if (IN6_IS_ADDR_LINKLOCAL(&to6->sin6_addr)) {
3416 			dest_is_priv = 1;
3417 		}
3418 		break;
3419 #endif
3420 	}
3421 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
3422 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&ro->ro_dst);
3423 	SCTP_IPI_ADDR_RLOCK();
3424 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
3425 		/*
3426 		 * Bound all case
3427 		 */
3428 		answer = sctp_choose_boundall(inp, stcb, net, ro, vrf_id,
3429 		    dest_is_priv, dest_is_loop,
3430 		    non_asoc_addr_ok, fam);
3431 		SCTP_IPI_ADDR_RUNLOCK();
3432 		return (answer);
3433 	}
3434 	/*
3435 	 * Subset bound case
3436 	 */
3437 	if (stcb) {
3438 		answer = sctp_choose_boundspecific_stcb(inp, stcb, ro,
3439 		    vrf_id, dest_is_priv,
3440 		    dest_is_loop,
3441 		    non_asoc_addr_ok, fam);
3442 	} else {
3443 		answer = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
3444 		    non_asoc_addr_ok,
3445 		    dest_is_priv,
3446 		    dest_is_loop, fam);
3447 	}
3448 	SCTP_IPI_ADDR_RUNLOCK();
3449 	return (answer);
3450 }
3451 
3452 static bool
3453 sctp_find_cmsg(int c_type, void *data, struct mbuf *control, size_t cpsize)
3454 {
3455 	struct cmsghdr cmh;
3456 	struct sctp_sndinfo sndinfo;
3457 	struct sctp_prinfo prinfo;
3458 	struct sctp_authinfo authinfo;
3459 	int tot_len, rem_len, cmsg_data_len, cmsg_data_off, off;
3460 	bool found;
3461 
3462 	/*
3463 	 * Independent of how many mbufs, find the c_type inside the control
3464 	 * structure and copy out the data.
3465 	 */
3466 	found = false;
3467 	tot_len = SCTP_BUF_LEN(control);
3468 	for (off = 0; off < tot_len; off += CMSG_ALIGN(cmh.cmsg_len)) {
3469 		rem_len = tot_len - off;
3470 		if (rem_len < (int)CMSG_ALIGN(sizeof(cmh))) {
3471 			/* There is not enough room for one more. */
3472 			return (found);
3473 		}
3474 		m_copydata(control, off, sizeof(cmh), (caddr_t)&cmh);
3475 		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3476 			/* We dont't have a complete CMSG header. */
3477 			return (found);
3478 		}
3479 		if ((cmh.cmsg_len > INT_MAX) || ((int)cmh.cmsg_len > rem_len)) {
3480 			/* We don't have the complete CMSG. */
3481 			return (found);
3482 		}
3483 		cmsg_data_len = (int)cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh));
3484 		cmsg_data_off = off + CMSG_ALIGN(sizeof(cmh));
3485 		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
3486 		    ((c_type == cmh.cmsg_type) ||
3487 		    ((c_type == SCTP_SNDRCV) &&
3488 		    ((cmh.cmsg_type == SCTP_SNDINFO) ||
3489 		    (cmh.cmsg_type == SCTP_PRINFO) ||
3490 		    (cmh.cmsg_type == SCTP_AUTHINFO))))) {
3491 			if (c_type == cmh.cmsg_type) {
3492 				if (cpsize > INT_MAX) {
3493 					return (found);
3494 				}
3495 				if (cmsg_data_len < (int)cpsize) {
3496 					return (found);
3497 				}
3498 				/* It is exactly what we want. Copy it out. */
3499 				m_copydata(control, cmsg_data_off, (int)cpsize, (caddr_t)data);
3500 				return (1);
3501 			} else {
3502 				struct sctp_sndrcvinfo *sndrcvinfo;
3503 
3504 				sndrcvinfo = (struct sctp_sndrcvinfo *)data;
3505 				if (!found) {
3506 					if (cpsize < sizeof(struct sctp_sndrcvinfo)) {
3507 						return (found);
3508 					}
3509 					memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
3510 				}
3511 				switch (cmh.cmsg_type) {
3512 				case SCTP_SNDINFO:
3513 					if (cmsg_data_len < (int)sizeof(struct sctp_sndinfo)) {
3514 						return (found);
3515 					}
3516 					m_copydata(control, cmsg_data_off, sizeof(struct sctp_sndinfo), (caddr_t)&sndinfo);
3517 					sndrcvinfo->sinfo_stream = sndinfo.snd_sid;
3518 					sndrcvinfo->sinfo_flags = sndinfo.snd_flags;
3519 					sndrcvinfo->sinfo_ppid = sndinfo.snd_ppid;
3520 					sndrcvinfo->sinfo_context = sndinfo.snd_context;
3521 					sndrcvinfo->sinfo_assoc_id = sndinfo.snd_assoc_id;
3522 					break;
3523 				case SCTP_PRINFO:
3524 					if (cmsg_data_len < (int)sizeof(struct sctp_prinfo)) {
3525 						return (found);
3526 					}
3527 					m_copydata(control, cmsg_data_off, sizeof(struct sctp_prinfo), (caddr_t)&prinfo);
3528 					if (prinfo.pr_policy != SCTP_PR_SCTP_NONE) {
3529 						sndrcvinfo->sinfo_timetolive = prinfo.pr_value;
3530 					} else {
3531 						sndrcvinfo->sinfo_timetolive = 0;
3532 					}
3533 					sndrcvinfo->sinfo_flags |= prinfo.pr_policy;
3534 					break;
3535 				case SCTP_AUTHINFO:
3536 					if (cmsg_data_len < (int)sizeof(struct sctp_authinfo)) {
3537 						return (found);
3538 					}
3539 					m_copydata(control, cmsg_data_off, sizeof(struct sctp_authinfo), (caddr_t)&authinfo);
3540 					sndrcvinfo->sinfo_keynumber_valid = 1;
3541 					sndrcvinfo->sinfo_keynumber = authinfo.auth_keynumber;
3542 					break;
3543 				default:
3544 					return (found);
3545 				}
3546 				found = true;
3547 			}
3548 		}
3549 	}
3550 	return (found);
3551 }
3552 
3553 static int
3554 sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *error)
3555 {
3556 	struct cmsghdr cmh;
3557 	struct sctp_initmsg initmsg;
3558 #ifdef INET
3559 	struct sockaddr_in sin;
3560 #endif
3561 #ifdef INET6
3562 	struct sockaddr_in6 sin6;
3563 #endif
3564 	int tot_len, rem_len, cmsg_data_len, cmsg_data_off, off;
3565 
3566 	tot_len = SCTP_BUF_LEN(control);
3567 	for (off = 0; off < tot_len; off += CMSG_ALIGN(cmh.cmsg_len)) {
3568 		rem_len = tot_len - off;
3569 		if (rem_len < (int)CMSG_ALIGN(sizeof(cmh))) {
3570 			/* There is not enough room for one more. */
3571 			*error = EINVAL;
3572 			return (1);
3573 		}
3574 		m_copydata(control, off, sizeof(cmh), (caddr_t)&cmh);
3575 		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3576 			/* We dont't have a complete CMSG header. */
3577 			*error = EINVAL;
3578 			return (1);
3579 		}
3580 		if ((cmh.cmsg_len > INT_MAX) || ((int)cmh.cmsg_len > rem_len)) {
3581 			/* We don't have the complete CMSG. */
3582 			*error = EINVAL;
3583 			return (1);
3584 		}
3585 		cmsg_data_len = (int)cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh));
3586 		cmsg_data_off = off + CMSG_ALIGN(sizeof(cmh));
3587 		if (cmh.cmsg_level == IPPROTO_SCTP) {
3588 			switch (cmh.cmsg_type) {
3589 			case SCTP_INIT:
3590 				if (cmsg_data_len < (int)sizeof(struct sctp_initmsg)) {
3591 					*error = EINVAL;
3592 					return (1);
3593 				}
3594 				m_copydata(control, cmsg_data_off, sizeof(struct sctp_initmsg), (caddr_t)&initmsg);
3595 				if (initmsg.sinit_max_attempts)
3596 					stcb->asoc.max_init_times = initmsg.sinit_max_attempts;
3597 				if (initmsg.sinit_num_ostreams)
3598 					stcb->asoc.pre_open_streams = initmsg.sinit_num_ostreams;
3599 				if (initmsg.sinit_max_instreams)
3600 					stcb->asoc.max_inbound_streams = initmsg.sinit_max_instreams;
3601 				if (initmsg.sinit_max_init_timeo)
3602 					stcb->asoc.initial_init_rto_max = initmsg.sinit_max_init_timeo;
3603 				if (stcb->asoc.streamoutcnt < stcb->asoc.pre_open_streams) {
3604 					struct sctp_stream_out *tmp_str;
3605 					unsigned int i;
3606 #if defined(SCTP_DETAILED_STR_STATS)
3607 					int j;
3608 #endif
3609 
3610 					/* Default is NOT correct */
3611 					SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, default:%d pre_open:%d\n",
3612 					    stcb->asoc.streamoutcnt, stcb->asoc.pre_open_streams);
3613 					SCTP_TCB_UNLOCK(stcb);
3614 					SCTP_MALLOC(tmp_str,
3615 					    struct sctp_stream_out *,
3616 					    (stcb->asoc.pre_open_streams * sizeof(struct sctp_stream_out)),
3617 					    SCTP_M_STRMO);
3618 					SCTP_TCB_LOCK(stcb);
3619 					if (tmp_str != NULL) {
3620 						SCTP_FREE(stcb->asoc.strmout, SCTP_M_STRMO);
3621 						stcb->asoc.strmout = tmp_str;
3622 						stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt = stcb->asoc.pre_open_streams;
3623 					} else {
3624 						stcb->asoc.pre_open_streams = stcb->asoc.streamoutcnt;
3625 					}
3626 					for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3627 						TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
3628 						stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], NULL);
3629 						stcb->asoc.strmout[i].chunks_on_queues = 0;
3630 #if defined(SCTP_DETAILED_STR_STATS)
3631 						for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
3632 							stcb->asoc.strmout[i].abandoned_sent[j] = 0;
3633 							stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
3634 						}
3635 #else
3636 						stcb->asoc.strmout[i].abandoned_sent[0] = 0;
3637 						stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
3638 #endif
3639 						stcb->asoc.strmout[i].next_mid_ordered = 0;
3640 						stcb->asoc.strmout[i].next_mid_unordered = 0;
3641 						stcb->asoc.strmout[i].sid = i;
3642 						stcb->asoc.strmout[i].last_msg_incomplete = 0;
3643 						stcb->asoc.strmout[i].state = SCTP_STREAM_OPENING;
3644 					}
3645 				}
3646 				break;
3647 #ifdef INET
3648 			case SCTP_DSTADDRV4:
3649 				if (cmsg_data_len < (int)sizeof(struct in_addr)) {
3650 					*error = EINVAL;
3651 					return (1);
3652 				}
3653 				memset(&sin, 0, sizeof(struct sockaddr_in));
3654 				sin.sin_family = AF_INET;
3655 				sin.sin_len = sizeof(struct sockaddr_in);
3656 				sin.sin_port = stcb->rport;
3657 				m_copydata(control, cmsg_data_off, sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3658 				if (in_broadcast(sin.sin_addr) ||
3659 				    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3660 					*error = EINVAL;
3661 					return (1);
3662 				}
3663 				if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL, stcb->asoc.port,
3664 				    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3665 					*error = ENOBUFS;
3666 					return (1);
3667 				}
3668 				break;
3669 #endif
3670 #ifdef INET6
3671 			case SCTP_DSTADDRV6:
3672 				if (cmsg_data_len < (int)sizeof(struct in6_addr)) {
3673 					*error = EINVAL;
3674 					return (1);
3675 				}
3676 				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3677 				sin6.sin6_family = AF_INET6;
3678 				sin6.sin6_len = sizeof(struct sockaddr_in6);
3679 				sin6.sin6_port = stcb->rport;
3680 				m_copydata(control, cmsg_data_off, sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3681 				if (IN6_IS_ADDR_UNSPECIFIED(&sin6.sin6_addr) ||
3682 				    IN6_IS_ADDR_MULTICAST(&sin6.sin6_addr)) {
3683 					*error = EINVAL;
3684 					return (1);
3685 				}
3686 #ifdef INET
3687 				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3688 					in6_sin6_2_sin(&sin, &sin6);
3689 					if (in_broadcast(sin.sin_addr) ||
3690 					    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3691 						*error = EINVAL;
3692 						return (1);
3693 					}
3694 					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL, stcb->asoc.port,
3695 					    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3696 						*error = ENOBUFS;
3697 						return (1);
3698 					}
3699 				} else
3700 #endif
3701 					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin6, NULL, stcb->asoc.port,
3702 				    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3703 					*error = ENOBUFS;
3704 					return (1);
3705 				}
3706 				break;
3707 #endif
3708 			default:
3709 				break;
3710 			}
3711 		}
3712 	}
3713 	return (0);
3714 }
3715 
3716 #if defined(INET) || defined(INET6)
3717 static struct sctp_tcb *
3718 sctp_findassociation_cmsgs(struct sctp_inpcb **inp_p,
3719     uint16_t port,
3720     struct mbuf *control,
3721     struct sctp_nets **net_p,
3722     int *error)
3723 {
3724 	struct cmsghdr cmh;
3725 	struct sctp_tcb *stcb;
3726 	struct sockaddr *addr;
3727 #ifdef INET
3728 	struct sockaddr_in sin;
3729 #endif
3730 #ifdef INET6
3731 	struct sockaddr_in6 sin6;
3732 #endif
3733 	int tot_len, rem_len, cmsg_data_len, cmsg_data_off, off;
3734 
3735 	tot_len = SCTP_BUF_LEN(control);
3736 	for (off = 0; off < tot_len; off += CMSG_ALIGN(cmh.cmsg_len)) {
3737 		rem_len = tot_len - off;
3738 		if (rem_len < (int)CMSG_ALIGN(sizeof(cmh))) {
3739 			/* There is not enough room for one more. */
3740 			*error = EINVAL;
3741 			return (NULL);
3742 		}
3743 		m_copydata(control, off, sizeof(cmh), (caddr_t)&cmh);
3744 		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3745 			/* We dont't have a complete CMSG header. */
3746 			*error = EINVAL;
3747 			return (NULL);
3748 		}
3749 		if ((cmh.cmsg_len > INT_MAX) || ((int)cmh.cmsg_len > rem_len)) {
3750 			/* We don't have the complete CMSG. */
3751 			*error = EINVAL;
3752 			return (NULL);
3753 		}
3754 		cmsg_data_len = (int)cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh));
3755 		cmsg_data_off = off + CMSG_ALIGN(sizeof(cmh));
3756 		if (cmh.cmsg_level == IPPROTO_SCTP) {
3757 			switch (cmh.cmsg_type) {
3758 #ifdef INET
3759 			case SCTP_DSTADDRV4:
3760 				if (cmsg_data_len < (int)sizeof(struct in_addr)) {
3761 					*error = EINVAL;
3762 					return (NULL);
3763 				}
3764 				memset(&sin, 0, sizeof(struct sockaddr_in));
3765 				sin.sin_family = AF_INET;
3766 				sin.sin_len = sizeof(struct sockaddr_in);
3767 				sin.sin_port = port;
3768 				m_copydata(control, cmsg_data_off, sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3769 				addr = (struct sockaddr *)&sin;
3770 				break;
3771 #endif
3772 #ifdef INET6
3773 			case SCTP_DSTADDRV6:
3774 				if (cmsg_data_len < (int)sizeof(struct in6_addr)) {
3775 					*error = EINVAL;
3776 					return (NULL);
3777 				}
3778 				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3779 				sin6.sin6_family = AF_INET6;
3780 				sin6.sin6_len = sizeof(struct sockaddr_in6);
3781 				sin6.sin6_port = port;
3782 				m_copydata(control, cmsg_data_off, sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3783 #ifdef INET
3784 				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3785 					in6_sin6_2_sin(&sin, &sin6);
3786 					addr = (struct sockaddr *)&sin;
3787 				} else
3788 #endif
3789 					addr = (struct sockaddr *)&sin6;
3790 				break;
3791 #endif
3792 			default:
3793 				addr = NULL;
3794 				break;
3795 			}
3796 			if (addr) {
3797 				stcb = sctp_findassociation_ep_addr(inp_p, addr, net_p, NULL, NULL);
3798 				if (stcb != NULL) {
3799 					return (stcb);
3800 				}
3801 			}
3802 		}
3803 	}
3804 	return (NULL);
3805 }
3806 #endif
3807 
3808 static struct mbuf *
3809 sctp_add_cookie(struct mbuf *init, int init_offset,
3810     struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t **signature)
3811 {
3812 	struct mbuf *copy_init, *copy_initack, *m_at, *sig, *mret;
3813 	struct sctp_state_cookie *stc;
3814 	struct sctp_paramhdr *ph;
3815 	uint16_t cookie_sz;
3816 
3817 	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
3818 	    sizeof(struct sctp_paramhdr)), 0,
3819 	    M_NOWAIT, 1, MT_DATA);
3820 	if (mret == NULL) {
3821 		return (NULL);
3822 	}
3823 	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_NOWAIT);
3824 	if (copy_init == NULL) {
3825 		sctp_m_freem(mret);
3826 		return (NULL);
3827 	}
3828 #ifdef SCTP_MBUF_LOGGING
3829 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3830 		sctp_log_mbc(copy_init, SCTP_MBUF_ICOPY);
3831 	}
3832 #endif
3833 	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
3834 	    M_NOWAIT);
3835 	if (copy_initack == NULL) {
3836 		sctp_m_freem(mret);
3837 		sctp_m_freem(copy_init);
3838 		return (NULL);
3839 	}
3840 #ifdef SCTP_MBUF_LOGGING
3841 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3842 		sctp_log_mbc(copy_initack, SCTP_MBUF_ICOPY);
3843 	}
3844 #endif
3845 	/* easy side we just drop it on the end */
3846 	ph = mtod(mret, struct sctp_paramhdr *);
3847 	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
3848 	    sizeof(struct sctp_paramhdr);
3849 	stc = (struct sctp_state_cookie *)((caddr_t)ph +
3850 	    sizeof(struct sctp_paramhdr));
3851 	ph->param_type = htons(SCTP_STATE_COOKIE);
3852 	ph->param_length = 0;	/* fill in at the end */
3853 	/* Fill in the stc cookie data */
3854 	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));
3855 
3856 	/* tack the INIT and then the INIT-ACK onto the chain */
3857 	cookie_sz = 0;
3858 	for (m_at = mret; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3859 		cookie_sz += SCTP_BUF_LEN(m_at);
3860 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3861 			SCTP_BUF_NEXT(m_at) = copy_init;
3862 			break;
3863 		}
3864 	}
3865 	for (m_at = copy_init; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3866 		cookie_sz += SCTP_BUF_LEN(m_at);
3867 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3868 			SCTP_BUF_NEXT(m_at) = copy_initack;
3869 			break;
3870 		}
3871 	}
3872 	for (m_at = copy_initack; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3873 		cookie_sz += SCTP_BUF_LEN(m_at);
3874 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3875 			break;
3876 		}
3877 	}
3878 	sig = sctp_get_mbuf_for_msg(SCTP_SIGNATURE_SIZE, 0, M_NOWAIT, 1, MT_DATA);
3879 	if (sig == NULL) {
3880 		/* no space, so free the entire chain */
3881 		sctp_m_freem(mret);
3882 		return (NULL);
3883 	}
3884 	SCTP_BUF_NEXT(m_at) = sig;
3885 	SCTP_BUF_LEN(sig) = SCTP_SIGNATURE_SIZE;
3886 	cookie_sz += SCTP_SIGNATURE_SIZE;
3887 	ph->param_length = htons(cookie_sz);
3888 	*signature = (uint8_t *)mtod(sig, caddr_t);
3889 	memset(*signature, 0, SCTP_SIGNATURE_SIZE);
3890 	return (mret);
3891 }
3892 
3893 static uint8_t
3894 sctp_get_ect(struct sctp_tcb *stcb)
3895 {
3896 	if ((stcb != NULL) && (stcb->asoc.ecn_supported == 1)) {
3897 		return (SCTP_ECT0_BIT);
3898 	} else {
3899 		return (0);
3900 	}
3901 }
3902 
3903 #if defined(INET) || defined(INET6)
3904 static void
3905 sctp_handle_no_route(struct sctp_tcb *stcb,
3906     struct sctp_nets *net,
3907     int so_locked)
3908 {
3909 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "dropped packet - no valid source addr\n");
3910 
3911 	if (net) {
3912 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination was ");
3913 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1, &net->ro._l_addr.sa);
3914 		if (net->dest_state & SCTP_ADDR_CONFIRMED) {
3915 			if ((net->dest_state & SCTP_ADDR_REACHABLE) && stcb) {
3916 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", (void *)net);
3917 				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
3918 				    stcb, 0,
3919 				    (void *)net,
3920 				    so_locked);
3921 				net->dest_state &= ~SCTP_ADDR_REACHABLE;
3922 				net->dest_state &= ~SCTP_ADDR_PF;
3923 			}
3924 		}
3925 		if (stcb) {
3926 			if (net == stcb->asoc.primary_destination) {
3927 				/* need a new primary */
3928 				struct sctp_nets *alt;
3929 
3930 				alt = sctp_find_alternate_net(stcb, net, 0);
3931 				if (alt != net) {
3932 					if (stcb->asoc.alternate) {
3933 						sctp_free_remote_addr(stcb->asoc.alternate);
3934 					}
3935 					stcb->asoc.alternate = alt;
3936 					atomic_add_int(&stcb->asoc.alternate->ref_count, 1);
3937 					if (net->ro._s_addr) {
3938 						sctp_free_ifa(net->ro._s_addr);
3939 						net->ro._s_addr = NULL;
3940 					}
3941 					net->src_addr_selected = 0;
3942 				}
3943 			}
3944 		}
3945 	}
3946 }
3947 #endif
3948 
3949 static int
3950 sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
3951     struct sctp_tcb *stcb,	/* may be NULL */
3952     struct sctp_nets *net,
3953     struct sockaddr *to,
3954     struct mbuf *m,
3955     uint32_t auth_offset,
3956     struct sctp_auth_chunk *auth,
3957     uint16_t auth_keyid,
3958     int nofragment_flag,
3959     int ecn_ok,
3960     int out_of_asoc_ok,
3961     uint16_t src_port,
3962     uint16_t dest_port,
3963     uint32_t v_tag,
3964     uint16_t port,
3965     union sctp_sockstore *over_addr,
3966     uint8_t mflowtype, uint32_t mflowid,
3967     bool use_zero_crc,
3968     int so_locked)
3969 {
3970 /* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
3971 	/**
3972 	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet header
3973 	 * WITH an SCTPHDR but no IP header, endpoint inp and sa structure:
3974 	 * - fill in the HMAC digest of any AUTH chunk in the packet.
3975 	 * - calculate and fill in the SCTP checksum.
3976 	 * - prepend an IP address header.
3977 	 * - if boundall use INADDR_ANY.
3978 	 * - if boundspecific do source address selection.
3979 	 * - set fragmentation option for ipV4.
3980 	 * - On return from IP output, check/adjust mtu size of output
3981 	 *   interface and smallest_mtu size as well.
3982 	 */
3983 	/* Will need ifdefs around this */
3984 	struct mbuf *newm;
3985 	struct sctphdr *sctphdr;
3986 	int packet_length;
3987 	int ret;
3988 #if defined(INET) || defined(INET6)
3989 	uint32_t vrf_id;
3990 #endif
3991 #if defined(INET) || defined(INET6)
3992 	struct mbuf *o_pak;
3993 	sctp_route_t *ro = NULL;
3994 	struct udphdr *udp = NULL;
3995 #endif
3996 	uint8_t tos_value;
3997 
3998 	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
3999 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4000 		sctp_m_freem(m);
4001 		return (EFAULT);
4002 	}
4003 #if defined(INET) || defined(INET6)
4004 	if (stcb) {
4005 		vrf_id = stcb->asoc.vrf_id;
4006 	} else {
4007 		vrf_id = inp->def_vrf_id;
4008 	}
4009 #endif
4010 	/* fill in the HMAC digest for any AUTH chunk in the packet */
4011 	if ((auth != NULL) && (stcb != NULL)) {
4012 		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
4013 	}
4014 
4015 	if (net) {
4016 		tos_value = net->dscp;
4017 	} else if (stcb) {
4018 		tos_value = stcb->asoc.default_dscp;
4019 	} else {
4020 		tos_value = inp->sctp_ep.default_dscp;
4021 	}
4022 
4023 	switch (to->sa_family) {
4024 #ifdef INET
4025 	case AF_INET:
4026 		{
4027 			struct ip *ip = NULL;
4028 			sctp_route_t iproute;
4029 			int len;
4030 
4031 			len = SCTP_MIN_V4_OVERHEAD;
4032 			if (port) {
4033 				len += sizeof(struct udphdr);
4034 			}
4035 			newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4036 			if (newm == NULL) {
4037 				sctp_m_freem(m);
4038 				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4039 				return (ENOMEM);
4040 			}
4041 			SCTP_ALIGN_TO_END(newm, len);
4042 			SCTP_BUF_LEN(newm) = len;
4043 			SCTP_BUF_NEXT(newm) = m;
4044 			m = newm;
4045 			if (net != NULL) {
4046 				m->m_pkthdr.flowid = net->flowid;
4047 				M_HASHTYPE_SET(m, net->flowtype);
4048 			} else {
4049 				m->m_pkthdr.flowid = mflowid;
4050 				M_HASHTYPE_SET(m, mflowtype);
4051 			}
4052 			packet_length = sctp_calculate_len(m);
4053 			ip = mtod(m, struct ip *);
4054 			ip->ip_v = IPVERSION;
4055 			ip->ip_hl = (sizeof(struct ip) >> 2);
4056 			if (tos_value == 0) {
4057 				/*
4058 				 * This means especially, that it is not set
4059 				 * at the SCTP layer. So use the value from
4060 				 * the IP layer.
4061 				 */
4062 				tos_value = inp->ip_inp.inp.inp_ip_tos;
4063 			}
4064 			tos_value &= 0xfc;
4065 			if (ecn_ok) {
4066 				tos_value |= sctp_get_ect(stcb);
4067 			}
4068 			if ((nofragment_flag) && (port == 0)) {
4069 				ip->ip_off = htons(IP_DF);
4070 			} else {
4071 				ip->ip_off = htons(0);
4072 			}
4073 			/* FreeBSD has a function for ip_id's */
4074 			ip_fillid(ip, V_ip_random_id);
4075 
4076 			ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
4077 			ip->ip_len = htons(packet_length);
4078 			ip->ip_tos = tos_value;
4079 			if (port) {
4080 				ip->ip_p = IPPROTO_UDP;
4081 			} else {
4082 				ip->ip_p = IPPROTO_SCTP;
4083 			}
4084 			ip->ip_sum = 0;
4085 			if (net == NULL) {
4086 				ro = &iproute;
4087 				memset(&iproute, 0, sizeof(iproute));
4088 				memcpy(&ro->ro_dst, to, to->sa_len);
4089 			} else {
4090 				ro = (sctp_route_t *)&net->ro;
4091 			}
4092 			/* Now the address selection part */
4093 			ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
4094 
4095 			/* call the routine to select the src address */
4096 			if (net && out_of_asoc_ok == 0) {
4097 				if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
4098 					sctp_free_ifa(net->ro._s_addr);
4099 					net->ro._s_addr = NULL;
4100 					net->src_addr_selected = 0;
4101 					RO_NHFREE(ro);
4102 				}
4103 				if (net->src_addr_selected == 0) {
4104 					/* Cache the source address */
4105 					net->ro._s_addr = sctp_source_address_selection(inp, stcb,
4106 					    ro, net, 0,
4107 					    vrf_id);
4108 					net->src_addr_selected = 1;
4109 				}
4110 				if (net->ro._s_addr == NULL) {
4111 					/* No route to host */
4112 					net->src_addr_selected = 0;
4113 					sctp_handle_no_route(stcb, net, so_locked);
4114 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4115 					sctp_m_freem(m);
4116 					return (EHOSTUNREACH);
4117 				}
4118 				ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
4119 			} else {
4120 				if (over_addr == NULL) {
4121 					struct sctp_ifa *_lsrc;
4122 
4123 					_lsrc = sctp_source_address_selection(inp, stcb, ro,
4124 					    net,
4125 					    out_of_asoc_ok,
4126 					    vrf_id);
4127 					if (_lsrc == NULL) {
4128 						sctp_handle_no_route(stcb, net, so_locked);
4129 						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4130 						sctp_m_freem(m);
4131 						return (EHOSTUNREACH);
4132 					}
4133 					ip->ip_src = _lsrc->address.sin.sin_addr;
4134 					sctp_free_ifa(_lsrc);
4135 				} else {
4136 					ip->ip_src = over_addr->sin.sin_addr;
4137 					SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
4138 				}
4139 			}
4140 			if (port) {
4141 				if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4142 					sctp_handle_no_route(stcb, net, so_locked);
4143 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4144 					sctp_m_freem(m);
4145 					return (EHOSTUNREACH);
4146 				}
4147 				udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
4148 				udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4149 				udp->uh_dport = port;
4150 				udp->uh_ulen = htons((uint16_t)(packet_length - sizeof(struct ip)));
4151 				if (V_udp_cksum) {
4152 					udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4153 				} else {
4154 					udp->uh_sum = 0;
4155 				}
4156 				sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4157 			} else {
4158 				sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
4159 			}
4160 
4161 			sctphdr->src_port = src_port;
4162 			sctphdr->dest_port = dest_port;
4163 			sctphdr->v_tag = v_tag;
4164 			sctphdr->checksum = 0;
4165 
4166 			/*
4167 			 * If source address selection fails and we find no
4168 			 * route then the ip_output should fail as well with
4169 			 * a NO_ROUTE_TO_HOST type error. We probably should
4170 			 * catch that somewhere and abort the association
4171 			 * right away (assuming this is an INIT being sent).
4172 			 */
4173 			if (ro->ro_nh == NULL) {
4174 				/*
4175 				 * src addr selection failed to find a route
4176 				 * (or valid source addr), so we can't get
4177 				 * there from here (yet)!
4178 				 */
4179 				sctp_handle_no_route(stcb, net, so_locked);
4180 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4181 				sctp_m_freem(m);
4182 				return (EHOSTUNREACH);
4183 			}
4184 			if (ro != &iproute) {
4185 				memcpy(&iproute, ro, sizeof(*ro));
4186 			}
4187 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
4188 			    (uint32_t)(ntohl(ip->ip_src.s_addr)));
4189 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
4190 			    (uint32_t)(ntohl(ip->ip_dst.s_addr)));
4191 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
4192 			    (void *)ro->ro_nh);
4193 
4194 			if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4195 				/* failed to prepend data, give up */
4196 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4197 				sctp_m_freem(m);
4198 				return (ENOMEM);
4199 			}
4200 			SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4201 			if (port) {
4202 				if (use_zero_crc) {
4203 					SCTP_STAT_INCR(sctps_sendzerocrc);
4204 				} else {
4205 					sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
4206 					SCTP_STAT_INCR(sctps_sendswcrc);
4207 				}
4208 				if (V_udp_cksum) {
4209 					SCTP_ENABLE_UDP_CSUM(o_pak);
4210 				}
4211 			} else {
4212 				if (use_zero_crc) {
4213 					SCTP_STAT_INCR(sctps_sendzerocrc);
4214 				} else {
4215 					m->m_pkthdr.csum_flags = CSUM_SCTP;
4216 					m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4217 					SCTP_STAT_INCR(sctps_sendhwcrc);
4218 				}
4219 			}
4220 #ifdef SCTP_PACKET_LOGGING
4221 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4222 				sctp_packet_log(o_pak);
4223 #endif
4224 			/* send it out.  table id is taken from stcb */
4225 			SCTP_PROBE5(send, NULL, stcb, ip, stcb, sctphdr);
4226 			SCTP_IP_OUTPUT(ret, o_pak, ro, inp, vrf_id);
4227 			if (port) {
4228 				UDPSTAT_INC(udps_opackets);
4229 			}
4230 			SCTP_STAT_INCR(sctps_sendpackets);
4231 			SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4232 			if (ret)
4233 				SCTP_STAT_INCR(sctps_senderrors);
4234 
4235 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
4236 			if (net == NULL) {
4237 				/* free tempy routes */
4238 				RO_NHFREE(ro);
4239 			} else {
4240 				if ((ro->ro_nh != NULL) && (net->ro._s_addr) &&
4241 				    ((net->dest_state & SCTP_ADDR_NO_PMTUD) == 0)) {
4242 					uint32_t mtu;
4243 
4244 					mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_nh);
4245 					if (mtu > 0) {
4246 						if (net->port) {
4247 							mtu -= sizeof(struct udphdr);
4248 						}
4249 						if (mtu < net->mtu) {
4250 							net->mtu = mtu;
4251 							if ((stcb != NULL) && (stcb->asoc.smallest_mtu > mtu)) {
4252 								sctp_pathmtu_adjustment(stcb, mtu, true);
4253 							}
4254 						}
4255 					}
4256 				} else if (ro->ro_nh == NULL) {
4257 					/* route was freed */
4258 					if (net->ro._s_addr &&
4259 					    net->src_addr_selected) {
4260 						sctp_free_ifa(net->ro._s_addr);
4261 						net->ro._s_addr = NULL;
4262 					}
4263 					net->src_addr_selected = 0;
4264 				}
4265 			}
4266 			return (ret);
4267 		}
4268 #endif
4269 #ifdef INET6
4270 	case AF_INET6:
4271 		{
4272 			uint32_t flowlabel, flowinfo;
4273 			struct ip6_hdr *ip6h;
4274 			struct route_in6 ip6route;
4275 			struct ifnet *ifp;
4276 			struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
4277 			int prev_scope = 0;
4278 			struct sockaddr_in6 lsa6_storage;
4279 			int error;
4280 			u_short prev_port = 0;
4281 			int len;
4282 
4283 			if (net) {
4284 				flowlabel = net->flowlabel;
4285 			} else if (stcb) {
4286 				flowlabel = stcb->asoc.default_flowlabel;
4287 			} else {
4288 				flowlabel = inp->sctp_ep.default_flowlabel;
4289 			}
4290 			if (flowlabel == 0) {
4291 				/*
4292 				 * This means especially, that it is not set
4293 				 * at the SCTP layer. So use the value from
4294 				 * the IP layer.
4295 				 */
4296 				flowlabel = ntohl(((struct inpcb *)inp)->inp_flow);
4297 			}
4298 			flowlabel &= 0x000fffff;
4299 			len = SCTP_MIN_OVERHEAD;
4300 			if (port) {
4301 				len += sizeof(struct udphdr);
4302 			}
4303 			newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4304 			if (newm == NULL) {
4305 				sctp_m_freem(m);
4306 				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4307 				return (ENOMEM);
4308 			}
4309 			SCTP_ALIGN_TO_END(newm, len);
4310 			SCTP_BUF_LEN(newm) = len;
4311 			SCTP_BUF_NEXT(newm) = m;
4312 			m = newm;
4313 			if (net != NULL) {
4314 				m->m_pkthdr.flowid = net->flowid;
4315 				M_HASHTYPE_SET(m, net->flowtype);
4316 			} else {
4317 				m->m_pkthdr.flowid = mflowid;
4318 				M_HASHTYPE_SET(m, mflowtype);
4319 			}
4320 			packet_length = sctp_calculate_len(m);
4321 
4322 			ip6h = mtod(m, struct ip6_hdr *);
4323 			/* protect *sin6 from overwrite */
4324 			sin6 = (struct sockaddr_in6 *)to;
4325 			tmp = *sin6;
4326 			sin6 = &tmp;
4327 
4328 			/* KAME hack: embed scopeid */
4329 			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4330 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4331 				sctp_m_freem(m);
4332 				return (EINVAL);
4333 			}
4334 			if (net == NULL) {
4335 				memset(&ip6route, 0, sizeof(ip6route));
4336 				ro = (sctp_route_t *)&ip6route;
4337 				memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
4338 			} else {
4339 				ro = (sctp_route_t *)&net->ro;
4340 			}
4341 			/*
4342 			 * We assume here that inp_flow is in host byte
4343 			 * order within the TCB!
4344 			 */
4345 			if (tos_value == 0) {
4346 				/*
4347 				 * This means especially, that it is not set
4348 				 * at the SCTP layer. So use the value from
4349 				 * the IP layer.
4350 				 */
4351 				tos_value = (ntohl(((struct inpcb *)inp)->inp_flow) >> 20) & 0xff;
4352 			}
4353 			tos_value &= 0xfc;
4354 			if (ecn_ok) {
4355 				tos_value |= sctp_get_ect(stcb);
4356 			}
4357 			flowinfo = 0x06;
4358 			flowinfo <<= 8;
4359 			flowinfo |= tos_value;
4360 			flowinfo <<= 20;
4361 			flowinfo |= flowlabel;
4362 			ip6h->ip6_flow = htonl(flowinfo);
4363 			if (port) {
4364 				ip6h->ip6_nxt = IPPROTO_UDP;
4365 			} else {
4366 				ip6h->ip6_nxt = IPPROTO_SCTP;
4367 			}
4368 			ip6h->ip6_plen = htons((uint16_t)(packet_length - sizeof(struct ip6_hdr)));
4369 			ip6h->ip6_dst = sin6->sin6_addr;
4370 
4371 			/*
4372 			 * Add SRC address selection here: we can only reuse
4373 			 * to a limited degree the kame src-addr-sel, since
4374 			 * we can try their selection but it may not be
4375 			 * bound.
4376 			 */
4377 			memset(&lsa6_tmp, 0, sizeof(lsa6_tmp));
4378 			lsa6_tmp.sin6_family = AF_INET6;
4379 			lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
4380 			lsa6 = &lsa6_tmp;
4381 			if (net && out_of_asoc_ok == 0) {
4382 				if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
4383 					sctp_free_ifa(net->ro._s_addr);
4384 					net->ro._s_addr = NULL;
4385 					net->src_addr_selected = 0;
4386 					RO_NHFREE(ro);
4387 				}
4388 				if (net->src_addr_selected == 0) {
4389 					sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4390 					/* KAME hack: embed scopeid */
4391 					if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4392 						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4393 						sctp_m_freem(m);
4394 						return (EINVAL);
4395 					}
4396 					/* Cache the source address */
4397 					net->ro._s_addr = sctp_source_address_selection(inp,
4398 					    stcb,
4399 					    ro,
4400 					    net,
4401 					    0,
4402 					    vrf_id);
4403 					(void)sa6_recoverscope(sin6);
4404 					net->src_addr_selected = 1;
4405 				}
4406 				if (net->ro._s_addr == NULL) {
4407 					SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
4408 					net->src_addr_selected = 0;
4409 					sctp_handle_no_route(stcb, net, so_locked);
4410 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4411 					sctp_m_freem(m);
4412 					return (EHOSTUNREACH);
4413 				}
4414 				lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
4415 			} else {
4416 				sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
4417 				/* KAME hack: embed scopeid */
4418 				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4419 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4420 					sctp_m_freem(m);
4421 					return (EINVAL);
4422 				}
4423 				if (over_addr == NULL) {
4424 					struct sctp_ifa *_lsrc;
4425 
4426 					_lsrc = sctp_source_address_selection(inp, stcb, ro,
4427 					    net,
4428 					    out_of_asoc_ok,
4429 					    vrf_id);
4430 					if (_lsrc == NULL) {
4431 						sctp_handle_no_route(stcb, net, so_locked);
4432 						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4433 						sctp_m_freem(m);
4434 						return (EHOSTUNREACH);
4435 					}
4436 					lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
4437 					sctp_free_ifa(_lsrc);
4438 				} else {
4439 					lsa6->sin6_addr = over_addr->sin6.sin6_addr;
4440 					SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
4441 				}
4442 				(void)sa6_recoverscope(sin6);
4443 			}
4444 			lsa6->sin6_port = inp->sctp_lport;
4445 
4446 			if (ro->ro_nh == NULL) {
4447 				/*
4448 				 * src addr selection failed to find a route
4449 				 * (or valid source addr), so we can't get
4450 				 * there from here!
4451 				 */
4452 				sctp_handle_no_route(stcb, net, so_locked);
4453 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4454 				sctp_m_freem(m);
4455 				return (EHOSTUNREACH);
4456 			}
4457 			/*
4458 			 * XXX: sa6 may not have a valid sin6_scope_id in
4459 			 * the non-SCOPEDROUTING case.
4460 			 */
4461 			memset(&lsa6_storage, 0, sizeof(lsa6_storage));
4462 			lsa6_storage.sin6_family = AF_INET6;
4463 			lsa6_storage.sin6_len = sizeof(lsa6_storage);
4464 			lsa6_storage.sin6_addr = lsa6->sin6_addr;
4465 			if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
4466 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
4467 				sctp_m_freem(m);
4468 				return (error);
4469 			}
4470 			/* XXX */
4471 			lsa6_storage.sin6_addr = lsa6->sin6_addr;
4472 			lsa6_storage.sin6_port = inp->sctp_lport;
4473 			lsa6 = &lsa6_storage;
4474 			ip6h->ip6_src = lsa6->sin6_addr;
4475 
4476 			if (port) {
4477 				if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4478 					sctp_handle_no_route(stcb, net, so_locked);
4479 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4480 					sctp_m_freem(m);
4481 					return (EHOSTUNREACH);
4482 				}
4483 				udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4484 				udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4485 				udp->uh_dport = port;
4486 				udp->uh_ulen = htons((uint16_t)(packet_length - sizeof(struct ip6_hdr)));
4487 				udp->uh_sum = 0;
4488 				sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4489 			} else {
4490 				sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4491 			}
4492 
4493 			sctphdr->src_port = src_port;
4494 			sctphdr->dest_port = dest_port;
4495 			sctphdr->v_tag = v_tag;
4496 			sctphdr->checksum = 0;
4497 
4498 			/*
4499 			 * We set the hop limit now since there is a good
4500 			 * chance that our ro pointer is now filled
4501 			 */
4502 			ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
4503 			ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
4504 
4505 #ifdef SCTP_DEBUG
4506 			/* Copy to be sure something bad is not happening */
4507 			sin6->sin6_addr = ip6h->ip6_dst;
4508 			lsa6->sin6_addr = ip6h->ip6_src;
4509 #endif
4510 
4511 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4512 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4513 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4514 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4515 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4516 			if (net) {
4517 				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4518 				/*
4519 				 * preserve the port and scope for link
4520 				 * local send
4521 				 */
4522 				prev_scope = sin6->sin6_scope_id;
4523 				prev_port = sin6->sin6_port;
4524 			}
4525 
4526 			if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4527 				/* failed to prepend data, give up */
4528 				sctp_m_freem(m);
4529 				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4530 				return (ENOMEM);
4531 			}
4532 			SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4533 			if (port) {
4534 				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4535 				SCTP_STAT_INCR(sctps_sendswcrc);
4536 				if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4537 					udp->uh_sum = 0xffff;
4538 				}
4539 			} else {
4540 				m->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
4541 				m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4542 				SCTP_STAT_INCR(sctps_sendhwcrc);
4543 			}
4544 			/* send it out. table id is taken from stcb */
4545 #ifdef SCTP_PACKET_LOGGING
4546 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4547 				sctp_packet_log(o_pak);
4548 #endif
4549 			SCTP_PROBE5(send, NULL, stcb, ip6h, stcb, sctphdr);
4550 			SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, inp, vrf_id);
4551 			if (net) {
4552 				/* for link local this must be done */
4553 				sin6->sin6_scope_id = prev_scope;
4554 				sin6->sin6_port = prev_port;
4555 			}
4556 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4557 			if (port) {
4558 				UDPSTAT_INC(udps_opackets);
4559 			}
4560 			SCTP_STAT_INCR(sctps_sendpackets);
4561 			SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4562 			if (ret) {
4563 				SCTP_STAT_INCR(sctps_senderrors);
4564 			}
4565 			if (net == NULL) {
4566 				/* Now if we had a temp route free it */
4567 				RO_NHFREE(ro);
4568 			} else {
4569 				/*
4570 				 * PMTU check versus smallest asoc MTU goes
4571 				 * here
4572 				 */
4573 				if (ro->ro_nh == NULL) {
4574 					/* Route was freed */
4575 					if (net->ro._s_addr &&
4576 					    net->src_addr_selected) {
4577 						sctp_free_ifa(net->ro._s_addr);
4578 						net->ro._s_addr = NULL;
4579 					}
4580 					net->src_addr_selected = 0;
4581 				}
4582 				if ((ro->ro_nh != NULL) && (net->ro._s_addr) &&
4583 				    ((net->dest_state & SCTP_ADDR_NO_PMTUD) == 0)) {
4584 					uint32_t mtu;
4585 
4586 					mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_nh);
4587 					if (mtu > 0) {
4588 						if (net->port) {
4589 							mtu -= sizeof(struct udphdr);
4590 						}
4591 						if (mtu < net->mtu) {
4592 							net->mtu = mtu;
4593 							if ((stcb != NULL) && (stcb->asoc.smallest_mtu > mtu)) {
4594 								sctp_pathmtu_adjustment(stcb, mtu, false);
4595 							}
4596 						}
4597 					}
4598 				} else if (ifp != NULL) {
4599 					if ((ND_IFINFO(ifp)->linkmtu > 0) &&
4600 					    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4601 						sctp_pathmtu_adjustment(stcb, ND_IFINFO(ifp)->linkmtu, false);
4602 					}
4603 				}
4604 			}
4605 			return (ret);
4606 		}
4607 #endif
4608 	default:
4609 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
4610 		    ((struct sockaddr *)to)->sa_family);
4611 		sctp_m_freem(m);
4612 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4613 		return (EFAULT);
4614 	}
4615 }
4616 
4617 void
4618 sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked)
4619 {
4620 	struct mbuf *m, *m_last;
4621 	struct sctp_nets *net;
4622 	struct sctp_init_chunk *init;
4623 	struct sctp_supported_addr_param *sup_addr;
4624 	struct sctp_adaptation_layer_indication *ali;
4625 	struct sctp_zero_checksum_acceptable *zero_chksum;
4626 	struct sctp_supported_chunk_types_param *pr_supported;
4627 	struct sctp_paramhdr *ph;
4628 	int cnt_inits_to = 0;
4629 	int error;
4630 	uint16_t num_ext, chunk_len, padding_len, parameter_len;
4631 
4632 	/* INIT's always go to the primary (and usually ONLY address) */
4633 	net = stcb->asoc.primary_destination;
4634 	if (net == NULL) {
4635 		net = TAILQ_FIRST(&stcb->asoc.nets);
4636 		if (net == NULL) {
4637 			/* TSNH */
4638 			return;
4639 		}
4640 		/* we confirm any address we send an INIT to */
4641 		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4642 		(void)sctp_set_primary_addr(stcb, NULL, net);
4643 	} else {
4644 		/* we confirm any address we send an INIT to */
4645 		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4646 	}
4647 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
4648 #ifdef INET6
4649 	if (net->ro._l_addr.sa.sa_family == AF_INET6) {
4650 		/*
4651 		 * special hook, if we are sending to link local it will not
4652 		 * show up in our private address count.
