xref: /illumos-gate/usr/src/uts/common/inet/sctp/sctp_input.c (revision 45ede40b2394db7967e59f19288fae9b62efd4aa)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/systm.h>
28 #include <sys/stream.h>
29 #include <sys/cmn_err.h>
30 #include <sys/kmem.h>
31 #define	_SUN_TPI_VERSION 2
32 #include <sys/tihdr.h>
33 #include <sys/socket.h>
34 #include <sys/strsun.h>
35 #include <sys/strsubr.h>
36 
37 #include <netinet/in.h>
38 #include <netinet/ip6.h>
39 #include <netinet/tcp_seq.h>
40 #include <netinet/sctp.h>
41 
42 #include <inet/common.h>
43 #include <inet/ip.h>
44 #include <inet/ip_if.h>
45 #include <inet/ip6.h>
46 #include <inet/mib2.h>
47 #include <inet/ipclassifier.h>
48 #include <inet/ipp_common.h>
49 #include <inet/ipsec_impl.h>
50 #include <inet/sctp_ip.h>
51 
52 #include "sctp_impl.h"
53 #include "sctp_asconf.h"
54 #include "sctp_addr.h"
55 
56 static struct kmem_cache *sctp_kmem_set_cache;
57 
58 /*
59  * PR-SCTP comments.
60  *
61  * When we get a valid Forward TSN chunk, we check the fragment list for this
62  * SSN and preceeding SSNs free all them. Further, if this Forward TSN causes
63  * the next expected SSN to be present in the stream queue, we deliver any
64  * such stranded messages upstream. We also update the SACK info. appropriately.
65  * When checking for advancing the cumulative ack (in sctp_cumack()) we must
66  * check for abandoned chunks and messages. While traversing the tramsmit
67  * list if we come across an abandoned chunk, we can skip the message (i.e.
68  * take it out of the (re)transmit list) since this message, and hence this
69  * chunk, has been marked abandoned by sctp_rexmit(). If we come across an
70  * unsent chunk for a message this now abandoned we need to check if a
71  * Forward TSN needs to be sent, this could be a case where we deferred sending
72  * a Forward TSN in sctp_get_msg_to_send(). Further, after processing a
73  * SACK we check if the Advanced peer ack point can be moved ahead, i.e.
74  * if we can send a Forward TSN via sctp_check_abandoned_data().
75  */
76 void
77 sctp_free_set(sctp_set_t *s)
78 {
79 	sctp_set_t *p;
80 
81 	while (s) {
82 		p = s->next;
83 		kmem_cache_free(sctp_kmem_set_cache, s);
84 		s = p;
85 	}
86 }
87 
88 static void
89 sctp_ack_add(sctp_set_t **head, uint32_t tsn, int *num)
90 {
91 	sctp_set_t *p, *t;
92 
93 	if (head == NULL || num == NULL)
94 		return;
95 
96 	ASSERT(*num >= 0);
97 	ASSERT((*num == 0 && *head == NULL) || (*num > 0 && *head != NULL));
98 
99 	if (*head == NULL) {
100 		*head = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
101 		if (*head == NULL)
102 			return;
103 		(*head)->prev = (*head)->next = NULL;
104 		(*head)->begin = tsn;
105 		(*head)->end = tsn;
106 		*num = 1;
107 		return;
108 	}
109 
110 	ASSERT((*head)->prev == NULL);
111 
112 	/*
113 	 * Handle this special case here so we don't have to check
114 	 * for it each time in the loop.
115 	 */
116 	if (SEQ_LT(tsn + 1, (*head)->begin)) {
117 		/* add a new set, and move the head pointer */
118 		t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
119 		if (t == NULL)
120 			return;
121 		t->next = *head;
122 		t->prev = NULL;
123 		(*head)->prev = t;
124 		t->begin = tsn;
125 		t->end = tsn;
126 		(*num)++;
127 		*head = t;
128 		return;
129 	}
130 
131 	/*
132 	 * We need to handle the following cases, where p points to
133 	 * the current set (as we walk through the loop):
134 	 *
135 	 * 1. tsn is entirely less than p; create a new set before p.
136 	 * 2. tsn borders p from less; coalesce p with tsn.
137 	 * 3. tsn is withing p; do nothing.
138 	 * 4. tsn borders p from greater; coalesce p with tsn.
139 	 * 4a. p may now border p->next from less; if so, coalesce those
140 	 *    two sets.
141 	 * 5. tsn is entirely greater then all sets; add a new set at
142 	 *    the end.
143 	 */
144 	for (p = *head; ; p = p->next) {
145 		if (SEQ_LT(tsn + 1, p->begin)) {
146 			/* 1: add a new set before p. */
147 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
148 			if (t == NULL)
149 				return;
150 			t->next = p;
151 			t->prev = NULL;
152 			t->begin = tsn;
153 			t->end = tsn;
154 			if (p->prev) {
155 				t->prev = p->prev;
156 				p->prev->next = t;
157 			}
158 			p->prev = t;
159 			(*num)++;
160 			return;
161 		}
162 
163 		if ((tsn + 1) == p->begin) {
164 			/* 2: adjust p->begin */
165 			p->begin = tsn;
166 			return;
167 		}
168 
169 		if (SEQ_GEQ(tsn, p->begin) && SEQ_LEQ(tsn, p->end)) {
170 			/* 3; do nothing */
171 			return;
172 		}
173 
174 		if ((p->end + 1) == tsn) {
175 			/* 4; adjust p->end */
176 			p->end = tsn;
177 
178 			if (p->next != NULL && (tsn + 1) == p->next->begin) {
179 				/* 4a: coalesce p and p->next */
180 				t = p->next;
181 				p->end = t->end;
182 				p->next = t->next;
183 				if (t->next != NULL)
184 					t->next->prev = p;
185 				kmem_cache_free(sctp_kmem_set_cache, t);
186 				(*num)--;
187 			}
188 			return;
189 		}
190 
191 		if (p->next == NULL) {
192 			/* 5: add new set at the end */
193 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
194 			if (t == NULL)
195 				return;
196 			t->next = NULL;
197 			t->prev = p;
198 			t->begin = tsn;
199 			t->end = tsn;
200 			p->next = t;
201 			(*num)++;
202 			return;
203 		}
204 
205 		if (SEQ_GT(tsn, p->end + 1))
206 			continue;
207 	}
208 }
209 
210 static void
211 sctp_ack_rem(sctp_set_t **head, uint32_t end, int *num)
212 {
213 	sctp_set_t *p, *t;
214 
215 	if (head == NULL || *head == NULL || num == NULL)
216 		return;
217 
218 	/* Nothing to remove */
219 	if (SEQ_LT(end, (*head)->begin))
220 		return;
221 
222 	/* Find out where to start removing sets */
223 	for (p = *head; p->next; p = p->next) {
224 		if (SEQ_LEQ(end, p->end))
225 			break;
226 	}
227 
228 	if (SEQ_LT(end, p->end) && SEQ_GEQ(end, p->begin)) {
229 		/* adjust p */
230 		p->begin = end + 1;
231 		/* all done */
232 		if (p == *head)
233 			return;
234 	} else if (SEQ_GEQ(end, p->end)) {
235 		/* remove this set too */
236 		p = p->next;
237 	}
238 
239 	/* unlink everything before this set */
240 	t = *head;
241 	*head = p;
242 	if (p != NULL && p->prev != NULL) {
243 		p->prev->next = NULL;
244 		p->prev = NULL;
245 	}
246 
247 	sctp_free_set(t);
248 
249 	/* recount the number of sets */
250 	*num = 0;
251 
252 	for (p = *head; p != NULL; p = p->next)
253 		(*num)++;
254 }
255 
256 void
257 sctp_sets_init()
258 {
259 	sctp_kmem_set_cache = kmem_cache_create("sctp_set_cache",
260 	    sizeof (sctp_set_t), 0, NULL, NULL, NULL, NULL,
261 	    NULL, 0);
262 }
263 
264 void
265 sctp_sets_fini()
266 {
267 	kmem_cache_destroy(sctp_kmem_set_cache);
268 }
269 
270 sctp_chunk_hdr_t *
271 sctp_first_chunk(uchar_t *rptr, ssize_t remaining)
272 {
273 	sctp_chunk_hdr_t *ch;
274 	uint16_t ch_len;
275 
276 	if (remaining < sizeof (*ch)) {
277 		return (NULL);
278 	}
279 
280 	ch = (sctp_chunk_hdr_t *)rptr;
281 	ch_len = ntohs(ch->sch_len);
282 
283 	if (ch_len < sizeof (*ch) || remaining < ch_len) {
284 		return (NULL);
285 	}
286 
287 	return (ch);
288 }
289 
290 sctp_chunk_hdr_t *
291 sctp_next_chunk(sctp_chunk_hdr_t *ch, ssize_t *remaining)
292 {
293 	int pad;
294 	uint16_t ch_len;
295 
296 	if (!ch) {
297 		return (NULL);
298 	}
299 
300 	ch_len = ntohs(ch->sch_len);
301 
302 	if ((pad = ch_len & (SCTP_ALIGN - 1)) != 0) {
303 		pad = SCTP_ALIGN - pad;
304 	}
305 
306 	*remaining -= (ch_len + pad);
307 	ch = (sctp_chunk_hdr_t *)((char *)ch + ch_len + pad);
308 
309 	return (sctp_first_chunk((uchar_t *)ch, *remaining));
310 }
311 
312 /*
313  * Attach ancillary data to a received SCTP segments.
314  * If the source address (fp) is not the primary, send up a
315  * unitdata_ind so recvfrom() can populate the msg_name field.
316  * If ancillary data is also requested, we append it to the
317  * unitdata_req. Otherwise, we just send up an optdata_ind.
318  */
319 static int
320 sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
321     sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
322 {
323 	struct T_unitdata_ind	*tudi;
324 	int			optlen;
325 	int			hdrlen;
326 	uchar_t			*optptr;
327 	struct cmsghdr		*cmsg;
328 	mblk_t			*mp1;
329 	struct sockaddr_in6	sin_buf[1];
330 	struct sockaddr_in6	*sin6;
331 	struct sockaddr_in	*sin4;
332 	crb_t			 addflag;	/* Which pieces to add */
333 	conn_t			*connp = sctp->sctp_connp;
334 
335 	sin4 = NULL;
336 	sin6 = NULL;
337 
338 	optlen = hdrlen = 0;
339 	addflag.crb_all = 0;
340 
341 	/* Figure out address size */
342 	if (connp->conn_family == AF_INET) {
343 		sin4 = (struct sockaddr_in *)sin_buf;
344 		sin4->sin_family = AF_INET;
345 		sin4->sin_port = connp->conn_fport;
346 		IN6_V4MAPPED_TO_IPADDR(&fp->sf_faddr, sin4->sin_addr.s_addr);
347 		hdrlen = sizeof (*tudi) + sizeof (*sin4);
348 	} else {
349 		sin6 = sin_buf;
350 		sin6->sin6_family = AF_INET6;
351 		sin6->sin6_port = connp->conn_fport;
352 		sin6->sin6_addr = fp->sf_faddr;
353 		hdrlen = sizeof (*tudi) + sizeof (*sin6);
354 	}
355 	/* If app asked to receive send / recv info */
356 	if (sctp->sctp_recvsndrcvinfo)
357 		optlen += sizeof (*cmsg) + sizeof (struct sctp_sndrcvinfo);
358 
359 	if (connp->conn_recv_ancillary.crb_all == 0)
360 		goto noancillary;
361 
362 	if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
363 	    ira->ira_ruifindex != sctp->sctp_recvifindex) {
364 		optlen += sizeof (*cmsg) + sizeof (struct in6_pktinfo);
365 		if (hdrlen == 0)
366 			hdrlen = sizeof (struct T_unitdata_ind);
367 		addflag.crb_ip_recvpktinfo = 1;
368 	}
369 	/* If app asked for hoplimit and it has changed ... */
370 	if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
371 	    ipp->ipp_hoplimit != sctp->sctp_recvhops) {
372 		optlen += sizeof (*cmsg) + sizeof (uint_t);
373 		if (hdrlen == 0)
374 			hdrlen = sizeof (struct T_unitdata_ind);
375 		addflag.crb_ipv6_recvhoplimit = 1;
376 	}
377 	/* If app asked for tclass and it has changed ... */
378 	if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
379 	    ipp->ipp_tclass != sctp->sctp_recvtclass) {
380 		optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
381 		if (hdrlen == 0)
382 			hdrlen = sizeof (struct T_unitdata_ind);
383 		addflag.crb_ipv6_recvtclass = 1;
384 	}
385 	/* If app asked for hopbyhop headers and it has changed ... */
386 	if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
387 	    ip_cmpbuf(sctp->sctp_hopopts, sctp->sctp_hopoptslen,
388 	    (ipp->ipp_fields & IPPF_HOPOPTS),
389 	    ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
390 		optlen += sizeof (*cmsg) + ipp->ipp_hopoptslen -
391 		    sctp->sctp_v6label_len;
392 		if (hdrlen == 0)
393 			hdrlen = sizeof (struct T_unitdata_ind);
394 		addflag.crb_ipv6_recvhopopts = 1;
395 		if (!ip_allocbuf((void **)&sctp->sctp_hopopts,
396 		    &sctp->sctp_hopoptslen,
397 		    (ipp->ipp_fields & IPPF_HOPOPTS),
398 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
399 			return (-1);
400 	}
401 	/* If app asked for dst headers before routing headers ... */
402 	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
403 	    ip_cmpbuf(sctp->sctp_rthdrdstopts, sctp->sctp_rthdrdstoptslen,
404 	    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
405 	    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
406 		optlen += sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
407 		if (hdrlen == 0)
408 			hdrlen = sizeof (struct T_unitdata_ind);
409 		addflag.crb_ipv6_recvrthdrdstopts = 1;
410 		if (!ip_allocbuf((void **)&sctp->sctp_rthdrdstopts,
411 		    &sctp->sctp_rthdrdstoptslen,
412 		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
413 		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
414 			return (-1);
415 	}
416 	/* If app asked for routing headers and it has changed ... */
417 	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
418 	    ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
419 	    (ipp->ipp_fields & IPPF_RTHDR),
420 	    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
421 		optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
422 		if (hdrlen == 0)
423 			hdrlen = sizeof (struct T_unitdata_ind);
424 		addflag.crb_ipv6_recvrthdr = 1;
425 		if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
426 		    &sctp->sctp_rthdrlen,
427 		    (ipp->ipp_fields & IPPF_RTHDR),
428 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
429 			return (-1);
430 	}
431 	/* If app asked for dest headers and it has changed ... */
432 	if (connp->conn_recv_ancillary.crb_ipv6_recvdstopts &&
433 	    ip_cmpbuf(sctp->sctp_dstopts, sctp->sctp_dstoptslen,
434 	    (ipp->ipp_fields & IPPF_DSTOPTS),
435 	    ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
436 		optlen += sizeof (*cmsg) + ipp->ipp_dstoptslen;
437 		if (hdrlen == 0)
438 			hdrlen = sizeof (struct T_unitdata_ind);
439 		addflag.crb_ipv6_recvdstopts = 1;
440 		if (!ip_allocbuf((void **)&sctp->sctp_dstopts,
441 		    &sctp->sctp_dstoptslen,
442 		    (ipp->ipp_fields & IPPF_DSTOPTS),
443 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
444 			return (-1);
445 	}
446 noancillary:
447 	/* Nothing to add */
448 	if (hdrlen == 0)
449 		return (-1);
450 
451 	mp1 = allocb(hdrlen + optlen + sizeof (void *), BPRI_MED);
452 	if (mp1 == NULL)
453 		return (-1);
454 	mp1->b_cont = *mp;
455 	*mp = mp1;
456 	mp1->b_rptr += sizeof (void *);  /* pointer worth of padding */
457 	mp1->b_wptr = mp1->b_rptr + hdrlen + optlen;
458 	DB_TYPE(mp1) = M_PROTO;
459 	tudi = (struct T_unitdata_ind *)mp1->b_rptr;
460 	tudi->PRIM_type = T_UNITDATA_IND;
461 	tudi->SRC_length = sin4 ? sizeof (*sin4) : sizeof (*sin6);
462 	tudi->SRC_offset = sizeof (*tudi);
463 	tudi->OPT_offset = sizeof (*tudi) + tudi->SRC_length;
464 	tudi->OPT_length = optlen;
465 	if (sin4) {
466 		bcopy(sin4, tudi + 1, sizeof (*sin4));
467 	} else {
468 		bcopy(sin6, tudi + 1, sizeof (*sin6));
469 	}
470 	optptr = (uchar_t *)tudi + tudi->OPT_offset;
471 
472 	if (sctp->sctp_recvsndrcvinfo) {
473 		/* XXX need backout method if memory allocation fails. */
474 		struct sctp_sndrcvinfo *sri;
475 
476 		cmsg = (struct cmsghdr *)optptr;
477 		cmsg->cmsg_level = IPPROTO_SCTP;
478 		cmsg->cmsg_type = SCTP_SNDRCV;
479 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*sri);
480 		optptr += sizeof (*cmsg);
481 
482 		sri = (struct sctp_sndrcvinfo *)(cmsg + 1);
483 		ASSERT(OK_32PTR(sri));
484 		sri->sinfo_stream = ntohs(dcp->sdh_sid);
485 		sri->sinfo_ssn = ntohs(dcp->sdh_ssn);
486 		if (SCTP_DATA_GET_UBIT(dcp)) {
487 			sri->sinfo_flags = MSG_UNORDERED;
488 		} else {
489 			sri->sinfo_flags = 0;
490 		}
491 		sri->sinfo_ppid = dcp->sdh_payload_id;
492 		sri->sinfo_context = 0;
493 		sri->sinfo_timetolive = 0;
494 		sri->sinfo_tsn = ntohl(dcp->sdh_tsn);
495 		sri->sinfo_cumtsn = sctp->sctp_ftsn;
496 		sri->sinfo_assoc_id = 0;
497 
498 		optptr += sizeof (*sri);
499 	}
500 
501 	/*
502 	 * If app asked for pktinfo and the index has changed ...
503 	 * Note that the local address never changes for the connection.
504 	 */
505 	if (addflag.crb_ip_recvpktinfo) {
506 		struct in6_pktinfo *pkti;
507 		uint_t ifindex;
508 
509 		ifindex = ira->ira_ruifindex;
510 		cmsg = (struct cmsghdr *)optptr;
511 		cmsg->cmsg_level = IPPROTO_IPV6;
512 		cmsg->cmsg_type = IPV6_PKTINFO;
513 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*pkti);
514 		optptr += sizeof (*cmsg);
515 
516 		pkti = (struct in6_pktinfo *)optptr;
517 		if (connp->conn_family == AF_INET6)
518 			pkti->ipi6_addr = sctp->sctp_ip6h->ip6_src;
519 		else
520 			IN6_IPADDR_TO_V4MAPPED(sctp->sctp_ipha->ipha_src,
521 			    &pkti->ipi6_addr);
522 
523 		pkti->ipi6_ifindex = ifindex;
524 		optptr += sizeof (*pkti);
525 		ASSERT(OK_32PTR(optptr));
526 		/* Save as "last" value */
527 		sctp->sctp_recvifindex = ifindex;
528 	}
529 	/* If app asked for hoplimit and it has changed ... */
530 	if (addflag.crb_ipv6_recvhoplimit) {
531 		cmsg = (struct cmsghdr *)optptr;
532 		cmsg->cmsg_level = IPPROTO_IPV6;
533 		cmsg->cmsg_type = IPV6_HOPLIMIT;
534 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
535 		optptr += sizeof (*cmsg);
536 
537 		*(uint_t *)optptr = ipp->ipp_hoplimit;
538 		optptr += sizeof (uint_t);
539 		ASSERT(OK_32PTR(optptr));
540 		/* Save as "last" value */
541 		sctp->sctp_recvhops = ipp->ipp_hoplimit;
542 	}
543 	/* If app asked for tclass and it has changed ... */
544 	if (addflag.crb_ipv6_recvtclass) {
545 		cmsg = (struct cmsghdr *)optptr;
546 		cmsg->cmsg_level = IPPROTO_IPV6;
547 		cmsg->cmsg_type = IPV6_TCLASS;
548 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
549 		optptr += sizeof (*cmsg);
550 
551 		*(uint_t *)optptr = ipp->ipp_tclass;
552 		optptr += sizeof (uint_t);
553 		ASSERT(OK_32PTR(optptr));
554 		/* Save as "last" value */
555 		sctp->sctp_recvtclass = ipp->ipp_tclass;
556 	}
557 	if (addflag.crb_ipv6_recvhopopts) {
558 		cmsg = (struct cmsghdr *)optptr;
559 		cmsg->cmsg_level = IPPROTO_IPV6;
560 		cmsg->cmsg_type = IPV6_HOPOPTS;
561 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_hopoptslen;
562 		optptr += sizeof (*cmsg);
563 
564 		bcopy(ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
565 		optptr += ipp->ipp_hopoptslen;
566 		ASSERT(OK_32PTR(optptr));
567 		/* Save as last value */
568 		ip_savebuf((void **)&sctp->sctp_hopopts,
569 		    &sctp->sctp_hopoptslen,
570 		    (ipp->ipp_fields & IPPF_HOPOPTS),
571 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
572 	}
573 	if (addflag.crb_ipv6_recvrthdrdstopts) {
574 		cmsg = (struct cmsghdr *)optptr;
575 		cmsg->cmsg_level = IPPROTO_IPV6;
576 		cmsg->cmsg_type = IPV6_RTHDRDSTOPTS;
577 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
578 		optptr += sizeof (*cmsg);
579 
580 		bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
581 		optptr += ipp->ipp_rthdrdstoptslen;
582 		ASSERT(OK_32PTR(optptr));
583 		/* Save as last value */
584 		ip_savebuf((void **)&sctp->sctp_rthdrdstopts,
585 		    &sctp->sctp_rthdrdstoptslen,
586 		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
587 		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
588 	}
589 	if (addflag.crb_ipv6_recvrthdr) {
590 		cmsg = (struct cmsghdr *)optptr;
591 		cmsg->cmsg_level = IPPROTO_IPV6;
592 		cmsg->cmsg_type = IPV6_RTHDR;
593 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrlen;
594 		optptr += sizeof (*cmsg);
595 
596 		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
597 		optptr += ipp->ipp_rthdrlen;
598 		ASSERT(OK_32PTR(optptr));
599 		/* Save as last value */
600 		ip_savebuf((void **)&sctp->sctp_rthdr,
601 		    &sctp->sctp_rthdrlen,
602 		    (ipp->ipp_fields & IPPF_RTHDR),
603 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
604 	}
605 	if (addflag.crb_ipv6_recvdstopts) {
606 		cmsg = (struct cmsghdr *)optptr;
607 		cmsg->cmsg_level = IPPROTO_IPV6;
608 		cmsg->cmsg_type = IPV6_DSTOPTS;
609 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_dstoptslen;
610 		optptr += sizeof (*cmsg);
611 
612 		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
613 		optptr += ipp->ipp_dstoptslen;
614 		ASSERT(OK_32PTR(optptr));
615 		/* Save as last value */
616 		ip_savebuf((void **)&sctp->sctp_dstopts,
617 		    &sctp->sctp_dstoptslen,
618 		    (ipp->ipp_fields & IPPF_DSTOPTS),
619 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
620 	}
621 
622 	ASSERT(optptr == mp1->b_wptr);
623 
624 	return (0);
625 }
626 
627 void
628 sctp_free_reass(sctp_instr_t *sip)
629 {
630 	mblk_t *mp, *mpnext, *mctl;
631 #ifdef	DEBUG
632 	sctp_reass_t	*srp;
633 #endif
634 
635 	for (mp = sip->istr_reass; mp != NULL; mp = mpnext) {
636 		mpnext = mp->b_next;
637 		mp->b_next = NULL;
638 		mp->b_prev = NULL;
639 		if (DB_TYPE(mp) == M_CTL) {
640 			mctl = mp;
641 #ifdef	DEBUG
642 			srp = (sctp_reass_t *)DB_BASE(mctl);
643 			/* Partial delivery can leave empty srp */
644 			ASSERT(mp->b_cont != NULL || srp->sr_got == 0);
645 #endif
646 			mp = mp->b_cont;
647 			mctl->b_cont = NULL;
648 			freeb(mctl);
649 		}
650 		freemsg(mp);
651 	}
652 	sip->istr_reass = NULL;
653 }
654 
655 /*
656  * If the series of data fragments of which dmp is a part is successfully
657  * reassembled, the first mblk in the series is returned. dc is adjusted
658  * to point at the data chunk in the lead mblk, and b_rptr also points to
659  * the data chunk; the following mblk's b_rptr's point at the actual payload.
