xref: /illumos-gate/usr/src/uts/common/inet/sctp/sctp_bind.c (revision 44ed9dbbfa620821ecf59a131462082f628dd0f3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/systm.h>
29 #include <sys/stream.h>
30 #include <sys/cmn_err.h>
31 #include <sys/kmem.h>
32 #define	_SUN_TPI_VERSION 2
33 #include <sys/tihdr.h>
34 #include <sys/stropts.h>
35 #include <sys/socket.h>
36 #include <sys/random.h>
37 #include <sys/policy.h>
38 #include <sys/tsol/tndb.h>
39 #include <sys/tsol/tnet.h>
40 
41 #include <netinet/in.h>
42 #include <netinet/ip6.h>
43 
44 #include <inet/common.h>
45 #include <inet/ip.h>
46 #include <inet/ip6.h>
47 #include <inet/ipclassifier.h>
48 #include "sctp_impl.h"
49 #include "sctp_asconf.h"
50 #include "sctp_addr.h"
51 
52 /*
53  * Returns 0 on success, EACCES on permission failure.
54  */
55 static int
56 sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
57 {
58 	sctp_stack_t	*sctps = sctp->sctp_sctps;
59 	conn_t		*connp = sctp->sctp_connp;
60 
61 	/*
62 	 * Get a valid port (within the anonymous range and should not
63 	 * be a privileged one) to use if the user has not given a port.
64 	 * If multiple threads are here, they may all start with
65 	 * with the same initial port. But, it should be fine as long as
66 	 * sctp_bindi will ensure that no two threads will be assigned
67 	 * the same port.
68 	 */
69 	if (*requested_port == 0) {
70 		*requested_port = sctp_update_next_port(
71 		    sctps->sctps_next_port_to_try,
72 		    crgetzone(connp->conn_cred), sctps);
73 		if (*requested_port == 0)
74 			return (EACCES);
75 		*user_specified = 0;
76 	} else {
77 		int i;
78 		boolean_t priv = B_FALSE;
79 
80 		/*
81 		 * If the requested_port is in the well-known privileged range,
82 		 * verify that the stream was opened by a privileged user.
83 		 * Note: No locks are held when inspecting sctp_g_*epriv_ports
84 		 * but instead the code relies on:
85 		 * - the fact that the address of the array and its size never
86 		 *   changes
87 		 * - the atomic assignment of the elements of the array
88 		 */
89 		if (*requested_port < sctps->sctps_smallest_nonpriv_port) {
90 			priv = B_TRUE;
91 		} else {
92 			for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
93 				if (*requested_port ==
94 				    sctps->sctps_g_epriv_ports[i]) {
95 					priv = B_TRUE;
96 					break;
97 				}
98 			}
99 		}
100 		if (priv) {
101 			/*
102 			 * sctp_bind() should take a cred_t argument so that
103 			 * we can use it here.