4653 		 */
4654 		if (IN6_IS_ADDR_LINKLOCAL(&net->ro._l_addr.sin6.sin6_addr))
4655 			cnt_inits_to = 1;
4656 	}
4657 #endif
4658 	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4659 		/* This case should not happen */
4660 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
4661 		return;
4662 	}
4663 	/* start the INIT timer */
4664 	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
4665 
4666 	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_NOWAIT, 1, MT_DATA);
4667 	if (m == NULL) {
4668 		/* No memory, INIT timer will re-attempt. */
4669 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
4670 		return;
4671 	}
4672 	chunk_len = (uint16_t)sizeof(struct sctp_init_chunk);
4673 	padding_len = 0;
4674 	/* Now lets put the chunk header in place */
4675 	init = mtod(m, struct sctp_init_chunk *);
4676 	/* now the chunk header */
4677 	init->ch.chunk_type = SCTP_INITIATION;
4678 	init->ch.chunk_flags = 0;
4679 	/* fill in later from mbuf we build */
4680 	init->ch.chunk_length = 0;
4681 	/* place in my tag */
4682 	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
4683 	/* set up some of the credits. */
4684 	init->init.a_rwnd = htonl(max(inp->sctp_socket ? SCTP_SB_LIMIT_RCV(inp->sctp_socket) : 0,
4685 	    SCTP_MINIMAL_RWND));
4686 	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
4687 	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
4688 	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);
4689 
4690 	/* Adaptation layer indication parameter */
4691 	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
4692 		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
4693 		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t)+chunk_len);
4694 		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
4695 		ali->ph.param_length = htons(parameter_len);
4696 		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
4697 		chunk_len += parameter_len;
4698 	}
4699 
4700 	/* ECN parameter */
4701 	if (stcb->asoc.ecn_supported == 1) {
4702 		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4703 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4704 		ph->param_type = htons(SCTP_ECN_CAPABLE);
4705 		ph->param_length = htons(parameter_len);
4706 		chunk_len += parameter_len;
4707 	}
4708 
4709 	/* PR-SCTP supported parameter */
4710 	if (stcb->asoc.prsctp_supported == 1) {
4711 		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4712 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4713 		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
4714 		ph->param_length = htons(parameter_len);
4715 		chunk_len += parameter_len;
4716 	}
4717 
4718 	/* Zero checksum acceptable parameter */
4719 	if (stcb->asoc.rcv_edmid != SCTP_EDMID_NONE) {
4720 		parameter_len = (uint16_t)sizeof(struct sctp_zero_checksum_acceptable);
4721 		zero_chksum = (struct sctp_zero_checksum_acceptable *)(mtod(m, caddr_t)+chunk_len);
4722 		zero_chksum->ph.param_type = htons(SCTP_ZERO_CHECKSUM_ACCEPTABLE);
4723 		zero_chksum->ph.param_length = htons(parameter_len);
4724 		zero_chksum->edmid = htonl(stcb->asoc.rcv_edmid);
4725 		chunk_len += parameter_len;
4726 	}
4727 
4728 	/* Add NAT friendly parameter. */
4729 	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
4730 		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4731 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4732 		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
4733 		ph->param_length = htons(parameter_len);
4734 		chunk_len += parameter_len;
4735 	}
4736 
4737 	/* And now tell the peer which extensions we support */
4738 	num_ext = 0;
4739 	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+chunk_len);
4740 	if (stcb->asoc.prsctp_supported == 1) {
4741 		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
4742 		if (stcb->asoc.idata_supported) {
4743 			pr_supported->chunk_types[num_ext++] = SCTP_IFORWARD_CUM_TSN;
4744 		}
4745 	}
4746 	if (stcb->asoc.auth_supported == 1) {
4747 		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
4748 	}
4749 	if (stcb->asoc.asconf_supported == 1) {
4750 		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
4751 		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
4752 	}
4753 	if (stcb->asoc.reconfig_supported == 1) {
4754 		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
4755 	}
4756 	if (stcb->asoc.idata_supported) {
4757 		pr_supported->chunk_types[num_ext++] = SCTP_IDATA;
4758 	}
4759 	if (stcb->asoc.nrsack_supported == 1) {
4760 		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
4761 	}
4762 	if (stcb->asoc.pktdrop_supported == 1) {
4763 		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
4764 	}
4765 	if (num_ext > 0) {
4766 		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
4767 		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
4768 		pr_supported->ph.param_length = htons(parameter_len);
4769 		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4770 		chunk_len += parameter_len;
4771 	}
4772 	/* add authentication parameters */
4773 	if (stcb->asoc.auth_supported) {
4774 		/* attach RANDOM parameter, if available */
4775 		if (stcb->asoc.authinfo.random != NULL) {
4776 			struct sctp_auth_random *randp;
4777 
4778 			if (padding_len > 0) {
4779 				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4780 				chunk_len += padding_len;
4781 				padding_len = 0;
4782 			}
4783 			randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+chunk_len);
4784 			parameter_len = (uint16_t)sizeof(struct sctp_auth_random) + stcb->asoc.authinfo.random_len;
4785 			/* random key already contains the header */
4786 			memcpy(randp, stcb->asoc.authinfo.random->key, parameter_len);
4787 			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4788 			chunk_len += parameter_len;
4789 		}
4790 		/* add HMAC_ALGO parameter */
4791 		if (stcb->asoc.local_hmacs != NULL) {
4792 			struct sctp_auth_hmac_algo *hmacs;
4793 
4794 			if (padding_len > 0) {
4795 				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4796 				chunk_len += padding_len;
4797 				padding_len = 0;
4798 			}
4799 			hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+chunk_len);
4800 			parameter_len = (uint16_t)(sizeof(struct sctp_auth_hmac_algo) +
4801 			    stcb->asoc.local_hmacs->num_algo * sizeof(uint16_t));
4802 			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
4803 			hmacs->ph.param_length = htons(parameter_len);
4804 			sctp_serialize_hmaclist(stcb->asoc.local_hmacs, (uint8_t *)hmacs->hmac_ids);
4805 			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4806 			chunk_len += parameter_len;
4807 		}
4808 		/* add CHUNKS parameter */
4809 		if (stcb->asoc.local_auth_chunks != NULL) {
4810 			struct sctp_auth_chunk_list *chunks;
4811 
4812 			if (padding_len > 0) {
4813 				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4814 				chunk_len += padding_len;
4815 				padding_len = 0;
4816 			}
4817 			chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+chunk_len);
4818 			parameter_len = (uint16_t)(sizeof(struct sctp_auth_chunk_list) +
4819 			    sctp_auth_get_chklist_size(stcb->asoc.local_auth_chunks));
4820 			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
4821 			chunks->ph.param_length = htons(parameter_len);
4822 			sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks, chunks->chunk_types);
4823 			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4824 			chunk_len += parameter_len;
4825 		}
4826 	}
4827 
4828 	/* now any cookie time extensions */
4829 	if (stcb->asoc.cookie_preserve_req > 0) {
4830 		struct sctp_cookie_perserve_param *cookie_preserve;
4831 
4832 		if (padding_len > 0) {
4833 			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4834 			chunk_len += padding_len;
4835 			padding_len = 0;
4836 		}
4837 		parameter_len = (uint16_t)sizeof(struct sctp_cookie_perserve_param);
4838 		cookie_preserve = (struct sctp_cookie_perserve_param *)(mtod(m, caddr_t)+chunk_len);
4839 		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
4840 		cookie_preserve->ph.param_length = htons(parameter_len);
4841 		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
4842 		stcb->asoc.cookie_preserve_req = 0;
4843 		chunk_len += parameter_len;
4844 	}
4845 
4846 	if (stcb->asoc.scope.ipv4_addr_legal || stcb->asoc.scope.ipv6_addr_legal) {
4847 		uint8_t i;
4848 
4849 		if (padding_len > 0) {
4850 			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4851 			chunk_len += padding_len;
4852 			padding_len = 0;
4853 		}
4854 		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4855 		if (stcb->asoc.scope.ipv4_addr_legal) {
4856 			parameter_len += (uint16_t)sizeof(uint16_t);
4857 		}
4858 		if (stcb->asoc.scope.ipv6_addr_legal) {
4859 			parameter_len += (uint16_t)sizeof(uint16_t);
4860 		}
4861 		sup_addr = (struct sctp_supported_addr_param *)(mtod(m, caddr_t)+chunk_len);
4862 		sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
4863 		sup_addr->ph.param_length = htons(parameter_len);
4864 		i = 0;
4865 		if (stcb->asoc.scope.ipv4_addr_legal) {
4866 			sup_addr->addr_type[i++] = htons(SCTP_IPV4_ADDRESS);
4867 		}
4868 		if (stcb->asoc.scope.ipv6_addr_legal) {
4869 			sup_addr->addr_type[i++] = htons(SCTP_IPV6_ADDRESS);
4870 		}
4871 		padding_len = 4 - 2 * i;
4872 		chunk_len += parameter_len;
4873 	}
4874 
4875 	SCTP_BUF_LEN(m) = chunk_len;
4876 	/* now the addresses */
4877 	/*
4878 	 * To optimize this we could put the scoping stuff into a structure
4879 	 * and remove the individual uint8's from the assoc structure. Then
4880 	 * we could just sifa in the address within the stcb. But for now
4881 	 * this is a quick hack to get the address stuff teased apart.
4882 	 */
4883 	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &stcb->asoc.scope,
4884 	    m, cnt_inits_to,
4885 	    &padding_len, &chunk_len);
4886 
4887 	init->ch.chunk_length = htons(chunk_len);
4888 	if (padding_len > 0) {
4889 		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
4890 			sctp_m_freem(m);
4891 			return;
4892 		}
4893 	}
4894 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
4895 	if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
4896 	    (struct sockaddr *)&net->ro._l_addr,
4897 	    m, 0, NULL, 0, 0, 0, 0,
4898 	    inp->sctp_lport, stcb->rport, htonl(0),
4899 	    net->port, NULL,
4900 	    0, 0,
4901 	    false, so_locked))) {
4902 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak send error %d\n", error);
4903 		if (error == ENOBUFS) {
4904 			stcb->asoc.ifp_had_enobuf = 1;
4905 			SCTP_STAT_INCR(sctps_lowlevelerr);
4906 		}
4907 	} else {
4908 		stcb->asoc.ifp_had_enobuf = 0;
4909 	}
4910 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
4911 	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
4912 }
4913 
4914 struct mbuf *
4915 sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
4916     int param_offset, int *abort_processing,
4917     struct sctp_chunkhdr *cp,
4918     int *nat_friendly,
4919     int *cookie_found,
4920     uint32_t *edmid)
4921 {
4922 	/*
4923 	 * Given a mbuf containing an INIT or INIT-ACK with the param_offset
4924 	 * being equal to the beginning of the params i.e. (iphlen +
4925 	 * sizeof(struct sctp_init_msg) parse through the parameters to the
4926 	 * end of the mbuf verifying that all parameters are known.
4927 	 *
4928 	 * For unknown parameters build and return a mbuf with
4929 	 * UNRECOGNIZED_PARAMETER errors. If the flags indicate to stop
4930 	 * processing this chunk stop, and set *abort_processing to 1.
4931 	 *
4932 	 * By having param_offset be pre-set to where parameters begin it is
4933 	 * hoped that this routine may be reused in the future by new
4934 	 * features.
4935 	 */
4936 	struct sctp_zero_checksum_acceptable zero_chksum, *zero_chksum_p;
4937 	struct sctp_paramhdr *phdr, params;
4938 	struct mbuf *mat, *m_tmp, *op_err, *op_err_last;
4939 	int at, limit, pad_needed;
4940 	uint16_t ptype, plen, padded_size;
4941 
4942 	*abort_processing = 0;
4943 	if (cookie_found != NULL) {
4944 		*cookie_found = 0;
4945 	}
4946 	if (edmid != NULL) {
4947 		*edmid = SCTP_EDMID_NONE;
4948 	}
4949 	mat = in_initpkt;
4950 	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
4951 	at = param_offset;
4952 	op_err = NULL;
4953 	op_err_last = NULL;
4954 	pad_needed = 0;
4955 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
4956 	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
4957 	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
4958 		ptype = ntohs(phdr->param_type);
4959 		plen = ntohs(phdr->param_length);
4960 		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
4961 			/* wacked parameter */
4962 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
4963 			goto invalid_size;
4964 		}
4965 		limit -= SCTP_SIZE32(plen);
4966 		/*-
4967 		 * All parameters for all chunks that we know/understand are
4968 		 * listed here. We process them other places and make
4969 		 * appropriate stop actions per the upper bits. However this
4970 		 * is the generic routine processor's can call to get back
4971 		 * an operr.. to either incorporate (init-ack) or send.
4972 		 */
4973 		padded_size = SCTP_SIZE32(plen);
4974 		switch (ptype) {
4975 			/* Param's with variable size */
4976 		case SCTP_HEARTBEAT_INFO:
4977 		case SCTP_UNRECOG_PARAM:
4978 		case SCTP_ERROR_CAUSE_IND:
4979 			/* ok skip fwd */
4980 			at += padded_size;
4981 			break;
4982 		case SCTP_STATE_COOKIE:
4983 			if (cookie_found != NULL) {
4984 				*cookie_found = 1;
4985 			}
4986 			at += padded_size;
4987 			break;
4988 			/* Param's with variable size within a range */
4989 		case SCTP_CHUNK_LIST:
4990 		case SCTP_SUPPORTED_CHUNK_EXT:
4991 			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
4992 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
4993 				goto invalid_size;
4994 			}
4995 			at += padded_size;
4996 			break;
4997 		case SCTP_SUPPORTED_ADDRTYPE:
4998 			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
4999 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
5000 				goto invalid_size;
5001 			}
5002 			at += padded_size;
5003 			break;
5004 		case SCTP_ZERO_CHECKSUM_ACCEPTABLE:
5005 			if (padded_size != sizeof(struct sctp_zero_checksum_acceptable)) {
5006 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error checksum acceptable %d\n", plen);
5007 				goto invalid_size;
5008 			}
5009 			if (edmid != NULL) {
5010 				phdr = sctp_get_next_param(mat, at,
5011 				    (struct sctp_paramhdr *)&zero_chksum,
5012 				    sizeof(struct sctp_zero_checksum_acceptable));
5013 				if (phdr != NULL) {
5014 					zero_chksum_p = (struct sctp_zero_checksum_acceptable *)phdr;
5015 					*edmid = ntohl(zero_chksum_p->edmid);
5016 				}
5017 			}
5018 			at += padded_size;
5019 			break;
5020 		case SCTP_RANDOM:
5021 			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
5022 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
5023 				goto invalid_size;
5024 			}
5025 			at += padded_size;
5026 			break;
5027 		case SCTP_SET_PRIM_ADDR:
5028 		case SCTP_DEL_IP_ADDRESS:
5029 		case SCTP_ADD_IP_ADDRESS:
5030 			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
5031 			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
5032 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
5033 				goto invalid_size;
5034 			}
5035 			at += padded_size;
5036 			break;
5037 			/* Param's with a fixed size */
5038 		case SCTP_IPV4_ADDRESS:
5039 			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
5040 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
5041 				goto invalid_size;
5042 			}
5043 			at += padded_size;
5044 			break;
5045 		case SCTP_IPV6_ADDRESS:
5046 			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
5047 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
5048 				goto invalid_size;
5049 			}
5050 			at += padded_size;
5051 			break;
5052 		case SCTP_COOKIE_PRESERVE:
5053 			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
5054 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
5055 				goto invalid_size;
5056 			}
5057 			at += padded_size;
5058 			break;
5059 		case SCTP_HAS_NAT_SUPPORT:
5060 			if (padded_size != sizeof(struct sctp_paramhdr)) {
5061 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error nat support %d\n", plen);
5062 				goto invalid_size;
5063 			}
5064 			*nat_friendly = 1;
5065 			at += padded_size;
5066 			break;
5067 		case SCTP_PRSCTP_SUPPORTED:
5068 			if (padded_size != sizeof(struct sctp_paramhdr)) {
5069 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error prsctp %d\n", plen);
5070 				goto invalid_size;
5071 			}
5072 			at += padded_size;
5073 			break;
5074 		case SCTP_ECN_CAPABLE:
5075 			if (padded_size != sizeof(struct sctp_paramhdr)) {
5076 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
5077 				goto invalid_size;
5078 			}
5079 			at += padded_size;
5080 			break;
5081 		case SCTP_ULP_ADAPTATION:
5082 			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
5083 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
5084 				goto invalid_size;
5085 			}
5086 			at += padded_size;
5087 			break;
5088 		case SCTP_SUCCESS_REPORT:
5089 			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
5090 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
5091 				goto invalid_size;
5092 			}
5093 			at += padded_size;
5094 			break;
5095 		case SCTP_HOSTNAME_ADDRESS:
5096 			{
5097 				/* Hostname parameters are deprecated. */
5098 				struct sctp_gen_error_cause *cause;
5099 				int l_len;
5100 
5101 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
5102 				*abort_processing = 1;
5103 				sctp_m_freem(op_err);
5104 				op_err = NULL;
5105 				op_err_last = NULL;
5106 #ifdef INET6
5107 				l_len = SCTP_MIN_OVERHEAD;
5108 #else
5109 				l_len = SCTP_MIN_V4_OVERHEAD;
5110 #endif
5111 				l_len += sizeof(struct sctp_chunkhdr);
5112 				l_len += sizeof(struct sctp_gen_error_cause);
5113 				op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5114 				if (op_err != NULL) {
5115 					/*
5116 					 * Pre-reserve space for IP, SCTP,
5117 					 * and chunk header.
5118 					 */
5119 #ifdef INET6
5120 					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5121 #else
5122 					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5123 #endif
5124 					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5125 					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5126 					SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
5127 					cause = mtod(op_err, struct sctp_gen_error_cause *);
5128 					cause->code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
5129 					cause->length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen));
5130 					SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
5131 					if (SCTP_BUF_NEXT(op_err) == NULL) {
5132 						sctp_m_freem(op_err);
5133 						op_err = NULL;
5134 						op_err_last = NULL;
5135 					}
5136 				}
5137 				return (op_err);
5138 			}
5139 		default:
5140 			/*
5141 			 * we do not recognize the parameter figure out what
5142 			 * we do.
5143 			 */
5144 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
5145 			if ((ptype & 0x4000) == 0x4000) {
5146 				/* Report bit is set?? */
5147 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
5148 				if (op_err == NULL) {
5149 					int l_len;
5150 
5151 					/* Ok need to try to get an mbuf */
5152 #ifdef INET6
5153 					l_len = SCTP_MIN_OVERHEAD;
5154 #else
5155 					l_len = SCTP_MIN_V4_OVERHEAD;
5156 #endif
5157 					l_len += sizeof(struct sctp_chunkhdr);
5158 					l_len += sizeof(struct sctp_paramhdr);
5159 					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5160 					if (op_err) {
5161 						SCTP_BUF_LEN(op_err) = 0;
5162 #ifdef INET6
5163 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5164 #else
5165 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5166 #endif
5167 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5168 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5169 						op_err_last = op_err;
5170 					}
5171 				}
5172 				if (op_err != NULL) {
5173 					/* If we have space */
5174 					struct sctp_paramhdr *param;
5175 
5176 					if (pad_needed > 0) {
5177 						op_err_last = sctp_add_pad_tombuf(op_err_last, pad_needed);
5178 					}
5179 					if (op_err_last == NULL) {
5180 						sctp_m_freem(op_err);
5181 						op_err = NULL;
5182 						op_err_last = NULL;
5183 						goto more_processing;
5184 					}
5185 					if (M_TRAILINGSPACE(op_err_last) < (int)sizeof(struct sctp_paramhdr)) {
5186 						m_tmp = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_NOWAIT, 1, MT_DATA);
5187 						if (m_tmp == NULL) {
5188 							sctp_m_freem(op_err);
5189 							op_err = NULL;
5190 							op_err_last = NULL;
5191 							goto more_processing;
5192 						}
5193 						SCTP_BUF_LEN(m_tmp) = 0;
5194 						SCTP_BUF_NEXT(m_tmp) = NULL;
5195 						SCTP_BUF_NEXT(op_err_last) = m_tmp;
5196 						op_err_last = m_tmp;
5197 					}
5198 					param = (struct sctp_paramhdr *)(mtod(op_err_last, caddr_t)+SCTP_BUF_LEN(op_err_last));
5199 					param->param_type = htons(SCTP_UNRECOG_PARAM);
5200 					param->param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen);
5201 					SCTP_BUF_LEN(op_err_last) += sizeof(struct sctp_paramhdr);
5202 					SCTP_BUF_NEXT(op_err_last) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
5203 					if (SCTP_BUF_NEXT(op_err_last) == NULL) {
5204 						sctp_m_freem(op_err);
5205 						op_err = NULL;
5206 						op_err_last = NULL;
5207 						goto more_processing;
5208 					} else {
5209 						while (SCTP_BUF_NEXT(op_err_last) != NULL) {
5210 							op_err_last = SCTP_BUF_NEXT(op_err_last);
5211 						}
5212 					}
5213 					if (plen % 4 != 0) {
5214 						pad_needed = 4 - (plen % 4);
5215 					} else {
5216 						pad_needed = 0;
5217 					}
5218 				}
5219 			}
5220 	more_processing:
5221 			if ((ptype & 0x8000) == 0x0000) {
5222 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
5223 				return (op_err);
5224 			} else {
5225 				/* skip this chunk and continue processing */
5226 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
5227 				at += SCTP_SIZE32(plen);
5228 			}
5229 			break;
5230 		}
5231 		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
5232 	}
5233 	return (op_err);
5234 invalid_size:
5235 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
5236 	*abort_processing = 1;
5237 	sctp_m_freem(op_err);
5238 	op_err = NULL;
5239 	op_err_last = NULL;
5240 	if (phdr != NULL) {
5241 		struct sctp_paramhdr *param;
5242 		int l_len;
5243 #ifdef INET6
5244 		l_len = SCTP_MIN_OVERHEAD;
5245 #else
5246 		l_len = SCTP_MIN_V4_OVERHEAD;
5247 #endif
5248 		l_len += sizeof(struct sctp_chunkhdr);
5249 		l_len += (2 * sizeof(struct sctp_paramhdr));
5250 		op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5251 		if (op_err) {
5252 			SCTP_BUF_LEN(op_err) = 0;
5253 #ifdef INET6
5254 			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5255 #else
5256 			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5257 #endif
5258 			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5259 			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5260 			SCTP_BUF_LEN(op_err) = 2 * sizeof(struct sctp_paramhdr);
5261 			param = mtod(op_err, struct sctp_paramhdr *);
5262 			param->param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
5263 			param->param_length = htons(2 * sizeof(struct sctp_paramhdr));
5264 			param++;
5265 			param->param_type = htons(ptype);
5266 			param->param_length = htons(plen);
5267 		}
5268 	}
5269 	return (op_err);
5270 }
5271 
5272 /*
5273  * Given a INIT chunk, look through the parameters to verify that there
5274  * are no new addresses.
5275  * Return true, if there is a new address or there is a problem parsing
5276    the parameters. Provide an optional error cause used when sending an ABORT.
5277  * Return false, if there are no new addresses and there is no problem in
5278    parameter processing.
5279  */
5280 static bool
5281 sctp_are_there_new_addresses(struct sctp_association *asoc,
5282     struct mbuf *in_initpkt, int offset, int limit, struct sockaddr *src,
5283     struct mbuf **op_err)
5284 {
5285 	struct sockaddr *sa_touse;
5286 	struct sockaddr *sa;
5287 	struct sctp_paramhdr *phdr, params;
5288 	struct sctp_nets *net;
5289 #ifdef INET
5290 	struct sockaddr_in sin4, *sa4;
5291 #endif
5292 #ifdef INET6
5293 	struct sockaddr_in6 sin6, *sa6;
5294 #endif
5295 	uint16_t ptype, plen;
5296 	bool fnd, check_src;
5297 
5298 	*op_err = NULL;
5299 #ifdef INET
5300 	memset(&sin4, 0, sizeof(sin4));
5301 	sin4.sin_family = AF_INET;
5302 	sin4.sin_len = sizeof(sin4);
5303 #endif
5304 #ifdef INET6
5305 	memset(&sin6, 0, sizeof(sin6));
5306 	sin6.sin6_family = AF_INET6;
5307 	sin6.sin6_len = sizeof(sin6);
5308 #endif
5309 	/* First what about the src address of the pkt ? */
5310 	check_src = false;
5311 	switch (src->sa_family) {
5312 #ifdef INET
5313 	case AF_INET:
5314 		if (asoc->scope.ipv4_addr_legal) {
5315 			check_src = true;
5316 		}
5317 		break;
5318 #endif
5319 #ifdef INET6
5320 	case AF_INET6:
5321 		if (asoc->scope.ipv6_addr_legal) {
5322 			check_src = true;
5323 		}
5324 		break;
5325 #endif
5326 	default:
5327 		/* TSNH */
5328 		break;
5329 	}
5330 	if (check_src) {
5331 		fnd = false;
5332 		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5333 			sa = (struct sockaddr *)&net->ro._l_addr;
5334 			if (sa->sa_family == src->sa_family) {
5335 #ifdef INET
5336 				if (sa->sa_family == AF_INET) {
5337 					struct sockaddr_in *src4;
5338 
5339 					sa4 = (struct sockaddr_in *)sa;
5340 					src4 = (struct sockaddr_in *)src;
5341 					if (sa4->sin_addr.s_addr == src4->sin_addr.s_addr) {
5342 						fnd = true;
5343 						break;
5344 					}
5345 				}
5346 #endif
5347 #ifdef INET6
5348 				if (sa->sa_family == AF_INET6) {
5349 					struct sockaddr_in6 *src6;
5350 
5351 					sa6 = (struct sockaddr_in6 *)sa;
5352 					src6 = (struct sockaddr_in6 *)src;
5353 					if (SCTP6_ARE_ADDR_EQUAL(sa6, src6)) {
5354 						fnd = true;
5355 						break;
5356 					}
5357 				}
5358 #endif
5359 			}
5360 		}
5361 		if (!fnd) {
5362 			/*
5363 			 * If sending an ABORT in case of an additional
5364 			 * address, don't use the new address error cause.
5365 			 * This looks no different than if no listener was
5366 			 * present.
5367 			 */
5368 			*op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), "Address added");
5369 			return (true);
5370 		}
5371 	}
5372 	/* Ok so far lets munge through the rest of the packet */
5373 	offset += sizeof(struct sctp_init_chunk);
5374 	phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5375 	while (phdr) {
5376 		sa_touse = NULL;
5377 		ptype = ntohs(phdr->param_type);
5378 		plen = ntohs(phdr->param_length);
5379 		if (offset + plen > limit) {
5380 			*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Partial parameter");
5381 			return (true);
5382 		}
5383 		if (plen < sizeof(struct sctp_paramhdr)) {
5384 			*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length too small");
5385 			return (true);
5386 		}
5387 		switch (ptype) {
5388 #ifdef INET
5389 		case SCTP_IPV4_ADDRESS:
5390 			{
5391 				struct sctp_ipv4addr_param *p4, p4_buf;
5392 
5393 				if (plen != sizeof(struct sctp_ipv4addr_param)) {
5394 					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length illegal");
5395 					return (true);
5396 				}
5397 				phdr = sctp_get_next_param(in_initpkt, offset,
5398 				    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
5399 				if (phdr == NULL) {
5400 					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "");
5401 					return (true);
5402 				}
5403 				if (asoc->scope.ipv4_addr_legal) {
5404 					p4 = (struct sctp_ipv4addr_param *)phdr;
5405 					sin4.sin_addr.s_addr = p4->addr;
5406 					sa_touse = (struct sockaddr *)&sin4;
5407 				}
5408 				break;
5409 			}
5410 #endif
5411 #ifdef INET6
5412 		case SCTP_IPV6_ADDRESS:
5413 			{
5414 				struct sctp_ipv6addr_param *p6, p6_buf;
5415 
5416 				if (plen != sizeof(struct sctp_ipv6addr_param)) {
5417 					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length illegal");
5418 					return (true);
5419 				}
5420 				phdr = sctp_get_next_param(in_initpkt, offset,
5421 				    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
5422 				if (phdr == NULL) {
5423 					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "");
5424 					return (true);
5425 				}
5426 				if (asoc->scope.ipv6_addr_legal) {
5427 					p6 = (struct sctp_ipv6addr_param *)phdr;
5428 					memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
5429 					    sizeof(p6->addr));
5430 					sa_touse = (struct sockaddr *)&sin6;
5431 				}
5432 				break;
5433 			}
5434 #endif
5435 		default:
5436 			sa_touse = NULL;
5437 			break;
5438 		}
5439 		if (sa_touse) {
5440 			/* ok, sa_touse points to one to check */
5441 			fnd = false;
5442 			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5443 				sa = (struct sockaddr *)&net->ro._l_addr;
5444 				if (sa->sa_family != sa_touse->sa_family) {
5445 					continue;
5446 				}
5447 #ifdef INET
5448 				if (sa->sa_family == AF_INET) {
5449 					sa4 = (struct sockaddr_in *)sa;
5450 					if (sa4->sin_addr.s_addr ==
5451 					    sin4.sin_addr.s_addr) {
5452 						fnd = true;
5453 						break;
5454 					}
5455 				}
5456 #endif
5457 #ifdef INET6
5458 				if (sa->sa_family == AF_INET6) {
5459 					sa6 = (struct sockaddr_in6 *)sa;
5460 					if (SCTP6_ARE_ADDR_EQUAL(
5461 					    sa6, &sin6)) {
5462 						fnd = true;
5463 						break;
5464 					}
5465 				}
5466 #endif
5467 			}
5468 			if (!fnd) {
5469 				/*
5470 				 * If sending an ABORT in case of an
5471 				 * additional address, don't use the new
5472 				 * address error cause. This looks no
5473 				 * different than if no listener was
5474 				 * present.
5475 				 */
5476 				*op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), "Address added");
5477 				return (true);
5478 			}
5479 		}
5480 		offset += SCTP_SIZE32(plen);
5481 		if (offset >= limit) {
5482 			break;
5483 		}
5484 		phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5485 	}
5486 	return (false);
5487 }
5488 
5489 /*
5490  * Given a MBUF chain that was sent into us containing an INIT. Build a
5491  * INIT-ACK with COOKIE and send back. We assume that the in_initpkt has done
5492  * a pullup to include IPv6/4header, SCTP header and initial part of INIT
5493  * message (i.e. the struct sctp_init_msg).
5494  */
5495 void
5496 sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
5497     struct sctp_nets *src_net, struct mbuf *init_pkt,
5498     int iphlen, int offset,
5499     struct sockaddr *src, struct sockaddr *dst,
5500     struct sctphdr *sh, struct sctp_init_chunk *init_chk,
5501     uint8_t mflowtype, uint32_t mflowid,
5502     uint32_t vrf_id, uint16_t port)
5503 {
5504 	struct sctp_association *asoc;
5505 	struct mbuf *m, *m_tmp, *m_last, *m_cookie, *op_err;
5506 	struct sctp_init_ack_chunk *initack;
5507 	struct sctp_adaptation_layer_indication *ali;
5508 	struct sctp_zero_checksum_acceptable *zero_chksum;
5509 	struct sctp_supported_chunk_types_param *pr_supported;
5510 	struct sctp_paramhdr *ph;
5511 	union sctp_sockstore *over_addr;
5512 	struct sctp_scoping scp;
5513 	struct timeval now;
5514 #ifdef INET
5515 	struct sockaddr_in *dst4 = (struct sockaddr_in *)dst;
5516 	struct sockaddr_in *src4 = (struct sockaddr_in *)src;
5517 	struct sockaddr_in *sin;
5518 #endif
5519 #ifdef INET6
5520 	struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)dst;
5521 	struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)src;
5522 	struct sockaddr_in6 *sin6;
5523 #endif
5524 	struct sockaddr *to;
5525 	struct sctp_state_cookie stc;
5526 	struct sctp_nets *net = NULL;
5527 	uint8_t *signature = NULL;
5528 	int cnt_inits_to = 0;
5529 	uint16_t his_limit, i_want;
5530 	int abort_flag;
5531 	int nat_friendly = 0;
5532 	int error;
5533 	struct socket *so;
5534 	uint32_t edmid;
5535 	uint16_t num_ext, chunk_len, padding_len, parameter_len;
5536 	bool use_zero_crc;
5537 
5538 	if (stcb) {
5539 		asoc = &stcb->asoc;
5540 	} else {
5541 		asoc = NULL;
5542 	}
5543 	if ((asoc != NULL) &&
5544 	    (SCTP_GET_STATE(stcb) != SCTP_STATE_COOKIE_WAIT)) {
5545 		if (sctp_are_there_new_addresses(asoc, init_pkt, offset, offset + ntohs(init_chk->ch.chunk_length), src, &op_err)) {
5546 			/*
5547 			 * new addresses, out of here in non-cookie-wait
5548 			 * states
5549 			 */
5550 			sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
5551 			    mflowtype, mflowid, inp->fibnum,
5552 			    vrf_id, port);
5553 			return;
5554 		}
5555 		if (src_net != NULL && (src_net->port != port)) {
5556 			/*
5557 			 * change of remote encapsulation port, out of here
5558 			 * in non-cookie-wait states
5559 			 *
5560 			 * Send an ABORT, without an specific error cause.
5561 			 * This looks no different than if no listener was
5562 			 * present.
5563 			 */
5564 			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5565 			    "Remote encapsulation port changed");
5566 			sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
5567 			    mflowtype, mflowid, inp->fibnum,
5568 			    vrf_id, port);
5569 			return;
5570 		}
5571 	}
5572 	abort_flag = 0;
5573 	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
5574 	    (offset + sizeof(struct sctp_init_chunk)),
5575 	    &abort_flag,
5576 	    (struct sctp_chunkhdr *)init_chk,
5577 	    &nat_friendly, NULL, &edmid);
5578 	if (abort_flag) {
5579 do_a_abort:
5580 		if (op_err == NULL) {
5581 			char msg[SCTP_DIAG_INFO_LEN];
5582 
5583 			SCTP_SNPRINTF(msg, sizeof(msg), "%s:%d at %s", __FILE__, __LINE__, __func__);
5584 			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5585 			    msg);
5586 		}
5587 		sctp_send_abort(init_pkt, iphlen, src, dst, sh,
5588 		    init_chk->init.initiate_tag, op_err,
5589 		    mflowtype, mflowid, inp->fibnum,
5590 		    vrf_id, port);
5591 		return;
5592 	}
5593 	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
5594 	if (m == NULL) {
5595 		/* No memory, INIT timer will re-attempt. */
5596 		sctp_m_freem(op_err);
5597 		return;
5598 	}
5599 	chunk_len = (uint16_t)sizeof(struct sctp_init_ack_chunk);
5600 	padding_len = 0;
5601 
5602 	/*
5603 	 * We might not overwrite the identification[] completely and on
5604 	 * some platforms time_entered will contain some padding. Therefore
5605 	 * zero out the cookie to avoid putting uninitialized memory on the
5606 	 * wire.
5607 	 */
5608 	memset(&stc, 0, sizeof(struct sctp_state_cookie));
5609 
5610 	/* the time I built cookie */
5611 	(void)SCTP_GETTIME_TIMEVAL(&now);
5612 	stc.time_entered.tv_sec = now.tv_sec;
5613 	stc.time_entered.tv_usec = now.tv_usec;
5614 
5615 	/* populate any tie tags */
5616 	if (asoc != NULL) {
5617 		/* unlock before tag selections */
5618 		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
5619 		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
5620 		stc.cookie_life = asoc->cookie_life;
5621 		net = asoc->primary_destination;
5622 	} else {
5623 		stc.tie_tag_my_vtag = 0;
5624 		stc.tie_tag_peer_vtag = 0;
5625 		/* life I will award this cookie */
5626 		stc.cookie_life = inp->sctp_ep.def_cookie_life;
5627 	}
5628 
5629 	/* copy in the ports for later check */
5630 	stc.myport = sh->dest_port;
5631 	stc.peerport = sh->src_port;
5632 
5633 	/*
5634 	 * If we wanted to honor cookie life extensions, we would add to
5635 	 * stc.cookie_life. For now we should NOT honor any extension
5636 	 */
5637 	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
5638 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5639 		stc.ipv6_addr_legal = 1;
5640 		if (SCTP_IPV6_V6ONLY(inp)) {
5641 			stc.ipv4_addr_legal = 0;
5642 		} else {
5643 			stc.ipv4_addr_legal = 1;
5644 		}
5645 	} else {
5646 		stc.ipv6_addr_legal = 0;
5647 		stc.ipv4_addr_legal = 1;
5648 	}
5649 	stc.ipv4_scope = 0;
5650 	if (net == NULL) {
5651 		to = src;
5652 		switch (dst->sa_family) {
5653 #ifdef INET
5654 		case AF_INET:
5655 			{
5656 				/* lookup address */
5657 				stc.address[0] = src4->sin_addr.s_addr;
5658 				stc.address[1] = 0;
5659 				stc.address[2] = 0;
5660 				stc.address[3] = 0;
5661 				stc.addr_type = SCTP_IPV4_ADDRESS;
5662 				/* local from address */
5663 				stc.laddress[0] = dst4->sin_addr.s_addr;
5664 				stc.laddress[1] = 0;
5665 				stc.laddress[2] = 0;
5666 				stc.laddress[3] = 0;
5667 				stc.laddr_type = SCTP_IPV4_ADDRESS;
5668 				/* scope_id is only for v6 */
5669 				stc.scope_id = 0;
5670 				if ((IN4_ISPRIVATE_ADDRESS(&src4->sin_addr)) ||
5671 				    (IN4_ISPRIVATE_ADDRESS(&dst4->sin_addr))) {
5672 					stc.ipv4_scope = 1;
5673 				}
5674 				/* Must use the address in this case */
5675 				if (sctp_is_address_on_local_host(src, vrf_id)) {
5676 					stc.loopback_scope = 1;
5677 					stc.ipv4_scope = 1;
5678 					stc.site_scope = 1;
5679 					stc.local_scope = 0;
5680 				}
5681 				break;
5682 			}
5683 #endif
5684 #ifdef INET6
5685 		case AF_INET6:
5686 			{
5687 				stc.addr_type = SCTP_IPV6_ADDRESS;
5688 				memcpy(&stc.address, &src6->sin6_addr, sizeof(struct in6_addr));
5689 				stc.scope_id = ntohs(in6_getscope(&src6->sin6_addr));
5690 				if (sctp_is_address_on_local_host(src, vrf_id)) {
5691 					stc.loopback_scope = 1;
5692 					stc.local_scope = 0;
5693 					stc.site_scope = 1;
5694 					stc.ipv4_scope = 1;
5695 				} else if (IN6_IS_ADDR_LINKLOCAL(&src6->sin6_addr) ||
5696 				    IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr)) {
5697 					/*
5698 					 * If the new destination or source
5699 					 * is a LINK_LOCAL we must have
5700 					 * common both site and local scope.
5701 					 * Don't set local scope though
5702 					 * since we must depend on the
5703 					 * source to be added implicitly. We
5704 					 * cannot assure just because we
5705 					 * share one link that all links are
5706 					 * common.
5707 					 */
5708 					stc.local_scope = 0;
5709 					stc.site_scope = 1;
5710 					stc.ipv4_scope = 1;
5711 					/*
5712 					 * we start counting for the private
5713 					 * address stuff at 1. since the
5714 					 * link local we source from won't
5715 					 * show up in our scoped count.
5716 					 */
5717 					cnt_inits_to = 1;
5718 					/*
5719 					 * pull out the scope_id from
5720 					 * incoming pkt
5721 					 */
5722 				} else if (IN6_IS_ADDR_SITELOCAL(&src6->sin6_addr) ||
5723 				    IN6_IS_ADDR_SITELOCAL(&dst6->sin6_addr)) {
5724 					/*
5725 					 * If the new destination or source
5726 					 * is SITE_LOCAL then we must have
5727 					 * site scope in common.
5728 					 */
5729 					stc.site_scope = 1;
5730 				}
5731 				memcpy(&stc.laddress, &dst6->sin6_addr, sizeof(struct in6_addr));
5732 				stc.laddr_type = SCTP_IPV6_ADDRESS;
5733 				break;
5734 			}
5735 #endif
5736 		default:
5737 			/* TSNH */
5738 			goto do_a_abort;
5739 			break;
5740 		}
5741 	} else {
5742 		/* set the scope per the existing tcb */
5743 
5744 #ifdef INET6
5745 		struct sctp_nets *lnet;
5746 #endif
5747 
5748 		stc.loopback_scope = asoc->scope.loopback_scope;
5749 		stc.ipv4_scope = asoc->scope.ipv4_local_scope;
5750 		stc.site_scope = asoc->scope.site_scope;
5751 		stc.local_scope = asoc->scope.local_scope;
5752 #ifdef INET6
5753 		/* Why do we not consider IPv4 LL addresses? */
5754 		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
5755 			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
5756 				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
5757 					/*
5758 					 * if we have a LL address, start
5759 					 * counting at 1.
5760 					 */
5761 					cnt_inits_to = 1;
5762 				}
5763 			}
5764 		}
5765 #endif
5766 		/* use the net pointer */
5767 		to = (struct sockaddr *)&net->ro._l_addr;
5768 		switch (to->sa_family) {
5769 #ifdef INET
5770 		case AF_INET:
5771 			sin = (struct sockaddr_in *)to;
5772 			stc.address[0] = sin->sin_addr.s_addr;
5773 			stc.address[1] = 0;
5774 			stc.address[2] = 0;
5775 			stc.address[3] = 0;
5776 			stc.addr_type = SCTP_IPV4_ADDRESS;
5777 			if (net->src_addr_selected == 0) {
5778 				/*
5779 				 * strange case here, the INIT should have
5780 				 * did the selection.
5781 				 */
5782 				net->ro._s_addr = sctp_source_address_selection(inp,
5783 				    stcb, (sctp_route_t *)&net->ro,
5784 				    net, 0, vrf_id);
5785 				if (net->ro._s_addr == NULL) {
5786 					sctp_m_freem(op_err);
5787 					sctp_m_freem(m);
5788 					return;
5789 				}
5790 
5791 				net->src_addr_selected = 1;
5792 			}
5793 			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
5794 			stc.laddress[1] = 0;
5795 			stc.laddress[2] = 0;
5796 			stc.laddress[3] = 0;
5797 			stc.laddr_type = SCTP_IPV4_ADDRESS;
5798 			/* scope_id is only for v6 */
5799 			stc.scope_id = 0;
5800 			break;
5801 #endif
5802 #ifdef INET6
5803 		case AF_INET6:
5804 			sin6 = (struct sockaddr_in6 *)to;
5805 			memcpy(&stc.address, &sin6->sin6_addr,
5806 			    sizeof(struct in6_addr));
5807 			stc.addr_type = SCTP_IPV6_ADDRESS;
5808 			stc.scope_id = sin6->sin6_scope_id;
5809 			if (net->src_addr_selected == 0) {
5810 				/*
5811 				 * strange case here, the INIT should have
5812 				 * done the selection.
5813 				 */
5814 				net->ro._s_addr = sctp_source_address_selection(inp,
5815 				    stcb, (sctp_route_t *)&net->ro,
5816 				    net, 0, vrf_id);
5817 				if (net->ro._s_addr == NULL) {
5818 					sctp_m_freem(op_err);
5819 					sctp_m_freem(m);
5820 					return;
5821 				}
5822 
5823 				net->src_addr_selected = 1;
5824 			}
5825 			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
5826 			    sizeof(struct in6_addr));
5827 			stc.laddr_type = SCTP_IPV6_ADDRESS;
5828 			break;
5829 #endif
5830 		}
5831 	}
5832 	if (asoc != NULL) {
5833 		stc.rcv_edmid = asoc->rcv_edmid;
5834 	} else {
5835 		stc.rcv_edmid = inp->rcv_edmid;
5836 	}
5837 	/* Now lets put the SCTP header in place */
5838 	initack = mtod(m, struct sctp_init_ack_chunk *);
5839 	/* Save it off for quick ref */
5840 	stc.peers_vtag = ntohl(init_chk->init.initiate_tag);
5841 	/* who are we */
5842 	memcpy(stc.identification, SCTP_VERSION_STRING,
5843 	    min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
5844 	memset(stc.reserved, 0, SCTP_RESERVE_SPACE);
5845 	/* now the chunk header */
5846 	initack->ch.chunk_type = SCTP_INITIATION_ACK;
5847 	initack->ch.chunk_flags = 0;
5848 	/* fill in later from mbuf we build */
5849 	initack->ch.chunk_length = 0;
5850 	/* place in my tag */
5851 	if ((asoc != NULL) &&
5852 	    ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
5853 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_INUSE) ||
5854 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED))) {
5855 		/* re-use the v-tags and init-seq here */
5856 		initack->init.initiate_tag = htonl(asoc->my_vtag);
5857 		initack->init.initial_tsn = htonl(asoc->init_seq_number);
5858 	} else {
5859 		uint32_t vtag, itsn;
5860 
5861 		if (asoc) {
5862 			atomic_add_int(&asoc->refcnt, 1);
5863 			SCTP_TCB_UNLOCK(stcb);
5864 	new_tag:
5865 			SCTP_INP_INFO_RLOCK();
5866 			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5867 			SCTP_INP_INFO_RUNLOCK();
5868 			if ((asoc->peer_supports_nat) && (vtag == asoc->my_vtag)) {
5869 				/*
5870 				 * Got a duplicate vtag on some guy behind a
5871 				 * nat make sure we don't use it.
5872 				 */
5873 				goto new_tag;
5874 			}
5875 			initack->init.initiate_tag = htonl(vtag);
5876 			/* get a TSN to use too */
5877 			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
5878 			initack->init.initial_tsn = htonl(itsn);
5879 			SCTP_TCB_LOCK(stcb);
5880 			atomic_subtract_int(&asoc->refcnt, 1);
5881 		} else {
5882 			SCTP_INP_INCR_REF(inp);
5883 			SCTP_INP_RUNLOCK(inp);
5884 			SCTP_INP_INFO_RLOCK();
5885 			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5886 			SCTP_INP_INFO_RUNLOCK();
5887 			initack->init.initiate_tag = htonl(vtag);
5888 			/* get a TSN to use too */
5889 			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
5890 			SCTP_INP_RLOCK(inp);
5891 			SCTP_INP_DECR_REF(inp);
5892 		}
5893 	}
5894 	/* save away my tag to */
5895 	stc.my_vtag = initack->init.initiate_tag;
5896 
5897 	/* set up some of the credits. */
5898 	so = inp->sctp_socket;
5899 	if (so == NULL) {
5900 		/* memory problem */
5901 		sctp_m_freem(op_err);
5902 		sctp_m_freem(m);
5903 		return;
5904 	} else {
5905 		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
5906 	}
5907 	/* set what I want */
5908 	his_limit = ntohs(init_chk->init.num_inbound_streams);
5909 	/* choose what I want */
5910 	if (asoc != NULL) {
5911 		if (asoc->streamoutcnt > asoc->pre_open_streams) {
5912 			i_want = asoc->streamoutcnt;
5913 		} else {
5914 			i_want = asoc->pre_open_streams;
5915 		}
5916 	} else {
5917 		i_want = inp->sctp_ep.pre_open_stream_count;
5918 	}
5919 	if (his_limit < i_want) {
5920 		/* I Want more :< */
5921 		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
5922 	} else {
5923 		/* I can have what I want :> */
5924 		initack->init.num_outbound_streams = htons(i_want);
5925 	}
5926 	/* tell him his limit. */
5927 	initack->init.num_inbound_streams =
5928 	    htons(inp->sctp_ep.max_open_streams_intome);
5929 
5930 	/* adaptation layer indication parameter */
5931 	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
5932 		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
5933 		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t)+chunk_len);
5934 		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
5935 		ali->ph.param_length = htons(parameter_len);
5936 		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
5937 		chunk_len += parameter_len;
5938 	}
5939 
5940 	/* ECN parameter */
5941 	if (((asoc != NULL) && (asoc->ecn_supported == 1)) ||
5942 	    ((asoc == NULL) && (inp->ecn_supported == 1))) {
5943 		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5944 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5945 		ph->param_type = htons(SCTP_ECN_CAPABLE);
5946 		ph->param_length = htons(parameter_len);
5947 		chunk_len += parameter_len;
5948 	}
5949 
5950 	/* PR-SCTP supported parameter */
5951 	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
5952 	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
5953 		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5954 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5955 		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
5956 		ph->param_length = htons(parameter_len);
5957 		chunk_len += parameter_len;
5958 	}
5959 
5960 	/* Zero checksum acceptable parameter */
5961 	if (((asoc != NULL) && (asoc->rcv_edmid != SCTP_EDMID_NONE)) ||
5962 	    ((asoc == NULL) && (inp->rcv_edmid != SCTP_EDMID_NONE))) {
5963 		parameter_len = (uint16_t)sizeof(struct sctp_zero_checksum_acceptable);
5964 		zero_chksum = (struct sctp_zero_checksum_acceptable *)(mtod(m, caddr_t)+chunk_len);
5965 		zero_chksum->ph.param_type = htons(SCTP_ZERO_CHECKSUM_ACCEPTABLE);
5966 		zero_chksum->ph.param_length = htons(parameter_len);
5967 		if (asoc != NULL) {
5968 			zero_chksum->edmid = htonl(asoc->rcv_edmid);
5969 		} else {
5970 			zero_chksum->edmid = htonl(inp->rcv_edmid);
5971 		}
5972 		chunk_len += parameter_len;
5973 	}
5974 
5975 	/* Add NAT friendly parameter */
5976 	if (nat_friendly) {
5977 		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5978 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5979 		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
5980 		ph->param_length = htons(parameter_len);
5981 		chunk_len += parameter_len;
5982 	}
5983 
5984 	/* And now tell the peer which extensions we support */
5985 	num_ext = 0;
5986 	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+chunk_len);
5987 	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
5988 	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
5989 		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
5990 		if (((asoc != NULL) && (asoc->idata_supported == 1)) ||
5991 		    ((asoc == NULL) && (inp->idata_supported == 1))) {
5992 			pr_supported->chunk_types[num_ext++] = SCTP_IFORWARD_CUM_TSN;
5993 		}
5994 	}
5995 	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
5996 	    ((asoc == NULL) && (inp->auth_supported == 1))) {
5997 		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
5998 	}
5999 	if (((asoc != NULL) && (asoc->asconf_supported == 1)) ||
6000 	    ((asoc == NULL) && (inp->asconf_supported == 1))) {
6001 		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
6002 		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
6003 	}
6004 	if (((asoc != NULL) && (asoc->reconfig_supported == 1)) ||
6005 	    ((asoc == NULL) && (inp->reconfig_supported == 1))) {
6006 		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
6007 	}
6008 	if (((asoc != NULL) && (asoc->idata_supported == 1)) ||
6009 	    ((asoc == NULL) && (inp->idata_supported == 1))) {
6010 		pr_supported->chunk_types[num_ext++] = SCTP_IDATA;
6011 	}
6012 	if (((asoc != NULL) && (asoc->nrsack_supported == 1)) ||
6013 	    ((asoc == NULL) && (inp->nrsack_supported == 1))) {
6014 		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
6015 	}
6016 	if (((asoc != NULL) && (asoc->pktdrop_supported == 1)) ||
6017 	    ((asoc == NULL) && (inp->pktdrop_supported == 1))) {
6018 		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
6019 	}
6020 	if (num_ext > 0) {
6021 		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
6022 		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
6023 		pr_supported->ph.param_length = htons(parameter_len);
6024 		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6025 		chunk_len += parameter_len;
6026 	}
6027 
6028 	/* add authentication parameters */
6029 	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
6030 	    ((asoc == NULL) && (inp->auth_supported == 1))) {
6031 		struct sctp_auth_random *randp;
6032 		struct sctp_auth_hmac_algo *hmacs;
6033 		struct sctp_auth_chunk_list *chunks;
6034 
6035 		if (padding_len > 0) {
6036 			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6037 			chunk_len += padding_len;
6038 			padding_len = 0;
6039 		}
6040 		/* generate and add RANDOM parameter */
6041 		randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+chunk_len);
6042 		parameter_len = (uint16_t)sizeof(struct sctp_auth_random) +
6043 		    SCTP_AUTH_RANDOM_SIZE_DEFAULT;
6044 		randp->ph.param_type = htons(SCTP_RANDOM);
6045 		randp->ph.param_length = htons(parameter_len);
6046 		SCTP_READ_RANDOM(randp->random_data, SCTP_AUTH_RANDOM_SIZE_DEFAULT);
6047 		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6048 		chunk_len += parameter_len;
6049 
6050 		if (padding_len > 0) {
6051 			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6052 			chunk_len += padding_len;
6053 			padding_len = 0;
6054 		}
6055 		/* add HMAC_ALGO parameter */
6056 		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+chunk_len);
6057 		parameter_len = (uint16_t)sizeof(struct sctp_auth_hmac_algo) +
6058 		    sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
6059 		    (uint8_t *)hmacs->hmac_ids);
6060 		hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
6061 		hmacs->ph.param_length = htons(parameter_len);
6062 		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6063 		chunk_len += parameter_len;
6064 
6065 		if (padding_len > 0) {
6066 			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6067 			chunk_len += padding_len;
6068 			padding_len = 0;
6069 		}
6070 		/* add CHUNKS parameter */
6071 		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+chunk_len);
6072 		parameter_len = (uint16_t)sizeof(struct sctp_auth_chunk_list) +
6073 		    sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
6074 		    chunks->chunk_types);
6075 		chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
6076 		chunks->ph.param_length = htons(parameter_len);
6077 		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6078 		chunk_len += parameter_len;
6079 	}
6080 	SCTP_BUF_LEN(m) = chunk_len;
6081 	m_last = m;
6082 	/* now the addresses */
6083 	/*
6084 	 * To optimize this we could put the scoping stuff into a structure
6085 	 * and remove the individual uint8's from the stc structure. Then we
6086 	 * could just sifa in the address within the stc.. but for now this
6087 	 * is a quick hack to get the address stuff teased apart.