660  *
661  * If the series is not yet reassembled, NULL is returned. dc is not changed.
662  * XXX should probably move this up into the state machine.
663  */
664 
665 /* Fragment list for un-ordered messages. Partial delivery is not supported */
666 static mblk_t *
667 sctp_uodata_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc)
668 {
669 	mblk_t		*hmp;
670 	mblk_t		*begin = NULL;
671 	mblk_t		*end = NULL;
672 	sctp_data_hdr_t	*qdc;
673 	uint32_t	ntsn;
674 	uint32_t	tsn = ntohl((*dc)->sdh_tsn);
675 #ifdef	DEBUG
676 	mblk_t		*mp1;
677 #endif
678 
679 	/* First frag. */
680 	if (sctp->sctp_uo_frags == NULL) {
681 		sctp->sctp_uo_frags = dmp;
682 		return (NULL);
683 	}
684 	hmp = sctp->sctp_uo_frags;
685 	/*
686 	 * Insert the segment according to the TSN, fragmented unordered
687 	 * chunks are sequenced by TSN.
688 	 */
689 	while (hmp != NULL) {
690 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
691 		ntsn = ntohl(qdc->sdh_tsn);
692 		if (SEQ_GT(ntsn, tsn)) {
693 			if (hmp->b_prev == NULL) {
694 				dmp->b_next = hmp;
695 				hmp->b_prev = dmp;
696 				sctp->sctp_uo_frags = dmp;
697 			} else {
698 				dmp->b_next = hmp;
699 				dmp->b_prev = hmp->b_prev;
700 				hmp->b_prev->b_next = dmp;
701 				hmp->b_prev = dmp;
702 			}
703 			break;
704 		}
705 		if (hmp->b_next == NULL) {
706 			hmp->b_next = dmp;
707 			dmp->b_prev = hmp;
708 			break;
709 		}
710 		hmp = hmp->b_next;
711 	}
712 	/* check if we completed a msg */
713 	if (SCTP_DATA_GET_BBIT(*dc)) {
714 		begin = dmp;
715 	} else if (SCTP_DATA_GET_EBIT(*dc)) {
716 		end = dmp;
717 	}
718 	/*
719 	 * We walk consecutive TSNs backwards till we get a seg. with
720 	 * the B bit
721 	 */
722 	if (begin == NULL) {
723 		for (hmp = dmp->b_prev; hmp != NULL; hmp = hmp->b_prev) {
724 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
725 			ntsn = ntohl(qdc->sdh_tsn);
726 			if ((int32_t)(tsn - ntsn) > 1) {
727 				return (NULL);
728 			}
729 			if (SCTP_DATA_GET_BBIT(qdc)) {
730 				begin = hmp;
731 				break;
732 			}
733 			tsn = ntsn;
734 		}
735 	}
736 	tsn = ntohl((*dc)->sdh_tsn);
737 	/*
738 	 * We walk consecutive TSNs till we get a seg. with the E bit
739 	 */
740 	if (end == NULL) {
741 		for (hmp = dmp->b_next; hmp != NULL; hmp = hmp->b_next) {
742 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
743 			ntsn = ntohl(qdc->sdh_tsn);
744 			if ((int32_t)(ntsn - tsn) > 1) {
745 				return (NULL);
746 			}
747 			if (SCTP_DATA_GET_EBIT(qdc)) {
748 				end = hmp;
749 				break;
750 			}
751 			tsn = ntsn;
752 		}
753 	}
754 	if (begin == NULL || end == NULL) {
755 		return (NULL);
756 	}
757 	/* Got one!, Remove the msg from the list */
758 	if (sctp->sctp_uo_frags == begin) {
759 		ASSERT(begin->b_prev == NULL);
760 		sctp->sctp_uo_frags = end->b_next;
761 		if (end->b_next != NULL)
762 			end->b_next->b_prev = NULL;
763 	} else {
764 		begin->b_prev->b_next = end->b_next;
765 		if (end->b_next != NULL)
766 			end->b_next->b_prev = begin->b_prev;
767 	}
768 	begin->b_prev = NULL;
769 	end->b_next = NULL;
770 
771 	/*
772 	 * Null out b_next and b_prev and chain using b_cont.
773 	 */
774 	dmp = end = begin;
775 	hmp = begin->b_next;
776 	*dc = (sctp_data_hdr_t *)begin->b_rptr;
777 	begin->b_next = NULL;
778 	while (hmp != NULL) {
779 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
780 		hmp->b_rptr = (uchar_t *)(qdc + 1);
781 		end = hmp->b_next;
782 		dmp->b_cont = hmp;
783 		dmp = hmp;
784 
785 		if (end != NULL)
786 			hmp->b_next = NULL;
787 		hmp->b_prev = NULL;
788 		hmp = end;
789 	}
790 	BUMP_LOCAL(sctp->sctp_reassmsgs);
791 #ifdef	DEBUG
792 	mp1 = begin;
793 	while (mp1 != NULL) {
794 		ASSERT(mp1->b_next == NULL);
795 		ASSERT(mp1->b_prev == NULL);
796 		mp1 = mp1->b_cont;
797 	}
798 #endif
799 	return (begin);
800 }
801 
802 /*
803  * Try partial delivery.
804  */
805 static mblk_t *
806 sctp_try_partial_delivery(sctp_t *sctp, mblk_t *hmp, sctp_reass_t *srp,
807     sctp_data_hdr_t **dc)
808 {
809 	mblk_t		*mp;
810 	mblk_t		*dmp;
811 	mblk_t		*qmp;
812 	mblk_t		*prev;
813 	sctp_data_hdr_t	*qdc;
814 	uint32_t	tsn;
815 
816 	ASSERT(DB_TYPE(hmp) == M_CTL);
817 
818 	dprint(4, ("trypartial: got=%d, needed=%d\n",
819 	    (int)(srp->sr_got), (int)(srp->sr_needed)));
820 
821 	mp = hmp->b_cont;
822 	qdc = (sctp_data_hdr_t *)mp->b_rptr;
823 
824 	ASSERT(SCTP_DATA_GET_BBIT(qdc) && srp->sr_hasBchunk);
825 
826 	tsn = ntohl(qdc->sdh_tsn) + 1;
827 
828 	/*
829 	 * This loop has two exit conditions: the
830 	 * end of received chunks has been reached, or
831 	 * there is a break in the sequence. We want
832 	 * to chop the reassembly list as follows (the
833 	 * numbers are TSNs):
834 	 *   10 -> 11 ->	(end of chunks)
835 	 *   10 -> 11 -> | 13   (break in sequence)
836 	 */
837 	prev = mp;
838 	mp = mp->b_cont;
839 	while (mp != NULL) {
840 		qdc = (sctp_data_hdr_t *)mp->b_rptr;
841 		if (ntohl(qdc->sdh_tsn) != tsn)
842 			break;
843 		prev = mp;
844 		mp = mp->b_cont;
845 		tsn++;
846 	}
847 	/*
848 	 * We are sending all the fragments upstream, we have to retain
849 	 * the srp info for further fragments.
850 	 */
851 	if (mp == NULL) {
852 		dmp = hmp->b_cont;
853 		hmp->b_cont = NULL;
854 		srp->sr_nexttsn = tsn;
855 		srp->sr_msglen = 0;
856 		srp->sr_needed = 0;
857 		srp->sr_got = 0;
858 		srp->sr_tail = NULL;
859 	} else {
860 		/*
861 		 * There is a gap then some ordered frags which are not
862 		 * the next deliverable tsn. When the next deliverable
863 		 * frag arrives it will be set as the new list head in
864 		 * sctp_data_frag() by setting the B bit.
865 		 */
866 		dmp = hmp->b_cont;
867 		hmp->b_cont = mp;
868 	}
869 	srp->sr_hasBchunk = B_FALSE;
870 	/*
871 	 * mp now points at the last chunk in the sequence,
872 	 * and prev points to mp's previous in the list.
873 	 * We chop the list at prev. Subsequent fragment
874 	 * deliveries will follow the normal reassembly
875 	 * path unless they too exceed the sctp_pd_point.
876 	 */
877 	prev->b_cont = NULL;
878 	srp->sr_partial_delivered = B_TRUE;
879 
880 	dprint(4, ("trypartial: got some, got=%d, needed=%d\n",
881 	    (int)(srp->sr_got), (int)(srp->sr_needed)));
882 
883 	/*
884 	 * Adjust all mblk's except the lead so their rptr's point to the
885 	 * payload. sctp_data_chunk() will need to process the lead's
886 	 * data chunk section, so leave it's rptr pointing at the data chunk.
887 	 */
888 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
889 	if (srp->sr_tail != NULL) {
890 		srp->sr_got--;
891 		ASSERT(srp->sr_got != 0);
892 		if (srp->sr_needed != 0) {
893 			srp->sr_needed--;
894 			ASSERT(srp->sr_needed != 0);
895 		}
896 		srp->sr_msglen -= ntohs((*dc)->sdh_len);
897 	}
898 	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
899 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
900 		qmp->b_rptr = (uchar_t *)(qdc + 1);
901 
902 		/*
903 		 * Deduct the balance from got and needed here, now that
904 		 * we know we are actually delivering these data.
905 		 */
906 		if (srp->sr_tail != NULL) {
907 			srp->sr_got--;
908 			ASSERT(srp->sr_got != 0);
909 			if (srp->sr_needed != 0) {
910 				srp->sr_needed--;
911 				ASSERT(srp->sr_needed != 0);
912 			}
913 			srp->sr_msglen -= ntohs(qdc->sdh_len);
914 		}
915 	}
916 	ASSERT(srp->sr_msglen == 0);
917 	BUMP_LOCAL(sctp->sctp_reassmsgs);
918 
919 	return (dmp);
920 }
921 
922 /*
923  * Handle received fragments for ordered delivery to upper layer protocol.
924  * Manage the per message reassembly queue and if this fragment completes
925  * reassembly of the message, or qualifies the already reassembled data
926  * for partial delivery, prepare the message for delivery upstream.
927  *
928  * tpfinished in the caller remains set only when the incoming fragment
929  * has completed the reassembly of the message associated with its ssn.
930  */
931 static mblk_t *
932 sctp_data_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc, int *error,
933     sctp_instr_t *sip, boolean_t *tpfinished)
934 {
935 	mblk_t		*reassq_curr, *reassq_next, *reassq_prev;
936 	mblk_t		*new_reassq;
937 	mblk_t		*qmp;
938 	mblk_t		*first_mp;
939 	sctp_reass_t	*srp;
940 	sctp_data_hdr_t	*qdc;
941 	sctp_data_hdr_t	*bdc;
942 	sctp_data_hdr_t	*edc;
943 	uint32_t	tsn;
944 	uint16_t	fraglen = 0;
945 
946 	reassq_curr = NULL;
947 	*error = 0;
948 
949 	/*
950 	 * Find the reassembly queue for this data chunk, if none
951 	 * yet exists, a new per message queue will be created and
952 	 * appended to the end of the list of per message queues.
953 	 *
954 	 * sip points on sctp_instr_t representing instream messages
955 	 * as yet undelivered for this stream (sid) of the association.
956 	 */
957 	reassq_next = reassq_prev = sip->istr_reass;
958 	for (; reassq_next != NULL; reassq_next = reassq_next->b_next) {
959 		srp = (sctp_reass_t *)DB_BASE(reassq_next);
960 		if (ntohs((*dc)->sdh_ssn) == srp->sr_ssn) {
961 			reassq_curr = reassq_next;
962 			goto foundit;
963 		} else if (SSN_GT(srp->sr_ssn, ntohs((*dc)->sdh_ssn)))
964 			break;
965 		reassq_prev = reassq_next;
966 	}
967 
968 	/*
969 	 * First fragment of this message received, allocate a M_CTL that
970 	 * will head the reassembly queue for this message. The message
971 	 * and all its fragments are identified by having the same ssn.
972 	 *
973 	 * Arriving fragments will be inserted in tsn order on the
974 	 * reassembly queue for this message (ssn), linked by b_cont.
975 	 */
976 	if ((new_reassq = allocb(sizeof (*srp), BPRI_MED)) == NULL) {
977 		*error = ENOMEM;
978 		return (NULL);
979 	}
980 	DB_TYPE(new_reassq) = M_CTL;
981 	srp = (sctp_reass_t *)DB_BASE(new_reassq);
982 	new_reassq->b_cont = dmp;
983 
984 	/*
985 	 * All per ssn reassembly queues, (one for each message) on
986 	 * this stream are doubly linked by b_next/b_prev back to the
987 	 * instr_reass of the instream structure associated with this
988 	 * stream id, (sip is initialized as sctp->sctp_instr[sid]).
989 	 * Insert the new reassembly queue in the correct (ssn) order.
990 	 */
991 	if (reassq_next != NULL) {
992 		if (sip->istr_reass == reassq_next) {
993 			/* head insertion */
994 			sip->istr_reass = new_reassq;
995 			new_reassq->b_next = reassq_next;
996 			new_reassq->b_prev = NULL;
997 			reassq_next->b_prev = new_reassq;
998 		} else {
999 			/* mid queue insertion */
1000 			reassq_prev->b_next = new_reassq;
1001 			new_reassq->b_prev = reassq_prev;
1002 			new_reassq->b_next = reassq_next;
1003 			reassq_next->b_prev = new_reassq;
1004 		}
1005 	} else {
1006 		/* place new reassembly queue at the end */
1007 		if (sip->istr_reass == NULL) {
1008 			sip->istr_reass = new_reassq;
1009 			new_reassq->b_prev = NULL;
1010 		} else {
1011 			reassq_prev->b_next = new_reassq;
1012 			new_reassq->b_prev = reassq_prev;
1013 		}
1014 		new_reassq->b_next = NULL;
1015 	}
1016 	srp->sr_partial_delivered = B_FALSE;
1017 	srp->sr_ssn = ntohs((*dc)->sdh_ssn);
1018 	srp->sr_hasBchunk = B_FALSE;
1019 empty_srp:
1020 	srp->sr_needed = 0;
1021 	srp->sr_got = 1;
1022 	/* tail always the highest tsn on the reassembly queue for this ssn */
1023 	srp->sr_tail = dmp;
1024 	if (SCTP_DATA_GET_BBIT(*dc)) {
1025 		/* Incoming frag is flagged as the beginning of message */
1026 		srp->sr_msglen = ntohs((*dc)->sdh_len);
1027 		srp->sr_nexttsn = ntohl((*dc)->sdh_tsn) + 1;
1028 		srp->sr_hasBchunk = B_TRUE;
1029 	} else if (srp->sr_partial_delivered &&
1030 	    srp->sr_nexttsn == ntohl((*dc)->sdh_tsn)) {
1031 		/*
1032 		 * The real beginning fragment of the message was already
1033 		 * delivered upward, so this is the earliest frag expected.
1034 		 * Fake the B-bit then see if this frag also completes the
1035 		 * message.
1036 		 */
1037 		SCTP_DATA_SET_BBIT(*dc);
1038 		srp->sr_hasBchunk = B_TRUE;
1039 		srp->sr_msglen = ntohs((*dc)->sdh_len);
1040 		if (SCTP_DATA_GET_EBIT(*dc)) {
1041 			/* This frag is marked as the end of message */
1042 			srp->sr_needed = 1;
1043 			/* Got all fragments of this message now */
1044 			goto frag_done;
1045 		}
1046 		srp->sr_nexttsn++;
1047 	}
1048 
1049 	/* The only fragment of this message currently queued */
1050 	*tpfinished = B_FALSE;
1051 	return (NULL);
1052 foundit:
1053 	/*
1054 	 * This message already has a reassembly queue. Insert the new frag
1055 	 * in the reassembly queue. Try the tail first, on the assumption
1056 	 * that the fragments are arriving in order.
1057 	 */
1058 	qmp = srp->sr_tail;
1059 
1060 	/*
1061 	 * A NULL tail means all existing fragments of the message have
1062 	 * been entirely consumed during a partially delivery.
1063 	 */
1064 	if (qmp == NULL) {
1065 		ASSERT(srp->sr_got == 0 && srp->sr_needed == 0 &&
1066 		    srp->sr_partial_delivered);
1067 		ASSERT(reassq_curr->b_cont == NULL);
1068 		reassq_curr->b_cont = dmp;
1069 		goto empty_srp;
1070 	} else {
1071 		/*
1072 		 * If partial delivery did take place but the next arriving
1073 		 * fragment was not the next to be delivered, or partial
1074 		 * delivery broke off due to a gap, fragments remain on the
1075 		 * tail. The next fragment due to be delivered still has to
1076 		 * be set as the new head of list upon arrival. Fake B-bit
1077 		 * on that frag then see if it also completes the message.
1078 		 */
1079 		if (srp->sr_partial_delivered &&
1080 		    srp->sr_nexttsn == ntohl((*dc)->sdh_tsn)) {
1081 			SCTP_DATA_SET_BBIT(*dc);
1082 			srp->sr_hasBchunk = B_TRUE;
1083 			if (SCTP_DATA_GET_EBIT(*dc)) {
1084 				/* Got all fragments of this message now */
1085 				goto frag_done;
1086 			}
1087 		}
1088 	}
1089 
1090 	/* grab the frag header of already queued tail frag for comparison */
1091 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1092 	ASSERT(qmp->b_cont == NULL);
1093 
1094 	/* check if the frag goes on the tail in order */
1095 	if (SEQ_GT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1096 		qmp->b_cont = dmp;
1097 		srp->sr_tail = dmp;
1098 		dmp->b_cont = NULL;
1099 		if (srp->sr_hasBchunk && srp->sr_nexttsn ==
1100 		    ntohl((*dc)->sdh_tsn)) {
1101 			srp->sr_msglen += ntohs((*dc)->sdh_len);
1102 			srp->sr_nexttsn++;
1103 		}
1104 		goto inserted;
1105 	}
1106 
1107 	/* Next check if we should insert this frag at the beginning */
1108 	qmp = reassq_curr->b_cont;
1109 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1110 	if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1111 		dmp->b_cont = qmp;
1112 		reassq_curr->b_cont = dmp;
1113 		if (SCTP_DATA_GET_BBIT(*dc)) {
1114 			srp->sr_hasBchunk = B_TRUE;
1115 			srp->sr_nexttsn = ntohl((*dc)->sdh_tsn);
1116 		}
1117 		goto preinserted;
1118 	}
1119 
1120 	/* Insert this frag in it's correct order in the middle */
1121 	for (;;) {
1122 		/* Tail check above should have caught this */
1123 		ASSERT(qmp->b_cont != NULL);
1124 
1125 		qdc = (sctp_data_hdr_t *)qmp->b_cont->b_rptr;
1126 		if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1127 			/* insert here */
1128 			dmp->b_cont = qmp->b_cont;
1129 			qmp->b_cont = dmp;
1130 			break;
1131 		}
1132 		qmp = qmp->b_cont;
1133 	}
1134 preinserted:
1135 	/*
1136 	 * Need head of message and to be due to deliver, otherwise skip
1137 	 * the recalculation of the message length below.
1138 	 */
1139 	if (!srp->sr_hasBchunk || ntohl((*dc)->sdh_tsn) != srp->sr_nexttsn)
1140 		goto inserted;
1141 	/*
1142 	 * fraglen contains the length of consecutive chunks of fragments.
1143 	 * starting from the chunk we just inserted.
1144 	 */
1145 	tsn = srp->sr_nexttsn;
1146 	for (qmp = dmp; qmp != NULL; qmp = qmp->b_cont) {
1147 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1148 		if (tsn != ntohl(qdc->sdh_tsn))
1149 			break;
1150 		fraglen += ntohs(qdc->sdh_len);
1151 		tsn++;
1152 	}
1153 	srp->sr_nexttsn = tsn;
1154 	srp->sr_msglen += fraglen;
1155 inserted:
1156 	srp->sr_got++;
1157 	first_mp = reassq_curr->b_cont;
1158 	/* Prior to this frag either the beginning or end frag was missing */
1159 	if (srp->sr_needed == 0) {
1160 		/* used to check if we have the first and last fragments */
1161 		bdc = (sctp_data_hdr_t *)first_mp->b_rptr;
1162 		edc = (sctp_data_hdr_t *)srp->sr_tail->b_rptr;
1163 
1164 		/*
1165 		 * If we now have both the beginning and the end of the message,
1166 		 * calculate how many fragments in the complete message.
