xref: /titanic_41/usr/src/uts/common/inet/optcom.c (revision e11c3f44f531fdff80941ce57c065d2ae861cefc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 /* Copyright (c) 1990 Mentat Inc. */
26 
27 /*
28  * This file contains common code for handling Options Management requests.
29  */
30 
31 #include <sys/types.h>
32 #include <sys/stream.h>
33 #include <sys/stropts.h>
34 #include <sys/strsubr.h>
35 #include <sys/errno.h>
36 #define	_SUN_TPI_VERSION 2
37 #include <sys/tihdr.h>
38 #include <sys/socket.h>
39 #include <sys/socketvar.h>
40 #include <sys/ddi.h>
41 #include <sys/debug.h>		/* for ASSERT */
42 #include <sys/policy.h>
43 
44 #include <inet/common.h>
45 #include <inet/mi.h>
46 #include <inet/nd.h>
47 #include <netinet/ip6.h>
48 #include <inet/ip.h>
49 #include <inet/mib2.h>
50 #include <netinet/in.h>
51 #include "optcom.h"
52 
53 #include <inet/optcom.h>
54 #include <inet/ipclassifier.h>
55 #include <inet/proto_set.h>
56 
57 /*
58  * Function prototypes
59  */
60 static t_scalar_t process_topthdrs_first_pass(mblk_t *, cred_t *, optdb_obj_t *,
61     boolean_t *, size_t *);
62 static t_scalar_t do_options_second_pass(queue_t *q, mblk_t *reqmp,
63     mblk_t *ack_mp, cred_t *, optdb_obj_t *dbobjp,
64     mblk_t *first_mp, boolean_t is_restart, boolean_t *queued_statusp);
65 static t_uscalar_t get_worst_status(t_uscalar_t, t_uscalar_t);
66 static int do_opt_default(queue_t *, struct T_opthdr *, uchar_t **,
67     t_uscalar_t *, cred_t *, optdb_obj_t *);
68 static void do_opt_current(queue_t *, struct T_opthdr *, uchar_t **,
69     t_uscalar_t *, cred_t *cr, optdb_obj_t *);
70 static int do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
71     uint_t optset_context, uchar_t **resptrp, t_uscalar_t *worst_statusp,
72     cred_t *, optdb_obj_t *dbobjp, mblk_t *first_mp);
73 static boolean_t opt_level_valid(t_uscalar_t, optlevel_t *, uint_t);
74 static size_t opt_level_allopts_lengths(t_uscalar_t, opdes_t *, uint_t);
75 static boolean_t opt_length_ok(opdes_t *, struct T_opthdr *);
76 static t_uscalar_t optcom_max_optbuf_len(opdes_t *, uint_t);
77 static boolean_t opt_bloated_maxsize(opdes_t *);
78 
79 /* Common code for sending back a T_ERROR_ACK. */
80 void
81 optcom_err_ack(queue_t *q, mblk_t *mp, t_scalar_t t_error, int sys_error)
82 {
83 	if ((mp = mi_tpi_err_ack_alloc(mp, t_error, sys_error)) != NULL)
84 		qreply(q, mp);
85 }
86 
87 /*
88  * The option management routines svr4_optcom_req() and tpi_optcom_req() use
89  * callback functions as arguments. Here is the expected interfaces
90  * assumed from the callback functions
91  *
92  *
93  * (1) deffn(q, optlevel, optname, optvalp)
94  *
95  *	- Function only called when default value comes from protocol
96  *	 specific code and not the option database table (indicated by
97  *	  OP_DEF_FN property in option database.)
98  *	- Error return is -1. Valid returns are >=0.
99  *	- When valid, the return value represents the length used for storing
100  *		the default value of the option.
101  *      - Error return implies the called routine did not recognize this
102  *              option. Something downstream could so input is left unchanged
103  *              in request buffer.
104  *
105  * (2) getfn(q, optlevel, optname, optvalp)
106  *
107  *	- Error return is -1. Valid returns are >=0.
108  *	- When valid, the return value represents the length used for storing
109  *		the actual value of the option.
110  *      - Error return implies the called routine did not recognize this
111  *              option. Something downstream could so input is left unchanged
112  *              in request buffer.