6088 	 */
6089 	scp.ipv4_addr_legal = stc.ipv4_addr_legal;
6090 	scp.ipv6_addr_legal = stc.ipv6_addr_legal;
6091 	scp.loopback_scope = stc.loopback_scope;
6092 	scp.ipv4_local_scope = stc.ipv4_scope;
6093 	scp.local_scope = stc.local_scope;
6094 	scp.site_scope = stc.site_scope;
6095 	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &scp, m_last,
6096 	    cnt_inits_to,
6097 	    &padding_len, &chunk_len);
6098 	/* padding_len can only be positive, if no addresses have been added */
6099 	if (padding_len > 0) {
6100 		memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6101 		chunk_len += padding_len;
6102 		SCTP_BUF_LEN(m) += padding_len;
6103 		padding_len = 0;
6104 	}
6105 
6106 	/* tack on the operational error if present */
6107 	if (op_err) {
6108 		parameter_len = 0;
6109 		for (m_tmp = op_err; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6110 			parameter_len += SCTP_BUF_LEN(m_tmp);
6111 		}
6112 		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6113 		SCTP_BUF_NEXT(m_last) = op_err;
6114 		while (SCTP_BUF_NEXT(m_last) != NULL) {
6115 			m_last = SCTP_BUF_NEXT(m_last);
6116 		}
6117 		chunk_len += parameter_len;
6118 	}
6119 	if (padding_len > 0) {
6120 		m_last = sctp_add_pad_tombuf(m_last, padding_len);
6121 		if (m_last == NULL) {
6122 			/* Houston we have a problem, no space */
6123 			sctp_m_freem(m);
6124 			return;
6125 		}
6126 		chunk_len += padding_len;
6127 		padding_len = 0;
6128 	}
6129 	/* Now we must build a cookie */
6130 	m_cookie = sctp_add_cookie(init_pkt, offset, m, 0, &stc, &signature);
6131 	if (m_cookie == NULL) {
6132 		/* memory problem */
6133 		sctp_m_freem(m);
6134 		return;
6135 	}
6136 	/* Now append the cookie to the end and update the space/size */
6137 	SCTP_BUF_NEXT(m_last) = m_cookie;
6138 	parameter_len = 0;
6139 	for (m_tmp = m_cookie; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6140 		parameter_len += SCTP_BUF_LEN(m_tmp);
6141 		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
6142 			m_last = m_tmp;
6143 		}
6144 	}
6145 	padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6146 	chunk_len += parameter_len;
6147 
6148 	/*
6149 	 * Place in the size, but we don't include the last pad (if any) in
6150 	 * the INIT-ACK.
6151 	 */
6152 	initack->ch.chunk_length = htons(chunk_len);
6153 
6154 	/*
6155 	 * Time to sign the cookie, we don't sign over the cookie signature
6156 	 * though thus we set trailer.
6157 	 */
6158 	(void)sctp_hmac_m(SCTP_HMAC,
6159 	    (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
6160 	    SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
6161 	    (uint8_t *)signature, SCTP_SIGNATURE_SIZE);
6162 	/*
6163 	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
6164 	 * here since the timer will drive a retranmission.
6165 	 */
6166 	if (padding_len > 0) {
6167 		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
6168 			sctp_m_freem(m);
6169 			return;
6170 		}
6171 	}
6172 	if (stc.loopback_scope) {
6173 		over_addr = (union sctp_sockstore *)dst;
6174 	} else {
6175 		over_addr = NULL;
6176 	}
6177 
6178 	if (asoc != NULL) {
6179 		use_zero_crc = (asoc->rcv_edmid != SCTP_EDMID_NONE) && (asoc->rcv_edmid == edmid);
6180 	} else {
6181 		use_zero_crc = (inp->rcv_edmid != SCTP_EDMID_NONE) && (inp->rcv_edmid == edmid);
6182 	}
6183 
6184 	if ((error = sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
6185 	    0, 0,
6186 	    inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
6187 	    port, over_addr,
6188 	    mflowtype, mflowid,
6189 	    use_zero_crc,
6190 	    SCTP_SO_NOT_LOCKED))) {
6191 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak send error %d\n", error);
6192 		if (error == ENOBUFS) {
6193 			if (asoc != NULL) {
6194 				asoc->ifp_had_enobuf = 1;
6195 			}
6196 			SCTP_STAT_INCR(sctps_lowlevelerr);
6197 		}
6198 	} else {
6199 		if (asoc != NULL) {
6200 			asoc->ifp_had_enobuf = 0;
6201 		}
6202 	}
6203 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
6204 }
6205 
6206 static void
6207 sctp_prune_prsctp(struct sctp_tcb *stcb,
6208     struct sctp_association *asoc,
6209     struct sctp_nonpad_sndrcvinfo *srcv,
6210     int dataout)
6211 {
6212 	int freed_spc = 0;
6213 	struct sctp_tmit_chunk *chk, *nchk;
6214 
6215 	SCTP_TCB_LOCK_ASSERT(stcb);
6216 	if ((asoc->prsctp_supported) &&
6217 	    (asoc->sent_queue_cnt_removeable > 0)) {
6218 		TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
6219 			/*
6220 			 * Look for chunks marked with the PR_SCTP flag AND
6221 			 * the buffer space flag. If the one being sent is
6222 			 * equal or greater priority then purge the old one
6223 			 * and free some space.
6224 			 */
6225 			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6226 				/*
6227 				 * This one is PR-SCTP AND buffer space
6228 				 * limited type
6229 				 */
6230 				if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) {
6231 					/*
6232 					 * Lower numbers equates to higher
6233 					 * priority. So if the one we are
6234 					 * looking at has a larger priority,
6235 					 * we want to drop the data and NOT
6236 					 * retransmit it.
6237 					 */
6238 					if (chk->data) {
6239 						/*
6240 						 * We release the book_size
6241 						 * if the mbuf is here
6242 						 */
6243 						int ret_spc;
6244 						uint8_t sent;
6245 
6246 						if (chk->sent > SCTP_DATAGRAM_UNSENT)
6247 							sent = 1;
6248 						else
6249 							sent = 0;
6250 						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6251 						    sent,
6252 						    SCTP_SO_LOCKED);
6253 						freed_spc += ret_spc;
6254 						if (freed_spc >= dataout) {
6255 							return;
6256 						}
6257 					}	/* if chunk was present */
6258 				}	/* if of sufficient priority */
6259 			}	/* if chunk has enabled */
6260 		}		/* tailqforeach */
6261 
6262 		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
6263 			/* Here we must move to the sent queue and mark */
6264 			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6265 				if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) {
6266 					if (chk->data) {
6267 						/*
6268 						 * We release the book_size
6269 						 * if the mbuf is here
6270 						 */
6271 						int ret_spc;
6272 
6273 						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6274 						    0, SCTP_SO_LOCKED);
6275 
6276 						freed_spc += ret_spc;
6277 						if (freed_spc >= dataout) {
6278 							return;
6279 						}
6280 					}	/* end if chk->data */
6281 				}	/* end if right class */
6282 			}	/* end if chk pr-sctp */
6283 		}		/* tailqforeachsafe (chk) */
6284 	}			/* if enabled in asoc */
6285 }
6286 
6287 uint32_t
6288 sctp_get_frag_point(struct sctp_tcb *stcb)
6289 {
6290 	struct sctp_association *asoc;
6291 	uint32_t frag_point, overhead;
6292 
6293 	asoc = &stcb->asoc;
6294 	/* Consider IP header and SCTP common header. */
6295 	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
6296 		overhead = SCTP_MIN_OVERHEAD;
6297 	} else {
6298 		overhead = SCTP_MIN_V4_OVERHEAD;
6299 	}
6300 	/* Consider DATA/IDATA chunk header and AUTH header, if needed. */
6301 	if (asoc->idata_supported) {
6302 		overhead += sizeof(struct sctp_idata_chunk);
6303 		if (sctp_auth_is_required_chunk(SCTP_IDATA, asoc->peer_auth_chunks)) {
6304 			overhead += sctp_get_auth_chunk_len(asoc->peer_hmac_id);
6305 		}
6306 	} else {
6307 		overhead += sizeof(struct sctp_data_chunk);
6308 		if (sctp_auth_is_required_chunk(SCTP_DATA, asoc->peer_auth_chunks)) {
6309 			overhead += sctp_get_auth_chunk_len(asoc->peer_hmac_id);
6310 		}
6311 	}
6312 	KASSERT(overhead % 4 == 0,
6313 	    ("overhead (%u) not a multiple of 4", overhead));
6314 	/* Consider padding. */
6315 	if (asoc->smallest_mtu % 4 > 0) {
6316 		overhead += (asoc->smallest_mtu % 4);
6317 	}
6318 	KASSERT(asoc->smallest_mtu > overhead,
6319 	    ("Association MTU (%u) too small for overhead (%u)",
6320 	    asoc->smallest_mtu, overhead));
6321 	frag_point = asoc->smallest_mtu - overhead;
6322 	KASSERT(frag_point % 4 == 0,
6323 	    ("frag_point (%u) not a multiple of 4", frag_point));
6324 	/* Honor MAXSEG socket option. */
6325 	if ((asoc->sctp_frag_point > 0) &&
6326 	    (asoc->sctp_frag_point < frag_point)) {
6327 		frag_point = asoc->sctp_frag_point;
6328 	}
6329 	return (frag_point);
6330 }
6331 
6332 static void
6333 sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
6334 {
6335 	/*
6336 	 * We assume that the user wants PR_SCTP_TTL if the user provides a
6337 	 * positive lifetime but does not specify any PR_SCTP policy.
6338 	 */
6339 	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
6340 		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6341 	} else if (sp->timetolive > 0) {
6342 		sp->sinfo_flags |= SCTP_PR_SCTP_TTL;
6343 		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6344 	} else {
6345 		return;
6346 	}
6347 	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
6348 	case CHUNK_FLAGS_PR_SCTP_BUF:
6349 		/*
6350 		 * Time to live is a priority stored in tv_sec when doing
6351 		 * the buffer drop thing.
6352 		 */
6353 		sp->ts.tv_sec = sp->timetolive;
6354 		sp->ts.tv_usec = 0;
6355 		break;
6356 	case CHUNK_FLAGS_PR_SCTP_TTL:
6357 		{
6358 			struct timeval tv;
6359 
6360 			(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6361 			tv.tv_sec = sp->timetolive / 1000;
6362 			tv.tv_usec = (sp->timetolive * 1000) % 1000000;
6363 			/*
6364 			 * TODO sctp_constants.h needs alternative time
6365 			 * macros when _KERNEL is undefined.
6366 			 */
6367 			timevaladd(&sp->ts, &tv);
6368 		}
6369 		break;
6370 	case CHUNK_FLAGS_PR_SCTP_RTX:
6371 		/*
6372 		 * Time to live is a the number or retransmissions stored in
6373 		 * tv_sec.
6374 		 */
6375 		sp->ts.tv_sec = sp->timetolive;
6376 		sp->ts.tv_usec = 0;
6377 		break;
6378 	default:
6379 		SCTPDBG(SCTP_DEBUG_USRREQ1,
6380 		    "Unknown PR_SCTP policy %u.\n",
6381 		    PR_SCTP_POLICY(sp->sinfo_flags));
6382 		break;
6383 	}
6384 }
6385 
6386 static int
6387 sctp_msg_append(struct sctp_tcb *stcb,
6388     struct sctp_nets *net,
6389     struct mbuf *m,
6390     struct sctp_nonpad_sndrcvinfo *srcv)
6391 {
6392 	int error = 0;
6393 	struct mbuf *at;
6394 	struct sctp_stream_queue_pending *sp = NULL;
6395 	struct sctp_stream_out *strm;
6396 
6397 	SCTP_TCB_LOCK_ASSERT(stcb);
6398 
6399 	/*
6400 	 * Given an mbuf chain, put it into the association send queue and
6401 	 * place it on the wheel
6402 	 */
6403 	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
6404 		/* Invalid stream number */
6405 		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6406 		error = EINVAL;
6407 		goto out_now;
6408 	}
6409 	if ((stcb->asoc.stream_locked) &&
6410 	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
6411 		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6412 		error = EINVAL;
6413 		goto out_now;
6414 	}
6415 	if ((stcb->asoc.strmout[srcv->sinfo_stream].state != SCTP_STREAM_OPEN) &&
6416 	    (stcb->asoc.strmout[srcv->sinfo_stream].state != SCTP_STREAM_OPENING)) {
6417 		/*
6418 		 * Can't queue any data while stream reset is underway.
6419 		 */
6420 		if (stcb->asoc.strmout[srcv->sinfo_stream].state > SCTP_STREAM_OPEN) {
6421 			error = EAGAIN;
6422 		} else {
6423 			error = EINVAL;
6424 		}
6425 		goto out_now;
6426 	}
6427 	/* Now can we send this? */
6428 	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) ||
6429 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
6430 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
6431 	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
6432 		/* got data while shutting down */
6433 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EPIPE);
6434 		error = EPIPE;
6435 		goto out_now;
6436 	}
6437 	sctp_alloc_a_strmoq(stcb, sp);
6438 	if (sp == NULL) {
6439 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6440 		error = ENOMEM;
6441 		goto out_now;
6442 	}
6443 	sp->sinfo_flags = srcv->sinfo_flags;
6444 	sp->timetolive = srcv->sinfo_timetolive;
6445 	sp->ppid = srcv->sinfo_ppid;
6446 	sp->context = srcv->sinfo_context;
6447 	sp->fsn = 0;
6448 	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
6449 		sp->net = net;
6450 		atomic_add_int(&sp->net->ref_count, 1);
6451 	} else {
6452 		sp->net = NULL;
6453 	}
6454 	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6455 	sp->sid = srcv->sinfo_stream;
6456 	sp->msg_is_complete = 1;
6457 	sp->sender_all_done = 1;
6458 	sp->some_taken = 0;
6459 	sp->data = m;
6460 	sp->tail_mbuf = NULL;
6461 	sctp_set_prsctp_policy(sp);
6462 	/*
6463 	 * We could in theory (for sendall) sifa the length in, but we would
6464 	 * still have to hunt through the chain since we need to setup the
6465 	 * tail_mbuf
6466 	 */
6467 	sp->length = 0;
6468 	for (at = m; at; at = SCTP_BUF_NEXT(at)) {
6469 		if (SCTP_BUF_NEXT(at) == NULL)
6470 			sp->tail_mbuf = at;
6471 		sp->length += SCTP_BUF_LEN(at);
6472 	}
6473 	if (srcv->sinfo_keynumber_valid) {
6474 		sp->auth_keyid = srcv->sinfo_keynumber;
6475 	} else {
6476 		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
6477 	}
6478 	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
6479 		sctp_auth_key_acquire(stcb, sp->auth_keyid);
6480 		sp->holds_key_ref = 1;
6481 	}
6482 	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
6483 	sctp_snd_sb_alloc(stcb, sp->length);
6484 	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
6485 	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
6486 	stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, &stcb->asoc, strm, sp);
6487 	m = NULL;
6488 out_now:
6489 	if (m) {
6490 		sctp_m_freem(m);
6491 	}
6492 	return (error);
6493 }
6494 
6495 static struct mbuf *
6496 sctp_copy_mbufchain(struct mbuf *clonechain,
6497     struct mbuf *outchain,
6498     struct mbuf **endofchain,
6499     int can_take_mbuf,
6500     int sizeofcpy,
6501     uint8_t copy_by_ref)
6502 {
6503 	struct mbuf *m;
6504 	struct mbuf *appendchain;
6505 	caddr_t cp;
6506 	int len;
6507 
6508 	if (endofchain == NULL) {
6509 		/* error */
6510 error_out:
6511 		if (outchain)
6512 			sctp_m_freem(outchain);
6513 		return (NULL);
6514 	}
6515 	if (can_take_mbuf) {
6516 		appendchain = clonechain;
6517 	} else {
6518 		if (!copy_by_ref &&
6519 		    (sizeofcpy <= (int)((((SCTP_BASE_SYSCTL(sctp_mbuf_threshold_count) - 1) * MLEN) + MHLEN)))) {
6520 			/* Its not in a cluster */
6521 			if (*endofchain == NULL) {
6522 				/* lets get a mbuf cluster */
6523 				if (outchain == NULL) {
6524 					/* This is the general case */
6525 			new_mbuf:
6526 					outchain = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6527 					if (outchain == NULL) {
6528 						goto error_out;
6529 					}
6530 					SCTP_BUF_LEN(outchain) = 0;
6531 					*endofchain = outchain;
6532 					/* get the prepend space */
6533 					SCTP_BUF_RESV_UF(outchain, (SCTP_FIRST_MBUF_RESV + 4));
6534 				} else {
6535 					/*
6536 					 * We really should not get a NULL
6537 					 * in endofchain
6538 					 */
6539 					/* find end */
6540 					m = outchain;
6541 					while (m) {
6542 						if (SCTP_BUF_NEXT(m) == NULL) {
6543 							*endofchain = m;
6544 							break;
6545 						}
6546 						m = SCTP_BUF_NEXT(m);
6547 					}
6548 					/* sanity */
6549 					if (*endofchain == NULL) {
6550 						/*
6551 						 * huh, TSNH XXX maybe we
6552 						 * should panic
6553 						 */
6554 						sctp_m_freem(outchain);
6555 						goto new_mbuf;
6556 					}
6557 				}
6558 				/* get the new end of length */
6559 				len = (int)M_TRAILINGSPACE(*endofchain);
6560 			} else {
6561 				/* how much is left at the end? */
6562 				len = (int)M_TRAILINGSPACE(*endofchain);
6563 			}
6564 			/* Find the end of the data, for appending */
6565 			cp = (mtod((*endofchain), caddr_t)+SCTP_BUF_LEN((*endofchain)));
6566 
6567 			/* Now lets copy it out */
6568 			if (len >= sizeofcpy) {
6569 				/* It all fits, copy it in */
6570 				m_copydata(clonechain, 0, sizeofcpy, cp);
6571 				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6572 			} else {
6573 				/* fill up the end of the chain */
6574 				if (len > 0) {
6575 					m_copydata(clonechain, 0, len, cp);
6576 					SCTP_BUF_LEN((*endofchain)) += len;
6577 					/* now we need another one */
6578 					sizeofcpy -= len;
6579 				}
6580 				m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6581 				if (m == NULL) {
6582 					/* We failed */
6583 					goto error_out;
6584 				}
6585 				SCTP_BUF_NEXT((*endofchain)) = m;
6586 				*endofchain = m;
6587 				cp = mtod((*endofchain), caddr_t);
6588 				m_copydata(clonechain, len, sizeofcpy, cp);
6589 				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6590 			}
6591 			return (outchain);
6592 		} else {
6593 			/* copy the old fashion way */
6594 			appendchain = SCTP_M_COPYM(clonechain, 0, M_COPYALL, M_NOWAIT);
6595 #ifdef SCTP_MBUF_LOGGING
6596 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6597 				sctp_log_mbc(appendchain, SCTP_MBUF_ICOPY);
6598 			}
6599 #endif
6600 		}
6601 	}
6602 	if (appendchain == NULL) {
6603 		/* error */
6604 		if (outchain)
6605 			sctp_m_freem(outchain);
6606 		return (NULL);
6607 	}
6608 	if (outchain) {
6609 		/* tack on to the end */
6610 		if (*endofchain != NULL) {
6611 			SCTP_BUF_NEXT(((*endofchain))) = appendchain;
6612 		} else {
6613 			m = outchain;
6614 			while (m) {
6615 				if (SCTP_BUF_NEXT(m) == NULL) {
6616 					SCTP_BUF_NEXT(m) = appendchain;
6617 					break;
6618 				}
6619 				m = SCTP_BUF_NEXT(m);
6620 			}
6621 		}
6622 		/*
6623 		 * save off the end and update the end-chain position
6624 		 */
6625 		m = appendchain;
6626 		while (m) {
6627 			if (SCTP_BUF_NEXT(m) == NULL) {
6628 				*endofchain = m;
6629 				break;
6630 			}
6631 			m = SCTP_BUF_NEXT(m);
6632 		}
6633 		return (outchain);
6634 	} else {
6635 		/* save off the end and update the end-chain position */
6636 		m = appendchain;
6637 		while (m) {
6638 			if (SCTP_BUF_NEXT(m) == NULL) {
6639 				*endofchain = m;
6640 				break;
6641 			}
6642 			m = SCTP_BUF_NEXT(m);
6643 		}
6644 		return (appendchain);
6645 	}
6646 }
6647 
6648 static int
6649 sctp_med_chunk_output(struct sctp_inpcb *inp,
6650     struct sctp_tcb *stcb,
6651     struct sctp_association *asoc,
6652     int *num_out,
6653     int *reason_code,
6654     int control_only, int from_where,
6655     struct timeval *now, int *now_filled,
6656     uint32_t frag_point, int so_locked);
6657 
6658 static void
6659 sctp_sendall_iterator(struct sctp_inpcb *inp, struct sctp_tcb *stcb, void *ptr,
6660     uint32_t val SCTP_UNUSED)
6661 {
6662 	struct sctp_copy_all *ca;
6663 	struct mbuf *m;
6664 	int ret = 0;
6665 	int added_control = 0;
6666 	int un_sent, do_chunk_output = 1;
6667 	struct sctp_association *asoc;
6668 	struct sctp_nets *net;
6669 
6670 	ca = (struct sctp_copy_all *)ptr;
6671 	if (ca->m == NULL) {
6672 		return;
6673 	}
6674 	if (ca->inp != inp) {
6675 		/* TSNH */
6676 		return;
6677 	}
6678 	if (ca->sndlen > 0) {
6679 		m = SCTP_M_COPYM(ca->m, 0, M_COPYALL, M_NOWAIT);
6680 		if (m == NULL) {
6681 			/* can't copy so we are done */
6682 			ca->cnt_failed++;
6683 			return;
6684 		}
6685 #ifdef SCTP_MBUF_LOGGING
6686 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6687 			sctp_log_mbc(m, SCTP_MBUF_ICOPY);
6688 		}
6689 #endif
6690 	} else {
6691 		m = NULL;
6692 	}
6693 	SCTP_TCB_LOCK_ASSERT(stcb);
6694 	if (stcb->asoc.alternate) {
6695 		net = stcb->asoc.alternate;
6696 	} else {
6697 		net = stcb->asoc.primary_destination;
6698 	}
6699 	if (ca->sndrcv.sinfo_flags & SCTP_ABORT) {
6700 		/* Abort this assoc with m as the user defined reason */
6701 		if (m != NULL) {
6702 			SCTP_BUF_PREPEND(m, sizeof(struct sctp_paramhdr), M_NOWAIT);
6703 		} else {
6704 			m = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
6705 			    0, M_NOWAIT, 1, MT_DATA);
6706 			if (m != NULL) {
6707 				SCTP_BUF_LEN(m) = sizeof(struct sctp_paramhdr);
6708 			}
6709 		}
6710 		if (m != NULL) {
6711 			struct sctp_paramhdr *ph;
6712 
6713 			ph = mtod(m, struct sctp_paramhdr *);
6714 			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
6715 			ph->param_length = htons((uint16_t)(sizeof(struct sctp_paramhdr) + ca->sndlen));
6716 		}
6717 		/*
6718 		 * We add one here to keep the assoc from dis-appearing on
6719 		 * us.
6720 		 */
6721 		atomic_add_int(&stcb->asoc.refcnt, 1);
6722 		sctp_abort_an_association(inp, stcb, m, false, SCTP_SO_NOT_LOCKED);
6723 		/*
6724 		 * sctp_abort_an_association calls sctp_free_asoc() free
6725 		 * association will NOT free it since we incremented the
6726 		 * refcnt .. we do this to prevent it being freed and things
6727 		 * getting tricky since we could end up (from free_asoc)
6728 		 * calling inpcb_free which would get a recursive lock call
6729 		 * to the iterator lock.. But as a consequence of that the
6730 		 * stcb will return to us un-locked.. since free_asoc
6731 		 * returns with either no TCB or the TCB unlocked, we must
6732 		 * relock.. to unlock in the iterator timer :-0
6733 		 */
6734 		SCTP_TCB_LOCK(stcb);
6735 		atomic_subtract_int(&stcb->asoc.refcnt, 1);
6736 		goto no_chunk_output;
6737 	} else {
6738 		if (m != NULL) {
6739 			ret = sctp_msg_append(stcb, net, m, &ca->sndrcv);
6740 		}
6741 		asoc = &stcb->asoc;
6742 		if (ca->sndrcv.sinfo_flags & SCTP_EOF) {
6743 			/* shutdown this assoc */
6744 			if (TAILQ_EMPTY(&asoc->send_queue) &&
6745 			    TAILQ_EMPTY(&asoc->sent_queue) &&
6746 			    sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED) == 0) {
6747 				if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
6748 					goto abort_anyway;
6749 				}
6750 				/*
6751 				 * there is nothing queued to send, so I'm
6752 				 * done...
6753 				 */
6754 				if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
6755 				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6756 				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6757 					/*
6758 					 * only send SHUTDOWN the first time
6759 					 * through
6760 					 */
6761 					if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
6762 						SCTP_STAT_DECR_GAUGE32(sctps_currestab);
6763 					}
6764 					SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT);
6765 					sctp_stop_timers_for_shutdown(stcb);
6766 					sctp_send_shutdown(stcb, net);
6767 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
6768 					    net);
6769 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6770 					    NULL);
6771 					added_control = 1;
6772 					do_chunk_output = 0;
6773 				}
6774 			} else {
6775 				/*
6776 				 * we still got (or just got) data to send,
6777 				 * so set SHUTDOWN_PENDING
6778 				 */
6779 				/*
6780 				 * XXX sockets draft says that SCTP_EOF
6781 				 * should be sent with no data.  currently,
6782 				 * we will allow user data to be sent first
6783 				 * and move to SHUTDOWN-PENDING
6784 				 */
6785 				if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
6786 				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6787 				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6788 					if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
6789 						SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT);
6790 					}
6791 					SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING);
6792 					if (TAILQ_EMPTY(&asoc->send_queue) &&
6793 					    TAILQ_EMPTY(&asoc->sent_queue) &&
6794 					    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
6795 						struct mbuf *op_err;
6796 						char msg[SCTP_DIAG_INFO_LEN];
6797 
6798 				abort_anyway:
6799 						SCTP_SNPRINTF(msg, sizeof(msg),
6800 						    "%s:%d at %s", __FILE__, __LINE__, __func__);
6801 						op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
6802 						    msg);
6803 						atomic_add_int(&stcb->asoc.refcnt, 1);
6804 						sctp_abort_an_association(stcb->sctp_ep, stcb,
6805 						    op_err, false, SCTP_SO_NOT_LOCKED);
6806 						atomic_subtract_int(&stcb->asoc.refcnt, 1);
6807 						goto no_chunk_output;
6808 					}
6809 				}
6810 			}
6811 		}
6812 	}
6813 	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
6814 	    (stcb->asoc.stream_queue_cnt * SCTP_DATA_CHUNK_OVERHEAD(stcb)));
6815 
6816 	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
6817 	    (stcb->asoc.total_flight > 0) &&
6818 	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
6819 		do_chunk_output = 0;
6820 	}
6821 	if (do_chunk_output)
6822 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_NOT_LOCKED);
6823 	else if (added_control) {
6824 		struct timeval now;
6825 		int num_out, reason, now_filled = 0;
6826 
6827 		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
6828 		    &reason, 1, 1, &now, &now_filled,
6829 		    sctp_get_frag_point(stcb),
6830 		    SCTP_SO_NOT_LOCKED);
6831 	}
6832 no_chunk_output:
6833 	if (ret) {
6834 		ca->cnt_failed++;
6835 	} else {
6836 		ca->cnt_sent++;
6837 	}
6838 }
6839 
6840 static void
6841 sctp_sendall_completes(void *ptr, uint32_t val SCTP_UNUSED)
6842 {
6843 	struct sctp_copy_all *ca;
6844 
6845 	ca = (struct sctp_copy_all *)ptr;
6846 	/*
6847 	 * Do a notify here? Kacheong suggests that the notify be done at
6848 	 * the send time.. so you would push up a notification if any send
6849 	 * failed. Don't know if this is feasible since the only failures we
6850 	 * have is "memory" related and if you cannot get an mbuf to send
6851 	 * the data you surely can't get an mbuf to send up to notify the
6852 	 * user you can't send the data :->
6853 	 */
6854 
6855 	/* now free everything */
6856 	if (ca->inp) {
6857 		/* Lets clear the flag to allow others to run. */
6858 		SCTP_INP_WLOCK(ca->inp);
6859 		ca->inp->sctp_flags &= ~SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6860 		SCTP_INP_WUNLOCK(ca->inp);
6861 	}
6862 	sctp_m_freem(ca->m);
6863 	SCTP_FREE(ca, SCTP_M_COPYAL);
6864 }
6865 
6866 static struct mbuf *
6867 sctp_copy_out_all(struct uio *uio, ssize_t len)
6868 {
6869 	struct mbuf *ret, *at;
6870 	ssize_t left, willcpy, cancpy, error;
6871 
6872 	ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAITOK, 1, MT_DATA);
6873 	if (ret == NULL) {
6874 		/* TSNH */
6875 		return (NULL);
6876 	}
6877 	left = len;
6878 	SCTP_BUF_LEN(ret) = 0;
6879 	/* save space for the data chunk header */
6880 	cancpy = (int)M_TRAILINGSPACE(ret);
6881 	willcpy = min(cancpy, left);
6882 	at = ret;
6883 	while (left > 0) {
6884 		/* Align data to the end */
6885 		error = uiomove(mtod(at, caddr_t), (int)willcpy, uio);
6886 		if (error) {
6887 	err_out_now:
6888 			sctp_m_freem(at);
6889 			return (NULL);
6890 		}
6891 		SCTP_BUF_LEN(at) = (int)willcpy;
6892 		SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
6893 		left -= willcpy;
6894 		if (left > 0) {
6895 			SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg((unsigned int)left, 0, M_WAITOK, 1, MT_DATA);
6896 			if (SCTP_BUF_NEXT(at) == NULL) {
6897 				goto err_out_now;
6898 			}
6899 			at = SCTP_BUF_NEXT(at);
6900 			SCTP_BUF_LEN(at) = 0;
6901 			cancpy = (int)M_TRAILINGSPACE(at);
6902 			willcpy = min(cancpy, left);
6903 		}
6904 	}
6905 	return (ret);
6906 }
6907 
6908 static int
6909 sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
6910     struct sctp_nonpad_sndrcvinfo *srcv)
6911 {
6912 	struct sctp_copy_all *ca;
6913 	struct mbuf *mat;
6914 	ssize_t sndlen;
6915 	int ret;
6916 
6917 	if (uio != NULL) {
6918 		sndlen = uio->uio_resid;
6919 	} else {
6920 		sndlen = 0;
6921 		for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
6922 			sndlen += SCTP_BUF_LEN(mat);
6923 		}
6924 	}
6925 	if (sndlen > (ssize_t)SCTP_BASE_SYSCTL(sctp_sendall_limit)) {
6926 		/* You must not be larger than the limit! */
6927 		return (EMSGSIZE);
6928 	}
6929 	SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
6930 	    SCTP_M_COPYAL);
6931 	if (ca == NULL) {
6932 		sctp_m_freem(m);
6933 		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6934 		return (ENOMEM);
6935 	}
6936 	memset(ca, 0, sizeof(struct sctp_copy_all));
6937 	ca->inp = inp;
6938 	if (srcv != NULL) {
6939 		memcpy(&ca->sndrcv, srcv, sizeof(struct sctp_nonpad_sndrcvinfo));
6940 	}
6941 	/* Serialize. */
6942 	SCTP_INP_WLOCK(inp);
6943 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_SND_ITERATOR_UP) != 0) {
6944 		SCTP_INP_WUNLOCK(inp);
6945 		sctp_m_freem(m);
6946 		SCTP_FREE(ca, SCTP_M_COPYAL);
6947 		return (EBUSY);
6948 	}
6949 	inp->sctp_flags |= SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6950 	SCTP_INP_WUNLOCK(inp);
6951 	/*
6952 	 * take off the sendall flag, it would be bad if we failed to do
6953 	 * this :-0
6954 	 */
6955 	ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
6956 	/* get length and mbuf chain */
6957 	ca->sndlen = sndlen;
6958 	if (uio != NULL) {
6959 		ca->m = sctp_copy_out_all(uio, ca->sndlen);
6960 		if (ca->m == NULL) {
6961 			SCTP_FREE(ca, SCTP_M_COPYAL);
6962 			sctp_m_freem(m);
6963 			SCTP_INP_WLOCK(inp);
6964 			inp->sctp_flags &= ~SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6965 			SCTP_INP_WUNLOCK(inp);
6966 			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6967 			return (ENOMEM);
6968 		}
6969 	} else {
6970 		ca->m = m;
6971 	}
6972 	ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
6973 	    SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
6974 	    SCTP_ASOC_ANY_STATE,
6975 	    (void *)ca, 0,
6976 	    sctp_sendall_completes, inp, 1);
6977 	if (ret != 0) {
6978 		SCTP_INP_WLOCK(inp);
6979 		inp->sctp_flags &= ~SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6980 		SCTP_INP_WUNLOCK(inp);
6981 		SCTP_FREE(ca, SCTP_M_COPYAL);
6982 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
6983 		return (EFAULT);
6984 	}
6985 	return (0);
6986 }
6987 
6988 void
6989 sctp_toss_old_cookies(struct sctp_tcb *stcb, struct sctp_association *asoc)
6990 {
6991 	struct sctp_tmit_chunk *chk, *nchk;
6992 
6993 	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
6994 		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
6995 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
6996 			asoc->ctrl_queue_cnt--;
6997 			if (chk->data) {
6998 				sctp_m_freem(chk->data);
6999 				chk->data = NULL;
7000 			}
7001 			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7002 		}
7003 	}
7004 }
7005 
7006 void
7007 sctp_toss_old_asconf(struct sctp_tcb *stcb)
7008 {
7009 	struct sctp_association *asoc;
7010 	struct sctp_tmit_chunk *chk, *nchk;
7011 	struct sctp_asconf_chunk *acp;
7012 
7013 	asoc = &stcb->asoc;
7014 	TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
7015 		/* find SCTP_ASCONF chunk in queue */
7016 		if (chk->rec.chunk_id.id == SCTP_ASCONF) {
7017 			if (chk->data) {
7018 				acp = mtod(chk->data, struct sctp_asconf_chunk *);
7019 				if (SCTP_TSN_GT(ntohl(acp->serial_number), asoc->asconf_seq_out_acked)) {
7020 					/* Not Acked yet */
7021 					break;
7022 				}
7023 			}
7024 			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
7025 			asoc->ctrl_queue_cnt--;
7026 			if (chk->data) {
7027 				sctp_m_freem(chk->data);
7028 				chk->data = NULL;
7029 			}
7030 			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7031 		}
7032 	}
7033 }
7034 
7035 static void
7036 sctp_clean_up_datalist(struct sctp_tcb *stcb,
7037     struct sctp_association *asoc,
7038     struct sctp_tmit_chunk **data_list,
7039     int bundle_at,
7040     struct sctp_nets *net)
7041 {
7042 	int i;
7043 	struct sctp_tmit_chunk *tp1;
7044 
7045 	for (i = 0; i < bundle_at; i++) {
7046 		/* off of the send queue */
7047 		TAILQ_REMOVE(&asoc->send_queue, data_list[i], sctp_next);
7048 		asoc->send_queue_cnt--;
7049 		if (i > 0) {
7050 			/*
7051 			 * Any chunk NOT 0 you zap the time chunk 0 gets
7052 			 * zapped or set based on if a RTO measurement is
7053 			 * needed.
7054 			 */
7055 			data_list[i]->do_rtt = 0;
7056 		}
7057 		/* record time */
7058 		data_list[i]->sent_rcv_time = net->last_sent_time;
7059 		data_list[i]->rec.data.cwnd_at_send = net->cwnd;
7060 		data_list[i]->rec.data.fast_retran_tsn = data_list[i]->rec.data.tsn;
7061 		if (data_list[i]->whoTo == NULL) {
7062 			data_list[i]->whoTo = net;
7063 			atomic_add_int(&net->ref_count, 1);
7064 		}
7065 		/* on to the sent queue */
7066 		tp1 = TAILQ_LAST(&asoc->sent_queue, sctpchunk_listhead);
7067 		if ((tp1) && SCTP_TSN_GT(tp1->rec.data.tsn, data_list[i]->rec.data.tsn)) {
7068 			struct sctp_tmit_chunk *tpp;
7069 
7070 			/* need to move back */
7071 	back_up_more:
7072 			tpp = TAILQ_PREV(tp1, sctpchunk_listhead, sctp_next);
7073 			if (tpp == NULL) {
7074 				TAILQ_INSERT_BEFORE(tp1, data_list[i], sctp_next);
7075 				goto all_done;
7076 			}
7077 			tp1 = tpp;
7078 			if (SCTP_TSN_GT(tp1->rec.data.tsn, data_list[i]->rec.data.tsn)) {
7079 				goto back_up_more;
7080 			}
7081 			TAILQ_INSERT_AFTER(&asoc->sent_queue, tp1, data_list[i], sctp_next);
7082 		} else {
7083 			TAILQ_INSERT_TAIL(&asoc->sent_queue,
7084 			    data_list[i],
7085 			    sctp_next);
7086 		}
7087 all_done:
7088 		/* This does not lower until the cum-ack passes it */
7089 		asoc->sent_queue_cnt++;
7090 		if ((asoc->peers_rwnd <= 0) &&
7091 		    (asoc->total_flight == 0) &&
7092 		    (bundle_at == 1)) {
7093 			/* Mark the chunk as being a window probe */
7094 			SCTP_STAT_INCR(sctps_windowprobed);
7095 		}
7096 #ifdef SCTP_AUDITING_ENABLED
7097 		sctp_audit_log(0xC2, 3);
7098 #endif
7099 		data_list[i]->sent = SCTP_DATAGRAM_SENT;
7100 		data_list[i]->snd_count = 1;
7101 		data_list[i]->rec.data.chunk_was_revoked = 0;
7102 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
7103 			sctp_misc_ints(SCTP_FLIGHT_LOG_UP,
7104 			    data_list[i]->whoTo->flight_size,
7105 			    data_list[i]->book_size,
7106 			    (uint32_t)(uintptr_t)data_list[i]->whoTo,
7107 			    data_list[i]->rec.data.tsn);
7108 		}
7109 		sctp_flight_size_increase(data_list[i]);
7110 		sctp_total_flight_increase(stcb, data_list[i]);
7111 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
7112 			sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
7113 			    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
7114 		}
7115 		asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
7116 		    (uint32_t)(data_list[i]->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
7117 		if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
7118 			/* SWS sender side engages */
7119 			asoc->peers_rwnd = 0;
7120 		}
7121 	}
7122 	if (asoc->cc_functions.sctp_cwnd_update_packet_transmitted) {
7123 		(*asoc->cc_functions.sctp_cwnd_update_packet_transmitted) (stcb, net);
7124 	}
7125 }
7126 
7127 static void
7128 sctp_clean_up_ctl(struct sctp_tcb *stcb, struct sctp_association *asoc, int so_locked)
7129 {
7130 	struct sctp_tmit_chunk *chk, *nchk;
7131 
7132 	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
7133 		if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7134 		    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
7135 		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
7136 		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
7137 		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) ||
7138 		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
7139 		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
7140 		    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
7141 		    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
7142 		    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
7143 		    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
7144 		    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
7145 			/* Stray chunks must be cleaned up */
7146 	clean_up_anyway:
7147 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
7148 			asoc->ctrl_queue_cnt--;
7149 			if (chk->data) {
7150 				sctp_m_freem(chk->data);
7151 				chk->data = NULL;
7152 			}
7153 			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
7154 				asoc->fwd_tsn_cnt--;
7155 			}
7156 			sctp_free_a_chunk(stcb, chk, so_locked);
7157 		} else if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
7158 			/* special handling, we must look into the param */
7159 			if (chk != asoc->str_reset) {
7160 				goto clean_up_anyway;
7161 			}
7162 		}
7163 	}
7164 }
7165 
7166 static uint32_t
7167 sctp_can_we_split_this(struct sctp_tcb *stcb, uint32_t length,
7168     uint32_t space_left, uint32_t frag_point, int eeor_on)
7169 {
7170 	/*
7171 	 * Make a decision on if I should split a msg into multiple parts.
7172 	 * This is only asked of incomplete messages.
7173 	 */
7174 	if (eeor_on) {
7175 		/*
7176 		 * If we are doing EEOR we need to always send it if its the
7177 		 * entire thing, since it might be all the guy is putting in
7178 		 * the hopper.
7179 		 */
7180 		if (space_left >= length) {
7181 			/*-
7182 			 * If we have data outstanding,
7183 			 * we get another chance when the sack
7184 			 * arrives to transmit - wait for more data
7185 			 */
7186 			if (stcb->asoc.total_flight == 0) {
7187 				/*
7188 				 * If nothing is in flight, we zero the
7189 				 * packet counter.
7190 				 */
7191 				return (length);
7192 			}
7193 			return (0);
7194 
7195 		} else {
7196 			/* You can fill the rest */
7197 			return (space_left);
7198 		}
7199 	}
7200 	/*-
7201 	 * For those strange folk that make the send buffer
7202 	 * smaller than our fragmentation point, we can't
7203 	 * get a full msg in so we have to allow splitting.
7204 	 */
7205 	if (SCTP_SB_LIMIT_SND(stcb->sctp_socket) < frag_point) {
7206 		return (length);
7207 	}
7208 	if ((length <= space_left) ||
7209 	    ((length - space_left) < SCTP_BASE_SYSCTL(sctp_min_residual))) {
7210 		/* Sub-optimal residual don't split in non-eeor mode. */
7211 		return (0);
7212 	}
7213 	/*
7214 	 * If we reach here length is larger than the space_left. Do we wish
7215 	 * to split it for the sake of packet putting together?
7216 	 */
7217 	if (space_left >= min(SCTP_BASE_SYSCTL(sctp_min_split_point), frag_point)) {
7218 		/* Its ok to split it */
7219 		return (min(space_left, frag_point));
7220 	}
7221 	/* Nope, can't split */
7222 	return (0);
7223 }
7224 
7225 static uint32_t
7226 sctp_move_to_outqueue(struct sctp_tcb *stcb,
7227     struct sctp_nets *net,
7228     struct sctp_stream_out *strq,
7229     uint32_t space_left,
7230     uint32_t frag_point,
7231     int *giveup,
7232     int eeor_mode,
7233     int *bail,
7234     int so_locked)
7235 {
7236 	/* Move from the stream to the send_queue keeping track of the total */
7237 	struct sctp_association *asoc;
7238 	struct sctp_stream_queue_pending *sp;
7239 	struct sctp_tmit_chunk *chk;
7240 	struct sctp_data_chunk *dchkh = NULL;
7241 	struct sctp_idata_chunk *ndchkh = NULL;
7242 	uint32_t to_move, length;
7243 	int leading;
7244 	uint8_t rcv_flags = 0;
7245 	uint8_t some_taken;
7246 
7247 	SCTP_TCB_LOCK_ASSERT(stcb);
7248 	asoc = &stcb->asoc;
7249 one_more_time:
7250 	/* sa_ignore FREED_MEMORY */
7251 	sp = TAILQ_FIRST(&strq->outqueue);
7252 	if (sp == NULL) {
7253 		sp = TAILQ_FIRST(&strq->outqueue);
7254 		if (sp) {
7255 			goto one_more_time;
7256 		}
7257 		if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_EXPLICIT_EOR) == 0) &&
7258 		    (stcb->asoc.idata_supported == 0) &&
7259 		    (strq->last_msg_incomplete)) {
7260 			SCTP_PRINTF("Huh? Stream:%d lm_in_c=%d but queue is NULL\n",
7261 			    strq->sid,
7262 			    strq->last_msg_incomplete);
7263 			strq->last_msg_incomplete = 0;
7264 		}
7265 		to_move = 0;
7266 		goto out_of;
7267 	}
7268 	if ((sp->msg_is_complete) && (sp->length == 0)) {
7269 		if (sp->sender_all_done) {
7270 			/*
7271 			 * We are doing deferred cleanup. Last time through
7272 			 * when we took all the data the sender_all_done was
7273 			 * not set.
7274 			 */
7275 			if ((sp->put_last_out == 0) && (sp->discard_rest == 0)) {
7276 				SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
7277 				SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
7278 				    sp->sender_all_done,
7279 				    sp->length,
7280 				    sp->msg_is_complete,
7281 				    sp->put_last_out);
7282 			}
7283 			atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7284 			TAILQ_REMOVE(&strq->outqueue, sp, next);
7285 			stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp);
7286 			if ((strq->state == SCTP_STREAM_RESET_PENDING) &&
7287 			    (strq->chunks_on_queues == 0) &&
7288 			    TAILQ_EMPTY(&strq->outqueue)) {
7289 				stcb->asoc.trigger_reset = 1;
7290 			}
7291 			if (sp->net) {
7292 				sctp_free_remote_addr(sp->net);
7293 				sp->net = NULL;
7294 			}
7295 			if (sp->data) {
7296 				sctp_m_freem(sp->data);
7297 				sp->data = NULL;
7298 			}
7299 			sctp_free_a_strmoq(stcb, sp, so_locked);
7300 			/* back to get the next msg */
7301 			goto one_more_time;
7302 		} else {
7303 			/*
7304 			 * sender just finished this but still holds a
7305 			 * reference
7306 			 */
7307 			*giveup = 1;
7308 			to_move = 0;
7309 			goto out_of;
7310 		}
7311 	} else {
7312 		/* is there some to get */
7313 		if (sp->length == 0) {
7314 			/* no */
7315 			*giveup = 1;
7316 			to_move = 0;
7317 			goto out_of;
7318 		} else if (sp->discard_rest) {
7319 			/* Whack down the size */
7320 			atomic_subtract_int(&stcb->asoc.total_output_queue_size, sp->length);
7321 			if ((stcb->sctp_socket != NULL) &&
7322 			    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
7323 			    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL))) {
7324 				SCTP_SB_DECR(&stcb->sctp_socket->so_snd, sp->length);
7325 			}
7326 			if (sp->data) {
7327 				sctp_m_freem(sp->data);
7328 				sp->data = NULL;
7329 				sp->tail_mbuf = NULL;
7330 			}
7331 			sp->length = 0;
7332 			sp->some_taken = 1;
7333 			*giveup = 1;
7334 			to_move = 0;
7335 			goto out_of;
7336 		}
7337 	}
7338 	some_taken = sp->some_taken;
7339 	length = sp->length;
7340 	if (sp->msg_is_complete) {
7341 		/* The message is complete */
7342 		to_move = min(length, frag_point);
7343 		if (to_move == length) {
7344 			/* All of it fits in the MTU */
7345 			if (sp->some_taken) {
7346 				rcv_flags |= SCTP_DATA_LAST_FRAG;
7347 			} else {
7348 				rcv_flags |= SCTP_DATA_NOT_FRAG;
7349 			}
7350 			sp->put_last_out = 1;
7351 			if (sp->sinfo_flags & SCTP_SACK_IMMEDIATELY) {
7352 				rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
7353 			}
7354 		} else {
7355 			/* Not all of it fits, we fragment */
7356 			if (sp->some_taken == 0) {
7357 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7358 			}
7359 			sp->some_taken = 1;
7360 		}
7361 	} else {
7362 		to_move = sctp_can_we_split_this(stcb, length, space_left, frag_point, eeor_mode);
7363 		if (to_move > 0) {
7364 			if (to_move >= length) {
7365 				to_move = length;
7366 			}
7367 			if (sp->some_taken == 0) {
7368 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7369 				sp->some_taken = 1;
7370 			}
7371 		} else {
7372 			/* Nothing to take. */
7373 			*giveup = 1;
7374 			to_move = 0;
7375 			goto out_of;
7376 		}
7377 	}
7378 
7379 	/* If we reach here, we can copy out a chunk */
7380 	sctp_alloc_a_chunk(stcb, chk);
7381 	if (chk == NULL) {
7382 		/* No chunk memory */
7383 		*giveup = 1;
7384 		to_move = 0;
7385 		goto out_of;
7386 	}
7387 	/*
7388 	 * Setup for unordered if needed by looking at the user sent info
7389 	 * flags.