1167 		 */
1168 		if (SCTP_DATA_GET_BBIT(bdc) && SCTP_DATA_GET_EBIT(edc)) {
1169 			srp->sr_needed = ntohl(edc->sdh_tsn) -
1170 			    ntohl(bdc->sdh_tsn) + 1;
1171 		}
1172 	}
1173 
1174 	/*
1175 	 * Try partial delivery if the message length has exceeded the
1176 	 * partial delivery point. Only do this if we can immediately
1177 	 * deliver the partially assembled message, and only partially
1178 	 * deliver one message at a time (i.e. messages cannot be
1179 	 * intermixed arriving at the upper layer).
1180 	 * sctp_try_partial_delivery() will return a message consisting
1181 	 * of only consecutive fragments.
1182 	 */
1183 	if (srp->sr_needed != srp->sr_got) {
1184 		/* we don't have the full message yet */
1185 		dmp = NULL;
1186 		if (ntohl((*dc)->sdh_tsn) <= sctp->sctp_ftsn &&
1187 		    srp->sr_msglen >= sctp->sctp_pd_point &&
1188 		    srp->sr_ssn == sip->nextseq) {
1189 			dmp = sctp_try_partial_delivery(sctp, reassq_curr,
1190 			    srp, dc);
1191 		}
1192 		*tpfinished = B_FALSE;
1193 		/*
1194 		 * NULL unless a segment of the message now qualified for
1195 		 * partial_delivery and has been prepared for delivery by
1196 		 * sctp_try_partial_delivery().
1197 		 */
1198 		return (dmp);
1199 	}
1200 frag_done:
1201 	/*
1202 	 * Reassembly complete for this message, prepare the data for delivery.
1203 	 * First unlink the reassembly queue for this ssn from the list of
1204 	 * messages in reassembly.
1205 	 */
1206 	if (sip->istr_reass == reassq_curr) {
1207 		sip->istr_reass = reassq_curr->b_next;
1208 		if (reassq_curr->b_next)
1209 			reassq_curr->b_next->b_prev = NULL;
1210 	} else {
1211 		ASSERT(reassq_curr->b_prev != NULL);
1212 		reassq_curr->b_prev->b_next = reassq_curr->b_next;
1213 		if (reassq_curr->b_next)
1214 			reassq_curr->b_next->b_prev = reassq_curr->b_prev;
1215 	}
1216 
1217 	/*
1218 	 * Need to clean up b_prev and b_next as freeb() will
1219 	 * ASSERT that they are unused.
1220 	 */
1221 	reassq_curr->b_next = NULL;
1222 	reassq_curr->b_prev = NULL;
1223 
1224 	dmp = reassq_curr;
1225 	/* point to the head of the reassembled data message */
1226 	dmp = dmp->b_cont;
1227 	reassq_curr->b_cont = NULL;
1228 	freeb(reassq_curr);
1229 	/* Tell our caller that we are returning a complete message. */
1230 	*tpfinished = B_TRUE;
1231 
1232 	/*
1233 	 * Adjust all mblk's except the lead so their rptr's point to the
1234 	 * payload. sctp_data_chunk() will need to process the lead's data
1235 	 * data chunk section, so leave its rptr pointing at the data chunk
1236 	 * header.
1237 	 */
1238 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
1239 	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
1240 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1241 		qmp->b_rptr = (uchar_t *)(qdc + 1);
1242 	}
1243 	BUMP_LOCAL(sctp->sctp_reassmsgs);
1244 
1245 	return (dmp);
1246 }
1247 
1248 static void
1249 sctp_add_dup(uint32_t tsn, mblk_t **dups)
1250 {
1251 	mblk_t *mp;
1252 	size_t bsize = SCTP_DUP_MBLK_SZ * sizeof (tsn);
1253 
1254 	if (dups == NULL) {
1255 		return;
1256 	}
1257 
1258 	/* first time? */
1259 	if (*dups == NULL) {
1260 		*dups = allocb(bsize, BPRI_MED);
1261 		if (*dups == NULL) {
1262 			return;
1263 		}
1264 	}
1265 
1266 	mp = *dups;
1267 	if ((mp->b_wptr - mp->b_rptr) >= bsize) {
1268 		/* maximum reached */
1269 		return;
1270 	}
1271 
1272 	/* add the duplicate tsn */
1273 	bcopy(&tsn, mp->b_wptr, sizeof (tsn));
1274 	mp->b_wptr += sizeof (tsn);
1275 	ASSERT((mp->b_wptr - mp->b_rptr) <= bsize);
1276 }
1277 
1278 /*
1279  * All incoming sctp data, complete messages and fragments are handled by
1280  * this function. Unless the U-bit is set in the data chunk it will be
1281  * delivered in order or queued until an in-order delivery can be made.
1282  */
1283 static void
1284 sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
1285     sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
1286 {
1287 	sctp_data_hdr_t *dc;
1288 	mblk_t *dmp, *pmp;
1289 	sctp_instr_t *instr;
1290 	int ubit;
1291 	int sid;
1292 	int isfrag;
1293 	uint16_t ssn;
1294 	uint32_t oftsn;
1295 	boolean_t can_deliver = B_TRUE;
1296 	uint32_t tsn;
1297 	int dlen;
1298 	boolean_t tpfinished = B_TRUE;
1299 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1300 	int	error;
1301 
1302 	/* The following are used multiple times, so we inline them */
1303 #define	SCTP_ACK_IT(sctp, tsn)						\
1304 	if (tsn == sctp->sctp_ftsn) {					\
1305 		dprint(2, ("data_chunk: acking next %x\n", tsn));	\
1306 		(sctp)->sctp_ftsn++;					\
1307 		if ((sctp)->sctp_sack_gaps > 0)				\
1308 			(sctp)->sctp_force_sack = 1;			\
1309 	} else if (SEQ_GT(tsn, sctp->sctp_ftsn)) {			\
1310 		/* Got a gap; record it */				\
1311 		BUMP_LOCAL(sctp->sctp_outseqtsns);			\
1312 		dprint(2, ("data_chunk: acking gap %x\n", tsn));	\
1313 		sctp_ack_add(&sctp->sctp_sack_info, tsn,		\
1314 		    &sctp->sctp_sack_gaps);				\
1315 		sctp->sctp_force_sack = 1;				\
1316 	}
1317 
1318 	dmp = NULL;
1319 
1320 	dc = (sctp_data_hdr_t *)ch;
1321 	tsn = ntohl(dc->sdh_tsn);
1322 
1323 	dprint(3, ("sctp_data_chunk: mp=%p tsn=%x\n", (void *)mp, tsn));
1324 
1325 	/* Check for duplicates */
1326 	if (SEQ_LT(tsn, sctp->sctp_ftsn)) {
1327 		dprint(4, ("sctp_data_chunk: dropping duplicate\n"));
1328 		BUMP_LOCAL(sctp->sctp_idupchunks);
1329 		sctp->sctp_force_sack = 1;
1330 		sctp_add_dup(dc->sdh_tsn, dups);
1331 		return;
1332 	}
1333 
1334 	/* Check for dups of sack'ed data */
1335 	if (sctp->sctp_sack_info != NULL) {
1336 		sctp_set_t *sp;
1337 
1338 		for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1339 			if (SEQ_GEQ(tsn, sp->begin) && SEQ_LEQ(tsn, sp->end)) {
1340 				dprint(4,
1341 				    ("sctp_data_chunk: dropping dup > "
1342 				    "cumtsn\n"));
1343 				BUMP_LOCAL(sctp->sctp_idupchunks);
1344 				sctp->sctp_force_sack = 1;
1345 				sctp_add_dup(dc->sdh_tsn, dups);
1346 				return;
1347 			}
1348 		}
1349 	}
1350 
1351 	/* We can no longer deliver anything up, but still need to handle it. */
1352 	if (SCTP_IS_DETACHED(sctp)) {
1353 		SCTPS_BUMP_MIB(sctps, sctpInClosed);
1354 		can_deliver = B_FALSE;
1355 	}
1356 
1357 	dlen = ntohs(dc->sdh_len) - sizeof (*dc);
1358 
1359 	/*
1360 	 * Check for buffer space. Note if this is the next expected TSN
1361 	 * we have to take it to avoid deadlock because we cannot deliver
1362 	 * later queued TSNs and thus clear buffer space without it.
1363 	 * We drop anything that is purely zero window probe data here.
1364 	 */
1365 	if ((sctp->sctp_rwnd - sctp->sctp_rxqueued < dlen) &&
1366 	    (tsn != sctp->sctp_ftsn || sctp->sctp_rwnd == 0)) {
1367 		/* Drop and SACK, but don't advance the cumulative TSN. */
1368 		sctp->sctp_force_sack = 1;
1369 		dprint(0, ("sctp_data_chunk: exceed rwnd %d rxqueued %d "
1370 		    "dlen %d ssn %d tsn %x\n", sctp->sctp_rwnd,
1371 		    sctp->sctp_rxqueued, dlen, ntohs(dc->sdh_ssn),
1372 		    ntohl(dc->sdh_tsn)));
1373 		return;
1374 	}
1375 
1376 	sid = ntohs(dc->sdh_sid);
1377 
1378 	/* Data received for a stream not negotiated for this association */
1379 	if (sid >= sctp->sctp_num_istr) {
1380 		sctp_bsc_t	inval_parm;
1381 
1382 		/* Will populate the CAUSE block in the ERROR chunk. */
1383 		inval_parm.bsc_sid = dc->sdh_sid;
1384 		/* RESERVED, ignored at the receiving end */
1385 		inval_parm.bsc_pad = 0;
1386 
1387 		/* ack and drop it */
1388 		sctp_add_err(sctp, SCTP_ERR_BAD_SID, (void *)&inval_parm,
1389 		    sizeof (sctp_bsc_t), fp);
1390 		SCTP_ACK_IT(sctp, tsn);
1391 		return;
1392 	}
1393 
1394 	/* unordered delivery OK for this data if ubit set */
1395 	ubit = SCTP_DATA_GET_UBIT(dc);
1396 	ASSERT(sctp->sctp_instr != NULL);
1397 
1398 	/* select per stream structure for this stream from the array */
1399 	instr = &sctp->sctp_instr[sid];
1400 	/* Initialize the stream, if not yet used */
1401 	if (instr->sctp == NULL)
1402 		instr->sctp = sctp;
1403 
1404 	/* Begin and End bit set would mean a complete message */
1405 	isfrag = !(SCTP_DATA_GET_BBIT(dc) && SCTP_DATA_GET_EBIT(dc));
1406 
1407 	/* The ssn of this sctp message and of any fragments in it */
1408 	ssn = ntohs(dc->sdh_ssn);
1409 
1410 	dmp = dupb(mp);
1411 	if (dmp == NULL) {
1412 		/* drop it and don't ack, let the peer retransmit */
1413 		return;
1414 	}
1415 	/*
1416 	 * Past header and payload, note: the underlying buffer may
1417 	 * contain further chunks from the same incoming IP packet,
1418 	 * if so db_ref will be greater than one.
1419 	 */
1420 	dmp->b_wptr = (uchar_t *)ch + ntohs(ch->sch_len);
1421 
1422 	sctp->sctp_rxqueued += dlen;
1423 
1424 	oftsn = sctp->sctp_ftsn;
1425 
1426 	if (isfrag) {
1427 
1428 		error = 0;
1429 		/* fragmented data chunk */
1430 		dmp->b_rptr = (uchar_t *)dc;
1431 		if (ubit) {
1432 			/* prepare data for unordered delivery */
1433 			dmp = sctp_uodata_frag(sctp, dmp, &dc);
1434 #if	DEBUG
1435 			if (dmp != NULL) {
1436 				ASSERT(instr ==
1437 				    &sctp->sctp_instr[sid]);
1438 			}
1439 #endif
1440 		} else {
1441 			/*
1442 			 * Assemble fragments and queue for ordered delivery,
1443 			 * dmp returned is NULL or the head of a complete or
1444 			 * "partial delivery" message. Any returned message
1445 			 * and all its fragments will have the same ssn as the
1446 			 * input fragment currently being handled.
1447 			 */
1448 			dmp = sctp_data_frag(sctp, dmp, &dc, &error, instr,
1449 			    &tpfinished);
1450 		}
1451 		if (error == ENOMEM) {
1452 			/* back out the adjustment made earlier */
1453 			sctp->sctp_rxqueued -= dlen;
1454 			/*
1455 			 * Don't ack the segment,
1456 			 * the peer will retransmit.
1457 			 */
1458 			return;
1459 		}
1460 
1461 		if (dmp == NULL) {
1462 			/*
1463 			 * The frag has been queued for later in-order delivery,
1464 			 * but the cumulative TSN may need to advance, so also
1465 			 * need to perform the gap ack checks at the done label.
1466 			 */
1467 			SCTP_ACK_IT(sctp, tsn);
1468 			DTRACE_PROBE4(sctp_data_frag_queued, sctp_t *, sctp,
1469 			    int, sid, int, tsn, uint16_t, ssn);
1470 			goto done;
1471 		}
1472 	}
1473 
1474 	/*
1475 	 * Unless message is the next for delivery to the ulp, queue complete
1476 	 * message in the correct order for ordered delivery.
1477 	 * Note: tpfinished is true when the incoming chunk contains a complete
1478 	 * message or is the final missing fragment which completed a message.
1479 	 */
1480 	if (!ubit && tpfinished && ssn != instr->nextseq) {
1481 		/* Adjust rptr to point at the data chunk for compares */
1482 		dmp->b_rptr = (uchar_t *)dc;
1483 
1484 		dprint(2,
1485 		    ("data_chunk: inserted %x in pq (ssn %d expected %d)\n",
1486 		    ntohl(dc->sdh_tsn), (int)(ssn), (int)(instr->nextseq)));
1487 
1488 		if (instr->istr_msgs == NULL) {
1489 			instr->istr_msgs = dmp;
1490 			ASSERT(dmp->b_prev == NULL && dmp->b_next == NULL);
1491 		} else {
1492 			mblk_t			*imblk = instr->istr_msgs;
1493 			sctp_data_hdr_t		*idc;
1494 
1495 			/*
1496 			 * XXXNeed to take sequence wraps into account,
1497 			 * ... and a more efficient insertion algo.
1498 			 */
1499 			for (;;) {
1500 				idc = (sctp_data_hdr_t *)imblk->b_rptr;
1501 				if (SSN_GT(ntohs(idc->sdh_ssn),
1502 				    ntohs(dc->sdh_ssn))) {
1503 					if (instr->istr_msgs == imblk) {
1504 						instr->istr_msgs = dmp;
1505 						dmp->b_next = imblk;
1506 						imblk->b_prev = dmp;
1507 					} else {
1508 						ASSERT(imblk->b_prev != NULL);
1509 						imblk->b_prev->b_next = dmp;
1510 						dmp->b_prev = imblk->b_prev;
1511 						imblk->b_prev = dmp;
1512 						dmp->b_next = imblk;
1513 					}
1514 					break;
1515 				}
1516 				if (imblk->b_next == NULL) {
1517 					imblk->b_next = dmp;
1518 					dmp->b_prev = imblk;
1519 					break;
1520 				}
1521 				imblk = imblk->b_next;
1522 			}
1523 		}
1524 		(instr->istr_nmsgs)++;
1525 		(sctp->sctp_istr_nmsgs)++;
1526 		SCTP_ACK_IT(sctp, tsn);
1527 		DTRACE_PROBE4(sctp_pqueue_completemsg, sctp_t *, sctp,
1528 		    int, sid, int, tsn, uint16_t, ssn);
1529 		return;
1530 	}
1531 
1532 	/*
1533 	 * Deliver the data directly. Recalculate dlen now since
1534 	 * we may have just reassembled this data.
1535 	 */
1536 	dlen = dmp->b_wptr - (uchar_t *)dc - sizeof (*dc);
1537 	for (pmp = dmp->b_cont; pmp != NULL; pmp = pmp->b_cont)
1538 		dlen += MBLKL(pmp);
1539 	ASSERT(sctp->sctp_rxqueued >= dlen);
1540 
1541 	/* Deliver the message. */
1542 	sctp->sctp_rxqueued -= dlen;
1543 
1544 	if (can_deliver) {
1545 		/* step past header to the payload */
1546 		dmp->b_rptr = (uchar_t *)(dc + 1);
1547 		if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
1548 		    ipp, ira) == 0) {
1549 			dprint(1, ("sctp_data_chunk: delivering %lu bytes\n",
1550 			    msgdsize(dmp)));
1551 			/*
1552 			 * We overload the meaning of b_flag for SCTP sockfs
1553 			 * internal use, to advise sockfs of partial delivery
1554 			 * semantics.
1555 			 */
1556 			dmp->b_flag = tpfinished ? 0 : SCTP_PARTIAL_DATA;
1557 			if (sctp->sctp_flowctrld) {
1558 				sctp->sctp_rwnd -= dlen;
1559 				if (sctp->sctp_rwnd < 0)
1560 					sctp->sctp_rwnd = 0;
1561 			}
1562 			if (sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
1563 			    msgdsize(dmp), 0, &error, NULL) <= 0) {
1564 				sctp->sctp_flowctrld = B_TRUE;
1565 			}
1566 			SCTP_ACK_IT(sctp, tsn);
1567 		} else {
1568 			/* No memory don't ack, the peer will retransmit. */
1569 			freemsg(dmp);
1570 			return;
1571 		}
1572 	} else {
1573 		/* Closed above, ack to peer and free the data */
1574 		freemsg(dmp);
1575 		SCTP_ACK_IT(sctp, tsn);
1576 	}
1577 
1578 	/*
1579 	 * Data now enqueued, may already have been processed and free'd
1580 	 * by the ULP (or we may have just freed it above, if we could not
1581 	 * deliver), so we must not reference it (this is why we saved the
1582 	 * ssn and ubit earlier).
1583 	 */
1584 	if (ubit != 0) {
1585 		BUMP_LOCAL(sctp->sctp_iudchunks);
1586 		goto done;
1587 	}
1588 	BUMP_LOCAL(sctp->sctp_idchunks);
1589 
1590 	/*
1591 	 * There was a partial delivery and it has not finished,
1592 	 * don't pull anything from the pqueues or increment the
1593 	 * nextseq. This msg must complete before starting on
1594 	 * the next ssn and the partial message must have the
1595 	 * same ssn as the next expected message..
1596 	 */
1597 	if (!tpfinished) {
1598 		DTRACE_PROBE4(sctp_partial_delivery, sctp_t *, sctp,
1599 		    int, sid, int, tsn, uint16_t, ssn);
1600 		/*
1601 		 * Verify the partial delivery is part of the
1602 		 * message expected for ordered delivery.
1603 		 */
1604 		if (ssn != instr->nextseq) {
1605 			DTRACE_PROBE4(sctp_partial_delivery_error,
1606 			    sctp_t *, sctp, int, sid, int, tsn,
1607 			    uint16_t, ssn);
1608 			cmn_err(CE_WARN, "sctp partial"
1609 			    " delivery error, sctp 0x%p"
1610 			    " sid = 0x%x ssn != nextseq"
1611 			    " tsn 0x%x ftsn 0x%x"
1612 			    " ssn 0x%x nextseq 0x%x",
1613 			    (void *)sctp, sid,
1614 			    tsn, sctp->sctp_ftsn, ssn,
1615 			    instr->nextseq);
1616 		}
1617 
1618 		ASSERT(ssn == instr->nextseq);
1619 		goto done;
1620 	}
1621 
1622 	if (ssn != instr->nextseq) {
1623 		DTRACE_PROBE4(sctp_inorder_delivery_error,
1624 		    sctp_t *, sctp, int, sid, int, tsn,
1625 		    uint16_t, ssn);
1626 		cmn_err(CE_WARN, "sctp in-order delivery error, sctp 0x%p "
1627 		    "sid = 0x%x ssn != nextseq ssn 0x%x nextseq 0x%x",
1628 		    (void *)sctp, sid, ssn, instr->nextseq);
1629 	}
1630 
1631 	ASSERT(ssn == instr->nextseq);
1632 
1633 	DTRACE_PROBE4(sctp_deliver_completemsg, sctp_t *, sctp, int, sid,
1634 	    int, tsn, uint16_t, ssn);
1635 
1636 	instr->nextseq = ssn + 1;
1637 
1638 	/*
1639 	 * Deliver any successive data chunks waiting in the instr pqueue
1640 	 * for the data just sent up.
1641 	 */
1642 	while (instr->istr_nmsgs > 0) {
1643 		dmp = (mblk_t *)instr->istr_msgs;
1644 		dc = (sctp_data_hdr_t *)dmp->b_rptr;
1645 		ssn = ntohs(dc->sdh_ssn);
1646 		tsn = ntohl(dc->sdh_tsn);
1647 		/* Stop at the first gap in the sequence */
1648 		if (ssn != instr->nextseq)
1649 			break;
1650 
1651 		DTRACE_PROBE4(sctp_deliver_pqueuedmsg, sctp_t *, sctp,
1652 		    int, sid, int, tsn, uint16_t, ssn);
1653 		/*
1654 		 * Ready to deliver all data before the gap
1655 		 * to the upper layer.
1656 		 */
1657 		(instr->istr_nmsgs)--;
1658 		(instr->nextseq)++;
1659 		(sctp->sctp_istr_nmsgs)--;
1660 
1661 		instr->istr_msgs = instr->istr_msgs->b_next;
1662 		if (instr->istr_msgs != NULL)
1663 			instr->istr_msgs->b_prev = NULL;
1664 		dmp->b_next = dmp->b_prev = NULL;
1665 
1666 		dprint(2, ("data_chunk: pulling %x from pq (ssn %d)\n",
1667 		    ntohl(dc->sdh_tsn), (int)ssn));
1668 
1669 		/*
1670 		 * Composite messages indicate this chunk was reassembled,
1671 		 * each b_cont represents another TSN; Follow the chain to
1672 		 * reach the frag with the last tsn in order to advance ftsn
1673 		 * shortly by calling SCTP_ACK_IT().
1674 		 */
1675 		dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
1676 		for (pmp = dmp->b_cont; pmp; pmp = pmp->b_cont)
1677 			dlen += MBLKL(pmp);
1678 
1679 		ASSERT(sctp->sctp_rxqueued >= dlen);
1680 
1681 		sctp->sctp_rxqueued -= dlen;
1682 		if (can_deliver) {
1683 			dmp->b_rptr = (uchar_t *)(dc + 1);
1684 			if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
1685 			    ipp, ira) == 0) {
1686 				dprint(1, ("sctp_data_chunk: delivering %lu "
1687 				    "bytes\n", msgdsize(dmp)));
1688 				/*
1689 				 * Meaning of b_flag overloaded for SCTP sockfs
1690 				 * internal use, advise sockfs of partial
1691 				 * delivery semantics.
