xref: /illumos-gate/usr/src/uts/common/inet/sctp/sctp_input.c (revision 46b592853d0f4f11781b6b0a7533f267c6aee132)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/systm.h>
29 #include <sys/stream.h>
30 #include <sys/cmn_err.h>
31 #include <sys/kmem.h>
32 #define	_SUN_TPI_VERSION 2
33 #include <sys/tihdr.h>
34 #include <sys/socket.h>
35 #include <sys/strsun.h>
36 #include <sys/strsubr.h>
37 
38 #include <netinet/in.h>
39 #include <netinet/ip6.h>
40 #include <netinet/tcp_seq.h>
41 #include <netinet/sctp.h>
42 
43 #include <inet/common.h>
44 #include <inet/ip.h>
45 #include <inet/ip6.h>
46 #include <inet/mib2.h>
47 #include <inet/ipclassifier.h>
48 #include <inet/ipp_common.h>
49 #include <inet/ipsec_impl.h>
50 #include <inet/sctp_ip.h>
51 
52 #include "sctp_impl.h"
53 #include "sctp_asconf.h"
54 #include "sctp_addr.h"
55 
56 static struct kmem_cache *sctp_kmem_set_cache;
57 
58 /*
59  * PR-SCTP comments.
60  *
61  * When we get a valid Forward TSN chunk, we check the fragment list for this
62  * SSN and preceeding SSNs free all them. Further, if this Forward TSN causes
63  * the next expected SSN to be present in the stream queue, we deliver any
64  * such stranded messages upstream. We also update the SACK info. appropriately.
65  * When checking for advancing the cumulative ack (in sctp_cumack()) we must
66  * check for abandoned chunks and messages. While traversing the tramsmit
67  * list if we come across an abandoned chunk, we can skip the message (i.e.
68  * take it out of the (re)transmit list) since this message, and hence this
69  * chunk, has been marked abandoned by sctp_rexmit(). If we come across an
70  * unsent chunk for a message this now abandoned we need to check if a
71  * Forward TSN needs to be sent, this could be a case where we deferred sending
72  * a Forward TSN in sctp_get_msg_to_send(). Further, after processing a
73  * SACK we check if the Advanced peer ack point can be moved ahead, i.e.
74  * if we can send a Forward TSN via sctp_check_abandoned_data().
75  */
76 void
77 sctp_free_set(sctp_set_t *s)
78 {
79 	sctp_set_t *p;
80 
81 	while (s) {
82 		p = s->next;
83 		kmem_cache_free(sctp_kmem_set_cache, s);
84 		s = p;
85 	}
86 }
87 
88 static void
89 sctp_ack_add(sctp_set_t **head, uint32_t tsn, int *num)
90 {
91 	sctp_set_t *p, *t;
92 
93 	if (head == NULL || num == NULL)
94 		return;
95 
96 	ASSERT(*num >= 0);
97 	ASSERT((*num == 0 && *head == NULL) || (*num > 0 && *head != NULL));
98 
99 	if (*head == NULL) {
100 		*head = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
101 		if (*head == NULL)
102 			return;
103 		(*head)->prev = (*head)->next = NULL;
104 		(*head)->begin = tsn;
105 		(*head)->end = tsn;
106 		*num = 1;
107 		return;
108 	}
109 
110 	ASSERT((*head)->prev == NULL);
111 
112 	/*
113 	 * Handle this special case here so we don't have to check
114 	 * for it each time in the loop.
115 	 */
116 	if (SEQ_LT(tsn + 1, (*head)->begin)) {
117 		/* add a new set, and move the head pointer */
118 		t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
119 		if (t == NULL)
120 			return;
121 		t->next = *head;
122 		t->prev = NULL;
123 		(*head)->prev = t;
124 		t->begin = tsn;
125 		t->end = tsn;
126 		(*num)++;
127 		*head = t;
128 		return;
129 	}
130 
131 	/*
132 	 * We need to handle the following cases, where p points to
133 	 * the current set (as we walk through the loop):
134 	 *
135 	 * 1. tsn is entirely less than p; create a new set before p.
136 	 * 2. tsn borders p from less; coalesce p with tsn.
137 	 * 3. tsn is withing p; do nothing.
138 	 * 4. tsn borders p from greater; coalesce p with tsn.
139 	 * 4a. p may now border p->next from less; if so, coalesce those
140 	 *    two sets.
141 	 * 5. tsn is entirely greater then all sets; add a new set at
142 	 *    the end.
143 	 */
144 	for (p = *head; ; p = p->next) {
145 		if (SEQ_LT(tsn + 1, p->begin)) {
146 			/* 1: add a new set before p. */
147 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
148 			if (t == NULL)
149 				return;
150 			t->next = p;
151 			t->prev = NULL;
152 			t->begin = tsn;
153 			t->end = tsn;
154 			if (p->prev) {
155 				t->prev = p->prev;
156 				p->prev->next = t;
157 			}
158 			p->prev = t;
159 			(*num)++;
160 			return;
161 		}
162 
163 		if ((tsn + 1) == p->begin) {
164 			/* 2: adjust p->begin */
165 			p->begin = tsn;
166 			return;
167 		}
168 
169 		if (SEQ_GEQ(tsn, p->begin) && SEQ_LEQ(tsn, p->end)) {
170 			/* 3; do nothing */
171 			return;
172 		}
173 
174 		if ((p->end + 1) == tsn) {
175 			/* 4; adjust p->end */
176 			p->end = tsn;
177 
178 			if (p->next != NULL && (tsn + 1) == p->next->begin) {
179 				/* 4a: coalesce p and p->next */
180 				t = p->next;
181 				p->end = t->end;
182 				p->next = t->next;
183 				if (t->next != NULL)
184 					t->next->prev = p;
185 				kmem_cache_free(sctp_kmem_set_cache, t);
186 				(*num)--;
187 			}
188 			return;
189 		}
190 
191 		if (p->next == NULL) {
192 			/* 5: add new set at the end */
193 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
194 			if (t == NULL)
195 				return;
196 			t->next = NULL;
197 			t->prev = p;
198 			t->begin = tsn;
199 			t->end = tsn;
200 			p->next = t;
201 			(*num)++;
202 			return;
203 		}
204 
205 		if (SEQ_GT(tsn, p->end + 1))
206 			continue;
207 	}
208 }
209 
210 static void
211 sctp_ack_rem(sctp_set_t **head, uint32_t end, int *num)
212 {
213 	sctp_set_t *p, *t;
214 
215 	if (head == NULL || *head == NULL || num == NULL)
216 		return;
217 
218 	/* Nothing to remove */
219 	if (SEQ_LT(end, (*head)->begin))
220 		return;
221 
222 	/* Find out where to start removing sets */
223 	for (p = *head; p->next; p = p->next) {
224 		if (SEQ_LEQ(end, p->end))
225 			break;
226 	}
227 
228 	if (SEQ_LT(end, p->end) && SEQ_GEQ(end, p->begin)) {
229 		/* adjust p */
230 		p->begin = end + 1;
231 		/* all done */
232 		if (p == *head)
233 			return;
234 	} else if (SEQ_GEQ(end, p->end)) {
235 		/* remove this set too */
236 		p = p->next;
237 	}
238 
239 	/* unlink everything before this set */
240 	t = *head;
241 	*head = p;
242 	if (p != NULL && p->prev != NULL) {
243 		p->prev->next = NULL;
244 		p->prev = NULL;
245 	}
246 
247 	sctp_free_set(t);
248 
249 	/* recount the number of sets */
250 	*num = 0;
251 
252 	for (p = *head; p != NULL; p = p->next)
253 		(*num)++;
254 }
255 
256 void
257 sctp_sets_init()
258 {
259 	sctp_kmem_set_cache = kmem_cache_create("sctp_set_cache",
260 	    sizeof (sctp_set_t), 0, NULL, NULL, NULL, NULL,
261 	    NULL, 0);
262 }
263 
264 void
265 sctp_sets_fini()
266 {
267 	kmem_cache_destroy(sctp_kmem_set_cache);
268 }
269 
270 sctp_chunk_hdr_t *
271 sctp_first_chunk(uchar_t *rptr, ssize_t remaining)
272 {
273 	sctp_chunk_hdr_t *ch;
274 	uint16_t ch_len;
275 
276 	if (remaining < sizeof (*ch)) {
277 		return (NULL);
278 	}
279 
280 	ch = (sctp_chunk_hdr_t *)rptr;
281 	ch_len = ntohs(ch->sch_len);
282 
283 	if (ch_len < sizeof (*ch) || remaining < ch_len) {
284 		return (NULL);
285 	}
286 
287 	return (ch);
288 }
289 
290 sctp_chunk_hdr_t *
291 sctp_next_chunk(sctp_chunk_hdr_t *ch, ssize_t *remaining)
292 {
293 	int pad;
294 	uint16_t ch_len;
295 
296 	if (!ch) {
297 		return (NULL);
298 	}
299 
300 	ch_len = ntohs(ch->sch_len);
301 
302 	if ((pad = ch_len & (SCTP_ALIGN - 1)) != 0) {
303 		pad = SCTP_ALIGN - pad;
304 	}
305 
306 	*remaining -= (ch_len + pad);
307 	ch = (sctp_chunk_hdr_t *)((char *)ch + ch_len + pad);
308 
309 	return (sctp_first_chunk((uchar_t *)ch, *remaining));
310 }
311 
312 /*
313  * Attach ancillary data to a received SCTP segments.
314  * If the source address (fp) is not the primary, send up a
315  * unitdata_ind so recvfrom() can populate the msg_name field.
316  * If ancillary data is also requested, we append it to the
317  * unitdata_req. Otherwise, we just send up an optdata_ind.
318  */
319 static int
320 sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
321     sctp_faddr_t *fp, ip6_pkt_t *ipp)
322 {
323 	struct T_unitdata_ind	*tudi;
324 	int			optlen;
325 	int			hdrlen;
326 	uchar_t			*optptr;
327 	struct cmsghdr		*cmsg;
328 	mblk_t			*mp1;
329 	struct sockaddr_in6	sin_buf[1];
330 	struct sockaddr_in6	*sin6;
331 	struct sockaddr_in	*sin4;
332 	uint_t			addflag = 0;
333 
334 	sin4 = NULL;
335 	sin6 = NULL;
336 
337 	optlen = hdrlen = 0;
338 
339 	/* Figure out address size */
340 	if (sctp->sctp_ipversion == IPV4_VERSION) {
341 		sin4 = (struct sockaddr_in *)sin_buf;
342 		sin4->sin_family = AF_INET;
343 		sin4->sin_port = sctp->sctp_fport;
344 		IN6_V4MAPPED_TO_IPADDR(&fp->faddr, sin4->sin_addr.s_addr);
345 		hdrlen = sizeof (*tudi) + sizeof (*sin4);
346 	} else {
347 		sin6 = sin_buf;
348 		sin6->sin6_family = AF_INET6;
349 		sin6->sin6_port = sctp->sctp_fport;
350 		sin6->sin6_addr = fp->faddr;
351 		hdrlen = sizeof (*tudi) + sizeof (*sin6);
352 	}
353 
354 	/* If app asked to receive send / recv info */
355 	if (sctp->sctp_recvsndrcvinfo) {
356 		optlen += sizeof (*cmsg) + sizeof (struct sctp_sndrcvinfo);
357 		if (hdrlen == 0)
358 			hdrlen = sizeof (struct T_optdata_ind);
359 	}
360 
361 	if (sctp->sctp_ipv6_recvancillary == 0)
362 		goto noancillary;
363 
364 	if ((ipp->ipp_fields & IPPF_IFINDEX) &&
365 	    ipp->ipp_ifindex != sctp->sctp_recvifindex &&
366 	    (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVPKTINFO)) {
367 		optlen += sizeof (*cmsg) + sizeof (struct in6_pktinfo);
368 		if (hdrlen == 0)
369 			hdrlen = sizeof (struct T_unitdata_ind);
370 		addflag |= SCTP_IPV6_RECVPKTINFO;
371 	}
372 	/* If app asked for hoplimit and it has changed ... */
373 	if ((ipp->ipp_fields & IPPF_HOPLIMIT) &&
374 	    ipp->ipp_hoplimit != sctp->sctp_recvhops &&
375 	    (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPLIMIT)) {
376 		optlen += sizeof (*cmsg) + sizeof (uint_t);
377 		if (hdrlen == 0)
378 			hdrlen = sizeof (struct T_unitdata_ind);
379 		addflag |= SCTP_IPV6_RECVHOPLIMIT;
380 	}
381 	/* If app asked for hopbyhop headers and it has changed ... */
382 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPOPTS) &&
383 	    ip_cmpbuf(sctp->sctp_hopopts, sctp->sctp_hopoptslen,
384 	    (ipp->ipp_fields & IPPF_HOPOPTS),
385 	    ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
386 		optlen += sizeof (*cmsg) + ipp->ipp_hopoptslen -
387 		    sctp->sctp_v6label_len;
388 		if (hdrlen == 0)
389 			hdrlen = sizeof (struct T_unitdata_ind);
390 		addflag |= SCTP_IPV6_RECVHOPOPTS;
391 		if (!ip_allocbuf((void **)&sctp->sctp_hopopts,
392 		    &sctp->sctp_hopoptslen,
393 		    (ipp->ipp_fields & IPPF_HOPOPTS),
394 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
395 			return (-1);
396 	}
397 	/* If app asked for dst headers before routing headers ... */
398 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTDSTOPTS) &&
399 	    ip_cmpbuf(sctp->sctp_rtdstopts, sctp->sctp_rtdstoptslen,
400 	    (ipp->ipp_fields & IPPF_RTDSTOPTS),
401 	    ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen)) {
402 		optlen += sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
403 		if (hdrlen == 0)
404 			hdrlen = sizeof (struct T_unitdata_ind);
405 		addflag |= SCTP_IPV6_RECVRTDSTOPTS;
406 		if (!ip_allocbuf((void **)&sctp->sctp_rtdstopts,
407 		    &sctp->sctp_rtdstoptslen,
408 		    (ipp->ipp_fields & IPPF_RTDSTOPTS),
409 		    ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen))
410 			return (-1);
411 	}
412 	/* If app asked for routing headers and it has changed ... */
413 	if (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTHDR) {
414 		if (ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
415 		    (ipp->ipp_fields & IPPF_RTHDR),
416 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
417 			optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
418 			if (hdrlen == 0)
419 				hdrlen = sizeof (struct T_unitdata_ind);
420 			addflag |= SCTP_IPV6_RECVRTHDR;
421 			if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
422 			    &sctp->sctp_rthdrlen,
423 			    (ipp->ipp_fields & IPPF_RTHDR),
424 			    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
425 				return (-1);
426 		}
427 	}
428 	/* If app asked for dest headers and it has changed ... */
429 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVDSTOPTS) &&
430 	    ip_cmpbuf(sctp->sctp_dstopts, sctp->sctp_dstoptslen,
431 	    (ipp->ipp_fields & IPPF_DSTOPTS),
432 	    ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
433 		optlen += sizeof (*cmsg) + ipp->ipp_dstoptslen;
434 		if (hdrlen == 0)
435 			hdrlen = sizeof (struct T_unitdata_ind);
436 		addflag |= SCTP_IPV6_RECVDSTOPTS;
437 		if (!ip_allocbuf((void **)&sctp->sctp_dstopts,
438 		    &sctp->sctp_dstoptslen,
439 		    (ipp->ipp_fields & IPPF_DSTOPTS),
440 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
441 			return (-1);
442 	}
443 noancillary:
444 	/* Nothing to add */
445 	if (hdrlen == 0)
446 		return (-1);
447 
448 	mp1 = allocb(hdrlen + optlen + sizeof (void *), BPRI_MED);
449 	if (mp1 == NULL)
450 		return (-1);
451 	mp1->b_cont = *mp;
452 	*mp = mp1;
453 	mp1->b_rptr += sizeof (void *);  /* pointer worth of padding */
454 	mp1->b_wptr = mp1->b_rptr + hdrlen + optlen;
455 	DB_TYPE(mp1) = M_PROTO;
456 	tudi = (struct T_unitdata_ind *)mp1->b_rptr;
457 	tudi->PRIM_type = T_UNITDATA_IND;
458 	tudi->SRC_length = sin4 ? sizeof (*sin4) : sizeof (*sin6);
459 	tudi->SRC_offset = sizeof (*tudi);
460 	tudi->OPT_offset = sizeof (*tudi) + tudi->SRC_length;
461 	tudi->OPT_length = optlen;
462 	if (sin4) {
463 		bcopy(sin4, tudi + 1, sizeof (*sin4));
464 	} else {
465 		bcopy(sin6, tudi + 1, sizeof (*sin6));
466 	}
467 	optptr = (uchar_t *)tudi + tudi->OPT_offset;
468 
469 	if (sctp->sctp_recvsndrcvinfo) {
470 		/* XXX need backout method if memory allocation fails. */
471 		struct sctp_sndrcvinfo *sri;
472 
473 		cmsg = (struct cmsghdr *)optptr;
474 		cmsg->cmsg_level = IPPROTO_SCTP;
475 		cmsg->cmsg_type = SCTP_SNDRCV;
476 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*sri);
477 		optptr += sizeof (*cmsg);
478 
479 		sri = (struct sctp_sndrcvinfo *)(cmsg + 1);
480 		ASSERT(OK_32PTR(sri));
481 		sri->sinfo_stream = ntohs(dcp->sdh_sid);
482 		sri->sinfo_ssn = ntohs(dcp->sdh_ssn);
483 		if (SCTP_DATA_GET_UBIT(dcp)) {
484 			sri->sinfo_flags = MSG_UNORDERED;
485 		} else {
486 			sri->sinfo_flags = 0;
487 		}
488 		sri->sinfo_ppid = dcp->sdh_payload_id;
489 		sri->sinfo_context = 0;
490 		sri->sinfo_timetolive = 0;
491 		sri->sinfo_tsn = ntohl(dcp->sdh_tsn);
492 		sri->sinfo_cumtsn = sctp->sctp_ftsn;
493 		sri->sinfo_assoc_id = 0;
494 
495 		optptr += sizeof (*sri);
496 	}
497 
498 	/*
499 	 * If app asked for pktinfo and the index has changed ...
500 	 * Note that the local address never changes for the connection.
501 	 */
502 	if (addflag & SCTP_IPV6_RECVPKTINFO) {
503 		struct in6_pktinfo *pkti;
504 
505 		cmsg = (struct cmsghdr *)optptr;
506 		cmsg->cmsg_level = IPPROTO_IPV6;
507 		cmsg->cmsg_type = IPV6_PKTINFO;
508 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*pkti);
509 		optptr += sizeof (*cmsg);
510 
511 		pkti = (struct in6_pktinfo *)optptr;
512 		if (sctp->sctp_ipversion == IPV6_VERSION)
513 			pkti->ipi6_addr = sctp->sctp_ip6h->ip6_src;
514 		else
515 			IN6_IPADDR_TO_V4MAPPED(sctp->sctp_ipha->ipha_src,
516 			    &pkti->ipi6_addr);
517 		pkti->ipi6_ifindex = ipp->ipp_ifindex;
518 		optptr += sizeof (*pkti);
519 		ASSERT(OK_32PTR(optptr));
520 		/* Save as "last" value */
521 		sctp->sctp_recvifindex = ipp->ipp_ifindex;
522 	}
523 	/* If app asked for hoplimit and it has changed ... */
524 	if (addflag & SCTP_IPV6_RECVHOPLIMIT) {
525 		cmsg = (struct cmsghdr *)optptr;
526 		cmsg->cmsg_level = IPPROTO_IPV6;
527 		cmsg->cmsg_type = IPV6_HOPLIMIT;
528 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
529 		optptr += sizeof (*cmsg);
530 
531 		*(uint_t *)optptr = ipp->ipp_hoplimit;
532 		optptr += sizeof (uint_t);
533 		ASSERT(OK_32PTR(optptr));
534 		/* Save as "last" value */
535 		sctp->sctp_recvhops = ipp->ipp_hoplimit;
536 	}
537 	if (addflag & SCTP_IPV6_RECVHOPOPTS) {
538 		cmsg = (struct cmsghdr *)optptr;
539 		cmsg->cmsg_level = IPPROTO_IPV6;
540 		cmsg->cmsg_type = IPV6_HOPOPTS;
541 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_hopoptslen;
542 		optptr += sizeof (*cmsg);
543 
544 		bcopy(ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
545 		optptr += ipp->ipp_hopoptslen;
546 		ASSERT(OK_32PTR(optptr));
547 		/* Save as last value */
548 		ip_savebuf((void **)&sctp->sctp_hopopts,
549 		    &sctp->sctp_hopoptslen,
550 		    (ipp->ipp_fields & IPPF_HOPOPTS),
551 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
552 	}
553 	if (addflag & SCTP_IPV6_RECVRTDSTOPTS) {
554 		cmsg = (struct cmsghdr *)optptr;
555 		cmsg->cmsg_level = IPPROTO_IPV6;
556 		cmsg->cmsg_type = IPV6_RTHDRDSTOPTS;
557 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
558 		optptr += sizeof (*cmsg);
559 
560 		bcopy(ipp->ipp_rtdstopts, optptr, ipp->ipp_rtdstoptslen);
561 		optptr += ipp->ipp_rtdstoptslen;
562 		ASSERT(OK_32PTR(optptr));
563 		/* Save as last value */
564 		ip_savebuf((void **)&sctp->sctp_rtdstopts,
565 		    &sctp->sctp_rtdstoptslen,
566 		    (ipp->ipp_fields & IPPF_RTDSTOPTS),
567 		    ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen);
568 	}
569 	if (addflag & SCTP_IPV6_RECVRTHDR) {
570 		cmsg = (struct cmsghdr *)optptr;
571 		cmsg->cmsg_level = IPPROTO_IPV6;
572 		cmsg->cmsg_type = IPV6_RTHDR;
573 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrlen;
574 		optptr += sizeof (*cmsg);
575 
576 		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
577 		optptr += ipp->ipp_rthdrlen;
578 		ASSERT(OK_32PTR(optptr));
579 		/* Save as last value */
580 		ip_savebuf((void **)&sctp->sctp_rthdr,
581 		    &sctp->sctp_rthdrlen,
582 		    (ipp->ipp_fields & IPPF_RTHDR),
583 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
584 	}
585 	if (addflag & SCTP_IPV6_RECVDSTOPTS) {
586 		cmsg = (struct cmsghdr *)optptr;
587 		cmsg->cmsg_level = IPPROTO_IPV6;
588 		cmsg->cmsg_type = IPV6_DSTOPTS;
589 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_dstoptslen;
590 		optptr += sizeof (*cmsg);
591 
592 		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
593 		optptr += ipp->ipp_dstoptslen;
594 		ASSERT(OK_32PTR(optptr));
595 		/* Save as last value */
596 		ip_savebuf((void **)&sctp->sctp_dstopts,
597 		    &sctp->sctp_dstoptslen,
598 		    (ipp->ipp_fields & IPPF_DSTOPTS),
599 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
600 	}
601 
602 	ASSERT(optptr == mp1->b_wptr);
603 
604 	return (0);
605 }
606 
607 void
608 sctp_free_reass(sctp_instr_t *sip)
609 {
610 	mblk_t *mp, *mpnext, *mctl;
611 
612 	for (mp = sip->istr_reass; mp != NULL; mp = mpnext) {
613 		mpnext = mp->b_next;
614 		mp->b_next = NULL;
615 		mp->b_prev = NULL;
616 		if (DB_TYPE(mp) == M_CTL) {
617 			mctl = mp;
618 			ASSERT(mp->b_cont != NULL);
619 			mp = mp->b_cont;
620 			mctl->b_cont = NULL;
621 			freeb(mctl);
622 		}
623 		freemsg(mp);
624 	}
625 }
626 
627 /*
628  * If the series of data fragments of which dmp is a part is successfully
629  * reassembled, the first mblk in the series is returned. dc is adjusted
630  * to point at the data chunk in the lead mblk, and b_rptr also points to
631  * the data chunk; the following mblk's b_rptr's point at the actual payload.