113  *
114  * (3) setfn(q, optset_context, optlevel, optname, inlen, invalp,
115  *	outlenp, outvalp, attrp, cr);
116  *
117  *	- OK return is 0, Error code is returned as a non-zero argument.
118  *      - If negative it is ignored by svr4_optcom_req(). If positive, error
119  *        is returned. A negative return implies that option, while handled on
120  *	  this stack is not handled at this level and will be handled further
121  *	  downstream.
122  *	- Both negative and positive errors are treats as errors in an
123  *	  identical manner by tpi_optcom_req(). The errors affect "status"
124  *	  field of each option's T_opthdr. If sucessfull, an appropriate sucess
125  *	  result is carried. If error, it instantiated to "failure" at the
126  *	  topmost level and left unchanged at other levels. (This "failure" can
127  *	  turn to a success at another level).
128  *	- optset_context passed for tpi_optcom_req(). It is interpreted as:
129  *        - SETFN_OPTCOM_CHECKONLY
130  *		semantics are to pretend to set the value and report
131  *		back if it would be successful.
132  *		This is used with T_CHECK semantics in XTI
133  *        - SETFN_OPTCOM_NEGOTIATE
134  *		set the value. Call from option management primitive
135  *		T_OPTMGMT_REQ when T_NEGOTIATE flags is used.
136  *	  - SETFN_UD_NEGOTIATE
137  *		option request came riding on UNITDATA primitive most often
138  *		has  "this datagram" semantics to influence prpoerties
139  *		affecting an outgoig datagram or associated with recived
140  *		datagram
141  *		[ Note: XTI permits this use outside of "this datagram"
142  *		semantics also and permits setting "management related"
143  *		options in this	context and its test suite enforces it ]
144  *	  - SETFN_CONN_NEGOTATE
145  *		option request came riding on CONN_REQ/RES primitive and
146  *		most often has "this connection" (negotiation during
147  *		"connection estblishment") semantics.
148  *		[ Note: XTI permits use of these outside of "this connection"
149  *		semantics and permits "management related" options in this
150  *		context and its test suite enforces it. ]
151  *
152  *	- inlen, invalp is the option length,value requested to be set.
153  *	- outlenp, outvalp represent return parameters which contain the
154  *	  value set and it might be different from one passed on input.
155  *	- attrp points to a data structure that's used by v6 modules to
156  *	  store ancillary data options or sticky options.
157  *	- cr points to the caller's credentials
158  *	- the caller might pass same buffers for input and output and the
159  *	  routine should protect against this case by not updating output
160  *	  buffers until it is done referencing input buffers and any other
161  *	  issues (e.g. not use bcopy() if we do not trust what it does).
162  *      - If option is not known, it returns error. We randomly pick EINVAL.
163  *        It can however get called with options that are handled downstream
164  *        opr upstream so for svr4_optcom_req(), it does not return error for
165  *        negative return values.
166  *
167  */
168 
169 /*
170  * Upper Level Protocols call this routine when they receive
171  * a T_SVR4_OPTMGMT_REQ message.  They supply callback functions
172  * for setting a new value for a single options, getting the
173  * current value for a single option, and checking for support
174  * of a single option.  svr4_optcom_req validates the option management
175  * buffer passed in, and calls the appropriate routines to do the
176  * job requested.
177  * XXX Code below needs some restructuring after we have some more
178  * macros to support 'struct opthdr' in the headers.
179  *
180  * IP-MT notes: The option management framework functions svr4_optcom_req() and
181  * tpi_optcom_req() allocate and prepend an M_CTL mblk to the actual
182  * T_optmgmt_req mblk and pass the chain as an additional parameter to the
183  * protocol set functions. If a protocol set function (such as ip_opt_set)
184  * cannot process the option immediately it can return EINPROGRESS. ip_opt_set
185  * enqueues the message in the appropriate sq and returns EINPROGRESS. Later
186  * the sq framework arranges to restart this operation and passes control to
187  * the restart function ip_restart_optmgmt() which in turn calls
188  * svr4_optcom_req() or tpi_optcom_req() to restart the option processing.
189  *
190  * XXX Remove the asynchronous behavior of svr_optcom_req() and
191  * tpi_optcom_req().