1692 				 */
1693 				dmp->b_flag = tpfinished ?
1694 				    0 : SCTP_PARTIAL_DATA;
1695 				if (sctp->sctp_flowctrld) {
1696 					sctp->sctp_rwnd -= dlen;
1697 					if (sctp->sctp_rwnd < 0)
1698 						sctp->sctp_rwnd = 0;
1699 				}
1700 				if (sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
1701 				    msgdsize(dmp), 0, &error, NULL) <= 0) {
1702 					sctp->sctp_flowctrld = B_TRUE;
1703 				}
1704 				SCTP_ACK_IT(sctp, tsn);
1705 			} else {
1706 				/* don't ack, the peer will retransmit */
1707 				freemsg(dmp);
1708 				return;
1709 			}
1710 		} else {
1711 			/* Closed above, ack and free the data */
1712 			freemsg(dmp);
1713 			SCTP_ACK_IT(sctp, tsn);
1714 		}
1715 	}
1716 
1717 done:
1718 
1719 	/*
1720 	 * If there are gap reports pending, check if advancing
1721 	 * the ftsn here closes a gap. If so, we can advance
1722 	 * ftsn to the end of the set.
1723 	 */
1724 	if (sctp->sctp_sack_info != NULL &&
1725 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
1726 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
1727 	}
1728 	/*
1729 	 * If ftsn has moved forward, maybe we can remove gap reports.
1730 	 * NB: dmp may now be NULL, so don't dereference it here.
1731 	 */
1732 	if (oftsn != sctp->sctp_ftsn && sctp->sctp_sack_info != NULL) {
1733 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
1734 		    &sctp->sctp_sack_gaps);
1735 		dprint(2, ("data_chunk: removed acks before %x (num=%d)\n",
1736 		    sctp->sctp_ftsn - 1, sctp->sctp_sack_gaps));
1737 	}
1738 
1739 #ifdef	DEBUG
1740 	if (sctp->sctp_sack_info != NULL) {
1741 		ASSERT(sctp->sctp_ftsn != sctp->sctp_sack_info->begin);
1742 	}
1743 #endif
1744 
1745 #undef	SCTP_ACK_IT
1746 }
1747 
1748 void
1749 sctp_fill_sack(sctp_t *sctp, unsigned char *dst, int sacklen)
1750 {
1751 	sctp_chunk_hdr_t *sch;
1752 	sctp_sack_chunk_t *sc;
1753 	sctp_sack_frag_t *sf;
1754 	uint16_t num_gaps = sctp->sctp_sack_gaps;
1755 	sctp_set_t *sp;
1756 
1757 	/* Chunk hdr */
1758 	sch = (sctp_chunk_hdr_t *)dst;
1759 	sch->sch_id = CHUNK_SACK;
1760 	sch->sch_flags = 0;
1761 	sch->sch_len = htons(sacklen);
1762 
1763 	/* SACK chunk */
1764 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1765 
1766 	sc = (sctp_sack_chunk_t *)(sch + 1);
1767 	sc->ssc_cumtsn = htonl(sctp->sctp_lastacked);
1768 	if (sctp->sctp_rxqueued < sctp->sctp_rwnd) {
1769 		sc->ssc_a_rwnd = htonl(sctp->sctp_rwnd - sctp->sctp_rxqueued);
1770 	} else {
1771 		sc->ssc_a_rwnd = 0;
1772 	}
1773 	/* Remember the last window sent to peer. */
1774 	sctp->sctp_arwnd = sc->ssc_a_rwnd;
1775 	sc->ssc_numfrags = htons(num_gaps);
1776 	sc->ssc_numdups = 0;
1777 
1778 	/* lay in gap reports */
1779 	sf = (sctp_sack_frag_t *)(sc + 1);
1780 	for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1781 		uint16_t offset;
1782 
1783 		/* start */
1784 		if (sp->begin > sctp->sctp_lastacked) {
1785 			offset = (uint16_t)(sp->begin - sctp->sctp_lastacked);
1786 		} else {
1787 			/* sequence number wrap */
1788 			offset = (uint16_t)(UINT32_MAX - sctp->sctp_lastacked +
1789 			    sp->begin);
1790 		}
1791 		sf->ssf_start = htons(offset);
1792 
1793 		/* end */
1794 		if (sp->end >= sp->begin) {
1795 			offset += (uint16_t)(sp->end - sp->begin);
1796 		} else {
1797 			/* sequence number wrap */
1798 			offset += (uint16_t)(UINT32_MAX - sp->begin + sp->end);
1799 		}
1800 		sf->ssf_end = htons(offset);
1801 
1802 		sf++;
1803 		/* This is just for debugging (a la the following assertion) */
1804 		num_gaps--;
1805 	}
1806 
1807 	ASSERT(num_gaps == 0);
1808 
1809 	/* If the SACK timer is running, stop it */
1810 	if (sctp->sctp_ack_timer_running) {
1811 		sctp_timer_stop(sctp->sctp_ack_mp);
1812 		sctp->sctp_ack_timer_running = B_FALSE;
1813 	}
1814 
1815 	BUMP_LOCAL(sctp->sctp_obchunks);
1816 	BUMP_LOCAL(sctp->sctp_osacks);
1817 }
1818 
1819 mblk_t *
1820 sctp_make_sack(sctp_t *sctp, sctp_faddr_t *sendto, mblk_t *dups)
1821 {
1822 	mblk_t *smp;
1823 	size_t slen;
1824 	sctp_chunk_hdr_t *sch;
1825 	sctp_sack_chunk_t *sc;
1826 	int32_t acks_max;
1827 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1828 	uint32_t	dups_len;
1829 	sctp_faddr_t	*fp;
1830 
1831 	ASSERT(sendto != NULL);
1832 
1833 	if (sctp->sctp_force_sack) {
1834 		sctp->sctp_force_sack = 0;
1835 		goto checks_done;
1836 	}
1837 
1838 	acks_max = sctps->sctps_deferred_acks_max;
1839 	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
1840 		if (sctp->sctp_sack_toggle < acks_max) {
1841 			/* no need to SACK right now */
1842 			dprint(2, ("sctp_make_sack: %p no sack (toggle)\n",
1843 			    (void *)sctp));
1844 			return (NULL);
1845 		} else if (sctp->sctp_sack_toggle >= acks_max) {
1846 			sctp->sctp_sack_toggle = 0;
1847 		}
1848 	}
1849 
1850 	if (sctp->sctp_ftsn == sctp->sctp_lastacked + 1) {
1851 		dprint(2, ("sctp_make_sack: %p no sack (already)\n",
1852 		    (void *)sctp));
1853 		return (NULL);
1854 	}
1855 
1856 checks_done:
1857 	dprint(2, ("sctp_make_sack: acking %x\n", sctp->sctp_ftsn - 1));
1858 
1859 	if (dups != NULL)
1860 		dups_len = MBLKL(dups);
1861 	else
1862 		dups_len = 0;
1863 	slen = sizeof (*sch) + sizeof (*sc) +
1864 	    (sizeof (sctp_sack_frag_t) * sctp->sctp_sack_gaps);
1865 
1866 	/*
1867 	 * If there are error chunks, check and see if we can send the
1868 	 * SACK chunk and error chunks together in one packet.  If not,
1869 	 * send the error chunks out now.
1870 	 */
1871 	if (sctp->sctp_err_chunks != NULL) {
1872 		fp = SCTP_CHUNK_DEST(sctp->sctp_err_chunks);
1873 		if (sctp->sctp_err_len + slen + dups_len > fp->sf_pmss) {
1874 			if ((smp = sctp_make_mp(sctp, fp, 0)) == NULL) {
1875 				SCTP_KSTAT(sctps, sctp_send_err_failed);
1876 				SCTP_KSTAT(sctps, sctp_send_sack_failed);
1877 				freemsg(sctp->sctp_err_chunks);
1878 				sctp->sctp_err_chunks = NULL;
1879 				sctp->sctp_err_len = 0;
1880 				return (NULL);
1881 			}
1882 			smp->b_cont = sctp->sctp_err_chunks;
1883 			sctp_set_iplen(sctp, smp, fp->sf_ixa);
1884 			(void) conn_ip_output(smp, fp->sf_ixa);
1885 			BUMP_LOCAL(sctp->sctp_opkts);
1886 			sctp->sctp_err_chunks = NULL;
1887 			sctp->sctp_err_len = 0;
1888 		}
1889 	}
1890 	smp = sctp_make_mp(sctp, sendto, slen);
1891 	if (smp == NULL) {
1892 		SCTP_KSTAT(sctps, sctp_send_sack_failed);
1893 		return (NULL);
1894 	}
1895 	sch = (sctp_chunk_hdr_t *)smp->b_wptr;
1896 
1897 	sctp_fill_sack(sctp, smp->b_wptr, slen);
1898 	smp->b_wptr += slen;
1899 	if (dups != NULL) {
1900 		sc = (sctp_sack_chunk_t *)(sch + 1);
1901 		sc->ssc_numdups = htons(MBLKL(dups) / sizeof (uint32_t));
1902 		sch->sch_len = htons(slen + dups_len);
1903 		smp->b_cont = dups;
1904 	}
1905 
1906 	if (sctp->sctp_err_chunks != NULL) {
1907 		linkb(smp, sctp->sctp_err_chunks);
1908 		sctp->sctp_err_chunks = NULL;
1909 		sctp->sctp_err_len = 0;
1910 	}
1911 	return (smp);
1912 }
1913 
1914 /*
1915  * Check and see if we need to send a SACK chunk.  If it is needed,
1916  * send it out.  Return true if a SACK chunk is sent, false otherwise.
1917  */
1918 boolean_t
1919 sctp_sack(sctp_t *sctp, mblk_t *dups)
1920 {
1921 	mblk_t *smp;
1922 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1923 
1924 	/* If we are shutting down, let send_shutdown() bundle the SACK */
1925 	if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
1926 		sctp_send_shutdown(sctp, 0);
1927 	}
1928 
1929 	ASSERT(sctp->sctp_lastdata != NULL);
1930 
1931 	if ((smp = sctp_make_sack(sctp, sctp->sctp_lastdata, dups)) == NULL) {
1932 		/* The caller of sctp_sack() will not free the dups mblk. */
1933 		if (dups != NULL)
1934 			freeb(dups);
1935 		return (B_FALSE);
1936 	}
1937 	dprint(2, ("sctp_sack: sending to %p %x:%x:%x:%x\n",
1938 	    (void *)sctp->sctp_lastdata,
1939 	    SCTP_PRINTADDR(sctp->sctp_lastdata->sf_faddr)));
1940 
1941 	sctp->sctp_active = LBOLT_FASTPATH64;
1942 
1943 	SCTPS_BUMP_MIB(sctps, sctpOutAck);
1944 
1945 	sctp_set_iplen(sctp, smp, sctp->sctp_lastdata->sf_ixa);
1946 	(void) conn_ip_output(smp, sctp->sctp_lastdata->sf_ixa);
1947 	BUMP_LOCAL(sctp->sctp_opkts);
1948 	return (B_TRUE);
1949 }
1950 
1951 /*
1952  * This is called if we have a message that was partially sent and is
1953  * abandoned. The cum TSN will be the last chunk sent for this message,
1954  * subsequent chunks will be marked ABANDONED. We send a Forward TSN
1955  * chunk in this case with the TSN of the last sent chunk so that the
1956  * peer can clean up its fragment list for this message. This message
1957  * will be removed from the transmit list when the peer sends a SACK
1958  * back.
1959  */
1960 int
1961 sctp_check_abandoned_msg(sctp_t *sctp, mblk_t *meta)
1962 {
1963 	sctp_data_hdr_t	*dh;
1964 	mblk_t		*nmp;
1965 	mblk_t		*head;
1966 	int32_t		unsent = 0;
1967 	mblk_t		*mp1 = meta->b_cont;
1968 	uint32_t	adv_pap = sctp->sctp_adv_pap;
1969 	sctp_faddr_t	*fp = sctp->sctp_current;
1970 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1971 
1972 	dh = (sctp_data_hdr_t *)mp1->b_rptr;
1973 	if (SEQ_GEQ(sctp->sctp_lastack_rxd, ntohl(dh->sdh_tsn))) {
1974 		sctp_ftsn_set_t	*sets = NULL;
1975 		uint_t		nsets = 0;
1976 		uint32_t	seglen = sizeof (uint32_t);
1977 		boolean_t	ubit = SCTP_DATA_GET_UBIT(dh);
1978 
1979 		while (mp1->b_next != NULL && SCTP_CHUNK_ISSENT(mp1->b_next))
1980 			mp1 = mp1->b_next;
1981 		dh = (sctp_data_hdr_t *)mp1->b_rptr;
1982 		sctp->sctp_adv_pap = ntohl(dh->sdh_tsn);
1983 		if (!ubit &&
1984 		    !sctp_add_ftsn_set(&sets, fp, meta, &nsets, &seglen)) {
1985 			sctp->sctp_adv_pap = adv_pap;
1986 			return (ENOMEM);
1987 		}
1988 		nmp = sctp_make_ftsn_chunk(sctp, fp, sets, nsets, seglen);
1989 		sctp_free_ftsn_set(sets);
1990 		if (nmp == NULL) {
1991 			sctp->sctp_adv_pap = adv_pap;
1992 			return (ENOMEM);
1993 		}
1994 		head = sctp_add_proto_hdr(sctp, fp, nmp, 0, NULL);
1995 		if (head == NULL) {
1996 			sctp->sctp_adv_pap = adv_pap;
1997 			freemsg(nmp);
1998 			SCTP_KSTAT(sctps, sctp_send_ftsn_failed);
1999 			return (ENOMEM);
2000 		}
2001 		SCTP_MSG_SET_ABANDONED(meta);
2002 		sctp_set_iplen(sctp, head, fp->sf_ixa);
2003 		(void) conn_ip_output(head, fp->sf_ixa);
2004 		BUMP_LOCAL(sctp->sctp_opkts);
2005 		if (!fp->sf_timer_running)
2006 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
2007 		mp1 = mp1->b_next;
2008 		while (mp1 != NULL) {
2009 			ASSERT(!SCTP_CHUNK_ISSENT(mp1));
2010 			ASSERT(!SCTP_CHUNK_ABANDONED(mp1));
2011 			SCTP_ABANDON_CHUNK(mp1);
2012 			dh = (sctp_data_hdr_t *)mp1->b_rptr;
2013 			unsent += ntohs(dh->sdh_len) - sizeof (*dh);
2014 			mp1 = mp1->b_next;
2015 		}
2016 		ASSERT(sctp->sctp_unsent >= unsent);
2017 		sctp->sctp_unsent -= unsent;
2018 		/*
2019 		 * Update ULP the amount of queued data, which is
2020 		 * sent-unack'ed + unsent.
2021 		 */
2022 		if (!SCTP_IS_DETACHED(sctp))
2023 			SCTP_TXQ_UPDATE(sctp);
2024 		return (0);
2025 	}
2026 	return (-1);
2027 }
2028 
2029 uint32_t
2030 sctp_cumack(sctp_t *sctp, uint32_t tsn, mblk_t **first_unacked)
2031 {
2032 	mblk_t *ump, *nump, *mp = NULL;
2033 	uint16_t chunklen;
2034 	uint32_t xtsn;
2035 	sctp_faddr_t *fp;
2036 	sctp_data_hdr_t *sdc;
2037 	uint32_t cumack_forward = 0;
2038 	sctp_msg_hdr_t	*mhdr;
2039 	sctp_stack_t	*sctps = sctp->sctp_sctps;
2040 
2041 	ump = sctp->sctp_xmit_head;
2042 
2043 	/*
2044 	 * Free messages only when they're completely acked.
2045 	 */
2046 	while (ump != NULL) {
2047 		mhdr = (sctp_msg_hdr_t *)ump->b_rptr;
2048 		for (mp = ump->b_cont; mp != NULL; mp = mp->b_next) {
2049 			if (SCTP_CHUNK_ABANDONED(mp)) {
2050 				ASSERT(SCTP_IS_MSG_ABANDONED(ump));
2051 				mp = NULL;
2052 				break;
2053 			}
2054 			/*
2055 			 * We check for abandoned message if we are PR-SCTP
2056 			 * aware, if this is not the first chunk in the
2057 			 * message (b_cont) and if the message is marked
2058 			 * abandoned.
2059 			 */
2060 			if (!SCTP_CHUNK_ISSENT(mp)) {
2061 				if (sctp->sctp_prsctp_aware &&
2062 				    mp != ump->b_cont &&
2063 				    (SCTP_IS_MSG_ABANDONED(ump) ||
2064 				    SCTP_MSG_TO_BE_ABANDONED(ump, mhdr,
2065 				    sctp))) {
2066 					(void) sctp_check_abandoned_msg(sctp,
2067 					    ump);
2068 				}
2069 				goto cum_ack_done;
2070 			}
2071 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2072 			xtsn = ntohl(sdc->sdh_tsn);
2073 			if (SEQ_GEQ(sctp->sctp_lastack_rxd, xtsn))
2074 				continue;
2075 			if (SEQ_GEQ(tsn, xtsn)) {
2076 				fp = SCTP_CHUNK_DEST(mp);
2077 				chunklen = ntohs(sdc->sdh_len);
2078 
2079 				if (sctp->sctp_out_time != 0 &&
2080 				    xtsn == sctp->sctp_rtt_tsn) {
2081 					/* Got a new RTT measurement */
2082 					sctp_update_rtt(sctp, fp,
2083 					    ddi_get_lbolt64() -
2084 					    sctp->sctp_out_time);
2085 					sctp->sctp_out_time = 0;
2086 				}
2087 				if (SCTP_CHUNK_ISACKED(mp))
2088 					continue;
2089 				SCTP_CHUNK_SET_SACKCNT(mp, 0);
2090 				SCTP_CHUNK_ACKED(mp);
2091 				ASSERT(fp->sf_suna >= chunklen);
2092 				fp->sf_suna -= chunklen;
2093 				fp->sf_acked += chunklen;
2094 				cumack_forward += chunklen;
2095 				ASSERT(sctp->sctp_unacked >=
2096 				    (chunklen - sizeof (*sdc)));
2097 				sctp->sctp_unacked -=
2098 				    (chunklen - sizeof (*sdc));
2099 				if (fp->sf_suna == 0) {
2100 					/* all outstanding data acked */
2101 					fp->sf_pba = 0;
2102 					SCTP_FADDR_TIMER_STOP(fp);
2103 				} else {
2104 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
2105 					    fp->sf_rto);
2106 				}
2107 			} else {
2108 				goto cum_ack_done;
2109 			}
2110 		}
2111 		nump = ump->b_next;
2112 		if (nump != NULL)
2113 			nump->b_prev = NULL;
2114 		if (ump == sctp->sctp_xmit_tail)
2115 			sctp->sctp_xmit_tail = nump;
2116 		if (SCTP_IS_MSG_ABANDONED(ump)) {
2117 			BUMP_LOCAL(sctp->sctp_prsctpdrop);
2118 			ump->b_next = NULL;
2119 			sctp_sendfail_event(sctp, ump, 0, B_TRUE);
2120 		} else {
2121 			sctp_free_msg(ump);
2122 		}
2123 		sctp->sctp_xmit_head = ump = nump;
2124 	}
2125 cum_ack_done:
2126 	*first_unacked = mp;
2127 	if (cumack_forward > 0) {
2128 		SCTPS_BUMP_MIB(sctps, sctpInAck);
2129 		if (SEQ_GT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn)) {
2130 			sctp->sctp_recovery_tsn = sctp->sctp_lastack_rxd;
2131 		}
2132 
2133 		/*
2134 		 * Update ULP the amount of queued data, which is
2135 		 * sent-unack'ed + unsent.
2136 		 */
2137 		if (!SCTP_IS_DETACHED(sctp))
2138 			SCTP_TXQ_UPDATE(sctp);
2139 
2140 		/* Time to send a shutdown? */
2141 		if (sctp->sctp_state == SCTPS_SHUTDOWN_PENDING) {
2142 			sctp_send_shutdown(sctp, 0);
2143 		}
2144 		sctp->sctp_xmit_unacked = mp;
2145 	} else {
2146 		/* dup ack */
2147 		SCTPS_BUMP_MIB(sctps, sctpInDupAck);
2148 	}
2149 	sctp->sctp_lastack_rxd = tsn;
2150 	if (SEQ_LT(sctp->sctp_adv_pap, sctp->sctp_lastack_rxd))
2151 		sctp->sctp_adv_pap = sctp->sctp_lastack_rxd;
2152 	ASSERT(sctp->sctp_xmit_head || sctp->sctp_unacked == 0);
2153 
2154 	return (cumack_forward);
2155 }
2156 
2157 static int
2158 sctp_set_frwnd(sctp_t *sctp, uint32_t frwnd)
2159 {
2160 	uint32_t orwnd;
2161 
2162 	if (sctp->sctp_unacked > frwnd) {
2163 		sctp->sctp_frwnd = 0;
2164 		return (0);
2165 	}
2166 	orwnd = sctp->sctp_frwnd;
2167 	sctp->sctp_frwnd = frwnd - sctp->sctp_unacked;
2168 	if (orwnd < sctp->sctp_frwnd) {
2169 		return (1);
2170 	} else {
2171 		return (0);
2172 	}
2173 }
2174 
2175 /*
2176  * For un-ordered messages.
2177  * Walk the sctp->sctp_uo_frag list and remove any fragments with TSN
2178  * less than/equal to ftsn. Fragments for un-ordered messages are
2179  * strictly in sequence (w.r.t TSN).
2180  */
2181 static int
2182 sctp_ftsn_check_uo_frag(sctp_t *sctp, uint32_t ftsn)
2183 {
2184 	mblk_t		*hmp;
2185 	mblk_t		*hmp_next;
2186 	sctp_data_hdr_t	*dc;
2187 	int		dlen = 0;
2188 
2189 	hmp = sctp->sctp_uo_frags;
2190 	while (hmp != NULL) {
2191 		hmp_next = hmp->b_next;
2192 		dc = (sctp_data_hdr_t *)hmp->b_rptr;
2193 		if (SEQ_GT(ntohl(dc->sdh_tsn), ftsn))
2194 			return (dlen);
2195 		sctp->sctp_uo_frags = hmp_next;
2196 		if (hmp_next != NULL)
2197 			hmp_next->b_prev = NULL;
2198 		hmp->b_next = NULL;
2199 		dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2200 		freeb(hmp);
2201 		hmp = hmp_next;
2202 	}
2203 	return (dlen);
2204 }
2205 
2206 /*
2207  * For ordered messages.