632  *
633  * If the series is not yet reassembled, NULL is returned. dc is not changed.
634  * XXX should probably move this up into the state machine.
635  */
636 
637 /* Fragment list for un-ordered messages. Partial delivery is not supported */
638 static mblk_t *
639 sctp_uodata_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc)
640 {
641 	mblk_t		*hmp;
642 	mblk_t		*begin = NULL;
643 	mblk_t		*end = NULL;
644 	sctp_data_hdr_t	*qdc;
645 	uint32_t	ntsn;
646 	uint32_t	tsn = ntohl((*dc)->sdh_tsn);
647 #ifdef	DEBUG
648 	mblk_t		*mp1;
649 #endif
650 
651 	/* First frag. */
652 	if (sctp->sctp_uo_frags == NULL) {
653 		sctp->sctp_uo_frags = dmp;
654 		return (NULL);
655 	}
656 	hmp = sctp->sctp_uo_frags;
657 	/*
658 	 * Insert the segment according to the TSN, fragmented unordered
659 	 * chunks are sequenced by TSN.
660 	 */
661 	while (hmp != NULL) {
662 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
663 		ntsn = ntohl(qdc->sdh_tsn);
664 		if (SEQ_GT(ntsn, tsn)) {
665 			if (hmp->b_prev == NULL) {
666 				dmp->b_next = hmp;
667 				hmp->b_prev = dmp;
668 				sctp->sctp_uo_frags = dmp;
669 			} else {
670 				dmp->b_next = hmp;
671 				dmp->b_prev = hmp->b_prev;
672 				hmp->b_prev->b_next = dmp;
673 				hmp->b_prev = dmp;
674 			}
675 			break;
676 		}
677 		if (hmp->b_next == NULL) {
678 			hmp->b_next = dmp;
679 			dmp->b_prev = hmp;
680 			break;
681 		}
682 		hmp = hmp->b_next;
683 	}
684 	/* check if we completed a msg */
685 	if (SCTP_DATA_GET_BBIT(*dc)) {
686 		begin = dmp;
687 	} else if (SCTP_DATA_GET_EBIT(*dc)) {
688 		end = dmp;
689 	}
690 	/*
691 	 * We walk consecutive TSNs backwards till we get a seg. with
692 	 * the B bit
693 	 */
694 	if (begin == NULL) {
695 		for (hmp = dmp->b_prev; hmp != NULL; hmp = hmp->b_prev) {
696 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
697 			ntsn = ntohl(qdc->sdh_tsn);
698 			if ((int32_t)(tsn - ntsn) > 1) {
699 				return (NULL);
700 			}
701 			if (SCTP_DATA_GET_BBIT(qdc)) {
702 				begin = hmp;
703 				break;
704 			}
705 			tsn = ntsn;
706 		}
707 	}
708 	tsn = ntohl((*dc)->sdh_tsn);
709 	/*
710 	 * We walk consecutive TSNs till we get a seg. with the E bit
711 	 */
712 	if (end == NULL) {
713 		for (hmp = dmp->b_next; hmp != NULL; hmp = hmp->b_next) {
714 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
715 			ntsn = ntohl(qdc->sdh_tsn);
716 			if ((int32_t)(ntsn - tsn) > 1) {
717 				return (NULL);
718 			}
719 			if (SCTP_DATA_GET_EBIT(qdc)) {
720 				end = hmp;
721 				break;
722 			}
723 			tsn = ntsn;
724 		}
725 	}
726 	if (begin == NULL || end == NULL) {
727 		return (NULL);
728 	}
729 	/* Got one!, Remove the msg from the list */
730 	if (sctp->sctp_uo_frags == begin) {
731 		ASSERT(begin->b_prev == NULL);
732 		sctp->sctp_uo_frags = end->b_next;
733 		if (end->b_next != NULL)
734 			end->b_next->b_prev = NULL;
735 	} else {
736 		begin->b_prev->b_next = end->b_next;
737 		if (end->b_next != NULL)
738 			end->b_next->b_prev = begin->b_prev;
739 	}
740 	begin->b_prev = NULL;
741 	end->b_next = NULL;
742 
743 	/*
744 	 * Null out b_next and b_prev and chain using b_cont.
745 	 */
746 	dmp = end = begin;
747 	hmp = begin->b_next;
748 	*dc = (sctp_data_hdr_t *)begin->b_rptr;
749 	begin->b_next = NULL;
750 	while (hmp != NULL) {
751 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
752 		hmp->b_rptr = (uchar_t *)(qdc + 1);
753 		end = hmp->b_next;
754 		dmp->b_cont = hmp;
755 		dmp = hmp;
756 
757 		if (end != NULL)
758 			hmp->b_next = NULL;
759 		hmp->b_prev = NULL;
760 		hmp = end;
761 	}
762 	BUMP_LOCAL(sctp->sctp_reassmsgs);
763 #ifdef	DEBUG
764 	mp1 = begin;
765 	while (mp1 != NULL) {
766 		ASSERT(mp1->b_next == NULL);
767 		ASSERT(mp1->b_prev == NULL);
768 		mp1 = mp1->b_cont;
769 	}
770 #endif
771 	return (begin);
772 }
773 
774 /*
775  * Try partial delivery.
776  */
777 static mblk_t *
778 sctp_try_partial_delivery(sctp_t *sctp, mblk_t *hmp, sctp_reass_t *srp,
779     sctp_data_hdr_t **dc)
780 {
781 	mblk_t		*first_mp;
782 	mblk_t		*mp;
783 	mblk_t		*dmp;
784 	mblk_t		*qmp;
785 	mblk_t		*prev;
786 	sctp_data_hdr_t	*qdc;
787 	uint32_t	tsn;
788 
789 	ASSERT(DB_TYPE(hmp) == M_CTL);
790 
791 	dprint(4, ("trypartial: got=%d, needed=%d\n",
792 	    (int)(srp->got), (int)(srp->needed)));
793 
794 	first_mp = hmp->b_cont;
795 	mp = first_mp;
796 	qdc = (sctp_data_hdr_t *)mp->b_rptr;
797 
798 	ASSERT(SCTP_DATA_GET_BBIT(qdc) && srp->hasBchunk);
799 
800 	tsn = ntohl(qdc->sdh_tsn) + 1;
801 
802 	/*
803 	 * This loop has two exit conditions: the
804 	 * end of received chunks has been reached, or
805 	 * there is a break in the sequence. We want
806 	 * to chop the reassembly list as follows (the
807 	 * numbers are TSNs):
808 	 *   10 -> 11 -> 	(end of chunks)
809 	 *   10 -> 11 -> | 13   (break in sequence)
810 	 */
811 	prev = mp;
812 	mp = mp->b_cont;
813 	while (mp != NULL) {
814 		qdc = (sctp_data_hdr_t *)mp->b_rptr;
815 		if (ntohl(qdc->sdh_tsn) != tsn)
816 			break;
817 		prev = mp;
818 		mp = mp->b_cont;
819 		tsn++;
820 	}
821 	/*
822 	 * We are sending all the fragments upstream, we have to retain
823 	 * the srp info for further fragments.
824 	 */
825 	if (mp == NULL) {
826 		dmp = hmp->b_cont;
827 		hmp->b_cont = NULL;
828 		srp->nexttsn = tsn;
829 		srp->msglen = 0;
830 		srp->needed = 0;
831 		srp->got = 0;
832 		srp->partial_delivered = B_TRUE;
833 		srp->tail = NULL;
834 	} else {
835 		dmp = hmp->b_cont;
836 		hmp->b_cont = mp;
837 	}
838 	srp->hasBchunk = B_FALSE;
839 	/*
840 	 * mp now points at the last chunk in the sequence,
841 	 * and prev points to mp's previous in the list.
842 	 * We chop the list at prev, and convert mp into the
843 	 * new list head by setting the B bit. Subsequence
844 	 * fragment deliveries will follow the normal reassembly
845 	 * path.
846 	 */
847 	prev->b_cont = NULL;
848 	srp->partial_delivered = B_TRUE;
849 
850 	dprint(4, ("trypartial: got some, got=%d, needed=%d\n",
851 	    (int)(srp->got), (int)(srp->needed)));
852 
853 	/*
854 	 * Adjust all mblk's except the lead so their rptr's point to the
855 	 * payload. sctp_data_chunk() will need to process the lead's
856 	 * data chunk section, so leave it's rptr pointing at the data chunk.
857 	 */
858 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
859 	if (srp->tail != NULL) {
860 		srp->got--;
861 		ASSERT(srp->got != 0);
862 		if (srp->needed != 0) {
863 			srp->needed--;
864 			ASSERT(srp->needed != 0);
865 		}
866 		srp->msglen -= ntohs((*dc)->sdh_len);
867 	}
868 	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
869 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
870 		qmp->b_rptr = (uchar_t *)(qdc + 1);
871 
872 		/*
873 		 * Deduct the balance from got and needed here, now that
874 		 * we know we are actually delivering these data.
875 		 */
876 		if (srp->tail != NULL) {
877 			srp->got--;
878 			ASSERT(srp->got != 0);
879 			if (srp->needed != 0) {
880 				srp->needed--;
881 				ASSERT(srp->needed != 0);
882 			}
883 			srp->msglen -= ntohs(qdc->sdh_len);
884 		}
885 	}
886 	ASSERT(srp->msglen == 0);
887 	BUMP_LOCAL(sctp->sctp_reassmsgs);
888 
889 	return (dmp);
890 }
891 
892 /*
893  * Fragment list for ordered messages.
894  * If no error occures, error is set to 0. If we run out of memory, error
895  * is set to 1. If the peer commits a fatal error (like using different
896  * sequence numbers for the same data fragment series), the association is
897  * aborted and error is set to 2. tpfinished indicates whether we have
898  * assembled a complete message, this is used in sctp_data_chunk() to
899  * see if we can try to send any queued message for this stream.
900  */
901 static mblk_t *
902 sctp_data_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc, int *error,
903     sctp_instr_t *sip, boolean_t *tpfinished)
904 {
905 	mblk_t		*hmp;
906 	mblk_t		*pmp;
907 	mblk_t		*qmp;
908 	mblk_t		*first_mp;
909 	sctp_reass_t	*srp;
910 	sctp_data_hdr_t	*qdc;
911 	sctp_data_hdr_t	*bdc;
912 	sctp_data_hdr_t	*edc;
913 	uint32_t	tsn;
914 	uint16_t	fraglen = 0;
915 
916 	*error = 0;
917 
918 	/* find the reassembly queue for this data chunk */
919 	hmp = qmp = sip->istr_reass;
920 	for (; hmp != NULL; hmp = hmp->b_next) {
921 		srp = (sctp_reass_t *)DB_BASE(hmp);
922 		if (ntohs((*dc)->sdh_ssn) == srp->ssn)
923 			goto foundit;
924 		else if (SSN_GT(srp->ssn, ntohs((*dc)->sdh_ssn)))
925 			break;
926 		qmp = hmp;
927 	}
928 
929 	/*
930 	 * Allocate a M_CTL that will contain information about this
931 	 * fragmented message.
932 	 */
933 	if ((pmp = allocb(sizeof (*srp), BPRI_MED)) == NULL) {
934 		*error = 1;
935 		return (NULL);
936 	}
937 	DB_TYPE(pmp) = M_CTL;
938 	srp = (sctp_reass_t *)DB_BASE(pmp);
939 	pmp->b_cont = dmp;
940 
941 	if (hmp != NULL) {
942 		if (sip->istr_reass == hmp) {
943 			sip->istr_reass = pmp;
944 			pmp->b_next = hmp;
945 			pmp->b_prev = NULL;
946 			hmp->b_prev = pmp;
947 		} else {
948 			qmp->b_next = pmp;
949 			pmp->b_prev = qmp;
950 			pmp->b_next = hmp;
951 			hmp->b_prev = pmp;
952 		}
953 	} else {
954 		/* make a new reass head and stick it on the end */
955 		if (sip->istr_reass == NULL) {
956 			sip->istr_reass = pmp;
957 			pmp->b_prev = NULL;
958 		} else {
959 			qmp->b_next = pmp;
960 			pmp->b_prev = qmp;
961 		}
962 		pmp->b_next = NULL;
963 	}
964 	srp->partial_delivered = B_FALSE;
965 	srp->ssn = ntohs((*dc)->sdh_ssn);
966 empty_srp:
967 	srp->needed = 0;
968 	srp->got = 1;
969 	srp->tail = dmp;
970 	if (SCTP_DATA_GET_BBIT(*dc)) {
971 		srp->msglen = ntohs((*dc)->sdh_len);
972 		srp->nexttsn = ntohl((*dc)->sdh_tsn) + 1;
973 		srp->hasBchunk = B_TRUE;
974 	} else if (srp->partial_delivered &&
975 	    srp->nexttsn == ntohl((*dc)->sdh_tsn)) {
976 		SCTP_DATA_SET_BBIT(*dc);
977 		/* Last fragment */
978 		if (SCTP_DATA_GET_EBIT(*dc)) {
979 			srp->needed = 1;
980 			goto frag_done;
981 		}
982 		srp->hasBchunk = B_TRUE;
983 		srp->msglen = ntohs((*dc)->sdh_len);
984 		srp->nexttsn++;
985 	}
986 	return (NULL);
987 foundit:
988 	/*
989 	 * else already have a reassembly queue. Insert the new data chunk
990 	 * in the reassemble queue. Try the tail first, on the assumption
991 	 * that the fragments are coming in in order.
992 	 */
993 	qmp = srp->tail;
994 
995 	/*
996 	 * This means the message was partially delivered.
997 	 */
998 	if (qmp == NULL) {
999 		ASSERT(srp->got == 0 && srp->needed == 0 &&
1000 		    srp->partial_delivered);
1001 		ASSERT(hmp->b_cont == NULL);
1002 		hmp->b_cont = dmp;
1003 		goto empty_srp;
1004 	}
1005 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1006 	ASSERT(qmp->b_cont == NULL);
1007 
1008 	/* XXXIs it fine to do this just here? */
1009 	if ((*dc)->sdh_sid != qdc->sdh_sid) {
1010 		/* our peer is fatally confused; XXX abort the assc */
1011 		*error = 2;
1012 		return (NULL);
1013 	}
1014 	if (SEQ_GT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1015 		qmp->b_cont = dmp;
1016 		srp->tail = dmp;
1017 		dmp->b_cont = NULL;
1018 		if (srp->hasBchunk && srp->nexttsn == ntohl((*dc)->sdh_tsn)) {
1019 			srp->msglen += ntohs((*dc)->sdh_len);
1020 			srp->nexttsn++;
1021 		}
1022 		goto inserted;
1023 	}
1024 
1025 	/* Next check for insertion at the beginning */
1026 	qmp = hmp->b_cont;
1027 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1028 	if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1029 		dmp->b_cont = qmp;
1030 		hmp->b_cont = dmp;
1031 		if (SCTP_DATA_GET_BBIT(*dc)) {
1032 			srp->hasBchunk = B_TRUE;
1033 			srp->nexttsn = ntohl((*dc)->sdh_tsn);
1034 		}
1035 		goto preinserted;
1036 	}
1037 
1038 	/* Insert somewhere in the middle */
1039 	for (;;) {
1040 		/* Tail check above should have caught this */
1041 		ASSERT(qmp->b_cont != NULL);
1042 
1043 		qdc = (sctp_data_hdr_t *)qmp->b_cont->b_rptr;
1044 		if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1045 			/* insert here */
1046 			dmp->b_cont = qmp->b_cont;
1047 			qmp->b_cont = dmp;
1048 			break;
1049 		}
1050 		qmp = qmp->b_cont;
1051 	}
1052 preinserted:
1053 	if (!srp->hasBchunk || ntohl((*dc)->sdh_tsn) != srp->nexttsn)
1054 		goto inserted;
1055 	/*
1056 	 * fraglen contains the length of consecutive chunks of fragments.
1057 	 * starting from the chunk inserted recently.
1058 	 */
1059 	tsn = srp->nexttsn;
1060 	for (qmp = dmp; qmp != NULL; qmp = qmp->b_cont) {
1061 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1062 		if (tsn != ntohl(qdc->sdh_tsn))
1063 			break;
1064 		fraglen += ntohs(qdc->sdh_len);
1065 		tsn++;
1066 	}
1067 	srp->nexttsn = tsn;
1068 	srp->msglen += fraglen;
1069 inserted:
1070 	srp->got++;
1071 	first_mp = hmp->b_cont;
1072 	if (srp->needed == 0) {
1073 		/* check if we have the first and last fragments */
1074 		bdc = (sctp_data_hdr_t *)first_mp->b_rptr;
1075 		edc = (sctp_data_hdr_t *)srp->tail->b_rptr;
1076 
1077 		/* calculate how many fragments are needed, if possible  */
1078 		if (SCTP_DATA_GET_BBIT(bdc) && SCTP_DATA_GET_EBIT(edc)) {
1079 			srp->needed = ntohl(edc->sdh_tsn) -
1080 			    ntohl(bdc->sdh_tsn) + 1;
1081 		}
1082 	}
1083 
1084 	/*
1085 	 * Try partial delivery if the message length has exceeded the
1086 	 * partial delivery point. Only do this if we can immediately
1087 	 * deliver the partially assembled message, and only partially
1088 	 * deliver one message at a time (i.e. messages cannot be
1089 	 * intermixed arriving at the upper layer). A simple way to
1090 	 * enforce this is to only try partial delivery if this TSN is
1091 	 * the next expected TSN. Partial Delivery not supported
1092 	 * for un-ordered message.
1093 	 */
1094 	if (srp->needed != srp->got) {
1095 		dmp = NULL;
1096 		if (ntohl((*dc)->sdh_tsn) == sctp->sctp_ftsn &&
1097 		    srp->msglen >= sctp->sctp_pd_point) {
1098 			dmp = sctp_try_partial_delivery(sctp, hmp, srp, dc);
1099 			*tpfinished = B_FALSE;
1100 		}
1101 		return (dmp);
1102 	}
1103 frag_done:
1104 	/*
1105 	 * else reassembly done; prepare the data for delivery.
1106 	 * First unlink hmp from the ssn list.
1107 	 */
1108 	if (sip->istr_reass == hmp) {
1109 		sip->istr_reass = hmp->b_next;
1110 		if (hmp->b_next)
1111 			hmp->b_next->b_prev = NULL;
1112 	} else {
1113 		ASSERT(hmp->b_prev != NULL);
1114 		hmp->b_prev->b_next = hmp->b_next;
1115 		if (hmp->b_next)
1116 			hmp->b_next->b_prev = hmp->b_prev;
1117 	}
1118 
1119 	/*
1120 	 * Using b_prev and b_next was a little sinful, but OK since
1121 	 * this mblk is never put*'d. However, freeb() will still
1122 	 * ASSERT that they are unused, so we need to NULL them out now.
1123 	 */
1124 	hmp->b_next = NULL;
1125 	hmp->b_prev = NULL;
1126 	dmp = hmp;
1127 	dmp = dmp->b_cont;
1128 	hmp->b_cont = NULL;
1129 	freeb(hmp);
1130 	*tpfinished = B_TRUE;
1131 
1132 	/*
1133 	 * Adjust all mblk's except the lead so their rptr's point to the
1134 	 * payload. sctp_data_chunk() will need to process the lead's
1135 	 * data chunk section, so leave it's rptr pointing at the data chunk.