104 			 */
105 			if (secpolicy_net_privaddr(connp->conn_cred,
106 			    *requested_port, IPPROTO_SCTP) != 0) {
107 				dprint(1,
108 				    ("sctp_bind(x): no prive for port %d",
109 				    *requested_port));
110 				return (EACCES);
111 			}
112 		}
113 		*user_specified = 1;
114 	}
115 
116 	return (0);
117 }
118 
119 int
120 sctp_listen(sctp_t *sctp)
121 {
122 	sctp_tf_t	*tf;
123 	sctp_stack_t	*sctps = sctp->sctp_sctps;
124 	conn_t		*connp = sctp->sctp_connp;
125 
126 	RUN_SCTP(sctp);
127 	/*
128 	 * TCP handles listen() increasing the backlog, need to check
129 	 * if it should be handled here too
130 	 */
131 	if (sctp->sctp_state > SCTPS_BOUND ||
132 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
133 		WAKE_SCTP(sctp);
134 		return (EINVAL);
135 	}
136 
137 	/* Do an anonymous bind for unbound socket doing listen(). */
138 	if (sctp->sctp_nsaddrs == 0) {
139 		struct sockaddr_storage ss;
140 		int ret;
141 
142 		bzero(&ss, sizeof (ss));
143 		ss.ss_family = connp->conn_family;
144 
145 		WAKE_SCTP(sctp);
146 		if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
147 		    sizeof (ss))) != 0)
148 			return (ret);
149 		RUN_SCTP(sctp)
150 	}
151 
152 	/* Cache things in the ixa without any refhold */
153 	ASSERT(!(connp->conn_ixa->ixa_free_flags & IXA_FREE_CRED));
154 	connp->conn_ixa->ixa_cred = connp->conn_cred;
155 	connp->conn_ixa->ixa_cpid = connp->conn_cpid;
156 	if (is_system_labeled())
157 		connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
158 
159 	sctp->sctp_state = SCTPS_LISTEN;
160 	(void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
161 	sctp->sctp_last_secret_update = ddi_get_lbolt64();
162 	bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
163 	tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
164 	    ntohs(connp->conn_lport))];
165 	sctp_listen_hash_insert(tf, sctp);
166 	WAKE_SCTP(sctp);
167 	return (0);
168 }
169 
170 /*
171  * Bind the sctp_t to a sockaddr, which includes an address and other
172  * information, such as port or flowinfo.
173  */
174 int
175 sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
176 {
177 	int		user_specified;
178 	boolean_t	bind_to_req_port_only;
179 	in_port_t	requested_port;
180 	in_port_t	allocated_port;
181 	int		err = 0;
182 	conn_t		*connp = sctp->sctp_connp;
183 	uint_t		scope_id;
184 	sin_t		*sin;
185 	sin6_t		*sin6;
186 
187 	ASSERT(sctp != NULL);
188 
189 	RUN_SCTP(sctp);
190 
191 	if ((sctp->sctp_state >= SCTPS_BOUND) ||
192 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING) ||
193 	    (sa == NULL || len == 0)) {
194 		/*
195 		 * Multiple binds not allowed for any SCTP socket
196 		 * Also binding with null address is not supported.
197 		 */
198 		err = EINVAL;
199 		goto done;
200 	}
201 
202 	switch (sa->sa_family) {
203 	case AF_INET:
204 		sin = (sin_t *)sa;
205 		if (len < sizeof (struct sockaddr_in) ||
206 		    connp->conn_family == AF_INET6) {
207 			err = EINVAL;
208 			goto done;
209 		}
210 		requested_port = ntohs(sin->sin_port);
211 		break;
212 	case AF_INET6:
213 		sin6 = (sin6_t *)sa;
214 		if (len < sizeof (struct sockaddr_in6) ||
215 		    connp->conn_family == AF_INET) {
216 			err = EINVAL;
217 			goto done;
218 		}
219 		requested_port = ntohs(sin6->sin6_port);
220 		/* Set the flowinfo. */
221 		connp->conn_flowinfo =
222 		    sin6->sin6_flowinfo & ~IPV6_VERS_AND_FLOW_MASK;
223 
224 		scope_id = sin6->sin6_scope_id;
225 		if (scope_id != 0 && IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr)) {