2208  * Check for existing fragments for an sid-ssn pair reported as abandoned,
2209  * hence will not receive, in the Forward TSN. If there are fragments, then
2210  * we just nuke them. If and when Partial Delivery API is supported, we
2211  * would need to send a notification to the upper layer about this.
2212  */
2213 static int
2214 sctp_ftsn_check_frag(sctp_t *sctp, uint16_t ssn, sctp_instr_t *sip)
2215 {
2216 	sctp_reass_t	*srp;
2217 	mblk_t		*hmp;
2218 	mblk_t		*dmp;
2219 	mblk_t		*hmp_next;
2220 	sctp_data_hdr_t	*dc;
2221 	int		dlen = 0;
2222 
2223 	hmp = sip->istr_reass;
2224 	while (hmp != NULL) {
2225 		hmp_next = hmp->b_next;
2226 		srp = (sctp_reass_t *)DB_BASE(hmp);
2227 		if (SSN_GT(srp->sr_ssn, ssn))
2228 			return (dlen);
2229 		/*
2230 		 * If we had sent part of this message up, send a partial
2231 		 * delivery event. Since this is ordered delivery, we should
2232 		 * have sent partial message only for the next in sequence,
2233 		 * hence the ASSERT. See comments in sctp_data_chunk() for
2234 		 * trypartial.
2235 		 */
2236 		if (srp->sr_partial_delivered) {
2237 			if (srp->sr_ssn != sip->nextseq)
2238 				cmn_err(CE_WARN, "sctp partial"
2239 				    " delivery notify, sctp 0x%p"
2240 				    " sip = 0x%p ssn != nextseq"
2241 				    " ssn 0x%x nextseq 0x%x",
2242 				    (void *)sctp, (void *)sip,
2243 				    srp->sr_ssn, sip->nextseq);
2244 			ASSERT(sip->nextseq == srp->sr_ssn);
2245 			sctp_partial_delivery_event(sctp);
2246 		}
2247 		/* Take it out of the reass queue */
2248 		sip->istr_reass = hmp_next;
2249 		if (hmp_next != NULL)
2250 			hmp_next->b_prev = NULL;
2251 		hmp->b_next = NULL;
2252 		ASSERT(hmp->b_prev == NULL);
2253 		dmp = hmp;
2254 		ASSERT(DB_TYPE(hmp) == M_CTL);
2255 		dmp = hmp->b_cont;
2256 		hmp->b_cont = NULL;
2257 		freeb(hmp);
2258 		hmp = dmp;
2259 		while (dmp != NULL) {
2260 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2261 			dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2262 			dmp = dmp->b_cont;
2263 		}
2264 		freemsg(hmp);
2265 		hmp = hmp_next;
2266 	}
2267 	return (dlen);
2268 }
2269 
2270 /*
2271  * Update sctp_ftsn to the cumulative TSN from the Forward TSN chunk. Remove
2272  * any SACK gaps less than the newly updated sctp_ftsn. Walk through the
2273  * sid-ssn pair in the Forward TSN and for each, clean the fragment list
2274  * for this pair, if needed, and check if we can deliver subsequent
2275  * messages, if any, from the instream queue (that were waiting for this
2276  * sid-ssn message to show up). Once we are done try to update the SACK
2277  * info. We could get a duplicate Forward TSN, in which case just send
2278  * a SACK. If any of the sid values in the Forward TSN is invalid,
2279  * send back an "Invalid Stream Identifier" error and continue processing
2280  * the rest.
2281  */
2282 static void
2283 sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
2284     ip_pkt_t *ipp, ip_recv_attr_t *ira)
2285 {
2286 	uint32_t	*ftsn = (uint32_t *)(ch + 1);
2287 	ftsn_entry_t	*ftsn_entry;
2288 	sctp_instr_t	*instr;
2289 	boolean_t	can_deliver = B_TRUE;
2290 	size_t		dlen;
2291 	int		flen;
2292 	mblk_t		*dmp;
2293 	mblk_t		*pmp;
2294 	sctp_data_hdr_t	*dc;
2295 	ssize_t		remaining;
2296 	sctp_stack_t	*sctps = sctp->sctp_sctps;
2297 
2298 	*ftsn = ntohl(*ftsn);
2299 	remaining =  ntohs(ch->sch_len) - sizeof (*ch) - sizeof (*ftsn);
2300 
2301 	if (SCTP_IS_DETACHED(sctp)) {
2302 		SCTPS_BUMP_MIB(sctps, sctpInClosed);
2303 		can_deliver = B_FALSE;
2304 	}
2305 	/*
2306 	 * un-ordered messages don't have SID-SSN pair entries, we check
2307 	 * for any fragments (for un-ordered message) to be discarded using
2308 	 * the cumulative FTSN.
2309 	 */
2310 	flen = sctp_ftsn_check_uo_frag(sctp, *ftsn);
2311 	if (flen > 0) {
2312 		ASSERT(sctp->sctp_rxqueued >= flen);
2313 		sctp->sctp_rxqueued -= flen;
2314 	}
2315 	ftsn_entry = (ftsn_entry_t *)(ftsn + 1);
2316 	while (remaining >= sizeof (*ftsn_entry)) {
2317 		ftsn_entry->ftsn_sid = ntohs(ftsn_entry->ftsn_sid);
2318 		ftsn_entry->ftsn_ssn = ntohs(ftsn_entry->ftsn_ssn);
2319 		if (ftsn_entry->ftsn_sid >= sctp->sctp_num_istr) {
2320 			sctp_bsc_t	inval_parm;
2321 
2322 			/* Will populate the CAUSE block in the ERROR chunk. */
2323 			inval_parm.bsc_sid = htons(ftsn_entry->ftsn_sid);
2324 			/* RESERVED, ignored at the receiving end */
2325 			inval_parm.bsc_pad = 0;
2326 
2327 			sctp_add_err(sctp, SCTP_ERR_BAD_SID,
2328 			    (void *)&inval_parm, sizeof (sctp_bsc_t), fp);
2329 			ftsn_entry++;
2330 			remaining -= sizeof (*ftsn_entry);
2331 			continue;
2332 		}
2333 		instr = &sctp->sctp_instr[ftsn_entry->ftsn_sid];
2334 		flen = sctp_ftsn_check_frag(sctp, ftsn_entry->ftsn_ssn, instr);
2335 		/* Indicates frags were nuked, update rxqueued */
2336 		if (flen > 0) {
2337 			ASSERT(sctp->sctp_rxqueued >= flen);
2338 			sctp->sctp_rxqueued -= flen;
2339 		}
2340 		/*
2341 		 * It is possible to receive an FTSN chunk with SSN smaller
2342 		 * than then nextseq if this chunk is a retransmission because
2343 		 * of incomplete processing when it was first processed.
2344 		 */
2345 		if (SSN_GE(ftsn_entry->ftsn_ssn, instr->nextseq))
2346 			instr->nextseq = ftsn_entry->ftsn_ssn + 1;
2347 		while (instr->istr_nmsgs > 0) {
2348 			mblk_t	*next;
2349 
2350 			dmp = (mblk_t *)instr->istr_msgs;
2351 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2352 			if (ntohs(dc->sdh_ssn) != instr->nextseq)
2353 				break;
2354 
2355 			next = dmp->b_next;
2356 			dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
2357 			for (pmp = dmp->b_cont; pmp != NULL;
2358 			    pmp = pmp->b_cont) {
2359 				dlen += MBLKL(pmp);
2360 			}
2361 			if (can_deliver) {
2362 				int error;
2363 
2364 				dmp->b_rptr = (uchar_t *)(dc + 1);
2365 				dmp->b_next = NULL;
2366 				ASSERT(dmp->b_prev == NULL);
2367 				if (sctp_input_add_ancillary(sctp,
2368 				    &dmp, dc, fp, ipp, ira) == 0) {
2369 					sctp->sctp_rxqueued -= dlen;
2370 					/*
2371 					 * Override b_flag for SCTP sockfs
2372 					 * internal use
2373 					 */
2374 
2375 					dmp->b_flag = 0;
2376 					if (sctp->sctp_flowctrld) {
2377 						sctp->sctp_rwnd -= dlen;
2378 						if (sctp->sctp_rwnd < 0)
2379 							sctp->sctp_rwnd = 0;
2380 					}
2381 					if (sctp->sctp_ulp_recv(
2382 					    sctp->sctp_ulpd, dmp, msgdsize(dmp),
2383 					    0, &error, NULL) <= 0) {
2384 						sctp->sctp_flowctrld = B_TRUE;
2385 					}
2386 				} else {
2387 					/*
2388 					 * We will resume processing when
2389 					 * the FTSN chunk is re-xmitted.
2390 					 */
2391 					dmp->b_rptr = (uchar_t *)dc;
2392 					dmp->b_next = next;
2393 					dprint(0,
2394 					    ("FTSN dequeuing %u failed\n",
2395 					    ntohs(dc->sdh_ssn)));
2396 					return;
2397 				}
2398 			} else {
2399 				sctp->sctp_rxqueued -= dlen;
2400 				ASSERT(dmp->b_prev == NULL);
2401 				dmp->b_next = NULL;
2402 				freemsg(dmp);
2403 			}
2404 			instr->istr_nmsgs--;
2405 			instr->nextseq++;
2406 			sctp->sctp_istr_nmsgs--;
2407 			if (next != NULL)
2408 				next->b_prev = NULL;
2409 			instr->istr_msgs = next;
2410 		}
2411 		ftsn_entry++;
2412 		remaining -= sizeof (*ftsn_entry);
2413 	}
2414 	/* Duplicate FTSN */
2415 	if (*ftsn <= (sctp->sctp_ftsn - 1)) {
2416 		sctp->sctp_force_sack = 1;
2417 		return;
2418 	}
2419 	/* Advance cum TSN to that reported in the Forward TSN chunk */
2420 	sctp->sctp_ftsn = *ftsn + 1;
2421 
2422 	/* Remove all the SACK gaps before the new cum TSN */
2423 	if (sctp->sctp_sack_info != NULL) {
2424 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2425 		    &sctp->sctp_sack_gaps);
2426 	}
2427 	/*
2428 	 * If there are gap reports pending, check if advancing
2429 	 * the ftsn here closes a gap. If so, we can advance
2430 	 * ftsn to the end of the set.
2431 	 * If ftsn has moved forward, maybe we can remove gap reports.
2432 	 */
2433 	if (sctp->sctp_sack_info != NULL &&
2434 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
2435 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
2436 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2437 		    &sctp->sctp_sack_gaps);
2438 	}
2439 }
2440 
2441 /*
2442  * When we have processed a SACK we check to see if we can advance the
2443  * cumulative TSN if there are abandoned chunks immediately following
2444  * the updated cumulative TSN. If there are, we attempt to send a
2445  * Forward TSN chunk.
2446  */
2447 static void
2448 sctp_check_abandoned_data(sctp_t *sctp, sctp_faddr_t *fp)
2449 {
2450 	mblk_t		*meta = sctp->sctp_xmit_head;
2451 	mblk_t		*mp;
2452 	mblk_t		*nmp;
2453 	uint32_t	seglen;
2454 	uint32_t	adv_pap = sctp->sctp_adv_pap;
2455 
2456 	/*
2457 	 * We only check in the first meta since otherwise we can't
2458 	 * advance the cumulative ack point. We just look for chunks
2459 	 * marked for retransmission, else we might prematurely
2460 	 * send an FTSN for a sent, but unacked, chunk.
2461 	 */
2462 	for (mp = meta->b_cont; mp != NULL; mp = mp->b_next) {
2463 		if (!SCTP_CHUNK_ISSENT(mp))
2464 			return;
2465 		if (SCTP_CHUNK_WANT_REXMIT(mp))
2466 			break;
2467 	}
2468 	if (mp == NULL)
2469 		return;
2470 	sctp_check_adv_ack_pt(sctp, meta, mp);
2471 	if (SEQ_GT(sctp->sctp_adv_pap, adv_pap)) {
2472 		sctp_make_ftsns(sctp, meta, mp, &nmp, fp, &seglen);
2473 		if (nmp == NULL) {
2474 			sctp->sctp_adv_pap = adv_pap;
2475 			if (!fp->sf_timer_running)
2476 				SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
2477 			return;
2478 		}
2479 		sctp_set_iplen(sctp, nmp, fp->sf_ixa);
2480 		(void) conn_ip_output(nmp, fp->sf_ixa);
2481 		BUMP_LOCAL(sctp->sctp_opkts);
2482 		if (!fp->sf_timer_running)
2483 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
2484 	}
2485 }
2486 
2487 /*
2488  * The processing here follows the same logic in sctp_got_sack(), the reason
2489  * we do this separately is because, usually, gap blocks are ordered and
2490  * we can process it in sctp_got_sack(). However if they aren't we would
2491  * need to do some additional non-optimal stuff when we start processing the
2492  * unordered gaps. To that effect sctp_got_sack() does the processing in the
2493  * simple case and this does the same in the more involved case.
2494  */
2495 static uint32_t
2496 sctp_process_uo_gaps(sctp_t *sctp, uint32_t ctsn, sctp_sack_frag_t *ssf,
2497     int num_gaps, mblk_t *umphead, mblk_t *mphead, int *trysend,
2498     boolean_t *fast_recovery, uint32_t fr_xtsn)
2499 {
2500 	uint32_t		xtsn;
2501 	uint32_t		gapstart = 0;
2502 	uint32_t		gapend = 0;
2503 	int			gapcnt;
2504 	uint16_t		chunklen;
2505 	sctp_data_hdr_t		*sdc;
2506 	int			gstart;
2507 	mblk_t			*ump = umphead;
2508 	mblk_t			*mp = mphead;
2509 	sctp_faddr_t		*fp;
2510 	uint32_t		acked = 0;
2511 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2512 
2513 	/*
2514 	 * gstart tracks the last (in the order of TSN) gapstart that
2515 	 * we process in this SACK gaps walk.
2516 	 */
2517 	gstart = ctsn;
2518 
2519 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2520 	xtsn = ntohl(sdc->sdh_tsn);
2521 	for (gapcnt = 0; gapcnt < num_gaps; gapcnt++, ssf++) {
2522 		if (gapstart != 0) {
2523 			/*
2524 			 * If we have reached the end of the transmit list or
2525 			 * hit an unsent chunk or encountered an unordered gap
2526 			 * block start from the ctsn again.
2527 			 */
2528 			if (ump == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2529 			    SEQ_LT(ctsn + ntohs(ssf->ssf_start), xtsn)) {
2530 				ump = umphead;
2531 				mp = mphead;
2532 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2533 				xtsn = ntohl(sdc->sdh_tsn);
2534 			}
2535 		}
2536 
2537 		gapstart = ctsn + ntohs(ssf->ssf_start);
2538 		gapend = ctsn + ntohs(ssf->ssf_end);
2539 
2540 		/*
2541 		 * Sanity checks:
2542 		 *
2543 		 * 1. SACK for TSN we have not sent - ABORT
2544 		 * 2. Invalid or spurious gaps, ignore all gaps
2545 		 */
2546 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2547 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2548 			SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
2549 			*trysend = -1;
2550 			return (acked);
2551 		} else if (SEQ_LT(gapend, gapstart) ||
2552 		    SEQ_LEQ(gapstart, ctsn)) {
2553 			break;
2554 		}
2555 		/*
2556 		 * The xtsn can be the TSN processed for the last gap
2557 		 * (gapend) or it could be the cumulative TSN. We continue
2558 		 * with the last xtsn as long as the gaps are ordered, when
2559 		 * we hit an unordered gap, we re-start from the cumulative
2560 		 * TSN. For the first gap it is always the cumulative TSN.
2561 		 */
2562 		while (xtsn != gapstart) {
2563 			/*
2564 			 * We can't reliably check for reneged chunks
2565 			 * when walking the unordered list, so we don't.
2566 			 * In case the peer reneges then we will end up
2567 			 * sending the reneged chunk via timeout.
2568 			 */
2569 			mp = mp->b_next;
2570 			if (mp == NULL) {
2571 				ump = ump->b_next;
2572 				/*
2573 				 * ump can't be NULL because of the sanity
2574 				 * check above.
2575 				 */
2576 				ASSERT(ump != NULL);
2577 				mp = ump->b_cont;
2578 			}
2579 			/*
2580 			 * mp can't be unsent because of the sanity check
2581 			 * above.
2582 			 */
2583 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2584 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2585 			xtsn = ntohl(sdc->sdh_tsn);
2586 		}
2587 		/*
2588 		 * Now that we have found the chunk with TSN == 'gapstart',
2589 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2590 		 * All intermediate chunks will be marked ACKED, if they
2591 		 * haven't already been.
2592 		 */
2593 		while (SEQ_LEQ(xtsn, gapend)) {
2594 			/*
2595 			 * SACKed
2596 			 */
2597 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2598 			if (!SCTP_CHUNK_ISACKED(mp)) {
2599 				SCTP_CHUNK_ACKED(mp);
2600 
2601 				fp = SCTP_CHUNK_DEST(mp);
2602 				chunklen = ntohs(sdc->sdh_len);
2603 				ASSERT(fp->sf_suna >= chunklen);
2604 				fp->sf_suna -= chunklen;
2605 				if (fp->sf_suna == 0) {
2606 					/* All outstanding data acked. */
2607 					fp->sf_pba = 0;
2608 					SCTP_FADDR_TIMER_STOP(fp);
2609 				}
2610 				fp->sf_acked += chunklen;
2611 				acked += chunklen;
2612 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2613 				ASSERT(sctp->sctp_unacked >= 0);
2614 			}
2615 			/*
2616 			 * Move to the next message in the transmit list
2617 			 * if we are done with all the chunks from the current
2618 			 * message. Note, it is possible to hit the end of the
2619 			 * transmit list here, i.e. if we have already completed
2620 			 * processing the gap block.
2621 			 */
2622 			mp = mp->b_next;
2623 			if (mp == NULL) {
2624 				ump = ump->b_next;
2625 				if (ump == NULL) {
2626 					ASSERT(xtsn == gapend);
2627 					break;
2628 				}
2629 				mp = ump->b_cont;
2630 			}
2631 			/*
2632 			 * Likewise, we can hit an unsent chunk once we have
2633 			 * completed processing the gap block.
2634 			 */
2635 			if (!SCTP_CHUNK_ISSENT(mp)) {
2636 				ASSERT(xtsn == gapend);
2637 				break;
2638 			}
2639 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2640 			xtsn = ntohl(sdc->sdh_tsn);
2641 		}
2642 		/*
2643 		 * We keep track of the last gap we successfully processed
2644 		 * so that we can terminate the walk below for incrementing
2645 		 * the SACK count.
2646 		 */
2647 		if (SEQ_LT(gstart, gapstart))
2648 			gstart = gapstart;
2649 	}
2650 	/*
2651 	 * Check if have incremented the SACK count for all unacked TSNs in
2652 	 * sctp_got_sack(), if so we are done.
2653 	 */
2654 	if (SEQ_LEQ(gstart, fr_xtsn))
2655 		return (acked);
2656 
2657 	ump = umphead;
2658 	mp = mphead;
2659 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2660 	xtsn = ntohl(sdc->sdh_tsn);
2661 	while (SEQ_LT(xtsn, gstart)) {
2662 		/*
2663 		 * We have incremented SACK count for TSNs less than fr_tsn
2664 		 * in sctp_got_sack(), so don't increment them again here.
2665 		 */
2666 		if (SEQ_GT(xtsn, fr_xtsn) && !SCTP_CHUNK_ISACKED(mp)) {
2667 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2668 			if (SCTP_CHUNK_SACKCNT(mp) ==
2669 			    sctps->sctps_fast_rxt_thresh) {
2670 				SCTP_CHUNK_REXMIT(sctp, mp);
2671 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2672 				*trysend = 1;
2673 				if (!*fast_recovery) {
2674 					/*
2675 					 * Entering fast recovery.
2676 					 */
2677 					fp = SCTP_CHUNK_DEST(mp);
2678 					fp->sf_ssthresh = fp->sf_cwnd / 2;
2679 					if (fp->sf_ssthresh < 2 * fp->sf_pmss) {
2680 						fp->sf_ssthresh =
2681 						    2 * fp->sf_pmss;
2682 					}
2683 					fp->sf_cwnd = fp->sf_ssthresh;
2684 					fp->sf_pba = 0;
2685 					sctp->sctp_recovery_tsn =
2686 					    sctp->sctp_ltsn - 1;
2687 					*fast_recovery = B_TRUE;
2688 				}
2689 			}
2690 		}
2691 		mp = mp->b_next;
2692 		if (mp == NULL) {
2693 			ump = ump->b_next;
2694 			/* We can't get to the end of the transmit list here */
2695 			ASSERT(ump != NULL);
2696 			mp = ump->b_cont;
2697 		}
2698 		/* We can't hit an unsent chunk here */
2699 		ASSERT(SCTP_CHUNK_ISSENT(mp));
2700 		sdc = (sctp_data_hdr_t *)mp->b_rptr;
2701 		xtsn = ntohl(sdc->sdh_tsn);
2702 	}
2703 	return (acked);
2704 }
2705 
2706 static int
2707 sctp_got_sack(sctp_t *sctp, sctp_chunk_hdr_t *sch)
2708 {
2709 	sctp_sack_chunk_t	*sc;
2710 	sctp_data_hdr_t		*sdc;
2711 	sctp_sack_frag_t	*ssf;
2712 	mblk_t			*ump;
2713 	mblk_t			*mp;
2714 	mblk_t			*mp1;
2715 	uint32_t		cumtsn;
2716 	uint32_t		xtsn;
2717 	uint32_t		gapstart = 0;
2718 	uint32_t		gapend = 0;
2719 	uint32_t		acked = 0;
2720 	uint16_t		chunklen;
2721 	sctp_faddr_t		*fp;
2722 	int			num_gaps;
2723 	int			trysend = 0;
2724 	int			i;
2725 	boolean_t		fast_recovery = B_FALSE;
2726 	boolean_t		cumack_forward = B_FALSE;
2727 	boolean_t		fwd_tsn = B_FALSE;
2728 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2729 
2730 	BUMP_LOCAL(sctp->sctp_ibchunks);
2731 	BUMP_LOCAL(sctp->sctp_isacks);
2732 	chunklen = ntohs(sch->sch_len);
2733 	if (chunklen < (sizeof (*sch) + sizeof (*sc)))
2734 		return (0);
2735 
2736 	sc = (sctp_sack_chunk_t *)(sch + 1);
2737 	cumtsn = ntohl(sc->ssc_cumtsn);
2738 
2739 	dprint(2, ("got sack cumtsn %x -> %x\n", sctp->sctp_lastack_rxd,
2740 	    cumtsn));
2741 
2742 	/* out of order */
2743 	if (SEQ_LT(cumtsn, sctp->sctp_lastack_rxd))
2744 		return (0);
2745 
2746 	if (SEQ_GT(cumtsn, sctp->sctp_ltsn - 1)) {
2747 		SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
2748 		/* Send an ABORT */
2749 		return (-1);
2750 	}
2751 
2752 	/*
2753 	 * Cwnd only done when not in fast recovery mode.