1136 	 */
1137 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
1138 	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
1139 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1140 		qmp->b_rptr = (uchar_t *)(qdc + 1);
1141 	}
1142 	BUMP_LOCAL(sctp->sctp_reassmsgs);
1143 
1144 	return (dmp);
1145 }
1146 static void
1147 sctp_add_dup(uint32_t tsn, mblk_t **dups)
1148 {
1149 	mblk_t *mp;
1150 	size_t bsize = SCTP_DUP_MBLK_SZ * sizeof (tsn);
1151 
1152 	if (dups == NULL) {
1153 		return;
1154 	}
1155 
1156 	/* first time? */
1157 	if (*dups == NULL) {
1158 		*dups = allocb(bsize, BPRI_MED);
1159 		if (*dups == NULL) {
1160 			return;
1161 		}
1162 	}
1163 
1164 	mp = *dups;
1165 	if ((mp->b_wptr - mp->b_rptr) >= bsize) {
1166 		/* maximum reached */
1167 		return;
1168 	}
1169 
1170 	/* add the duplicate tsn */
1171 	bcopy(&tsn, mp->b_wptr, sizeof (tsn));
1172 	mp->b_wptr += sizeof (tsn);
1173 	ASSERT((mp->b_wptr - mp->b_rptr) <= bsize);
1174 }
1175 
1176 static void
1177 sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
1178     sctp_faddr_t *fp, ip6_pkt_t *ipp)
1179 {
1180 	sctp_data_hdr_t *dc;
1181 	mblk_t *dmp, *pmp;
1182 	sctp_instr_t *instr;
1183 	int ubit;
1184 	int isfrag;
1185 	uint16_t ssn;
1186 	uint32_t oftsn;
1187 	boolean_t can_deliver = B_TRUE;
1188 	uint32_t tsn;
1189 	int dlen;
1190 	boolean_t tpfinished = B_TRUE;
1191 	int32_t new_rwnd;
1192 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1193 	int	error;
1194 
1195 	/* The following are used multiple times, so we inline them */
1196 #define	SCTP_ACK_IT(sctp, tsn)						\
1197 	if (tsn == sctp->sctp_ftsn) {					\
1198 		dprint(2, ("data_chunk: acking next %x\n", tsn));	\
1199 		(sctp)->sctp_ftsn++;					\
1200 		if ((sctp)->sctp_sack_gaps > 0)				\
1201 			(sctp)->sctp_force_sack = 1;			\
1202 	} else if (SEQ_GT(tsn, sctp->sctp_ftsn)) {			\
1203 		/* Got a gap; record it */				\
1204 		BUMP_LOCAL(sctp->sctp_outseqtsns);			\
1205 		dprint(2, ("data_chunk: acking gap %x\n", tsn));	\
1206 		sctp_ack_add(&sctp->sctp_sack_info, tsn,		\
1207 		    &sctp->sctp_sack_gaps);				\
1208 		sctp->sctp_force_sack = 1;				\
1209 	}
1210 
1211 	dmp = NULL;
1212 
1213 	dc = (sctp_data_hdr_t *)ch;
1214 	tsn = ntohl(dc->sdh_tsn);
1215 
1216 	dprint(3, ("sctp_data_chunk: mp=%p tsn=%x\n", (void *)mp, tsn));
1217 
1218 	/* Check for duplicates */
1219 	if (SEQ_LT(tsn, sctp->sctp_ftsn)) {
1220 		dprint(4, ("sctp_data_chunk: dropping duplicate\n"));
1221 		BUMP_LOCAL(sctp->sctp_idupchunks);
1222 		sctp->sctp_force_sack = 1;
1223 		sctp_add_dup(dc->sdh_tsn, dups);
1224 		return;
1225 	}
1226 
1227 	if (sctp->sctp_sack_info != NULL) {
1228 		sctp_set_t *sp;
1229 
1230 		for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1231 			if (SEQ_GEQ(tsn, sp->begin) && SEQ_LEQ(tsn, sp->end)) {
1232 				dprint(4,
1233 				    ("sctp_data_chunk: dropping dup > "
1234 				    "cumtsn\n"));
1235 				BUMP_LOCAL(sctp->sctp_idupchunks);
1236 				sctp->sctp_force_sack = 1;
1237 				sctp_add_dup(dc->sdh_tsn, dups);
1238 				return;
1239 			}
1240 		}
1241 	}
1242 
1243 	/* We cannot deliver anything up now but we still need to handle it. */
1244 	if (SCTP_IS_DETACHED(sctp)) {
1245 		BUMP_MIB(&sctps->sctps_mib, sctpInClosed);
1246 		can_deliver = B_FALSE;
1247 	}
1248 
1249 	dlen = ntohs(dc->sdh_len) - sizeof (*dc);
1250 
1251 	/*
1252 	 * Check for buffer space. Note if this is the next expected TSN
1253 	 * we have to take it to avoid deadlock because we cannot deliver
1254 	 * later queued TSNs and thus clear buffer space without it.
1255 	 * We drop anything that is purely zero window probe data here.
1256 	 */
1257 	if ((sctp->sctp_rwnd - sctp->sctp_rxqueued < dlen) &&
1258 	    (tsn != sctp->sctp_ftsn || sctp->sctp_rwnd == 0)) {
1259 		/* Drop and SACK, but don't advance the cumulative TSN. */
1260 		sctp->sctp_force_sack = 1;
1261 		dprint(0, ("sctp_data_chunk: exceed rwnd %d rxqueued %d "
1262 		    "dlen %d ssn %d tsn %x\n", sctp->sctp_rwnd,
1263 		    sctp->sctp_rxqueued, dlen, ntohs(dc->sdh_ssn),
1264 		    ntohl(dc->sdh_tsn)));
1265 		return;
1266 	}
1267 
1268 	if (ntohs(dc->sdh_sid) >= sctp->sctp_num_istr) {
1269 		sctp_bsc_t	inval_parm;
1270 
1271 		/* Will populate the CAUSE block in the ERROR chunk. */
1272 		inval_parm.bsc_sid = dc->sdh_sid;
1273 		/* RESERVED, ignored at the receiving end */
1274 		inval_parm.bsc_pad = 0;
1275 
1276 		/* ack and drop it */
1277 		sctp_add_err(sctp, SCTP_ERR_BAD_SID, (void *)&inval_parm,
1278 		    sizeof (sctp_bsc_t), fp);
1279 		SCTP_ACK_IT(sctp, tsn);
1280 		return;
1281 	}
1282 
1283 	ubit = SCTP_DATA_GET_UBIT(dc);
1284 	ASSERT(sctp->sctp_instr != NULL);
1285 	instr = &sctp->sctp_instr[ntohs(dc->sdh_sid)];
1286 	/* Initialize the stream, if not yet used */
1287 	if (instr->sctp == NULL)
1288 		instr->sctp = sctp;
1289 
1290 	isfrag = !(SCTP_DATA_GET_BBIT(dc) && SCTP_DATA_GET_EBIT(dc));
1291 	ssn = ntohs(dc->sdh_ssn);
1292 
1293 	dmp = dupb(mp);
1294 	if (dmp == NULL) {
1295 		/* drop it and don't ack it, causing the peer to retransmit */
1296 		return;
1297 	}
1298 	dmp->b_wptr = (uchar_t *)ch + ntohs(ch->sch_len);
1299 
1300 	sctp->sctp_rxqueued += dlen;
1301 
1302 	oftsn = sctp->sctp_ftsn;
1303 
1304 	if (isfrag) {
1305 
1306 		error = 0;
1307 		/* fragmented data chunk */
1308 		dmp->b_rptr = (uchar_t *)dc;
1309 		if (ubit) {
1310 			dmp = sctp_uodata_frag(sctp, dmp, &dc);
1311 #if	DEBUG
1312 			if (dmp != NULL) {
1313 				ASSERT(instr ==
1314 				    &sctp->sctp_instr[ntohs(dc->sdh_sid)]);
1315 			}
1316 #endif
1317 		} else {
1318 			dmp = sctp_data_frag(sctp, dmp, &dc, &error, instr,
1319 			    &tpfinished);
1320 		}
1321 		if (error != 0) {
1322 			sctp->sctp_rxqueued -= dlen;
1323 			if (error == 1) {
1324 				/*
1325 				 * out of memory; don't ack it so
1326 				 * the peer retransmits
1327 				 */
1328 				return;
1329 			} else if (error == 2) {
1330 				/*
1331 				 * fatal error (i.e. peer used different
1332 				 * ssn's for same fragmented data) --
1333 				 * the association has been aborted.
1334 				 * XXX need to return errval so state
1335 				 * machine can also abort processing.
1336 				 */
1337 				dprint(0, ("error 2: must not happen!\n"));
1338 				return;
1339 			}
1340 		}
1341 
1342 		if (dmp == NULL) {
1343 			/*
1344 			 * Can't process this data now, but the cumulative
1345 			 * TSN may be advanced, so do the checks at done.
1346 			 */
1347 			SCTP_ACK_IT(sctp, tsn);
1348 			goto done;
1349 		}
1350 	}
1351 
1352 	/*
1353 	 * Insert complete messages in correct order for ordered delivery.
1354 	 * tpfinished is true when the incoming chunk contains a complete
1355 	 * message or is the final missing fragment which completed a message.
1356 	 */
1357 	if (!ubit && tpfinished && ssn != instr->nextseq) {
1358 		/* Adjust rptr to point at the data chunk for compares */
1359 		dmp->b_rptr = (uchar_t *)dc;
1360 
1361 		dprint(2,
1362 		    ("data_chunk: inserted %x in pq (ssn %d expected %d)\n",
1363 		    ntohl(dc->sdh_tsn), (int)(ssn), (int)(instr->nextseq)));
1364 
1365 		if (instr->istr_msgs == NULL) {
1366 			instr->istr_msgs = dmp;
1367 			ASSERT(dmp->b_prev == NULL && dmp->b_next == NULL);
1368 		} else {
1369 			mblk_t			*imblk = instr->istr_msgs;
1370 			sctp_data_hdr_t		*idc;
1371 
1372 			/*
1373 			 * XXXNeed to take sequence wraps into account,
1374 			 * ... and a more efficient insertion algo.
1375 			 */
1376 			for (;;) {
1377 				idc = (sctp_data_hdr_t *)imblk->b_rptr;
1378 				if (SSN_GT(ntohs(idc->sdh_ssn),
1379 				    ntohs(dc->sdh_ssn))) {
1380 					if (instr->istr_msgs == imblk) {
1381 						instr->istr_msgs = dmp;
1382 						dmp->b_next = imblk;
1383 						imblk->b_prev = dmp;
1384 					} else {
1385 						ASSERT(imblk->b_prev != NULL);
1386 						imblk->b_prev->b_next = dmp;
1387 						dmp->b_prev = imblk->b_prev;
1388 						imblk->b_prev = dmp;
1389 						dmp->b_next = imblk;
1390 					}
1391 					break;
1392 				}
1393 				if (imblk->b_next == NULL) {
1394 					imblk->b_next = dmp;
1395 					dmp->b_prev = imblk;
1396 					break;
1397 				}
1398 				imblk = imblk->b_next;
1399 			}
1400 		}
1401 		(instr->istr_nmsgs)++;
1402 		(sctp->sctp_istr_nmsgs)++;
1403 		SCTP_ACK_IT(sctp, tsn);
1404 		return;
1405 	}
1406 
1407 	/*
1408 	 * Else we can deliver the data directly. Recalculate
1409 	 * dlen now since we may have reassembled data.
1410 	 */
1411 	dlen = dmp->b_wptr - (uchar_t *)dc - sizeof (*dc);
1412 	for (pmp = dmp->b_cont; pmp != NULL; pmp = pmp->b_cont)
1413 		dlen += MBLKL(pmp);
1414 	ASSERT(sctp->sctp_rxqueued >= dlen);
1415 
1416 	/* Deliver the message. */
1417 	sctp->sctp_rxqueued -= dlen;
1418 
1419 	if (can_deliver) {
1420 
1421 		dmp->b_rptr = (uchar_t *)(dc + 1);
1422 		if (sctp_input_add_ancillary(sctp, &dmp, dc, fp, ipp) == 0) {
1423 			dprint(1, ("sctp_data_chunk: delivering %lu bytes\n",
1424 			    msgdsize(dmp)));
1425 			sctp->sctp_rwnd -= dlen;
1426 			/*
1427 			 * Override b_flag for SCTP sockfs internal use
1428 			 */
1429 			dmp->b_flag = tpfinished ? 0 : SCTP_PARTIAL_DATA;
1430 			new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
1431 			    msgdsize(dmp), 0, &error, NULL);
1432 			/*
1433 			 * Since we always deliver the next TSN data chunk,
1434 			 * we may buffer a little more than allowed. In
1435 			 * that case, just mark the window as 0.
1436 			 */
1437 			if (new_rwnd < 0)
1438 				sctp->sctp_rwnd = 0;
1439 			else if (new_rwnd > sctp->sctp_rwnd)
1440 				sctp->sctp_rwnd = new_rwnd;
1441 			SCTP_ACK_IT(sctp, tsn);
1442 		} else {
1443 			/* Just free the message if we don't have memory. */
1444 			freemsg(dmp);
1445 			return;
1446 		}
1447 	} else {
1448 		/* About to free the data */
1449 		freemsg(dmp);
1450 		SCTP_ACK_IT(sctp, tsn);
1451 	}
1452 
1453 	/*
1454 	 * data, now enqueued, may already have been processed and free'd
1455 	 * by the ULP (or we may have just freed it above, if we could not
1456 	 * deliver it), so we must not reference it (this is why we kept
1457 	 * the ssn and ubit above).
1458 	 */
1459 	if (ubit != 0) {
1460 		BUMP_LOCAL(sctp->sctp_iudchunks);
1461 		goto done;
1462 	}
1463 	BUMP_LOCAL(sctp->sctp_idchunks);
1464 
1465 	/*
1466 	 * If there was a partial delivery and it has not finished,
1467 	 * don't pull anything from the pqueues.
1468 	 */
1469 	if (!tpfinished) {
1470 		goto done;
1471 	}
1472 
1473 	instr->nextseq = ssn + 1;
1474 	/* Deliver any successive data chunks in the instr queue */
1475 	while (instr->istr_nmsgs > 0) {
1476 		dmp = (mblk_t *)instr->istr_msgs;
1477 		dc = (sctp_data_hdr_t *)dmp->b_rptr;
1478 		ssn = ntohs(dc->sdh_ssn);
1479 		/* Gap in the sequence */
1480 		if (ssn != instr->nextseq)
1481 			break;
1482 
1483 		/* Else deliver the data */
1484 		(instr->istr_nmsgs)--;
1485 		(instr->nextseq)++;
1486 		(sctp->sctp_istr_nmsgs)--;
1487 
1488 		instr->istr_msgs = instr->istr_msgs->b_next;
1489 		if (instr->istr_msgs != NULL)
1490 			instr->istr_msgs->b_prev = NULL;
1491 		dmp->b_next = dmp->b_prev = NULL;
1492 
1493 		dprint(2, ("data_chunk: pulling %x from pq (ssn %d)\n",
1494 		    ntohl(dc->sdh_tsn), (int)ssn));
1495 
1496 		/*
1497 		 * If this chunk was reassembled, each b_cont represents
1498 		 * another TSN; advance ftsn now.
1499 		 */
1500 		dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
1501 		for (pmp = dmp->b_cont; pmp; pmp = pmp->b_cont)
1502 			dlen += MBLKL(pmp);
1503 
1504 		ASSERT(sctp->sctp_rxqueued >= dlen);
1505 
1506 		sctp->sctp_rxqueued -= dlen;
1507 		if (can_deliver) {
1508 			dmp->b_rptr = (uchar_t *)(dc + 1);
1509 			if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
1510 			    ipp) == 0) {
1511 				dprint(1, ("sctp_data_chunk: delivering %lu "
1512 				    "bytes\n", msgdsize(dmp)));
1513 				sctp->sctp_rwnd -= dlen;
1514 				/*
1515 				 * Override b_flag for SCTP sockfs internal use
1516 				 */
1517 				dmp->b_flag = tpfinished ?
1518 				    0 : SCTP_PARTIAL_DATA;
1519 				new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd,
1520 				    dmp, msgdsize(dmp), 0, &error, NULL);
1521 				if (new_rwnd < 0)
1522 					sctp->sctp_rwnd = 0;
1523 				else if (new_rwnd > sctp->sctp_rwnd)
1524 					sctp->sctp_rwnd = new_rwnd;
1525 				SCTP_ACK_IT(sctp, tsn);
1526 			} else {
1527 				freemsg(dmp);
1528 				return;
1529 			}
1530 		} else {
1531 			/* About to free the data */
1532 			freemsg(dmp);
1533 			SCTP_ACK_IT(sctp, tsn);
1534 		}
1535 	}
1536 
1537 done:
1538 
1539 	/*
1540 	 * If there are gap reports pending, check if advancing
1541 	 * the ftsn here closes a gap. If so, we can advance
1542 	 * ftsn to the end of the set.
1543 	 */
1544 	if (sctp->sctp_sack_info != NULL &&
1545 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
1546 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
1547 	}
1548 	/*
1549 	 * If ftsn has moved forward, maybe we can remove gap reports.
1550 	 * NB: dmp may now be NULL, so don't dereference it here.
1551 	 */
1552 	if (oftsn != sctp->sctp_ftsn && sctp->sctp_sack_info != NULL) {
1553 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
1554 		    &sctp->sctp_sack_gaps);
1555 		dprint(2, ("data_chunk: removed acks before %x (num=%d)\n",
1556 		    sctp->sctp_ftsn - 1, sctp->sctp_sack_gaps));
1557 	}
1558 
1559 #ifdef	DEBUG
1560 	if (sctp->sctp_sack_info != NULL) {
1561 		ASSERT(sctp->sctp_ftsn != sctp->sctp_sack_info->begin);
1562 	}
1563 #endif
1564 
1565 #undef	SCTP_ACK_IT
1566 }
1567 
1568 void
1569 sctp_fill_sack(sctp_t *sctp, unsigned char *dst, int sacklen)
1570 {
1571 	sctp_chunk_hdr_t *sch;
1572 	sctp_sack_chunk_t *sc;
1573 	sctp_sack_frag_t *sf;
1574 	uint16_t num_gaps = sctp->sctp_sack_gaps;
1575 	sctp_set_t *sp;
1576 
1577 	/* Chunk hdr */
1578 	sch = (sctp_chunk_hdr_t *)dst;
1579 	sch->sch_id = CHUNK_SACK;
1580 	sch->sch_flags = 0;
1581 	sch->sch_len = htons(sacklen);
1582 
1583 	/* SACK chunk */
1584 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1585 
1586 	sc = (sctp_sack_chunk_t *)(sch + 1);
1587 	sc->ssc_cumtsn = htonl(sctp->sctp_lastacked);
1588 	if (sctp->sctp_rxqueued < sctp->sctp_rwnd) {
1589 		sc->ssc_a_rwnd = htonl(sctp->sctp_rwnd - sctp->sctp_rxqueued);
1590 	} else {
1591 		sc->ssc_a_rwnd = 0;
1592 	}
1593 	sc->ssc_numfrags = htons(num_gaps);
1594 	sc->ssc_numdups = 0;
1595 
1596 	/* lay in gap reports */
1597 	sf = (sctp_sack_frag_t *)(sc + 1);
1598 	for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1599 		uint16_t offset;
1600 
1601 		/* start */
1602 		if (sp->begin > sctp->sctp_lastacked) {
1603 			offset = (uint16_t)(sp->begin - sctp->sctp_lastacked);
1604 		} else {
1605 			/* sequence number wrap */
1606 			offset = (uint16_t)(UINT32_MAX - sctp->sctp_lastacked +
1607 			    sp->begin);
1608 		}
1609 		sf->ssf_start = htons(offset);
1610 
1611 		/* end */
1612 		if (sp->end >= sp->begin) {
1613 			offset += (uint16_t)(sp->end - sp->begin);
1614 		} else {
1615 			/* sequence number wrap */
1616 			offset += (uint16_t)(UINT32_MAX - sp->begin + sp->end);
1617 		}
1618 		sf->ssf_end = htons(offset);
1619 
1620 		sf++;
1621 		/* This is just for debugging (a la the following assertion) */
1622 		num_gaps--;
1623 	}
1624 
1625 	ASSERT(num_gaps == 0);
1626 
1627 	/* If the SACK timer is running, stop it */
1628 	if (sctp->sctp_ack_timer_running) {
1629 		sctp_timer_stop(sctp->sctp_ack_mp);
1630 		sctp->sctp_ack_timer_running = B_FALSE;
1631 	}
1632 
1633 	BUMP_LOCAL(sctp->sctp_obchunks);
1634 	BUMP_LOCAL(sctp->sctp_osacks);
1635 }
1636 
1637 mblk_t *
1638 sctp_make_sack(sctp_t *sctp, sctp_faddr_t *sendto, mblk_t *dups)
1639 {
1640 	mblk_t *smp;
1641 	size_t slen;
1642 	sctp_chunk_hdr_t *sch;
1643 	sctp_sack_chunk_t *sc;
1644 	int32_t acks_max;
1645 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1646 	uint32_t	dups_len;
1647 	sctp_faddr_t	*fp;
1648 
1649 	if (sctp->sctp_force_sack) {
1650 		sctp->sctp_force_sack = 0;
1651 		goto checks_done;
1652 	}
1653 
1654 	acks_max = sctps->sctps_deferred_acks_max;
1655 	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
1656 		if (sctp->sctp_sack_toggle < acks_max) {
1657 			/* no need to SACK right now */
1658 			dprint(2, ("sctp_make_sack: %p no sack (toggle)\n",
1659 			    (void *)sctp));
1660 			return (NULL);
1661 		} else if (sctp->sctp_sack_toggle >= acks_max) {
1662 			sctp->sctp_sack_toggle = 0;
1663 		}
1664 	}
1665 
1666 	if (sctp->sctp_ftsn == sctp->sctp_lastacked + 1) {
1667 		dprint(2, ("sctp_make_sack: %p no sack (already)\n",
1668 		    (void *)sctp));
1669 		return (NULL);
1670 	}
1671 
1672 checks_done:
1673 	dprint(2, ("sctp_make_sack: acking %x\n", sctp->sctp_ftsn - 1));
1674 
1675 	if (dups != NULL)
1676 		dups_len = MBLKL(dups);
1677 	else
1678 		dups_len = 0;
1679 	slen = sizeof (*sch) + sizeof (*sc) +
1680 	    (sizeof (sctp_sack_frag_t) * sctp->sctp_sack_gaps);
1681 
1682 	/*
1683 	 * If there are error chunks, check and see if we can send the
1684 	 * SACK chunk and error chunks together in one packet.  If not,
1685 	 * send the error chunks out now.