226 			connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
227 			connp->conn_ixa->ixa_scopeid = scope_id;
228 			connp->conn_incoming_ifindex = scope_id;
229 		} else {
230 			connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
231 			connp->conn_incoming_ifindex = connp->conn_bound_if;
232 		}
233 		break;
234 	default:
235 		err = EAFNOSUPPORT;
236 		goto done;
237 	}
238 	bind_to_req_port_only = requested_port == 0 ? B_FALSE : B_TRUE;
239 
240 	err = sctp_select_port(sctp, &requested_port, &user_specified);
241 	if (err != 0)
242 		goto done;
243 
244 	if ((err = sctp_bind_add(sctp, sa, 1, B_TRUE,
245 	    user_specified == 1 ? htons(requested_port) : 0)) != 0) {
246 		goto done;
247 	}
248 	err = sctp_bindi(sctp, requested_port, bind_to_req_port_only,
249 	    user_specified, &allocated_port);
250 	if (err != 0) {
251 		sctp_free_saddrs(sctp);
252 	} else {
253 		ASSERT(sctp->sctp_state == SCTPS_BOUND);
254 	}
255 done:
256 	WAKE_SCTP(sctp);
257 	return (err);
258 }
259 
260 /*
261  * Perform bind/unbind operation of a list of addresses on a sctp_t
262  */
263 int
264 sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop)
265 {
266 	ASSERT(sctp != NULL);
267 	ASSERT(addrs != NULL);
268 	ASSERT(addrcnt > 0);
269 
270 	switch (bindop) {
271 	case SCTP_BINDX_ADD_ADDR:
272 		return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE,
273 		    sctp->sctp_connp->conn_lport));
274 	case SCTP_BINDX_REM_ADDR:
275 		return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE));
276 	default:
277 		return (EINVAL);
278 	}
279 }
280 
281 /*
282  * Add a list of addresses to a sctp_t.
283  */
284 int
285 sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
286     boolean_t caller_hold_lock, in_port_t port)
287 {
288 	int		err = 0;
289 	boolean_t	do_asconf = B_FALSE;
290 	sctp_stack_t	*sctps = sctp->sctp_sctps;
291 	conn_t		*connp = sctp->sctp_connp;
292 
293 	if (!caller_hold_lock)
294 		RUN_SCTP(sctp);
295 
296 	if (sctp->sctp_state > SCTPS_ESTABLISHED ||
297 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
298 		if (!caller_hold_lock)
299 			WAKE_SCTP(sctp);
300 		return (EINVAL);
301 	}
302 
303 	if (sctp->sctp_state > SCTPS_LISTEN) {
304 		/*
305 		 * Let's do some checking here rather than undoing the
306 		 * add later (for these reasons).
307 		 */
308 		if (!sctps->sctps_addip_enabled ||
309 		    !sctp->sctp_understands_asconf ||
310 		    !sctp->sctp_understands_addip) {
311 			if (!caller_hold_lock)
312 				WAKE_SCTP(sctp);
313 			return (EINVAL);
314 		}
315 		do_asconf = B_TRUE;
316 	}
317 	/*
318 	 * On a clustered node, for an inaddr_any bind, we will pass the list
319 	 * of all the addresses in the global list, minus any address on the
320 	 * loopback interface, and expect the clustering susbsystem to give us
321 	 * the correct list for the 'port'. For explicit binds we give the
322 	 * list of addresses  and the clustering module validates it for the
323 	 * 'port'.
324 	 *
325 	 * On a non-clustered node, cl_sctp_check_addrs will be NULL and
326 	 * we proceed as usual.
327 	 */
328 	if (cl_sctp_check_addrs != NULL) {
329 		uchar_t		*addrlist = NULL;
330 		size_t		size = 0;
331 		int		unspec = 0;
332 		boolean_t	do_listen;
333 		uchar_t		*llist = NULL;
334 		size_t		lsize = 0;
335 
336 		/*
337 		 * If we are adding addresses after listening, but before
338 		 * an association is established, we need to update the
339 		 * clustering module with this info.