2754 	 */
2755 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn))
2756 		fast_recovery = B_TRUE;
2757 
2758 	/*
2759 	 * .. and if the cum TSN is not moving ahead on account Forward TSN
2760 	 */
2761 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_adv_pap))
2762 		fwd_tsn = B_TRUE;
2763 
2764 	if (cumtsn == sctp->sctp_lastack_rxd &&
2765 	    (sctp->sctp_xmit_unacked == NULL ||
2766 	    !SCTP_CHUNK_ABANDONED(sctp->sctp_xmit_unacked))) {
2767 		if (sctp->sctp_xmit_unacked != NULL)
2768 			mp = sctp->sctp_xmit_unacked;
2769 		else if (sctp->sctp_xmit_head != NULL)
2770 			mp = sctp->sctp_xmit_head->b_cont;
2771 		else
2772 			mp = NULL;
2773 		SCTPS_BUMP_MIB(sctps, sctpInDupAck);
2774 		/*
2775 		 * If we were doing a zero win probe and the win
2776 		 * has now opened to at least MSS, re-transmit the
2777 		 * zero win probe via sctp_rexmit_packet().
2778 		 */
2779 		if (mp != NULL && sctp->sctp_zero_win_probe &&
2780 		    ntohl(sc->ssc_a_rwnd) >= sctp->sctp_current->sf_pmss) {
2781 			mblk_t	*pkt;
2782 			uint_t	pkt_len;
2783 			mblk_t	*mp1 = mp;
2784 			mblk_t	*meta = sctp->sctp_xmit_head;
2785 
2786 			/*
2787 			 * Reset the RTO since we have been backing-off
2788 			 * to send the ZWP.
2789 			 */
2790 			fp = sctp->sctp_current;
2791 			fp->sf_rto = fp->sf_srtt + 4 * fp->sf_rttvar;
2792 			SCTP_MAX_RTO(sctp, fp);
2793 			/* Resend the ZWP */
2794 			pkt = sctp_rexmit_packet(sctp, &meta, &mp1, fp,
2795 			    &pkt_len);
2796 			if (pkt == NULL) {
2797 				SCTP_KSTAT(sctps, sctp_ss_rexmit_failed);
2798 				return (0);
2799 			}
2800 			ASSERT(pkt_len <= fp->sf_pmss);
2801 			sctp->sctp_zero_win_probe = B_FALSE;
2802 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2803 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2804 			sctp_set_iplen(sctp, pkt, fp->sf_ixa);
2805 			(void) conn_ip_output(pkt, fp->sf_ixa);
2806 			BUMP_LOCAL(sctp->sctp_opkts);
2807 		}
2808 	} else {
2809 		if (sctp->sctp_zero_win_probe) {
2810 			/*
2811 			 * Reset the RTO since we have been backing-off
2812 			 * to send the ZWP.
2813 			 */
2814 			fp = sctp->sctp_current;
2815 			fp->sf_rto = fp->sf_srtt + 4 * fp->sf_rttvar;
2816 			SCTP_MAX_RTO(sctp, fp);
2817 			sctp->sctp_zero_win_probe = B_FALSE;
2818 			/* This is probably not required */
2819 			if (!sctp->sctp_rexmitting) {
2820 				sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2821 				sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2822 			}
2823 		}
2824 		acked = sctp_cumack(sctp, cumtsn, &mp);
2825 		sctp->sctp_xmit_unacked = mp;
2826 		if (acked > 0) {
2827 			trysend = 1;
2828 			cumack_forward = B_TRUE;
2829 			if (fwd_tsn && SEQ_GEQ(sctp->sctp_lastack_rxd,
2830 			    sctp->sctp_adv_pap)) {
2831 				cumack_forward = B_FALSE;
2832 			}
2833 		}
2834 	}
2835 	num_gaps = ntohs(sc->ssc_numfrags);
2836 	UPDATE_LOCAL(sctp->sctp_gapcnt, num_gaps);
2837 	if (num_gaps == 0 || mp == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2838 	    chunklen < (sizeof (*sch) + sizeof (*sc) +
2839 	    num_gaps * sizeof (*ssf))) {
2840 		goto ret;
2841 	}
2842 #ifdef	DEBUG
2843 	/*
2844 	 * Since we delete any message that has been acked completely,
2845 	 * the unacked chunk must belong to sctp_xmit_head (as
2846 	 * we don't have a back pointer from the mp to the meta data
2847 	 * we do this).
2848 	 */
2849 	{
2850 		mblk_t	*mp2 = sctp->sctp_xmit_head->b_cont;
2851 
2852 		while (mp2 != NULL) {
2853 			if (mp2 == mp)
2854 				break;
2855 			mp2 = mp2->b_next;
2856 		}
2857 		ASSERT(mp2 != NULL);
2858 	}
2859 #endif
2860 	ump = sctp->sctp_xmit_head;
2861 
2862 	/*
2863 	 * Just remember where we started from, in case we need to call
2864 	 * sctp_process_uo_gaps() if the gap blocks are unordered.
2865 	 */
2866 	mp1 = mp;
2867 
2868 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2869 	xtsn = ntohl(sdc->sdh_tsn);
2870 	ASSERT(xtsn == cumtsn + 1);
2871 
2872 	/*
2873 	 * Go through SACK gaps. They are ordered based on start TSN.
2874 	 */
2875 	ssf = (sctp_sack_frag_t *)(sc + 1);
2876 	for (i = 0; i < num_gaps; i++, ssf++) {
2877 		if (gapstart != 0) {
2878 			/* check for unordered gap */
2879 			if (SEQ_LEQ(cumtsn + ntohs(ssf->ssf_start), gapstart)) {
2880 				acked += sctp_process_uo_gaps(sctp,
2881 				    cumtsn, ssf, num_gaps - i,
2882 				    sctp->sctp_xmit_head, mp1,
2883 				    &trysend, &fast_recovery, gapstart);
2884 				if (trysend < 0) {
2885 					SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
2886 					return (-1);
2887 				}
2888 				break;
2889 			}
2890 		}
2891 		gapstart = cumtsn + ntohs(ssf->ssf_start);
2892 		gapend = cumtsn + ntohs(ssf->ssf_end);
2893 
2894 		/*
2895 		 * Sanity checks:
2896 		 *
2897 		 * 1. SACK for TSN we have not sent - ABORT
2898 		 * 2. Invalid or spurious gaps, ignore all gaps
2899 		 */
2900 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2901 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2902 			SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
2903 			return (-1);
2904 		} else if (SEQ_LT(gapend, gapstart) ||
2905 		    SEQ_LEQ(gapstart, cumtsn)) {
2906 			break;
2907 		}
2908 		/*
2909 		 * Let's start at the current TSN (for the 1st gap we start
2910 		 * from the cumulative TSN, for subsequent ones we start from
2911 		 * where the previous gapend was found - second while loop
2912 		 * below) and walk the transmit list till we find the TSN
2913 		 * corresponding to gapstart. All the unacked chunks till we
2914 		 * get to the chunk with TSN == gapstart will have their
2915 		 * SACKCNT incremented by 1. Note since the gap blocks are
2916 		 * ordered, we won't be incrementing the SACKCNT for an
2917 		 * unacked chunk by more than one while processing the gap
2918 		 * blocks. If the SACKCNT for any unacked chunk exceeds
2919 		 * the fast retransmit threshold, we will fast retransmit
2920 		 * after processing all the gap blocks.
2921 		 */
2922 		ASSERT(SEQ_LEQ(xtsn, gapstart));
2923 		while (xtsn != gapstart) {
2924 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2925 			if (SCTP_CHUNK_SACKCNT(mp) ==
2926 			    sctps->sctps_fast_rxt_thresh) {
2927 				SCTP_CHUNK_REXMIT(sctp, mp);
2928 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2929 				trysend = 1;
2930 				if (!fast_recovery) {
2931 					/*
2932 					 * Entering fast recovery.
2933 					 */
2934 					fp = SCTP_CHUNK_DEST(mp);
2935 					fp->sf_ssthresh = fp->sf_cwnd / 2;
2936 					if (fp->sf_ssthresh < 2 * fp->sf_pmss) {
2937 						fp->sf_ssthresh =
2938 						    2 * fp->sf_pmss;
2939 					}
2940 					fp->sf_cwnd = fp->sf_ssthresh;
2941 					fp->sf_pba = 0;
2942 					sctp->sctp_recovery_tsn =
2943 					    sctp->sctp_ltsn - 1;
2944 					fast_recovery = B_TRUE;
2945 				}
2946 			}
2947 
2948 			/*
2949 			 * Peer may have reneged on this chunk, so un-sack
2950 			 * it now. If the peer did renege, we need to
2951 			 * readjust unacked.
2952 			 */
2953 			if (SCTP_CHUNK_ISACKED(mp)) {
2954 				chunklen = ntohs(sdc->sdh_len);
2955 				fp = SCTP_CHUNK_DEST(mp);
2956 				fp->sf_suna += chunklen;
2957 				sctp->sctp_unacked += chunklen - sizeof (*sdc);
2958 				SCTP_CHUNK_CLEAR_ACKED(sctp, mp);
2959 				if (!fp->sf_timer_running) {
2960 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
2961 					    fp->sf_rto);
2962 				}
2963 			}
2964 
2965 			mp = mp->b_next;
2966 			if (mp == NULL) {
2967 				ump = ump->b_next;
2968 				/*
2969 				 * ump can't be NULL given the sanity check
2970 				 * above.  But if it is NULL, it means that
2971 				 * there is a data corruption.  We'd better
2972 				 * panic.
2973 				 */
2974 				if (ump == NULL) {
2975 					panic("Memory corruption detected: gap "
2976 					    "start TSN 0x%x missing from the "
2977 					    "xmit list: %p", gapstart,
2978 					    (void *)sctp);
2979 				}
2980 				mp = ump->b_cont;
2981 			}
2982 			/*
2983 			 * mp can't be unsent given the sanity check above.
2984 			 */
2985 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2986 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2987 			xtsn = ntohl(sdc->sdh_tsn);
2988 		}
2989 		/*
2990 		 * Now that we have found the chunk with TSN == 'gapstart',
2991 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2992 		 * All intermediate chunks will be marked ACKED, if they
2993 		 * haven't already been.
2994 		 */
2995 		while (SEQ_LEQ(xtsn, gapend)) {
2996 			/*
2997 			 * SACKed
2998 			 */
2999 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
3000 			if (!SCTP_CHUNK_ISACKED(mp)) {
3001 				SCTP_CHUNK_ACKED(mp);
3002 
3003 				fp = SCTP_CHUNK_DEST(mp);
3004 				chunklen = ntohs(sdc->sdh_len);
3005 				ASSERT(fp->sf_suna >= chunklen);
3006 				fp->sf_suna -= chunklen;
3007 				if (fp->sf_suna == 0) {
3008 					/* All outstanding data acked. */
3009 					fp->sf_pba = 0;
3010 					SCTP_FADDR_TIMER_STOP(fp);
3011 				}
3012 				fp->sf_acked += chunklen;
3013 				acked += chunklen;
3014 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
3015 				ASSERT(sctp->sctp_unacked >= 0);
3016 			}
3017 			/* Go to the next chunk of the current message */
3018 			mp = mp->b_next;
3019 			/*
3020 			 * Move to the next message in the transmit list
3021 			 * if we are done with all the chunks from the current
3022 			 * message. Note, it is possible to hit the end of the
3023 			 * transmit list here, i.e. if we have already completed
3024 			 * processing the gap block.  But the TSN must be equal
3025 			 * to the gapend because of the above sanity check.
3026 			 * If it is not equal, it means that some data is
3027 			 * missing.
3028 			 * Also, note that we break here, which means we
3029 			 * continue processing gap blocks, if any. In case of
3030 			 * ordered gap blocks there can't be any following
3031 			 * this (if there is it will fail the sanity check
3032 			 * above). In case of un-ordered gap blocks we will
3033 			 * switch to sctp_process_uo_gaps().  In either case
3034 			 * it should be fine to continue with NULL ump/mp,
3035 			 * but we just reset it to xmit_head.
3036 			 */
3037 			if (mp == NULL) {
3038 				ump = ump->b_next;
3039 				if (ump == NULL) {
3040 					if (xtsn != gapend) {
3041 						panic("Memory corruption "
3042 						    "detected: gap end TSN "
3043 						    "0x%x missing from the "
3044 						    "xmit list: %p", gapend,
3045 						    (void *)sctp);
3046 					}
3047 					ump = sctp->sctp_xmit_head;
3048 					mp = mp1;
3049 					sdc = (sctp_data_hdr_t *)mp->b_rptr;
3050 					xtsn = ntohl(sdc->sdh_tsn);
3051 					break;
3052 				}
3053 				mp = ump->b_cont;
3054 			}
3055 			/*
3056 			 * Likewise, we could hit an unsent chunk once we have
3057 			 * completed processing the gap block. Again, it is
3058 			 * fine to continue processing gap blocks with mp
3059 			 * pointing to the unsent chunk, because if there
3060 			 * are more ordered gap blocks, they will fail the
3061 			 * sanity check, and if there are un-ordered gap blocks,
3062 			 * we will continue processing in sctp_process_uo_gaps()
3063 			 * We just reset the mp to the one we started with.
3064 			 */
3065 			if (!SCTP_CHUNK_ISSENT(mp)) {
3066 				ASSERT(xtsn == gapend);
3067 				ump = sctp->sctp_xmit_head;
3068 				mp = mp1;
3069 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
3070 				xtsn = ntohl(sdc->sdh_tsn);
3071 				break;
3072 			}
3073 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
3074 			xtsn = ntohl(sdc->sdh_tsn);
3075 		}
3076 	}
3077 	if (sctp->sctp_prsctp_aware)
3078 		sctp_check_abandoned_data(sctp, sctp->sctp_current);
3079 	if (sctp->sctp_chk_fast_rexmit)
3080 		sctp_fast_rexmit(sctp);
3081 ret:
3082 	trysend += sctp_set_frwnd(sctp, ntohl(sc->ssc_a_rwnd));
3083 
3084 	/*
3085 	 * If receive window is closed while there is unsent data,
3086 	 * set a timer for doing zero window probes.
3087 	 */
3088 	if (sctp->sctp_frwnd == 0 && sctp->sctp_unacked == 0 &&
3089 	    sctp->sctp_unsent != 0) {
3090 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
3091 		    sctp->sctp_current->sf_rto);
3092 	}
3093 
3094 	/*
3095 	 * Set cwnd for all destinations.
3096 	 * Congestion window gets increased only when cumulative
3097 	 * TSN moves forward, we're not in fast recovery, and
3098 	 * cwnd has been fully utilized (almost fully, need to allow
3099 	 * some leeway due to non-MSS sized messages).
3100 	 */
3101 	if (sctp->sctp_current->sf_acked == acked) {
3102 		/*
3103 		 * Fast-path, only data sent to sctp_current got acked.
3104 		 */
3105 		fp = sctp->sctp_current;
3106 		if (cumack_forward && !fast_recovery &&
3107 		    (fp->sf_acked + fp->sf_suna > fp->sf_cwnd - fp->sf_pmss)) {
3108 			if (fp->sf_cwnd < fp->sf_ssthresh) {
3109 				/*
3110 				 * Slow start
3111 				 */
3112 				if (fp->sf_acked > fp->sf_pmss) {
3113 					fp->sf_cwnd += fp->sf_pmss;
3114 				} else {
3115 					fp->sf_cwnd += fp->sf_acked;
3116 				}
3117 				fp->sf_cwnd = MIN(fp->sf_cwnd,
3118 				    sctp->sctp_cwnd_max);
3119 			} else {
3120 				/*
3121 				 * Congestion avoidance
3122 				 */
3123 				fp->sf_pba += fp->sf_acked;
3124 				if (fp->sf_pba >= fp->sf_cwnd) {
3125 					fp->sf_pba -= fp->sf_cwnd;
3126 					fp->sf_cwnd += fp->sf_pmss;
3127 					fp->sf_cwnd = MIN(fp->sf_cwnd,
3128 					    sctp->sctp_cwnd_max);
3129 				}
3130 			}
3131 		}
3132 		/*
3133 		 * Limit the burst of transmitted data segments.
3134 		 */
3135 		if (fp->sf_suna + sctps->sctps_maxburst * fp->sf_pmss <
3136 		    fp->sf_cwnd) {
3137 			fp->sf_cwnd = fp->sf_suna + sctps->sctps_maxburst *
3138 			    fp->sf_pmss;
3139 		}
3140 		fp->sf_acked = 0;
3141 		goto check_ss_rxmit;
3142 	}
3143 	for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->sf_next) {
3144 		if (cumack_forward && fp->sf_acked && !fast_recovery &&
3145 		    (fp->sf_acked + fp->sf_suna > fp->sf_cwnd - fp->sf_pmss)) {
3146 			if (fp->sf_cwnd < fp->sf_ssthresh) {
3147 				if (fp->sf_acked > fp->sf_pmss) {
3148 					fp->sf_cwnd += fp->sf_pmss;
3149 				} else {
3150 					fp->sf_cwnd += fp->sf_acked;
3151 				}
3152 				fp->sf_cwnd = MIN(fp->sf_cwnd,
3153 				    sctp->sctp_cwnd_max);
3154 			} else {
3155 				fp->sf_pba += fp->sf_acked;
3156 				if (fp->sf_pba >= fp->sf_cwnd) {
3157 					fp->sf_pba -= fp->sf_cwnd;
3158 					fp->sf_cwnd += fp->sf_pmss;
3159 					fp->sf_cwnd = MIN(fp->sf_cwnd,
3160 					    sctp->sctp_cwnd_max);
3161 				}
3162 			}
3163 		}
3164 		if (fp->sf_suna + sctps->sctps_maxburst * fp->sf_pmss <
3165 		    fp->sf_cwnd) {
3166 			fp->sf_cwnd = fp->sf_suna + sctps->sctps_maxburst *
3167 			    fp->sf_pmss;
3168 		}
3169 		fp->sf_acked = 0;
3170 	}
3171 	fp = sctp->sctp_current;
3172 check_ss_rxmit:
3173 	/*
3174 	 * If this is a SACK following a timeout, check if there are
3175 	 * still unacked chunks (sent before the timeout) that we can
3176 	 * send.
3177 	 */
3178 	if (sctp->sctp_rexmitting) {
3179 		if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_rxt_maxtsn)) {
3180 			/*
3181 			 * As we are in retransmission phase, we may get a
3182 			 * SACK which indicates some new chunks are received
3183 			 * but cum_tsn does not advance.  During this
3184 			 * phase, the other side advances cum_tsn only because
3185 			 * it receives our retransmitted chunks.  Only
3186 			 * this signals that some chunks are still
3187 			 * missing.
3188 			 */
3189 			if (cumack_forward) {
3190 				fp->sf_rxt_unacked -= acked;
3191 				sctp_ss_rexmit(sctp);
3192 			}
3193 		} else {
3194 			sctp->sctp_rexmitting = B_FALSE;
3195 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
3196 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
3197 			fp->sf_rxt_unacked = 0;
3198 		}
3199 	}
3200 	return (trysend);
3201 }
3202 
3203 /*
3204  * Returns 0 if the caller should stop processing any more chunks,
3205  * 1 if the caller should skip this chunk and continue processing.
3206  */
3207 static int
3208 sctp_strange_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
3209 {
3210 	size_t len;
3211 
3212 	BUMP_LOCAL(sctp->sctp_ibchunks);
3213 	/* check top two bits for action required */
3214 	if (ch->sch_id & 0x40) {	/* also matches 0xc0 */
3215 		len = ntohs(ch->sch_len);
3216 		sctp_add_err(sctp, SCTP_ERR_UNREC_CHUNK, ch, len, fp);
3217 
3218 		if ((ch->sch_id & 0xc0) == 0xc0) {
3219 			/* skip and continue */
3220 			return (1);
3221 		} else {
3222 			/* stop processing */
3223 			return (0);
3224 		}
3225 	}
3226 	if (ch->sch_id & 0x80) {
3227 		/* skip and continue, no error */
3228 		return (1);
3229 	}
3230 	/* top two bits are clear; stop processing and no error */
3231 	return (0);
3232 }
3233 
3234 /*
3235  * Basic sanity checks on all input chunks and parameters: they must
3236  * be of legitimate size for their purported type, and must follow
3237  * ordering conventions as defined in rfc2960.
3238  *
3239  * Returns 1 if the chunk and all encloded params are legitimate,
3240  * 0 otherwise.
3241  */
3242 /*ARGSUSED*/
3243 static int
3244 sctp_check_input(sctp_t *sctp, sctp_chunk_hdr_t *ch, ssize_t len, int first)
3245 {
3246 	sctp_parm_hdr_t	*ph;
3247 	void		*p = NULL;
3248 	ssize_t		clen;
3249 	uint16_t	ch_len;
3250 
3251 	ch_len = ntohs(ch->sch_len);
3252 	if (ch_len > len) {
3253 		return (0);
3254 	}
3255 
3256 	switch (ch->sch_id) {
3257 	case CHUNK_DATA:
3258 		if (ch_len < sizeof (sctp_data_hdr_t)) {
3259 			return (0);
3260 		}
3261 		return (1);
3262 	case CHUNK_INIT:
3263 	case CHUNK_INIT_ACK:
3264 		{
3265 			ssize_t	remlen = len;
3266 
3267 			/*
3268 			 * INIT and INIT-ACK chunks must not be bundled with
3269 			 * any other.