1686 	 */
1687 	if (sctp->sctp_err_chunks != NULL) {
1688 		fp = SCTP_CHUNK_DEST(sctp->sctp_err_chunks);
1689 		if (sctp->sctp_err_len + slen + dups_len > fp->sfa_pmss) {
1690 			if ((smp = sctp_make_mp(sctp, fp, 0)) == NULL) {
1691 				SCTP_KSTAT(sctps, sctp_send_err_failed);
1692 				SCTP_KSTAT(sctps, sctp_send_sack_failed);
1693 				freemsg(sctp->sctp_err_chunks);
1694 				sctp->sctp_err_chunks = NULL;
1695 				sctp->sctp_err_len = 0;
1696 				return (NULL);
1697 			}
1698 			smp->b_cont = sctp->sctp_err_chunks;
1699 			sctp_set_iplen(sctp, smp);
1700 			sctp_add_sendq(sctp, smp);
1701 			sctp->sctp_err_chunks = NULL;
1702 			sctp->sctp_err_len = 0;
1703 		}
1704 	}
1705 	smp = sctp_make_mp(sctp, sendto, slen);
1706 	if (smp == NULL) {
1707 		SCTP_KSTAT(sctps, sctp_send_sack_failed);
1708 		return (NULL);
1709 	}
1710 	sch = (sctp_chunk_hdr_t *)smp->b_wptr;
1711 
1712 	sctp_fill_sack(sctp, smp->b_wptr, slen);
1713 	smp->b_wptr += slen;
1714 	if (dups != NULL) {
1715 		sc = (sctp_sack_chunk_t *)(sch + 1);
1716 		sc->ssc_numdups = htons(MBLKL(dups) / sizeof (uint32_t));
1717 		sch->sch_len = htons(slen + dups_len);
1718 		smp->b_cont = dups;
1719 	}
1720 
1721 	if (sctp->sctp_err_chunks != NULL) {
1722 		linkb(smp, sctp->sctp_err_chunks);
1723 		sctp->sctp_err_chunks = NULL;
1724 		sctp->sctp_err_len = 0;
1725 	}
1726 	return (smp);
1727 }
1728 
1729 /*
1730  * Check and see if we need to send a SACK chunk.  If it is needed,
1731  * send it out.  Return true if a SACK chunk is sent, false otherwise.
1732  */
1733 boolean_t
1734 sctp_sack(sctp_t *sctp, mblk_t *dups)
1735 {
1736 	mblk_t *smp;
1737 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1738 
1739 	/* If we are shutting down, let send_shutdown() bundle the SACK */
1740 	if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
1741 		sctp_send_shutdown(sctp, 0);
1742 	}
1743 
1744 	ASSERT(sctp->sctp_lastdata != NULL);
1745 
1746 	if ((smp = sctp_make_sack(sctp, sctp->sctp_lastdata, dups)) == NULL) {
1747 		/* The caller of sctp_sack() will not free the dups mblk. */
1748 		if (dups != NULL)
1749 			freeb(dups);
1750 		return (B_FALSE);
1751 	}
1752 	sctp_set_iplen(sctp, smp);
1753 
1754 	dprint(2, ("sctp_sack: sending to %p %x:%x:%x:%x\n",
1755 	    (void *)sctp->sctp_lastdata,
1756 	    SCTP_PRINTADDR(sctp->sctp_lastdata->faddr)));
1757 
1758 	sctp->sctp_active = lbolt64;
1759 
1760 	BUMP_MIB(&sctps->sctps_mib, sctpOutAck);
1761 	sctp_add_sendq(sctp, smp);
1762 	return (B_TRUE);
1763 }
1764 
1765 /*
1766  * This is called if we have a message that was partially sent and is
1767  * abandoned. The cum TSN will be the last chunk sent for this message,
1768  * subsequent chunks will be marked ABANDONED. We send a Forward TSN
1769  * chunk in this case with the TSN of the last sent chunk so that the
1770  * peer can clean up its fragment list for this message. This message
1771  * will be removed from the transmit list when the peer sends a SACK
1772  * back.
1773  */
1774 int
1775 sctp_check_abandoned_msg(sctp_t *sctp, mblk_t *meta)
1776 {
1777 	sctp_data_hdr_t	*dh;
1778 	mblk_t		*nmp;
1779 	mblk_t		*head;
1780 	int32_t		unsent = 0;
1781 	mblk_t		*mp1 = meta->b_cont;
1782 	uint32_t	adv_pap = sctp->sctp_adv_pap;
1783 	sctp_faddr_t	*fp = sctp->sctp_current;
1784 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1785 
1786 	dh = (sctp_data_hdr_t *)mp1->b_rptr;
1787 	if (SEQ_GEQ(sctp->sctp_lastack_rxd, ntohl(dh->sdh_tsn))) {
1788 		sctp_ftsn_set_t	*sets = NULL;
1789 		uint_t		nsets = 0;
1790 		uint32_t	seglen = sizeof (uint32_t);
1791 		boolean_t	ubit = SCTP_DATA_GET_UBIT(dh);
1792 
1793 		while (mp1->b_next != NULL && SCTP_CHUNK_ISSENT(mp1->b_next))
1794 			mp1 = mp1->b_next;
1795 		dh = (sctp_data_hdr_t *)mp1->b_rptr;
1796 		sctp->sctp_adv_pap = ntohl(dh->sdh_tsn);
1797 		if (!ubit &&
1798 		    !sctp_add_ftsn_set(&sets, fp, meta, &nsets, &seglen)) {
1799 			sctp->sctp_adv_pap = adv_pap;
1800 			return (ENOMEM);
1801 		}
1802 		nmp = sctp_make_ftsn_chunk(sctp, fp, sets, nsets, seglen);
1803 		sctp_free_ftsn_set(sets);
1804 		if (nmp == NULL) {
1805 			sctp->sctp_adv_pap = adv_pap;
1806 			return (ENOMEM);
1807 		}
1808 		head = sctp_add_proto_hdr(sctp, fp, nmp, 0, NULL);
1809 		if (head == NULL) {
1810 			sctp->sctp_adv_pap = adv_pap;
1811 			freemsg(nmp);
1812 			SCTP_KSTAT(sctps, sctp_send_ftsn_failed);
1813 			return (ENOMEM);
1814 		}
1815 		SCTP_MSG_SET_ABANDONED(meta);
1816 		sctp_set_iplen(sctp, head);
1817 		sctp_add_sendq(sctp, head);
1818 		if (!fp->timer_running)
1819 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1820 		mp1 = mp1->b_next;
1821 		while (mp1 != NULL) {
1822 			ASSERT(!SCTP_CHUNK_ISSENT(mp1));
1823 			ASSERT(!SCTP_CHUNK_ABANDONED(mp1));
1824 			SCTP_ABANDON_CHUNK(mp1);
1825 			dh = (sctp_data_hdr_t *)mp1->b_rptr;
1826 			unsent += ntohs(dh->sdh_len) - sizeof (*dh);
1827 			mp1 = mp1->b_next;
1828 		}
1829 		ASSERT(sctp->sctp_unsent >= unsent);
1830 		sctp->sctp_unsent -= unsent;
1831 		/*
1832 		 * Update ULP the amount of queued data, which is
1833 		 * sent-unack'ed + unsent.
1834 		 */
1835 		if (!SCTP_IS_DETACHED(sctp))
1836 			SCTP_TXQ_UPDATE(sctp);
1837 		return (0);
1838 	}
1839 	return (-1);
1840 }
1841 
1842 uint32_t
1843 sctp_cumack(sctp_t *sctp, uint32_t tsn, mblk_t **first_unacked)
1844 {
1845 	mblk_t *ump, *nump, *mp = NULL;
1846 	uint16_t chunklen;
1847 	uint32_t xtsn;
1848 	sctp_faddr_t *fp;
1849 	sctp_data_hdr_t *sdc;
1850 	uint32_t cumack_forward = 0;
1851 	sctp_msg_hdr_t	*mhdr;
1852 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1853 
1854 	ump = sctp->sctp_xmit_head;
1855 
1856 	/*
1857 	 * Free messages only when they're completely acked.
1858 	 */
1859 	while (ump != NULL) {
1860 		mhdr = (sctp_msg_hdr_t *)ump->b_rptr;
1861 		for (mp = ump->b_cont; mp != NULL; mp = mp->b_next) {
1862 			if (SCTP_CHUNK_ABANDONED(mp)) {
1863 				ASSERT(SCTP_IS_MSG_ABANDONED(ump));
1864 				mp = NULL;
1865 				break;
1866 			}
1867 			/*
1868 			 * We check for abandoned message if we are PR-SCTP
1869 			 * aware, if this is not the first chunk in the
1870 			 * message (b_cont) and if the message is marked
1871 			 * abandoned.
1872 			 */
1873 			if (!SCTP_CHUNK_ISSENT(mp)) {
1874 				if (sctp->sctp_prsctp_aware &&
1875 				    mp != ump->b_cont &&
1876 				    (SCTP_IS_MSG_ABANDONED(ump) ||
1877 				    SCTP_MSG_TO_BE_ABANDONED(ump, mhdr,
1878 				    sctp))) {
1879 					(void) sctp_check_abandoned_msg(sctp,
1880 					    ump);
1881 				}
1882 				goto cum_ack_done;
1883 			}
1884 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
1885 			xtsn = ntohl(sdc->sdh_tsn);
1886 			if (SEQ_GEQ(sctp->sctp_lastack_rxd, xtsn))
1887 				continue;
1888 			if (SEQ_GEQ(tsn, xtsn)) {
1889 				fp = SCTP_CHUNK_DEST(mp);
1890 				chunklen = ntohs(sdc->sdh_len);
1891 
1892 				if (sctp->sctp_out_time != 0 &&
1893 				    xtsn == sctp->sctp_rtt_tsn) {
1894 					/* Got a new RTT measurement */
1895 					sctp_update_rtt(sctp, fp,
1896 					    lbolt64 - sctp->sctp_out_time);
1897 					sctp->sctp_out_time = 0;
1898 				}
1899 				if (SCTP_CHUNK_ISACKED(mp))
1900 					continue;
1901 				SCTP_CHUNK_SET_SACKCNT(mp, 0);
1902 				SCTP_CHUNK_ACKED(mp);
1903 				ASSERT(fp->suna >= chunklen);
1904 				fp->suna -= chunklen;
1905 				fp->acked += chunklen;
1906 				cumack_forward += chunklen;
1907 				ASSERT(sctp->sctp_unacked >=
1908 				    (chunklen - sizeof (*sdc)));
1909 				sctp->sctp_unacked -=
1910 				    (chunklen - sizeof (*sdc));
1911 				if (fp->suna == 0) {
1912 					/* all outstanding data acked */
1913 					fp->pba = 0;
1914 					SCTP_FADDR_TIMER_STOP(fp);
1915 				} else {
1916 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
1917 					    fp->rto);
1918 				}
1919 			} else {
1920 				goto cum_ack_done;
1921 			}
1922 		}
1923 		nump = ump->b_next;
1924 		if (nump != NULL)
1925 			nump->b_prev = NULL;
1926 		if (ump == sctp->sctp_xmit_tail)
1927 			sctp->sctp_xmit_tail = nump;
1928 		if (SCTP_IS_MSG_ABANDONED(ump)) {
1929 			BUMP_LOCAL(sctp->sctp_prsctpdrop);
1930 			ump->b_next = NULL;
1931 			sctp_sendfail_event(sctp, ump, 0, B_TRUE);
1932 		} else {
1933 			sctp_free_msg(ump);
1934 		}
1935 		sctp->sctp_xmit_head = ump = nump;
1936 	}
1937 cum_ack_done:
1938 	*first_unacked = mp;
1939 	if (cumack_forward > 0) {
1940 		BUMP_MIB(&sctps->sctps_mib, sctpInAck);
1941 		if (SEQ_GT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn)) {
1942 			sctp->sctp_recovery_tsn = sctp->sctp_lastack_rxd;
1943 		}
1944 
1945 		/*
1946 		 * Update ULP the amount of queued data, which is
1947 		 * sent-unack'ed + unsent.
1948 		 */
1949 		if (!SCTP_IS_DETACHED(sctp))
1950 			SCTP_TXQ_UPDATE(sctp);
1951 
1952 		/* Time to send a shutdown? */
1953 		if (sctp->sctp_state == SCTPS_SHUTDOWN_PENDING) {
1954 			sctp_send_shutdown(sctp, 0);
1955 		}
1956 		sctp->sctp_xmit_unacked = mp;
1957 	} else {
1958 		/* dup ack */
1959 		BUMP_MIB(&sctps->sctps_mib, sctpInDupAck);
1960 	}
1961 	sctp->sctp_lastack_rxd = tsn;
1962 	if (SEQ_LT(sctp->sctp_adv_pap, sctp->sctp_lastack_rxd))
1963 		sctp->sctp_adv_pap = sctp->sctp_lastack_rxd;
1964 	ASSERT(sctp->sctp_xmit_head || sctp->sctp_unacked == 0);
1965 
1966 	return (cumack_forward);
1967 }
1968 
1969 static int
1970 sctp_set_frwnd(sctp_t *sctp, uint32_t frwnd)
1971 {
1972 	uint32_t orwnd;
1973 
1974 	if (sctp->sctp_unacked > frwnd) {
1975 		sctp->sctp_frwnd = 0;
1976 		return (0);
1977 	}
1978 	orwnd = sctp->sctp_frwnd;
1979 	sctp->sctp_frwnd = frwnd - sctp->sctp_unacked;
1980 	if (orwnd < sctp->sctp_frwnd) {
1981 		return (1);
1982 	} else {
1983 		return (0);
1984 	}
1985 }
1986 
1987 /*
1988  * For un-ordered messages.
1989  * Walk the sctp->sctp_uo_frag list and remove any fragments with TSN
1990  * less than/equal to ftsn. Fragments for un-ordered messages are
1991  * strictly in sequence (w.r.t TSN).
1992  */
1993 static int
1994 sctp_ftsn_check_uo_frag(sctp_t *sctp, uint32_t ftsn)
1995 {
1996 	mblk_t		*hmp;
1997 	mblk_t		*hmp_next;
1998 	sctp_data_hdr_t	*dc;
1999 	int		dlen = 0;
2000 
2001 	hmp = sctp->sctp_uo_frags;
2002 	while (hmp != NULL) {
2003 		hmp_next = hmp->b_next;
2004 		dc = (sctp_data_hdr_t *)hmp->b_rptr;
2005 		if (SEQ_GT(ntohl(dc->sdh_tsn), ftsn))
2006 			return (dlen);
2007 		sctp->sctp_uo_frags = hmp_next;
2008 		if (hmp_next != NULL)
2009 			hmp_next->b_prev = NULL;
2010 		hmp->b_next = NULL;
2011 		dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2012 		freeb(hmp);
2013 		hmp = hmp_next;
2014 	}
2015 	return (dlen);
2016 }
2017 
2018 /*
2019  * For ordered messages.
2020  * Check for existing fragments for an sid-ssn pair reported as abandoned,
2021  * hence will not receive, in the Forward TSN. If there are fragments, then
2022  * we just nuke them. If and when Partial Delivery API is supported, we
2023  * would need to send a notification to the upper layer about this.
2024  */
2025 static int
2026 sctp_ftsn_check_frag(sctp_t *sctp, uint16_t ssn, sctp_instr_t *sip)
2027 {
2028 	sctp_reass_t	*srp;
2029 	mblk_t		*hmp;
2030 	mblk_t		*dmp;
2031 	mblk_t		*hmp_next;
2032 	sctp_data_hdr_t	*dc;
2033 	int		dlen = 0;
2034 
2035 	hmp = sip->istr_reass;
2036 	while (hmp != NULL) {
2037 		hmp_next = hmp->b_next;
2038 		srp = (sctp_reass_t *)DB_BASE(hmp);
2039 		if (SSN_GT(srp->ssn, ssn))
2040 			return (dlen);
2041 		/*
2042 		 * If we had sent part of this message up, send a partial
2043 		 * delivery event. Since this is ordered delivery, we should
2044 		 * have sent partial message only for the next in sequence,
2045 		 * hence the ASSERT. See comments in sctp_data_chunk() for
2046 		 * trypartial.
2047 		 */
2048 		if (srp->partial_delivered) {
2049 			ASSERT(sip->nextseq == srp->ssn);
2050 			sctp_partial_delivery_event(sctp);
2051 		}
2052 		/* Take it out of the reass queue */
2053 		sip->istr_reass = hmp_next;
2054 		if (hmp_next != NULL)
2055 			hmp_next->b_prev = NULL;
2056 		hmp->b_next = NULL;
2057 		ASSERT(hmp->b_prev == NULL);
2058 		dmp = hmp;
2059 		ASSERT(DB_TYPE(hmp) == M_CTL);
2060 		dmp = hmp->b_cont;
2061 		hmp->b_cont = NULL;
2062 		freeb(hmp);
2063 		hmp = dmp;
2064 		while (dmp != NULL) {
2065 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2066 			dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2067 			dmp = dmp->b_cont;
2068 		}
2069 		freemsg(hmp);
2070 		hmp = hmp_next;
2071 	}
2072 	return (dlen);
2073 }
2074 
2075 /*
2076  * Update sctp_ftsn to the cumulative TSN from the Forward TSN chunk. Remove
2077  * any SACK gaps less than the newly updated sctp_ftsn. Walk through the
2078  * sid-ssn pair in the Forward TSN and for each, clean the fragment list
2079  * for this pair, if needed, and check if we can deliver subsequent
2080  * messages, if any, from the instream queue (that were waiting for this
2081  * sid-ssn message to show up). Once we are done try to update the SACK
2082  * info. We could get a duplicate Forward TSN, in which case just send
2083  * a SACK. If any of the sid values in the the Forward TSN is invalid,
2084  * send back an "Invalid Stream Identifier" error and continue processing
2085  * the rest.
2086  */
2087 static void
2088 sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
2089     ip6_pkt_t *ipp)
2090 {
2091 	uint32_t	*ftsn = (uint32_t *)(ch + 1);
2092 	ftsn_entry_t	*ftsn_entry;
2093 	sctp_instr_t	*instr;
2094 	boolean_t	can_deliver = B_TRUE;
2095 	size_t		dlen;
2096 	int		flen;
2097 	mblk_t		*dmp;
2098 	mblk_t		*pmp;
2099 	sctp_data_hdr_t	*dc;
2100 	ssize_t		remaining;
2101 	sctp_stack_t	*sctps = sctp->sctp_sctps;
2102 
2103 	*ftsn = ntohl(*ftsn);
2104 	remaining =  ntohs(ch->sch_len) - sizeof (*ch) - sizeof (*ftsn);
2105 
2106 	if (SCTP_IS_DETACHED(sctp)) {
2107 		BUMP_MIB(&sctps->sctps_mib, sctpInClosed);
2108 		can_deliver = B_FALSE;
2109 	}
2110 	/*
2111 	 * un-ordered messages don't have SID-SSN pair entries, we check
2112 	 * for any fragments (for un-ordered message) to be discarded using
2113 	 * the cumulative FTSN.
2114 	 */
2115 	flen = sctp_ftsn_check_uo_frag(sctp, *ftsn);
2116 	if (flen > 0) {
2117 		ASSERT(sctp->sctp_rxqueued >= flen);
2118 		sctp->sctp_rxqueued -= flen;
2119 	}
2120 	ftsn_entry = (ftsn_entry_t *)(ftsn + 1);
2121 	while (remaining >= sizeof (*ftsn_entry)) {
2122 		ftsn_entry->ftsn_sid = ntohs(ftsn_entry->ftsn_sid);
2123 		ftsn_entry->ftsn_ssn = ntohs(ftsn_entry->ftsn_ssn);
2124 		if (ftsn_entry->ftsn_sid >= sctp->sctp_num_istr) {
2125 			sctp_bsc_t	inval_parm;
2126 
2127 			/* Will populate the CAUSE block in the ERROR chunk. */
2128 			inval_parm.bsc_sid = htons(ftsn_entry->ftsn_sid);
2129 			/* RESERVED, ignored at the receiving end */
2130 			inval_parm.bsc_pad = 0;
2131 
2132 			sctp_add_err(sctp, SCTP_ERR_BAD_SID,
2133 			    (void *)&inval_parm, sizeof (sctp_bsc_t), fp);
2134 			ftsn_entry++;
2135 			remaining -= sizeof (*ftsn_entry);
2136 			continue;
2137 		}
2138 		instr = &sctp->sctp_instr[ftsn_entry->ftsn_sid];
2139 		flen = sctp_ftsn_check_frag(sctp, ftsn_entry->ftsn_ssn, instr);
2140 		/* Indicates frags were nuked, update rxqueued */
2141 		if (flen > 0) {
2142 			ASSERT(sctp->sctp_rxqueued >= flen);
2143 			sctp->sctp_rxqueued -= flen;
2144 		}
2145 		/*
2146 		 * It is possible to receive an FTSN chunk with SSN smaller
2147 		 * than then nextseq if this chunk is a retransmission because
2148 		 * of incomplete processing when it was first processed.