340 		 */
341 		do_listen = !do_asconf && sctp->sctp_state > SCTPS_BOUND &&
342 		    cl_sctp_listen != NULL;
343 
344 		err = sctp_get_addrlist(sctp, addrs, &addrcnt, &addrlist,
345 		    &unspec, &size);
346 		if (err != 0) {
347 			ASSERT(addrlist == NULL);
348 			ASSERT(addrcnt == 0);
349 			ASSERT(size == 0);
350 			if (!caller_hold_lock)
351 				WAKE_SCTP(sctp);
352 			SCTP_KSTAT(sctps, sctp_cl_check_addrs);
353 			return (err);
354 		}
355 		ASSERT(addrlist != NULL);
356 		(*cl_sctp_check_addrs)(connp->conn_family, port, &addrlist,
357 		    size, &addrcnt, unspec == 1);
358 		if (addrcnt == 0) {
359 			/* We free the list */
360 			kmem_free(addrlist, size);
361 			if (!caller_hold_lock)
362 				WAKE_SCTP(sctp);
363 			return (EINVAL);
364 		}
365 		if (do_listen) {
366 			lsize = sizeof (in6_addr_t) * addrcnt;
367 			llist = kmem_alloc(lsize, KM_SLEEP);
368 		}
369 		err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist,
370 		    lsize);
371 		if (err == 0 && do_listen) {
372 			(*cl_sctp_listen)(connp->conn_family, llist,
373 			    addrcnt, connp->conn_lport);
374 			/* list will be freed by the clustering module */
375 		} else if (err != 0 && llist != NULL) {
376 			kmem_free(llist, lsize);
377 		}
378 		/* free the list we allocated */
379 		kmem_free(addrlist, size);
380 	} else {
381 		err = sctp_valid_addr_list(sctp, addrs, addrcnt, NULL, 0);
382 	}
383 	if (err != 0) {
384 		if (!caller_hold_lock)
385 			WAKE_SCTP(sctp);
386 		return (err);
387 	}
388 	/* Need to send  ASCONF messages */
389 	if (do_asconf) {
390 		err = sctp_add_ip(sctp, addrs, addrcnt);
391 		if (err != 0) {
392 			sctp_del_saddr_list(sctp, addrs, addrcnt, B_FALSE);
393 			if (!caller_hold_lock)
394 				WAKE_SCTP(sctp);
395 			return (err);
396 		}
397 	}
398 	if (!caller_hold_lock)
399 		WAKE_SCTP(sctp);
400 	return (0);
401 }
402 
403 /*
404  * Remove one or more addresses bound to the sctp_t.
405  */
406 int
407 sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
408     boolean_t caller_hold_lock)
409 {
410 	int		error = 0;
411 	boolean_t	do_asconf = B_FALSE;
412 	uchar_t		*ulist = NULL;
413 	size_t		usize = 0;
414 	sctp_stack_t	*sctps = sctp->sctp_sctps;
415 	conn_t		*connp = sctp->sctp_connp;
416 
417 	if (!caller_hold_lock)
418 		RUN_SCTP(sctp);
419 
420 	if (sctp->sctp_state > SCTPS_ESTABLISHED ||
421 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
422 		if (!caller_hold_lock)
423 			WAKE_SCTP(sctp);
424 		return (EINVAL);
425 	}
426 	/*
427 	 * Fail the remove if we are beyond listen, but can't send this
428 	 * to the peer.
429 	 */
430 	if (sctp->sctp_state > SCTPS_LISTEN) {
431 		if (!sctps->sctps_addip_enabled ||
432 		    !sctp->sctp_understands_asconf ||
433 		    !sctp->sctp_understands_addip) {
434 			if (!caller_hold_lock)
435 				WAKE_SCTP(sctp);
436 			return (EINVAL);
437 		}
438 		do_asconf = B_TRUE;
439 	}
440 
441 	/* Can't delete the last address nor all of the addresses */
442 	if (sctp->sctp_nsaddrs == 1 || addrcnt >= sctp->sctp_nsaddrs) {
443 		if (!caller_hold_lock)
444 			WAKE_SCTP(sctp);
445 		return (EINVAL);
446 	}
447 
448 	if (cl_sctp_unlisten != NULL && !do_asconf &&
449 	    sctp->sctp_state > SCTPS_BOUND) {
450 		usize = sizeof (in6_addr_t) * addrcnt;
451 		ulist = kmem_alloc(usize, KM_SLEEP);
452 	}
453 
454 	error = sctp_del_ip(sctp, addrs, addrcnt, ulist, usize);
455 	if (error != 0) {
456 		if (ulist != NULL)
457 			kmem_free(ulist, usize);
458 		if (!caller_hold_lock)
459 			WAKE_SCTP(sctp);
460 		return (error);
461 	}
462 	/* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */
463 	if (ulist != NULL) {
464 		ASSERT(cl_sctp_unlisten != NULL);
465 		(*cl_sctp_unlisten)(connp->conn_family, ulist, addrcnt,
466 		    connp->conn_lport);
467 		/* ulist will be freed by the clustering module */
468 	}
469 	if (!caller_hold_lock)
470 		WAKE_SCTP(sctp);
471 	return (error);
472 }
473 
474 /*
475  * Returns 0 for success, errno value otherwise.