3270 			 */
3271 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
3272 			    (ch_len < (sizeof (*ch) +
3273 			    sizeof (sctp_init_chunk_t)))) {
3274 				return (0);
3275 			}
3276 			/* may have params that need checking */
3277 			p = (char *)(ch + 1) + sizeof (sctp_init_chunk_t);
3278 			clen = ch_len - (sizeof (*ch) +
3279 			    sizeof (sctp_init_chunk_t));
3280 		}
3281 		break;
3282 	case CHUNK_SACK:
3283 		if (ch_len < (sizeof (*ch) + sizeof (sctp_sack_chunk_t))) {
3284 			return (0);
3285 		}
3286 		/* dup and gap reports checked by got_sack() */
3287 		return (1);
3288 	case CHUNK_SHUTDOWN:
3289 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t))) {
3290 			return (0);
3291 		}
3292 		return (1);
3293 	case CHUNK_ABORT:
3294 	case CHUNK_ERROR:
3295 		if (ch_len < sizeof (*ch)) {
3296 			return (0);
3297 		}
3298 		/* may have params that need checking */
3299 		p = ch + 1;
3300 		clen = ch_len - sizeof (*ch);
3301 		break;
3302 	case CHUNK_ECNE:
3303 	case CHUNK_CWR:
3304 	case CHUNK_HEARTBEAT:
3305 	case CHUNK_HEARTBEAT_ACK:
3306 	/* Full ASCONF chunk and parameter checks are in asconf.c */
3307 	case CHUNK_ASCONF:
3308 	case CHUNK_ASCONF_ACK:
3309 		if (ch_len < sizeof (*ch)) {
3310 			return (0);
3311 		}
3312 		/* heartbeat data checked by process_heartbeat() */
3313 		return (1);
3314 	case CHUNK_SHUTDOWN_COMPLETE:
3315 		{
3316 			ssize_t remlen = len;
3317 
3318 			/*
3319 			 * SHUTDOWN-COMPLETE chunk must not be bundled with any
3320 			 * other
3321 			 */
3322 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
3323 			    ch_len < sizeof (*ch)) {
3324 				return (0);
3325 			}
3326 		}
3327 		return (1);
3328 	case CHUNK_COOKIE:
3329 	case CHUNK_COOKIE_ACK:
3330 	case CHUNK_SHUTDOWN_ACK:
3331 		if (ch_len < sizeof (*ch) || !first) {
3332 			return (0);
3333 		}
3334 		return (1);
3335 	case CHUNK_FORWARD_TSN:
3336 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t)))
3337 			return (0);
3338 		return (1);
3339 	default:
3340 		return (1);	/* handled by strange_chunk() */
3341 	}
3342 
3343 	/* check and byteorder parameters */
3344 	if (clen <= 0) {
3345 		return (1);
3346 	}
3347 	ASSERT(p != NULL);
3348 
3349 	ph = p;
3350 	while (ph != NULL && clen > 0) {
3351 		ch_len = ntohs(ph->sph_len);
3352 		if (ch_len > len || ch_len < sizeof (*ph)) {
3353 			return (0);
3354 		}
3355 		ph = sctp_next_parm(ph, &clen);
3356 	}
3357 
3358 	/* All OK */
3359 	return (1);
3360 }
3361 
3362 static mblk_t *
3363 sctp_check_in_policy(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
3364 {
3365 	boolean_t policy_present;
3366 	ipha_t *ipha;
3367 	ip6_t *ip6h;
3368 	netstack_t	*ns = ipst->ips_netstack;
3369 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3370 
3371 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
3372 		policy_present = ipss->ipsec_inbound_v4_policy_present;
3373 		ipha = (ipha_t *)mp->b_rptr;
3374 		ip6h = NULL;
3375 	} else {
3376 		policy_present = ipss->ipsec_inbound_v6_policy_present;
3377 		ipha = NULL;
3378 		ip6h = (ip6_t *)mp->b_rptr;
3379 	}
3380 
3381 	if (policy_present) {
3382 		/*
3383 		 * The conn_t parameter is NULL because we already know
3384 		 * nobody's home.
3385 		 */
3386 		mp = ipsec_check_global_policy(mp, (conn_t *)NULL,
3387 		    ipha, ip6h, ira, ns);
3388 		if (mp == NULL)
3389 			return (NULL);
3390 	}
3391 	return (mp);
3392 }
3393 
3394 /* Handle out-of-the-blue packets */
3395 void
3396 sctp_ootb_input(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
3397 {
3398 	sctp_t			*sctp;
3399 	sctp_chunk_hdr_t	*ch;
3400 	sctp_hdr_t		*sctph;
3401 	in6_addr_t		src, dst;
3402 	uint_t			ip_hdr_len = ira->ira_ip_hdr_length;
3403 	ssize_t			mlen;
3404 	sctp_stack_t		*sctps;
3405 	boolean_t		secure;
3406 	zoneid_t		zoneid = ira->ira_zoneid;
3407 	uchar_t			*rptr;
3408 
3409 	ASSERT(ira->ira_ill == NULL);
3410 
3411 	secure = ira->ira_flags & IRAF_IPSEC_SECURE;
3412 
3413 	sctps = ipst->ips_netstack->netstack_sctp;
3414 
3415 	SCTPS_BUMP_MIB(sctps, sctpOutOfBlue);
3416 	SCTPS_BUMP_MIB(sctps, sctpInSCTPPkts);
3417 
3418 	if (mp->b_cont != NULL) {
3419 		/*
3420 		 * All subsequent code is vastly simplified if it can
3421 		 * assume a single contiguous chunk of data.
3422 		 */
3423 		if (pullupmsg(mp, -1) == 0) {
3424 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3425 			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3426 			freemsg(mp);
3427 			return;
3428 		}
3429 	}
3430 
3431 	rptr = mp->b_rptr;
3432 	sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);
3433 	if (ira->ira_flags & IRAF_IS_IPV4) {
3434 		ipha_t *ipha;
3435 
3436 		ipha = (ipha_t *)rptr;
3437 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
3438 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
3439 	} else {
3440 		ip6_t *ip6h;
3441 
3442 		ip6h = (ip6_t *)rptr;
3443 		src = ip6h->ip6_src;
3444 		dst = ip6h->ip6_dst;
3445 	}
3446 
3447 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3448 	if ((ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen)) == NULL) {
3449 		dprint(3, ("sctp_ootb_input: invalid packet\n"));
3450 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3451 		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3452 		freemsg(mp);
3453 		return;
3454 	}
3455 
3456 	switch (ch->sch_id) {
3457 	case CHUNK_INIT:
3458 		/* no listener; send abort  */
3459 		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
3460 			return;
3461 		sctp_ootb_send_abort(sctp_init2vtag(ch), 0,
3462 		    NULL, 0, mp, 0, B_TRUE, ira, ipst);
3463 		break;
3464 	case CHUNK_INIT_ACK:
3465 		/* check for changed src addr */
3466 		sctp = sctp_addrlist2sctp(mp, sctph, ch, zoneid, sctps);
3467 		if (sctp != NULL) {
3468 			/* success; proceed to normal path */
3469 			mutex_enter(&sctp->sctp_lock);
3470 			if (sctp->sctp_running) {
3471 				sctp_add_recvq(sctp, mp, B_FALSE, ira);
3472 				mutex_exit(&sctp->sctp_lock);
3473 			} else {
3474 				/*
3475 				 * If the source address is changed, we
3476 				 * don't need to worry too much about
3477 				 * out of order processing.  So we don't
3478 				 * check if the recvq is empty or not here.
3479 				 */
3480 				sctp->sctp_running = B_TRUE;
3481 				mutex_exit(&sctp->sctp_lock);
3482 				sctp_input_data(sctp, mp, ira);
3483 				WAKE_SCTP(sctp);
3484 			}
3485 			SCTP_REFRELE(sctp);
3486 			return;
3487 		}
3488 		/* else bogus init ack; drop it */
3489 		break;
3490 	case CHUNK_SHUTDOWN_ACK:
3491 		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
3492 			return;
3493 		sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
3494 		return;
3495 	case CHUNK_ERROR:
3496 	case CHUNK_ABORT:
3497 	case CHUNK_COOKIE_ACK:
3498 	case CHUNK_SHUTDOWN_COMPLETE:
3499 		break;
3500 	default:
3501 		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
3502 			return;
3503 		sctp_ootb_send_abort(sctph->sh_verf, 0,
3504 		    NULL, 0, mp, 0, B_TRUE, ira, ipst);
3505 		break;
3506 	}
3507 	freemsg(mp);
3508 }
3509 
3510 /*
3511  * Handle sctp packets.
3512  * Note that we rele the sctp_t (the caller got a reference on it).
3513  */
3514 void
3515 sctp_input(conn_t *connp, ipha_t *ipha, ip6_t *ip6h, mblk_t *mp,
3516     ip_recv_attr_t *ira)
3517 {
3518 	sctp_t		*sctp = CONN2SCTP(connp);
3519 	boolean_t	secure;
3520 	ill_t		*ill = ira->ira_ill;
3521 	ip_stack_t	*ipst = ill->ill_ipst;
3522 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3523 	iaflags_t	iraflags = ira->ira_flags;
3524 	ill_t		*rill = ira->ira_rill;
3525 
3526 	secure = iraflags & IRAF_IPSEC_SECURE;
3527 
3528 	/*
3529 	 * We check some fields in conn_t without holding a lock.
3530 	 * This should be fine.
3531 	 */
3532 	if (((iraflags & IRAF_IS_IPV4) ?
3533 	    CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
3534 	    CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
3535 	    secure) {
3536 		mp = ipsec_check_inbound_policy(mp, connp, ipha,
3537 		    ip6h, ira);
3538 		if (mp == NULL) {
3539 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3540 			/* Note that mp is NULL */
3541 			ip_drop_input("ipIfStatsInDiscards", mp, ill);
3542 			SCTP_REFRELE(sctp);
3543 			return;
3544 		}
3545 	}
3546 
3547 	ira->ira_ill = ira->ira_rill = NULL;
3548 
3549 	mutex_enter(&sctp->sctp_lock);
3550 	if (sctp->sctp_running) {
3551 		sctp_add_recvq(sctp, mp, B_FALSE, ira);
3552 		mutex_exit(&sctp->sctp_lock);
3553 		goto done;
3554 	} else {
3555 		sctp->sctp_running = B_TRUE;
3556 		mutex_exit(&sctp->sctp_lock);
3557 
3558 		mutex_enter(&sctp->sctp_recvq_lock);
3559 		if (sctp->sctp_recvq != NULL) {
3560 			sctp_add_recvq(sctp, mp, B_TRUE, ira);
3561 			mutex_exit(&sctp->sctp_recvq_lock);
3562 			WAKE_SCTP(sctp);
3563 			goto done;
3564 		}
3565 	}
3566 	mutex_exit(&sctp->sctp_recvq_lock);
3567 	if (ira->ira_flags & IRAF_ICMP_ERROR)
3568 		sctp_icmp_error(sctp, mp);
3569 	else
3570 		sctp_input_data(sctp, mp, ira);
3571 	WAKE_SCTP(sctp);
3572 
3573 done:
3574 	SCTP_REFRELE(sctp);
3575 	ira->ira_ill = ill;
3576 	ira->ira_rill = rill;
3577 }
3578 
3579 static void
3580 sctp_process_abort(sctp_t *sctp, sctp_chunk_hdr_t *ch, int err)
3581 {
3582 	sctp_stack_t	*sctps = sctp->sctp_sctps;
3583 
3584 	SCTPS_BUMP_MIB(sctps, sctpAborted);
3585 	BUMP_LOCAL(sctp->sctp_ibchunks);
3586 
3587 	/*
3588 	 * SCTP_COMM_LOST is only sent up if the association is
3589 	 * established (sctp_state >= SCTPS_ESTABLISHED).
3590 	 */
3591 	if (sctp->sctp_state >= SCTPS_ESTABLISHED) {
3592 		sctp_assoc_event(sctp, SCTP_COMM_LOST,
3593 		    ntohs(((sctp_parm_hdr_t *)(ch + 1))->sph_type), ch);
3594 	}
3595 
3596 	sctp_clean_death(sctp, err);
3597 }
3598 
3599 void
3600 sctp_input_data(sctp_t *sctp, mblk_t *mp, ip_recv_attr_t *ira)
3601 {
3602 	sctp_chunk_hdr_t	*ch;
3603 	ssize_t			mlen;
3604 	int			gotdata;
3605 	int			trysend;
3606 	sctp_faddr_t		*fp;
3607 	sctp_init_chunk_t	*iack;
3608 	uint32_t		tsn;
3609 	sctp_data_hdr_t		*sdc;
3610 	ip_pkt_t		ipp;
3611 	in6_addr_t		src;
3612 	in6_addr_t		dst;
3613 	uint_t			ifindex;
3614 	sctp_hdr_t		*sctph;
3615 	uint_t			ip_hdr_len = ira->ira_ip_hdr_length;
3616 	mblk_t			*dups = NULL;
3617 	int			recv_adaptation;
3618 	boolean_t		wake_eager = B_FALSE;
3619 	in6_addr_t		peer_src;
3620 	int64_t			now;
3621 	sctp_stack_t		*sctps = sctp->sctp_sctps;
3622 	ip_stack_t		*ipst = sctps->sctps_netstack->netstack_ip;
3623 	boolean_t		hb_already = B_FALSE;
3624 	cred_t			*cr;
3625 	pid_t			cpid;
3626 	uchar_t			*rptr;
3627 	conn_t			*connp = sctp->sctp_connp;
3628 	boolean_t		shutdown_ack_needed = B_FALSE;
3629 
3630 	ASSERT(DB_TYPE(mp) == M_DATA);
3631 	ASSERT(ira->ira_ill == NULL);
3632 
3633 	if (mp->b_cont != NULL) {
3634 		/*
3635 		 * All subsequent code is vastly simplified if it can
3636 		 * assume a single contiguous chunk of data.
3637 		 */
3638 		if (pullupmsg(mp, -1) == 0) {
3639 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3640 			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3641 			freemsg(mp);
3642 			return;
3643 		}
3644 	}
3645 
3646 	BUMP_LOCAL(sctp->sctp_ipkts);
3647 	ifindex = ira->ira_ruifindex;
3648 
3649 	rptr = mp->b_rptr;
3650 
3651 	ipp.ipp_fields = 0;
3652 	if (connp->conn_recv_ancillary.crb_all != 0) {
3653 		/*
3654 		 * Record packet information in the ip_pkt_t
3655 		 */
3656 		if (ira->ira_flags & IRAF_IS_IPV4) {
3657 			(void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
3658 			    B_FALSE);
3659 		} else {
3660 			uint8_t nexthdrp;
3661 
3662 			/*
3663 			 * IPv6 packets can only be received by applications
3664 			 * that are prepared to receive IPv6 addresses.
3665 			 * The IP fanout must ensure this.
3666 			 */
3667 			ASSERT(connp->conn_family == AF_INET6);
3668 
3669 			(void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
3670 			    &nexthdrp);
3671 			ASSERT(nexthdrp == IPPROTO_SCTP);
3672 
3673 			/* Could have caused a pullup? */
3674 			rptr = mp->b_rptr;
3675 		}
3676 	}
3677 
3678 	sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);
3679 
3680 	if (ira->ira_flags & IRAF_IS_IPV4) {
3681 		ipha_t *ipha;
3682 
3683 		ipha = (ipha_t *)rptr;
3684 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
3685 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
3686 	} else {
3687 		ip6_t *ip6h;
3688 
3689 		ip6h = (ip6_t *)rptr;
3690 		src = ip6h->ip6_src;
3691 		dst = ip6h->ip6_dst;
3692 	}
3693 
3694 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3695 	ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen);
3696 	if (ch == NULL) {
3697 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3698 		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3699 		freemsg(mp);
3700 		return;
3701 	}
3702 
3703 	if (!sctp_check_input(sctp, ch, mlen, 1)) {
3704 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3705 		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3706 		goto done;
3707 	}
3708 	/*
3709 	 * Check verfication tag (special handling for INIT,
3710 	 * COOKIE, SHUTDOWN_COMPLETE and SHUTDOWN_ACK chunks).
3711 	 * ABORTs are handled in the chunk processing loop, since
3712 	 * may not appear first. All other checked chunks must
3713 	 * appear first, or will have been dropped by check_input().
3714 	 */
3715 	switch (ch->sch_id) {
3716 	case CHUNK_INIT:
3717 		if (sctph->sh_verf != 0) {
3718 			/* drop it */
3719 			goto done;
3720 		}
3721 		break;
3722 	case CHUNK_SHUTDOWN_COMPLETE:
3723 		if (sctph->sh_verf == sctp->sctp_lvtag)
3724 			break;
3725 		if (sctph->sh_verf == sctp->sctp_fvtag &&
3726 		    SCTP_GET_TBIT(ch)) {
3727 			break;
3728 		}
3729 		/* else drop it */
3730 		goto done;
3731 	case CHUNK_ABORT:
3732 	case CHUNK_COOKIE:
3733 		/* handled below */
3734 		break;
3735 	case CHUNK_SHUTDOWN_ACK:
3736 		if (sctp->sctp_state > SCTPS_BOUND &&
3737 		    sctp->sctp_state < SCTPS_ESTABLISHED) {
3738 			/* treat as OOTB */
3739 			sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
3740 			return;
3741 		}
3742 		/* else fallthru */
3743 	default:
3744 		/*
3745 		 * All other packets must have a valid
3746 		 * verification tag, however if this is a
3747 		 * listener, we use a refined version of
3748 		 * out-of-the-blue logic.
3749 		 */
3750 		if (sctph->sh_verf != sctp->sctp_lvtag &&
3751 		    sctp->sctp_state != SCTPS_LISTEN) {
3752 			/* drop it */
3753 			goto done;
3754 		}
3755 		break;
3756 	}
3757 
3758 	/* Have a valid sctp for this packet */
3759 	fp = sctp_lookup_faddr(sctp, &src);
3760 	dprint(2, ("sctp_dispatch_rput: mp=%p fp=%p sctp=%p\n", (void *)mp,
3761 	    (void *)fp, (void *)sctp));
3762 
3763 	gotdata = 0;
3764 	trysend = 0;
3765 
3766 	now = LBOLT_FASTPATH64;
3767 	/* Process the chunks */
3768 	do {
3769 		dprint(3, ("sctp_dispatch_rput: state=%d, chunk id=%d\n",
3770 		    sctp->sctp_state, (int)(ch->sch_id)));
3771 
3772 		if (ch->sch_id == CHUNK_ABORT) {
3773 			if (sctph->sh_verf != sctp->sctp_lvtag &&
3774 			    sctph->sh_verf != sctp->sctp_fvtag) {
3775 				/* drop it */
3776 				goto done;
3777 			}
3778 		}
3779 
3780 		switch (sctp->sctp_state) {
3781 
3782 		case SCTPS_ESTABLISHED:
3783 		case SCTPS_SHUTDOWN_PENDING:
3784 		case SCTPS_SHUTDOWN_SENT:
3785 			switch (ch->sch_id) {
3786 			case CHUNK_DATA:
3787 				/* 0-length data chunks are not allowed */
3788 				if (ntohs(ch->sch_len) == sizeof (*sdc)) {
3789 					sdc = (sctp_data_hdr_t *)ch;
3790 					tsn = sdc->sdh_tsn;
3791 					sctp_send_abort(sctp, sctp->sctp_fvtag,
3792 					    SCTP_ERR_NO_USR_DATA, (char *)&tsn,
3793 					    sizeof (tsn), mp, 0, B_FALSE, ira);
3794 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3795 					    0, NULL);
3796 					sctp_clean_death(sctp, ECONNABORTED);
3797 					goto done;
3798 				}
3799 
3800 				ASSERT(fp != NULL);
3801 				sctp->sctp_lastdata = fp;
3802 				sctp_data_chunk(sctp, ch, mp, &dups, fp,
3803 				    &ipp, ira);
3804 				gotdata = 1;
3805 				/* Restart shutdown timer if shutting down */
3806 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3807 					/*
3808 					 * If we have exceeded our max
3809 					 * wait bound for waiting for a
3810 					 * shutdown ack from the peer,
3811 					 * abort the association.
3812 					 */
3813 					if (sctps->sctps_shutack_wait_bound !=
3814 					    0 &&
3815 					    TICK_TO_MSEC(now -
3816 					    sctp->sctp_out_time) >
3817 					    sctps->sctps_shutack_wait_bound) {
3818 						sctp_send_abort(sctp,
3819 						    sctp->sctp_fvtag, 0, NULL,
3820 						    0, mp, 0, B_FALSE, ira);
3821 						sctp_assoc_event(sctp,
3822 						    SCTP_COMM_LOST, 0, NULL);
3823 						sctp_clean_death(sctp,
3824 						    ECONNABORTED);
3825 						goto done;
3826 					}
3827 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
3828 					    fp->sf_rto);
3829 				}
3830 				break;
3831 			case CHUNK_SACK:
3832 				ASSERT(fp != NULL);
3833 				/*
3834 				 * Peer is real and alive if it can ack our
3835 				 * data.
3836 				 */
3837 				sctp_faddr_alive(sctp, fp);
3838 				trysend = sctp_got_sack(sctp, ch);
3839 				if (trysend < 0) {
3840 					sctp_send_abort(sctp, sctph->sh_verf,
3841 					    0, NULL, 0, mp, 0, B_FALSE, ira);
3842 					sctp_assoc_event(sctp,
3843 					    SCTP_COMM_LOST, 0, NULL);
3844 					sctp_clean_death(sctp,
3845 					    ECONNABORTED);
3846 					goto done;
3847 				}
3848 				break;
3849 			case CHUNK_HEARTBEAT:
3850 				if (!hb_already) {
3851 					/*
3852 					 * In any one packet, there should
3853 					 * only be one heartbeat chunk.  So
3854 					 * we should not process more than
3855 					 * once.