2149 		 */
2150 		if (SSN_GE(ftsn_entry->ftsn_ssn, instr->nextseq))
2151 			instr->nextseq = ftsn_entry->ftsn_ssn + 1;
2152 		while (instr->istr_nmsgs > 0) {
2153 			mblk_t	*next;
2154 
2155 			dmp = (mblk_t *)instr->istr_msgs;
2156 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2157 			if (ntohs(dc->sdh_ssn) != instr->nextseq)
2158 				break;
2159 
2160 			next = dmp->b_next;
2161 			dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
2162 			for (pmp = dmp->b_cont; pmp != NULL;
2163 			    pmp = pmp->b_cont) {
2164 				dlen += MBLKL(pmp);
2165 			}
2166 			if (can_deliver) {
2167 				int32_t	nrwnd;
2168 				int error;
2169 
2170 				dmp->b_rptr = (uchar_t *)(dc + 1);
2171 				dmp->b_next = NULL;
2172 				ASSERT(dmp->b_prev == NULL);
2173 				if (sctp_input_add_ancillary(sctp,
2174 				    &dmp, dc, fp, ipp) == 0) {
2175 					sctp->sctp_rxqueued -= dlen;
2176 					sctp->sctp_rwnd -= dlen;
2177 					/*
2178 					 * Override b_flag for SCTP sockfs
2179 					 * internal use
2180 					 */
2181 
2182 					dmp->b_flag = 0;
2183 					nrwnd = sctp->sctp_ulp_recv(
2184 					    sctp->sctp_ulpd, dmp, msgdsize(dmp),
2185 					    0, &error, NULL);
2186 					if (nrwnd < 0)
2187 						sctp->sctp_rwnd = 0;
2188 					else if (nrwnd > sctp->sctp_rwnd)
2189 						sctp->sctp_rwnd = nrwnd;
2190 				} else {
2191 					/*
2192 					 * We will resume processing when
2193 					 * the FTSN chunk is re-xmitted.
2194 					 */
2195 					dmp->b_rptr = (uchar_t *)dc;
2196 					dmp->b_next = next;
2197 					dprint(0,
2198 					    ("FTSN dequeuing %u failed\n",
2199 					    ntohs(dc->sdh_ssn)));
2200 					return;
2201 				}
2202 			} else {
2203 				sctp->sctp_rxqueued -= dlen;
2204 				ASSERT(dmp->b_prev == NULL);
2205 				dmp->b_next = NULL;
2206 				freemsg(dmp);
2207 			}
2208 			instr->istr_nmsgs--;
2209 			instr->nextseq++;
2210 			sctp->sctp_istr_nmsgs--;
2211 			if (next != NULL)
2212 				next->b_prev = NULL;
2213 			instr->istr_msgs = next;
2214 		}
2215 		ftsn_entry++;
2216 		remaining -= sizeof (*ftsn_entry);
2217 	}
2218 	/* Duplicate FTSN */
2219 	if (*ftsn <= (sctp->sctp_ftsn - 1)) {
2220 		sctp->sctp_force_sack = 1;
2221 		return;
2222 	}
2223 	/* Advance cum TSN to that reported in the Forward TSN chunk */
2224 	sctp->sctp_ftsn = *ftsn + 1;
2225 
2226 	/* Remove all the SACK gaps before the new cum TSN */
2227 	if (sctp->sctp_sack_info != NULL) {
2228 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2229 		    &sctp->sctp_sack_gaps);
2230 	}
2231 	/*
2232 	 * If there are gap reports pending, check if advancing
2233 	 * the ftsn here closes a gap. If so, we can advance
2234 	 * ftsn to the end of the set.
2235 	 * If ftsn has moved forward, maybe we can remove gap reports.
2236 	 */
2237 	if (sctp->sctp_sack_info != NULL &&
2238 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
2239 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
2240 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2241 		    &sctp->sctp_sack_gaps);
2242 	}
2243 }
2244 
2245 /*
2246  * When we have processed a SACK we check to see if we can advance the
2247  * cumulative TSN if there are abandoned chunks immediately following
2248  * the updated cumulative TSN. If there are, we attempt to send a
2249  * Forward TSN chunk.
2250  */
2251 static void
2252 sctp_check_abandoned_data(sctp_t *sctp, sctp_faddr_t *fp)
2253 {
2254 	mblk_t		*meta = sctp->sctp_xmit_head;
2255 	mblk_t		*mp;
2256 	mblk_t		*nmp;
2257 	uint32_t	seglen;
2258 	uint32_t	adv_pap = sctp->sctp_adv_pap;
2259 
2260 	/*
2261 	 * We only check in the first meta since otherwise we can't
2262 	 * advance the cumulative ack point. We just look for chunks
2263 	 * marked for retransmission, else we might prematurely
2264 	 * send an FTSN for a sent, but unacked, chunk.
2265 	 */
2266 	for (mp = meta->b_cont; mp != NULL; mp = mp->b_next) {
2267 		if (!SCTP_CHUNK_ISSENT(mp))
2268 			return;
2269 		if (SCTP_CHUNK_WANT_REXMIT(mp))
2270 			break;
2271 	}
2272 	if (mp == NULL)
2273 		return;
2274 	sctp_check_adv_ack_pt(sctp, meta, mp);
2275 	if (SEQ_GT(sctp->sctp_adv_pap, adv_pap)) {
2276 		sctp_make_ftsns(sctp, meta, mp, &nmp, fp, &seglen);
2277 		if (nmp == NULL) {
2278 			sctp->sctp_adv_pap = adv_pap;
2279 			if (!fp->timer_running)
2280 				SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2281 			return;
2282 		}
2283 		sctp_set_iplen(sctp, nmp);
2284 		sctp_add_sendq(sctp, nmp);
2285 		if (!fp->timer_running)
2286 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2287 	}
2288 }
2289 
2290 /*
2291  * The processing here follows the same logic in sctp_got_sack(), the reason
2292  * we do this separately is because, usually, gap blocks are ordered and
2293  * we can process it in sctp_got_sack(). However if they aren't we would
2294  * need to do some additional non-optimal stuff when we start processing the
2295  * unordered gaps. To that effect sctp_got_sack() does the processing in the
2296  * simple case and this does the same in the more involved case.
2297  */
2298 static uint32_t
2299 sctp_process_uo_gaps(sctp_t *sctp, uint32_t ctsn, sctp_sack_frag_t *ssf,
2300     int num_gaps, mblk_t *umphead, mblk_t *mphead, int *trysend,
2301     boolean_t *fast_recovery, uint32_t fr_xtsn)
2302 {
2303 	uint32_t		xtsn;
2304 	uint32_t		gapstart = 0;
2305 	uint32_t		gapend = 0;
2306 	int			gapcnt;
2307 	uint16_t		chunklen;
2308 	sctp_data_hdr_t		*sdc;
2309 	int			gstart;
2310 	mblk_t			*ump = umphead;
2311 	mblk_t			*mp = mphead;
2312 	sctp_faddr_t		*fp;
2313 	uint32_t		acked = 0;
2314 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2315 
2316 	/*
2317 	 * gstart tracks the last (in the order of TSN) gapstart that
2318 	 * we process in this SACK gaps walk.
2319 	 */
2320 	gstart = ctsn;
2321 
2322 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2323 	xtsn = ntohl(sdc->sdh_tsn);
2324 	for (gapcnt = 0; gapcnt < num_gaps; gapcnt++, ssf++) {
2325 		if (gapstart != 0) {
2326 			/*
2327 			 * If we have reached the end of the transmit list or
2328 			 * hit an unsent chunk or encountered an unordered gap
2329 			 * block start from the ctsn again.
2330 			 */
2331 			if (ump == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2332 			    SEQ_LT(ctsn + ntohs(ssf->ssf_start), xtsn)) {
2333 				ump = umphead;
2334 				mp = mphead;
2335 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2336 				xtsn = ntohl(sdc->sdh_tsn);
2337 			}
2338 		}
2339 
2340 		gapstart = ctsn + ntohs(ssf->ssf_start);
2341 		gapend = ctsn + ntohs(ssf->ssf_end);
2342 
2343 		/*
2344 		 * Sanity checks:
2345 		 *
2346 		 * 1. SACK for TSN we have not sent - ABORT
2347 		 * 2. Invalid or spurious gaps, ignore all gaps
2348 		 */
2349 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2350 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2351 			BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2352 			*trysend = -1;
2353 			return (acked);
2354 		} else if (SEQ_LT(gapend, gapstart) ||
2355 		    SEQ_LEQ(gapstart, ctsn)) {
2356 			break;
2357 		}
2358 		/*
2359 		 * The xtsn can be the TSN processed for the last gap
2360 		 * (gapend) or it could be the cumulative TSN. We continue
2361 		 * with the last xtsn as long as the gaps are ordered, when
2362 		 * we hit an unordered gap, we re-start from the cumulative
2363 		 * TSN. For the first gap it is always the cumulative TSN.
2364 		 */
2365 		while (xtsn != gapstart) {
2366 			/*
2367 			 * We can't reliably check for reneged chunks
2368 			 * when walking the unordered list, so we don't.
2369 			 * In case the peer reneges then we will end up
2370 			 * sending the reneged chunk via timeout.
2371 			 */
2372 			mp = mp->b_next;
2373 			if (mp == NULL) {
2374 				ump = ump->b_next;
2375 				/*
2376 				 * ump can't be NULL because of the sanity
2377 				 * check above.
2378 				 */
2379 				ASSERT(ump != NULL);
2380 				mp = ump->b_cont;
2381 			}
2382 			/*
2383 			 * mp can't be unsent because of the sanity check
2384 			 * above.
2385 			 */
2386 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2387 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2388 			xtsn = ntohl(sdc->sdh_tsn);
2389 		}
2390 		/*
2391 		 * Now that we have found the chunk with TSN == 'gapstart',
2392 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2393 		 * All intermediate chunks will be marked ACKED, if they
2394 		 * haven't already been.
2395 		 */
2396 		while (SEQ_LEQ(xtsn, gapend)) {
2397 			/*
2398 			 * SACKed
2399 			 */
2400 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2401 			if (!SCTP_CHUNK_ISACKED(mp)) {
2402 				SCTP_CHUNK_ACKED(mp);
2403 
2404 				fp = SCTP_CHUNK_DEST(mp);
2405 				chunklen = ntohs(sdc->sdh_len);
2406 				ASSERT(fp->suna >= chunklen);
2407 				fp->suna -= chunklen;
2408 				if (fp->suna == 0) {
2409 					/* All outstanding data acked. */
2410 					fp->pba = 0;
2411 					SCTP_FADDR_TIMER_STOP(fp);
2412 				}
2413 				fp->acked += chunklen;
2414 				acked += chunklen;
2415 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2416 				ASSERT(sctp->sctp_unacked >= 0);
2417 			}
2418 			/*
2419 			 * Move to the next message in the transmit list
2420 			 * if we are done with all the chunks from the current
2421 			 * message. Note, it is possible to hit the end of the
2422 			 * transmit list here, i.e. if we have already completed
2423 			 * processing the gap block.
2424 			 */
2425 			mp = mp->b_next;
2426 			if (mp == NULL) {
2427 				ump = ump->b_next;
2428 				if (ump == NULL) {
2429 					ASSERT(xtsn == gapend);
2430 					break;
2431 				}
2432 				mp = ump->b_cont;
2433 			}
2434 			/*
2435 			 * Likewise, we can hit an unsent chunk once we have
2436 			 * completed processing the gap block.
2437 			 */
2438 			if (!SCTP_CHUNK_ISSENT(mp)) {
2439 				ASSERT(xtsn == gapend);
2440 				break;
2441 			}
2442 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2443 			xtsn = ntohl(sdc->sdh_tsn);
2444 		}
2445 		/*
2446 		 * We keep track of the last gap we successfully processed
2447 		 * so that we can terminate the walk below for incrementing
2448 		 * the SACK count.
2449 		 */
2450 		if (SEQ_LT(gstart, gapstart))
2451 			gstart = gapstart;
2452 	}
2453 	/*
2454 	 * Check if have incremented the SACK count for all unacked TSNs in
2455 	 * sctp_got_sack(), if so we are done.
2456 	 */
2457 	if (SEQ_LEQ(gstart, fr_xtsn))
2458 		return (acked);
2459 
2460 	ump = umphead;
2461 	mp = mphead;
2462 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2463 	xtsn = ntohl(sdc->sdh_tsn);
2464 	while (SEQ_LT(xtsn, gstart)) {
2465 		/*
2466 		 * We have incremented SACK count for TSNs less than fr_tsn
2467 		 * in sctp_got_sack(), so don't increment them again here.
2468 		 */
2469 		if (SEQ_GT(xtsn, fr_xtsn) && !SCTP_CHUNK_ISACKED(mp)) {
2470 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2471 			if (SCTP_CHUNK_SACKCNT(mp) ==
2472 			    sctps->sctps_fast_rxt_thresh) {
2473 				SCTP_CHUNK_REXMIT(mp);
2474 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2475 				*trysend = 1;
2476 				if (!*fast_recovery) {
2477 					/*
2478 					 * Entering fast recovery.
2479 					 */
2480 					fp = SCTP_CHUNK_DEST(mp);
2481 					fp->ssthresh = fp->cwnd / 2;
2482 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2483 						fp->ssthresh =
2484 						    2 * fp->sfa_pmss;
2485 					}
2486 					fp->cwnd = fp->ssthresh;
2487 					fp->pba = 0;
2488 					sctp->sctp_recovery_tsn =
2489 					    sctp->sctp_ltsn - 1;
2490 					*fast_recovery = B_TRUE;
2491 				}
2492 			}
2493 		}
2494 		mp = mp->b_next;
2495 		if (mp == NULL) {
2496 			ump = ump->b_next;
2497 			/* We can't get to the end of the transmit list here */
2498 			ASSERT(ump != NULL);
2499 			mp = ump->b_cont;
2500 		}
2501 		/* We can't hit an unsent chunk here */
2502 		ASSERT(SCTP_CHUNK_ISSENT(mp));
2503 		sdc = (sctp_data_hdr_t *)mp->b_rptr;
2504 		xtsn = ntohl(sdc->sdh_tsn);
2505 	}
2506 	return (acked);
2507 }
2508 
2509 static int
2510 sctp_got_sack(sctp_t *sctp, sctp_chunk_hdr_t *sch)
2511 {
2512 	sctp_sack_chunk_t	*sc;
2513 	sctp_data_hdr_t		*sdc;
2514 	sctp_sack_frag_t	*ssf;
2515 	mblk_t			*ump;
2516 	mblk_t			*mp;
2517 	mblk_t			*mp1;
2518 	uint32_t		cumtsn;
2519 	uint32_t		xtsn;
2520 	uint32_t		gapstart = 0;
2521 	uint32_t		gapend = 0;
2522 	uint32_t		acked = 0;
2523 	uint16_t		chunklen;
2524 	sctp_faddr_t		*fp;
2525 	int			num_gaps;
2526 	int			trysend = 0;
2527 	int			i;
2528 	boolean_t		fast_recovery = B_FALSE;
2529 	boolean_t		cumack_forward = B_FALSE;
2530 	boolean_t		fwd_tsn = B_FALSE;
2531 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2532 
2533 	BUMP_LOCAL(sctp->sctp_ibchunks);
2534 	BUMP_LOCAL(sctp->sctp_isacks);
2535 	chunklen = ntohs(sch->sch_len);
2536 	if (chunklen < (sizeof (*sch) + sizeof (*sc)))
2537 		return (0);
2538 
2539 	sc = (sctp_sack_chunk_t *)(sch + 1);
2540 	cumtsn = ntohl(sc->ssc_cumtsn);
2541 
2542 	dprint(2, ("got sack cumtsn %x -> %x\n", sctp->sctp_lastack_rxd,
2543 	    cumtsn));
2544 
2545 	/* out of order */
2546 	if (SEQ_LT(cumtsn, sctp->sctp_lastack_rxd))
2547 		return (0);
2548 
2549 	if (SEQ_GT(cumtsn, sctp->sctp_ltsn - 1)) {
2550 		BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2551 		/* Send an ABORT */
2552 		return (-1);
2553 	}
2554 
2555 	/*
2556 	 * Cwnd only done when not in fast recovery mode.
2557 	 */
2558 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn))
2559 		fast_recovery = B_TRUE;
2560 
2561 	/*
2562 	 * .. and if the cum TSN is not moving ahead on account Forward TSN
2563 	 */
2564 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_adv_pap))
2565 		fwd_tsn = B_TRUE;
2566 
2567 	if (cumtsn == sctp->sctp_lastack_rxd &&
2568 	    (sctp->sctp_xmit_unacked == NULL ||
2569 	    !SCTP_CHUNK_ABANDONED(sctp->sctp_xmit_unacked))) {
2570 		if (sctp->sctp_xmit_unacked != NULL)
2571 			mp = sctp->sctp_xmit_unacked;
2572 		else if (sctp->sctp_xmit_head != NULL)
2573 			mp = sctp->sctp_xmit_head->b_cont;
2574 		else
2575 			mp = NULL;
2576 		BUMP_MIB(&sctps->sctps_mib, sctpInDupAck);
2577 		/*
2578 		 * If we were doing a zero win probe and the win
2579 		 * has now opened to at least MSS, re-transmit the
2580 		 * zero win probe via sctp_rexmit_packet().
2581 		 */
2582 		if (mp != NULL && sctp->sctp_zero_win_probe &&
2583 		    ntohl(sc->ssc_a_rwnd) >= sctp->sctp_current->sfa_pmss) {
2584 			mblk_t	*pkt;
2585 			uint_t	pkt_len;
2586 			mblk_t	*mp1 = mp;
2587 			mblk_t	*meta = sctp->sctp_xmit_head;
2588 
2589 			/*
2590 			 * Reset the RTO since we have been backing-off
2591 			 * to send the ZWP.
2592 			 */
2593 			fp = sctp->sctp_current;
2594 			fp->rto = fp->srtt + 4 * fp->rttvar;
2595 			SCTP_MAX_RTO(sctp, fp);
2596 			/* Resend the ZWP */
2597 			pkt = sctp_rexmit_packet(sctp, &meta, &mp1, fp,
2598 			    &pkt_len);
2599 			if (pkt == NULL) {
2600 				SCTP_KSTAT(sctps, sctp_ss_rexmit_failed);
2601 				return (0);
2602 			}
2603 			ASSERT(pkt_len <= fp->sfa_pmss);
2604 			sctp->sctp_zero_win_probe = B_FALSE;
2605 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2606 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2607 			sctp_set_iplen(sctp, pkt);
2608 			sctp_add_sendq(sctp, pkt);
2609 		}
2610 	} else {
2611 		if (sctp->sctp_zero_win_probe) {
2612 			/*
2613 			 * Reset the RTO since we have been backing-off
2614 			 * to send the ZWP.
2615 			 */
2616 			fp = sctp->sctp_current;
2617 			fp->rto = fp->srtt + 4 * fp->rttvar;
2618 			SCTP_MAX_RTO(sctp, fp);
2619 			sctp->sctp_zero_win_probe = B_FALSE;
2620 			/* This is probably not required */
2621 			if (!sctp->sctp_rexmitting) {
2622 				sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2623 				sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2624 			}
2625 		}
2626 		acked = sctp_cumack(sctp, cumtsn, &mp);
2627 		sctp->sctp_xmit_unacked = mp;
2628 		if (acked > 0) {
2629 			trysend = 1;
2630 			cumack_forward = B_TRUE;
2631 			if (fwd_tsn && SEQ_GEQ(sctp->sctp_lastack_rxd,
2632 			    sctp->sctp_adv_pap)) {
2633 				cumack_forward = B_FALSE;
2634 			}
2635 		}
2636 	}
2637 	num_gaps = ntohs(sc->ssc_numfrags);
2638 	UPDATE_LOCAL(sctp->sctp_gapcnt, num_gaps);
2639 	if (num_gaps == 0 || mp == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2640 	    chunklen < (sizeof (*sch) + sizeof (*sc) +
2641 	    num_gaps * sizeof (*ssf))) {
2642 		goto ret;
2643 	}
2644 #ifdef	DEBUG
2645 	/*
2646 	 * Since we delete any message that has been acked completely,
2647 	 * the unacked chunk must belong to sctp_xmit_head (as
2648 	 * we don't have a back pointer from the mp to the meta data
2649 	 * we do this).
2650 	 */
2651 	{
2652 		mblk_t	*mp2 = sctp->sctp_xmit_head->b_cont;
2653 
2654 		while (mp2 != NULL) {
2655 			if (mp2 == mp)
2656 				break;
2657 			mp2 = mp2->b_next;
2658 		}
2659 		ASSERT(mp2 != NULL);
2660 	}
2661 #endif
2662 	ump = sctp->sctp_xmit_head;
2663 
2664 	/*
2665 	 * Just remember where we started from, in case we need to call
2666 	 * sctp_process_uo_gaps() if the gap blocks are unordered.
2667 	 */
2668 	mp1 = mp;
2669 
2670 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2671 	xtsn = ntohl(sdc->sdh_tsn);
2672 	ASSERT(xtsn == cumtsn + 1);
2673 
2674 	/*
2675 	 * Go through SACK gaps. They are ordered based on start TSN.