192  */
193 int
194 svr4_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
195     boolean_t pass_to_ip)
196 {
197 	pfi_t	deffn = dbobjp->odb_deffn;
198 	pfi_t	getfn = dbobjp->odb_getfn;
199 	opt_set_fn setfn = dbobjp->odb_setfn;
200 	opdes_t	*opt_arr = dbobjp->odb_opt_des_arr;
201 	uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
202 	boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
203 	opt_restart_t *or;
204 	struct opthdr *restart_opt;
205 	boolean_t is_restart = B_FALSE;
206 	mblk_t	*first_mp;
207 
208 	t_uscalar_t max_optbuf_len;
209 	int len;
210 	mblk_t	*mp1 = NULL;
211 	struct opthdr *next_opt;
212 	struct opthdr *opt;
213 	struct opthdr *opt1;
214 	struct opthdr *opt_end;
215 	struct opthdr *opt_start;
216 	opdes_t	*optd;
217 	boolean_t	pass_to_next = B_FALSE;
218 	struct T_optmgmt_ack *toa;
219 	struct T_optmgmt_req *tor;
220 	int error;
221 
222 	/*
223 	 * Allocate M_CTL and prepend to the packet for restarting this
224 	 * option if needed. IP may need to queue and restart the option
225 	 * if it cannot obtain exclusive conditions immediately. Please see
226 	 * IP-MT notes before the start of svr4_optcom_req
227 	 */
228 	if (mp->b_datap->db_type == M_CTL) {
229 		is_restart = B_TRUE;
230 		first_mp = mp;
231 		mp = mp->b_cont;
232 		ASSERT(mp->b_wptr - mp->b_rptr >=
233 		    sizeof (struct T_optmgmt_req));
234 		tor = (struct T_optmgmt_req *)mp->b_rptr;
235 		ASSERT(tor->MGMT_flags == T_NEGOTIATE);
236 
237 		or = (opt_restart_t *)first_mp->b_rptr;
238 		opt_start = or->or_start;
239 		opt_end = or->or_end;
240 		restart_opt = or->or_ropt;
241 		goto restart;
242 	}
243 
244 	tor = (struct T_optmgmt_req *)mp->b_rptr;
245 	/* Verify message integrity. */
246 	if (mp->b_wptr - mp->b_rptr < sizeof (struct T_optmgmt_req))
247 		goto bad_opt;
248 	/* Verify MGMT_flags legal */
249 	switch (tor->MGMT_flags) {
250 	case T_DEFAULT:
251 	case T_NEGOTIATE:
252 	case T_CURRENT:
253 	case T_CHECK:
254 		/* OK - legal request flags */
255 		break;
256 	default:
257 		optcom_err_ack(q, mp, TBADFLAG, 0);
258 		return (0);
259 	}
260 	if (tor->MGMT_flags == T_DEFAULT) {
261 		/* Is it a request for default option settings? */
262 
263 		/*
264 		 * Note: XXX TLI and TPI specification was unclear about
265 		 * semantics of T_DEFAULT and the following historical note
266 		 * and its interpretation is incorrect (it implies a request
267 		 * for default values of only the identified options not all.
268 		 * The semantics have been explained better in XTI spec.)
269 		 * However, we do not modify (comment or code) here to keep
270 		 * compatibility.
271 		 * We can rethink this if it ever becomes an issue.
272 		 * ----historical comment start------
273 		 * As we understand it, the input buffer is meaningless
274 		 * so we ditch the message.  A T_DEFAULT request is a
275 		 * request to obtain a buffer containing defaults for
276 		 * all supported options, so we allocate a maximum length
277 		 * reply.
278 		 * ----historical comment end -------
279 		 */
280 		/* T_DEFAULT not passed down */
281 		ASSERT(topmost_tpiprovider == B_TRUE);
282 		freemsg(mp);
283 		max_optbuf_len = optcom_max_optbuf_len(opt_arr,
284 		    opt_arr_cnt);
285 		mp = allocb(max_optbuf_len, BPRI_MED);
286 		if (!mp) {
287 no_mem:;
288 			optcom_err_ack(q, mp, TSYSERR, ENOMEM);
289 			return (0);
290 		}
291 
292 		/* Initialize the T_optmgmt_ack header. */
293 		toa = (struct T_optmgmt_ack *)mp->b_rptr;
294 		bzero((char *)toa, max_optbuf_len);
295 		toa->PRIM_type = T_OPTMGMT_ACK;
296 		toa->OPT_offset = (t_scalar_t)sizeof (struct T_optmgmt_ack);
297 		/* TODO: Is T_DEFAULT the right thing to put in MGMT_flags? */
298 		toa->MGMT_flags = T_DEFAULT;
299 
300 		/* Now walk the table of options passed in */
301 		opt = (struct opthdr *)&toa[1];
302 		for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
303 			/*
304 			 * All the options in the table of options passed
305 			 * in are by definition supported by the protocol
306 			 * calling this function.