7390 	 */
7391 	if (sp->sinfo_flags & SCTP_UNORDERED) {
7392 		rcv_flags |= SCTP_DATA_UNORDERED;
7393 	}
7394 	if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
7395 	    (sp->sinfo_flags & SCTP_EOF) == SCTP_EOF) {
7396 		rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
7397 	}
7398 	/* clear out the chunk before setting up */
7399 	memset(chk, 0, sizeof(*chk));
7400 	chk->rec.data.rcv_flags = rcv_flags;
7401 
7402 	if (to_move >= length) {
7403 		/* we think we can steal the whole thing */
7404 		if (to_move < sp->length) {
7405 			/* bail, it changed */
7406 			goto dont_do_it;
7407 		}
7408 		chk->data = sp->data;
7409 		chk->last_mbuf = sp->tail_mbuf;
7410 		/* register the stealing */
7411 		sp->data = sp->tail_mbuf = NULL;
7412 	} else {
7413 		struct mbuf *m;
7414 
7415 dont_do_it:
7416 		chk->data = SCTP_M_COPYM(sp->data, 0, to_move, M_NOWAIT);
7417 		chk->last_mbuf = NULL;
7418 		if (chk->data == NULL) {
7419 			sp->some_taken = some_taken;
7420 			sctp_free_a_chunk(stcb, chk, so_locked);
7421 			*bail = 1;
7422 			to_move = 0;
7423 			goto out_of;
7424 		}
7425 #ifdef SCTP_MBUF_LOGGING
7426 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
7427 			sctp_log_mbc(chk->data, SCTP_MBUF_ICOPY);
7428 		}
7429 #endif
7430 		/* Pull off the data */
7431 		m_adj(sp->data, to_move);
7432 		/* Now lets work our way down and compact it */
7433 		m = sp->data;
7434 		while (m && (SCTP_BUF_LEN(m) == 0)) {
7435 			sp->data = SCTP_BUF_NEXT(m);
7436 			SCTP_BUF_NEXT(m) = NULL;
7437 			if (sp->tail_mbuf == m) {
7438 				/*-
7439 				 * Freeing tail? TSNH since
7440 				 * we supposedly were taking less
7441 				 * than the sp->length.
7442 				 */
7443 #ifdef INVARIANTS
7444 				panic("Huh, freeing tail? - TSNH");
7445 #else
7446 				SCTP_PRINTF("Huh, freeing tail? - TSNH\n");
7447 				sp->tail_mbuf = sp->data = NULL;
7448 				sp->length = 0;
7449 #endif
7450 			}
7451 			sctp_m_free(m);
7452 			m = sp->data;
7453 		}
7454 	}
7455 	if (SCTP_BUF_IS_EXTENDED(chk->data)) {
7456 		chk->copy_by_ref = 1;
7457 	} else {
7458 		chk->copy_by_ref = 0;
7459 	}
7460 	/*
7461 	 * get last_mbuf and counts of mb usage This is ugly but hopefully
7462 	 * its only one mbuf.
7463 	 */
7464 	if (chk->last_mbuf == NULL) {
7465 		chk->last_mbuf = chk->data;
7466 		while (SCTP_BUF_NEXT(chk->last_mbuf) != NULL) {
7467 			chk->last_mbuf = SCTP_BUF_NEXT(chk->last_mbuf);
7468 		}
7469 	}
7470 
7471 	if (to_move > length) {
7472 		/*- This should not happen either
7473 		 * since we always lower to_move to the size
7474 		 * of sp->length if its larger.
7475 		 */
7476 #ifdef INVARIANTS
7477 		panic("Huh, how can to_move be larger?");
7478 #else
7479 		SCTP_PRINTF("Huh, how can to_move be larger?\n");
7480 		sp->length = 0;
7481 #endif
7482 	} else {
7483 		atomic_subtract_int(&sp->length, to_move);
7484 	}
7485 	leading = SCTP_DATA_CHUNK_OVERHEAD(stcb);
7486 	if (M_LEADINGSPACE(chk->data) < leading) {
7487 		/* Not enough room for a chunk header, get some */
7488 		struct mbuf *m;
7489 
7490 		m = sctp_get_mbuf_for_msg(1, 0, M_NOWAIT, 1, MT_DATA);
7491 		if (m == NULL) {
7492 			/*
7493 			 * we're in trouble here. _PREPEND below will free
7494 			 * all the data if there is no leading space, so we
7495 			 * must put the data back and restore.
7496 			 */
7497 			if (sp->data == NULL) {
7498 				/* unsteal the data */
7499 				sp->data = chk->data;
7500 				sp->tail_mbuf = chk->last_mbuf;
7501 			} else {
7502 				struct mbuf *m_tmp;
7503 
7504 				/* reassemble the data */
7505 				m_tmp = sp->data;
7506 				sp->data = chk->data;
7507 				SCTP_BUF_NEXT(chk->last_mbuf) = m_tmp;
7508 			}
7509 			sp->some_taken = some_taken;
7510 			atomic_add_int(&sp->length, to_move);
7511 			chk->data = NULL;
7512 			*bail = 1;
7513 			sctp_free_a_chunk(stcb, chk, so_locked);
7514 			to_move = 0;
7515 			goto out_of;
7516 		} else {
7517 			SCTP_BUF_LEN(m) = 0;
7518 			SCTP_BUF_NEXT(m) = chk->data;
7519 			chk->data = m;
7520 			M_ALIGN(chk->data, 4);
7521 		}
7522 	}
7523 	SCTP_BUF_PREPEND(chk->data, SCTP_DATA_CHUNK_OVERHEAD(stcb), M_NOWAIT);
7524 	if (chk->data == NULL) {
7525 		/* HELP, TSNH since we assured it would not above? */
7526 #ifdef INVARIANTS
7527 		panic("prepend fails HELP?");
7528 #else
7529 		SCTP_PRINTF("prepend fails HELP?\n");
7530 		sctp_free_a_chunk(stcb, chk, so_locked);
7531 #endif
7532 		*bail = 1;
7533 		to_move = 0;
7534 		goto out_of;
7535 	}
7536 	sctp_snd_sb_alloc(stcb, SCTP_DATA_CHUNK_OVERHEAD(stcb));
7537 	chk->book_size = chk->send_size = (uint16_t)(to_move + SCTP_DATA_CHUNK_OVERHEAD(stcb));
7538 	chk->book_size_scale = 0;
7539 	chk->sent = SCTP_DATAGRAM_UNSENT;
7540 
7541 	chk->flags = 0;
7542 	chk->asoc = &stcb->asoc;
7543 	chk->pad_inplace = 0;
7544 	chk->no_fr_allowed = 0;
7545 	if (stcb->asoc.idata_supported == 0) {
7546 		if (rcv_flags & SCTP_DATA_UNORDERED) {
7547 			/* Just use 0. The receiver ignores the values. */
7548 			chk->rec.data.mid = 0;
7549 		} else {
7550 			chk->rec.data.mid = strq->next_mid_ordered;
7551 			if (rcv_flags & SCTP_DATA_LAST_FRAG) {
7552 				strq->next_mid_ordered++;
7553 			}
7554 		}
7555 	} else {
7556 		if (rcv_flags & SCTP_DATA_UNORDERED) {
7557 			chk->rec.data.mid = strq->next_mid_unordered;
7558 			if (rcv_flags & SCTP_DATA_LAST_FRAG) {
7559 				strq->next_mid_unordered++;
7560 			}
7561 		} else {
7562 			chk->rec.data.mid = strq->next_mid_ordered;
7563 			if (rcv_flags & SCTP_DATA_LAST_FRAG) {
7564 				strq->next_mid_ordered++;
7565 			}
7566 		}
7567 	}
7568 	chk->rec.data.sid = sp->sid;
7569 	chk->rec.data.ppid = sp->ppid;
7570 	chk->rec.data.context = sp->context;
7571 	chk->rec.data.doing_fast_retransmit = 0;
7572 
7573 	chk->rec.data.timetodrop = sp->ts;
7574 	chk->flags = sp->act_flags;
7575 
7576 	if (sp->net) {
7577 		chk->whoTo = sp->net;
7578 		atomic_add_int(&chk->whoTo->ref_count, 1);
7579 	} else
7580 		chk->whoTo = NULL;
7581 
7582 	if (sp->holds_key_ref) {
7583 		chk->auth_keyid = sp->auth_keyid;
7584 		sctp_auth_key_acquire(stcb, chk->auth_keyid);
7585 		chk->holds_key_ref = 1;
7586 	}
7587 	stcb->asoc.ss_functions.sctp_ss_scheduled(stcb, net, asoc, strq, to_move);
7588 	chk->rec.data.tsn = atomic_fetchadd_int(&asoc->sending_seq, 1);
7589 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_OUTQ) {
7590 		sctp_misc_ints(SCTP_STRMOUT_LOG_SEND,
7591 		    (uint32_t)(uintptr_t)stcb, sp->length,
7592 		    (uint32_t)((chk->rec.data.sid << 16) | (0x0000ffff & chk->rec.data.mid)),
7593 		    chk->rec.data.tsn);
7594 	}
7595 	if (stcb->asoc.idata_supported == 0) {
7596 		dchkh = mtod(chk->data, struct sctp_data_chunk *);
7597 	} else {
7598 		ndchkh = mtod(chk->data, struct sctp_idata_chunk *);
7599 	}
7600 	/*
7601 	 * Put the rest of the things in place now. Size was done earlier in
7602 	 * previous loop prior to padding.
7603 	 */
7604 
7605 	SCTP_TCB_LOCK_ASSERT(stcb);
7606 #ifdef SCTP_ASOCLOG_OF_TSNS
7607 	if (asoc->tsn_out_at >= SCTP_TSN_LOG_SIZE) {
7608 		asoc->tsn_out_at = 0;
7609 		asoc->tsn_out_wrapped = 1;
7610 	}
7611 	asoc->out_tsnlog[asoc->tsn_out_at].tsn = chk->rec.data.tsn;
7612 	asoc->out_tsnlog[asoc->tsn_out_at].strm = chk->rec.data.sid;
7613 	asoc->out_tsnlog[asoc->tsn_out_at].seq = chk->rec.data.mid;
7614 	asoc->out_tsnlog[asoc->tsn_out_at].sz = chk->send_size;
7615 	asoc->out_tsnlog[asoc->tsn_out_at].flgs = chk->rec.data.rcv_flags;
7616 	asoc->out_tsnlog[asoc->tsn_out_at].stcb = (void *)stcb;
7617 	asoc->out_tsnlog[asoc->tsn_out_at].in_pos = asoc->tsn_out_at;
7618 	asoc->out_tsnlog[asoc->tsn_out_at].in_out = 2;
7619 	asoc->tsn_out_at++;
7620 #endif
7621 	if (stcb->asoc.idata_supported == 0) {
7622 		dchkh->ch.chunk_type = SCTP_DATA;
7623 		dchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7624 		dchkh->dp.tsn = htonl(chk->rec.data.tsn);
7625 		dchkh->dp.sid = htons(strq->sid);
7626 		dchkh->dp.ssn = htons((uint16_t)chk->rec.data.mid);
7627 		dchkh->dp.ppid = chk->rec.data.ppid;
7628 		dchkh->ch.chunk_length = htons(chk->send_size);
7629 	} else {
7630 		ndchkh->ch.chunk_type = SCTP_IDATA;
7631 		ndchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7632 		ndchkh->dp.tsn = htonl(chk->rec.data.tsn);
7633 		ndchkh->dp.sid = htons(strq->sid);
7634 		ndchkh->dp.reserved = htons(0);
7635 		ndchkh->dp.mid = htonl(chk->rec.data.mid);
7636 		if (sp->fsn == 0)
7637 			ndchkh->dp.ppid_fsn.ppid = chk->rec.data.ppid;
7638 		else
7639 			ndchkh->dp.ppid_fsn.fsn = htonl(sp->fsn);
7640 		sp->fsn++;
7641 		ndchkh->ch.chunk_length = htons(chk->send_size);
7642 	}
7643 	/* Now advance the chk->send_size by the actual pad needed. */
7644 	if (chk->send_size < SCTP_SIZE32(chk->book_size)) {
7645 		/* need a pad */
7646 		struct mbuf *lm;
7647 		int pads;
7648 
7649 		pads = SCTP_SIZE32(chk->book_size) - chk->send_size;
7650 		lm = sctp_pad_lastmbuf(chk->data, pads, chk->last_mbuf);
7651 		if (lm != NULL) {
7652 			chk->last_mbuf = lm;
7653 			chk->pad_inplace = 1;
7654 		}
7655 		chk->send_size += pads;
7656 	}
7657 	if (PR_SCTP_ENABLED(chk->flags)) {
7658 		asoc->pr_sctp_cnt++;
7659 	}
7660 	if (sp->msg_is_complete && (sp->length == 0) && (sp->sender_all_done)) {
7661 		/* All done pull and kill the message */
7662 		if (sp->put_last_out == 0) {
7663 			SCTP_PRINTF("Gak, put out entire msg with NO end!-2\n");
7664 			SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
7665 			    sp->sender_all_done,
7666 			    sp->length,
7667 			    sp->msg_is_complete,
7668 			    sp->put_last_out);
7669 		}
7670 		atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7671 		TAILQ_REMOVE(&strq->outqueue, sp, next);
7672 		stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp);
7673 		if ((strq->state == SCTP_STREAM_RESET_PENDING) &&
7674 		    (strq->chunks_on_queues == 0) &&
7675 		    TAILQ_EMPTY(&strq->outqueue)) {
7676 			stcb->asoc.trigger_reset = 1;
7677 		}
7678 		if (sp->net) {
7679 			sctp_free_remote_addr(sp->net);
7680 			sp->net = NULL;
7681 		}
7682 		if (sp->data) {
7683 			sctp_m_freem(sp->data);
7684 			sp->data = NULL;
7685 		}
7686 		sctp_free_a_strmoq(stcb, sp, so_locked);
7687 	}
7688 	asoc->chunks_on_out_queue++;
7689 	strq->chunks_on_queues++;
7690 	TAILQ_INSERT_TAIL(&asoc->send_queue, chk, sctp_next);
7691 	asoc->send_queue_cnt++;
7692 out_of:
7693 	return (to_move);
7694 }
7695 
7696 static void
7697 sctp_fill_outqueue(struct sctp_tcb *stcb, struct sctp_nets *net,
7698     uint32_t frag_point, int eeor_mode, int *quit_now,
7699     int so_locked)
7700 {
7701 	struct sctp_association *asoc;
7702 	struct sctp_stream_out *strq;
7703 	uint32_t space_left, moved, total_moved;
7704 	int bail, giveup;
7705 
7706 	SCTP_TCB_LOCK_ASSERT(stcb);
7707 	asoc = &stcb->asoc;
7708 	total_moved = 0;
7709 	switch (net->ro._l_addr.sa.sa_family) {
7710 #ifdef INET
7711 	case AF_INET:
7712 		space_left = net->mtu - SCTP_MIN_V4_OVERHEAD;
7713 		break;
7714 #endif
7715 #ifdef INET6
7716 	case AF_INET6:
7717 		space_left = net->mtu - SCTP_MIN_OVERHEAD;
7718 		break;
7719 #endif
7720 	default:
7721 		/* TSNH */
7722 		space_left = net->mtu;
7723 		break;
7724 	}
7725 	/* Need an allowance for the data chunk header too */
7726 	space_left -= SCTP_DATA_CHUNK_OVERHEAD(stcb);
7727 
7728 	/* must make even word boundary */
7729 	space_left &= 0xfffffffc;
7730 	strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7731 	giveup = 0;
7732 	bail = 0;
7733 	while ((space_left > 0) && (strq != NULL)) {
7734 		moved = sctp_move_to_outqueue(stcb, net, strq, space_left,
7735 		    frag_point, &giveup, eeor_mode,
7736 		    &bail, so_locked);
7737 		if ((giveup != 0) || (bail != 0)) {
7738 			break;
7739 		}
7740 		strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7741 		total_moved += moved;
7742 		if (space_left >= moved) {
7743 			space_left -= moved;
7744 		} else {
7745 			space_left = 0;
7746 		}
7747 		if (space_left >= SCTP_DATA_CHUNK_OVERHEAD(stcb)) {
7748 			space_left -= SCTP_DATA_CHUNK_OVERHEAD(stcb);
7749 		} else {
7750 			space_left = 0;
7751 		}
7752 		space_left &= 0xfffffffc;
7753 	}
7754 	if (bail != 0)
7755 		*quit_now = 1;
7756 
7757 	stcb->asoc.ss_functions.sctp_ss_packet_done(stcb, net, asoc);
7758 
7759 	if (total_moved == 0) {
7760 		if ((stcb->asoc.sctp_cmt_on_off == 0) &&
7761 		    (net == stcb->asoc.primary_destination)) {
7762 			/* ran dry for primary network net */
7763 			SCTP_STAT_INCR(sctps_primary_randry);
7764 		} else if (stcb->asoc.sctp_cmt_on_off > 0) {
7765 			/* ran dry with CMT on */
7766 			SCTP_STAT_INCR(sctps_cmt_randry);
7767 		}
7768 	}
7769 }
7770 
7771 void
7772 sctp_fix_ecn_echo(struct sctp_association *asoc)
7773 {
7774 	struct sctp_tmit_chunk *chk;
7775 
7776 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7777 		if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
7778 			chk->sent = SCTP_DATAGRAM_UNSENT;
7779 		}
7780 	}
7781 }
7782 
7783 void
7784 sctp_move_chunks_from_net(struct sctp_tcb *stcb, struct sctp_nets *net)
7785 {
7786 	struct sctp_association *asoc;
7787 	struct sctp_tmit_chunk *chk;
7788 	struct sctp_stream_queue_pending *sp;
7789 	unsigned int i;
7790 
7791 	if (net == NULL) {
7792 		return;
7793 	}
7794 	asoc = &stcb->asoc;
7795 	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
7796 		TAILQ_FOREACH(sp, &stcb->asoc.strmout[i].outqueue, next) {
7797 			if (sp->net == net) {
7798 				sctp_free_remote_addr(sp->net);
7799 				sp->net = NULL;
7800 			}
7801 		}
7802 	}
7803 	TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7804 		if (chk->whoTo == net) {
7805 			sctp_free_remote_addr(chk->whoTo);
7806 			chk->whoTo = NULL;
7807 		}
7808 	}
7809 }
7810 
7811 int
7812 sctp_med_chunk_output(struct sctp_inpcb *inp,
7813     struct sctp_tcb *stcb,
7814     struct sctp_association *asoc,
7815     int *num_out,
7816     int *reason_code,
7817     int control_only, int from_where,
7818     struct timeval *now, int *now_filled,
7819     uint32_t frag_point, int so_locked)
7820 {
7821 	/**
7822 	 * Ok this is the generic chunk service queue. we must do the
7823 	 * following:
7824 	 * - Service the stream queue that is next, moving any
7825 	 *   message (note I must get a complete message i.e. FIRST/MIDDLE and
7826 	 *   LAST to the out queue in one pass) and assigning TSN's. This
7827 	 *   only applies though if the peer does not support NDATA. For NDATA
7828 	 *   chunks its ok to not send the entire message ;-)
7829 	 * - Check to see if the cwnd/rwnd allows any output, if so we go ahead and
7830 	 *   formulate and send the low level chunks. Making sure to combine
7831 	 *   any control in the control chunk queue also.
7832 	 */
7833 	struct sctp_nets *net, *start_at, *sack_goes_to = NULL, *old_start_at = NULL;
7834 	struct mbuf *outchain, *endoutchain;
7835 	struct sctp_tmit_chunk *chk, *nchk;
7836 
7837 	/* temp arrays for unlinking */
7838 	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
7839 	int no_fragmentflg, error;
7840 	unsigned int max_rwnd_per_dest, max_send_per_dest;
7841 	int one_chunk, hbflag, skip_data_for_this_net;
7842 	int asconf, cookie, no_out_cnt;
7843 	int bundle_at, ctl_cnt, no_data_chunks, eeor_mode;
7844 	unsigned int mtu, r_mtu, omtu, mx_mtu, to_out;
7845 	int tsns_sent = 0;
7846 	uint32_t auth_offset;
7847 	struct sctp_auth_chunk *auth;
7848 	uint16_t auth_keyid;
7849 	int override_ok = 1;
7850 	int skip_fill_up = 0;
7851 	int data_auth_reqd = 0;
7852 
7853 	/*
7854 	 * JRS 5/14/07 - Add flag for whether a heartbeat is sent to the
7855 	 * destination.
7856 	 */
7857 	int quit_now = 0;
7858 	bool use_zero_crc;
7859 
7860 	*num_out = 0;
7861 	*reason_code = 0;
7862 	auth_keyid = stcb->asoc.authinfo.active_keyid;
7863 	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
7864 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
7865 	    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
7866 		eeor_mode = 1;
7867 	} else {
7868 		eeor_mode = 0;
7869 	}
7870 	ctl_cnt = no_out_cnt = asconf = cookie = 0;
7871 	/*
7872 	 * First lets prime the pump. For each destination, if there is room
7873 	 * in the flight size, attempt to pull an MTU's worth out of the
7874 	 * stream queues into the general send_queue
7875 	 */
7876 #ifdef SCTP_AUDITING_ENABLED
7877 	sctp_audit_log(0xC2, 2);
7878 #endif
7879 	SCTP_TCB_LOCK_ASSERT(stcb);
7880 	hbflag = 0;
7881 	if (control_only)
7882 		no_data_chunks = 1;
7883 	else
7884 		no_data_chunks = 0;
7885 
7886 	/* Nothing to possible to send? */
7887 	if ((TAILQ_EMPTY(&asoc->control_send_queue) ||
7888 	    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) &&
7889 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7890 	    TAILQ_EMPTY(&asoc->send_queue) &&
7891 	    sctp_is_there_unsent_data(stcb, so_locked) == 0) {
7892 nothing_to_send:
7893 		*reason_code = 9;
7894 		return (0);
7895 	}
7896 	if (asoc->peers_rwnd == 0) {
7897 		/* No room in peers rwnd */
7898 		*reason_code = 1;
7899 		if (asoc->total_flight > 0) {
7900 			/* we are allowed one chunk in flight */
7901 			no_data_chunks = 1;
7902 		}
7903 	}
7904 	if (stcb->asoc.ecn_echo_cnt_onq) {
7905 		/* Record where a sack goes, if any */
7906 		if (no_data_chunks &&
7907 		    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) {
7908 			/* Nothing but ECNe to send - we don't do that */
7909 			goto nothing_to_send;
7910 		}
7911 		TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7912 			if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7913 			    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
7914 				sack_goes_to = chk->whoTo;
7915 				break;
7916 			}
7917 		}
7918 	}
7919 	max_rwnd_per_dest = ((asoc->peers_rwnd + asoc->total_flight) / asoc->numnets);
7920 	if (stcb->sctp_socket)
7921 		max_send_per_dest = SCTP_SB_LIMIT_SND(stcb->sctp_socket) / asoc->numnets;
7922 	else
7923 		max_send_per_dest = 0;
7924 	if (no_data_chunks == 0) {
7925 		/* How many non-directed chunks are there? */
7926 		TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7927 			if (chk->whoTo == NULL) {
7928 				/*
7929 				 * We already have non-directed chunks on
7930 				 * the queue, no need to do a fill-up.
7931 				 */
7932 				skip_fill_up = 1;
7933 				break;
7934 			}
7935 		}
7936 	}
7937 	if ((no_data_chunks == 0) &&
7938 	    (skip_fill_up == 0) &&
7939 	    (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc))) {
7940 		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
7941 			/*
7942 			 * This for loop we are in takes in each net, if
7943 			 * its's got space in cwnd and has data sent to it
7944 			 * (when CMT is off) then it calls
7945 			 * sctp_fill_outqueue for the net. This gets data on
7946 			 * the send queue for that network.
7947 			 *
7948 			 * In sctp_fill_outqueue TSN's are assigned and data
7949 			 * is copied out of the stream buffers. Note mostly
7950 			 * copy by reference (we hope).
7951 			 */
7952 			net->window_probe = 0;
7953 			if ((net != stcb->asoc.alternate) &&
7954 			    ((net->dest_state & SCTP_ADDR_PF) ||
7955 			    ((net->dest_state & SCTP_ADDR_REACHABLE) == 0) ||
7956 			    (net->dest_state & SCTP_ADDR_UNCONFIRMED))) {
7957 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7958 					sctp_log_cwnd(stcb, net, 1,
7959 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7960 				}
7961 				continue;
7962 			}
7963 			if ((stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) &&
7964 			    (net->flight_size == 0)) {
7965 				(*stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) (stcb, net);
7966 			}
7967 			if (net->flight_size >= net->cwnd) {
7968 				/* skip this network, no room - can't fill */
7969 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7970 					sctp_log_cwnd(stcb, net, 3,
7971 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7972 				}
7973 				continue;
7974 			}
7975 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7976 				sctp_log_cwnd(stcb, net, 4, SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7977 			}
7978 			sctp_fill_outqueue(stcb, net, frag_point, eeor_mode, &quit_now, so_locked);
7979 			if (quit_now) {
7980 				/* memory alloc failure */
7981 				no_data_chunks = 1;
7982 				break;
7983 			}
7984 		}
7985 	}
7986 	/* now service each destination and send out what we can for it */
7987 	/* Nothing to send? */
7988 	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7989 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7990 	    TAILQ_EMPTY(&asoc->send_queue)) {
7991 		*reason_code = 8;
7992 		return (0);
7993 	}
7994 
7995 	if (asoc->sctp_cmt_on_off > 0) {
7996 		/* get the last start point */
7997 		start_at = asoc->last_net_cmt_send_started;
7998 		if (start_at == NULL) {
7999 			/* null so to beginning */
8000 			start_at = TAILQ_FIRST(&asoc->nets);
8001 		} else {
8002 			start_at = TAILQ_NEXT(asoc->last_net_cmt_send_started, sctp_next);
8003 			if (start_at == NULL) {
8004 				start_at = TAILQ_FIRST(&asoc->nets);
8005 			}
8006 		}
8007 		asoc->last_net_cmt_send_started = start_at;
8008 	} else {
8009 		start_at = TAILQ_FIRST(&asoc->nets);
8010 	}
8011 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8012 		if (chk->whoTo == NULL) {
8013 			if (asoc->alternate) {
8014 				chk->whoTo = asoc->alternate;
8015 			} else {
8016 				chk->whoTo = asoc->primary_destination;
8017 			}
8018 			atomic_add_int(&chk->whoTo->ref_count, 1);
8019 		}
8020 	}
8021 	old_start_at = NULL;
8022 again_one_more_time:
8023 	for (net = start_at; net != NULL; net = TAILQ_NEXT(net, sctp_next)) {
8024 		/* how much can we send? */
8025 		/* SCTPDBG("Examine for sending net:%x\n", (uint32_t)net); */
8026 		if (old_start_at && (old_start_at == net)) {
8027 			/* through list completely. */
8028 			break;
8029 		}
8030 		tsns_sent = 0xa;
8031 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
8032 		    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8033 		    (net->flight_size >= net->cwnd)) {
8034 			/*
8035 			 * Nothing on control or asconf and flight is full,
8036 			 * we can skip even in the CMT case.
8037 			 */
8038 			continue;
8039 		}
8040 		bundle_at = 0;
8041 		endoutchain = outchain = NULL;
8042 		auth = NULL;
8043 		auth_offset = 0;
8044 		no_fragmentflg = 1;
8045 		one_chunk = 0;
8046 		if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
8047 			skip_data_for_this_net = 1;
8048 		} else {
8049 			skip_data_for_this_net = 0;
8050 		}
8051 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8052 #ifdef INET
8053 		case AF_INET:
8054 			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8055 			break;
8056 #endif
8057 #ifdef INET6
8058 		case AF_INET6:
8059 			mtu = net->mtu - SCTP_MIN_OVERHEAD;
8060 			break;
8061 #endif
8062 		default:
8063 			/* TSNH */
8064 			mtu = net->mtu;
8065 			break;
8066 		}
8067 		mx_mtu = mtu;
8068 		to_out = 0;
8069 		if (mtu > asoc->peers_rwnd) {
8070 			if (asoc->total_flight > 0) {
8071 				/* We have a packet in flight somewhere */
8072 				r_mtu = asoc->peers_rwnd;
8073 			} else {
8074 				/* We are always allowed to send one MTU out */
8075 				one_chunk = 1;
8076 				r_mtu = mtu;
8077 			}
8078 		} else {
8079 			r_mtu = mtu;
8080 		}
8081 		error = 0;
8082 		/************************/
8083 		/* ASCONF transmission */
8084 		/************************/
8085 		/* Now first lets go through the asconf queue */
8086 		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
8087 			if (chk->rec.chunk_id.id != SCTP_ASCONF) {
8088 				continue;
8089 			}
8090 			if (chk->whoTo == NULL) {
8091 				if (asoc->alternate == NULL) {
8092 					if (asoc->primary_destination != net) {
8093 						break;
8094 					}
8095 				} else {
8096 					if (asoc->alternate != net) {
8097 						break;
8098 					}
8099 				}
8100 			} else {
8101 				if (chk->whoTo != net) {
8102 					break;
8103 				}
8104 			}
8105 			if (chk->data == NULL) {
8106 				break;
8107 			}
8108 			if (chk->sent != SCTP_DATAGRAM_UNSENT &&
8109 			    chk->sent != SCTP_DATAGRAM_RESEND) {
8110 				break;
8111 			}
8112 			/*
8113 			 * if no AUTH is yet included and this chunk
8114 			 * requires it, make sure to account for it.  We
8115 			 * don't apply the size until the AUTH chunk is
8116 			 * actually added below in case there is no room for
8117 			 * this chunk. NOTE: we overload the use of "omtu"
8118 			 * here
8119 			 */
8120 			if ((auth == NULL) &&
8121 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8122 			    stcb->asoc.peer_auth_chunks)) {
8123 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8124 			} else
8125 				omtu = 0;
8126 			/* Here we do NOT factor the r_mtu */
8127 			if ((chk->send_size < (int)(mtu - omtu)) ||
8128 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8129 				/*
8130 				 * We probably should glom the mbuf chain
8131 				 * from the chk->data for control but the
8132 				 * problem is it becomes yet one more level
8133 				 * of tracking to do if for some reason
8134 				 * output fails. Then I have got to
8135 				 * reconstruct the merged control chain.. el
8136 				 * yucko.. for now we take the easy way and
8137 				 * do the copy
8138 				 */
8139 				/*
8140 				 * Add an AUTH chunk, if chunk requires it
8141 				 * save the offset into the chain for AUTH
8142 				 */
8143 				if ((auth == NULL) &&
8144 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8145 				    stcb->asoc.peer_auth_chunks))) {
8146 					outchain = sctp_add_auth_chunk(outchain,
8147 					    &endoutchain,
8148 					    &auth,
8149 					    &auth_offset,
8150 					    stcb,
8151 					    chk->rec.chunk_id.id);
8152 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8153 				}
8154 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8155 				    (int)chk->rec.chunk_id.can_take_data,
8156 				    chk->send_size, chk->copy_by_ref);
8157 				if (outchain == NULL) {
8158 					*reason_code = 8;
8159 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8160 					return (ENOMEM);
8161 				}
8162 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8163 				/* update our MTU size */
8164 				if (mtu > (chk->send_size + omtu))
8165 					mtu -= (chk->send_size + omtu);
8166 				else
8167 					mtu = 0;
8168 				to_out += (chk->send_size + omtu);
8169 				/* Do clear IP_DF ? */
8170 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8171 					no_fragmentflg = 0;
8172 				}
8173 				if (chk->rec.chunk_id.can_take_data)
8174 					chk->data = NULL;
8175 				/*
8176 				 * set hb flag since we can use these for
8177 				 * RTO
8178 				 */
8179 				hbflag = 1;
8180 				asconf = 1;
8181 				/*
8182 				 * should sysctl this: don't bundle data
8183 				 * with ASCONF since it requires AUTH
8184 				 */
8185 				no_data_chunks = 1;
8186 				chk->sent = SCTP_DATAGRAM_SENT;
8187 				if (chk->whoTo == NULL) {
8188 					chk->whoTo = net;
8189 					atomic_add_int(&net->ref_count, 1);
8190 				}
8191 				chk->snd_count++;
8192 				if (mtu == 0) {
8193 					/*
8194 					 * Ok we are out of room but we can
8195 					 * output without effecting the
8196 					 * flight size since this little guy
8197 					 * is a control only packet.
8198 					 */
8199 					sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8200 					/*
8201 					 * do NOT clear the asconf flag as
8202 					 * it is used to do appropriate
8203 					 * source address selection.
8204 					 */
8205 					if (*now_filled == 0) {
8206 						(void)SCTP_GETTIME_TIMEVAL(now);
8207 						*now_filled = 1;
8208 					}
8209 					net->last_sent_time = *now;
8210 					hbflag = 0;
8211 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8212 					    (struct sockaddr *)&net->ro._l_addr,
8213 					    outchain, auth_offset, auth,
8214 					    stcb->asoc.authinfo.active_keyid,
8215 					    no_fragmentflg, 0, asconf,
8216 					    inp->sctp_lport, stcb->rport,
8217 					    htonl(stcb->asoc.peer_vtag),
8218 					    net->port, NULL,
8219 					    0, 0,
8220 					    false, so_locked))) {
8221 						/*
8222 						 * error, we could not
8223 						 * output
8224 						 */
8225 						SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8226 						if (from_where == 0) {
8227 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8228 						}
8229 						if (error == ENOBUFS) {
8230 							asoc->ifp_had_enobuf = 1;
8231 							SCTP_STAT_INCR(sctps_lowlevelerr);
8232 						}
8233 						/* error, could not output */
8234 						if (error == EHOSTUNREACH) {
8235 							/*
8236 							 * Destination went
8237 							 * unreachable
8238 							 * during this send
8239 							 */
8240 							sctp_move_chunks_from_net(stcb, net);
8241 						}
8242 						asconf = 0;
8243 						*reason_code = 7;
8244 						break;
8245 					} else {
8246 						asoc->ifp_had_enobuf = 0;
8247 					}
8248 					/*
8249 					 * increase the number we sent, if a
8250 					 * cookie is sent we don't tell them
8251 					 * any was sent out.
8252 					 */
8253 					outchain = endoutchain = NULL;
8254 					auth = NULL;
8255 					auth_offset = 0;
8256 					asconf = 0;
8257 					if (!no_out_cnt)
8258 						*num_out += ctl_cnt;
8259 					/* recalc a clean slate and setup */
8260 					switch (net->ro._l_addr.sa.sa_family) {
8261 #ifdef INET
8262 					case AF_INET:
8263 						mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8264 						break;
8265 #endif
8266 #ifdef INET6
8267 					case AF_INET6:
8268 						mtu = net->mtu - SCTP_MIN_OVERHEAD;
8269 						break;
8270 #endif
8271 					default:
8272 						/* TSNH */
8273 						mtu = net->mtu;
8274 						break;
8275 					}
8276 					to_out = 0;
8277 					no_fragmentflg = 1;
8278 				}
8279 			}
8280 		}
8281 		if (error != 0) {
8282 			/* try next net */
8283 			continue;
8284 		}
8285 		/************************/
8286 		/* Control transmission */
8287 		/************************/
8288 		/* Now first lets go through the control queue */
8289 		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
8290 			if ((sack_goes_to) &&
8291 			    (chk->rec.chunk_id.id == SCTP_ECN_ECHO) &&
8292 			    (chk->whoTo != sack_goes_to)) {
8293 				/*
8294 				 * if we have a sack in queue, and we are
8295 				 * looking at an ecn echo that is NOT queued
8296 				 * to where the sack is going..
8297 				 */
8298 				if (chk->whoTo == net) {
8299 					/*
8300 					 * Don't transmit it to where its
8301 					 * going (current net)
8302 					 */
8303 					continue;
8304 				} else if (sack_goes_to == net) {
8305 					/*
8306 					 * But do transmit it to this
8307 					 * address
8308 					 */
8309 					goto skip_net_check;
8310 				}
8311 			}
8312 			if (chk->whoTo == NULL) {
8313 				if (asoc->alternate == NULL) {
8314 					if (asoc->primary_destination != net) {
8315 						continue;
8316 					}
8317 				} else {
8318 					if (asoc->alternate != net) {
8319 						continue;
8320 					}
8321 				}
8322 			} else {
8323 				if (chk->whoTo != net) {
8324 					continue;
8325 				}
8326 			}
8327 	skip_net_check:
8328 			if (chk->data == NULL) {
8329 				continue;
8330 			}
8331 			if (chk->sent != SCTP_DATAGRAM_UNSENT) {
8332 				/*
8333 				 * It must be unsent. Cookies and ASCONF's
8334 				 * hang around but there timers will force
8335 				 * when marked for resend.
8336 				 */
8337 				continue;
8338 			}
8339 			/*
8340 			 * if no AUTH is yet included and this chunk
8341 			 * requires it, make sure to account for it.  We
8342 			 * don't apply the size until the AUTH chunk is
8343 			 * actually added below in case there is no room for
8344 			 * this chunk. NOTE: we overload the use of "omtu"
8345 			 * here
8346 			 */
8347 			if ((auth == NULL) &&
8348 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8349 			    stcb->asoc.peer_auth_chunks)) {
8350 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8351 			} else
8352 				omtu = 0;
8353 			/* Here we do NOT factor the r_mtu */
8354 			if ((chk->send_size <= (int)(mtu - omtu)) ||
8355 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8356 				/*
8357 				 * We probably should glom the mbuf chain
8358 				 * from the chk->data for control but the
8359 				 * problem is it becomes yet one more level
8360 				 * of tracking to do if for some reason
8361 				 * output fails. Then I have got to
8362 				 * reconstruct the merged control chain.. el
8363 				 * yucko.. for now we take the easy way and
8364 				 * do the copy
8365 				 */
8366 				/*
8367 				 * Add an AUTH chunk, if chunk requires it
8368 				 * save the offset into the chain for AUTH
8369 				 */
8370 				if ((auth == NULL) &&
8371 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8372 				    stcb->asoc.peer_auth_chunks))) {
8373 					outchain = sctp_add_auth_chunk(outchain,
8374 					    &endoutchain,
8375 					    &auth,
8376 					    &auth_offset,
8377 					    stcb,
8378 					    chk->rec.chunk_id.id);
8379 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8380 				}
8381 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8382 				    (int)chk->rec.chunk_id.can_take_data,
8383 				    chk->send_size, chk->copy_by_ref);
8384 				if (outchain == NULL) {
8385 					*reason_code = 8;
8386 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8387 					return (ENOMEM);
8388 				}
8389 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8390 				/* update our MTU size */
8391 				if (mtu > (chk->send_size + omtu))
8392 					mtu -= (chk->send_size + omtu);
8393 				else
8394 					mtu = 0;
8395 				to_out += (chk->send_size + omtu);
8396 				/* Do clear IP_DF ? */
8397 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8398 					no_fragmentflg = 0;
8399 				}
8400 				if (chk->rec.chunk_id.can_take_data)
8401 					chk->data = NULL;
8402 				/* Mark things to be removed, if needed */
8403 				if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8404 				    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
8405 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
8406 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
8407 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
8408 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
8409 				    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
8410 				    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
8411 				    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
8412 				    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
8413 				    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
8414 					if (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) {
8415 						hbflag = 1;
8416 					}
8417 					/* remove these chunks at the end */
8418 					if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8419 					    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
8420 						/* turn off the timer */
8421 						if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
8422 							sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
8423 							    inp, stcb, NULL,
8424 							    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_1);
8425 						}
8426 					}
8427 					ctl_cnt++;
8428 				} else {
8429 					/*
8430 					 * Other chunks, since they have
8431 					 * timers running (i.e. COOKIE) we
8432 					 * just "trust" that it gets sent or
8433 					 * retransmitted.
8434 					 */
8435 					ctl_cnt++;
8436 					if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
8437 						cookie = 1;
8438 						no_out_cnt = 1;
8439 					} else if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
8440 						/*
8441 						 * Increment ecne send count
8442 						 * here this means we may be
8443 						 * over-zealous in our
8444 						 * counting if the send
8445 						 * fails, but its the best
8446 						 * place to do it (we used
8447 						 * to do it in the queue of
8448 						 * the chunk, but that did
8449 						 * not tell how many times
8450 						 * it was sent.
8451 						 */
8452 						SCTP_STAT_INCR(sctps_sendecne);
8453 					}
8454 					chk->sent = SCTP_DATAGRAM_SENT;
8455 					if (chk->whoTo == NULL) {
8456 						chk->whoTo = net;
8457 						atomic_add_int(&net->ref_count, 1);
8458 					}
8459 					chk->snd_count++;
8460 				}
8461 				if (mtu == 0) {
8462 					/*
8463 					 * Ok we are out of room but we can
8464 					 * output without effecting the
8465 					 * flight size since this little guy
8466 					 * is a control only packet.
8467 					 */
8468 					switch (asoc->snd_edmid) {
8469 					case SCTP_EDMID_LOWER_LAYER_DTLS:
8470 						use_zero_crc = true;
8471 						break;
8472 					default:
8473 						use_zero_crc = false;
8474 						break;
8475 					}
8476 					if (asconf) {
8477 						sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8478 						use_zero_crc = false;
8479 						/*
8480 						 * do NOT clear the asconf
8481 						 * flag as it is used to do
8482 						 * appropriate source
8483 						 * address selection.
8484 						 */
8485 					}
8486 					if (cookie) {
8487 						sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8488 						use_zero_crc = false;
8489 						cookie = 0;
8490 					}
8491 					/* Only HB or ASCONF advances time */
8492 					if (hbflag) {
8493 						if (*now_filled == 0) {
8494 							(void)SCTP_GETTIME_TIMEVAL(now);
8495 							*now_filled = 1;
8496 						}
8497 						net->last_sent_time = *now;
8498 						hbflag = 0;
8499 					}
8500 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8501 					    (struct sockaddr *)&net->ro._l_addr,
8502 					    outchain,
8503 					    auth_offset, auth,
8504 					    stcb->asoc.authinfo.active_keyid,
8505 					    no_fragmentflg, 0, asconf,
8506 					    inp->sctp_lport, stcb->rport,
8507 					    htonl(stcb->asoc.peer_vtag),
8508 					    net->port, NULL,
8509 					    0, 0,
8510 					    use_zero_crc, so_locked))) {
8511 						/*
8512 						 * error, we could not
8513 						 * output
8514 						 */
8515 						SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8516 						if (from_where == 0) {
8517 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8518 						}
8519 						if (error == ENOBUFS) {
8520 							asoc->ifp_had_enobuf = 1;
8521 							SCTP_STAT_INCR(sctps_lowlevelerr);
8522 						}
8523 						if (error == EHOSTUNREACH) {
8524 							/*
8525 							 * Destination went
8526 							 * unreachable
8527 							 * during this send
8528 							 */
8529 							sctp_move_chunks_from_net(stcb, net);
8530 						}
8531 						asconf = 0;
8532 						*reason_code = 7;
8533 						break;
8534 					} else {
8535 						asoc->ifp_had_enobuf = 0;
8536 					}
8537 					/*
8538 					 * increase the number we sent, if a
8539 					 * cookie is sent we don't tell them
8540 					 * any was sent out.
8541 					 */
8542 					outchain = endoutchain = NULL;
8543 					auth = NULL;
8544 					auth_offset = 0;
8545 					asconf = 0;
8546 					if (!no_out_cnt)
8547 						*num_out += ctl_cnt;
8548 					/* recalc a clean slate and setup */
8549 					switch (net->ro._l_addr.sa.sa_family) {
8550 #ifdef INET
8551 					case AF_INET:
8552 						mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8553 						break;
8554 #endif
8555 #ifdef INET6
8556 					case AF_INET6:
8557 						mtu = net->mtu - SCTP_MIN_OVERHEAD;
8558 						break;
8559 #endif
8560 					default:
8561 						/* TSNH */
8562 						mtu = net->mtu;
8563 						break;
8564 					}
8565 					to_out = 0;
8566 					no_fragmentflg = 1;
8567 				}
8568 			}
8569 		}
8570 		if (error != 0) {
8571 			/* try next net */
8572 			continue;
8573 		}
8574 		/* JRI: if dest is in PF state, do not send data to it */
8575 		if ((asoc->sctp_cmt_on_off > 0) &&
8576 		    (net != stcb->asoc.alternate) &&
8577 		    (net->dest_state & SCTP_ADDR_PF)) {
8578 			goto no_data_fill;
8579 		}
8580 		if (net->flight_size >= net->cwnd) {
8581 			goto no_data_fill;
8582 		}
8583 		if ((asoc->sctp_cmt_on_off > 0) &&
8584 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_RECV_BUFFER_SPLITTING) &&
8585 		    (net->flight_size > max_rwnd_per_dest)) {
8586 			goto no_data_fill;
8587 		}
8588 		/*
8589 		 * We need a specific accounting for the usage of the send
8590 		 * buffer. We also need to check the number of messages per
8591 		 * net. For now, this is better than nothing and it disabled
8592 		 * by default...
8593 		 */
8594 		if ((asoc->sctp_cmt_on_off > 0) &&
8595 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_SEND_BUFFER_SPLITTING) &&
8596 		    (max_send_per_dest > 0) &&
8597 		    (net->flight_size > max_send_per_dest)) {
8598 			goto no_data_fill;
8599 		}
8600 		/*********************/
8601 		/* Data transmission */
8602 		/*********************/
8603 		/*
8604 		 * if AUTH for DATA is required and no AUTH has been added
8605 		 * yet, account for this in the mtu now... if no data can be
8606 		 * bundled, this adjustment won't matter anyways since the
8607 		 * packet will be going out...
8608 		 */
8609 		data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA,
8610 		    stcb->asoc.peer_auth_chunks);
8611 		if (data_auth_reqd && (auth == NULL)) {
8612 			mtu -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8613 		}
8614 		/* now lets add any data within the MTU constraints */
8615 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8616 #ifdef INET
8617 		case AF_INET:
8618 			if (net->mtu > SCTP_MIN_V4_OVERHEAD)
8619 				omtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8620 			else
8621 				omtu = 0;
8622 			break;
8623 #endif
8624 #ifdef INET6
8625 		case AF_INET6:
8626 			if (net->mtu > SCTP_MIN_OVERHEAD)
8627 				omtu = net->mtu - SCTP_MIN_OVERHEAD;
8628 			else
8629 				omtu = 0;
8630 			break;
8631 #endif
8632 		default:
8633 			/* TSNH */
8634 			omtu = 0;
8635 			break;
8636 		}
8637 		if ((((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
8638 		    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
8639 		    (skip_data_for_this_net == 0)) ||
8640 		    (cookie)) {
8641 			TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
8642 				if (no_data_chunks) {
8643 					/* let only control go out */
8644 					*reason_code = 1;
8645 					break;
8646 				}
8647 				if (net->flight_size >= net->cwnd) {
8648 					/* skip this net, no room for data */
8649 					*reason_code = 2;
8650 					break;
8651 				}
8652 				if ((chk->whoTo != NULL) &&
8653 				    (chk->whoTo != net)) {
8654 					/* Don't send the chunk on this net */
8655 					continue;
8656 				}
8657 
8658 				if (asoc->sctp_cmt_on_off == 0) {
8659 					if ((asoc->alternate) &&
8660 					    (asoc->alternate != net) &&
8661 					    (chk->whoTo == NULL)) {
8662 						continue;
8663 					} else if ((net != asoc->primary_destination) &&
8664 						    (asoc->alternate == NULL) &&
8665 					    (chk->whoTo == NULL)) {
8666 						continue;
8667 					}
8668 				}
8669 				if ((chk->send_size > omtu) && ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) == 0)) {
8670 					/*-
8671 					 * strange, we have a chunk that is
8672 					 * to big for its destination and
8673 					 * yet no fragment ok flag.
8674 					 * Something went wrong when the
8675 					 * PMTU changed...we did not mark
8676 					 * this chunk for some reason?? I
8677 					 * will fix it here by letting IP
8678 					 * fragment it for now and printing
8679 					 * a warning. This really should not
8680 					 * happen ...
8681 					 */
8682 					SCTP_PRINTF("Warning chunk of %d bytes > mtu:%d and yet PMTU disc missed\n",
8683 					    chk->send_size, mtu);
8684 					chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
8685 				}
8686 				if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
8687 				    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
8688 					struct sctp_data_chunk *dchkh;
8689 
8690 					dchkh = mtod(chk->data, struct sctp_data_chunk *);
8691 					dchkh->ch.chunk_flags |= SCTP_DATA_SACK_IMMEDIATELY;
8692 				}
8693 				if (((chk->send_size <= mtu) && (chk->send_size <= r_mtu)) ||
8694 				    ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) && (chk->send_size <= asoc->peers_rwnd))) {
8695 					/* ok we will add this one */
8696 
8697 					/*
8698 					 * Add an AUTH chunk, if chunk
8699 					 * requires it, save the offset into
8700 					 * the chain for AUTH
8701 					 */
8702 					if (data_auth_reqd) {
8703 						if (auth == NULL) {
8704 							outchain = sctp_add_auth_chunk(outchain,
8705 							    &endoutchain,
8706 							    &auth,
8707 							    &auth_offset,
8708 							    stcb,
8709 							    SCTP_DATA);
8710 							auth_keyid = chk->auth_keyid;
8711 							override_ok = 0;
8712 							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8713 						} else if (override_ok) {
8714 							/*
8715 							 * use this data's
8716 							 * keyid
8717 							 */
8718 							auth_keyid = chk->auth_keyid;
8719 							override_ok = 0;
8720 						} else if (auth_keyid != chk->auth_keyid) {
8721 							/*
8722 							 * different keyid,
8723 							 * so done bundling
8724 							 */
8725 							break;
8726 						}
8727 					}
8728 					outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain, 0,
8729 					    chk->send_size, chk->copy_by_ref);
8730 					if (outchain == NULL) {
8731 						SCTPDBG(SCTP_DEBUG_OUTPUT3, "No memory?\n");
8732 						if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
8733 							sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8734 						}
8735 						*reason_code = 3;
8736 						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8737 						return (ENOMEM);
8738 					}
8739 					/* update our MTU size */
8740 					/* Do clear IP_DF ? */
8741 					if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8742 						no_fragmentflg = 0;
8743 					}
8744 					/* unsigned subtraction of mtu */
8745 					if (mtu > chk->send_size)
8746 						mtu -= chk->send_size;
8747 					else
8748 						mtu = 0;
8749 					/* unsigned subtraction of r_mtu */
8750 					if (r_mtu > chk->send_size)
8751 						r_mtu -= chk->send_size;
8752 					else
8753 						r_mtu = 0;
8754 
8755 					to_out += chk->send_size;
8756 					if ((to_out > mx_mtu) && no_fragmentflg) {
8757 #ifdef INVARIANTS
8758 						panic("Exceeding mtu of %d out size is %d", mx_mtu, to_out);
8759 #else
8760 						SCTP_PRINTF("Exceeding mtu of %d out size is %d\n",
8761 						    mx_mtu, to_out);
8762 #endif
8763 					}
8764 					chk->window_probe = 0;
8765 					data_list[bundle_at++] = chk;
8766 					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
8767 						break;
8768 					}
8769 					if (chk->sent == SCTP_DATAGRAM_UNSENT) {
8770 						if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
8771 							SCTP_STAT_INCR_COUNTER64(sctps_outorderchunks);
8772 						} else {
8773 							SCTP_STAT_INCR_COUNTER64(sctps_outunorderchunks);
8774 						}
8775 						if (((chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) == SCTP_DATA_LAST_FRAG) &&
8776 						    ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0))
8777 							/*
8778 							 * Count number of
8779 							 * user msg's that
8780 							 * were fragmented
8781 							 * we do this by
8782 							 * counting when we
8783 							 * see a LAST
8784 							 * fragment only.