2676 	 */
2677 	ssf = (sctp_sack_frag_t *)(sc + 1);
2678 	for (i = 0; i < num_gaps; i++, ssf++) {
2679 		if (gapstart != 0) {
2680 			/* check for unordered gap */
2681 			if (SEQ_LEQ(cumtsn + ntohs(ssf->ssf_start), gapstart)) {
2682 				acked += sctp_process_uo_gaps(sctp,
2683 				    cumtsn, ssf, num_gaps - i,
2684 				    sctp->sctp_xmit_head, mp1,
2685 				    &trysend, &fast_recovery, gapstart);
2686 				if (trysend < 0) {
2687 					BUMP_MIB(&sctps->sctps_mib,
2688 					    sctpInAckUnsent);
2689 					return (-1);
2690 				}
2691 				break;
2692 			}
2693 		}
2694 		gapstart = cumtsn + ntohs(ssf->ssf_start);
2695 		gapend = cumtsn + ntohs(ssf->ssf_end);
2696 
2697 		/*
2698 		 * Sanity checks:
2699 		 *
2700 		 * 1. SACK for TSN we have not sent - ABORT
2701 		 * 2. Invalid or spurious gaps, ignore all gaps
2702 		 */
2703 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2704 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2705 			BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2706 			return (-1);
2707 		} else if (SEQ_LT(gapend, gapstart) ||
2708 		    SEQ_LEQ(gapstart, cumtsn)) {
2709 			break;
2710 		}
2711 		/*
2712 		 * Let's start at the current TSN (for the 1st gap we start
2713 		 * from the cumulative TSN, for subsequent ones we start from
2714 		 * where the previous gapend was found - second while loop
2715 		 * below) and walk the transmit list till we find the TSN
2716 		 * corresponding to gapstart. All the unacked chunks till we
2717 		 * get to the chunk with TSN == gapstart will have their
2718 		 * SACKCNT incremented by 1. Note since the gap blocks are
2719 		 * ordered, we won't be incrementing the SACKCNT for an
2720 		 * unacked chunk by more than one while processing the gap
2721 		 * blocks. If the SACKCNT for any unacked chunk exceeds
2722 		 * the fast retransmit threshold, we will fast retransmit
2723 		 * after processing all the gap blocks.
2724 		 */
2725 		ASSERT(SEQ_LEQ(xtsn, gapstart));
2726 		while (xtsn != gapstart) {
2727 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2728 			if (SCTP_CHUNK_SACKCNT(mp) ==
2729 			    sctps->sctps_fast_rxt_thresh) {
2730 				SCTP_CHUNK_REXMIT(mp);
2731 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2732 				trysend = 1;
2733 				if (!fast_recovery) {
2734 					/*
2735 					 * Entering fast recovery.
2736 					 */
2737 					fp = SCTP_CHUNK_DEST(mp);
2738 					fp->ssthresh = fp->cwnd / 2;
2739 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2740 						fp->ssthresh =
2741 						    2 * fp->sfa_pmss;
2742 					}
2743 					fp->cwnd = fp->ssthresh;
2744 					fp->pba = 0;
2745 					sctp->sctp_recovery_tsn =
2746 					    sctp->sctp_ltsn - 1;
2747 					fast_recovery = B_TRUE;
2748 				}
2749 			}
2750 
2751 			/*
2752 			 * Peer may have reneged on this chunk, so un-sack
2753 			 * it now. If the peer did renege, we need to
2754 			 * readjust unacked.
2755 			 */
2756 			if (SCTP_CHUNK_ISACKED(mp)) {
2757 				chunklen = ntohs(sdc->sdh_len);
2758 				fp = SCTP_CHUNK_DEST(mp);
2759 				fp->suna += chunklen;
2760 				sctp->sctp_unacked += chunklen - sizeof (*sdc);
2761 				SCTP_CHUNK_CLEAR_ACKED(mp);
2762 				if (!fp->timer_running) {
2763 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
2764 					    fp->rto);
2765 				}
2766 			}
2767 
2768 			mp = mp->b_next;
2769 			if (mp == NULL) {
2770 				ump = ump->b_next;
2771 				/*
2772 				 * ump can't be NULL given the sanity check
2773 				 * above.  But if it is NULL, it means that
2774 				 * there is a data corruption.  We'd better
2775 				 * panic.
2776 				 */
2777 				if (ump == NULL) {
2778 					panic("Memory corruption detected: gap "
2779 					    "start TSN 0x%x missing from the "
2780 					    "xmit list: %p", gapstart,
2781 					    (void *)sctp);
2782 				}
2783 				mp = ump->b_cont;
2784 			}
2785 			/*
2786 			 * mp can't be unsent given the sanity check above.
2787 			 */
2788 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2789 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2790 			xtsn = ntohl(sdc->sdh_tsn);
2791 		}
2792 		/*
2793 		 * Now that we have found the chunk with TSN == 'gapstart',
2794 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2795 		 * All intermediate chunks will be marked ACKED, if they
2796 		 * haven't already been.
2797 		 */
2798 		while (SEQ_LEQ(xtsn, gapend)) {
2799 			/*
2800 			 * SACKed
2801 			 */
2802 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2803 			if (!SCTP_CHUNK_ISACKED(mp)) {
2804 				SCTP_CHUNK_ACKED(mp);
2805 
2806 				fp = SCTP_CHUNK_DEST(mp);
2807 				chunklen = ntohs(sdc->sdh_len);
2808 				ASSERT(fp->suna >= chunklen);
2809 				fp->suna -= chunklen;
2810 				if (fp->suna == 0) {
2811 					/* All outstanding data acked. */
2812 					fp->pba = 0;
2813 					SCTP_FADDR_TIMER_STOP(fp);
2814 				}
2815 				fp->acked += chunklen;
2816 				acked += chunklen;
2817 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2818 				ASSERT(sctp->sctp_unacked >= 0);
2819 			}
2820 			/* Go to the next chunk of the current message */
2821 			mp = mp->b_next;
2822 			/*
2823 			 * Move to the next message in the transmit list
2824 			 * if we are done with all the chunks from the current
2825 			 * message. Note, it is possible to hit the end of the
2826 			 * transmit list here, i.e. if we have already completed
2827 			 * processing the gap block.  But the TSN must be equal
2828 			 * to the gapend because of the above sanity check.
2829 			 * If it is not equal, it means that some data is
2830 			 * missing.
2831 			 * Also, note that we break here, which means we
2832 			 * continue processing gap blocks, if any. In case of
2833 			 * ordered gap blocks there can't be any following
2834 			 * this (if there is it will fail the sanity check
2835 			 * above). In case of un-ordered gap blocks we will
2836 			 * switch to sctp_process_uo_gaps().  In either case
2837 			 * it should be fine to continue with NULL ump/mp,
2838 			 * but we just reset it to xmit_head.
2839 			 */
2840 			if (mp == NULL) {
2841 				ump = ump->b_next;
2842 				if (ump == NULL) {
2843 					if (xtsn != gapend) {
2844 						panic("Memory corruption "
2845 						    "detected: gap end TSN "
2846 						    "0x%x missing from the "
2847 						    "xmit list: %p", gapend,
2848 						    (void *)sctp);
2849 					}
2850 					ump = sctp->sctp_xmit_head;
2851 					mp = mp1;
2852 					sdc = (sctp_data_hdr_t *)mp->b_rptr;
2853 					xtsn = ntohl(sdc->sdh_tsn);
2854 					break;
2855 				}
2856 				mp = ump->b_cont;
2857 			}
2858 			/*
2859 			 * Likewise, we could hit an unsent chunk once we have
2860 			 * completed processing the gap block. Again, it is
2861 			 * fine to continue processing gap blocks with mp
2862 			 * pointing to the unsent chunk, because if there
2863 			 * are more ordered gap blocks, they will fail the
2864 			 * sanity check, and if there are un-ordered gap blocks,
2865 			 * we will continue processing in sctp_process_uo_gaps()
2866 			 * We just reset the mp to the one we started with.
2867 			 */
2868 			if (!SCTP_CHUNK_ISSENT(mp)) {
2869 				ASSERT(xtsn == gapend);
2870 				ump = sctp->sctp_xmit_head;
2871 				mp = mp1;
2872 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2873 				xtsn = ntohl(sdc->sdh_tsn);
2874 				break;
2875 			}
2876 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2877 			xtsn = ntohl(sdc->sdh_tsn);
2878 		}
2879 	}
2880 	if (sctp->sctp_prsctp_aware)
2881 		sctp_check_abandoned_data(sctp, sctp->sctp_current);
2882 	if (sctp->sctp_chk_fast_rexmit)
2883 		sctp_fast_rexmit(sctp);
2884 ret:
2885 	trysend += sctp_set_frwnd(sctp, ntohl(sc->ssc_a_rwnd));
2886 
2887 	/*
2888 	 * If receive window is closed while there is unsent data,
2889 	 * set a timer for doing zero window probes.
2890 	 */
2891 	if (sctp->sctp_frwnd == 0 && sctp->sctp_unacked == 0 &&
2892 	    sctp->sctp_unsent != 0) {
2893 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
2894 		    sctp->sctp_current->rto);
2895 	}
2896 
2897 	/*
2898 	 * Set cwnd for all destinations.
2899 	 * Congestion window gets increased only when cumulative
2900 	 * TSN moves forward, we're not in fast recovery, and
2901 	 * cwnd has been fully utilized (almost fully, need to allow
2902 	 * some leeway due to non-MSS sized messages).
2903 	 */
2904 	if (sctp->sctp_current->acked == acked) {
2905 		/*
2906 		 * Fast-path, only data sent to sctp_current got acked.
2907 		 */
2908 		fp = sctp->sctp_current;
2909 		if (cumack_forward && !fast_recovery &&
2910 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2911 			if (fp->cwnd < fp->ssthresh) {
2912 				/*
2913 				 * Slow start
2914 				 */
2915 				if (fp->acked > fp->sfa_pmss) {
2916 					fp->cwnd += fp->sfa_pmss;
2917 				} else {
2918 					fp->cwnd += fp->acked;
2919 				}
2920 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2921 			} else {
2922 				/*
2923 				 * Congestion avoidance
2924 				 */
2925 				fp->pba += fp->acked;
2926 				if (fp->pba >= fp->cwnd) {
2927 					fp->pba -= fp->cwnd;
2928 					fp->cwnd += fp->sfa_pmss;
2929 					fp->cwnd = MIN(fp->cwnd,
2930 					    sctp->sctp_cwnd_max);
2931 				}
2932 			}
2933 		}
2934 		/*
2935 		 * Limit the burst of transmitted data segments.
2936 		 */
2937 		if (fp->suna + sctps->sctps_maxburst * fp->sfa_pmss <
2938 		    fp->cwnd) {
2939 			fp->cwnd = fp->suna + sctps->sctps_maxburst *
2940 			    fp->sfa_pmss;
2941 		}
2942 		fp->acked = 0;
2943 		goto check_ss_rxmit;
2944 	}
2945 	for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
2946 		if (cumack_forward && fp->acked && !fast_recovery &&
2947 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2948 			if (fp->cwnd < fp->ssthresh) {
2949 				if (fp->acked > fp->sfa_pmss) {
2950 					fp->cwnd += fp->sfa_pmss;
2951 				} else {
2952 					fp->cwnd += fp->acked;
2953 				}
2954 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2955 			} else {
2956 				fp->pba += fp->acked;
2957 				if (fp->pba >= fp->cwnd) {
2958 					fp->pba -= fp->cwnd;
2959 					fp->cwnd += fp->sfa_pmss;
2960 					fp->cwnd = MIN(fp->cwnd,
2961 					    sctp->sctp_cwnd_max);
2962 				}
2963 			}
2964 		}
2965 		if (fp->suna + sctps->sctps_maxburst * fp->sfa_pmss <
2966 		    fp->cwnd) {
2967 			fp->cwnd = fp->suna + sctps->sctps_maxburst *
2968 			    fp->sfa_pmss;
2969 		}
2970 		fp->acked = 0;
2971 	}
2972 	fp = sctp->sctp_current;
2973 check_ss_rxmit:
2974 	/*
2975 	 * If this is a SACK following a timeout, check if there are
2976 	 * still unacked chunks (sent before the timeout) that we can
2977 	 * send.
2978 	 */
2979 	if (sctp->sctp_rexmitting) {
2980 		if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_rxt_maxtsn)) {
2981 			/*
2982 			 * As we are in retransmission phase, we may get a
2983 			 * SACK which indicates some new chunks are received
2984 			 * but cum_tsn does not advance.  During this
2985 			 * phase, the other side advances cum_tsn only because
2986 			 * it receives our retransmitted chunks.  Only
2987 			 * this signals that some chunks are still
2988 			 * missing.
2989 			 */
2990 			if (cumack_forward) {
2991 				fp->rxt_unacked -= acked;
2992 				sctp_ss_rexmit(sctp);
2993 			}
2994 		} else {
2995 			sctp->sctp_rexmitting = B_FALSE;
2996 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2997 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2998 			fp->rxt_unacked = 0;
2999 		}
3000 	}
3001 	return (trysend);
3002 }
3003 
3004 /*
3005  * Returns 0 if the caller should stop processing any more chunks,
3006  * 1 if the caller should skip this chunk and continue processing.
3007  */
3008 static int
3009 sctp_strange_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
3010 {
3011 	size_t len;
3012 
3013 	BUMP_LOCAL(sctp->sctp_ibchunks);
3014 	/* check top two bits for action required */
3015 	if (ch->sch_id & 0x40) {	/* also matches 0xc0 */
3016 		len = ntohs(ch->sch_len);
3017 		sctp_add_err(sctp, SCTP_ERR_UNREC_CHUNK, ch, len, fp);
3018 
3019 		if ((ch->sch_id & 0xc0) == 0xc0) {
3020 			/* skip and continue */
3021 			return (1);
3022 		} else {
3023 			/* stop processing */
3024 			return (0);
3025 		}
3026 	}
3027 	if (ch->sch_id & 0x80) {
3028 		/* skip and continue, no error */
3029 		return (1);
3030 	}
3031 	/* top two bits are clear; stop processing and no error */
3032 	return (0);
3033 }
3034 
3035 /*
3036  * Basic sanity checks on all input chunks and parameters: they must
3037  * be of legitimate size for their purported type, and must follow
3038  * ordering conventions as defined in rfc2960.
3039  *
3040  * Returns 1 if the chunk and all encloded params are legitimate,
3041  * 0 otherwise.
3042  */
3043 /*ARGSUSED*/
3044 static int
3045 sctp_check_input(sctp_t *sctp, sctp_chunk_hdr_t *ch, ssize_t len, int first)
3046 {
3047 	sctp_parm_hdr_t	*ph;
3048 	void		*p = NULL;
3049 	ssize_t		clen;
3050 	uint16_t	ch_len;
3051 
3052 	ch_len = ntohs(ch->sch_len);
3053 	if (ch_len > len) {
3054 		return (0);
3055 	}
3056 
3057 	switch (ch->sch_id) {
3058 	case CHUNK_DATA:
3059 		if (ch_len < sizeof (sctp_data_hdr_t)) {
3060 			return (0);
3061 		}
3062 		return (1);
3063 	case CHUNK_INIT:
3064 	case CHUNK_INIT_ACK:
3065 		{
3066 			ssize_t	remlen = len;
3067 
3068 			/*
3069 			 * INIT and INIT-ACK chunks must not be bundled with
3070 			 * any other.
3071 			 */
3072 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
3073 			    (ch_len < (sizeof (*ch) +
3074 			    sizeof (sctp_init_chunk_t)))) {
3075 				return (0);
3076 			}
3077 			/* may have params that need checking */
3078 			p = (char *)(ch + 1) + sizeof (sctp_init_chunk_t);
3079 			clen = ch_len - (sizeof (*ch) +
3080 			    sizeof (sctp_init_chunk_t));
3081 		}
3082 		break;
3083 	case CHUNK_SACK:
3084 		if (ch_len < (sizeof (*ch) + sizeof (sctp_sack_chunk_t))) {
3085 			return (0);
3086 		}
3087 		/* dup and gap reports checked by got_sack() */
3088 		return (1);
3089 	case CHUNK_SHUTDOWN:
3090 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t))) {
3091 			return (0);
3092 		}
3093 		return (1);
3094 	case CHUNK_ABORT:
3095 	case CHUNK_ERROR:
3096 		if (ch_len < sizeof (*ch)) {
3097 			return (0);
3098 		}
3099 		/* may have params that need checking */
3100 		p = ch + 1;
3101 		clen = ch_len - sizeof (*ch);
3102 		break;
3103 	case CHUNK_ECNE:
3104 	case CHUNK_CWR:
3105 	case CHUNK_HEARTBEAT:
3106 	case CHUNK_HEARTBEAT_ACK:
3107 	/* Full ASCONF chunk and parameter checks are in asconf.c */
3108 	case CHUNK_ASCONF:
3109 	case CHUNK_ASCONF_ACK:
3110 		if (ch_len < sizeof (*ch)) {
3111 			return (0);
3112 		}
3113 		/* heartbeat data checked by process_heartbeat() */
3114 		return (1);
3115 	case CHUNK_SHUTDOWN_COMPLETE:
3116 		{
3117 			ssize_t remlen = len;
3118 
3119 			/*
3120 			 * SHUTDOWN-COMPLETE chunk must not be bundled with any
3121 			 * other
3122 			 */
3123 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
3124 			    ch_len < sizeof (*ch)) {
3125 				return (0);
3126 			}
3127 		}
3128 		return (1);
3129 	case CHUNK_COOKIE:
3130 	case CHUNK_COOKIE_ACK:
3131 	case CHUNK_SHUTDOWN_ACK:
3132 		if (ch_len < sizeof (*ch) || !first) {
3133 			return (0);
3134 		}
3135 		return (1);
3136 	case CHUNK_FORWARD_TSN:
3137 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t)))
3138 			return (0);
3139 		return (1);
3140 	default:
3141 		return (1);	/* handled by strange_chunk() */
3142 	}
3143 
3144 	/* check and byteorder parameters */
3145 	if (clen <= 0) {
3146 		return (1);
3147 	}
3148 	ASSERT(p != NULL);
3149 
3150 	ph = p;
3151 	while (ph != NULL && clen > 0) {
3152 		ch_len = ntohs(ph->sph_len);
3153 		if (ch_len > len || ch_len < sizeof (*ph)) {
3154 			return (0);
3155 		}
3156 		ph = sctp_next_parm(ph, &clen);
3157 	}
3158 
3159 	/* All OK */
3160 	return (1);
3161 }
3162 
3163 /* ARGSUSED */
3164 static sctp_hdr_t *
3165 find_sctp_hdrs(mblk_t *mp, in6_addr_t *src, in6_addr_t *dst,
3166     uint_t *ifindex, uint_t *ip_hdr_len, ip6_pkt_t *ipp, ip_pktinfo_t *pinfo)
3167 {
3168 	uchar_t	*rptr;
3169 	ipha_t	*ip4h;
3170 	ip6_t	*ip6h;
3171 	mblk_t	*mp1;
3172 
3173 	rptr = mp->b_rptr;
3174 	if (IPH_HDR_VERSION(rptr) == IPV4_VERSION) {
3175 		*ip_hdr_len = IPH_HDR_LENGTH(rptr);
3176 		ip4h = (ipha_t *)rptr;
3177 		IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_src, src);
3178 		IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_dst, dst);
3179 
3180 		ipp->ipp_fields |= IPPF_HOPLIMIT;
3181 		ipp->ipp_hoplimit = ((ipha_t *)rptr)->ipha_ttl;
3182 		if (pinfo != NULL && (pinfo->ip_pkt_flags & IPF_RECVIF)) {
3183 			ipp->ipp_fields |= IPPF_IFINDEX;
3184 			ipp->ipp_ifindex = pinfo->ip_pkt_ifindex;
3185 		}
3186 	} else {
3187 		ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
3188 		ip6h = (ip6_t *)rptr;
3189 		ipp->ipp_fields = IPPF_HOPLIMIT;
3190 		ipp->ipp_hoplimit = ip6h->ip6_hops;
3191 
3192 		if (ip6h->ip6_nxt != IPPROTO_SCTP) {
3193 			/* Look for ifindex information */
3194 			if (ip6h->ip6_nxt == IPPROTO_RAW) {
3195 				ip6i_t *ip6i = (ip6i_t *)ip6h;
3196 
3197 				if (ip6i->ip6i_flags & IP6I_IFINDEX) {
3198 					ASSERT(ip6i->ip6i_ifindex != 0);
3199 					ipp->ipp_fields |= IPPF_IFINDEX;
3200 					ipp->ipp_ifindex = ip6i->ip6i_ifindex;
3201 				}
3202 				rptr = (uchar_t *)&ip6i[1];
3203 				mp->b_rptr = rptr;
3204 				if (rptr == mp->b_wptr) {
3205 					mp1 = mp->b_cont;
3206 					freeb(mp);
3207 					mp = mp1;
3208 					rptr = mp->b_rptr;
3209 				}
3210 				ASSERT(mp->b_wptr - rptr >=
3211 				    IPV6_HDR_LEN + sizeof (sctp_hdr_t));
3212 				ip6h = (ip6_t *)rptr;
3213 			}
3214 			/*
3215 			 * Find any potentially interesting extension headers
3216 			 * as well as the length of the IPv6 + extension
3217 			 * headers.