476  *
477  * If the "bind_to_req_port_only" parameter is set and the requested port
478  * number is available, then set allocated_port to it.  If not available,
479  * return an error.
480  *
481  * If the "bind_to_req_port_only" parameter is not set and the requested port
482  * number is available, then set allocated_port to it.  If not available,
483  * find the first anonymous port we can and set allocated_port to that.  If no
484  * anonymous ports are available, return an error.
485  *
486  * In either case, when succeeding, update the sctp_t to record the port number
487  * and insert it in the bind hash table.
488  */
489 int
490 sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
491     int user_specified, in_port_t *allocated_port)
492 {
493 	/* number of times we have run around the loop */
494 	int count = 0;
495 	/* maximum number of times to run around the loop */
496 	int loopmax;
497 	sctp_stack_t	*sctps = sctp->sctp_sctps;
498 	conn_t		*connp = sctp->sctp_connp;
499 	zone_t *zone = crgetzone(connp->conn_cred);
500 	zoneid_t zoneid = connp->conn_zoneid;
501 
502 	/*
503 	 * Lookup for free addresses is done in a loop and "loopmax"
504 	 * influences how long we spin in the loop
505 	 */
506 	if (bind_to_req_port_only) {
507 		/*
508 		 * If the requested port is busy, don't bother to look
509 		 * for a new one. Setting loop maximum count to 1 has
510 		 * that effect.
511 		 */
512 		loopmax = 1;
513 	} else {
514 		/*
515 		 * If the requested port is busy, look for a free one
516 		 * in the anonymous port range.
517 		 * Set loopmax appropriately so that one does not look
518 		 * forever in the case all of the anonymous ports are in use.
519 		 */
520 		loopmax = (sctps->sctps_largest_anon_port -
521 		    sctps->sctps_smallest_anon_port + 1);
522 	}
523 	do {
524 		uint16_t	lport;
525 		sctp_tf_t	*tbf;
526 		sctp_t		*lsctp;
527 		int		addrcmp;
528 
529 		lport = htons(port);
530 
531 		/*
532 		 * Ensure that the sctp_t is not currently in the bind hash.
533 		 * Hold the lock on the hash bucket to ensure that
534 		 * the duplicate check plus the insertion is an atomic
535 		 * operation.
536 		 *
537 		 * This function does an inline lookup on the bind hash list
538 		 * Make sure that we access only members of sctp_t
539 		 * and that we don't look at sctp_sctp, since we are not
540 		 * doing a SCTPB_REFHOLD. For more details please see the notes
541 		 * in sctp_compress()
542 		 */
543 		sctp_bind_hash_remove(sctp);
544 		tbf = &sctps->sctps_bind_fanout[SCTP_BIND_HASH(port)];
545 		mutex_enter(&tbf->tf_lock);
546 		for (lsctp = tbf->tf_sctp; lsctp != NULL;
547 		    lsctp = lsctp->sctp_bind_hash) {
548 			conn_t *lconnp = lsctp->sctp_connp;
549 
550 			if (lport != lconnp->conn_lport ||
551 			    lsctp->sctp_state < SCTPS_BOUND)
552 				continue;
553 
554 			/*
555 			 * On a labeled system, we must treat bindings to ports
556 			 * on shared IP addresses by sockets with MAC exemption
557 			 * privilege as being in all zones, as there's
558 			 * otherwise no way to identify the right receiver.