8785 							 */
8786 							SCTP_STAT_INCR_COUNTER64(sctps_fragusrmsgs);
8787 					}
8788 					if ((mtu == 0) || (r_mtu == 0) || (one_chunk)) {
8789 						if ((one_chunk) && (stcb->asoc.total_flight == 0)) {
8790 							data_list[0]->window_probe = 1;
8791 							net->window_probe = 1;
8792 						}
8793 						break;
8794 					}
8795 				} else {
8796 					/*
8797 					 * Must be sent in order of the
8798 					 * TSN's (on a network)
8799 					 */
8800 					break;
8801 				}
8802 			}	/* for (chunk gather loop for this net) */
8803 		}		/* if asoc.state OPEN */
8804 no_data_fill:
8805 		/* Is there something to send for this destination? */
8806 		if (outchain) {
8807 			switch (asoc->snd_edmid) {
8808 			case SCTP_EDMID_LOWER_LAYER_DTLS:
8809 				use_zero_crc = true;
8810 				break;
8811 			default:
8812 				use_zero_crc = false;
8813 				break;
8814 			}
8815 			/* We may need to start a control timer or two */
8816 			if (asconf) {
8817 				sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp,
8818 				    stcb, net);
8819 				use_zero_crc = false;
8820 				/*
8821 				 * do NOT clear the asconf flag as it is
8822 				 * used to do appropriate source address
8823 				 * selection.
8824 				 */
8825 			}
8826 			if (cookie) {
8827 				sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8828 				use_zero_crc = false;
8829 				cookie = 0;
8830 			}
8831 			/* must start a send timer if data is being sent */
8832 			if (bundle_at && (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
8833 				/*
8834 				 * no timer running on this destination
8835 				 * restart it.
8836 				 */
8837 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8838 			}
8839 			if (bundle_at || hbflag) {
8840 				/* For data/asconf and hb set time */
8841 				if (*now_filled == 0) {
8842 					(void)SCTP_GETTIME_TIMEVAL(now);
8843 					*now_filled = 1;
8844 				}
8845 				net->last_sent_time = *now;
8846 			}
8847 			/* Now send it, if there is anything to send :> */
8848 			if ((error = sctp_lowlevel_chunk_output(inp,
8849 			    stcb,
8850 			    net,
8851 			    (struct sockaddr *)&net->ro._l_addr,
8852 			    outchain,
8853 			    auth_offset,
8854 			    auth,
8855 			    auth_keyid,
8856 			    no_fragmentflg,
8857 			    bundle_at,
8858 			    asconf,
8859 			    inp->sctp_lport, stcb->rport,
8860 			    htonl(stcb->asoc.peer_vtag),
8861 			    net->port, NULL,
8862 			    0, 0,
8863 			    use_zero_crc,
8864 			    so_locked))) {
8865 				/* error, we could not output */
8866 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8867 				if (from_where == 0) {
8868 					SCTP_STAT_INCR(sctps_lowlevelerrusr);
8869 				}
8870 				if (error == ENOBUFS) {
8871 					asoc->ifp_had_enobuf = 1;
8872 					SCTP_STAT_INCR(sctps_lowlevelerr);
8873 				}
8874 				if (error == EHOSTUNREACH) {
8875 					/*
8876 					 * Destination went unreachable
8877 					 * during this send
8878 					 */
8879 					sctp_move_chunks_from_net(stcb, net);
8880 				}
8881 				asconf = 0;
8882 				*reason_code = 6;
8883 				/*-
8884 				 * I add this line to be paranoid. As far as
8885 				 * I can tell the continue, takes us back to
8886 				 * the top of the for, but just to make sure
8887 				 * I will reset these again here.
8888 				 */
8889 				ctl_cnt = 0;
8890 				continue;	/* This takes us back to the
8891 						 * for() for the nets. */
8892 			} else {
8893 				asoc->ifp_had_enobuf = 0;
8894 			}
8895 			endoutchain = NULL;
8896 			auth = NULL;
8897 			auth_offset = 0;
8898 			asconf = 0;
8899 			if (!no_out_cnt) {
8900 				*num_out += (ctl_cnt + bundle_at);
8901 			}
8902 			if (bundle_at) {
8903 				/* setup for a RTO measurement */
8904 				tsns_sent = data_list[0]->rec.data.tsn;
8905 				/* fill time if not already filled */
8906 				if (*now_filled == 0) {
8907 					(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
8908 					*now_filled = 1;
8909 					*now = asoc->time_last_sent;
8910 				} else {
8911 					asoc->time_last_sent = *now;
8912 				}
8913 				if (net->rto_needed) {
8914 					data_list[0]->do_rtt = 1;
8915 					net->rto_needed = 0;
8916 				}
8917 				SCTP_STAT_INCR_BY(sctps_senddata, bundle_at);
8918 				sctp_clean_up_datalist(stcb, asoc, data_list, bundle_at, net);
8919 			}
8920 			if (one_chunk) {
8921 				break;
8922 			}
8923 		}
8924 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8925 			sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_SEND);
8926 		}
8927 	}
8928 	if (old_start_at == NULL) {
8929 		old_start_at = start_at;
8930 		start_at = TAILQ_FIRST(&asoc->nets);
8931 		if (old_start_at)
8932 			goto again_one_more_time;
8933 	}
8934 
8935 	/*
8936 	 * At the end there should be no NON timed chunks hanging on this
8937 	 * queue.
8938 	 */
8939 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8940 		sctp_log_cwnd(stcb, net, *num_out, SCTP_CWND_LOG_FROM_SEND);
8941 	}
8942 	if ((*num_out == 0) && (*reason_code == 0)) {
8943 		*reason_code = 4;
8944 	} else {
8945 		*reason_code = 5;
8946 	}
8947 	sctp_clean_up_ctl(stcb, asoc, so_locked);
8948 	return (0);
8949 }
8950 
8951 void
8952 sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
8953 {
8954 	/*-
8955 	 * Prepend a OPERATIONAL_ERROR chunk header and put on the end of
8956 	 * the control chunk queue.
8957 	 */
8958 	struct sctp_chunkhdr *hdr;
8959 	struct sctp_tmit_chunk *chk;
8960 	struct mbuf *mat, *last_mbuf;
8961 	uint32_t chunk_length;
8962 	uint16_t padding_length;
8963 
8964 	SCTP_TCB_LOCK_ASSERT(stcb);
8965 	SCTP_BUF_PREPEND(op_err, sizeof(struct sctp_chunkhdr), M_NOWAIT);
8966 	if (op_err == NULL) {
8967 		return;
8968 	}
8969 	last_mbuf = NULL;
8970 	chunk_length = 0;
8971 	for (mat = op_err; mat != NULL; mat = SCTP_BUF_NEXT(mat)) {
8972 		chunk_length += SCTP_BUF_LEN(mat);
8973 		if (SCTP_BUF_NEXT(mat) == NULL) {
8974 			last_mbuf = mat;
8975 		}
8976 	}
8977 	if (chunk_length > SCTP_MAX_CHUNK_LENGTH) {
8978 		sctp_m_freem(op_err);
8979 		return;
8980 	}
8981 	padding_length = chunk_length % 4;
8982 	if (padding_length != 0) {
8983 		padding_length = 4 - padding_length;
8984 	}
8985 	if (padding_length != 0) {
8986 		if (sctp_add_pad_tombuf(last_mbuf, padding_length) == NULL) {
8987 			sctp_m_freem(op_err);
8988 			return;
8989 		}
8990 	}
8991 	sctp_alloc_a_chunk(stcb, chk);
8992 	if (chk == NULL) {
8993 		/* no memory */
8994 		sctp_m_freem(op_err);
8995 		return;
8996 	}
8997 	chk->copy_by_ref = 0;
8998 	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
8999 	chk->rec.chunk_id.can_take_data = 0;
9000 	chk->flags = 0;
9001 	chk->send_size = (uint16_t)chunk_length;
9002 	chk->sent = SCTP_DATAGRAM_UNSENT;
9003 	chk->snd_count = 0;
9004 	chk->asoc = &stcb->asoc;
9005 	chk->data = op_err;
9006 	chk->whoTo = NULL;
9007 	hdr = mtod(op_err, struct sctp_chunkhdr *);
9008 	hdr->chunk_type = SCTP_OPERATION_ERROR;
9009 	hdr->chunk_flags = 0;
9010 	hdr->chunk_length = htons(chk->send_size);
9011 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9012 	chk->asoc->ctrl_queue_cnt++;
9013 }
9014 
9015 int
9016 sctp_send_cookie_echo(struct mbuf *m,
9017     int offset, int limit,
9018     struct sctp_tcb *stcb,
9019     struct sctp_nets *net)
9020 {
9021 	/*-
9022 	 * pull out the cookie and put it at the front of the control chunk
9023 	 * queue.
9024 	 */
9025 	int at;
9026 	struct mbuf *cookie;
9027 	struct sctp_paramhdr param, *phdr;
9028 	struct sctp_chunkhdr *hdr;
9029 	struct sctp_tmit_chunk *chk;
9030 	uint16_t ptype, plen;
9031 
9032 	SCTP_TCB_LOCK_ASSERT(stcb);
9033 	/* First find the cookie in the param area */
9034 	cookie = NULL;
9035 	at = offset + sizeof(struct sctp_init_chunk);
9036 	for (;;) {
9037 		phdr = sctp_get_next_param(m, at, &param, sizeof(param));
9038 		if (phdr == NULL) {
9039 			return (-3);
9040 		}
9041 		ptype = ntohs(phdr->param_type);
9042 		plen = ntohs(phdr->param_length);
9043 		if (plen < sizeof(struct sctp_paramhdr)) {
9044 			return (-6);
9045 		}
9046 		if (ptype == SCTP_STATE_COOKIE) {
9047 			int pad;
9048 
9049 			/* found the cookie */
9050 			if (at + plen > limit) {
9051 				return (-7);
9052 			}
9053 			cookie = SCTP_M_COPYM(m, at, plen, M_NOWAIT);
9054 			if (cookie == NULL) {
9055 				/* No memory */
9056 				return (-2);
9057 			}
9058 			if ((pad = (plen % 4)) > 0) {
9059 				pad = 4 - pad;
9060 			}
9061 			if (pad > 0) {
9062 				if (sctp_pad_lastmbuf(cookie, pad, NULL) == NULL) {
9063 					return (-8);
9064 				}
9065 			}
9066 #ifdef SCTP_MBUF_LOGGING
9067 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9068 				sctp_log_mbc(cookie, SCTP_MBUF_ICOPY);
9069 			}
9070 #endif
9071 			break;
9072 		}
9073 		at += SCTP_SIZE32(plen);
9074 	}
9075 	/* ok, we got the cookie lets change it into a cookie echo chunk */
9076 	/* first the change from param to cookie */
9077 	hdr = mtod(cookie, struct sctp_chunkhdr *);
9078 	hdr->chunk_type = SCTP_COOKIE_ECHO;
9079 	hdr->chunk_flags = 0;
9080 	/* get the chunk stuff now and place it in the FRONT of the queue */
9081 	sctp_alloc_a_chunk(stcb, chk);
9082 	if (chk == NULL) {
9083 		/* no memory */
9084 		sctp_m_freem(cookie);
9085 		return (-5);
9086 	}
9087 	chk->copy_by_ref = 0;
9088 	chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
9089 	chk->rec.chunk_id.can_take_data = 0;
9090 	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9091 	chk->send_size = SCTP_SIZE32(plen);
9092 	chk->sent = SCTP_DATAGRAM_UNSENT;
9093 	chk->snd_count = 0;
9094 	chk->asoc = &stcb->asoc;
9095 	chk->data = cookie;
9096 	chk->whoTo = net;
9097 	atomic_add_int(&chk->whoTo->ref_count, 1);
9098 	TAILQ_INSERT_HEAD(&chk->asoc->control_send_queue, chk, sctp_next);
9099 	chk->asoc->ctrl_queue_cnt++;
9100 	return (0);
9101 }
9102 
9103 void
9104 sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
9105     struct mbuf *m,
9106     int offset,
9107     int chk_length,
9108     struct sctp_nets *net)
9109 {
9110 	/*
9111 	 * take a HB request and make it into a HB ack and send it.
9112 	 */
9113 	struct mbuf *outchain;
9114 	struct sctp_chunkhdr *chdr;
9115 	struct sctp_tmit_chunk *chk;
9116 
9117 	if (net == NULL)
9118 		/* must have a net pointer */
9119 		return;
9120 
9121 	outchain = SCTP_M_COPYM(m, offset, chk_length, M_NOWAIT);
9122 	if (outchain == NULL) {
9123 		/* gak out of memory */
9124 		return;
9125 	}
9126 #ifdef SCTP_MBUF_LOGGING
9127 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9128 		sctp_log_mbc(outchain, SCTP_MBUF_ICOPY);
9129 	}
9130 #endif
9131 	chdr = mtod(outchain, struct sctp_chunkhdr *);
9132 	chdr->chunk_type = SCTP_HEARTBEAT_ACK;
9133 	chdr->chunk_flags = 0;
9134 	if (chk_length % 4 != 0) {
9135 		sctp_pad_lastmbuf(outchain, 4 - (chk_length % 4), NULL);
9136 	}
9137 	sctp_alloc_a_chunk(stcb, chk);
9138 	if (chk == NULL) {
9139 		/* no memory */
9140 		sctp_m_freem(outchain);
9141 		return;
9142 	}
9143 	chk->copy_by_ref = 0;
9144 	chk->rec.chunk_id.id = SCTP_HEARTBEAT_ACK;
9145 	chk->rec.chunk_id.can_take_data = 1;
9146 	chk->flags = 0;
9147 	chk->send_size = chk_length;
9148 	chk->sent = SCTP_DATAGRAM_UNSENT;
9149 	chk->snd_count = 0;
9150 	chk->asoc = &stcb->asoc;
9151 	chk->data = outchain;
9152 	chk->whoTo = net;
9153 	atomic_add_int(&chk->whoTo->ref_count, 1);
9154 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9155 	chk->asoc->ctrl_queue_cnt++;
9156 }
9157 
9158 void
9159 sctp_send_cookie_ack(struct sctp_tcb *stcb)
9160 {
9161 	/* formulate and queue a cookie-ack back to sender */
9162 	struct mbuf *cookie_ack;
9163 	struct sctp_chunkhdr *hdr;
9164 	struct sctp_tmit_chunk *chk;
9165 
9166 	SCTP_TCB_LOCK_ASSERT(stcb);
9167 
9168 	cookie_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
9169 	if (cookie_ack == NULL) {
9170 		/* no mbuf's */
9171 		return;
9172 	}
9173 	SCTP_BUF_RESV_UF(cookie_ack, SCTP_MIN_OVERHEAD);
9174 	sctp_alloc_a_chunk(stcb, chk);
9175 	if (chk == NULL) {
9176 		/* no memory */
9177 		sctp_m_freem(cookie_ack);
9178 		return;
9179 	}
9180 	chk->copy_by_ref = 0;
9181 	chk->rec.chunk_id.id = SCTP_COOKIE_ACK;
9182 	chk->rec.chunk_id.can_take_data = 1;
9183 	chk->flags = 0;
9184 	chk->send_size = sizeof(struct sctp_chunkhdr);
9185 	chk->sent = SCTP_DATAGRAM_UNSENT;
9186 	chk->snd_count = 0;
9187 	chk->asoc = &stcb->asoc;
9188 	chk->data = cookie_ack;
9189 	if (chk->asoc->last_control_chunk_from != NULL) {
9190 		chk->whoTo = chk->asoc->last_control_chunk_from;
9191 		atomic_add_int(&chk->whoTo->ref_count, 1);
9192 	} else {
9193 		chk->whoTo = NULL;
9194 	}
9195 	hdr = mtod(cookie_ack, struct sctp_chunkhdr *);
9196 	hdr->chunk_type = SCTP_COOKIE_ACK;
9197 	hdr->chunk_flags = 0;
9198 	hdr->chunk_length = htons(chk->send_size);
9199 	SCTP_BUF_LEN(cookie_ack) = chk->send_size;
9200 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9201 	chk->asoc->ctrl_queue_cnt++;
9202 	return;
9203 }
9204 
9205 void
9206 sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct sctp_nets *net)
9207 {
9208 	/* formulate and queue a SHUTDOWN-ACK back to the sender */
9209 	struct mbuf *m_shutdown_ack;
9210 	struct sctp_shutdown_ack_chunk *ack_cp;
9211 	struct sctp_tmit_chunk *chk;
9212 
9213 	m_shutdown_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_ack_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9214 	if (m_shutdown_ack == NULL) {
9215 		/* no mbuf's */
9216 		return;
9217 	}
9218 	SCTP_BUF_RESV_UF(m_shutdown_ack, SCTP_MIN_OVERHEAD);
9219 	sctp_alloc_a_chunk(stcb, chk);
9220 	if (chk == NULL) {
9221 		/* no memory */
9222 		sctp_m_freem(m_shutdown_ack);
9223 		return;
9224 	}
9225 	chk->copy_by_ref = 0;
9226 	chk->rec.chunk_id.id = SCTP_SHUTDOWN_ACK;
9227 	chk->rec.chunk_id.can_take_data = 1;
9228 	chk->flags = 0;
9229 	chk->send_size = sizeof(struct sctp_chunkhdr);
9230 	chk->sent = SCTP_DATAGRAM_UNSENT;
9231 	chk->snd_count = 0;
9232 	chk->asoc = &stcb->asoc;
9233 	chk->data = m_shutdown_ack;
9234 	chk->whoTo = net;
9235 	if (chk->whoTo) {
9236 		atomic_add_int(&chk->whoTo->ref_count, 1);
9237 	}
9238 	ack_cp = mtod(m_shutdown_ack, struct sctp_shutdown_ack_chunk *);
9239 	ack_cp->ch.chunk_type = SCTP_SHUTDOWN_ACK;
9240 	ack_cp->ch.chunk_flags = 0;
9241 	ack_cp->ch.chunk_length = htons(chk->send_size);
9242 	SCTP_BUF_LEN(m_shutdown_ack) = chk->send_size;
9243 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9244 	chk->asoc->ctrl_queue_cnt++;
9245 	return;
9246 }
9247 
9248 void
9249 sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_nets *net)
9250 {
9251 	/* formulate and queue a SHUTDOWN to the sender */
9252 	struct mbuf *m_shutdown;
9253 	struct sctp_shutdown_chunk *shutdown_cp;
9254 	struct sctp_tmit_chunk *chk;
9255 
9256 	TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
9257 		if (chk->rec.chunk_id.id == SCTP_SHUTDOWN) {
9258 			/* We already have a SHUTDOWN queued. Reuse it. */
9259 			if (chk->whoTo) {
9260 				sctp_free_remote_addr(chk->whoTo);
9261 				chk->whoTo = NULL;
9262 			}
9263 			break;
9264 		}
9265 	}
9266 	if (chk == NULL) {
9267 		m_shutdown = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9268 		if (m_shutdown == NULL) {
9269 			/* no mbuf's */
9270 			return;
9271 		}
9272 		SCTP_BUF_RESV_UF(m_shutdown, SCTP_MIN_OVERHEAD);
9273 		sctp_alloc_a_chunk(stcb, chk);
9274 		if (chk == NULL) {
9275 			/* no memory */
9276 			sctp_m_freem(m_shutdown);
9277 			return;
9278 		}
9279 		chk->copy_by_ref = 0;
9280 		chk->rec.chunk_id.id = SCTP_SHUTDOWN;
9281 		chk->rec.chunk_id.can_take_data = 1;
9282 		chk->flags = 0;
9283 		chk->send_size = sizeof(struct sctp_shutdown_chunk);
9284 		chk->sent = SCTP_DATAGRAM_UNSENT;
9285 		chk->snd_count = 0;
9286 		chk->asoc = &stcb->asoc;
9287 		chk->data = m_shutdown;
9288 		chk->whoTo = net;
9289 		if (chk->whoTo) {
9290 			atomic_add_int(&chk->whoTo->ref_count, 1);
9291 		}
9292 		shutdown_cp = mtod(m_shutdown, struct sctp_shutdown_chunk *);
9293 		shutdown_cp->ch.chunk_type = SCTP_SHUTDOWN;
9294 		shutdown_cp->ch.chunk_flags = 0;
9295 		shutdown_cp->ch.chunk_length = htons(chk->send_size);
9296 		shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
9297 		SCTP_BUF_LEN(m_shutdown) = chk->send_size;
9298 		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9299 		chk->asoc->ctrl_queue_cnt++;
9300 	} else {
9301 		TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, sctp_next);
9302 		chk->whoTo = net;
9303 		if (chk->whoTo) {
9304 			atomic_add_int(&chk->whoTo->ref_count, 1);
9305 		}
9306 		shutdown_cp = mtod(chk->data, struct sctp_shutdown_chunk *);
9307 		shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
9308 		TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
9309 	}
9310 	return;
9311 }
9312 
9313 void
9314 sctp_send_asconf(struct sctp_tcb *stcb, struct sctp_nets *net, int addr_locked)
9315 {
9316 	/*
9317 	 * formulate and queue an ASCONF to the peer. ASCONF parameters
9318 	 * should be queued on the assoc queue.
9319 	 */
9320 	struct sctp_tmit_chunk *chk;
9321 	struct mbuf *m_asconf;
9322 	int len;
9323 
9324 	SCTP_TCB_LOCK_ASSERT(stcb);
9325 
9326 	if ((!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue)) &&
9327 	    (!sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS))) {
9328 		/* can't send a new one if there is one in flight already */
9329 		return;
9330 	}
9331 
9332 	/* compose an ASCONF chunk, maximum length is PMTU */
9333 	m_asconf = sctp_compose_asconf(stcb, &len, addr_locked);
9334 	if (m_asconf == NULL) {
9335 		return;
9336 	}
9337 
9338 	sctp_alloc_a_chunk(stcb, chk);
9339 	if (chk == NULL) {
9340 		/* no memory */
9341 		sctp_m_freem(m_asconf);
9342 		return;
9343 	}
9344 
9345 	chk->copy_by_ref = 0;
9346 	chk->rec.chunk_id.id = SCTP_ASCONF;
9347 	chk->rec.chunk_id.can_take_data = 0;
9348 	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9349 	chk->data = m_asconf;
9350 	chk->send_size = len;
9351 	chk->sent = SCTP_DATAGRAM_UNSENT;
9352 	chk->snd_count = 0;
9353 	chk->asoc = &stcb->asoc;
9354 	chk->whoTo = net;
9355 	if (chk->whoTo) {
9356 		atomic_add_int(&chk->whoTo->ref_count, 1);
9357 	}
9358 	TAILQ_INSERT_TAIL(&chk->asoc->asconf_send_queue, chk, sctp_next);
9359 	chk->asoc->ctrl_queue_cnt++;
9360 	return;
9361 }
9362 
9363 void
9364 sctp_send_asconf_ack(struct sctp_tcb *stcb)
9365 {
9366 	/*
9367 	 * formulate and queue a asconf-ack back to sender. the asconf-ack
9368 	 * must be stored in the tcb.
9369 	 */
9370 	struct sctp_tmit_chunk *chk;
9371 	struct sctp_asconf_ack *ack, *latest_ack;
9372 	struct mbuf *m_ack;
9373 	struct sctp_nets *net = NULL;
9374 
9375 	SCTP_TCB_LOCK_ASSERT(stcb);
9376 	/* Get the latest ASCONF-ACK */
9377 	latest_ack = TAILQ_LAST(&stcb->asoc.asconf_ack_sent, sctp_asconf_ackhead);
9378 	if (latest_ack == NULL) {
9379 		return;
9380 	}
9381 	if (latest_ack->last_sent_to != NULL &&
9382 	    latest_ack->last_sent_to == stcb->asoc.last_control_chunk_from) {
9383 		/* we're doing a retransmission */
9384 		net = sctp_find_alternate_net(stcb, stcb->asoc.last_control_chunk_from, 0);
9385 		if (net == NULL) {
9386 			/* no alternate */
9387 			if (stcb->asoc.last_control_chunk_from == NULL) {
9388 				if (stcb->asoc.alternate) {
9389 					net = stcb->asoc.alternate;
9390 				} else {
9391 					net = stcb->asoc.primary_destination;
9392 				}
9393 			} else {
9394 				net = stcb->asoc.last_control_chunk_from;
9395 			}
9396 		}
9397 	} else {
9398 		/* normal case */
9399 		if (stcb->asoc.last_control_chunk_from == NULL) {
9400 			if (stcb->asoc.alternate) {
9401 				net = stcb->asoc.alternate;
9402 			} else {
9403 				net = stcb->asoc.primary_destination;
9404 			}
9405 		} else {
9406 			net = stcb->asoc.last_control_chunk_from;
9407 		}
9408 	}
9409 	latest_ack->last_sent_to = net;
9410 
9411 	TAILQ_FOREACH(ack, &stcb->asoc.asconf_ack_sent, next) {
9412 		if (ack->data == NULL) {
9413 			continue;
9414 		}
9415 
9416 		/* copy the asconf_ack */
9417 		m_ack = SCTP_M_COPYM(ack->data, 0, M_COPYALL, M_NOWAIT);
9418 		if (m_ack == NULL) {
9419 			/* couldn't copy it */
9420 			return;
9421 		}
9422 #ifdef SCTP_MBUF_LOGGING
9423 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9424 			sctp_log_mbc(m_ack, SCTP_MBUF_ICOPY);
9425 		}
9426 #endif
9427 
9428 		sctp_alloc_a_chunk(stcb, chk);
9429 		if (chk == NULL) {
9430 			/* no memory */
9431 			if (m_ack)
9432 				sctp_m_freem(m_ack);
9433 			return;
9434 		}
9435 		chk->copy_by_ref = 0;
9436 		chk->rec.chunk_id.id = SCTP_ASCONF_ACK;
9437 		chk->rec.chunk_id.can_take_data = 1;
9438 		chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9439 		chk->whoTo = net;
9440 		if (chk->whoTo) {
9441 			atomic_add_int(&chk->whoTo->ref_count, 1);
9442 		}
9443 		chk->data = m_ack;
9444 		chk->send_size = ack->len;
9445 		chk->sent = SCTP_DATAGRAM_UNSENT;
9446 		chk->snd_count = 0;
9447 		chk->asoc = &stcb->asoc;
9448 
9449 		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9450 		chk->asoc->ctrl_queue_cnt++;
9451 	}
9452 	return;
9453 }
9454 
9455 static int
9456 sctp_chunk_retransmission(struct sctp_inpcb *inp,
9457     struct sctp_tcb *stcb,
9458     struct sctp_association *asoc,
9459     int *cnt_out, struct timeval *now, int *now_filled, int *fr_done, int so_locked)
9460 {
9461 	/*-
9462 	 * send out one MTU of retransmission. If fast_retransmit is
9463 	 * happening we ignore the cwnd. Otherwise we obey the cwnd and
9464 	 * rwnd. For a Cookie or Asconf in the control chunk queue we
9465 	 * retransmit them by themselves.
9466 	 *
9467 	 * For data chunks we will pick out the lowest TSN's in the sent_queue
9468 	 * marked for resend and bundle them all together (up to a MTU of
9469 	 * destination). The address to send to should have been
9470 	 * selected/changed where the retransmission was marked (i.e. in FR
9471 	 * or t3-timeout routines).
9472 	 */
9473 	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
9474 	struct sctp_tmit_chunk *chk, *fwd;
9475 	struct mbuf *m, *endofchain;
9476 	struct sctp_nets *net = NULL;
9477 	uint32_t tsns_sent = 0;
9478 	int no_fragmentflg, bundle_at;
9479 	unsigned int mtu;
9480 	int error, i, one_chunk, fwd_tsn, ctl_cnt, tmr_started;
9481 	struct sctp_auth_chunk *auth = NULL;
9482 	uint32_t auth_offset = 0;
9483 	uint16_t auth_keyid;
9484 	int override_ok = 1;
9485 	int data_auth_reqd = 0;
9486 	uint32_t dmtu = 0;
9487 	bool use_zero_crc;
9488 
9489 	SCTP_TCB_LOCK_ASSERT(stcb);
9490 	tmr_started = ctl_cnt = 0;
9491 	no_fragmentflg = 1;
9492 	fwd_tsn = 0;
9493 	*cnt_out = 0;
9494 	fwd = NULL;
9495 	endofchain = m = NULL;
9496 	auth_keyid = stcb->asoc.authinfo.active_keyid;
9497 #ifdef SCTP_AUDITING_ENABLED
9498 	sctp_audit_log(0xC3, 1);
9499 #endif
9500 	if ((TAILQ_EMPTY(&asoc->sent_queue)) &&
9501 	    (TAILQ_EMPTY(&asoc->control_send_queue))) {
9502 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "SCTP hits empty queue with cnt set to %d?\n",
9503 		    asoc->sent_queue_retran_cnt);
9504 		asoc->sent_queue_cnt = 0;
9505 		asoc->sent_queue_cnt_removeable = 0;
9506 		/* send back 0/0 so we enter normal transmission */
9507 		*cnt_out = 0;
9508 		return (0);
9509 	}
9510 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9511 		if ((chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) ||
9512 		    (chk->rec.chunk_id.id == SCTP_STREAM_RESET) ||
9513 		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)) {
9514 			if (chk->sent != SCTP_DATAGRAM_RESEND) {
9515 				continue;
9516 			}
9517 			if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
9518 				if (chk != asoc->str_reset) {
9519 					/*
9520 					 * not eligible for retran if its
9521 					 * not ours
9522 					 */
9523 					continue;
9524 				}
9525 			}
9526 			ctl_cnt++;
9527 			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
9528 				fwd_tsn = 1;
9529 			}
9530 			/*
9531 			 * Add an AUTH chunk, if chunk requires it save the
9532 			 * offset into the chain for AUTH
9533 			 */
9534 			if ((auth == NULL) &&
9535 			    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
9536 			    stcb->asoc.peer_auth_chunks))) {
9537 				m = sctp_add_auth_chunk(m, &endofchain,
9538 				    &auth, &auth_offset,
9539 				    stcb,
9540 				    chk->rec.chunk_id.id);
9541 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9542 			}
9543 			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9544 			break;
9545 		}
9546 	}
9547 	one_chunk = 0;
9548 	/* do we have control chunks to retransmit? */
9549 	if (m != NULL) {
9550 		/* Start a timer no matter if we succeed or fail */
9551 		switch (asoc->snd_edmid) {
9552 		case SCTP_EDMID_LOWER_LAYER_DTLS:
9553 			use_zero_crc = true;
9554 			break;
9555 		default:
9556 			use_zero_crc = false;
9557 			break;
9558 		}
9559 		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
9560 			sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, chk->whoTo);
9561 			use_zero_crc = false;
9562 		} else if (chk->rec.chunk_id.id == SCTP_ASCONF) {
9563 			/* XXXMT: Can this happen? */
9564 			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, chk->whoTo);
9565 			use_zero_crc = false;
9566 		}
9567 		chk->snd_count++;	/* update our count */
9568 		if ((error = sctp_lowlevel_chunk_output(inp, stcb, chk->whoTo,
9569 		    (struct sockaddr *)&chk->whoTo->ro._l_addr, m,
9570 		    auth_offset, auth, stcb->asoc.authinfo.active_keyid,
9571 		    no_fragmentflg, 0, 0,
9572 		    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9573 		    chk->whoTo->port, NULL,
9574 		    0, 0,
9575 		    use_zero_crc,
9576 		    so_locked))) {
9577 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
9578 			if (error == ENOBUFS) {
9579 				asoc->ifp_had_enobuf = 1;
9580 				SCTP_STAT_INCR(sctps_lowlevelerr);
9581 			}
9582 			return (error);
9583 		} else {
9584 			asoc->ifp_had_enobuf = 0;
9585 		}
9586 		endofchain = NULL;
9587 		auth = NULL;
9588 		auth_offset = 0;
9589 		/*
9590 		 * We don't want to mark the net->sent time here since this
9591 		 * we use this for HB and retrans cannot measure RTT
9592 		 */
9593 		/* (void)SCTP_GETTIME_TIMEVAL(&chk->whoTo->last_sent_time); */
9594 		*cnt_out += 1;
9595 		chk->sent = SCTP_DATAGRAM_SENT;
9596 		sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
9597 		if (fwd_tsn == 0) {
9598 			return (0);
9599 		} else {
9600 			/* Clean up the fwd-tsn list */
9601 			sctp_clean_up_ctl(stcb, asoc, so_locked);
9602 			return (0);
9603 		}
9604 	}
9605 	/*
9606 	 * Ok, it is just data retransmission we need to do or that and a
9607 	 * fwd-tsn with it all.
9608 	 */
9609 	if (TAILQ_EMPTY(&asoc->sent_queue)) {
9610 		return (SCTP_RETRAN_DONE);
9611 	}
9612 	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED) ||
9613 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT)) {
9614 		/* not yet open, resend the cookie and that is it */
9615 		return (1);
9616 	}
9617 #ifdef SCTP_AUDITING_ENABLED
9618 	sctp_auditing(20, inp, stcb, NULL);
9619 #endif
9620 	data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks);
9621 	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
9622 		if (chk->sent != SCTP_DATAGRAM_RESEND) {
9623 			/* No, not sent to this net or not ready for rtx */
9624 			continue;
9625 		}
9626 		if (chk->data == NULL) {
9627 			SCTP_PRINTF("TSN:%x chk->snd_count:%d chk->sent:%d can't retran - no data\n",
9628 			    chk->rec.data.tsn, chk->snd_count, chk->sent);
9629 			continue;
9630 		}
9631 		if ((SCTP_BASE_SYSCTL(sctp_max_retran_chunk)) &&
9632 		    (chk->snd_count >= SCTP_BASE_SYSCTL(sctp_max_retran_chunk))) {
9633 			struct mbuf *op_err;
9634 			char msg[SCTP_DIAG_INFO_LEN];
9635 
9636 			SCTP_SNPRINTF(msg, sizeof(msg), "TSN %8.8x retransmitted %d times, giving up",
9637 			    chk->rec.data.tsn, chk->snd_count);
9638 			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
9639 			    msg);
9640 			atomic_add_int(&stcb->asoc.refcnt, 1);
9641 			sctp_abort_an_association(stcb->sctp_ep, stcb, op_err,
9642 			    false, so_locked);
9643 			SCTP_TCB_LOCK(stcb);
9644 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
9645 			return (SCTP_RETRAN_EXIT);
9646 		}
9647 		/* pick up the net */
9648 		net = chk->whoTo;
9649 		switch (net->ro._l_addr.sa.sa_family) {
9650 #ifdef INET
9651 		case AF_INET:
9652 			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
9653 			break;
9654 #endif
9655 #ifdef INET6
9656 		case AF_INET6:
9657 			mtu = net->mtu - SCTP_MIN_OVERHEAD;
9658 			break;
9659 #endif
9660 		default:
9661 			/* TSNH */
9662 			mtu = net->mtu;
9663 			break;
9664 		}
9665 
9666 		if ((asoc->peers_rwnd < mtu) && (asoc->total_flight > 0)) {
9667 			/* No room in peers rwnd */
9668 			uint32_t tsn;
9669 
9670 			tsn = asoc->last_acked_seq + 1;
9671 			if (tsn == chk->rec.data.tsn) {
9672 				/*
9673 				 * we make a special exception for this
9674 				 * case. The peer has no rwnd but is missing
9675 				 * the lowest chunk.. which is probably what
9676 				 * is holding up the rwnd.
9677 				 */
9678 				goto one_chunk_around;
9679 			}
9680 			return (1);
9681 		}
9682 one_chunk_around:
9683 		if (asoc->peers_rwnd < mtu) {
9684 			one_chunk = 1;
9685 			if ((asoc->peers_rwnd == 0) &&
9686 			    (asoc->total_flight == 0)) {
9687 				chk->window_probe = 1;
9688 				chk->whoTo->window_probe = 1;
9689 			}
9690 		}
9691 #ifdef SCTP_AUDITING_ENABLED
9692 		sctp_audit_log(0xC3, 2);
9693 #endif
9694 		bundle_at = 0;
9695 		m = NULL;
9696 		net->fast_retran_ip = 0;
9697 		if (chk->rec.data.doing_fast_retransmit == 0) {
9698 			/*
9699 			 * if no FR in progress skip destination that have
9700 			 * flight_size > cwnd.
9701 			 */
9702 			if (net->flight_size >= net->cwnd) {
9703 				continue;
9704 			}
9705 		} else {
9706 			/*
9707 			 * Mark the destination net to have FR recovery
9708 			 * limits put on it.
9709 			 */
9710 			*fr_done = 1;
9711 			net->fast_retran_ip = 1;
9712 		}
9713 
9714 		/*
9715 		 * if no AUTH is yet included and this chunk requires it,
9716 		 * make sure to account for it.  We don't apply the size
9717 		 * until the AUTH chunk is actually added below in case
9718 		 * there is no room for this chunk.
9719 		 */
9720 		if (data_auth_reqd && (auth == NULL)) {
9721 			dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9722 		} else
9723 			dmtu = 0;
9724 
9725 		if ((chk->send_size <= (mtu - dmtu)) ||
9726 		    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
9727 			/* ok we will add this one */
9728 			if (data_auth_reqd) {
9729 				if (auth == NULL) {
9730 					m = sctp_add_auth_chunk(m,
9731 					    &endofchain,
9732 					    &auth,
9733 					    &auth_offset,
9734 					    stcb,
9735 					    SCTP_DATA);
9736 					auth_keyid = chk->auth_keyid;
9737 					override_ok = 0;
9738 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9739 				} else if (override_ok) {
9740 					auth_keyid = chk->auth_keyid;
9741 					override_ok = 0;
9742 				} else if (chk->auth_keyid != auth_keyid) {
9743 					/* different keyid, so done bundling */
9744 					break;
9745 				}
9746 			}
9747 			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9748 			if (m == NULL) {
9749 				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9750 				return (ENOMEM);
9751 			}
9752 			/* Do clear IP_DF ? */
9753 			if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9754 				no_fragmentflg = 0;
9755 			}
9756 			/* update our MTU size */
9757 			if (mtu > (chk->send_size + dmtu))
9758 				mtu -= (chk->send_size + dmtu);
9759 			else
9760 				mtu = 0;
9761 			data_list[bundle_at++] = chk;
9762 			if (one_chunk && (asoc->total_flight <= 0)) {
9763 				SCTP_STAT_INCR(sctps_windowprobed);
9764 			}
9765 		}
9766 		if (one_chunk == 0) {
9767 			/*
9768 			 * now are there anymore forward from chk to pick
9769 			 * up?
9770 			 */
9771 			for (fwd = TAILQ_NEXT(chk, sctp_next); fwd != NULL; fwd = TAILQ_NEXT(fwd, sctp_next)) {
9772 				if (fwd->sent != SCTP_DATAGRAM_RESEND) {
9773 					/* Nope, not for retran */
9774 					continue;
9775 				}
9776 				if (fwd->whoTo != net) {
9777 					/* Nope, not the net in question */
9778 					continue;
9779 				}
9780 				if (data_auth_reqd && (auth == NULL)) {
9781 					dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9782 				} else
9783 					dmtu = 0;
9784 				if (fwd->send_size <= (mtu - dmtu)) {
9785 					if (data_auth_reqd) {
9786 						if (auth == NULL) {
9787 							m = sctp_add_auth_chunk(m,
9788 							    &endofchain,
9789 							    &auth,
9790 							    &auth_offset,
9791 							    stcb,
9792 							    SCTP_DATA);
9793 							auth_keyid = fwd->auth_keyid;
9794 							override_ok = 0;
9795 							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9796 						} else if (override_ok) {
9797 							auth_keyid = fwd->auth_keyid;
9798 							override_ok = 0;
9799 						} else if (fwd->auth_keyid != auth_keyid) {
9800 							/*
9801 							 * different keyid,
9802 							 * so done bundling
9803 							 */
9804 							break;
9805 						}
9806 					}
9807 					m = sctp_copy_mbufchain(fwd->data, m, &endofchain, 0, fwd->send_size, fwd->copy_by_ref);
9808 					if (m == NULL) {
9809 						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9810 						return (ENOMEM);
9811 					}
9812 					/* Do clear IP_DF ? */
9813 					if (fwd->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9814 						no_fragmentflg = 0;
9815 					}
9816 					/* update our MTU size */
9817 					if (mtu > (fwd->send_size + dmtu))
9818 						mtu -= (fwd->send_size + dmtu);
9819 					else
9820 						mtu = 0;
9821 					data_list[bundle_at++] = fwd;
9822 					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
9823 						break;
9824 					}
9825 				} else {
9826 					/* can't fit so we are done */
9827 					break;
9828 				}
9829 			}
9830 		}
9831 		/* Is there something to send for this destination? */
9832 		if (m) {
9833 			/*
9834 			 * No matter if we fail/or succeed we should start a
9835 			 * timer. A failure is like a lost IP packet :-)
9836 			 */
9837 			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9838 				/*
9839 				 * no timer running on this destination
9840 				 * restart it.
9841 				 */
9842 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9843 				tmr_started = 1;
9844 			}
9845 			switch (asoc->snd_edmid) {
9846 			case SCTP_EDMID_LOWER_LAYER_DTLS:
9847 				use_zero_crc = true;
9848 				break;
9849 			default:
9850 				use_zero_crc = false;
9851 				break;
9852 			}
9853 			/* Now lets send it, if there is anything to send :> */
9854 			if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
9855 			    (struct sockaddr *)&net->ro._l_addr, m,
9856 			    auth_offset, auth, auth_keyid,
9857 			    no_fragmentflg, 0, 0,
9858 			    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9859 			    net->port, NULL,
9860 			    0, 0,
9861 			    use_zero_crc,
9862 			    so_locked))) {
9863 				/* error, we could not output */
9864 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
9865 				if (error == ENOBUFS) {
9866 					asoc->ifp_had_enobuf = 1;
9867 					SCTP_STAT_INCR(sctps_lowlevelerr);
9868 				}
9869 				return (error);
9870 			} else {
9871 				asoc->ifp_had_enobuf = 0;
9872 			}
9873 			endofchain = NULL;
9874 			auth = NULL;
9875 			auth_offset = 0;
9876 			/* For HB's */
9877 			/*
9878 			 * We don't want to mark the net->sent time here
9879 			 * since this we use this for HB and retrans cannot
9880 			 * measure RTT
9881 			 */
9882 			/* (void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time); */
9883 
9884 			/* For auto-close */
9885 			if (*now_filled == 0) {
9886 				(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
9887 				*now = asoc->time_last_sent;
9888 				*now_filled = 1;
9889 			} else {
9890 				asoc->time_last_sent = *now;
9891 			}
9892 			*cnt_out += bundle_at;
9893 #ifdef SCTP_AUDITING_ENABLED
9894 			sctp_audit_log(0xC4, bundle_at);
9895 #endif
9896 			if (bundle_at) {
9897 				tsns_sent = data_list[0]->rec.data.tsn;
9898 			}
9899 			for (i = 0; i < bundle_at; i++) {
9900 				SCTP_STAT_INCR(sctps_sendretransdata);
9901 				data_list[i]->sent = SCTP_DATAGRAM_SENT;
9902 				/*
9903 				 * When we have a revoked data, and we
9904 				 * retransmit it, then we clear the revoked
9905 				 * flag since this flag dictates if we
9906 				 * subtracted from the fs
9907 				 */
9908 				if (data_list[i]->rec.data.chunk_was_revoked) {
9909 					/* Deflate the cwnd */
9910 					data_list[i]->whoTo->cwnd -= data_list[i]->book_size;
9911 					data_list[i]->rec.data.chunk_was_revoked = 0;
9912 				}
9913 				data_list[i]->snd_count++;
9914 				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
9915 				/* record the time */
9916 				data_list[i]->sent_rcv_time = asoc->time_last_sent;
9917 				if (data_list[i]->book_size_scale) {
9918 					/*
9919 					 * need to double the book size on
9920 					 * this one
9921 					 */
9922 					data_list[i]->book_size_scale = 0;
9923 					/*
9924 					 * Since we double the booksize, we
9925 					 * must also double the output queue
9926 					 * size, since this get shrunk when
9927 					 * we free by this amount.
9928 					 */
9929 					atomic_add_int(&((asoc)->total_output_queue_size), data_list[i]->book_size);
9930 					data_list[i]->book_size *= 2;
9931 				} else {
9932 					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
9933 						sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
9934 						    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
9935 					}
9936 					asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
9937 					    (uint32_t)(data_list[i]->send_size +
9938 					    SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
9939 				}
9940 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
9941 					sctp_misc_ints(SCTP_FLIGHT_LOG_UP_RSND,
9942 					    data_list[i]->whoTo->flight_size,
9943 					    data_list[i]->book_size,
9944 					    (uint32_t)(uintptr_t)data_list[i]->whoTo,
9945 					    data_list[i]->rec.data.tsn);
9946 				}
9947 				sctp_flight_size_increase(data_list[i]);
9948 				sctp_total_flight_increase(stcb, data_list[i]);
9949 				if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
9950 					/* SWS sender side engages */
9951 					asoc->peers_rwnd = 0;
9952 				}
9953 				if ((i == 0) &&
9954 				    (data_list[i]->rec.data.doing_fast_retransmit)) {
9955 					SCTP_STAT_INCR(sctps_sendfastretrans);
9956 					if ((data_list[i] == TAILQ_FIRST(&asoc->sent_queue)) &&
9957 					    (tmr_started == 0)) {
9958 						/*-
9959 						 * ok we just fast-retrans'd
9960 						 * the lowest TSN, i.e the
9961 						 * first on the list. In
9962 						 * this case we want to give
9963 						 * some more time to get a
9964 						 * SACK back without a
9965 						 * t3-expiring.
9966 						 */
9967 						sctp_timer_stop(SCTP_TIMER_TYPE_SEND, inp, stcb, net,
9968 						    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_2);
9969 						sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9970 					}
9971 				}
9972 			}
9973 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9974 				sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_RESEND);
9975 			}
9976 #ifdef SCTP_AUDITING_ENABLED
9977 			sctp_auditing(21, inp, stcb, NULL);
9978 #endif
9979 		} else {
9980 			/* None will fit */
9981 			return (1);
9982 		}
9983 		if (asoc->sent_queue_retran_cnt <= 0) {
9984 			/* all done we have no more to retran */
9985 			asoc->sent_queue_retran_cnt = 0;
9986 			break;
9987 		}
9988 		if (one_chunk) {
9989 			/* No more room in rwnd */
9990 			return (1);
9991 		}
9992 		/* stop the for loop here. we sent out a packet */
9993 		break;
9994 	}
9995 	return (0);
9996 }
9997 
9998 static void
9999 sctp_timer_validation(struct sctp_inpcb *inp,
10000     struct sctp_tcb *stcb,
10001     struct sctp_association *asoc)
10002 {
10003 	struct sctp_nets *net;
10004 
10005 	/* Validate that a timer is running somewhere */
10006 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10007 		if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
10008 			/* Here is a timer */
10009 			return;
10010 		}
10011 	}
10012 	SCTP_TCB_LOCK_ASSERT(stcb);
10013 	/* Gak, we did not have a timer somewhere */
10014 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "Deadlock avoided starting timer on a dest at retran\n");
10015 	if (asoc->alternate) {
10016 		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->alternate);
10017 	} else {
10018 		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->primary_destination);
10019 	}
10020 	return;
10021 }
10022 
10023 void
10024 sctp_chunk_output(struct sctp_inpcb *inp,
10025     struct sctp_tcb *stcb,
10026     int from_where,
10027     int so_locked)
10028 {
10029 	/*-
10030 	 * Ok this is the generic chunk service queue. we must do the
10031 	 * following:
10032 	 * - See if there are retransmits pending, if so we must
10033 	 *   do these first.
10034 	 * - Service the stream queue that is next, moving any
10035 	 *   message (note I must get a complete message i.e.
10036 	 *   FIRST/MIDDLE and LAST to the out queue in one pass) and assigning
10037 	 *   TSN's
10038 	 * - Check to see if the cwnd/rwnd allows any output, if so we
10039 	 *   go ahead and formulate and send the low level chunks. Making sure
10040 	 *   to combine any control in the control chunk queue also.
10041 	 */
10042 	struct sctp_association *asoc;
10043 	struct sctp_nets *net;
10044 	int error = 0, num_out, tot_out = 0, ret = 0, reason_code;
10045 	unsigned int burst_cnt = 0;
10046 	struct timeval now;
10047 	int now_filled = 0;
10048 	int nagle_on;
10049 	uint32_t frag_point = sctp_get_frag_point(stcb);
10050 	int un_sent = 0;
10051 	int fr_done;
10052 	unsigned int tot_frs = 0;
10053 
10054 	asoc = &stcb->asoc;
10055 do_it_again:
10056 	/* The Nagle algorithm is only applied when handling a send call. */
10057 	if (from_where == SCTP_OUTPUT_FROM_USR_SEND) {
10058 		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NODELAY)) {
10059 			nagle_on = 0;
10060 		} else {
10061 			nagle_on = 1;
10062 		}
10063 	} else {
10064 		nagle_on = 0;
10065 	}
10066 	SCTP_TCB_LOCK_ASSERT(stcb);
10067 
10068 	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
10069 
10070 	if ((un_sent <= 0) &&
10071 	    (TAILQ_EMPTY(&asoc->control_send_queue)) &&
10072 	    (TAILQ_EMPTY(&asoc->asconf_send_queue)) &&
10073 	    (asoc->sent_queue_retran_cnt == 0) &&
10074 	    (asoc->trigger_reset == 0)) {
10075 		/* Nothing to do unless there is something to be sent left */
10076 		return;
10077 	}
10078 	/*
10079 	 * Do we have something to send, data or control AND a sack timer
10080 	 * running, if so piggy-back the sack.