3218 			 */
3219 			*ip_hdr_len = ip_find_hdr_v6(mp, ip6h, ipp, NULL);
3220 		} else {
3221 			*ip_hdr_len = IPV6_HDR_LEN;
3222 		}
3223 		*src = ip6h->ip6_src;
3224 		*dst = ip6h->ip6_dst;
3225 	}
3226 	ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
3227 	return ((sctp_hdr_t *)&rptr[*ip_hdr_len]);
3228 #undef IPVER
3229 }
3230 
3231 static mblk_t *
3232 sctp_check_in_policy(mblk_t *mp, mblk_t *ipsec_mp)
3233 {
3234 	ipsec_in_t *ii;
3235 	boolean_t check = B_TRUE;
3236 	boolean_t policy_present;
3237 	ipha_t *ipha;
3238 	ip6_t *ip6h;
3239 	netstack_t	*ns;
3240 	ipsec_stack_t	*ipss;
3241 
3242 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3243 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
3244 	ns = ii->ipsec_in_ns;
3245 	ipss = ns->netstack_ipsec;
3246 
3247 	if (ii->ipsec_in_dont_check) {
3248 		check = B_FALSE;
3249 		if (!ii->ipsec_in_secure) {
3250 			freeb(ipsec_mp);
3251 			ipsec_mp = NULL;
3252 		}
3253 	}
3254 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
3255 		policy_present = ipss->ipsec_inbound_v4_policy_present;
3256 		ipha = (ipha_t *)mp->b_rptr;
3257 		ip6h = NULL;
3258 	} else {
3259 		policy_present = ipss->ipsec_inbound_v6_policy_present;
3260 		ipha = NULL;
3261 		ip6h = (ip6_t *)mp->b_rptr;
3262 	}
3263 
3264 	if (check && policy_present) {
3265 		/*
3266 		 * The conn_t parameter is NULL because we already know
3267 		 * nobody's home.
3268 		 */
3269 		ipsec_mp = ipsec_check_global_policy(ipsec_mp, (conn_t *)NULL,
3270 		    ipha, ip6h, B_TRUE, ns);
3271 		if (ipsec_mp == NULL)
3272 			return (NULL);
3273 	}
3274 	if (ipsec_mp != NULL)
3275 		freeb(ipsec_mp);
3276 	return (mp);
3277 }
3278 
3279 /* Handle out-of-the-blue packets */
3280 void
3281 sctp_ootb_input(mblk_t *mp, ill_t *recv_ill, zoneid_t zoneid,
3282     boolean_t mctl_present)
3283 {
3284 	sctp_t			*sctp;
3285 	sctp_chunk_hdr_t	*ch;
3286 	sctp_hdr_t		*sctph;
3287 	in6_addr_t		src, dst;
3288 	uint_t			ip_hdr_len;
3289 	uint_t			ifindex;
3290 	ip6_pkt_t		ipp;
3291 	ssize_t			mlen;
3292 	ip_pktinfo_t		*pinfo = NULL;
3293 	mblk_t			*first_mp;
3294 	sctp_stack_t		*sctps;
3295 	ip_stack_t		*ipst;
3296 
3297 	ASSERT(recv_ill != NULL);
3298 	ipst = recv_ill->ill_ipst;
3299 	sctps = ipst->ips_netstack->netstack_sctp;
3300 
3301 	BUMP_MIB(&sctps->sctps_mib, sctpOutOfBlue);
3302 	BUMP_MIB(&sctps->sctps_mib, sctpInSCTPPkts);
3303 
3304 	if (sctps->sctps_gsctp == NULL) {
3305 		/*
3306 		 * For non-zero stackids the default queue isn't created
3307 		 * until the first open, thus there can be a need to send
3308 		 * an error before then. But we can't do that, hence we just
3309 		 * drop the packet. Later during boot, when the default queue
3310 		 * has been setup, a retransmitted packet from the peer
3311 		 * will result in a error.
3312 		 */
3313 		ASSERT(sctps->sctps_netstack->netstack_stackid !=
3314 		    GLOBAL_NETSTACKID);
3315 		freemsg(mp);
3316 		return;
3317 	}
3318 
3319 	first_mp = mp;
3320 	if (mctl_present)
3321 		mp = mp->b_cont;
3322 
3323 	/* Initiate IPPf processing, if needed. */
3324 	if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
3325 		ip_process(IPP_LOCAL_IN, &mp,
3326 		    recv_ill->ill_phyint->phyint_ifindex);
3327 		if (mp == NULL) {
3328 			if (mctl_present)
3329 				freeb(first_mp);
3330 			return;
3331 		}
3332 	}
3333 
3334 	if (mp->b_cont != NULL) {
3335 		/*
3336 		 * All subsequent code is vastly simplified if it can
3337 		 * assume a single contiguous chunk of data.
3338 		 */
3339 		if (pullupmsg(mp, -1) == 0) {
3340 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3341 			freemsg(first_mp);
3342 			return;
3343 		}
3344 	}
3345 
3346 	/*
3347 	 * We don't really need to call this function...  Need to
3348 	 * optimize later.
3349 	 */
3350 	sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
3351 	    &ipp, pinfo);
3352 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3353 	if ((ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen)) == NULL) {
3354 		dprint(3, ("sctp_ootb_input: invalid packet\n"));
3355 		BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3356 		freemsg(first_mp);
3357 		return;
3358 	}
3359 
3360 	switch (ch->sch_id) {
3361 	case CHUNK_INIT:
3362 		/* no listener; send abort  */
3363 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3364 			return;
3365 		sctp_send_abort(sctps->sctps_gsctp, sctp_init2vtag(ch), 0,
3366 		    NULL, 0, mp, 0, B_TRUE);
3367 		break;
3368 	case CHUNK_INIT_ACK:
3369 		/* check for changed src addr */
3370 		sctp = sctp_addrlist2sctp(mp, sctph, ch, zoneid, sctps);
3371 		if (sctp != NULL) {
3372 			/* success; proceed to normal path */
3373 			mutex_enter(&sctp->sctp_lock);
3374 			if (sctp->sctp_running) {
3375 				if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
3376 					BUMP_MIB(recv_ill->ill_ip_mib,
3377 					    ipIfStatsInDiscards);
3378 					freemsg(mp);
3379 				}
3380 				mutex_exit(&sctp->sctp_lock);
3381 			} else {
3382 				/*
3383 				 * If the source address is changed, we
3384 				 * don't need to worry too much about
3385 				 * out of order processing.  So we don't
3386 				 * check if the recvq is empty or not here.
3387 				 */
3388 				sctp->sctp_running = B_TRUE;
3389 				mutex_exit(&sctp->sctp_lock);
3390 				sctp_input_data(sctp, mp, NULL);
3391 				WAKE_SCTP(sctp);
3392 				sctp_process_sendq(sctp);
3393 			}
3394 			SCTP_REFRELE(sctp);
3395 			return;
3396 		}
3397 		if (mctl_present)
3398 			freeb(first_mp);
3399 		/* else bogus init ack; drop it */
3400 		break;
3401 	case CHUNK_SHUTDOWN_ACK:
3402 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3403 			return;
3404 		sctp_ootb_shutdown_ack(sctps->sctps_gsctp, mp, ip_hdr_len);
3405 		sctp_process_sendq(sctps->sctps_gsctp);
3406 		return;
3407 	case CHUNK_ERROR:
3408 	case CHUNK_ABORT:
3409 	case CHUNK_COOKIE_ACK:
3410 	case CHUNK_SHUTDOWN_COMPLETE:
3411 		if (mctl_present)
3412 			freeb(first_mp);
3413 		break;
3414 	default:
3415 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3416 			return;
3417 		sctp_send_abort(sctps->sctps_gsctp, sctph->sh_verf, 0,
3418 		    NULL, 0, mp, 0, B_TRUE);
3419 		break;
3420 	}
3421 	sctp_process_sendq(sctps->sctps_gsctp);
3422 	freemsg(mp);
3423 }
3424 
3425 void
3426 sctp_input(conn_t *connp, ipha_t *ipha, mblk_t *mp, mblk_t *first_mp,
3427     ill_t *recv_ill, boolean_t isv4, boolean_t mctl_present)
3428 {
3429 	sctp_t *sctp = CONN2SCTP(connp);
3430 	ip_stack_t	*ipst = recv_ill->ill_ipst;
3431 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3432 
3433 	/*
3434 	 * We check some fields in conn_t without holding a lock.
3435 	 * This should be fine.
3436 	 */
3437 	if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || mctl_present) {
3438 		first_mp = ipsec_check_inbound_policy(first_mp, connp,
3439 		    ipha, NULL, mctl_present);
3440 		if (first_mp == NULL) {
3441 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3442 			SCTP_REFRELE(sctp);
3443 			return;
3444 		}
3445 	}
3446 
3447 	/* Initiate IPPF processing for fastpath */
3448 	if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
3449 		ip_process(IPP_LOCAL_IN, &mp,
3450 		    recv_ill->ill_phyint->phyint_ifindex);
3451 		if (mp == NULL) {
3452 			SCTP_REFRELE(sctp);
3453 			if (mctl_present)
3454 				freeb(first_mp);
3455 			return;
3456 		} else if (mctl_present) {
3457 			/*
3458 			 * ip_process might return a new mp.
3459 			 */
3460 			ASSERT(first_mp != mp);
3461 			first_mp->b_cont = mp;
3462 		} else {
3463 			first_mp = mp;
3464 		}
3465 	}
3466 
3467 	if (connp->conn_recvif || connp->conn_recvslla ||
3468 	    connp->conn_ip_recvpktinfo) {
3469 		int in_flags = 0;
3470 
3471 		if (connp->conn_recvif || connp->conn_ip_recvpktinfo) {
3472 			in_flags = IPF_RECVIF;
3473 		}
3474 		if (connp->conn_recvslla) {
3475 			in_flags |= IPF_RECVSLLA;
3476 		}
3477 		if (isv4) {
3478 			mp = ip_add_info(mp, recv_ill, in_flags,
3479 			    IPCL_ZONEID(connp), ipst);
3480 		} else {
3481 			mp = ip_add_info_v6(mp, recv_ill,
3482 			    &(((ip6_t *)ipha)->ip6_dst));
3483 		}
3484 		if (mp == NULL) {
3485 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3486 			SCTP_REFRELE(sctp);
3487 			if (mctl_present)
3488 				freeb(first_mp);
3489 			return;
3490 		} else if (mctl_present) {
3491 			/*
3492 			 * ip_add_info might return a new mp.
3493 			 */
3494 			ASSERT(first_mp != mp);
3495 			first_mp->b_cont = mp;
3496 		} else {
3497 			first_mp = mp;
3498 		}
3499 	}
3500 
3501 	mutex_enter(&sctp->sctp_lock);
3502 	if (sctp->sctp_running) {
3503 		if (mctl_present)
3504 			mp->b_prev = first_mp;
3505 		if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
3506 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3507 			freemsg(first_mp);
3508 		}
3509 		mutex_exit(&sctp->sctp_lock);
3510 		SCTP_REFRELE(sctp);
3511 		return;
3512 	} else {
3513 		sctp->sctp_running = B_TRUE;
3514 		mutex_exit(&sctp->sctp_lock);
3515 
3516 		mutex_enter(&sctp->sctp_recvq_lock);
3517 		if (sctp->sctp_recvq != NULL) {
3518 			if (mctl_present)
3519 				mp->b_prev = first_mp;
3520 			if (!sctp_add_recvq(sctp, mp, B_TRUE)) {
3521 				BUMP_MIB(recv_ill->ill_ip_mib,
3522 				    ipIfStatsInDiscards);
3523 				freemsg(first_mp);
3524 			}
3525 			mutex_exit(&sctp->sctp_recvq_lock);
3526 			WAKE_SCTP(sctp);
3527 			SCTP_REFRELE(sctp);
3528 			return;
3529 		}
3530 	}
3531 	mutex_exit(&sctp->sctp_recvq_lock);
3532 	sctp_input_data(sctp, mp, (mctl_present ? first_mp : NULL));
3533 	WAKE_SCTP(sctp);
3534 	sctp_process_sendq(sctp);
3535 	SCTP_REFRELE(sctp);
3536 }
3537 
3538 static void
3539 sctp_process_abort(sctp_t *sctp, sctp_chunk_hdr_t *ch, int err)
3540 {
3541 	sctp_stack_t	*sctps = sctp->sctp_sctps;
3542 
3543 	BUMP_MIB(&sctps->sctps_mib, sctpAborted);
3544 	BUMP_LOCAL(sctp->sctp_ibchunks);
3545 
3546 	sctp_assoc_event(sctp, SCTP_COMM_LOST,
3547 	    ntohs(((sctp_parm_hdr_t *)(ch + 1))->sph_type), ch);
3548 	sctp_clean_death(sctp, err);
3549 }
3550 
3551 void
3552 sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
3553 {
3554 	sctp_chunk_hdr_t	*ch;
3555 	ssize_t			mlen;
3556 	int			gotdata;
3557 	int			trysend;
3558 	sctp_faddr_t		*fp;
3559 	sctp_init_chunk_t	*iack;
3560 	uint32_t		tsn;
3561 	sctp_data_hdr_t		*sdc;
3562 	ip6_pkt_t		ipp;
3563 	in6_addr_t		src;
3564 	in6_addr_t		dst;
3565 	uint_t			ifindex;
3566 	sctp_hdr_t		*sctph;
3567 	uint_t			ip_hdr_len;
3568 	mblk_t			*dups = NULL;
3569 	int			recv_adaptation;
3570 	boolean_t		wake_eager = B_FALSE;
3571 	mblk_t			*pinfo_mp;
3572 	ip_pktinfo_t		*pinfo = NULL;
3573 	in6_addr_t		peer_src;
3574 	int64_t			now;
3575 	sctp_stack_t		*sctps = sctp->sctp_sctps;
3576 	ip_stack_t		*ipst = sctps->sctps_netstack->netstack_ip;
3577 	boolean_t		hb_already = B_FALSE;
3578 	cred_t			*cr;
3579 	pid_t			cpid;
3580 
3581 	if (DB_TYPE(mp) != M_DATA) {
3582 		ASSERT(DB_TYPE(mp) == M_CTL);
3583 		if (MBLKL(mp) == sizeof (ip_pktinfo_t) &&
3584 		    ((ip_pktinfo_t *)mp->b_rptr)->ip_pkt_ulp_type ==
3585 		    IN_PKTINFO) {
3586 			pinfo = (ip_pktinfo_t *)mp->b_rptr;
3587 			pinfo_mp = mp;
3588 			mp = mp->b_cont;
3589 		} else {
3590 			if (ipsec_mp != NULL)
3591 				freeb(ipsec_mp);
3592 			sctp_icmp_error(sctp, mp);
3593 			return;
3594 		}
3595 	}
3596 	ASSERT(DB_TYPE(mp) == M_DATA);
3597 
3598 	if (mp->b_cont != NULL) {
3599 		/*
3600 		 * All subsequent code is vastly simplified if it can
3601 		 * assume a single contiguous chunk of data.
3602 		 */
3603 		if (pullupmsg(mp, -1) == 0) {
3604 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3605 			if (ipsec_mp != NULL)
3606 				freeb(ipsec_mp);
3607 			if (pinfo != NULL)
3608 				freeb(pinfo_mp);
3609 			freemsg(mp);
3610 			return;
3611 		}
3612 	}
3613 
3614 	BUMP_LOCAL(sctp->sctp_ipkts);
3615 	sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
3616 	    &ipp, pinfo);
3617 	if (pinfo != NULL)
3618 		freeb(pinfo_mp);
3619 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3620 	ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen);
3621 	if (ch == NULL) {
3622 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3623 		if (ipsec_mp != NULL)
3624 			freeb(ipsec_mp);
3625 		freemsg(mp);
3626 		return;
3627 	}
3628 
3629 	if (!sctp_check_input(sctp, ch, mlen, 1)) {
3630 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3631 		goto done;
3632 	}
3633 	/*
3634 	 * Check verfication tag (special handling for INIT,
3635 	 * COOKIE, SHUTDOWN_COMPLETE and SHUTDOWN_ACK chunks).
3636 	 * ABORTs are handled in the chunk processing loop, since
3637 	 * may not appear first. All other checked chunks must
3638 	 * appear first, or will have been dropped by check_input().
3639 	 */
3640 	switch (ch->sch_id) {
3641 	case CHUNK_INIT:
3642 		if (sctph->sh_verf != 0) {
3643 			/* drop it */
3644 			goto done;
3645 		}
3646 		break;
3647 	case CHUNK_SHUTDOWN_COMPLETE:
3648 		if (sctph->sh_verf == sctp->sctp_lvtag)
3649 			break;
3650 		if (sctph->sh_verf == sctp->sctp_fvtag &&
3651 		    SCTP_GET_TBIT(ch)) {
3652 			break;
3653 		}
3654 		/* else drop it */
3655 		goto done;
3656 	case CHUNK_ABORT:
3657 	case CHUNK_COOKIE:
3658 		/* handled below */
3659 		break;
3660 	case CHUNK_SHUTDOWN_ACK:
3661 		if (sctp->sctp_state > SCTPS_BOUND &&
3662 		    sctp->sctp_state < SCTPS_ESTABLISHED) {
3663 			/* treat as OOTB */
3664 			sctp_ootb_shutdown_ack(sctp, mp, ip_hdr_len);
3665 			if (ipsec_mp != NULL)
3666 				freeb(ipsec_mp);
3667 			return;
3668 		}
3669 		/* else fallthru */
3670 	default:
3671 		/*
3672 		 * All other packets must have a valid
3673 		 * verification tag, however if this is a
3674 		 * listener, we use a refined version of
3675 		 * out-of-the-blue logic.
3676 		 */
3677 		if (sctph->sh_verf != sctp->sctp_lvtag &&
3678 		    sctp->sctp_state != SCTPS_LISTEN) {
3679 			/* drop it */
3680 			goto done;
3681 		}
3682 		break;
3683 	}
3684 
3685 	/* Have a valid sctp for this packet */
3686 	fp = sctp_lookup_faddr(sctp, &src);
3687 	dprint(2, ("sctp_dispatch_rput: mp=%p fp=%p sctp=%p\n", (void *)mp,
3688 	    (void *)fp, (void *)sctp));
3689 
3690 	gotdata = 0;
3691 	trysend = 0;
3692 
3693 	now = lbolt64;
3694 	/* Process the chunks */
3695 	do {
3696 		dprint(3, ("sctp_dispatch_rput: state=%d, chunk id=%d\n",
3697 		    sctp->sctp_state, (int)(ch->sch_id)));
3698 
3699 		if (ch->sch_id == CHUNK_ABORT) {
3700 			if (sctph->sh_verf != sctp->sctp_lvtag &&
3701 			    sctph->sh_verf != sctp->sctp_fvtag) {
3702 				/* drop it */
3703 				goto done;
3704 			}
3705 		}
3706 
3707 		switch (sctp->sctp_state) {
3708 
3709 		case SCTPS_ESTABLISHED:
3710 		case SCTPS_SHUTDOWN_PENDING:
3711 		case SCTPS_SHUTDOWN_SENT:
3712 			switch (ch->sch_id) {
3713 			case CHUNK_DATA:
3714 				/* 0-length data chunks are not allowed */
3715 				if (ntohs(ch->sch_len) == sizeof (*sdc)) {
3716 					sdc = (sctp_data_hdr_t *)ch;
3717 					tsn = sdc->sdh_tsn;
3718 					sctp_send_abort(sctp, sctp->sctp_fvtag,
3719 					    SCTP_ERR_NO_USR_DATA, (char *)&tsn,
3720 					    sizeof (tsn), mp, 0, B_FALSE);
3721 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3722 					    0, NULL);
3723 					sctp_clean_death(sctp, ECONNABORTED);
3724 					goto done;
3725 				}
3726 
3727 				ASSERT(fp != NULL);
3728 				sctp->sctp_lastdata = fp;
3729 				sctp_data_chunk(sctp, ch, mp, &dups, fp, &ipp);
3730 				gotdata = 1;
3731 				/* Restart shutdown timer if shutting down */
3732 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3733 					/*
3734 					 * If we have exceeded our max
3735 					 * wait bound for waiting for a
3736 					 * shutdown ack from the peer,
3737 					 * abort the association.
3738 					 */
3739 					if (sctps->sctps_shutack_wait_bound !=
3740 					    0 &&
3741 					    TICK_TO_MSEC(now -
3742 					    sctp->sctp_out_time) >
3743 					    sctps->sctps_shutack_wait_bound) {
3744 						sctp_send_abort(sctp,
3745 						    sctp->sctp_fvtag, 0, NULL,
3746 						    0, mp, 0, B_FALSE);
3747 						sctp_assoc_event(sctp,
3748 						    SCTP_COMM_LOST, 0, NULL);
3749 						sctp_clean_death(sctp,
3750 						    ECONNABORTED);
3751 						goto done;
3752 					}
3753 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
3754 					    fp->rto);
3755 				}
3756 				break;
3757 			case CHUNK_SACK:
3758 				ASSERT(fp != NULL);
3759 				/*
3760 				 * Peer is real and alive if it can ack our
3761 				 * data.
3762 				 */
3763 				sctp_faddr_alive(sctp, fp);
3764 				trysend = sctp_got_sack(sctp, ch);
3765 				if (trysend < 0) {
3766 					sctp_send_abort(sctp, sctph->sh_verf,
3767 					    0, NULL, 0, mp, 0, B_FALSE);
3768 					sctp_assoc_event(sctp,
3769 					    SCTP_COMM_LOST, 0, NULL);
3770 					sctp_clean_death(sctp,
3771 					    ECONNABORTED);
3772 					goto done;
3773 				}
3774 				break;
3775 			case CHUNK_HEARTBEAT:
3776 				if (!hb_already) {
3777 					/*
3778 					 * In any one packet, there should
3779 					 * only be one heartbeat chunk.  So
3780 					 * we should not process more than
3781 					 * once.