559 			 */
560 			if (lconnp->conn_zoneid != zoneid &&
561 			    lconnp->conn_mac_mode == CONN_MAC_DEFAULT &&
562 			    connp->conn_mac_mode == CONN_MAC_DEFAULT)
563 				continue;
564 
565 			addrcmp = sctp_compare_saddrs(sctp, lsctp);
566 			if (addrcmp != SCTP_ADDR_DISJOINT) {
567 				if (!connp->conn_reuseaddr) {
568 					/* in use */
569 					break;
570 				} else if (lsctp->sctp_state == SCTPS_BOUND ||
571 				    lsctp->sctp_state == SCTPS_LISTEN) {
572 					/*
573 					 * socket option SO_REUSEADDR is set
574 					 * on the binding sctp_t.
575 					 *
576 					 * We have found a match of IP source
577 					 * address and source port, which is
578 					 * refused regardless of the
579 					 * SO_REUSEADDR setting, so we break.
580 					 */
581 					break;
582 				}
583 			}
584 		}
585 		if (lsctp != NULL) {
586 			/* The port number is busy */
587 			mutex_exit(&tbf->tf_lock);
588 		} else {
589 			if (is_system_labeled()) {
590 				mlp_type_t addrtype, mlptype;
591 				uint_t ipversion;
592 
593 				/*
594 				 * On a labeled system we must check the type
595 				 * of the binding requested by the user (either
596 				 * MLP or SLP on shared and private addresses),
597 				 * and that the user's requested binding
598 				 * is permitted.
599 				 */
600 				if (connp->conn_family == AF_INET)
601 					ipversion = IPV4_VERSION;
602 				else
603 					ipversion = IPV6_VERSION;
604 
605 				addrtype = tsol_mlp_addr_type(
606 				    connp->conn_allzones ? ALL_ZONES :
607 				    zone->zone_id,
608 				    ipversion,
609 				    connp->conn_family == AF_INET ?
610 				    (void *)&sctp->sctp_ipha->ipha_src :
611 				    (void *)&sctp->sctp_ip6h->ip6_src,
612 				    sctps->sctps_netstack->netstack_ip);
613 
614 				/*
615 				 * tsol_mlp_addr_type returns the possibilities
616 				 * for the selected address.  Since all local
617 				 * addresses are either private or shared, the
618 				 * return value mlptSingle means "local address
619 				 * not valid (interface not present)."
620 				 */
621 				if (addrtype == mlptSingle) {
622 					mutex_exit(&tbf->tf_lock);
623 					return (EADDRNOTAVAIL);
624 				}
625 				mlptype = tsol_mlp_port_type(zone, IPPROTO_SCTP,
626 				    port, addrtype);
627 				if (mlptype != mlptSingle) {
628 					if (secpolicy_net_bindmlp(connp->
629 					    conn_cred) != 0) {
630 						mutex_exit(&tbf->tf_lock);
631 						return (EACCES);
632 					}
633 					/*
634 					 * If we're binding a shared MLP, then
635 					 * make sure that this zone is the one
636 					 * that owns that MLP.  Shared MLPs can
637 					 * be owned by at most one zone.
638 					 *
639 					 * No need to handle exclusive-stack
640 					 * zones since ALL_ZONES only applies
641 					 * to the shared stack.