10081 	 */
10082 	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
10083 		sctp_send_sack(stcb, so_locked);
10084 		sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL,
10085 		    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_3);
10086 	}
10087 	while (asoc->sent_queue_retran_cnt) {
10088 		/*-
10089 		 * Ok, it is retransmission time only, we send out only ONE
10090 		 * packet with a single call off to the retran code.
10091 		 */
10092 		if (from_where == SCTP_OUTPUT_FROM_COOKIE_ACK) {
10093 			/*-
10094 			 * Special hook for handling cookies discarded
10095 			 * by peer that carried data. Send cookie-ack only
10096 			 * and then the next call with get the retran's.
10097 			 */
10098 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10099 			    from_where,
10100 			    &now, &now_filled, frag_point, so_locked);
10101 			return;
10102 		} else if (from_where != SCTP_OUTPUT_FROM_HB_TMR) {
10103 			/* if its not from a HB then do it */
10104 			fr_done = 0;
10105 			ret = sctp_chunk_retransmission(inp, stcb, asoc, &num_out, &now, &now_filled, &fr_done, so_locked);
10106 			if (fr_done) {
10107 				tot_frs++;
10108 			}
10109 		} else {
10110 			/*
10111 			 * its from any other place, we don't allow retran
10112 			 * output (only control)
10113 			 */
10114 			ret = 1;
10115 		}
10116 		if (ret > 0) {
10117 			/* Can't send anymore */
10118 			/*-
10119 			 * now lets push out control by calling med-level
10120 			 * output once. this assures that we WILL send HB's
10121 			 * if queued too.
10122 			 */
10123 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10124 			    from_where,
10125 			    &now, &now_filled, frag_point, so_locked);
10126 #ifdef SCTP_AUDITING_ENABLED
10127 			sctp_auditing(8, inp, stcb, NULL);
10128 #endif
10129 			sctp_timer_validation(inp, stcb, asoc);
10130 			return;
10131 		}
10132 		if (ret < 0) {
10133 			/*-
10134 			 * The count was off.. retran is not happening so do
10135 			 * the normal retransmission.
10136 			 */
10137 #ifdef SCTP_AUDITING_ENABLED
10138 			sctp_auditing(9, inp, stcb, NULL);
10139 #endif
10140 			if (ret == SCTP_RETRAN_EXIT) {
10141 				return;
10142 			}
10143 			break;
10144 		}
10145 		if (from_where == SCTP_OUTPUT_FROM_T3) {
10146 			/* Only one transmission allowed out of a timeout */
10147 #ifdef SCTP_AUDITING_ENABLED
10148 			sctp_auditing(10, inp, stcb, NULL);
10149 #endif
10150 			/* Push out any control */
10151 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1, from_where,
10152 			    &now, &now_filled, frag_point, so_locked);
10153 			return;
10154 		}
10155 		if ((asoc->fr_max_burst > 0) && (tot_frs >= asoc->fr_max_burst)) {
10156 			/* Hit FR burst limit */
10157 			return;
10158 		}
10159 		if ((num_out == 0) && (ret == 0)) {
10160 			/* No more retrans to send */
10161 			break;
10162 		}
10163 	}
10164 #ifdef SCTP_AUDITING_ENABLED
10165 	sctp_auditing(12, inp, stcb, NULL);
10166 #endif
10167 	/* Check for bad destinations, if they exist move chunks around. */
10168 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10169 		if ((net->dest_state & SCTP_ADDR_REACHABLE) == 0) {
10170 			/*-
10171 			 * if possible move things off of this address we
10172 			 * still may send below due to the dormant state but
10173 			 * we try to find an alternate address to send to
10174 			 * and if we have one we move all queued data on the
10175 			 * out wheel to this alternate address.
10176 			 */
10177 			if (net->ref_count > 1)
10178 				sctp_move_chunks_from_net(stcb, net);
10179 		} else {
10180 			/*-
10181 			 * if ((asoc->sat_network) || (net->addr_is_local))
10182 			 * { burst_limit = asoc->max_burst *
10183 			 * SCTP_SAT_NETWORK_BURST_INCR; }
10184 			 */
10185 			if (asoc->max_burst > 0) {
10186 				if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst)) {
10187 					if ((net->flight_size + (asoc->max_burst * net->mtu)) < net->cwnd) {
10188 						/*
10189 						 * JRS - Use the congestion
10190 						 * control given in the
10191 						 * congestion control module
10192 						 */
10193 						asoc->cc_functions.sctp_cwnd_update_after_output(stcb, net, asoc->max_burst);
10194 						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10195 							sctp_log_maxburst(stcb, net, 0, asoc->max_burst, SCTP_MAX_BURST_APPLIED);
10196 						}
10197 						SCTP_STAT_INCR(sctps_maxburstqueued);
10198 					}
10199 					net->fast_retran_ip = 0;
10200 				} else {
10201 					if (net->flight_size == 0) {
10202 						/*
10203 						 * Should be decaying the
10204 						 * cwnd here
10205 						 */
10206 						;
10207 					}
10208 				}
10209 			}
10210 		}
10211 	}
10212 	burst_cnt = 0;
10213 	do {
10214 		error = sctp_med_chunk_output(inp, stcb, asoc, &num_out,
10215 		    &reason_code, 0, from_where,
10216 		    &now, &now_filled, frag_point, so_locked);
10217 		if (error) {
10218 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Error %d was returned from med-c-op\n", error);
10219 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10220 				sctp_log_maxburst(stcb, asoc->primary_destination, error, burst_cnt, SCTP_MAX_BURST_ERROR_STOP);
10221 			}
10222 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10223 				sctp_log_cwnd(stcb, NULL, error, SCTP_SEND_NOW_COMPLETES);
10224 				sctp_log_cwnd(stcb, NULL, 0xdeadbeef, SCTP_SEND_NOW_COMPLETES);
10225 			}
10226 			break;
10227 		}
10228 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "m-c-o put out %d\n", num_out);
10229 
10230 		tot_out += num_out;
10231 		burst_cnt++;
10232 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10233 			sctp_log_cwnd(stcb, NULL, num_out, SCTP_SEND_NOW_COMPLETES);
10234 			if (num_out == 0) {
10235 				sctp_log_cwnd(stcb, NULL, reason_code, SCTP_SEND_NOW_COMPLETES);
10236 			}
10237 		}
10238 		if (nagle_on) {
10239 			/*
10240 			 * When the Nagle algorithm is used, look at how
10241 			 * much is unsent, then if its smaller than an MTU
10242 			 * and we have data in flight we stop, except if we
10243 			 * are handling a fragmented user message.
10244 			 */
10245 			un_sent = stcb->asoc.total_output_queue_size - stcb->asoc.total_flight;
10246 			if ((un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD)) &&
10247 			    (stcb->asoc.total_flight > 0)) {
10248 /*	&&		     sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {*/
10249 				break;
10250 			}
10251 		}
10252 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
10253 		    TAILQ_EMPTY(&asoc->send_queue) &&
10254 		    sctp_is_there_unsent_data(stcb, so_locked) == 0) {
10255 			/* Nothing left to send */
10256 			break;
10257 		}
10258 		if ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) <= 0) {
10259 			/* Nothing left to send */
10260 			break;
10261 		}
10262 	} while (num_out &&
10263 	    ((asoc->max_burst == 0) ||
10264 	    SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) ||
10265 	    (burst_cnt < asoc->max_burst)));
10266 
10267 	if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) == 0) {
10268 		if ((asoc->max_burst > 0) && (burst_cnt >= asoc->max_burst)) {
10269 			SCTP_STAT_INCR(sctps_maxburstqueued);
10270 			asoc->burst_limit_applied = 1;
10271 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10272 				sctp_log_maxburst(stcb, asoc->primary_destination, 0, burst_cnt, SCTP_MAX_BURST_APPLIED);
10273 			}
10274 		} else {
10275 			asoc->burst_limit_applied = 0;
10276 		}
10277 	}
10278 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10279 		sctp_log_cwnd(stcb, NULL, tot_out, SCTP_SEND_NOW_COMPLETES);
10280 	}
10281 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, we have put out %d chunks\n",
10282 	    tot_out);
10283 
10284 	/*-
10285 	 * Now we need to clean up the control chunk chain if a ECNE is on
10286 	 * it. It must be marked as UNSENT again so next call will continue
10287 	 * to send it until such time that we get a CWR, to remove it.
10288 	 */
10289 	if (stcb->asoc.ecn_echo_cnt_onq)
10290 		sctp_fix_ecn_echo(asoc);
10291 
10292 	if (stcb->asoc.trigger_reset) {
10293 		if (sctp_send_stream_reset_out_if_possible(stcb, so_locked) == 0) {
10294 			goto do_it_again;
10295 		}
10296 	}
10297 	return;
10298 }
10299 
10300 int
10301 sctp_output(
10302     struct sctp_inpcb *inp,
10303     struct mbuf *m,
10304     struct sockaddr *addr,
10305     struct mbuf *control,
10306     struct thread *p,
10307     int flags)
10308 {
10309 	if (inp == NULL) {
10310 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10311 		return (EINVAL);
10312 	}
10313 
10314 	if (inp->sctp_socket == NULL) {
10315 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10316 		return (EINVAL);
10317 	}
10318 	return (sctp_sosend(inp->sctp_socket,
10319 	    addr,
10320 	    (struct uio *)NULL,
10321 	    m,
10322 	    control,
10323 	    flags, p
10324 	    ));
10325 }
10326 
10327 void
10328 send_forward_tsn(struct sctp_tcb *stcb,
10329     struct sctp_association *asoc)
10330 {
10331 	struct sctp_tmit_chunk *chk, *at, *tp1, *last;
10332 	struct sctp_forward_tsn_chunk *fwdtsn;
10333 	struct sctp_strseq *strseq;
10334 	struct sctp_strseq_mid *strseq_m;
10335 	uint32_t advance_peer_ack_point;
10336 	unsigned int cnt_of_space, i, ovh;
10337 	unsigned int space_needed;
10338 	unsigned int cnt_of_skipped = 0;
10339 
10340 	SCTP_TCB_LOCK_ASSERT(stcb);
10341 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10342 		if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
10343 			/* mark it to unsent */
10344 			chk->sent = SCTP_DATAGRAM_UNSENT;
10345 			chk->snd_count = 0;
10346 			/* Do we correct its output location? */
10347 			if (chk->whoTo) {
10348 				sctp_free_remote_addr(chk->whoTo);
10349 				chk->whoTo = NULL;
10350 			}
10351 			goto sctp_fill_in_rest;
10352 		}
10353 	}
10354 	/* Ok if we reach here we must build one */
10355 	sctp_alloc_a_chunk(stcb, chk);
10356 	if (chk == NULL) {
10357 		return;
10358 	}
10359 	asoc->fwd_tsn_cnt++;
10360 	chk->copy_by_ref = 0;
10361 	/*
10362 	 * We don't do the old thing here since this is used not for on-wire
10363 	 * but to tell if we are sending a fwd-tsn by the stack during
10364 	 * output. And if its a IFORWARD or a FORWARD it is a fwd-tsn.
10365 	 */
10366 	chk->rec.chunk_id.id = SCTP_FORWARD_CUM_TSN;
10367 	chk->rec.chunk_id.can_take_data = 0;
10368 	chk->flags = 0;
10369 	chk->asoc = asoc;
10370 	chk->whoTo = NULL;
10371 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
10372 	if (chk->data == NULL) {
10373 		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
10374 		return;
10375 	}
10376 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10377 	chk->sent = SCTP_DATAGRAM_UNSENT;
10378 	chk->snd_count = 0;
10379 	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
10380 	asoc->ctrl_queue_cnt++;
10381 sctp_fill_in_rest:
10382 	/*-
10383 	 * Here we go through and fill out the part that deals with
10384 	 * stream/seq of the ones we skip.
10385 	 */
10386 	SCTP_BUF_LEN(chk->data) = 0;
10387 	TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
10388 		if ((at->sent != SCTP_FORWARD_TSN_SKIP) &&
10389 		    (at->sent != SCTP_DATAGRAM_NR_ACKED)) {
10390 			/* no more to look at */
10391 			break;
10392 		}
10393 		if (!asoc->idata_supported && (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED)) {
10394 			/* We don't report these */
10395 			continue;
10396 		}
10397 		cnt_of_skipped++;
10398 	}
10399 	if (asoc->idata_supported) {
10400 		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
10401 		    (cnt_of_skipped * sizeof(struct sctp_strseq_mid)));
10402 	} else {
10403 		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
10404 		    (cnt_of_skipped * sizeof(struct sctp_strseq)));
10405 	}
10406 	cnt_of_space = (unsigned int)M_TRAILINGSPACE(chk->data);
10407 
10408 	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
10409 		ovh = SCTP_MIN_OVERHEAD;
10410 	} else {
10411 		ovh = SCTP_MIN_V4_OVERHEAD;
10412 	}
10413 	if (cnt_of_space > (asoc->smallest_mtu - ovh)) {
10414 		/* trim to a mtu size */
10415 		cnt_of_space = asoc->smallest_mtu - ovh;
10416 	}
10417 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10418 		sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10419 		    0xff, 0, cnt_of_skipped,
10420 		    asoc->advanced_peer_ack_point);
10421 	}
10422 	advance_peer_ack_point = asoc->advanced_peer_ack_point;
10423 	if (cnt_of_space < space_needed) {
10424 		/*-
10425 		 * ok we must trim down the chunk by lowering the
10426 		 * advance peer ack point.
10427 		 */
10428 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10429 			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10430 			    0xff, 0xff, cnt_of_space,
10431 			    space_needed);
10432 		}
10433 		cnt_of_skipped = cnt_of_space - sizeof(struct sctp_forward_tsn_chunk);
10434 		if (asoc->idata_supported) {
10435 			cnt_of_skipped /= sizeof(struct sctp_strseq_mid);
10436 		} else {
10437 			cnt_of_skipped /= sizeof(struct sctp_strseq);
10438 		}
10439 		/*-
10440 		 * Go through and find the TSN that will be the one
10441 		 * we report.
10442 		 */
10443 		at = TAILQ_FIRST(&asoc->sent_queue);
10444 		if (at != NULL) {
10445 			for (i = 0; i < cnt_of_skipped; i++) {
10446 				tp1 = TAILQ_NEXT(at, sctp_next);
10447 				if (tp1 == NULL) {
10448 					break;
10449 				}
10450 				at = tp1;
10451 			}
10452 		}
10453 		if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10454 			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10455 			    0xff, cnt_of_skipped, at->rec.data.tsn,
10456 			    asoc->advanced_peer_ack_point);
10457 		}
10458 		last = at;
10459 		/*-
10460 		 * last now points to last one I can report, update
10461 		 * peer ack point
10462 		 */
10463 		if (last) {
10464 			advance_peer_ack_point = last->rec.data.tsn;
10465 		}
10466 		if (asoc->idata_supported) {
10467 			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
10468 			    cnt_of_skipped * sizeof(struct sctp_strseq_mid);
10469 		} else {
10470 			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
10471 			    cnt_of_skipped * sizeof(struct sctp_strseq);
10472 		}
10473 	}
10474 	chk->send_size = space_needed;
10475 	/* Setup the chunk */
10476 	fwdtsn = mtod(chk->data, struct sctp_forward_tsn_chunk *);
10477 	fwdtsn->ch.chunk_length = htons(chk->send_size);
10478 	fwdtsn->ch.chunk_flags = 0;
10479 	if (asoc->idata_supported) {
10480 		fwdtsn->ch.chunk_type = SCTP_IFORWARD_CUM_TSN;
10481 	} else {
10482 		fwdtsn->ch.chunk_type = SCTP_FORWARD_CUM_TSN;
10483 	}
10484 	fwdtsn->new_cumulative_tsn = htonl(advance_peer_ack_point);
10485 	SCTP_BUF_LEN(chk->data) = chk->send_size;
10486 	fwdtsn++;
10487 	/*-
10488 	 * Move pointer to after the fwdtsn and transfer to the
10489 	 * strseq pointer.
10490 	 */
10491 	if (asoc->idata_supported) {
10492 		strseq_m = (struct sctp_strseq_mid *)fwdtsn;
10493 		strseq = NULL;
10494 	} else {
10495 		strseq = (struct sctp_strseq *)fwdtsn;
10496 		strseq_m = NULL;
10497 	}
10498 	/*-
10499 	 * Now populate the strseq list. This is done blindly
10500 	 * without pulling out duplicate stream info. This is
10501 	 * inefficient but won't harm the process since the peer will
10502 	 * look at these in sequence and will thus release anything.
10503 	 * It could mean we exceed the PMTU and chop off some that
10504 	 * we could have included.. but this is unlikely (aka 1432/4
10505 	 * would mean 300+ stream seq's would have to be reported in
10506 	 * one FWD-TSN. With a bit of work we can later FIX this to
10507 	 * optimize and pull out duplicates.. but it does add more
10508 	 * overhead. So for now... not!
10509 	 */
10510 	i = 0;
10511 	TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
10512 		if (i >= cnt_of_skipped) {
10513 			break;
10514 		}
10515 		if (!asoc->idata_supported && (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED)) {
10516 			/* We don't report these */
10517 			continue;
10518 		}
10519 		if (at->rec.data.tsn == advance_peer_ack_point) {
10520 			at->rec.data.fwd_tsn_cnt = 0;
10521 		}
10522 		if (asoc->idata_supported) {
10523 			strseq_m->sid = htons(at->rec.data.sid);
10524 			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
10525 				strseq_m->flags = htons(PR_SCTP_UNORDERED_FLAG);
10526 			} else {
10527 				strseq_m->flags = 0;
10528 			}
10529 			strseq_m->mid = htonl(at->rec.data.mid);
10530 			strseq_m++;
10531 		} else {
10532 			strseq->sid = htons(at->rec.data.sid);
10533 			strseq->ssn = htons((uint16_t)at->rec.data.mid);
10534 			strseq++;
10535 		}
10536 		i++;
10537 	}
10538 	return;
10539 }
10540 
10541 void
10542 sctp_send_sack(struct sctp_tcb *stcb, int so_locked)
10543 {
10544 	/*-
10545 	 * Queue up a SACK or NR-SACK in the control queue.
10546 	 * We must first check to see if a SACK or NR-SACK is
10547 	 * somehow on the control queue.
10548 	 * If so, we will take and and remove the old one.
10549 	 */
10550 	struct sctp_association *asoc;
10551 	struct sctp_tmit_chunk *chk, *a_chk;
10552 	struct sctp_sack_chunk *sack;
10553 	struct sctp_nr_sack_chunk *nr_sack;
10554 	struct sctp_gap_ack_block *gap_descriptor;
10555 	const struct sack_track *selector;
10556 	int mergeable = 0;
10557 	int offset;
10558 	caddr_t limit;
10559 	uint32_t *dup;
10560 	int limit_reached = 0;
10561 	unsigned int i, siz, j;
10562 	unsigned int num_gap_blocks = 0, num_nr_gap_blocks = 0, space;
10563 	int num_dups = 0;
10564 	int space_req;
10565 	uint32_t highest_tsn;
10566 	uint8_t flags;
10567 	uint8_t type;
10568 	uint8_t tsn_map;
10569 
10570 	if (stcb->asoc.nrsack_supported == 1) {
10571 		type = SCTP_NR_SELECTIVE_ACK;
10572 	} else {
10573 		type = SCTP_SELECTIVE_ACK;
10574 	}
10575 	a_chk = NULL;
10576 	asoc = &stcb->asoc;
10577 	SCTP_TCB_LOCK_ASSERT(stcb);
10578 	if (asoc->last_data_chunk_from == NULL) {
10579 		/* Hmm we never received anything */
10580 		return;
10581 	}
10582 	sctp_slide_mapping_arrays(stcb);
10583 	sctp_set_rwnd(stcb, asoc);
10584 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10585 		if (chk->rec.chunk_id.id == type) {
10586 			/* Hmm, found a sack already on queue, remove it */
10587 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
10588 			asoc->ctrl_queue_cnt--;
10589 			a_chk = chk;
10590 			if (a_chk->data) {
10591 				sctp_m_freem(a_chk->data);
10592 				a_chk->data = NULL;
10593 			}
10594 			if (a_chk->whoTo) {
10595 				sctp_free_remote_addr(a_chk->whoTo);
10596 				a_chk->whoTo = NULL;
10597 			}
10598 			break;
10599 		}
10600 	}
10601 	if (a_chk == NULL) {
10602 		sctp_alloc_a_chunk(stcb, a_chk);
10603 		if (a_chk == NULL) {
10604 			/* No memory so we drop the idea, and set a timer */
10605 			if (stcb->asoc.delayed_ack) {
10606 				sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10607 				    stcb->sctp_ep, stcb, NULL,
10608 				    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_4);
10609 				sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10610 				    stcb->sctp_ep, stcb, NULL);
10611 			} else {
10612 				stcb->asoc.send_sack = 1;
10613 			}
10614 			return;
10615 		}
10616 		a_chk->copy_by_ref = 0;
10617 		a_chk->rec.chunk_id.id = type;
10618 		a_chk->rec.chunk_id.can_take_data = 1;
10619 	}
10620 	/* Clear our pkt counts */
10621 	asoc->data_pkts_seen = 0;
10622 
10623 	a_chk->flags = 0;
10624 	a_chk->asoc = asoc;
10625 	a_chk->snd_count = 0;
10626 	a_chk->send_size = 0;	/* fill in later */
10627 	a_chk->sent = SCTP_DATAGRAM_UNSENT;
10628 	a_chk->whoTo = NULL;
10629 
10630 	if ((asoc->last_data_chunk_from->dest_state & SCTP_ADDR_REACHABLE) == 0) {
10631 		/*-
10632 		 * Ok, the destination for the SACK is unreachable, lets see if
10633 		 * we can select an alternate to asoc->last_data_chunk_from
10634 		 */
10635 		a_chk->whoTo = sctp_find_alternate_net(stcb, asoc->last_data_chunk_from, 0);
10636 		if (a_chk->whoTo == NULL) {
10637 			/* Nope, no alternate */
10638 			a_chk->whoTo = asoc->last_data_chunk_from;
10639 		}
10640 	} else {
10641 		a_chk->whoTo = asoc->last_data_chunk_from;
10642 	}
10643 	if (a_chk->whoTo) {
10644 		atomic_add_int(&a_chk->whoTo->ref_count, 1);
10645 	}
10646 	if (SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->highest_tsn_inside_nr_map)) {
10647 		highest_tsn = asoc->highest_tsn_inside_map;
10648 	} else {
10649 		highest_tsn = asoc->highest_tsn_inside_nr_map;
10650 	}
10651 	if (highest_tsn == asoc->cumulative_tsn) {
10652 		/* no gaps */
10653 		if (type == SCTP_SELECTIVE_ACK) {
10654 			space_req = sizeof(struct sctp_sack_chunk);
10655 		} else {
10656 			space_req = sizeof(struct sctp_nr_sack_chunk);
10657 		}
10658 	} else {
10659 		/* gaps get a cluster */
10660 		space_req = MCLBYTES;
10661 	}
10662 	/* Ok now lets formulate a MBUF with our sack */
10663 	a_chk->data = sctp_get_mbuf_for_msg(space_req, 0, M_NOWAIT, 1, MT_DATA);
10664 	if ((a_chk->data == NULL) ||
10665 	    (a_chk->whoTo == NULL)) {
10666 		/* rats, no mbuf memory */
10667 		if (a_chk->data) {
10668 			/* was a problem with the destination */
10669 			sctp_m_freem(a_chk->data);
10670 			a_chk->data = NULL;
10671 		}
10672 		sctp_free_a_chunk(stcb, a_chk, so_locked);
10673 		/* sa_ignore NO_NULL_CHK */
10674 		if (stcb->asoc.delayed_ack) {
10675 			sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10676 			    stcb->sctp_ep, stcb, NULL,
10677 			    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_5);
10678 			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10679 			    stcb->sctp_ep, stcb, NULL);
10680 		} else {
10681 			stcb->asoc.send_sack = 1;
10682 		}
10683 		return;
10684 	}
10685 	/* ok, lets go through and fill it in */
10686 	SCTP_BUF_RESV_UF(a_chk->data, SCTP_MIN_OVERHEAD);
10687 	space = (unsigned int)M_TRAILINGSPACE(a_chk->data);
10688 	if (space > (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD)) {
10689 		space = (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD);
10690 	}
10691 	limit = mtod(a_chk->data, caddr_t);
10692 	limit += space;
10693 
10694 	flags = 0;
10695 
10696 	if ((asoc->sctp_cmt_on_off > 0) &&
10697 	    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
10698 		/*-
10699 		 * CMT DAC algorithm: If 2 (i.e., 0x10) packets have been
10700 		 * received, then set high bit to 1, else 0. Reset
10701 		 * pkts_rcvd.
10702 		 */
10703 		flags |= (asoc->cmt_dac_pkts_rcvd << 6);
10704 		asoc->cmt_dac_pkts_rcvd = 0;
10705 	}
10706 #ifdef SCTP_ASOCLOG_OF_TSNS
10707 	stcb->asoc.cumack_logsnt[stcb->asoc.cumack_log_atsnt] = asoc->cumulative_tsn;
10708 	stcb->asoc.cumack_log_atsnt++;
10709 	if (stcb->asoc.cumack_log_atsnt >= SCTP_TSN_LOG_SIZE) {
10710 		stcb->asoc.cumack_log_atsnt = 0;
10711 	}
10712 #endif
10713 	/* reset the readers interpretation */
10714 	stcb->freed_by_sorcv_sincelast = 0;
10715 
10716 	if (type == SCTP_SELECTIVE_ACK) {
10717 		sack = mtod(a_chk->data, struct sctp_sack_chunk *);
10718 		nr_sack = NULL;
10719 		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)sack + sizeof(struct sctp_sack_chunk));
10720 		if (highest_tsn > asoc->mapping_array_base_tsn) {
10721 			siz = (((highest_tsn - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10722 		} else {
10723 			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + highest_tsn + 7) / 8;
10724 		}
10725 	} else {
10726 		sack = NULL;
10727 		nr_sack = mtod(a_chk->data, struct sctp_nr_sack_chunk *);
10728 		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)nr_sack + sizeof(struct sctp_nr_sack_chunk));
10729 		if (asoc->highest_tsn_inside_map > asoc->mapping_array_base_tsn) {
10730 			siz = (((asoc->highest_tsn_inside_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10731 		} else {
10732 			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_map + 7) / 8;
10733 		}
10734 	}
10735 
10736 	if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10737 		offset = 1;
10738 	} else {
10739 		offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10740 	}
10741 	if (((type == SCTP_SELECTIVE_ACK) &&
10742 	    SCTP_TSN_GT(highest_tsn, asoc->cumulative_tsn)) ||
10743 	    ((type == SCTP_NR_SELECTIVE_ACK) &&
10744 	    SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->cumulative_tsn))) {
10745 		/* we have a gap .. maybe */
10746 		for (i = 0; i < siz; i++) {
10747 			tsn_map = asoc->mapping_array[i];
10748 			if (type == SCTP_SELECTIVE_ACK) {
10749 				tsn_map |= asoc->nr_mapping_array[i];
10750 			}
10751 			if (i == 0) {
10752 				/*
10753 				 * Clear all bits corresponding to TSNs
10754 				 * smaller or equal to the cumulative TSN.
10755 				 */
10756 				tsn_map &= (~0U << (1 - offset));
10757 			}
10758 			selector = &sack_array[tsn_map];
10759 			if (mergeable && selector->right_edge) {
10760 				/*
10761 				 * Backup, left and right edges were ok to
10762 				 * merge.
10763 				 */
10764 				num_gap_blocks--;
10765 				gap_descriptor--;
10766 			}
10767 			if (selector->num_entries == 0)
10768 				mergeable = 0;
10769 			else {
10770 				for (j = 0; j < selector->num_entries; j++) {
10771 					if (mergeable && selector->right_edge) {
10772 						/*
10773 						 * do a merge by NOT setting
10774 						 * the left side
10775 						 */
10776 						mergeable = 0;
10777 					} else {
10778 						/*
10779 						 * no merge, set the left
10780 						 * side
10781 						 */
10782 						mergeable = 0;
10783 						gap_descriptor->start = htons((selector->gaps[j].start + offset));
10784 					}
10785 					gap_descriptor->end = htons((selector->gaps[j].end + offset));
10786 					num_gap_blocks++;
10787 					gap_descriptor++;
10788 					if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10789 						/* no more room */
10790 						limit_reached = 1;
10791 						break;
10792 					}
10793 				}
10794 				if (selector->left_edge) {
10795 					mergeable = 1;
10796 				}
10797 			}
10798 			if (limit_reached) {
10799 				/* Reached the limit stop */
10800 				break;
10801 			}
10802 			offset += 8;
10803 		}
10804 	}
10805 	if ((type == SCTP_NR_SELECTIVE_ACK) &&
10806 	    (limit_reached == 0)) {
10807 		mergeable = 0;
10808 
10809 		if (asoc->highest_tsn_inside_nr_map > asoc->mapping_array_base_tsn) {
10810 			siz = (((asoc->highest_tsn_inside_nr_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10811 		} else {
10812 			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_nr_map + 7) / 8;
10813 		}
10814 
10815 		if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10816 			offset = 1;
10817 		} else {
10818 			offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10819 		}
10820 		if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->cumulative_tsn)) {
10821 			/* we have a gap .. maybe */
10822 			for (i = 0; i < siz; i++) {
10823 				tsn_map = asoc->nr_mapping_array[i];
10824 				if (i == 0) {
10825 					/*
10826 					 * Clear all bits corresponding to
10827 					 * TSNs smaller or equal to the
10828 					 * cumulative TSN.
10829 					 */
10830 					tsn_map &= (~0U << (1 - offset));
10831 				}
10832 				selector = &sack_array[tsn_map];
10833 				if (mergeable && selector->right_edge) {
10834 					/*
10835 					 * Backup, left and right edges were
10836 					 * ok to merge.
10837 					 */
10838 					num_nr_gap_blocks--;
10839 					gap_descriptor--;
10840 				}
10841 				if (selector->num_entries == 0)
10842 					mergeable = 0;
10843 				else {
10844 					for (j = 0; j < selector->num_entries; j++) {
10845 						if (mergeable && selector->right_edge) {
10846 							/*
10847 							 * do a merge by NOT
10848 							 * setting the left
10849 							 * side
10850 							 */
10851 							mergeable = 0;
10852 						} else {
10853 							/*
10854 							 * no merge, set the
10855 							 * left side
10856 							 */
10857 							mergeable = 0;
10858 							gap_descriptor->start = htons((selector->gaps[j].start + offset));
10859 						}
10860 						gap_descriptor->end = htons((selector->gaps[j].end + offset));
10861 						num_nr_gap_blocks++;
10862 						gap_descriptor++;
10863 						if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10864 							/* no more room */
10865 							limit_reached = 1;
10866 							break;
10867 						}
10868 					}
10869 					if (selector->left_edge) {
10870 						mergeable = 1;
10871 					}
10872 				}
10873 				if (limit_reached) {
10874 					/* Reached the limit stop */
10875 					break;
10876 				}
10877 				offset += 8;
10878 			}
10879 		}
10880 	}
10881 	/* now we must add any dups we are going to report. */
10882 	if ((limit_reached == 0) && (asoc->numduptsns)) {
10883 		dup = (uint32_t *)gap_descriptor;
10884 		for (i = 0; i < asoc->numduptsns; i++) {
10885 			*dup = htonl(asoc->dup_tsns[i]);
10886 			dup++;
10887 			num_dups++;
10888 			if (((caddr_t)dup + sizeof(uint32_t)) > limit) {
10889 				/* no more room */
10890 				break;
10891 			}
10892 		}
10893 		asoc->numduptsns = 0;
10894 	}
10895 	/*
10896 	 * now that the chunk is prepared queue it to the control chunk
10897 	 * queue.
10898 	 */
10899 	if (type == SCTP_SELECTIVE_ACK) {
10900 		a_chk->send_size = (uint16_t)(sizeof(struct sctp_sack_chunk) +
10901 		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10902 		    num_dups * sizeof(int32_t));
10903 		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10904 		sack->sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10905 		sack->sack.a_rwnd = htonl(asoc->my_rwnd);
10906 		sack->sack.num_gap_ack_blks = htons(num_gap_blocks);
10907 		sack->sack.num_dup_tsns = htons(num_dups);
10908 		sack->ch.chunk_type = type;
10909 		sack->ch.chunk_flags = flags;
10910 		sack->ch.chunk_length = htons(a_chk->send_size);
10911 	} else {
10912 		a_chk->send_size = (uint16_t)(sizeof(struct sctp_nr_sack_chunk) +
10913 		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10914 		    num_dups * sizeof(int32_t));
10915 		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10916 		nr_sack->nr_sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10917 		nr_sack->nr_sack.a_rwnd = htonl(asoc->my_rwnd);
10918 		nr_sack->nr_sack.num_gap_ack_blks = htons(num_gap_blocks);
10919 		nr_sack->nr_sack.num_nr_gap_ack_blks = htons(num_nr_gap_blocks);
10920 		nr_sack->nr_sack.num_dup_tsns = htons(num_dups);
10921 		nr_sack->nr_sack.reserved = 0;
10922 		nr_sack->ch.chunk_type = type;
10923 		nr_sack->ch.chunk_flags = flags;
10924 		nr_sack->ch.chunk_length = htons(a_chk->send_size);
10925 	}
10926 	TAILQ_INSERT_TAIL(&asoc->control_send_queue, a_chk, sctp_next);
10927 	asoc->my_last_reported_rwnd = asoc->my_rwnd;
10928 	asoc->ctrl_queue_cnt++;
10929 	asoc->send_sack = 0;
10930 	SCTP_STAT_INCR(sctps_sendsacks);
10931 	return;
10932 }
10933 
10934 void
10935 sctp_send_abort_tcb(struct sctp_tcb *stcb, struct mbuf *operr, int so_locked)
10936 {
10937 	struct mbuf *m_abort, *m, *m_last;
10938 	struct mbuf *m_out, *m_end = NULL;
10939 	struct sctp_abort_chunk *abort;
10940 	struct sctp_auth_chunk *auth = NULL;
10941 	struct sctp_nets *net;
10942 	uint32_t vtag;
10943 	uint32_t auth_offset = 0;
10944 	int error;
10945 	uint16_t cause_len, chunk_len, padding_len;
10946 	bool use_zero_crc;
10947 
10948 	SCTP_TCB_LOCK_ASSERT(stcb);
10949 	/*-
10950 	 * Add an AUTH chunk, if chunk requires it and save the offset into
10951 	 * the chain for AUTH
10952 	 */
10953 	if (sctp_auth_is_required_chunk(SCTP_ABORT_ASSOCIATION,
10954 	    stcb->asoc.peer_auth_chunks)) {
10955 		m_out = sctp_add_auth_chunk(NULL, &m_end, &auth, &auth_offset,
10956 		    stcb, SCTP_ABORT_ASSOCIATION);
10957 		SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10958 	} else {
10959 		m_out = NULL;
10960 	}
10961 	switch (stcb->asoc.snd_edmid) {
10962 	case SCTP_EDMID_LOWER_LAYER_DTLS:
10963 		use_zero_crc = true;
10964 		break;
10965 	default:
10966 		use_zero_crc = false;
10967 		break;
10968 	}
10969 	m_abort = sctp_get_mbuf_for_msg(sizeof(struct sctp_abort_chunk), 0, M_NOWAIT, 1, MT_HEADER);
10970 	if (m_abort == NULL) {
10971 		if (m_out) {
10972 			sctp_m_freem(m_out);
10973 		}
10974 		if (operr) {
10975 			sctp_m_freem(operr);
10976 		}
10977 		return;
10978 	}
10979 	/* link in any error */
10980 	SCTP_BUF_NEXT(m_abort) = operr;
10981 	cause_len = 0;
10982 	m_last = NULL;
10983 	for (m = operr; m; m = SCTP_BUF_NEXT(m)) {
10984 		cause_len += (uint16_t)SCTP_BUF_LEN(m);
10985 		if (SCTP_BUF_NEXT(m) == NULL) {
10986 			m_last = m;
10987 		}
10988 	}
10989 	SCTP_BUF_LEN(m_abort) = sizeof(struct sctp_abort_chunk);
10990 	chunk_len = (uint16_t)sizeof(struct sctp_abort_chunk) + cause_len;
10991 	padding_len = SCTP_SIZE32(chunk_len) - chunk_len;
10992 	if (m_out == NULL) {
10993 		/* NO Auth chunk prepended, so reserve space in front */
10994 		SCTP_BUF_RESV_UF(m_abort, SCTP_MIN_OVERHEAD);
10995 		m_out = m_abort;
10996 	} else {
10997 		/* Put AUTH chunk at the front of the chain */
10998 		SCTP_BUF_NEXT(m_end) = m_abort;
10999 	}
11000 	if (stcb->asoc.alternate) {
11001 		net = stcb->asoc.alternate;
11002 	} else {
11003 		net = stcb->asoc.primary_destination;
11004 	}
11005 	/* Fill in the ABORT chunk header. */
11006 	abort = mtod(m_abort, struct sctp_abort_chunk *);
11007 	abort->ch.chunk_type = SCTP_ABORT_ASSOCIATION;
11008 	if (stcb->asoc.peer_vtag == 0) {
11009 		/* This happens iff the assoc is in COOKIE-WAIT state. */
11010 		vtag = stcb->asoc.my_vtag;
11011 		abort->ch.chunk_flags = SCTP_HAD_NO_TCB;
11012 	} else {
11013 		vtag = stcb->asoc.peer_vtag;
11014 		abort->ch.chunk_flags = 0;
11015 	}
11016 	abort->ch.chunk_length = htons(chunk_len);
11017 	/* Add padding, if necessary. */
11018 	if (padding_len > 0) {
11019 		if ((m_last == NULL) ||
11020 		    (sctp_add_pad_tombuf(m_last, padding_len) == NULL)) {
11021 			sctp_m_freem(m_out);
11022 			return;
11023 		}
11024 	}
11025 	if ((error = sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
11026 	    (struct sockaddr *)&net->ro._l_addr,
11027 	    m_out, auth_offset, auth, stcb->asoc.authinfo.active_keyid, 1, 0, 0,
11028 	    stcb->sctp_ep->sctp_lport, stcb->rport, htonl(vtag),
11029 	    stcb->asoc.primary_destination->port, NULL,
11030 	    0, 0,
11031 	    use_zero_crc,
11032 	    so_locked))) {
11033 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
11034 		if (error == ENOBUFS) {
11035 			stcb->asoc.ifp_had_enobuf = 1;
11036 			SCTP_STAT_INCR(sctps_lowlevelerr);
11037 		}
11038 	} else {
11039 		stcb->asoc.ifp_had_enobuf = 0;
11040 	}
11041 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11042 }
11043 
11044 void
11045 sctp_send_shutdown_complete(struct sctp_tcb *stcb,
11046     struct sctp_nets *net,
11047     int reflect_vtag)
11048 {
11049 	/* formulate and SEND a SHUTDOWN-COMPLETE */
11050 	struct mbuf *m_shutdown_comp;
11051 	struct sctp_shutdown_complete_chunk *shutdown_complete;
11052 	uint32_t vtag;
11053 	int error;
11054 	uint8_t flags;
11055 	bool use_zero_crc;
11056 
11057 	m_shutdown_comp = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
11058 	if (m_shutdown_comp == NULL) {
11059 		/* no mbuf's */
11060 		return;
11061 	}
11062 	if (reflect_vtag) {
11063 		flags = SCTP_HAD_NO_TCB;
11064 		vtag = stcb->asoc.my_vtag;
11065 	} else {
11066 		flags = 0;
11067 		vtag = stcb->asoc.peer_vtag;
11068 	}
11069 	switch (stcb->asoc.snd_edmid) {
11070 	case SCTP_EDMID_LOWER_LAYER_DTLS:
11071 		use_zero_crc = true;
11072 		break;
11073 	default:
11074 		use_zero_crc = false;
11075 		break;
11076 	}
11077 	shutdown_complete = mtod(m_shutdown_comp, struct sctp_shutdown_complete_chunk *);
11078 	shutdown_complete->ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
11079 	shutdown_complete->ch.chunk_flags = flags;
11080 	shutdown_complete->ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
11081 	SCTP_BUF_LEN(m_shutdown_comp) = sizeof(struct sctp_shutdown_complete_chunk);
11082 	if ((error = sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
11083 	    (struct sockaddr *)&net->ro._l_addr,
11084 	    m_shutdown_comp, 0, NULL, 0, 1, 0, 0,
11085 	    stcb->sctp_ep->sctp_lport, stcb->rport,
11086 	    htonl(vtag),
11087 	    net->port, NULL,
11088 	    0, 0,
11089 	    use_zero_crc,
11090 	    SCTP_SO_NOT_LOCKED))) {
11091 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
11092 		if (error == ENOBUFS) {
11093 			stcb->asoc.ifp_had_enobuf = 1;
11094 			SCTP_STAT_INCR(sctps_lowlevelerr);
11095 		}
11096 	} else {
11097 		stcb->asoc.ifp_had_enobuf = 0;
11098 	}
11099 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11100 	return;
11101 }
11102 
11103 static void
11104 sctp_send_resp_msg(struct sockaddr *src, struct sockaddr *dst,
11105     struct sctphdr *sh, uint32_t vtag,
11106     uint8_t type, struct mbuf *cause,
11107     uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
11108     uint32_t vrf_id, uint16_t port)
11109 {
11110 	struct mbuf *o_pak;
11111 	struct mbuf *mout;
11112 	struct sctphdr *shout;
11113 	struct sctp_chunkhdr *ch;
11114 #if defined(INET) || defined(INET6)
11115 	struct udphdr *udp;
11116 #endif
11117 	int ret, len, cause_len, padding_len;
11118 #ifdef INET
11119 	struct sockaddr_in *src_sin, *dst_sin;
11120 	struct ip *ip;
11121 #endif
11122 #ifdef INET6
11123 	struct sockaddr_in6 *src_sin6, *dst_sin6;
11124 	struct ip6_hdr *ip6;
11125 #endif
11126 
11127 	/* Compute the length of the cause and add final padding. */
11128 	cause_len = 0;
11129 	if (cause != NULL) {
11130 		struct mbuf *m_at, *m_last = NULL;
11131 
11132 		for (m_at = cause; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
11133 			if (SCTP_BUF_NEXT(m_at) == NULL)
11134 				m_last = m_at;
11135 			cause_len += SCTP_BUF_LEN(m_at);
11136 		}
11137 		padding_len = cause_len % 4;
11138 		if (padding_len != 0) {
11139 			padding_len = 4 - padding_len;
11140 		}
11141 		if (padding_len != 0) {
11142 			if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
11143 				sctp_m_freem(cause);
11144 				return;
11145 			}
11146 		}
11147 	} else {
11148 		padding_len = 0;
11149 	}
11150 	/* Get an mbuf for the header. */
11151 	len = sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
11152 	switch (dst->sa_family) {
11153 #ifdef INET
11154 	case AF_INET:
11155 		len += sizeof(struct ip);
11156 		break;
11157 #endif
11158 #ifdef INET6
11159 	case AF_INET6:
11160 		len += sizeof(struct ip6_hdr);
11161 		break;
11162 #endif
11163 	default:
11164 		break;
11165 	}
11166 #if defined(INET) || defined(INET6)
11167 	if (port) {
11168 		len += sizeof(struct udphdr);
11169 	}
11170 #endif
11171 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_NOWAIT, 1, MT_DATA);
11172 	if (mout == NULL) {
11173 		if (cause) {
11174 			sctp_m_freem(cause);
11175 		}
11176 		return;
11177 	}
11178 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11179 	SCTP_BUF_LEN(mout) = len;
11180 	SCTP_BUF_NEXT(mout) = cause;
11181 	M_SETFIB(mout, fibnum);
11182 	mout->m_pkthdr.flowid = mflowid;
11183 	M_HASHTYPE_SET(mout, mflowtype);
11184 #ifdef INET
11185 	ip = NULL;
11186 #endif
11187 #ifdef INET6
11188 	ip6 = NULL;
11189 #endif
11190 	switch (dst->sa_family) {
11191 #ifdef INET
11192 	case AF_INET:
11193 		src_sin = (struct sockaddr_in *)src;
11194 		dst_sin = (struct sockaddr_in *)dst;
11195 		ip = mtod(mout, struct ip *);
11196 		ip->ip_v = IPVERSION;
11197 		ip->ip_hl = (sizeof(struct ip) >> 2);
11198 		ip->ip_tos = 0;
11199 		ip->ip_off = htons(IP_DF);
11200 		ip_fillid(ip, V_ip_random_id);
11201 		ip->ip_ttl = MODULE_GLOBAL(ip_defttl);
11202 		if (port) {
11203 			ip->ip_p = IPPROTO_UDP;
11204 		} else {
11205 			ip->ip_p = IPPROTO_SCTP;
11206 		}
11207 		ip->ip_src.s_addr = dst_sin->sin_addr.s_addr;
11208 		ip->ip_dst.s_addr = src_sin->sin_addr.s_addr;
11209 		ip->ip_sum = 0;
11210 		len = sizeof(struct ip);
11211 		shout = (struct sctphdr *)((caddr_t)ip + len);
11212 		break;
11213 #endif
11214 #ifdef INET6
11215 	case AF_INET6:
11216 		src_sin6 = (struct sockaddr_in6 *)src;
11217 		dst_sin6 = (struct sockaddr_in6 *)dst;
11218 		ip6 = mtod(mout, struct ip6_hdr *);
11219 		ip6->ip6_flow = htonl(0x60000000);
11220 		if (V_ip6_auto_flowlabel) {
11221 			ip6->ip6_flow |= (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
11222 		}
11223 		ip6->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11224 		if (port) {
11225 			ip6->ip6_nxt = IPPROTO_UDP;
11226 		} else {
11227 			ip6->ip6_nxt = IPPROTO_SCTP;
11228 		}
11229 		ip6->ip6_src = dst_sin6->sin6_addr;
11230 		ip6->ip6_dst = src_sin6->sin6_addr;
11231 		len = sizeof(struct ip6_hdr);
11232 		shout = (struct sctphdr *)((caddr_t)ip6 + len);
11233 		break;
11234 #endif
11235 	default:
11236 		len = 0;
11237 		shout = mtod(mout, struct sctphdr *);
11238 		break;
11239 	}
11240 #if defined(INET) || defined(INET6)
11241 	if (port) {
11242 		if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
11243 			sctp_m_freem(mout);
11244 			return;
11245 		}
11246 		udp = (struct udphdr *)shout;
11247 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11248 		udp->uh_dport = port;
11249 		udp->uh_sum = 0;
11250 		udp->uh_ulen = htons((uint16_t)(sizeof(struct udphdr) +
11251 		    sizeof(struct sctphdr) +
11252 		    sizeof(struct sctp_chunkhdr) +
11253 		    cause_len + padding_len));
11254 		len += sizeof(struct udphdr);
11255 		shout = (struct sctphdr *)((caddr_t)shout + sizeof(struct udphdr));
11256 	} else {
11257 		udp = NULL;
11258 	}
11259 #endif
11260 	shout->src_port = sh->dest_port;
11261 	shout->dest_port = sh->src_port;
11262 	shout->checksum = 0;
11263 	if (vtag) {
11264 		shout->v_tag = htonl(vtag);
11265 	} else {
11266 		shout->v_tag = sh->v_tag;
11267 	}
11268 	len += sizeof(struct sctphdr);
11269 	ch = (struct sctp_chunkhdr *)((caddr_t)shout + sizeof(struct sctphdr));
11270 	ch->chunk_type = type;
11271 	if (vtag) {
11272 		ch->chunk_flags = 0;
11273 	} else {
11274 		ch->chunk_flags = SCTP_HAD_NO_TCB;
11275 	}
11276 	ch->chunk_length = htons((uint16_t)(sizeof(struct sctp_chunkhdr) + cause_len));
11277 	len += sizeof(struct sctp_chunkhdr);
11278 	len += cause_len + padding_len;
11279 
11280 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11281 		sctp_m_freem(mout);
11282 		return;
11283 	}
11284 	SCTP_ATTACH_CHAIN(o_pak, mout, len);
11285 	switch (dst->sa_family) {
11286 #ifdef INET
11287 	case AF_INET:
11288 		if (port) {
11289 			if (V_udp_cksum) {
11290 				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11291 			} else {
11292 				udp->uh_sum = 0;
11293 			}
11294 		}
11295 		ip->ip_len = htons(len);
11296 		if (port) {
11297 			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip) + sizeof(struct udphdr));
11298 			SCTP_STAT_INCR(sctps_sendswcrc);
11299 			if (V_udp_cksum) {
11300 				SCTP_ENABLE_UDP_CSUM(o_pak);
11301 			}
11302 		} else {
11303 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11304 			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11305 			SCTP_STAT_INCR(sctps_sendhwcrc);
11306 		}
11307 #ifdef SCTP_PACKET_LOGGING
11308 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11309 			sctp_packet_log(o_pak);
11310 		}
11311 #endif
11312 		SCTP_PROBE5(send, NULL, NULL, ip, NULL, shout);
11313 		SCTP_IP_OUTPUT(ret, o_pak, NULL, NULL, vrf_id);
11314 		break;
11315 #endif
11316 #ifdef INET6
11317 	case AF_INET6:
11318 		ip6->ip6_plen = htons((uint16_t)(len - sizeof(struct ip6_hdr)));
11319 		if (port) {
11320 			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11321 			SCTP_STAT_INCR(sctps_sendswcrc);
11322 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11323 				udp->uh_sum = 0xffff;
11324 			}
11325 		} else {
11326 			mout->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
11327 			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11328 			SCTP_STAT_INCR(sctps_sendhwcrc);
11329 		}
11330 #ifdef SCTP_PACKET_LOGGING
11331 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11332 			sctp_packet_log(o_pak);
11333 		}
11334 #endif
11335 		SCTP_PROBE5(send, NULL, NULL, ip6, NULL, shout);
11336 		SCTP_IP6_OUTPUT(ret, o_pak, NULL, NULL, NULL, vrf_id);
11337 		break;
11338 #endif
11339 	default:
11340 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
11341 		    dst->sa_family);
11342 		sctp_m_freem(mout);
11343 		SCTP_LTRACE_ERR_RET_PKT(mout, NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
11344 		return;
11345 	}
11346 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
11347 	if (port) {
11348 		UDPSTAT_INC(udps_opackets);
11349 	}
11350 	SCTP_STAT_INCR(sctps_sendpackets);
11351 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11352 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11353 	if (ret) {
11354 		SCTP_STAT_INCR(sctps_senderrors);
11355 	}
11356 	return;
11357 }
11358 
11359 void
11360 sctp_send_shutdown_complete2(struct sockaddr *src, struct sockaddr *dst,
11361     struct sctphdr *sh,
11362     uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
11363     uint32_t vrf_id, uint16_t port)
11364 {
11365 	sctp_send_resp_msg(src, dst, sh, 0, SCTP_SHUTDOWN_COMPLETE, NULL,
11366 	    mflowtype, mflowid, fibnum,
11367 	    vrf_id, port);
11368 }
11369 
11370 void
11371 sctp_send_hb(struct sctp_tcb *stcb, struct sctp_nets *net, int so_locked)
11372 {
11373 	struct sctp_tmit_chunk *chk;
11374 	struct sctp_heartbeat_chunk *hb;
11375 	struct timeval now;
11376 
11377 	SCTP_TCB_LOCK_ASSERT(stcb);
11378 	if (net == NULL) {
11379 		return;
11380 	}
11381 	(void)SCTP_GETTIME_TIMEVAL(&now);
11382 	switch (net->ro._l_addr.sa.sa_family) {
11383 #ifdef INET
11384 	case AF_INET:
11385 		break;
11386 #endif
11387 #ifdef INET6
11388 	case AF_INET6:
11389 		break;
11390 #endif
11391 	default:
11392 		return;
11393 	}
11394 	sctp_alloc_a_chunk(stcb, chk);
11395 	if (chk == NULL) {
11396 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak, can't get a chunk for hb\n");
11397 		return;
11398 	}
11399 
11400 	chk->copy_by_ref = 0;
11401 	chk->rec.chunk_id.id = SCTP_HEARTBEAT_REQUEST;
11402 	chk->rec.chunk_id.can_take_data = 1;
11403 	chk->flags = 0;
11404 	chk->asoc = &stcb->asoc;
11405 	chk->send_size = sizeof(struct sctp_heartbeat_chunk);
11406 
11407 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11408 	if (chk->data == NULL) {
11409 		sctp_free_a_chunk(stcb, chk, so_locked);
11410 		return;
11411 	}
11412 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11413 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11414 	chk->sent = SCTP_DATAGRAM_UNSENT;
11415 	chk->snd_count = 0;
11416 	chk->whoTo = net;
11417 	atomic_add_int(&chk->whoTo->ref_count, 1);
11418 	/* Now we have a mbuf that we can fill in with the details */
11419 	hb = mtod(chk->data, struct sctp_heartbeat_chunk *);
11420 	memset(hb, 0, sizeof(struct sctp_heartbeat_chunk));
11421 	/* fill out chunk header */
11422 	hb->ch.chunk_type = SCTP_HEARTBEAT_REQUEST;
11423 	hb->ch.chunk_flags = 0;
11424 	hb->ch.chunk_length = htons(chk->send_size);
11425 	/* Fill out hb parameter */
11426 	hb->heartbeat.hb_info.ph.param_type = htons(SCTP_HEARTBEAT_INFO);
11427 	hb->heartbeat.hb_info.ph.param_length = htons(sizeof(struct sctp_heartbeat_info_param));
11428 	hb->heartbeat.hb_info.time_value_1 = now.tv_sec;
11429 	hb->heartbeat.hb_info.time_value_2 = now.tv_usec;
11430 	/* Did our user request this one, put it in */
11431 	hb->heartbeat.hb_info.addr_family = (uint8_t)net->ro._l_addr.sa.sa_family;
11432 	hb->heartbeat.hb_info.addr_len = net->ro._l_addr.sa.sa_len;
11433 	if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
11434 		/*
11435 		 * we only take from the entropy pool if the address is not
11436 		 * confirmed.