3782 					 */
3783 					sctp_return_heartbeat(sctp, ch, mp);
3784 					hb_already = B_TRUE;
3785 				}
3786 				break;
3787 			case CHUNK_HEARTBEAT_ACK:
3788 				sctp_process_heartbeat(sctp, ch);
3789 				break;
3790 			case CHUNK_SHUTDOWN:
3791 				sctp_shutdown_event(sctp);
3792 				trysend = sctp_shutdown_received(sctp, ch,
3793 				    B_FALSE, B_FALSE, fp);
3794 				BUMP_LOCAL(sctp->sctp_ibchunks);
3795 				break;
3796 			case CHUNK_SHUTDOWN_ACK:
3797 				BUMP_LOCAL(sctp->sctp_ibchunks);
3798 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3799 					sctp_shutdown_complete(sctp);
3800 					BUMP_MIB(&sctps->sctps_mib,
3801 					    sctpShutdowns);
3802 					sctp_assoc_event(sctp,
3803 					    SCTP_SHUTDOWN_COMP, 0, NULL);
3804 					sctp_clean_death(sctp, 0);
3805 					goto done;
3806 				}
3807 				break;
3808 			case CHUNK_ABORT: {
3809 				sctp_saddr_ipif_t *sp;
3810 
3811 				/* Ignore if delete pending */
3812 				sp = sctp_saddr_lookup(sctp, &dst, 0);
3813 				ASSERT(sp != NULL);
3814 				if (sp->saddr_ipif_delete_pending) {
3815 					BUMP_LOCAL(sctp->sctp_ibchunks);
3816 					break;
3817 				}
3818 
3819 				sctp_process_abort(sctp, ch, ECONNRESET);
3820 				goto done;
3821 			}
3822 			case CHUNK_INIT:
3823 				sctp_send_initack(sctp, sctph, ch, mp);
3824 				break;
3825 			case CHUNK_COOKIE:
3826 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3827 				    sctph, &recv_adaptation, NULL) != -1) {
3828 					sctp_send_cookie_ack(sctp);
3829 					sctp_assoc_event(sctp, SCTP_RESTART,
3830 					    0, NULL);
3831 					if (recv_adaptation) {
3832 						sctp->sctp_recv_adaptation = 1;
3833 						sctp_adaptation_event(sctp);
3834 					}
3835 				} else {
3836 					BUMP_MIB(&sctps->sctps_mib,
3837 					    sctpInInvalidCookie);
3838 				}
3839 				break;
3840 			case CHUNK_ERROR: {
3841 				int error;
3842 
3843 				BUMP_LOCAL(sctp->sctp_ibchunks);
3844 				error = sctp_handle_error(sctp, sctph, ch, mp);
3845 				if (error != 0) {
3846 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3847 					    0, NULL);
3848 					sctp_clean_death(sctp, error);
3849 					goto done;
3850 				}
3851 				break;
3852 			}
3853 			case CHUNK_ASCONF:
3854 				ASSERT(fp != NULL);
3855 				sctp_input_asconf(sctp, ch, fp);
3856 				BUMP_LOCAL(sctp->sctp_ibchunks);
3857 				break;
3858 			case CHUNK_ASCONF_ACK:
3859 				ASSERT(fp != NULL);
3860 				sctp_faddr_alive(sctp, fp);
3861 				sctp_input_asconf_ack(sctp, ch, fp);
3862 				BUMP_LOCAL(sctp->sctp_ibchunks);
3863 				break;
3864 			case CHUNK_FORWARD_TSN:
3865 				ASSERT(fp != NULL);
3866 				sctp->sctp_lastdata = fp;
3867 				sctp_process_forward_tsn(sctp, ch, fp, &ipp);
3868 				gotdata = 1;
3869 				BUMP_LOCAL(sctp->sctp_ibchunks);
3870 				break;
3871 			default:
3872 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3873 					goto nomorechunks;
3874 				} /* else skip and continue processing */
3875 				break;
3876 			}
3877 			break;
3878 
3879 		case SCTPS_LISTEN:
3880 			switch (ch->sch_id) {
3881 			case CHUNK_INIT:
3882 				sctp_send_initack(sctp, sctph, ch, mp);
3883 				break;
3884 			case CHUNK_COOKIE: {
3885 				sctp_t *eager;
3886 
3887 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3888 				    sctph, &recv_adaptation, &peer_src) == -1) {
3889 					BUMP_MIB(&sctps->sctps_mib,
3890 					    sctpInInvalidCookie);
3891 					goto done;
3892 				}
3893 
3894 				/*
3895 				 * The cookie is good; ensure that
3896 				 * the peer used the verification
3897 				 * tag from the init ack in the header.
3898 				 */
3899 				if (iack->sic_inittag != sctph->sh_verf)
3900 					goto done;
3901 
3902 				eager = sctp_conn_request(sctp, mp, ifindex,
3903 				    ip_hdr_len, iack, ipsec_mp);
3904 				if (eager == NULL) {
3905 					sctp_send_abort(sctp, sctph->sh_verf,
3906 					    SCTP_ERR_NO_RESOURCES, NULL, 0, mp,
3907 					    0, B_FALSE);
3908 					goto done;
3909 				}
3910 
3911 				/*
3912 				 * If there were extra chunks
3913 				 * bundled with the cookie,
3914 				 * they must be processed
3915 				 * on the eager's queue. We
3916 				 * accomplish this by refeeding
3917 				 * the whole packet into the
3918 				 * state machine on the right
3919 				 * q. The packet (mp) gets
3920 				 * there via the eager's
3921 				 * cookie_mp field (overloaded
3922 				 * with the active open role).
3923 				 * This is picked up when
3924 				 * processing the null bind
3925 				 * request put on the eager's
3926 				 * q by sctp_accept(). We must
3927 				 * first revert the cookie
3928 				 * chunk's length field to network
3929 				 * byteorder so it can be
3930 				 * properly reprocessed on the
3931 				 * eager's queue.
3932 				 */
3933 				BUMP_MIB(&sctps->sctps_mib, sctpPassiveEstab);
3934 				if (mlen > ntohs(ch->sch_len)) {
3935 					eager->sctp_cookie_mp = dupb(mp);
3936 					mblk_setcred(eager->sctp_cookie_mp,
3937 					    CONN_CRED(eager->sctp_connp),
3938 					    eager->sctp_cpid);
3939 					/*
3940 					 * If no mem, just let
3941 					 * the peer retransmit.
3942 					 */
3943 				}
3944 				sctp_assoc_event(eager, SCTP_COMM_UP, 0, NULL);
3945 				if (recv_adaptation) {
3946 					eager->sctp_recv_adaptation = 1;
3947 					eager->sctp_rx_adaptation_code =
3948 					    sctp->sctp_rx_adaptation_code;
3949 					sctp_adaptation_event(eager);
3950 				}
3951 
3952 				eager->sctp_active = now;
3953 				sctp_send_cookie_ack(eager);
3954 
3955 				wake_eager = B_TRUE;
3956 
3957 				/*
3958 				 * Process rest of the chunks with eager.
3959 				 */
3960 				sctp = eager;
3961 				fp = sctp_lookup_faddr(sctp, &peer_src);
3962 				/*
3963 				 * Confirm peer's original source.  fp can
3964 				 * only be NULL if peer does not use the
3965 				 * original source as one of its addresses...
3966 				 */
3967 				if (fp == NULL)
3968 					fp = sctp_lookup_faddr(sctp, &src);
3969 				else
3970 					sctp_faddr_alive(sctp, fp);
3971 
3972 				/*
3973 				 * Validate the peer addresses.  It also starts
3974 				 * the heartbeat timer.
3975 				 */
3976 				sctp_validate_peer(sctp);
3977 				break;
3978 			}
3979 			/* Anything else is considered out-of-the-blue */
3980 			case CHUNK_ERROR:
3981 			case CHUNK_ABORT:
3982 			case CHUNK_COOKIE_ACK:
3983 			case CHUNK_SHUTDOWN_COMPLETE:
3984 				BUMP_LOCAL(sctp->sctp_ibchunks);
3985 				goto done;
3986 			default:
3987 				BUMP_LOCAL(sctp->sctp_ibchunks);
3988 				sctp_send_abort(sctp, sctph->sh_verf, 0, NULL,
3989 				    0, mp, 0, B_TRUE);
3990 				goto done;
3991 			}
3992 			break;
3993 
3994 		case SCTPS_COOKIE_WAIT:
3995 			switch (ch->sch_id) {
3996 			case CHUNK_INIT_ACK:
3997 				sctp_stop_faddr_timers(sctp);
3998 				sctp_faddr_alive(sctp, sctp->sctp_current);
3999 				sctp_send_cookie_echo(sctp, ch, mp);
4000 				BUMP_LOCAL(sctp->sctp_ibchunks);
4001 				break;
4002 			case CHUNK_ABORT:
4003 				sctp_process_abort(sctp, ch, ECONNREFUSED);
4004 				goto done;
4005 			case CHUNK_INIT:
4006 				sctp_send_initack(sctp, sctph, ch, mp);
4007 				break;
4008 			case CHUNK_COOKIE:
4009 				cr = msg_getcred(mp, &cpid);
4010 
4011 				if (sctp_process_cookie(sctp, ch, mp, &iack,
4012 				    sctph, &recv_adaptation, NULL) == -1) {
4013 					BUMP_MIB(&sctps->sctps_mib,
4014 					    sctpInInvalidCookie);
4015 					break;
4016 				}
4017 				sctp_send_cookie_ack(sctp);
4018 				sctp_stop_faddr_timers(sctp);
4019 				if (!SCTP_IS_DETACHED(sctp)) {
4020 					sctp->sctp_ulp_connected(
4021 					    sctp->sctp_ulpd, 0, cr, cpid);
4022 					sctp_set_ulp_prop(sctp);
4023 
4024 				}
4025 				sctp->sctp_state = SCTPS_ESTABLISHED;
4026 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
4027 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
4028 				if (sctp->sctp_cookie_mp) {
4029 					freemsg(sctp->sctp_cookie_mp);
4030 					sctp->sctp_cookie_mp = NULL;
4031 				}
4032 
4033 				/* Validate the peer addresses. */
4034 				sctp->sctp_active = now;
4035 				sctp_validate_peer(sctp);
4036 
4037 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4038 				if (recv_adaptation) {
4039 					sctp->sctp_recv_adaptation = 1;
4040 					sctp_adaptation_event(sctp);
4041 				}
4042 				/* Try sending queued data, or ASCONFs */
4043 				trysend = 1;
4044 				break;
4045 			default:
4046 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4047 					goto nomorechunks;
4048 				} /* else skip and continue processing */
4049 				break;
4050 			}
4051 			break;
4052 
4053 		case SCTPS_COOKIE_ECHOED:
4054 			switch (ch->sch_id) {
4055 			case CHUNK_COOKIE_ACK:
4056 				cr = msg_getcred(mp, &cpid);
4057 
4058 				if (!SCTP_IS_DETACHED(sctp)) {
4059 					sctp->sctp_ulp_connected(
4060 					    sctp->sctp_ulpd, 0, cr, cpid);
4061 					sctp_set_ulp_prop(sctp);
4062 				}
4063 				if (sctp->sctp_unacked == 0)
4064 					sctp_stop_faddr_timers(sctp);
4065 				sctp->sctp_state = SCTPS_ESTABLISHED;
4066 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
4067 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
4068 				BUMP_LOCAL(sctp->sctp_ibchunks);
4069 				if (sctp->sctp_cookie_mp) {
4070 					freemsg(sctp->sctp_cookie_mp);
4071 					sctp->sctp_cookie_mp = NULL;
4072 				}
4073 				sctp_faddr_alive(sctp, fp);
4074 				/* Validate the peer addresses. */
4075 				sctp->sctp_active = now;
4076 				sctp_validate_peer(sctp);
4077 
4078 				/* Try sending queued data, or ASCONFs */
4079 				trysend = 1;
4080 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4081 				sctp_adaptation_event(sctp);
4082 				break;
4083 			case CHUNK_ABORT:
4084 				sctp_process_abort(sctp, ch, ECONNREFUSED);
4085 				goto done;
4086 			case CHUNK_COOKIE:
4087 				cr = msg_getcred(mp, &cpid);
4088 
4089 				if (sctp_process_cookie(sctp, ch, mp, &iack,
4090 				    sctph, &recv_adaptation, NULL) == -1) {
4091 					BUMP_MIB(&sctps->sctps_mib,
4092 					    sctpInInvalidCookie);
4093 					break;
4094 				}
4095 				sctp_send_cookie_ack(sctp);
4096 
4097 				if (!SCTP_IS_DETACHED(sctp)) {
4098 					sctp->sctp_ulp_connected(
4099 					    sctp->sctp_ulpd, 0, cr, cpid);
4100 					sctp_set_ulp_prop(sctp);
4101 
4102 				}
4103 				if (sctp->sctp_unacked == 0)
4104 					sctp_stop_faddr_timers(sctp);
4105 				sctp->sctp_state = SCTPS_ESTABLISHED;
4106 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
4107 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
4108 				if (sctp->sctp_cookie_mp) {
4109 					freemsg(sctp->sctp_cookie_mp);
4110 					sctp->sctp_cookie_mp = NULL;
4111 				}
4112 				/* Validate the peer addresses. */
4113 				sctp->sctp_active = now;
4114 				sctp_validate_peer(sctp);
4115 
4116 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4117 				if (recv_adaptation) {
4118 					sctp->sctp_recv_adaptation = 1;
4119 					sctp_adaptation_event(sctp);
4120 				}
4121 				/* Try sending queued data, or ASCONFs */
4122 				trysend = 1;
4123 				break;
4124 			case CHUNK_INIT:
4125 				sctp_send_initack(sctp, sctph, ch, mp);
4126 				break;
4127 			case CHUNK_ERROR: {
4128 				sctp_parm_hdr_t *p;
4129 
4130 				BUMP_LOCAL(sctp->sctp_ibchunks);
4131 				/* check for a stale cookie */
4132 				if (ntohs(ch->sch_len) >=
4133 				    (sizeof (*p) + sizeof (*ch)) +
4134 				    sizeof (uint32_t)) {
4135 
4136 					p = (sctp_parm_hdr_t *)(ch + 1);
4137 					if (p->sph_type ==
4138 					    htons(SCTP_ERR_STALE_COOKIE)) {
4139 						BUMP_MIB(&sctps->sctps_mib,
4140 						    sctpAborted);
4141 						sctp_error_event(sctp, ch);
4142 						sctp_assoc_event(sctp,
4143 						    SCTP_COMM_LOST, 0, NULL);
4144 						sctp_clean_death(sctp,
4145 						    ECONNREFUSED);
4146 						goto done;
4147 					}
4148 				}
4149 				break;
4150 			}
4151 			case CHUNK_HEARTBEAT:
4152 				if (!hb_already) {
4153 					sctp_return_heartbeat(sctp, ch, mp);
4154 					hb_already = B_TRUE;
4155 				}
4156 				break;
4157 			default:
4158 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4159 					goto nomorechunks;
4160 				} /* else skip and continue processing */
4161 			} /* switch (ch->sch_id) */
4162 			break;
4163 
4164 		case SCTPS_SHUTDOWN_ACK_SENT:
4165 			switch (ch->sch_id) {
4166 			case CHUNK_ABORT:
4167 				/* Pass gathered wisdom to IP for keeping */
4168 				sctp_update_ire(sctp);
4169 				sctp_process_abort(sctp, ch, 0);
4170 				goto done;
4171 			case CHUNK_SHUTDOWN_COMPLETE:
4172 				BUMP_LOCAL(sctp->sctp_ibchunks);
4173 				BUMP_MIB(&sctps->sctps_mib, sctpShutdowns);
4174 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4175 				    NULL);
4176 
4177 				/* Pass gathered wisdom to IP for keeping */
4178 				sctp_update_ire(sctp);
4179 				sctp_clean_death(sctp, 0);
4180 				goto done;
4181 			case CHUNK_SHUTDOWN_ACK:
4182 				sctp_shutdown_complete(sctp);
4183 				BUMP_LOCAL(sctp->sctp_ibchunks);
4184 				BUMP_MIB(&sctps->sctps_mib, sctpShutdowns);
4185 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4186 				    NULL);
4187 				sctp_clean_death(sctp, 0);
4188 				goto done;
4189 			case CHUNK_COOKIE:
4190 				(void) sctp_shutdown_received(sctp, NULL,
4191 				    B_TRUE, B_FALSE, fp);
4192 				BUMP_LOCAL(sctp->sctp_ibchunks);
4193 				break;
4194 			case CHUNK_HEARTBEAT:
4195 				if (!hb_already) {
4196 					sctp_return_heartbeat(sctp, ch, mp);
4197 					hb_already = B_TRUE;
4198 				}
4199 				break;
4200 			default:
4201 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4202 					goto nomorechunks;
4203 				} /* else skip and continue processing */
4204 				break;
4205 			}
4206 			break;
4207 
4208 		case SCTPS_SHUTDOWN_RECEIVED:
4209 			switch (ch->sch_id) {
4210 			case CHUNK_SHUTDOWN:
4211 				trysend = sctp_shutdown_received(sctp, ch,
4212 				    B_FALSE, B_FALSE, fp);
4213 				break;
4214 			case CHUNK_SACK:
4215 				trysend = sctp_got_sack(sctp, ch);
4216 				if (trysend < 0) {
4217 					sctp_send_abort(sctp, sctph->sh_verf,
4218 					    0, NULL, 0, mp, 0, B_FALSE);
4219 					sctp_assoc_event(sctp,
4220 					    SCTP_COMM_LOST, 0, NULL);
4221 					sctp_clean_death(sctp,
4222 					    ECONNABORTED);
4223 					goto done;
4224 				}
4225 				break;
4226 			case CHUNK_ABORT:
4227 				sctp_process_abort(sctp, ch, ECONNRESET);
4228 				goto done;
4229 			case CHUNK_HEARTBEAT:
4230 				if (!hb_already) {
4231 					sctp_return_heartbeat(sctp, ch, mp);
4232 					hb_already = B_TRUE;
4233 				}
4234 				break;
4235 			default:
4236 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4237 					goto nomorechunks;
4238 				} /* else skip and continue processing */
4239 				break;
4240 			}
4241 			break;
4242 
4243 		default:
4244 			/*
4245 			 * The only remaining states are SCTPS_IDLE and
4246 			 * SCTPS_BOUND, and we should not be getting here
4247 			 * for these.
4248 			 */
4249 			ASSERT(0);
4250 		} /* switch (sctp->sctp_state) */
4251 
4252 		ch = sctp_next_chunk(ch, &mlen);
4253 		if (ch != NULL && !sctp_check_input(sctp, ch, mlen, 0))
4254 			goto done;
4255 	} while (ch != NULL);
4256 
4257 	/* Finished processing all chunks in packet */
4258 
4259 nomorechunks:
4260 	/* SACK if necessary */
4261 	if (gotdata) {
4262 		boolean_t sack_sent;
4263 
4264 		(sctp->sctp_sack_toggle)++;
4265 		sack_sent = sctp_sack(sctp, dups);
4266 		dups = NULL;
4267 
4268 		/* If a SACK is sent, no need to restart the timer. */
4269 		if (!sack_sent && !sctp->sctp_ack_timer_running) {
4270 			sctp->sctp_ack_timer_running = B_TRUE;
4271 			sctp_timer(sctp, sctp->sctp_ack_mp,
4272 			    MSEC_TO_TICK(sctps->sctps_deferred_ack_interval));
4273 		}
4274 	}
4275 
4276 	if (trysend) {
4277 		sctp_output(sctp, UINT_MAX);
4278 		if (sctp->sctp_cxmit_list != NULL)
4279 			sctp_wput_asconf(sctp, NULL);
4280 	}
4281 	/* If there is unsent data, make sure a timer is running */
4282 	if (sctp->sctp_unsent > 0 && !sctp->sctp_current->timer_running) {
4283 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
4284 		    sctp->sctp_current->rto);
4285 	}
4286 
4287 done:
4288 	if (dups != NULL)
4289 		freeb(dups);
4290 	if (ipsec_mp != NULL)
4291 		freeb(ipsec_mp);
4292 	freemsg(mp);
4293 
4294 	if (sctp->sctp_err_chunks != NULL)
4295 		sctp_process_err(sctp);
4296 
4297 	if (wake_eager) {
4298 		/*
4299 		 * sctp points to newly created control block, need to
4300 		 * release it before exiting.  Before releasing it and
4301 		 * processing the sendq, need to grab a hold on it.
4302 		 * Otherwise, another thread can close it while processing
4303 		 * the sendq.
4304 		 */
4305 		SCTP_REFHOLD(sctp);
4306 		WAKE_SCTP(sctp);
4307 		sctp_process_sendq(sctp);
4308 		SCTP_REFRELE(sctp);
4309 	}
4310 }
4311 
4312 /*
4313  * Some amount of data got removed from rx q.
4314  * Check if we should send a window update.
4315  *
4316  * Due to way sctp_rwnd updates are made, ULP can give reports out-of-order.
4317  * To keep from dropping incoming data due to this, we only update
4318  * sctp_rwnd when if it's larger than what we've reported to peer earlier.
4319  */
4320 void
4321 sctp_recvd(sctp_t *sctp, int len)
4322 {
4323 	int32_t old, new;
4324 	sctp_stack_t	*sctps = sctp->sctp_sctps;
4325 
4326 	ASSERT(sctp != NULL);
4327 	RUN_SCTP(sctp);
4328 
4329 	if (len < sctp->sctp_rwnd) {
4330 		WAKE_SCTP(sctp);
4331 		return;
4332 	}
4333 	ASSERT(sctp->sctp_rwnd >= sctp->sctp_rxqueued);
4334 	old = sctp->sctp_rwnd - sctp->sctp_rxqueued;
4335 	new = len - sctp->sctp_rxqueued;
4336 	sctp->sctp_rwnd = len;
4337 
4338 	if (sctp->sctp_state >= SCTPS_ESTABLISHED &&
4339 	    ((old <= new >> 1) || (old < sctp->sctp_mss))) {
4340 		sctp->sctp_force_sack = 1;
4341 		BUMP_MIB(&sctps->sctps_mib, sctpOutWinUpdate);
4342 		(void) sctp_sack(sctp, NULL);
4343 		old = 1;
4344 	} else {
4345 		old = 0;
4346 	}
4347 	WAKE_SCTP(sctp);
4348 	if (old > 0) {
4349 		sctp_process_sendq(sctp);
4350 	}
4351 }
4352