642 					 */
643 
644 					if (mlptype == mlptShared &&
645 					    addrtype == mlptShared &&
646 					    connp->conn_zoneid !=
647 					    tsol_mlp_findzone(IPPROTO_SCTP,
648 					    lport)) {
649 						mutex_exit(&tbf->tf_lock);
650 						return (EACCES);
651 					}
652 					connp->conn_mlp_type = mlptype;
653 				}
654 			}
655 			/*
656 			 * This port is ours. Insert in fanout and mark as
657 			 * bound to prevent others from getting the port
658 			 * number.
659 			 */
660 			sctp->sctp_state = SCTPS_BOUND;
661 			connp->conn_lport = lport;
662 
663 			ASSERT(&sctps->sctps_bind_fanout[
664 			    SCTP_BIND_HASH(port)] == tbf);
665 			sctp_bind_hash_insert(tbf, sctp, 1);
666 
667 			mutex_exit(&tbf->tf_lock);
668 
669 			/*
670 			 * We don't want sctp_next_port_to_try to "inherit"
671 			 * a port number supplied by the user in a bind.
672 			 *
673 			 * This is the only place where sctp_next_port_to_try
674 			 * is updated. After the update, it may or may not
675 			 * be in the valid range.
676 			 */
677 			if (user_specified == 0)
678 				sctps->sctps_next_port_to_try = port + 1;
679 
680 			*allocated_port = port;
681 
682 			return (0);
683 		}
684 
685 		if ((count == 0) && (user_specified)) {
686 			/*
687 			 * We may have to return an anonymous port. So
688 			 * get one to start with.
689 			 */
690 			port = sctp_update_next_port(
691 			    sctps->sctps_next_port_to_try,
692 			    zone, sctps);
693 			user_specified = 0;
694 		} else {
695 			port = sctp_update_next_port(port + 1, zone, sctps);
696 		}
697 		if (port == 0)
698 			break;
699 
700 		/*
701 		 * Don't let this loop run forever in the case where
702 		 * all of the anonymous ports are in use.
703 		 */
704 	} while (++count < loopmax);
705 
706 	return (bind_to_req_port_only ? EADDRINUSE : EADDRNOTAVAIL);
707 }
708 
709 /*
710  * Don't let port fall into the privileged range.
711  * Since the extra privileged ports can be arbitrary we also
712  * ensure that we exclude those from consideration.
713  * sctp_g_epriv_ports is not sorted thus we loop over it until
714  * there are no changes.
715  *
716  * Note: No locks are held when inspecting sctp_g_*epriv_ports
717  * but instead the code relies on:
718  * - the fact that the address of the array and its size never changes
719  * - the atomic assignment of the elements of the array
720  */
721 in_port_t
722 sctp_update_next_port(in_port_t port, zone_t *zone, sctp_stack_t *sctps)
723 {
724 	int i;
725 	boolean_t restart = B_FALSE;
726 
727 retry:
728 	if (port < sctps->sctps_smallest_anon_port)
729 		port = sctps->sctps_smallest_anon_port;
730 
731 	if (port > sctps->sctps_largest_anon_port) {
732 		if (restart)
733 			return (0);
734 		restart = B_TRUE;
735 		port = sctps->sctps_smallest_anon_port;
736 	}
737 
738 	if (port < sctps->sctps_smallest_nonpriv_port)
739 		port = sctps->sctps_smallest_nonpriv_port;
740 
741 	for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
742 		if (port == sctps->sctps_g_epriv_ports[i]) {
743 			port++;
744 			/*
745 			 * Make sure whether the port is in the
746 			 * valid range.
747 			 *
748 			 * XXX Note that if sctp_g_epriv_ports contains
749 			 * all the anonymous ports this will be an
750 			 * infinite loop.
751 			 */
752 			goto retry;
753 		}
754 	}
755 
756 	if (is_system_labeled() &&
757 	    (i = tsol_next_port(zone, port, IPPROTO_SCTP, B_TRUE)) != 0) {
758 		port = i;
759 		goto retry;
760 	}
761 
762 	return (port);
763 }
764