11437 		 */
11438 		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11439 		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11440 	} else {
11441 		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = 0;
11442 		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = 0;
11443 	}
11444 	switch (net->ro._l_addr.sa.sa_family) {
11445 #ifdef INET
11446 	case AF_INET:
11447 		memcpy(hb->heartbeat.hb_info.address,
11448 		    &net->ro._l_addr.sin.sin_addr,
11449 		    sizeof(net->ro._l_addr.sin.sin_addr));
11450 		break;
11451 #endif
11452 #ifdef INET6
11453 	case AF_INET6:
11454 		memcpy(hb->heartbeat.hb_info.address,
11455 		    &net->ro._l_addr.sin6.sin6_addr,
11456 		    sizeof(net->ro._l_addr.sin6.sin6_addr));
11457 		break;
11458 #endif
11459 	default:
11460 		if (chk->data) {
11461 			sctp_m_freem(chk->data);
11462 			chk->data = NULL;
11463 		}
11464 		sctp_free_a_chunk(stcb, chk, so_locked);
11465 		return;
11466 		break;
11467 	}
11468 	net->hb_responded = 0;
11469 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11470 	stcb->asoc.ctrl_queue_cnt++;
11471 	SCTP_STAT_INCR(sctps_sendheartbeat);
11472 	return;
11473 }
11474 
11475 void
11476 sctp_send_ecn_echo(struct sctp_tcb *stcb, struct sctp_nets *net,
11477     uint32_t high_tsn)
11478 {
11479 	struct sctp_association *asoc;
11480 	struct sctp_ecne_chunk *ecne;
11481 	struct sctp_tmit_chunk *chk;
11482 
11483 	if (net == NULL) {
11484 		return;
11485 	}
11486 	asoc = &stcb->asoc;
11487 	SCTP_TCB_LOCK_ASSERT(stcb);
11488 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11489 		if ((chk->rec.chunk_id.id == SCTP_ECN_ECHO) && (net == chk->whoTo)) {
11490 			/* found a previous ECN_ECHO update it if needed */
11491 			uint32_t cnt, ctsn;
11492 
11493 			ecne = mtod(chk->data, struct sctp_ecne_chunk *);
11494 			ctsn = ntohl(ecne->tsn);
11495 			if (SCTP_TSN_GT(high_tsn, ctsn)) {
11496 				ecne->tsn = htonl(high_tsn);
11497 				SCTP_STAT_INCR(sctps_queue_upd_ecne);
11498 			}
11499 			cnt = ntohl(ecne->num_pkts_since_cwr);
11500 			cnt++;
11501 			ecne->num_pkts_since_cwr = htonl(cnt);
11502 			return;
11503 		}
11504 	}
11505 	/* nope could not find one to update so we must build one */
11506 	sctp_alloc_a_chunk(stcb, chk);
11507 	if (chk == NULL) {
11508 		return;
11509 	}
11510 	SCTP_STAT_INCR(sctps_queue_upd_ecne);
11511 	chk->copy_by_ref = 0;
11512 	chk->rec.chunk_id.id = SCTP_ECN_ECHO;
11513 	chk->rec.chunk_id.can_take_data = 0;
11514 	chk->flags = 0;
11515 	chk->asoc = &stcb->asoc;
11516 	chk->send_size = sizeof(struct sctp_ecne_chunk);
11517 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11518 	if (chk->data == NULL) {
11519 		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11520 		return;
11521 	}
11522 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11523 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11524 	chk->sent = SCTP_DATAGRAM_UNSENT;
11525 	chk->snd_count = 0;
11526 	chk->whoTo = net;
11527 	atomic_add_int(&chk->whoTo->ref_count, 1);
11528 
11529 	stcb->asoc.ecn_echo_cnt_onq++;
11530 	ecne = mtod(chk->data, struct sctp_ecne_chunk *);
11531 	ecne->ch.chunk_type = SCTP_ECN_ECHO;
11532 	ecne->ch.chunk_flags = 0;
11533 	ecne->ch.chunk_length = htons(sizeof(struct sctp_ecne_chunk));
11534 	ecne->tsn = htonl(high_tsn);
11535 	ecne->num_pkts_since_cwr = htonl(1);
11536 	TAILQ_INSERT_HEAD(&stcb->asoc.control_send_queue, chk, sctp_next);
11537 	asoc->ctrl_queue_cnt++;
11538 }
11539 
11540 void
11541 sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
11542     struct mbuf *m, int len, int iphlen, int bad_crc)
11543 {
11544 	struct sctp_association *asoc;
11545 	struct sctp_pktdrop_chunk *drp;
11546 	struct sctp_tmit_chunk *chk;
11547 	uint8_t *datap;
11548 	int was_trunc = 0;
11549 	int fullsz = 0;
11550 	long spc;
11551 	int offset;
11552 	struct sctp_chunkhdr *ch, chunk_buf;
11553 	unsigned int chk_length;
11554 
11555 	if (!stcb) {
11556 		return;
11557 	}
11558 	asoc = &stcb->asoc;
11559 	SCTP_TCB_LOCK_ASSERT(stcb);
11560 	if (asoc->pktdrop_supported == 0) {
11561 		/*-
11562 		 * peer must declare support before I send one.
11563 		 */
11564 		return;
11565 	}
11566 	if (stcb->sctp_socket == NULL) {
11567 		return;
11568 	}
11569 	sctp_alloc_a_chunk(stcb, chk);
11570 	if (chk == NULL) {
11571 		return;
11572 	}
11573 	chk->copy_by_ref = 0;
11574 	chk->rec.chunk_id.id = SCTP_PACKET_DROPPED;
11575 	chk->rec.chunk_id.can_take_data = 1;
11576 	chk->flags = 0;
11577 	len -= iphlen;
11578 	chk->send_size = len;
11579 	/* Validate that we do not have an ABORT in here. */
11580 	offset = iphlen + sizeof(struct sctphdr);
11581 	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
11582 	    sizeof(*ch), (uint8_t *)&chunk_buf);
11583 	while (ch != NULL) {
11584 		chk_length = ntohs(ch->chunk_length);
11585 		if (chk_length < sizeof(*ch)) {
11586 			/* break to abort land */
11587 			break;
11588 		}
11589 		switch (ch->chunk_type) {
11590 		case SCTP_PACKET_DROPPED:
11591 		case SCTP_ABORT_ASSOCIATION:
11592 		case SCTP_INITIATION_ACK:
11593 			/**
11594 			 * We don't respond with an PKT-DROP to an ABORT
11595 			 * or PKT-DROP. We also do not respond to an
11596 			 * INIT-ACK, because we can't know if the initiation
11597 			 * tag is correct or not.
11598 			 */
11599 			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11600 			return;
11601 		default:
11602 			break;
11603 		}
11604 		offset += SCTP_SIZE32(chk_length);
11605 		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
11606 		    sizeof(*ch), (uint8_t *)&chunk_buf);
11607 	}
11608 
11609 	if ((len + SCTP_MAX_OVERHEAD + sizeof(struct sctp_pktdrop_chunk)) >
11610 	    min(stcb->asoc.smallest_mtu, MCLBYTES)) {
11611 		/*
11612 		 * only send 1 mtu worth, trim off the excess on the end.
11613 		 */
11614 		fullsz = len;
11615 		len = min(stcb->asoc.smallest_mtu, MCLBYTES) - SCTP_MAX_OVERHEAD;
11616 		was_trunc = 1;
11617 	}
11618 	chk->asoc = &stcb->asoc;
11619 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
11620 	if (chk->data == NULL) {
11621 jump_out:
11622 		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11623 		return;
11624 	}
11625 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11626 	drp = mtod(chk->data, struct sctp_pktdrop_chunk *);
11627 	if (drp == NULL) {
11628 		sctp_m_freem(chk->data);
11629 		chk->data = NULL;
11630 		goto jump_out;
11631 	}
11632 	chk->book_size = SCTP_SIZE32((chk->send_size + sizeof(struct sctp_pktdrop_chunk) +
11633 	    sizeof(struct sctphdr) + SCTP_MED_OVERHEAD));
11634 	chk->book_size_scale = 0;
11635 	if (was_trunc) {
11636 		drp->ch.chunk_flags = SCTP_PACKET_TRUNCATED;
11637 		drp->trunc_len = htons(fullsz);
11638 		/*
11639 		 * Len is already adjusted to size minus overhead above take
11640 		 * out the pkt_drop chunk itself from it.
11641 		 */
11642 		chk->send_size = (uint16_t)(len - sizeof(struct sctp_pktdrop_chunk));
11643 		len = chk->send_size;
11644 	} else {
11645 		/* no truncation needed */
11646 		drp->ch.chunk_flags = 0;
11647 		drp->trunc_len = htons(0);
11648 	}
11649 	if (bad_crc) {
11650 		drp->ch.chunk_flags |= SCTP_BADCRC;
11651 	}
11652 	chk->send_size += sizeof(struct sctp_pktdrop_chunk);
11653 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11654 	chk->sent = SCTP_DATAGRAM_UNSENT;
11655 	chk->snd_count = 0;
11656 	if (net) {
11657 		/* we should hit here */
11658 		chk->whoTo = net;
11659 		atomic_add_int(&chk->whoTo->ref_count, 1);
11660 	} else {
11661 		chk->whoTo = NULL;
11662 	}
11663 	drp->ch.chunk_type = SCTP_PACKET_DROPPED;
11664 	drp->ch.chunk_length = htons(chk->send_size);
11665 	spc = SCTP_SB_LIMIT_RCV(stcb->sctp_socket);
11666 	if (spc < 0) {
11667 		spc = 0;
11668 	}
11669 	drp->bottle_bw = htonl(spc);
11670 	if (asoc->my_rwnd) {
11671 		drp->current_onq = htonl(asoc->size_on_reasm_queue +
11672 		    asoc->size_on_all_streams +
11673 		    asoc->my_rwnd_control_len +
11674 		    SCTP_SBAVAIL(&stcb->sctp_socket->so_rcv));
11675 	} else {
11676 		/*-
11677 		 * If my rwnd is 0, possibly from mbuf depletion as well as
11678 		 * space used, tell the peer there is NO space aka onq == bw
11679 		 */
11680 		drp->current_onq = htonl(spc);
11681 	}
11682 	drp->reserved = 0;
11683 	datap = drp->data;
11684 	m_copydata(m, iphlen, len, (caddr_t)datap);
11685 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11686 	asoc->ctrl_queue_cnt++;
11687 }
11688 
11689 void
11690 sctp_send_cwr(struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t high_tsn, uint8_t override)
11691 {
11692 	struct sctp_association *asoc;
11693 	struct sctp_cwr_chunk *cwr;
11694 	struct sctp_tmit_chunk *chk;
11695 
11696 	SCTP_TCB_LOCK_ASSERT(stcb);
11697 	if (net == NULL) {
11698 		return;
11699 	}
11700 	asoc = &stcb->asoc;
11701 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11702 		if ((chk->rec.chunk_id.id == SCTP_ECN_CWR) && (net == chk->whoTo)) {
11703 			/*
11704 			 * found a previous CWR queued to same destination
11705 			 * update it if needed
11706 			 */
11707 			uint32_t ctsn;
11708 
11709 			cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11710 			ctsn = ntohl(cwr->tsn);
11711 			if (SCTP_TSN_GT(high_tsn, ctsn)) {
11712 				cwr->tsn = htonl(high_tsn);
11713 			}
11714 			if (override & SCTP_CWR_REDUCE_OVERRIDE) {
11715 				/* Make sure override is carried */
11716 				cwr->ch.chunk_flags |= SCTP_CWR_REDUCE_OVERRIDE;
11717 			}
11718 			return;
11719 		}
11720 	}
11721 	sctp_alloc_a_chunk(stcb, chk);
11722 	if (chk == NULL) {
11723 		return;
11724 	}
11725 	chk->copy_by_ref = 0;
11726 	chk->rec.chunk_id.id = SCTP_ECN_CWR;
11727 	chk->rec.chunk_id.can_take_data = 1;
11728 	chk->flags = 0;
11729 	chk->asoc = asoc;
11730 	chk->send_size = sizeof(struct sctp_cwr_chunk);
11731 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11732 	if (chk->data == NULL) {
11733 		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11734 		return;
11735 	}
11736 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11737 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11738 	chk->sent = SCTP_DATAGRAM_UNSENT;
11739 	chk->snd_count = 0;
11740 	chk->whoTo = net;
11741 	atomic_add_int(&chk->whoTo->ref_count, 1);
11742 	cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11743 	cwr->ch.chunk_type = SCTP_ECN_CWR;
11744 	cwr->ch.chunk_flags = override;
11745 	cwr->ch.chunk_length = htons(sizeof(struct sctp_cwr_chunk));
11746 	cwr->tsn = htonl(high_tsn);
11747 	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
11748 	asoc->ctrl_queue_cnt++;
11749 }
11750 
11751 static int
11752 sctp_add_stream_reset_out(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
11753     uint32_t seq, uint32_t resp_seq, uint32_t last_sent)
11754 {
11755 	uint16_t len, old_len, i;
11756 	struct sctp_stream_reset_out_request *req_out;
11757 	struct sctp_chunkhdr *ch;
11758 	int at;
11759 	int number_entries = 0;
11760 
11761 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11762 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11763 	/* get to new offset for the param. */
11764 	req_out = (struct sctp_stream_reset_out_request *)((caddr_t)ch + len);
11765 	/* now how long will this param be? */
11766 	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11767 		if ((stcb->asoc.strmout[i].state == SCTP_STREAM_RESET_PENDING) &&
11768 		    (stcb->asoc.strmout[i].chunks_on_queues == 0) &&
11769 		    TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
11770 			number_entries++;
11771 		}
11772 	}
11773 	if (number_entries == 0) {
11774 		return (0);
11775 	}
11776 	if (number_entries == stcb->asoc.streamoutcnt) {
11777 		number_entries = 0;
11778 	}
11779 	if (number_entries > SCTP_MAX_STREAMS_AT_ONCE_RESET) {
11780 		number_entries = SCTP_MAX_STREAMS_AT_ONCE_RESET;
11781 	}
11782 	len = (uint16_t)(sizeof(struct sctp_stream_reset_out_request) + (sizeof(uint16_t) * number_entries));
11783 	req_out->ph.param_type = htons(SCTP_STR_RESET_OUT_REQUEST);
11784 	req_out->ph.param_length = htons(len);
11785 	req_out->request_seq = htonl(seq);
11786 	req_out->response_seq = htonl(resp_seq);
11787 	req_out->send_reset_at_tsn = htonl(last_sent);
11788 	at = 0;
11789 	if (number_entries) {
11790 		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11791 			if ((stcb->asoc.strmout[i].state == SCTP_STREAM_RESET_PENDING) &&
11792 			    (stcb->asoc.strmout[i].chunks_on_queues == 0) &&
11793 			    TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
11794 				req_out->list_of_streams[at] = htons(i);
11795 				at++;
11796 				stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_IN_FLIGHT;
11797 				if (at >= number_entries) {
11798 					break;
11799 				}
11800 			}
11801 		}
11802 	} else {
11803 		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11804 			stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_IN_FLIGHT;
11805 		}
11806 	}
11807 	if (SCTP_SIZE32(len) > len) {
11808 		/*-
11809 		 * Need to worry about the pad we may end up adding to the
11810 		 * end. This is easy since the struct is either aligned to 4
11811 		 * bytes or 2 bytes off.
11812 		 */
11813 		req_out->list_of_streams[number_entries] = 0;
11814 	}
11815 	/* now fix the chunk length */
11816 	ch->chunk_length = htons(len + old_len);
11817 	chk->book_size = len + old_len;
11818 	chk->book_size_scale = 0;
11819 	chk->send_size = SCTP_SIZE32(chk->book_size);
11820 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11821 	return (1);
11822 }
11823 
11824 static void
11825 sctp_add_stream_reset_in(struct sctp_tmit_chunk *chk,
11826     int number_entries, uint16_t *list,
11827     uint32_t seq)
11828 {
11829 	uint16_t len, old_len, i;
11830 	struct sctp_stream_reset_in_request *req_in;
11831 	struct sctp_chunkhdr *ch;
11832 
11833 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11834 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11835 
11836 	/* get to new offset for the param. */
11837 	req_in = (struct sctp_stream_reset_in_request *)((caddr_t)ch + len);
11838 	/* now how long will this param be? */
11839 	len = (uint16_t)(sizeof(struct sctp_stream_reset_in_request) + (sizeof(uint16_t) * number_entries));
11840 	req_in->ph.param_type = htons(SCTP_STR_RESET_IN_REQUEST);
11841 	req_in->ph.param_length = htons(len);
11842 	req_in->request_seq = htonl(seq);
11843 	if (number_entries) {
11844 		for (i = 0; i < number_entries; i++) {
11845 			req_in->list_of_streams[i] = htons(list[i]);
11846 		}
11847 	}
11848 	if (SCTP_SIZE32(len) > len) {
11849 		/*-
11850 		 * Need to worry about the pad we may end up adding to the
11851 		 * end. This is easy since the struct is either aligned to 4
11852 		 * bytes or 2 bytes off.
11853 		 */
11854 		req_in->list_of_streams[number_entries] = 0;
11855 	}
11856 	/* now fix the chunk length */
11857 	ch->chunk_length = htons(len + old_len);
11858 	chk->book_size = len + old_len;
11859 	chk->book_size_scale = 0;
11860 	chk->send_size = SCTP_SIZE32(chk->book_size);
11861 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11862 	return;
11863 }
11864 
11865 static void
11866 sctp_add_stream_reset_tsn(struct sctp_tmit_chunk *chk,
11867     uint32_t seq)
11868 {
11869 	uint16_t len, old_len;
11870 	struct sctp_stream_reset_tsn_request *req_tsn;
11871 	struct sctp_chunkhdr *ch;
11872 
11873 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11874 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11875 
11876 	/* get to new offset for the param. */
11877 	req_tsn = (struct sctp_stream_reset_tsn_request *)((caddr_t)ch + len);
11878 	/* now how long will this param be? */
11879 	len = sizeof(struct sctp_stream_reset_tsn_request);
11880 	req_tsn->ph.param_type = htons(SCTP_STR_RESET_TSN_REQUEST);
11881 	req_tsn->ph.param_length = htons(len);
11882 	req_tsn->request_seq = htonl(seq);
11883 
11884 	/* now fix the chunk length */
11885 	ch->chunk_length = htons(len + old_len);
11886 	chk->send_size = len + old_len;
11887 	chk->book_size = SCTP_SIZE32(chk->send_size);
11888 	chk->book_size_scale = 0;
11889 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11890 	return;
11891 }
11892 
11893 void
11894 sctp_add_stream_reset_result(struct sctp_tmit_chunk *chk,
11895     uint32_t resp_seq, uint32_t result)
11896 {
11897 	uint16_t len, old_len;
11898 	struct sctp_stream_reset_response *resp;
11899 	struct sctp_chunkhdr *ch;
11900 
11901 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11902 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11903 
11904 	/* get to new offset for the param. */
11905 	resp = (struct sctp_stream_reset_response *)((caddr_t)ch + len);
11906 	/* now how long will this param be? */
11907 	len = sizeof(struct sctp_stream_reset_response);
11908 	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11909 	resp->ph.param_length = htons(len);
11910 	resp->response_seq = htonl(resp_seq);
11911 	resp->result = ntohl(result);
11912 
11913 	/* now fix the chunk length */
11914 	ch->chunk_length = htons(len + old_len);
11915 	chk->book_size = len + old_len;
11916 	chk->book_size_scale = 0;
11917 	chk->send_size = SCTP_SIZE32(chk->book_size);
11918 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11919 	return;
11920 }
11921 
11922 void
11923 sctp_send_deferred_reset_response(struct sctp_tcb *stcb,
11924     struct sctp_stream_reset_list *ent,
11925     int response)
11926 {
11927 	struct sctp_association *asoc;
11928 	struct sctp_tmit_chunk *chk;
11929 	struct sctp_chunkhdr *ch;
11930 
11931 	asoc = &stcb->asoc;
11932 
11933 	/*
11934 	 * Reset our last reset action to the new one IP -> response
11935 	 * (PERFORMED probably). This assures that if we fail to send, a
11936 	 * retran from the peer will get the new response.
11937 	 */
11938 	asoc->last_reset_action[0] = response;
11939 	if (asoc->stream_reset_outstanding) {
11940 		return;
11941 	}
11942 	sctp_alloc_a_chunk(stcb, chk);
11943 	if (chk == NULL) {
11944 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11945 		return;
11946 	}
11947 	chk->copy_by_ref = 0;
11948 	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
11949 	chk->rec.chunk_id.can_take_data = 0;
11950 	chk->flags = 0;
11951 	chk->asoc = &stcb->asoc;
11952 	chk->book_size = sizeof(struct sctp_chunkhdr);
11953 	chk->send_size = SCTP_SIZE32(chk->book_size);
11954 	chk->book_size_scale = 0;
11955 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
11956 	if (chk->data == NULL) {
11957 		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
11958 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11959 		return;
11960 	}
11961 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11962 	/* setup chunk parameters */
11963 	chk->sent = SCTP_DATAGRAM_UNSENT;
11964 	chk->snd_count = 0;
11965 	if (stcb->asoc.alternate) {
11966 		chk->whoTo = stcb->asoc.alternate;
11967 	} else {
11968 		chk->whoTo = stcb->asoc.primary_destination;
11969 	}
11970 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11971 	ch->chunk_type = SCTP_STREAM_RESET;
11972 	ch->chunk_flags = 0;
11973 	ch->chunk_length = htons(chk->book_size);
11974 	atomic_add_int(&chk->whoTo->ref_count, 1);
11975 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11976 	sctp_add_stream_reset_result(chk, ent->seq, response);
11977 	/* insert the chunk for sending */
11978 	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
11979 	    chk,
11980 	    sctp_next);
11981 	asoc->ctrl_queue_cnt++;
11982 }
11983 
11984 void
11985 sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *chk,
11986     uint32_t resp_seq, uint32_t result,
11987     uint32_t send_una, uint32_t recv_next)
11988 {
11989 	uint16_t len, old_len;
11990 	struct sctp_stream_reset_response_tsn *resp;
11991 	struct sctp_chunkhdr *ch;
11992 
11993 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11994 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11995 
11996 	/* get to new offset for the param. */
11997 	resp = (struct sctp_stream_reset_response_tsn *)((caddr_t)ch + len);
11998 	/* now how long will this param be? */
11999 	len = sizeof(struct sctp_stream_reset_response_tsn);
12000 	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
12001 	resp->ph.param_length = htons(len);
12002 	resp->response_seq = htonl(resp_seq);
12003 	resp->result = htonl(result);
12004 	resp->senders_next_tsn = htonl(send_una);
12005 	resp->receivers_next_tsn = htonl(recv_next);
12006 
12007 	/* now fix the chunk length */
12008 	ch->chunk_length = htons(len + old_len);
12009 	chk->book_size = len + old_len;
12010 	chk->send_size = SCTP_SIZE32(chk->book_size);
12011 	chk->book_size_scale = 0;
12012 	SCTP_BUF_LEN(chk->data) = chk->send_size;
12013 	return;
12014 }
12015 
12016 static void
12017 sctp_add_an_out_stream(struct sctp_tmit_chunk *chk,
12018     uint32_t seq,
12019     uint16_t adding)
12020 {
12021 	uint16_t len, old_len;
12022 	struct sctp_chunkhdr *ch;
12023 	struct sctp_stream_reset_add_strm *addstr;
12024 
12025 	ch = mtod(chk->data, struct sctp_chunkhdr *);
12026 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12027 
12028 	/* get to new offset for the param. */
12029 	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
12030 	/* now how long will this param be? */
12031 	len = sizeof(struct sctp_stream_reset_add_strm);
12032 
12033 	/* Fill it out. */
12034 	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_OUT_STREAMS);
12035 	addstr->ph.param_length = htons(len);
12036 	addstr->request_seq = htonl(seq);
12037 	addstr->number_of_streams = htons(adding);
12038 	addstr->reserved = 0;
12039 
12040 	/* now fix the chunk length */
12041 	ch->chunk_length = htons(len + old_len);
12042 	chk->send_size = len + old_len;
12043 	chk->book_size = SCTP_SIZE32(chk->send_size);
12044 	chk->book_size_scale = 0;
12045 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
12046 	return;
12047 }
12048 
12049 static void
12050 sctp_add_an_in_stream(struct sctp_tmit_chunk *chk,
12051     uint32_t seq,
12052     uint16_t adding)
12053 {
12054 	uint16_t len, old_len;
12055 	struct sctp_chunkhdr *ch;
12056 	struct sctp_stream_reset_add_strm *addstr;
12057 
12058 	ch = mtod(chk->data, struct sctp_chunkhdr *);
12059 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12060 
12061 	/* get to new offset for the param. */
12062 	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
12063 	/* now how long will this param be? */
12064 	len = sizeof(struct sctp_stream_reset_add_strm);
12065 	/* Fill it out. */
12066 	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_IN_STREAMS);
12067 	addstr->ph.param_length = htons(len);
12068 	addstr->request_seq = htonl(seq);
12069 	addstr->number_of_streams = htons(adding);
12070 	addstr->reserved = 0;
12071 
12072 	/* now fix the chunk length */
12073 	ch->chunk_length = htons(len + old_len);
12074 	chk->send_size = len + old_len;
12075 	chk->book_size = SCTP_SIZE32(chk->send_size);
12076 	chk->book_size_scale = 0;
12077 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
12078 	return;
12079 }
12080 
12081 int
12082 sctp_send_stream_reset_out_if_possible(struct sctp_tcb *stcb, int so_locked)
12083 {
12084 	struct sctp_association *asoc;
12085 	struct sctp_tmit_chunk *chk;
12086 	struct sctp_chunkhdr *ch;
12087 	uint32_t seq;
12088 
12089 	asoc = &stcb->asoc;
12090 	asoc->trigger_reset = 0;
12091 	if (asoc->stream_reset_outstanding) {
12092 		return (EALREADY);
12093 	}
12094 	sctp_alloc_a_chunk(stcb, chk);
12095 	if (chk == NULL) {
12096 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12097 		return (ENOMEM);
12098 	}
12099 	chk->copy_by_ref = 0;
12100 	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
12101 	chk->rec.chunk_id.can_take_data = 0;
12102 	chk->flags = 0;
12103 	chk->asoc = &stcb->asoc;
12104 	chk->book_size = sizeof(struct sctp_chunkhdr);
12105 	chk->send_size = SCTP_SIZE32(chk->book_size);
12106 	chk->book_size_scale = 0;
12107 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
12108 	if (chk->data == NULL) {
12109 		sctp_free_a_chunk(stcb, chk, so_locked);
12110 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12111 		return (ENOMEM);
12112 	}
12113 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12114 
12115 	/* setup chunk parameters */
12116 	chk->sent = SCTP_DATAGRAM_UNSENT;
12117 	chk->snd_count = 0;
12118 	if (stcb->asoc.alternate) {
12119 		chk->whoTo = stcb->asoc.alternate;
12120 	} else {
12121 		chk->whoTo = stcb->asoc.primary_destination;
12122 	}
12123 	ch = mtod(chk->data, struct sctp_chunkhdr *);
12124 	ch->chunk_type = SCTP_STREAM_RESET;
12125 	ch->chunk_flags = 0;
12126 	ch->chunk_length = htons(chk->book_size);
12127 	atomic_add_int(&chk->whoTo->ref_count, 1);
12128 	SCTP_BUF_LEN(chk->data) = chk->send_size;
12129 	seq = stcb->asoc.str_reset_seq_out;
12130 	if (sctp_add_stream_reset_out(stcb, chk, seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1))) {
12131 		seq++;
12132 		asoc->stream_reset_outstanding++;
12133 	} else {
12134 		m_freem(chk->data);
12135 		chk->data = NULL;
12136 		sctp_free_a_chunk(stcb, chk, so_locked);
12137 		return (ENOENT);
12138 	}
12139 	asoc->str_reset = chk;
12140 	/* insert the chunk for sending */
12141 	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
12142 	    chk,
12143 	    sctp_next);
12144 	asoc->ctrl_queue_cnt++;
12145 
12146 	if (stcb->asoc.send_sack) {
12147 		sctp_send_sack(stcb, so_locked);
12148 	}
12149 	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
12150 	return (0);
12151 }
12152 
12153 int
12154 sctp_send_str_reset_req(struct sctp_tcb *stcb,
12155     uint16_t number_entries, uint16_t *list,
12156     uint8_t send_in_req,
12157     uint8_t send_tsn_req,
12158     uint8_t add_stream,
12159     uint16_t adding_o,
12160     uint16_t adding_i, uint8_t peer_asked)
12161 {
12162 	struct sctp_association *asoc;
12163 	struct sctp_tmit_chunk *chk;
12164 	struct sctp_chunkhdr *ch;
12165 	int can_send_out_req = 0;
12166 	uint32_t seq;
12167 
12168 	SCTP_TCB_LOCK_ASSERT(stcb);
12169 
12170 	asoc = &stcb->asoc;
12171 	if (asoc->stream_reset_outstanding) {
12172 		/*-
12173 		 * Already one pending, must get ACK back to clear the flag.
12174 		 */
12175 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EBUSY);
12176 		return (EBUSY);
12177 	}
12178 	if ((send_in_req == 0) && (send_tsn_req == 0) &&
12179 	    (add_stream == 0)) {
12180 		/* nothing to do */
12181 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12182 		return (EINVAL);
12183 	}
12184 	if (send_tsn_req && send_in_req) {
12185 		/* error, can't do that */
12186 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12187 		return (EINVAL);
12188 	} else if (send_in_req) {
12189 		can_send_out_req = 1;
12190 	}
12191 	if (number_entries > (MCLBYTES -
12192 	    SCTP_MIN_OVERHEAD -
12193 	    sizeof(struct sctp_chunkhdr) -
12194 	    sizeof(struct sctp_stream_reset_out_request)) /
12195 	    sizeof(uint16_t)) {
12196 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12197 		return (ENOMEM);
12198 	}
12199 	sctp_alloc_a_chunk(stcb, chk);
12200 	if (chk == NULL) {
12201 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12202 		return (ENOMEM);
12203 	}
12204 	chk->copy_by_ref = 0;
12205 	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
12206 	chk->rec.chunk_id.can_take_data = 0;
12207 	chk->flags = 0;
12208 	chk->asoc = &stcb->asoc;
12209 	chk->book_size = sizeof(struct sctp_chunkhdr);
12210 	chk->send_size = SCTP_SIZE32(chk->book_size);
12211 	chk->book_size_scale = 0;
12212 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
12213 	if (chk->data == NULL) {
12214 		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
12215 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12216 		return (ENOMEM);
12217 	}
12218 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12219 
12220 	/* setup chunk parameters */
12221 	chk->sent = SCTP_DATAGRAM_UNSENT;
12222 	chk->snd_count = 0;
12223 	if (stcb->asoc.alternate) {
12224 		chk->whoTo = stcb->asoc.alternate;
12225 	} else {
12226 		chk->whoTo = stcb->asoc.primary_destination;
12227 	}
12228 	atomic_add_int(&chk->whoTo->ref_count, 1);
12229 	ch = mtod(chk->data, struct sctp_chunkhdr *);
12230 	ch->chunk_type = SCTP_STREAM_RESET;
12231 	ch->chunk_flags = 0;
12232 	ch->chunk_length = htons(chk->book_size);
12233 	SCTP_BUF_LEN(chk->data) = chk->send_size;
12234 
12235 	seq = stcb->asoc.str_reset_seq_out;
12236 	if (can_send_out_req) {
12237 		int ret;
12238 
12239 		ret = sctp_add_stream_reset_out(stcb, chk, seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1));
12240 		if (ret) {
12241 			seq++;
12242 			asoc->stream_reset_outstanding++;
12243 		}
12244 	}
12245 	if ((add_stream & 1) &&
12246 	    ((stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt) < adding_o)) {
12247 		/* Need to allocate more */
12248 		struct sctp_stream_out *oldstream;
12249 		struct sctp_stream_queue_pending *sp, *nsp;
12250 		int i;
12251 #if defined(SCTP_DETAILED_STR_STATS)
12252 		int j;
12253 #endif
12254 
12255 		oldstream = stcb->asoc.strmout;
12256 		/* get some more */
12257 		SCTP_MALLOC(stcb->asoc.strmout, struct sctp_stream_out *,
12258 		    (stcb->asoc.streamoutcnt + adding_o) * sizeof(struct sctp_stream_out),
12259 		    SCTP_M_STRMO);
12260 		if (stcb->asoc.strmout == NULL) {
12261 			uint8_t x;
12262 
12263 			stcb->asoc.strmout = oldstream;
12264 			/* Turn off the bit */
12265 			x = add_stream & 0xfe;
12266 			add_stream = x;
12267 			goto skip_stuff;
12268 		}
12269 		/*
12270 		 * Ok now we proceed with copying the old out stuff and
12271 		 * initializing the new stuff.
12272 		 */
12273 		stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, false);
12274 		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
12275 			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12276 			/* FIX ME FIX ME */
12277 			/*
12278 			 * This should be a SS_COPY operation FIX ME STREAM
12279 			 * SCHEDULER EXPERT
12280 			 */
12281 			stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], &oldstream[i]);
12282 			stcb->asoc.strmout[i].chunks_on_queues = oldstream[i].chunks_on_queues;
12283 #if defined(SCTP_DETAILED_STR_STATS)
12284 			for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
12285 				stcb->asoc.strmout[i].abandoned_sent[j] = oldstream[i].abandoned_sent[j];
12286 				stcb->asoc.strmout[i].abandoned_unsent[j] = oldstream[i].abandoned_unsent[j];
12287 			}
12288 #else
12289 			stcb->asoc.strmout[i].abandoned_sent[0] = oldstream[i].abandoned_sent[0];
12290 			stcb->asoc.strmout[i].abandoned_unsent[0] = oldstream[i].abandoned_unsent[0];
12291 #endif
12292 			stcb->asoc.strmout[i].next_mid_ordered = oldstream[i].next_mid_ordered;
12293 			stcb->asoc.strmout[i].next_mid_unordered = oldstream[i].next_mid_unordered;
12294 			stcb->asoc.strmout[i].last_msg_incomplete = oldstream[i].last_msg_incomplete;
12295 			stcb->asoc.strmout[i].sid = i;
12296 			stcb->asoc.strmout[i].state = oldstream[i].state;
12297 			/* now anything on those queues? */
12298 			TAILQ_FOREACH_SAFE(sp, &oldstream[i].outqueue, next, nsp) {
12299 				TAILQ_REMOVE(&oldstream[i].outqueue, sp, next);
12300 				TAILQ_INSERT_TAIL(&stcb->asoc.strmout[i].outqueue, sp, next);
12301 			}
12302 		}
12303 		/* now the new streams */
12304 		stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc);
12305 		for (i = stcb->asoc.streamoutcnt; i < (stcb->asoc.streamoutcnt + adding_o); i++) {
12306 			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12307 			stcb->asoc.strmout[i].chunks_on_queues = 0;
12308 #if defined(SCTP_DETAILED_STR_STATS)
12309 			for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
12310 				stcb->asoc.strmout[i].abandoned_sent[j] = 0;
12311 				stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
12312 			}
12313 #else
12314 			stcb->asoc.strmout[i].abandoned_sent[0] = 0;
12315 			stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
12316 #endif
12317 			stcb->asoc.strmout[i].next_mid_ordered = 0;
12318 			stcb->asoc.strmout[i].next_mid_unordered = 0;
12319 			stcb->asoc.strmout[i].sid = i;
12320 			stcb->asoc.strmout[i].last_msg_incomplete = 0;
12321 			stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], NULL);
12322 			stcb->asoc.strmout[i].state = SCTP_STREAM_CLOSED;
12323 		}
12324 		stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt + adding_o;
12325 		SCTP_FREE(oldstream, SCTP_M_STRMO);
12326 	}
12327 skip_stuff:
12328 	if ((add_stream & 1) && (adding_o > 0)) {
12329 		asoc->strm_pending_add_size = adding_o;
12330 		asoc->peer_req_out = peer_asked;
12331 		sctp_add_an_out_stream(chk, seq, adding_o);
12332 		seq++;
12333 		asoc->stream_reset_outstanding++;
12334 	}
12335 	if ((add_stream & 2) && (adding_i > 0)) {
12336 		sctp_add_an_in_stream(chk, seq, adding_i);
12337 		seq++;
12338 		asoc->stream_reset_outstanding++;
12339 	}
12340 	if (send_in_req) {
12341 		sctp_add_stream_reset_in(chk, number_entries, list, seq);
12342 		seq++;
12343 		asoc->stream_reset_outstanding++;
12344 	}
12345 	if (send_tsn_req) {
12346 		sctp_add_stream_reset_tsn(chk, seq);
12347 		asoc->stream_reset_outstanding++;
12348 	}
12349 	asoc->str_reset = chk;
12350 	/* insert the chunk for sending */
12351 	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
12352 	    chk,
12353 	    sctp_next);
12354 	asoc->ctrl_queue_cnt++;
12355 	if (stcb->asoc.send_sack) {
12356 		sctp_send_sack(stcb, SCTP_SO_LOCKED);
12357 	}
12358 	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
12359 	return (0);
12360 }
12361 
12362 void
12363 sctp_send_abort(struct mbuf *m, int iphlen, struct sockaddr *src, struct sockaddr *dst,
12364     struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12365     uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
12366     uint32_t vrf_id, uint16_t port)
12367 {
12368 	/* Don't respond to an ABORT with an ABORT. */
12369 	if (sctp_is_there_an_abort_here(m, iphlen, &vtag)) {
12370 		if (cause)
12371 			sctp_m_freem(cause);
12372 		return;
12373 	}
12374 	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_ABORT_ASSOCIATION, cause,
12375 	    mflowtype, mflowid, fibnum,
12376 	    vrf_id, port);
12377 	return;
12378 }
12379 
12380 void
12381 sctp_send_operr_to(struct sockaddr *src, struct sockaddr *dst,
12382     struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12383     uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
12384     uint32_t vrf_id, uint16_t port)
12385 {
12386 	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_OPERATION_ERROR, cause,
12387 	    mflowtype, mflowid, fibnum,
12388 	    vrf_id, port);
12389 	return;
12390 }
12391 
12392 static struct mbuf *
12393 sctp_copy_resume(struct uio *uio,
12394     int max_send_len,
12395     int user_marks_eor,
12396     int *error,
12397     uint32_t *sndout,
12398     struct mbuf **new_tail)
12399 {
12400 	struct mbuf *m;
12401 
12402 	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
12403 	    (M_PKTHDR | (user_marks_eor ? M_EOR : 0)));
12404 	if (m == NULL) {
12405 		/* The only possible error is EFAULT. */
12406 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12407 		*error = EFAULT;
12408 	} else {
12409 		*sndout = m_length(m, NULL);
12410 		*new_tail = m_last(m);
12411 	}
12412 	return (m);
12413 }
12414 
12415 static int
12416 sctp_copy_one(struct sctp_stream_queue_pending *sp,
12417     struct uio *uio,
12418     int resv_upfront)
12419 {
12420 	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length, resv_upfront, 0);
12421 	if (sp->data == NULL) {
12422 		/* The only possible error is EFAULT. */
12423 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12424 		return (EFAULT);
12425 	}
12426 	sp->tail_mbuf = m_last(sp->data);
12427 	return (0);
12428 }
12429 
12430 static struct sctp_stream_queue_pending *
12431 sctp_copy_it_in(struct sctp_tcb *stcb,
12432     struct sctp_association *asoc,
12433     struct sctp_nonpad_sndrcvinfo *srcv,
12434     struct uio *uio,
12435     struct sctp_nets *net,
12436     ssize_t max_send_len,
12437     int user_marks_eor,
12438     int *error)
12439 {
12440 
12441 	/*-
12442 	 * This routine must be very careful in its work. Protocol
12443 	 * processing is up and running so care must be taken to spl...()
12444 	 * when you need to do something that may effect the stcb/asoc. The
12445 	 * sb is locked however. When data is copied the protocol processing
12446 	 * should be enabled since this is a slower operation...
12447 	 */
12448 	struct sctp_stream_queue_pending *sp;
12449 	int resv_in_first;
12450 
12451 	*error = 0;
12452 	sctp_alloc_a_strmoq(stcb, sp);
12453 	if (sp == NULL) {
12454 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12455 		*error = ENOMEM;
12456 		goto out_now;
12457 	}
12458 	sp->act_flags = 0;
12459 	sp->sender_all_done = 0;
12460 	sp->sinfo_flags = srcv->sinfo_flags;
12461 	sp->timetolive = srcv->sinfo_timetolive;
12462 	sp->ppid = srcv->sinfo_ppid;
12463 	sp->context = srcv->sinfo_context;
12464 	sp->fsn = 0;
12465 	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
12466 	sp->sid = srcv->sinfo_stream;
12467 	sp->length = (uint32_t)min(uio->uio_resid, max_send_len);
12468 	if ((sp->length == (uint32_t)uio->uio_resid) &&
12469 	    ((user_marks_eor == 0) ||
12470 	    (srcv->sinfo_flags & SCTP_EOF) ||
12471 	    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
12472 		sp->msg_is_complete = 1;
12473 	} else {
12474 		sp->msg_is_complete = 0;
12475 	}
12476 	sp->sender_all_done = 0;
12477 	sp->some_taken = 0;
12478 	sp->put_last_out = 0;
12479 	resv_in_first = SCTP_DATA_CHUNK_OVERHEAD(stcb);
12480 	sp->data = sp->tail_mbuf = NULL;
12481 	if (sp->length == 0) {
12482 		goto skip_copy;
12483 	}
12484 	if (srcv->sinfo_keynumber_valid) {
12485 		sp->auth_keyid = srcv->sinfo_keynumber;
12486 	} else {
12487 		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
12488 	}
12489 	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
12490 		sctp_auth_key_acquire(stcb, sp->auth_keyid);
12491 		sp->holds_key_ref = 1;
12492 	}
12493 	*error = sctp_copy_one(sp, uio, resv_in_first);
12494 skip_copy:
12495 	if (*error) {
12496 		sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
12497 		sp = NULL;
12498 	} else {
12499 		if (sp->sinfo_flags & SCTP_ADDR_OVER) {
12500 			sp->net = net;
12501 			atomic_add_int(&sp->net->ref_count, 1);
12502 		} else {
12503 			sp->net = NULL;
12504 		}
12505 		sctp_set_prsctp_policy(sp);
12506 	}
12507 out_now:
12508 	return (sp);
12509 }
12510 
12511 int
12512 sctp_sosend(struct socket *so,
12513     struct sockaddr *addr,
12514     struct uio *uio,
12515     struct mbuf *top,
12516     struct mbuf *control,
12517     int flags,
12518     struct thread *p)
12519 {
12520 	struct sctp_sndrcvinfo sndrcvninfo;
12521 #if defined(INET) && defined(INET6)
12522 	struct sockaddr_in sin;
12523 #endif
12524 	struct sockaddr *addr_to_use;
12525 	int error;
12526 	bool use_sndinfo;
12527 
12528 	if (control != NULL) {
12529 		/* process cmsg snd/rcv info (maybe a assoc-id) */
12530 		use_sndinfo = sctp_find_cmsg(SCTP_SNDRCV, (void *)&sndrcvninfo, control, sizeof(sndrcvninfo));
12531 	} else {
12532 		use_sndinfo = false;
12533 	}
12534 #if defined(INET) && defined(INET6)
12535 	if ((addr != NULL) && (addr->sa_family == AF_INET6)) {
12536 		struct sockaddr_in6 *sin6;
12537 
12538 		if (addr->sa_len != sizeof(struct sockaddr_in6)) {
12539 			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12540 			return (EINVAL);
12541 		}
12542 		sin6 = (struct sockaddr_in6 *)addr;
12543 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
12544 			in6_sin6_2_sin(&sin, sin6);
12545 			addr_to_use = (struct sockaddr *)&sin;
12546 		} else {
12547 			addr_to_use = addr;
12548 		}
12549 	} else {
12550 		addr_to_use = addr;
12551 	}
12552 #else
12553 	addr_to_use = addr;
12554 #endif
12555 	error = sctp_lower_sosend(so, addr_to_use, uio, top, control, flags,
12556 	    use_sndinfo ? &sndrcvninfo : NULL, p);
12557 	return (error);
12558 }
12559 
12560 int
12561 sctp_lower_sosend(struct socket *so,
12562     struct sockaddr *addr,
12563     struct uio *uio,
12564     struct mbuf *top,
12565     struct mbuf *control,
12566     int flags,
12567     struct sctp_sndrcvinfo *srcv,
12568     struct thread *p)
12569 {
12570 	struct sctp_nonpad_sndrcvinfo sndrcvninfo_buf;
12571 	struct epoch_tracker et;
12572 	struct timeval now;
12573 	struct sctp_block_entry be;
12574 	struct sctp_inpcb *inp;
12575 	struct sctp_tcb *stcb = NULL;
12576 	struct sctp_nets *net;
12577 	struct sctp_association *asoc;
12578 	struct sctp_inpcb *t_inp;
12579 	struct sctp_nonpad_sndrcvinfo *sndrcvninfo;
12580 	ssize_t sndlen = 0, max_len, local_add_more;
12581 	ssize_t local_soresv = 0;
12582 	sctp_assoc_t sinfo_assoc_id;
12583 	int user_marks_eor;
12584 	int nagle_applies = 0;
12585 	int error;
12586 	int queue_only = 0, queue_only_for_init = 0;
12587 	int un_sent;
12588 	int now_filled = 0;
12589 	unsigned int inqueue_bytes = 0;
12590 	uint16_t port;
12591 	uint16_t sinfo_flags;
12592 	uint16_t sinfo_stream;
12593 	bool create_lock_applied = false;
12594 	bool free_cnt_applied = false;
12595 	bool some_on_control;
12596 	bool got_all_of_the_send = false;
12597 	bool non_blocking = false;
12598 
12599 	error = 0;
12600 	net = NULL;
12601 	stcb = NULL;
12602 
12603 	if ((uio == NULL) && (top == NULL)) {
12604 		error = EINVAL;
12605 		goto out_unlocked;
12606 	}
12607 	if (addr != NULL) {
12608 		union sctp_sockstore *raddr = (union sctp_sockstore *)addr;
12609 
12610 		switch (raddr->sa.sa_family) {
12611 #ifdef INET
12612 		case AF_INET:
12613 			if (raddr->sin.sin_len != sizeof(struct sockaddr_in)) {
12614 				error = EINVAL;
12615 				goto out_unlocked;
12616 			}
12617 			port = raddr->sin.sin_port;
12618 			break;
12619 #endif
12620 #ifdef INET6
12621 		case AF_INET6:
12622 			if (raddr->sin6.sin6_len != sizeof(struct sockaddr_in6)) {
12623 				error = EINVAL;
12624 				goto out_unlocked;
12625 			}
12626 			port = raddr->sin6.sin6_port;
12627 			break;
12628 #endif
12629 		default:
12630 			error = EAFNOSUPPORT;
12631 			goto out_unlocked;
12632 		}
12633 	} else {
12634 		port = 0;
12635 	}
12636 	if (uio != NULL) {
12637 		if (uio->uio_resid < 0) {
12638 			error = EINVAL;
12639 			goto out_unlocked;
12640 		}
12641 		sndlen = uio->uio_resid;
12642 	} else {
12643 		sndlen = SCTP_HEADER_LEN(top);
12644 	}
12645 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zd\n",
12646 	    (void *)addr, sndlen);
12647 
12648 	t_inp = inp = (struct sctp_inpcb *)so->so_pcb;
12649 	if (inp == NULL) {
12650 		error = EINVAL;
12651 		goto out_unlocked;
12652 	}
12653 	user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
12654 	if ((uio == NULL) && (user_marks_eor != 0)) {
12655 		/*-
12656 		 * We do not support eeor mode for
12657 		 * sending with mbuf chains (like sendfile).