3856 					 */
3857 					sctp_return_heartbeat(sctp, ch, mp);
3858 					hb_already = B_TRUE;
3859 				}
3860 				break;
3861 			case CHUNK_HEARTBEAT_ACK:
3862 				sctp_process_heartbeat(sctp, ch);
3863 				break;
3864 			case CHUNK_SHUTDOWN:
3865 				sctp_shutdown_event(sctp);
3866 				trysend = sctp_shutdown_received(sctp, ch,
3867 				    B_FALSE, B_FALSE, fp);
3868 				BUMP_LOCAL(sctp->sctp_ibchunks);
3869 				break;
3870 			case CHUNK_SHUTDOWN_ACK:
3871 				BUMP_LOCAL(sctp->sctp_ibchunks);
3872 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3873 					sctp_shutdown_complete(sctp);
3874 					SCTPS_BUMP_MIB(sctps, sctpShutdowns);
3875 					sctp_assoc_event(sctp,
3876 					    SCTP_SHUTDOWN_COMP, 0, NULL);
3877 					sctp_clean_death(sctp, 0);
3878 					goto done;
3879 				}
3880 				break;
3881 			case CHUNK_ABORT: {
3882 				sctp_saddr_ipif_t *sp;
3883 
3884 				/* Ignore if delete pending */
3885 				sp = sctp_saddr_lookup(sctp, &dst, 0);
3886 				ASSERT(sp != NULL);
3887 				if (sp->saddr_ipif_delete_pending) {
3888 					BUMP_LOCAL(sctp->sctp_ibchunks);
3889 					break;
3890 				}
3891 
3892 				sctp_process_abort(sctp, ch, ECONNRESET);
3893 				goto done;
3894 			}
3895 			case CHUNK_INIT:
3896 				sctp_send_initack(sctp, sctph, ch, mp, ira);
3897 				break;
3898 			case CHUNK_COOKIE:
3899 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3900 				    sctph, &recv_adaptation, NULL, ira) != -1) {
3901 					sctp_send_cookie_ack(sctp);
3902 					sctp_assoc_event(sctp, SCTP_RESTART,
3903 					    0, NULL);
3904 					if (recv_adaptation) {
3905 						sctp->sctp_recv_adaptation = 1;
3906 						sctp_adaptation_event(sctp);
3907 					}
3908 				} else {
3909 					SCTPS_BUMP_MIB(sctps,
3910 					    sctpInInvalidCookie);
3911 				}
3912 				break;
3913 			case CHUNK_ERROR: {
3914 				int error;
3915 
3916 				BUMP_LOCAL(sctp->sctp_ibchunks);
3917 				error = sctp_handle_error(sctp, sctph, ch, mp,
3918 				    ira);
3919 				if (error != 0) {
3920 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3921 					    0, NULL);
3922 					sctp_clean_death(sctp, error);
3923 					goto done;
3924 				}
3925 				break;
3926 			}
3927 			case CHUNK_ASCONF:
3928 				ASSERT(fp != NULL);
3929 				sctp_input_asconf(sctp, ch, fp);
3930 				BUMP_LOCAL(sctp->sctp_ibchunks);
3931 				break;
3932 			case CHUNK_ASCONF_ACK:
3933 				ASSERT(fp != NULL);
3934 				sctp_faddr_alive(sctp, fp);
3935 				sctp_input_asconf_ack(sctp, ch, fp);
3936 				BUMP_LOCAL(sctp->sctp_ibchunks);
3937 				break;
3938 			case CHUNK_FORWARD_TSN:
3939 				ASSERT(fp != NULL);
3940 				sctp->sctp_lastdata = fp;
3941 				sctp_process_forward_tsn(sctp, ch, fp,
3942 				    &ipp, ira);
3943 				gotdata = 1;
3944 				BUMP_LOCAL(sctp->sctp_ibchunks);
3945 				break;
3946 			default:
3947 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3948 					goto nomorechunks;
3949 				} /* else skip and continue processing */
3950 				break;
3951 			}
3952 			break;
3953 
3954 		case SCTPS_LISTEN:
3955 			switch (ch->sch_id) {
3956 			case CHUNK_INIT:
3957 				sctp_send_initack(sctp, sctph, ch, mp, ira);
3958 				break;
3959 			case CHUNK_COOKIE: {
3960 				sctp_t *eager;
3961 
3962 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3963 				    sctph, &recv_adaptation, &peer_src,
3964 				    ira) == -1) {
3965 					SCTPS_BUMP_MIB(sctps,
3966 					    sctpInInvalidCookie);
3967 					goto done;
3968 				}
3969 
3970 				/*
3971 				 * The cookie is good; ensure that
3972 				 * the peer used the verification
3973 				 * tag from the init ack in the header.
3974 				 */
3975 				if (iack->sic_inittag != sctph->sh_verf)
3976 					goto done;
3977 
3978 				eager = sctp_conn_request(sctp, mp, ifindex,
3979 				    ip_hdr_len, iack, ira);
3980 				if (eager == NULL) {
3981 					sctp_send_abort(sctp, sctph->sh_verf,
3982 					    SCTP_ERR_NO_RESOURCES, NULL, 0, mp,
3983 					    0, B_FALSE, ira);
3984 					goto done;
3985 				}
3986 
3987 				/*
3988 				 * If there were extra chunks
3989 				 * bundled with the cookie,
3990 				 * they must be processed
3991 				 * on the eager's queue. We
3992 				 * accomplish this by refeeding
3993 				 * the whole packet into the
3994 				 * state machine on the right
3995 				 * q. The packet (mp) gets
3996 				 * there via the eager's
3997 				 * cookie_mp field (overloaded
3998 				 * with the active open role).
3999 				 * This is picked up when
4000 				 * processing the null bind
4001 				 * request put on the eager's
4002 				 * q by sctp_accept(). We must
4003 				 * first revert the cookie
4004 				 * chunk's length field to network
4005 				 * byteorder so it can be
4006 				 * properly reprocessed on the
4007 				 * eager's queue.
4008 				 */
4009 				SCTPS_BUMP_MIB(sctps, sctpPassiveEstab);
4010 				if (mlen > ntohs(ch->sch_len)) {
4011 					eager->sctp_cookie_mp = dupb(mp);
4012 					/*
4013 					 * If no mem, just let
4014 					 * the peer retransmit.
4015 					 */
4016 				}
4017 				sctp_assoc_event(eager, SCTP_COMM_UP, 0, NULL);
4018 				if (recv_adaptation) {
4019 					eager->sctp_recv_adaptation = 1;
4020 					eager->sctp_rx_adaptation_code =
4021 					    sctp->sctp_rx_adaptation_code;
4022 					sctp_adaptation_event(eager);
4023 				}
4024 
4025 				eager->sctp_active = now;
4026 				sctp_send_cookie_ack(eager);
4027 
4028 				wake_eager = B_TRUE;
4029 
4030 				/*
4031 				 * Process rest of the chunks with eager.
4032 				 */
4033 				sctp = eager;
4034 				fp = sctp_lookup_faddr(sctp, &peer_src);
4035 				/*
4036 				 * Confirm peer's original source.  fp can
4037 				 * only be NULL if peer does not use the
4038 				 * original source as one of its addresses...
4039 				 */
4040 				if (fp == NULL)
4041 					fp = sctp_lookup_faddr(sctp, &src);
4042 				else
4043 					sctp_faddr_alive(sctp, fp);
4044 
4045 				/*
4046 				 * Validate the peer addresses.  It also starts
4047 				 * the heartbeat timer.
4048 				 */
4049 				sctp_validate_peer(sctp);
4050 				break;
4051 			}
4052 			/* Anything else is considered out-of-the-blue */
4053 			case CHUNK_ERROR:
4054 			case CHUNK_ABORT:
4055 			case CHUNK_COOKIE_ACK:
4056 			case CHUNK_SHUTDOWN_COMPLETE:
4057 				BUMP_LOCAL(sctp->sctp_ibchunks);
4058 				goto done;
4059 			default:
4060 				BUMP_LOCAL(sctp->sctp_ibchunks);
4061 				sctp_send_abort(sctp, sctph->sh_verf, 0, NULL,
4062 				    0, mp, 0, B_TRUE, ira);
4063 				goto done;
4064 			}
4065 			break;
4066 
4067 		case SCTPS_COOKIE_WAIT:
4068 			switch (ch->sch_id) {
4069 			case CHUNK_INIT_ACK:
4070 				sctp_stop_faddr_timers(sctp);
4071 				sctp_faddr_alive(sctp, sctp->sctp_current);
4072 				sctp_send_cookie_echo(sctp, ch, mp, ira);
4073 				BUMP_LOCAL(sctp->sctp_ibchunks);
4074 				break;
4075 			case CHUNK_ABORT:
4076 				sctp_process_abort(sctp, ch, ECONNREFUSED);
4077 				goto done;
4078 			case CHUNK_INIT:
4079 				sctp_send_initack(sctp, sctph, ch, mp, ira);
4080 				break;
4081 			case CHUNK_COOKIE:
4082 				cr = ira->ira_cred;
4083 				cpid = ira->ira_cpid;
4084 
4085 				if (sctp_process_cookie(sctp, ch, mp, &iack,
4086 				    sctph, &recv_adaptation, NULL, ira) == -1) {
4087 					SCTPS_BUMP_MIB(sctps,
4088 					    sctpInInvalidCookie);
4089 					break;
4090 				}
4091 				sctp_send_cookie_ack(sctp);
4092 				sctp_stop_faddr_timers(sctp);
4093 				if (!SCTP_IS_DETACHED(sctp)) {
4094 					sctp->sctp_ulp_connected(
4095 					    sctp->sctp_ulpd, 0, cr, cpid);
4096 					sctp_set_ulp_prop(sctp);
4097 
4098 				}
4099 				SCTP_ASSOC_EST(sctps, sctp);
4100 				SCTPS_BUMP_MIB(sctps, sctpActiveEstab);
4101 				if (sctp->sctp_cookie_mp) {
4102 					freemsg(sctp->sctp_cookie_mp);
4103 					sctp->sctp_cookie_mp = NULL;
4104 				}
4105 
4106 				/* Validate the peer addresses. */
4107 				sctp->sctp_active = now;
4108 				sctp_validate_peer(sctp);
4109 
4110 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4111 				if (recv_adaptation) {
4112 					sctp->sctp_recv_adaptation = 1;
4113 					sctp_adaptation_event(sctp);
4114 				}
4115 				/* Try sending queued data, or ASCONFs */
4116 				trysend = 1;
4117 				break;
4118 			default:
4119 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4120 					goto nomorechunks;
4121 				} /* else skip and continue processing */
4122 				break;
4123 			}
4124 			break;
4125 
4126 		case SCTPS_COOKIE_ECHOED:
4127 			switch (ch->sch_id) {
4128 			case CHUNK_COOKIE_ACK:
4129 				cr = ira->ira_cred;
4130 				cpid = ira->ira_cpid;
4131 
4132 				if (!SCTP_IS_DETACHED(sctp)) {
4133 					sctp->sctp_ulp_connected(
4134 					    sctp->sctp_ulpd, 0, cr, cpid);
4135 					sctp_set_ulp_prop(sctp);
4136 				}
4137 				if (sctp->sctp_unacked == 0)
4138 					sctp_stop_faddr_timers(sctp);
4139 				SCTP_ASSOC_EST(sctps, sctp);
4140 				SCTPS_BUMP_MIB(sctps, sctpActiveEstab);
4141 				BUMP_LOCAL(sctp->sctp_ibchunks);
4142 				if (sctp->sctp_cookie_mp) {
4143 					freemsg(sctp->sctp_cookie_mp);
4144 					sctp->sctp_cookie_mp = NULL;
4145 				}
4146 				sctp_faddr_alive(sctp, fp);
4147 				/* Validate the peer addresses. */
4148 				sctp->sctp_active = now;
4149 				sctp_validate_peer(sctp);
4150 
4151 				/* Try sending queued data, or ASCONFs */
4152 				trysend = 1;
4153 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4154 				sctp_adaptation_event(sctp);
4155 				break;
4156 			case CHUNK_ABORT:
4157 				sctp_process_abort(sctp, ch, ECONNREFUSED);
4158 				goto done;
4159 			case CHUNK_COOKIE:
4160 				cr = ira->ira_cred;
4161 				cpid = ira->ira_cpid;
4162 
4163 				if (sctp_process_cookie(sctp, ch, mp, &iack,
4164 				    sctph, &recv_adaptation, NULL, ira) == -1) {
4165 					SCTPS_BUMP_MIB(sctps,
4166 					    sctpInInvalidCookie);
4167 					break;
4168 				}
4169 				sctp_send_cookie_ack(sctp);
4170 
4171 				if (!SCTP_IS_DETACHED(sctp)) {
4172 					sctp->sctp_ulp_connected(
4173 					    sctp->sctp_ulpd, 0, cr, cpid);
4174 					sctp_set_ulp_prop(sctp);
4175 
4176 				}
4177 				if (sctp->sctp_unacked == 0)
4178 					sctp_stop_faddr_timers(sctp);
4179 				SCTP_ASSOC_EST(sctps, sctp);
4180 				SCTPS_BUMP_MIB(sctps, sctpActiveEstab);
4181 				if (sctp->sctp_cookie_mp) {
4182 					freemsg(sctp->sctp_cookie_mp);
4183 					sctp->sctp_cookie_mp = NULL;
4184 				}
4185 				/* Validate the peer addresses. */
4186 				sctp->sctp_active = now;
4187 				sctp_validate_peer(sctp);
4188 
4189 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4190 				if (recv_adaptation) {
4191 					sctp->sctp_recv_adaptation = 1;
4192 					sctp_adaptation_event(sctp);
4193 				}
4194 				/* Try sending queued data, or ASCONFs */
4195 				trysend = 1;
4196 				break;
4197 			case CHUNK_INIT:
4198 				sctp_send_initack(sctp, sctph, ch, mp, ira);
4199 				break;
4200 			case CHUNK_ERROR: {
4201 				sctp_parm_hdr_t *p;
4202 
4203 				BUMP_LOCAL(sctp->sctp_ibchunks);
4204 				/* check for a stale cookie */
4205 				if (ntohs(ch->sch_len) >=
4206 				    (sizeof (*p) + sizeof (*ch)) +
4207 				    sizeof (uint32_t)) {
4208 
4209 					p = (sctp_parm_hdr_t *)(ch + 1);
4210 					if (p->sph_type ==
4211 					    htons(SCTP_ERR_STALE_COOKIE)) {
4212 						SCTPS_BUMP_MIB(sctps,
4213 						    sctpAborted);
4214 						sctp_error_event(sctp,
4215 						    ch, B_FALSE);
4216 						sctp_assoc_event(sctp,
4217 						    SCTP_COMM_LOST, 0, NULL);
4218 						sctp_clean_death(sctp,
4219 						    ECONNREFUSED);
4220 						goto done;
4221 					}
4222 				}
4223 				break;
4224 			}
4225 			case CHUNK_HEARTBEAT:
4226 				if (!hb_already) {
4227 					sctp_return_heartbeat(sctp, ch, mp);
4228 					hb_already = B_TRUE;
4229 				}
4230 				break;
4231 			default:
4232 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4233 					goto nomorechunks;
4234 				} /* else skip and continue processing */
4235 			} /* switch (ch->sch_id) */
4236 			break;
4237 
4238 		case SCTPS_SHUTDOWN_ACK_SENT:
4239 			switch (ch->sch_id) {
4240 			case CHUNK_ABORT:
4241 				/* Pass gathered wisdom to IP for keeping */
4242 				sctp_update_dce(sctp);
4243 				sctp_process_abort(sctp, ch, 0);
4244 				goto done;
4245 			case CHUNK_SHUTDOWN_COMPLETE:
4246 				BUMP_LOCAL(sctp->sctp_ibchunks);
4247 				SCTPS_BUMP_MIB(sctps, sctpShutdowns);
4248 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4249 				    NULL);
4250 
4251 				/* Pass gathered wisdom to IP for keeping */
4252 				sctp_update_dce(sctp);
4253 				sctp_clean_death(sctp, 0);
4254 				goto done;
4255 			case CHUNK_SHUTDOWN_ACK:
4256 				sctp_shutdown_complete(sctp);
4257 				BUMP_LOCAL(sctp->sctp_ibchunks);
4258 				SCTPS_BUMP_MIB(sctps, sctpShutdowns);
4259 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4260 				    NULL);
4261 				sctp_clean_death(sctp, 0);
4262 				goto done;
4263 			case CHUNK_COOKIE:
4264 				(void) sctp_shutdown_received(sctp, NULL,
4265 				    B_TRUE, B_FALSE, fp);
4266 				BUMP_LOCAL(sctp->sctp_ibchunks);
4267 				break;
4268 			case CHUNK_HEARTBEAT:
4269 				if (!hb_already) {
4270 					sctp_return_heartbeat(sctp, ch, mp);
4271 					hb_already = B_TRUE;
4272 				}
4273 				break;
4274 			default:
4275 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4276 					goto nomorechunks;
4277 				} /* else skip and continue processing */
4278 				break;
4279 			}
4280 			break;
4281 
4282 		case SCTPS_SHUTDOWN_RECEIVED:
4283 			switch (ch->sch_id) {
4284 			case CHUNK_SHUTDOWN:
4285 				trysend = sctp_shutdown_received(sctp, ch,
4286 				    B_FALSE, B_FALSE, fp);
4287 				/*
4288 				 * shutdown_ack_needed may have been set as
4289 				 * mentioned in the case CHUNK_SACK below.
4290 				 * If sctp_shutdown_received() above found
4291 				 * the xmit queue empty the SHUTDOWN ACK chunk
4292 				 * has already been sent (or scheduled to be
4293 				 * sent on the timer) and the SCTP state
4294 				 * changed, so reset shutdown_ack_needed.
4295 				 */
4296 				if (shutdown_ack_needed && (sctp->sctp_state ==
4297 				    SCTPS_SHUTDOWN_ACK_SENT))
4298 					shutdown_ack_needed = B_FALSE;
4299 				break;
4300 			case CHUNK_SACK:
4301 				trysend = sctp_got_sack(sctp, ch);
4302 				if (trysend < 0) {
4303 					sctp_send_abort(sctp, sctph->sh_verf,
4304 					    0, NULL, 0, mp, 0, B_FALSE, ira);
4305 					sctp_assoc_event(sctp,
4306 					    SCTP_COMM_LOST, 0, NULL);
4307 					sctp_clean_death(sctp,
4308 					    ECONNABORTED);
4309 					goto done;
4310 				}
4311 
4312 				/*
4313 				 * All data acknowledgement after a shutdown
4314 				 * should be done with SHUTDOWN chunk.
4315 				 * However some peer SCTP do not conform with
4316 				 * this and can unexpectedly send a SACK chunk.
4317 				 * If all data are acknowledged, set
4318 				 * shutdown_ack_needed here indicating that
4319 				 * SHUTDOWN ACK needs to be sent later by
4320 				 * sctp_send_shutdown_ack().
4321 				 */
4322 				if ((sctp->sctp_xmit_head == NULL) &&
4323 				    (sctp->sctp_xmit_unsent == NULL))
4324 					shutdown_ack_needed = B_TRUE;
4325 				break;
4326 			case CHUNK_ABORT:
4327 				sctp_process_abort(sctp, ch, ECONNRESET);
4328 				goto done;
4329 			case CHUNK_HEARTBEAT:
4330 				if (!hb_already) {
4331 					sctp_return_heartbeat(sctp, ch, mp);
4332 					hb_already = B_TRUE;
4333 				}
4334 				break;
4335 			default:
4336 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4337 					goto nomorechunks;
4338 				} /* else skip and continue processing */
4339 				break;
4340 			}
4341 			break;
4342 
4343 		default:
4344 			/*
4345 			 * The only remaining states are SCTPS_IDLE and
4346 			 * SCTPS_BOUND, and we should not be getting here
4347 			 * for these.
4348 			 */
4349 			ASSERT(0);
4350 		} /* switch (sctp->sctp_state) */
4351 
4352 		ch = sctp_next_chunk(ch, &mlen);
4353 		if (ch != NULL && !sctp_check_input(sctp, ch, mlen, 0))
4354 			goto done;
4355 	} while (ch != NULL);
4356 
4357 	/* Finished processing all chunks in packet */
4358 
4359 nomorechunks:
4360 
4361 	if (shutdown_ack_needed)
4362 		sctp_send_shutdown_ack(sctp, fp, B_FALSE);
4363 
4364 	/* SACK if necessary */
4365 	if (gotdata) {
4366 		boolean_t sack_sent;
4367 
4368 		(sctp->sctp_sack_toggle)++;
4369 		sack_sent = sctp_sack(sctp, dups);
4370 		dups = NULL;
4371 
4372 		/* If a SACK is sent, no need to restart the timer. */
4373 		if (!sack_sent && !sctp->sctp_ack_timer_running) {
4374 			sctp->sctp_ack_timer_running = B_TRUE;
4375 			sctp_timer(sctp, sctp->sctp_ack_mp,
4376 			    MSEC_TO_TICK(sctps->sctps_deferred_ack_interval));
4377 		}
4378 	}
4379 
4380 	if (trysend) {
4381 		sctp_output(sctp, UINT_MAX);
4382 		if (sctp->sctp_cxmit_list != NULL)
4383 			sctp_wput_asconf(sctp, NULL);
4384 	}
4385 	/*
4386 	 * If there is unsent data, make sure a timer is running, check
4387 	 * timer_mp, if sctp_closei_local() ran the timers may be free.
4388 	 */
4389 	if (sctp->sctp_unsent > 0 && !sctp->sctp_current->sf_timer_running &&
4390 	    sctp->sctp_current->sf_timer_mp != NULL) {
4391 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
4392 		    sctp->sctp_current->sf_rto);
4393 	}
4394 
4395 done:
4396 	if (dups != NULL)
4397 		freeb(dups);
4398 	freemsg(mp);
4399 
4400 	if (sctp->sctp_err_chunks != NULL)
4401 		sctp_process_err(sctp);
4402 
4403 	if (wake_eager) {
4404 		/*
4405 		 * sctp points to newly created control block, need to
4406 		 * release it before exiting.
4407 		 */
4408 		WAKE_SCTP(sctp);
4409 	}
4410 }
4411 
4412 /*
4413  * Some amount of data got removed from ULP's receive queue and we can
4414  * push messages up if we are flow controlled before.  Reset the receive
4415  * window to full capacity (conn_rcvbuf) and check if we should send a
4416  * window update.
4417  */
4418 void
4419 sctp_recvd(sctp_t *sctp, int len)
4420 {
4421 	sctp_stack_t	*sctps = sctp->sctp_sctps;
4422 	conn_t		*connp = sctp->sctp_connp;
4423 	boolean_t	send_sack = B_FALSE;
4424 
4425 	ASSERT(sctp != NULL);
4426 	RUN_SCTP(sctp);
4427 
4428 	sctp->sctp_flowctrld = B_FALSE;
4429 	/* This is the amount of data queued in ULP. */
4430 	sctp->sctp_ulp_rxqueued = connp->conn_rcvbuf - len;
4431 
4432 	if (connp->conn_rcvbuf - sctp->sctp_arwnd >= sctp->sctp_mss)
4433 		send_sack = B_TRUE;
4434 	sctp->sctp_rwnd = connp->conn_rcvbuf;
4435 
4436 	if (sctp->sctp_state >= SCTPS_ESTABLISHED && send_sack) {
4437 		sctp->sctp_force_sack = 1;
4438 		SCTPS_BUMP_MIB(sctps, sctpOutWinUpdate);
4439 		(void) sctp_sack(sctp, NULL);
4440 	}
4441 	WAKE_SCTP(sctp);
4442 }
4443