12658 		 */
12659 		error = EINVAL;
12660 		goto out_unlocked;
12661 	}
12662 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
12663 	    SCTP_IS_LISTENING(inp)) {
12664 		/* The listener can NOT send. */
12665 		error = EINVAL;
12666 		goto out_unlocked;
12667 	}
12668 	atomic_add_int(&inp->total_sends, 1);
12669 
12670 	if (srcv != NULL) {
12671 		sndrcvninfo = (struct sctp_nonpad_sndrcvinfo *)srcv;
12672 		sinfo_assoc_id = sndrcvninfo->sinfo_assoc_id;
12673 		sinfo_flags = sndrcvninfo->sinfo_flags;
12674 		if (INVALID_SINFO_FLAG(sinfo_flags) ||
12675 		    PR_SCTP_INVALID_POLICY(sinfo_flags)) {
12676 			error = EINVAL;
12677 			goto out_unlocked;
12678 		}
12679 		if (sinfo_flags != 0) {
12680 			SCTP_STAT_INCR(sctps_sends_with_flags);
12681 		}
12682 	} else {
12683 		sndrcvninfo = NULL;
12684 		sinfo_flags = inp->def_send.sinfo_flags;
12685 		sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
12686 	}
12687 	if (flags & MSG_EOR) {
12688 		sinfo_flags |= SCTP_EOR;
12689 	}
12690 	if (flags & MSG_EOF) {
12691 		sinfo_flags |= SCTP_EOF;
12692 	}
12693 	if ((sinfo_flags & SCTP_ADDR_OVER) && (addr == NULL)) {
12694 		error = EINVAL;
12695 		goto out_unlocked;
12696 	}
12697 	SCTP_INP_RLOCK(inp);
12698 	if ((sinfo_flags & SCTP_SENDALL) &&
12699 	    (inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
12700 		SCTP_INP_RUNLOCK(inp);
12701 		error = sctp_sendall(inp, uio, top, sndrcvninfo);
12702 		top = NULL;
12703 		goto out_unlocked;
12704 	}
12705 	/* Now we must find the association. */
12706 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) ||
12707 	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
12708 		stcb = LIST_FIRST(&inp->sctp_asoc_list);
12709 		if (stcb != NULL) {
12710 			SCTP_TCB_LOCK(stcb);
12711 		}
12712 		SCTP_INP_RUNLOCK(inp);
12713 	} else if (sinfo_assoc_id > SCTP_ALL_ASSOC) {
12714 		stcb = sctp_findasoc_ep_asocid_locked(inp, sinfo_assoc_id, 1);
12715 		SCTP_INP_RUNLOCK(inp);
12716 		if (stcb != NULL) {
12717 			SCTP_TCB_LOCK_ASSERT(stcb);
12718 		}
12719 	} else if (addr != NULL) {
12720 		/*-
12721 		 * Since we did not use findep we must
12722 		 * increment it, and if we don't find a tcb
12723 		 * decrement it.
12724 		 */
12725 		SCTP_INP_INCR_REF(inp);
12726 		SCTP_INP_RUNLOCK(inp);
12727 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12728 		if (stcb == NULL) {
12729 			SCTP_INP_WLOCK(inp);
12730 			SCTP_INP_DECR_REF(inp);
12731 			SCTP_INP_WUNLOCK(inp);
12732 		} else {
12733 			SCTP_TCB_LOCK_ASSERT(stcb);
12734 		}
12735 	} else {
12736 		SCTP_INP_RUNLOCK(inp);
12737 	}
12738 
12739 #ifdef INVARIANTS
12740 	if (stcb != NULL) {
12741 		SCTP_TCB_LOCK_ASSERT(stcb);
12742 	}
12743 #endif
12744 
12745 	if ((stcb == NULL) && (addr != NULL)) {
12746 		/* Possible implicit send? */
12747 		SCTP_ASOC_CREATE_LOCK(inp);
12748 		create_lock_applied = true;
12749 		if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
12750 		    (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
12751 			error = EINVAL;
12752 			goto out_unlocked;
12753 		}
12754 		if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) &&
12755 		    (addr->sa_family == AF_INET6)) {
12756 			error = EINVAL;
12757 			goto out_unlocked;
12758 		}
12759 		SCTP_INP_WLOCK(inp);
12760 		SCTP_INP_INCR_REF(inp);
12761 		SCTP_INP_WUNLOCK(inp);
12762 		/* With the lock applied look again */
12763 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12764 #if defined(INET) || defined(INET6)
12765 		if ((stcb == NULL) && (control != NULL) && (port > 0)) {
12766 			stcb = sctp_findassociation_cmsgs(&t_inp, port, control, &net, &error);
12767 		}
12768 #endif
12769 		if (stcb == NULL) {
12770 			SCTP_INP_WLOCK(inp);
12771 			SCTP_INP_DECR_REF(inp);
12772 			SCTP_INP_WUNLOCK(inp);
12773 		} else {
12774 			SCTP_TCB_LOCK_ASSERT(stcb);
12775 			SCTP_ASOC_CREATE_UNLOCK(inp);
12776 			create_lock_applied = false;
12777 		}
12778 		if (error != 0) {
12779 			goto out_unlocked;
12780 		}
12781 		if (t_inp != inp) {
12782 			error = ENOTCONN;
12783 			goto out_unlocked;
12784 		}
12785 	}
12786 	if (stcb == NULL) {
12787 		if (addr == NULL) {
12788 			error = ENOENT;
12789 			goto out_unlocked;
12790 		} else {
12791 			/* We must go ahead and start the INIT process */
12792 			uint32_t vrf_id;
12793 
12794 			if ((sinfo_flags & SCTP_ABORT) ||
12795 			    ((sinfo_flags & SCTP_EOF) && (sndlen == 0))) {
12796 				/*-
12797 				 * User asks to abort a non-existent assoc,
12798 				 * or EOF a non-existent assoc with no data
12799 				 */
12800 				error = ENOENT;
12801 				goto out_unlocked;
12802 			}
12803 			/* get an asoc/stcb struct */
12804 			vrf_id = inp->def_vrf_id;
12805 			KASSERT(create_lock_applied, ("create_lock_applied is false"));
12806 			stcb = sctp_aloc_assoc_connected(inp, addr, &error, 0, 0, vrf_id,
12807 			    inp->sctp_ep.pre_open_stream_count,
12808 			    inp->sctp_ep.port,
12809 			    p,
12810 			    SCTP_INITIALIZE_AUTH_PARAMS);
12811 			if (stcb == NULL) {
12812 				/* error is setup for us in the call. */
12813 				KASSERT(error != 0, ("error is 0 although stcb is NULL"));
12814 				goto out_unlocked;
12815 			}
12816 			SCTP_TCB_LOCK_ASSERT(stcb);
12817 			SCTP_ASOC_CREATE_UNLOCK(inp);
12818 			create_lock_applied = false;
12819 			/*
12820 			 * Turn on queue only flag to prevent data from
12821 			 * being sent
12822 			 */
12823 			queue_only = 1;
12824 			SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
12825 			(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
12826 			if (control != NULL) {
12827 				if (sctp_process_cmsgs_for_init(stcb, control, &error)) {
12828 					sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
12829 					    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_6);
12830 					stcb = NULL;
12831 					KASSERT(error != 0,
12832 					    ("error is 0 although sctp_process_cmsgs_for_init() indicated an error"));
12833 					goto out_unlocked;
12834 				}
12835 			}
12836 			/* out with the INIT */
12837 			queue_only_for_init = 1;
12838 			/*-
12839 			 * we may want to dig in after this call and adjust the MTU
12840 			 * value. It defaulted to 1500 (constant) but the ro
12841 			 * structure may now have an update and thus we may need to
12842 			 * change it BEFORE we append the message.
12843 			 */
12844 		}
12845 	}
12846 
12847 	KASSERT(!create_lock_applied, ("create_lock_applied is true"));
12848 	KASSERT(stcb != NULL, ("stcb is NULL"));
12849 	SCTP_TCB_LOCK_ASSERT(stcb);
12850 
12851 	asoc = &stcb->asoc;
12852 	if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
12853 	    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
12854 		if (asoc->state & SCTP_STATE_WAS_ABORTED) {
12855 			/* XXX: Could also be ECONNABORTED, not enough info. */
12856 			error = ECONNRESET;
12857 		} else {
12858 			error = ENOTCONN;
12859 		}
12860 		goto out_unlocked;
12861 	}
12862 	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
12863 	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
12864 		queue_only = 1;
12865 	}
12866 	/* Keep the stcb from being freed under our feet. */
12867 	atomic_add_int(&asoc->refcnt, 1);
12868 	free_cnt_applied = true;
12869 	if (sndrcvninfo == NULL) {
12870 		/* Use a local copy to have a consistent view. */
12871 		sndrcvninfo_buf = asoc->def_send;
12872 		sndrcvninfo = &sndrcvninfo_buf;
12873 		sinfo_flags = sndrcvninfo->sinfo_flags;
12874 		if (flags & MSG_EOR) {
12875 			sinfo_flags |= SCTP_EOR;
12876 		}
12877 		if (flags & MSG_EOF) {
12878 			sinfo_flags |= SCTP_EOF;
12879 		}
12880 	}
12881 	/* Are we aborting? */
12882 	if (sinfo_flags & SCTP_ABORT) {
12883 		struct mbuf *mm;
12884 		struct sctp_paramhdr *ph;
12885 		ssize_t tot_demand, tot_out = 0, max_out;
12886 
12887 		SCTP_STAT_INCR(sctps_sends_with_abort);
12888 		if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
12889 		    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
12890 			/* It has to be up before we abort. */
12891 			error = EINVAL;
12892 			goto out_unlocked;
12893 		}
12894 		/* How big is the user initiated abort? */
12895 		if (top != NULL) {
12896 			struct mbuf *cntm;
12897 
12898 			if (sndlen != 0) {
12899 				for (cntm = top; cntm; cntm = SCTP_BUF_NEXT(cntm)) {
12900 					tot_out += SCTP_BUF_LEN(cntm);
12901 				}
12902 			}
12903 			mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_NOWAIT, 1, MT_DATA);
12904 		} else {
12905 			/* Must fit in a MTU */
12906 			tot_out = sndlen;
12907 			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
12908 			if (tot_demand > SCTP_DEFAULT_ADD_MORE) {
12909 				error = EMSGSIZE;
12910 				goto out_unlocked;
12911 			}
12912 			mm = sctp_get_mbuf_for_msg((unsigned int)tot_demand, 0, M_NOWAIT, 1, MT_DATA);
12913 		}
12914 		if (mm == NULL) {
12915 			error = ENOMEM;
12916 			goto out_unlocked;
12917 		}
12918 		max_out = asoc->smallest_mtu - sizeof(struct sctp_paramhdr);
12919 		max_out -= sizeof(struct sctp_abort_msg);
12920 		if (tot_out > max_out) {
12921 			tot_out = max_out;
12922 		}
12923 		ph = mtod(mm, struct sctp_paramhdr *);
12924 		ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
12925 		ph->param_length = htons((uint16_t)(sizeof(struct sctp_paramhdr) + tot_out));
12926 		ph++;
12927 		SCTP_BUF_LEN(mm) = (int)(tot_out + sizeof(struct sctp_paramhdr));
12928 		if (top == NULL) {
12929 			SCTP_TCB_UNLOCK(stcb);
12930 			error = uiomove((caddr_t)ph, (int)tot_out, uio);
12931 			SCTP_TCB_LOCK(stcb);
12932 			if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
12933 			    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
12934 				sctp_m_freem(mm);
12935 				if (asoc->state & SCTP_STATE_WAS_ABORTED) {
12936 					/*
12937 					 * XXX: Could also be ECONNABORTED,
12938 					 * not enough info.
12939 					 */
12940 					error = ECONNRESET;
12941 				} else {
12942 					error = ENOTCONN;
12943 				}
12944 				goto out_unlocked;
12945 			}
12946 			if (error != 0) {
12947 				/*-
12948 				 * Here if we can't get his data we
12949 				 * still abort we just don't get to
12950 				 * send the users note :-0
12951 				 */
12952 				sctp_m_freem(mm);
12953 				mm = NULL;
12954 				error = 0;
12955 			}
12956 		} else {
12957 			if (sndlen != 0) {
12958 				SCTP_BUF_NEXT(mm) = top;
12959 			}
12960 		}
12961 		atomic_subtract_int(&asoc->refcnt, 1);
12962 		free_cnt_applied = false;
12963 		/* release this lock, otherwise we hang on ourselves */
12964 		NET_EPOCH_ENTER(et);
12965 		sctp_abort_an_association(stcb->sctp_ep, stcb, mm, false, SCTP_SO_LOCKED);
12966 		NET_EPOCH_EXIT(et);
12967 		stcb = NULL;
12968 		/*
12969 		 * In this case top is already chained to mm avoid double
12970 		 * free, since we free it below if top != NULL and driver
12971 		 * would free it after sending the packet out
12972 		 */
12973 		if (sndlen != 0) {
12974 			top = NULL;
12975 		}
12976 		goto out_unlocked;
12977 	}
12978 
12979 	KASSERT(stcb != NULL, ("stcb is NULL"));
12980 	SCTP_TCB_LOCK_ASSERT(stcb);
12981 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
12982 	    ("Association about to be freed"));
12983 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
12984 	    ("Association was aborted"));
12985 
12986 	if (sinfo_flags & SCTP_ADDR_OVER) {
12987 		if (addr != NULL) {
12988 			net = sctp_findnet(stcb, addr);
12989 		} else {
12990 			net = NULL;
12991 		}
12992 		if ((net == NULL) ||
12993 		    ((port != 0) && (port != stcb->rport))) {
12994 			error = EINVAL;
12995 			goto out_unlocked;
12996 		}
12997 	} else {
12998 		if (asoc->alternate != NULL) {
12999 			net = asoc->alternate;
13000 		} else {
13001 			net = asoc->primary_destination;
13002 		}
13003 	}
13004 	if (sndlen == 0) {
13005 		if (sinfo_flags & SCTP_EOF) {
13006 			got_all_of_the_send = true;
13007 			goto dataless_eof;
13008 		} else {
13009 			error = EINVAL;
13010 			goto out_unlocked;
13011 		}
13012 	}
13013 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
13014 		if (sndlen > (ssize_t)asoc->smallest_mtu) {
13015 			error = EMSGSIZE;
13016 			goto out_unlocked;
13017 		}
13018 	}
13019 	sinfo_stream = sndrcvninfo->sinfo_stream;
13020 	/* Is the stream no. valid? */
13021 	if (sinfo_stream >= asoc->streamoutcnt) {
13022 		/* Invalid stream number */
13023 		error = EINVAL;
13024 		goto out_unlocked;
13025 	}
13026 	if ((asoc->strmout[sinfo_stream].state != SCTP_STREAM_OPEN) &&
13027 	    (asoc->strmout[sinfo_stream].state != SCTP_STREAM_OPENING)) {
13028 		/*
13029 		 * Can't queue any data while stream reset is underway.
13030 		 */
13031 		if (asoc->strmout[sinfo_stream].state > SCTP_STREAM_OPEN) {
13032 			error = EAGAIN;
13033 		} else {
13034 			error = EINVAL;
13035 		}
13036 		goto out_unlocked;
13037 	}
13038 	atomic_add_int(&stcb->total_sends, 1);
13039 	if (SCTP_SO_IS_NBIO(so) || (flags & (MSG_NBIO | MSG_DONTWAIT)) != 0) {
13040 		non_blocking = true;
13041 	}
13042 	if (non_blocking) {
13043 		ssize_t amount;
13044 
13045 		inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13046 		if (user_marks_eor == 0) {
13047 			amount = sndlen;
13048 		} else {
13049 			amount = 1;
13050 		}
13051 		if ((SCTP_SB_LIMIT_SND(so) < (amount + inqueue_bytes + asoc->sb_send_resv)) ||
13052 		    (asoc->chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13053 			if ((sndlen > (ssize_t)SCTP_SB_LIMIT_SND(so)) &&
13054 			    (user_marks_eor == 0)) {
13055 				error = EMSGSIZE;
13056 			} else {
13057 				error = EWOULDBLOCK;
13058 			}
13059 			goto out_unlocked;
13060 		}
13061 	}
13062 	atomic_add_int(&asoc->sb_send_resv, (int)sndlen);
13063 	local_soresv = sndlen;
13064 
13065 	KASSERT(stcb != NULL, ("stcb is NULL"));
13066 	SCTP_TCB_LOCK_ASSERT(stcb);
13067 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13068 	    ("Association about to be freed"));
13069 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13070 	    ("Association was aborted"));
13071 
13072 	/* Ok, we will attempt a msgsnd :> */
13073 	if (p != NULL) {
13074 		p->td_ru.ru_msgsnd++;
13075 	}
13076 	/* Calculate the maximum we can send */
13077 	inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13078 	if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13079 		max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13080 	} else {
13081 		max_len = 0;
13082 	}
13083 	/* Unless E_EOR mode is on, we must make a send FIT in one call. */
13084 	if ((user_marks_eor == 0) &&
13085 	    (sndlen > (ssize_t)SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
13086 		/* It will NEVER fit. */
13087 		error = EMSGSIZE;
13088 		goto out_unlocked;
13089 	}
13090 	if (user_marks_eor != 0) {
13091 		local_add_more = (ssize_t)min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
13092 	} else {
13093 		/*-
13094 		 * For non-eeor the whole message must fit in
13095 		 * the socket send buffer.
13096 		 */
13097 		local_add_more = sndlen;
13098 	}
13099 	if (non_blocking) {
13100 		goto skip_preblock;
13101 	}
13102 	if (((max_len <= local_add_more) && ((ssize_t)SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
13103 	    (max_len == 0) ||
13104 	    ((asoc->chunks_on_out_queue + asoc->stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13105 		/* No room right now! */
13106 		inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13107 		SOCKBUF_LOCK(&so->so_snd);
13108 		while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
13109 		    ((asoc->stream_queue_cnt + asoc->chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13110 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %zd) || (%d+%d > %d)\n",
13111 			    (unsigned int)SCTP_SB_LIMIT_SND(so),
13112 			    inqueue_bytes,
13113 			    local_add_more,
13114 			    asoc->stream_queue_cnt,
13115 			    asoc->chunks_on_out_queue,
13116 			    SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue));
13117 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13118 				sctp_log_block(SCTP_BLOCK_LOG_INTO_BLKA, asoc, sndlen);
13119 			}
13120 			be.error = 0;
13121 			stcb->block_entry = &be;
13122 			SCTP_TCB_UNLOCK(stcb);
13123 			error = sbwait(so, SO_SND);
13124 			if (error == 0) {
13125 				if (so->so_error != 0) {
13126 					error = so->so_error;
13127 				}
13128 				if (be.error != 0) {
13129 					error = be.error;
13130 				}
13131 			}
13132 			SOCKBUF_UNLOCK(&so->so_snd);
13133 			SCTP_TCB_LOCK(stcb);
13134 			stcb->block_entry = NULL;
13135 			if (error != 0) {
13136 				goto out_unlocked;
13137 			}
13138 			if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13139 			    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13140 				if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13141 					/*
13142 					 * XXX: Could also be ECONNABORTED,
13143 					 * not enough info.
13144 					 */
13145 					error = ECONNRESET;
13146 				} else {
13147 					error = ENOTCONN;
13148 				}
13149 				goto out_unlocked;
13150 			}
13151 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13152 				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13153 				    asoc, asoc->total_output_queue_size);
13154 			}
13155 			inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13156 			SOCKBUF_LOCK(&so->so_snd);
13157 		}
13158 		if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13159 			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13160 		} else {
13161 			max_len = 0;
13162 		}
13163 		SOCKBUF_UNLOCK(&so->so_snd);
13164 	}
13165 
13166 skip_preblock:
13167 	KASSERT(stcb != NULL, ("stcb is NULL"));
13168 	SCTP_TCB_LOCK_ASSERT(stcb);
13169 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13170 	    ("Association about to be freed"));
13171 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13172 	    ("Association was aborted"));
13173 
13174 	/*
13175 	 * sndlen covers for mbuf case uio_resid covers for the non-mbuf
13176 	 * case NOTE: uio will be null when top/mbuf is passed
13177 	 */
13178 	if (top == NULL) {
13179 		struct sctp_stream_queue_pending *sp;
13180 		struct sctp_stream_out *strm;
13181 		uint32_t sndout;
13182 
13183 		if ((asoc->stream_locked) &&
13184 		    (asoc->stream_locked_on != sinfo_stream)) {
13185 			error = EINVAL;
13186 			goto out;
13187 		}
13188 		strm = &asoc->strmout[sinfo_stream];
13189 		if (strm->last_msg_incomplete == 0) {
13190 	do_a_copy_in:
13191 			SCTP_TCB_UNLOCK(stcb);
13192 			sp = sctp_copy_it_in(stcb, asoc, sndrcvninfo, uio, net, max_len, user_marks_eor, &error);
13193 			SCTP_TCB_LOCK(stcb);
13194 			if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13195 			    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13196 				if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13197 					/*
13198 					 * XXX: Could also be ECONNABORTED,
13199 					 * not enough info.
13200 					 */
13201 					error = ECONNRESET;
13202 				} else {
13203 					error = ENOTCONN;
13204 				}
13205 				goto out;
13206 			}
13207 			if (error != 0) {
13208 				goto out;
13209 			}
13210 			/*
13211 			 * Reject the sending of a new user message, if the
13212 			 * association is about to be shut down.
13213 			 */
13214 			if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) ||
13215 			    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
13216 			    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
13217 			    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
13218 				if (sp->data != 0) {
13219 					sctp_m_freem(sp->data);
13220 					sp->data = NULL;
13221 					sp->tail_mbuf = NULL;
13222 					sp->length = 0;
13223 				}
13224 				if (sp->net != NULL) {
13225 					sctp_free_remote_addr(sp->net);
13226 					sp->net = NULL;
13227 				}
13228 				sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
13229 				error = EPIPE;
13230 				goto out_unlocked;
13231 			}
13232 			/* The out streams might be reallocated. */
13233 			strm = &asoc->strmout[sinfo_stream];
13234 			if (sp->msg_is_complete) {
13235 				strm->last_msg_incomplete = 0;
13236 				asoc->stream_locked = 0;
13237 			} else {
13238 				/*
13239 				 * Just got locked to this guy in case of an
13240 				 * interrupt.
13241 				 */
13242 				strm->last_msg_incomplete = 1;
13243 				if (asoc->idata_supported == 0) {
13244 					asoc->stream_locked = 1;
13245 					asoc->stream_locked_on = sinfo_stream;
13246 				}
13247 				sp->sender_all_done = 0;
13248 			}
13249 			sctp_snd_sb_alloc(stcb, sp->length);
13250 			atomic_add_int(&asoc->stream_queue_cnt, 1);
13251 			if (sinfo_flags & SCTP_UNORDERED) {
13252 				SCTP_STAT_INCR(sctps_sends_with_unord);
13253 			}
13254 			sp->processing = 1;
13255 			TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
13256 			asoc->ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp);
13257 		} else {
13258 			sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
13259 			if (sp == NULL) {
13260 				/* ???? Huh ??? last msg is gone */
13261 #ifdef INVARIANTS
13262 				panic("Warning: Last msg marked incomplete, yet nothing left?");
13263 #else
13264 				SCTP_PRINTF("Warning: Last msg marked incomplete, yet nothing left?\n");
13265 				strm->last_msg_incomplete = 0;
13266 #endif
13267 				goto do_a_copy_in;
13268 			}
13269 			if (sp->processing != 0) {
13270 				error = EINVAL;
13271 				goto out;
13272 			} else {
13273 				sp->processing = 1;
13274 			}
13275 		}
13276 
13277 		KASSERT(stcb != NULL, ("stcb is NULL"));
13278 		SCTP_TCB_LOCK_ASSERT(stcb);
13279 		KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13280 		    ("Association about to be freed"));
13281 		KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13282 		    ("Association was aborted"));
13283 
13284 		while (uio->uio_resid > 0) {
13285 			/* How much room do we have? */
13286 			struct mbuf *new_tail, *mm;
13287 
13288 			inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13289 			if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13290 				max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13291 			} else {
13292 				max_len = 0;
13293 			}
13294 			if ((max_len > (ssize_t)SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
13295 			    ((max_len > 0) && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
13296 			    (uio->uio_resid <= max_len)) {
13297 				SCTP_TCB_UNLOCK(stcb);
13298 				sndout = 0;
13299 				new_tail = NULL;
13300 				mm = sctp_copy_resume(uio, (int)max_len, user_marks_eor, &error, &sndout, &new_tail);
13301 				SCTP_TCB_LOCK(stcb);
13302 				if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13303 				    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13304 					/*
13305 					 * We need to get out. Peer probably
13306 					 * aborted.
13307 					 */
13308 					sctp_m_freem(mm);
13309 					if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13310 						/*
13311 						 * XXX: Could also be
13312 						 * ECONNABORTED, not enough
13313 						 * info.
13314 						 */
13315 						error = ECONNRESET;
13316 					} else {
13317 						error = ENOTCONN;
13318 					}
13319 					goto out;
13320 				}
13321 				if ((mm == NULL) || (error != 0)) {
13322 					if (mm != NULL) {
13323 						sctp_m_freem(mm);
13324 					}
13325 					if (sp != NULL) {
13326 						sp->processing = 0;
13327 					}
13328 					goto out;
13329 				}
13330 				/* Update the mbuf and count */
13331 				if (sp->tail_mbuf != NULL) {
13332 					/* Tack it to the end. */
13333 					SCTP_BUF_NEXT(sp->tail_mbuf) = mm;
13334 				} else {
13335 					/* A stolen mbuf. */
13336 					sp->data = mm;
13337 				}
13338 				sp->tail_mbuf = new_tail;
13339 				sctp_snd_sb_alloc(stcb, sndout);
13340 				atomic_add_int(&sp->length, sndout);
13341 				if (sinfo_flags & SCTP_SACK_IMMEDIATELY) {
13342 					sp->sinfo_flags |= SCTP_SACK_IMMEDIATELY;
13343 				}
13344 
13345 				/* Did we reach EOR? */
13346 				if ((uio->uio_resid == 0) &&
13347 				    ((user_marks_eor == 0) ||
13348 				    (sinfo_flags & SCTP_EOF) ||
13349 				    (user_marks_eor && (sinfo_flags & SCTP_EOR)))) {
13350 					sp->msg_is_complete = 1;
13351 				} else {
13352 					sp->msg_is_complete = 0;
13353 				}
13354 			}
13355 
13356 			KASSERT(stcb != NULL, ("stcb is NULL"));
13357 			SCTP_TCB_LOCK_ASSERT(stcb);
13358 			KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13359 			    ("Association about to be freed"));
13360 			KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13361 			    ("Association was aborted"));
13362 
13363 			if (uio->uio_resid == 0) {
13364 				/* got it all? */
13365 				continue;
13366 			}
13367 			/* PR-SCTP? */
13368 			if ((asoc->prsctp_supported) && (asoc->sent_queue_cnt_removeable > 0)) {
13369 				/*
13370 				 * This is ugly but we must assure locking
13371 				 * order
13372 				 */
13373 				sctp_prune_prsctp(stcb, asoc, sndrcvninfo, (int)sndlen);
13374 				inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13375 				if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes)
13376 					max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13377 				else
13378 					max_len = 0;
13379 				if (max_len > 0) {
13380 					continue;
13381 				}
13382 			}
13383 			/* wait for space now */
13384 			if (non_blocking) {
13385 				/* Non-blocking io in place out */
13386 				if (sp != NULL) {
13387 					sp->processing = 0;
13388 				}
13389 				goto skip_out_eof;
13390 			}
13391 			/* What about the INIT, send it maybe */
13392 			if (queue_only_for_init) {
13393 				if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
13394 					/* a collision took us forward? */
13395 					queue_only = 0;
13396 				} else {
13397 					NET_EPOCH_ENTER(et);
13398 					sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13399 					NET_EPOCH_EXIT(et);
13400 					SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
13401 					queue_only = 1;
13402 				}
13403 			}
13404 			if ((net->flight_size > net->cwnd) &&
13405 			    (asoc->sctp_cmt_on_off == 0)) {
13406 				SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13407 				queue_only = 1;
13408 			} else if (asoc->ifp_had_enobuf) {
13409 				SCTP_STAT_INCR(sctps_ifnomemqueued);
13410 				if (net->flight_size > (2 * net->mtu)) {
13411 					queue_only = 1;
13412 				}
13413 				asoc->ifp_had_enobuf = 0;
13414 			}
13415 			un_sent = asoc->total_output_queue_size - asoc->total_flight;
13416 			if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13417 			    (asoc->total_flight > 0) &&
13418 			    (asoc->stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13419 			    (un_sent < (int)(asoc->smallest_mtu - SCTP_MIN_OVERHEAD))) {
13420 				/*-
13421 				 * Ok, Nagle is set on and we have data outstanding.
13422 				 * Don't send anything and let SACKs drive out the
13423 				 * data unless we have a "full" segment to send.
13424 				 */
13425 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13426 					sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13427 				}
13428 				SCTP_STAT_INCR(sctps_naglequeued);
13429 				nagle_applies = 1;
13430 			} else {
13431 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13432 					if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13433 						sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13434 				}
13435 				SCTP_STAT_INCR(sctps_naglesent);
13436 				nagle_applies = 0;
13437 			}
13438 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13439 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13440 				    nagle_applies, un_sent);
13441 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, asoc->total_output_queue_size,
13442 				    asoc->total_flight,
13443 				    asoc->chunks_on_out_queue, asoc->total_flight_count);
13444 			}
13445 			if (queue_only_for_init) {
13446 				queue_only_for_init = 0;
13447 			}
13448 			if ((queue_only == 0) && (nagle_applies == 0)) {
13449 				/*-
13450 				 * need to start chunk output
13451 				 * before blocking.. note that if
13452 				 * a lock is already applied, then
13453 				 * the input via the net is happening
13454 				 * and I don't need to start output :-D
13455 				 */
13456 				NET_EPOCH_ENTER(et);
13457 				sctp_chunk_output(inp, stcb,
13458 				    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13459 				NET_EPOCH_EXIT(et);
13460 			}
13461 			/*-
13462 			 * This is a bit strange, but I think it will
13463 			 * work. The total_output_queue_size is locked and
13464 			 * protected by the TCB_LOCK, which we just released.
13465 			 * There is a race that can occur between releasing it
13466 			 * above, and me getting the socket lock, where sacks
13467 			 * come in but we have not put the SB_WAIT on the
13468 			 * so_snd buffer to get the wakeup. After the LOCK
13469 			 * is applied the sack_processing will also need to
13470 			 * LOCK the so->so_snd to do the actual sowwakeup(). So
13471 			 * once we have the socket buffer lock if we recheck the
13472 			 * size we KNOW we will get to sleep safely with the
13473 			 * wakeup flag in place.
13474 			 */
13475 			inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13476 			SOCKBUF_LOCK(&so->so_snd);
13477 			if (SCTP_SB_LIMIT_SND(so) <= (inqueue_bytes +
13478 			    min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
13479 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13480 					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13481 					    asoc, uio->uio_resid);
13482 				}
13483 				be.error = 0;
13484 				stcb->block_entry = &be;
13485 				SCTP_TCB_UNLOCK(stcb);
13486 				error = sbwait(so, SO_SND);
13487 				if (error == 0) {
13488 					if (so->so_error != 0)
13489 						error = so->so_error;
13490 					if (be.error != 0) {
13491 						error = be.error;
13492 					}
13493 				}
13494 				SOCKBUF_UNLOCK(&so->so_snd);
13495 				SCTP_TCB_LOCK(stcb);
13496 				stcb->block_entry = NULL;
13497 				if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13498 				    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13499 					if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13500 						/*
13501 						 * XXX: Could also be
13502 						 * ECONNABORTED, not enough
13503 						 * info.
13504 						 */
13505 						error = ECONNRESET;
13506 					} else {
13507 						error = ENOTCONN;
13508 					}
13509 					goto out_unlocked;
13510 				}
13511 				if (error != 0) {
13512 					if (sp != NULL) {
13513 						sp->processing = 0;
13514 					}
13515 					goto out_unlocked;
13516 				}
13517 			} else {
13518 				SOCKBUF_UNLOCK(&so->so_snd);
13519 			}
13520 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13521 				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13522 				    asoc, asoc->total_output_queue_size);
13523 			}
13524 		}
13525 
13526 		KASSERT(stcb != NULL, ("stcb is NULL"));
13527 		SCTP_TCB_LOCK_ASSERT(stcb);
13528 		KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13529 		    ("Association about to be freed"));
13530 		KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13531 		    ("Association was aborted"));
13532 
13533 		/* The out streams might be reallocated. */
13534 		strm = &asoc->strmout[sinfo_stream];
13535 		if (sp != NULL) {
13536 			if (sp->msg_is_complete == 0) {
13537 				strm->last_msg_incomplete = 1;
13538 				if (asoc->idata_supported == 0) {
13539 					asoc->stream_locked = 1;
13540 					asoc->stream_locked_on = sinfo_stream;
13541 				}
13542 			} else {
13543 				sp->sender_all_done = 1;
13544 				strm->last_msg_incomplete = 0;
13545 				asoc->stream_locked = 0;
13546 			}
13547 			sp->processing = 0;
13548 		} else {
13549 			SCTP_PRINTF("Huh no sp TSNH?\n");
13550 			strm->last_msg_incomplete = 0;
13551 			asoc->stream_locked = 0;
13552 		}
13553 		if (uio->uio_resid == 0) {
13554 			got_all_of_the_send = true;
13555 		}
13556 	} else {
13557 		error = sctp_msg_append(stcb, net, top, sndrcvninfo);
13558 		top = NULL;
13559 		if ((sinfo_flags & SCTP_EOF) != 0) {
13560 			got_all_of_the_send = true;
13561 		}
13562 	}
13563 	if (error != 0) {
13564 		goto out;
13565 	}
13566 
13567 dataless_eof:
13568 	KASSERT(stcb != NULL, ("stcb is NULL"));
13569 	SCTP_TCB_LOCK_ASSERT(stcb);
13570 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13571 	    ("Association about to be freed"));
13572 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13573 	    ("Association was aborted"));
13574 
13575 	/* EOF thing ? */
13576 	if ((sinfo_flags & SCTP_EOF) && got_all_of_the_send) {
13577 		SCTP_STAT_INCR(sctps_sends_with_eof);
13578 		error = 0;
13579 		if (TAILQ_EMPTY(&asoc->send_queue) &&
13580 		    TAILQ_EMPTY(&asoc->sent_queue) &&
13581 		    sctp_is_there_unsent_data(stcb, SCTP_SO_LOCKED) == 0) {
13582 			if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
13583 				goto abort_anyway;
13584 			}
13585 			/* there is nothing queued to send, so I'm done... */
13586 			if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
13587 			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13588 			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13589 				struct sctp_nets *netp;
13590 
13591 				/* only send SHUTDOWN the first time through */
13592 				if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
13593 					SCTP_STAT_DECR_GAUGE32(sctps_currestab);
13594 				}
13595 				SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT);
13596 				sctp_stop_timers_for_shutdown(stcb);
13597 				if (asoc->alternate != NULL) {
13598 					netp = asoc->alternate;
13599 				} else {
13600 					netp = asoc->primary_destination;
13601 				}
13602 				sctp_send_shutdown(stcb, netp);
13603 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
13604 				    netp);
13605 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13606 				    NULL);
13607 			}
13608 		} else {
13609 			/*-
13610 			 * we still got (or just got) data to send, so set
13611 			 * SHUTDOWN_PENDING
13612 			 */
13613 			/*-
13614 			 * XXX sockets draft says that SCTP_EOF should be
13615 			 * sent with no data.  currently, we will allow user
13616 			 * data to be sent first and move to
13617 			 * SHUTDOWN-PENDING
13618 			 */
13619 			if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
13620 			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13621 			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13622 				if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
13623 					SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT);
13624 				}
13625 				SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING);
13626 				if (TAILQ_EMPTY(&asoc->send_queue) &&
13627 				    TAILQ_EMPTY(&asoc->sent_queue) &&
13628 				    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
13629 					struct mbuf *op_err;
13630 					char msg[SCTP_DIAG_INFO_LEN];
13631 
13632 			abort_anyway:
13633 					if (free_cnt_applied) {
13634 						atomic_subtract_int(&asoc->refcnt, 1);
13635 						free_cnt_applied = false;
13636 					}
13637 					SCTP_SNPRINTF(msg, sizeof(msg),
13638 					    "%s:%d at %s", __FILE__, __LINE__, __func__);
13639 					op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
13640 					    msg);
13641 					NET_EPOCH_ENTER(et);
13642 					sctp_abort_an_association(stcb->sctp_ep, stcb,
13643 					    op_err, false, SCTP_SO_LOCKED);
13644 					NET_EPOCH_EXIT(et);
13645 					stcb = NULL;
13646 					error = ECONNABORTED;
13647 					goto out;
13648 				}
13649 				sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
13650 			}
13651 		}
13652 	}
13653 
13654 skip_out_eof:
13655 	KASSERT(stcb != NULL, ("stcb is NULL"));
13656 	SCTP_TCB_LOCK_ASSERT(stcb);
13657 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13658 	    ("Association about to be freed"));
13659 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13660 	    ("Association was aborted"));
13661 
13662 	some_on_control = !TAILQ_EMPTY(&asoc->control_send_queue);
13663 	if (queue_only_for_init) {
13664 		if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
13665 			/* a collision took us forward? */
13666 			queue_only = 0;
13667 		} else {
13668 			NET_EPOCH_ENTER(et);
13669 			sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13670 			NET_EPOCH_EXIT(et);
13671 			SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
13672 			queue_only = 1;
13673 		}
13674 	}
13675 
13676 	KASSERT(stcb != NULL, ("stcb is NULL"));
13677 	SCTP_TCB_LOCK_ASSERT(stcb);
13678 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13679 	    ("Association about to be freed"));
13680 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13681 	    ("Association was aborted"));
13682 
13683 	if ((net->flight_size > net->cwnd) &&
13684 	    (asoc->sctp_cmt_on_off == 0)) {
13685 		SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13686 		queue_only = 1;
13687 	} else if (asoc->ifp_had_enobuf) {
13688 		SCTP_STAT_INCR(sctps_ifnomemqueued);
13689 		if (net->flight_size > (2 * net->mtu)) {
13690 			queue_only = 1;
13691 		}
13692 		asoc->ifp_had_enobuf = 0;
13693 	}
13694 	un_sent = asoc->total_output_queue_size - asoc->total_flight;
13695 	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13696 	    (asoc->total_flight > 0) &&
13697 	    (asoc->stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13698 	    (un_sent < (int)(asoc->smallest_mtu - SCTP_MIN_OVERHEAD))) {
13699 		/*-
13700 		 * Ok, Nagle is set on and we have data outstanding.
13701 		 * Don't send anything and let SACKs drive out the
13702 		 * data unless wen have a "full" segment to send.
13703 		 */
13704 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13705 			sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13706 		}
13707 		SCTP_STAT_INCR(sctps_naglequeued);
13708 		nagle_applies = 1;
13709 	} else {
13710 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13711 			if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13712 				sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13713 		}
13714 		SCTP_STAT_INCR(sctps_naglesent);
13715 		nagle_applies = 0;
13716 	}
13717 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13718 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13719 		    nagle_applies, un_sent);
13720 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, asoc->total_output_queue_size,
13721 		    asoc->total_flight,
13722 		    asoc->chunks_on_out_queue, asoc->total_flight_count);
13723 	}
13724 
13725 	KASSERT(stcb != NULL, ("stcb is NULL"));
13726 	SCTP_TCB_LOCK_ASSERT(stcb);
13727 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13728 	    ("Association about to be freed"));
13729 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13730 	    ("Association was aborted"));
13731 
13732 	NET_EPOCH_ENTER(et);
13733 	if ((queue_only == 0) && (nagle_applies == 0) && (asoc->peers_rwnd && un_sent)) {
13734 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13735 	} else if ((queue_only == 0) &&
13736 		    (asoc->peers_rwnd == 0) &&
13737 	    (asoc->total_flight == 0)) {
13738 		/* We get to have a probe outstanding */
13739 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13740 	} else if (some_on_control) {
13741 		int num_out, reason;
13742 
13743 		/* Here we do control only */
13744 		(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out,
13745 		    &reason, 1, 1, &now, &now_filled,
13746 		    sctp_get_frag_point(stcb),
13747 		    SCTP_SO_LOCKED);
13748 	}
13749 	NET_EPOCH_EXIT(et);
13750 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "USR Send complete qo:%d prw:%d unsent:%d tf:%d cooq:%d toqs:%d err:%d\n",
13751 	    queue_only, asoc->peers_rwnd, un_sent,
13752 	    asoc->total_flight, asoc->chunks_on_out_queue,
13753 	    asoc->total_output_queue_size, error);
13754 
13755 	KASSERT(stcb != NULL, ("stcb is NULL"));
13756 	SCTP_TCB_LOCK_ASSERT(stcb);
13757 	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13758 	    ("Association about to be freed"));
13759 	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13760 	    ("Association was aborted"));
13761 
13762 out:
13763 out_unlocked:
13764 	if (create_lock_applied) {
13765 		SCTP_ASOC_CREATE_UNLOCK(inp);
13766 	}
13767 	if (stcb != NULL) {
13768 		if (local_soresv) {
13769 			atomic_subtract_int(&asoc->sb_send_resv, (int)sndlen);
13770 		}
13771 		if (free_cnt_applied) {
13772 			atomic_subtract_int(&asoc->refcnt, 1);
13773 		}
13774 		SCTP_TCB_UNLOCK(stcb);
13775 	}
13776 	if (top != NULL) {
13777 		sctp_m_freem(top);
13778 	}
13779 	if (control != NULL) {
13780 		sctp_m_freem(control);
13781 	}
13782 	SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, error);
13783 	return (error);
13784 }
13785 
13786 /*
13787  * generate an AUTHentication chunk, if required
13788  */
13789 struct mbuf *
13790 sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
13791     struct sctp_auth_chunk **auth_ret, uint32_t *offset,
13792     struct sctp_tcb *stcb, uint8_t chunk)
13793 {
13794 	struct mbuf *m_auth;
13795 	struct sctp_auth_chunk *auth;
13796 	int chunk_len;
13797 	struct mbuf *cn;
13798 
13799 	if ((m_end == NULL) || (auth_ret == NULL) || (offset == NULL) ||
13800 	    (stcb == NULL))
13801 		return (m);
13802 
13803 	if (stcb->asoc.auth_supported == 0) {
13804 		return (m);
13805 	}
13806 	/* does the requested chunk require auth? */
13807 	if (!sctp_auth_is_required_chunk(chunk, stcb->asoc.peer_auth_chunks)) {
13808 		return (m);
13809 	}
13810 	m_auth = sctp_get_mbuf_for_msg(sizeof(*auth), 0, M_NOWAIT, 1, MT_HEADER);
13811 	if (m_auth == NULL) {
13812 		/* no mbuf's */
13813 		return (m);
13814 	}
13815 	/* reserve some space if this will be the first mbuf */
13816 	if (m == NULL)
13817 		SCTP_BUF_RESV_UF(m_auth, SCTP_MIN_OVERHEAD);
13818 	/* fill in the AUTH chunk details */
13819 	auth = mtod(m_auth, struct sctp_auth_chunk *);
13820 	memset(auth, 0, sizeof(*auth));
13821 	auth->ch.chunk_type = SCTP_AUTHENTICATION;
13822 	auth->ch.chunk_flags = 0;
13823 	chunk_len = sizeof(*auth) +
13824 	    sctp_get_hmac_digest_len(stcb->asoc.peer_hmac_id);
13825 	auth->ch.chunk_length = htons(chunk_len);
13826 	auth->hmac_id = htons(stcb->asoc.peer_hmac_id);
13827 	/* key id and hmac digest will be computed and filled in upon send */
13828 
13829 	/* save the offset where the auth was inserted into the chain */
13830 	*offset = 0;
13831 	for (cn = m; cn; cn = SCTP_BUF_NEXT(cn)) {
13832 		*offset += SCTP_BUF_LEN(cn);
13833 	}
13834 
13835 	/* update length and return pointer to the auth chunk */
13836 	SCTP_BUF_LEN(m_auth) = chunk_len;
13837 	m = sctp_copy_mbufchain(m_auth, m, m_end, 1, chunk_len, 0);
13838 	if (auth_ret != NULL)
13839 		*auth_ret = auth;
13840 
13841 	return (m);
13842 }
13843 
13844 #ifdef INET6
13845 int
13846 sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t *ro)
13847 {
13848 	struct nd_prefix *pfx = NULL;
13849 	struct nd_pfxrouter *pfxrtr = NULL;
13850 	struct sockaddr_in6 gw6;
13851 
13852 	if (ro == NULL || ro->ro_nh == NULL || src6->sin6_family != AF_INET6)
13853 		return (0);
13854 
13855 	/* get prefix entry of address */
13856 	ND6_RLOCK();
13857 	LIST_FOREACH(pfx, &MODULE_GLOBAL(nd_prefix), ndpr_entry) {
13858 		if (pfx->ndpr_stateflags & NDPRF_DETACHED)
13859 			continue;
13860 		if (IN6_ARE_MASKED_ADDR_EQUAL(&pfx->ndpr_prefix.sin6_addr,
13861 		    &src6->sin6_addr, &pfx->ndpr_mask))
13862 			break;
13863 	}
13864 	/* no prefix entry in the prefix list */
13865 	if (pfx == NULL) {
13866 		ND6_RUNLOCK();
13867 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefix entry for ");
13868 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13869 		return (0);
13870 	}
13871 
13872 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "v6src_match_nexthop(), Prefix entry is ");
13873 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13874 
13875 	/* search installed gateway from prefix entry */
13876 	LIST_FOREACH(pfxrtr, &pfx->ndpr_advrtrs, pfr_entry) {
13877 		memset(&gw6, 0, sizeof(struct sockaddr_in6));
13878 		gw6.sin6_family = AF_INET6;
13879 		gw6.sin6_len = sizeof(struct sockaddr_in6);
13880 		memcpy(&gw6.sin6_addr, &pfxrtr->router->rtaddr,
13881 		    sizeof(struct in6_addr));
13882 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "prefix router is ");
13883 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&gw6);
13884 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "installed router is ");
13885 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ro->ro_nh->gw_sa);
13886 		if (sctp_cmpaddr((struct sockaddr *)&gw6, &ro->ro_nh->gw_sa)) {
13887 			ND6_RUNLOCK();
13888 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is installed\n");
13889 			return (1);
13890 		}
13891 	}
13892 	ND6_RUNLOCK();
13893 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is not installed\n");
13894 	return (0);
13895 }
13896 #endif
13897 
13898 int
13899 sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t *ro)
13900 {
13901 #ifdef INET
13902 	struct sockaddr_in *sin, *mask;
13903 	struct ifaddr *ifa;
13904 	struct in_addr srcnetaddr, gwnetaddr;
13905 
13906 	if (ro == NULL || ro->ro_nh == NULL ||
13907 	    sifa->address.sa.sa_family != AF_INET) {
13908 		return (0);
13909 	}
13910 	ifa = (struct ifaddr *)sifa->ifa;
13911 	mask = (struct sockaddr_in *)(ifa->ifa_netmask);
13912 	sin = &sifa->address.sin;
13913 	srcnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13914 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "match_nexthop4: src address is ");
13915 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
13916 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "network address is %x\n", srcnetaddr.s_addr);
13917 
13918 	sin = &ro->ro_nh->gw4_sa;
13919 	gwnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13920 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "match_nexthop4: nexthop is ");
13921 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ro->ro_nh->gw_sa);
13922 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "network address is %x\n", gwnetaddr.s_addr);
13923 	if (srcnetaddr.s_addr == gwnetaddr.s_addr) {
13924 		return (1);
13925 	}
13926 #endif
13927 	return (0);
13928 }
13929