307 			 */
308 			if (!OA_READ_PERMISSION(optd, cr))
309 				continue;
310 			opt->level = optd->opdes_level;
311 			opt->name = optd->opdes_name;
312 			if (!(optd->opdes_props & OP_DEF_FN) ||
313 			    ((len = (*deffn)(q, opt->level,
314 			    opt->name, (uchar_t *)&opt[1])) < 0)) {
315 				/*
316 				 * Fill length and value from table.
317 				 *
318 				 * Default value not instantiated from function
319 				 * (or the protocol specific function failed it;
320 				 * In this interpretation of T_DEFAULT, this is
321 				 * the best we can do)
322 				 */
323 				switch (optd->opdes_size) {
324 				/*
325 				 * Since options are guaranteed aligned only
326 				 * on a 4 byte boundary (t_scalar_t) any
327 				 * option that is greater in size will default
328 				 * to the bcopy below
329 				 */
330 				case sizeof (int32_t):
331 					*(int32_t *)&opt[1] =
332 					    (int32_t)optd->opdes_default;
333 					break;
334 				case sizeof (int16_t):
335 					*(int16_t *)&opt[1] =
336 					    (int16_t)optd->opdes_default;
337 					break;
338 				case sizeof (int8_t):
339 					*(int8_t *)&opt[1] =
340 					    (int8_t)optd->opdes_default;
341 					break;
342 				default:
343 					/*
344 					 * other length but still assume
345 					 * fixed - use bcopy
346 					 */
347 					bcopy(optd->opdes_defbuf,
348 					    &opt[1], optd->opdes_size);
349 					break;
350 				}
351 				opt->len = optd->opdes_size;
352 			}
353 			else
354 				opt->len = (t_uscalar_t)len;
355 			opt = (struct opthdr *)((char *)&opt[1] +
356 			    _TPI_ALIGN_OPT(opt->len));
357 		}
358 
359 		/* Now record the final length. */
360 		toa->OPT_length = (t_scalar_t)((char *)opt - (char *)&toa[1]);
361 		mp->b_wptr = (uchar_t *)opt;
362 		mp->b_datap->db_type = M_PCPROTO;
363 		/* Ship it back. */
364 		qreply(q, mp);
365 		return (0);
366 	}
367 	/* T_DEFAULT processing complete - no more T_DEFAULT */
368 
369 	/*
370 	 * For T_NEGOTIATE, T_CURRENT, and T_CHECK requests, we make a
371 	 * pass through the input buffer validating the details and
372 	 * making sure each option is supported by the protocol.
373 	 */
374 	if ((opt_start = (struct opthdr *)mi_offset_param(mp,
375 	    tor->OPT_offset, tor->OPT_length)) == NULL)
376 		goto bad_opt;
377 	if (!__TPI_OPT_ISALIGNED(opt_start))
378 		goto bad_opt;
379 
380 	opt_end = (struct opthdr *)((uchar_t *)opt_start +
381 	    tor->OPT_length);
382 
383 	for (opt = opt_start; opt < opt_end; opt = next_opt) {
384 		/*
385 		 * Verify we have room to reference the option header
386 		 * fields in the option buffer.
387 		 */
388 		if ((uchar_t *)opt + sizeof (struct opthdr) >
389 		    (uchar_t *)opt_end)
390 			goto bad_opt;
391 		/*
392 		 * We now compute pointer to next option in buffer 'next_opt'
393 		 * The next_opt computation above below 'opt->len' initialized
394 		 * by application which cannot be trusted. The usual value
395 		 * too large will be captured by the loop termination condition
396 		 * above. We check for the following which it will miss.
397 		 * 	-pointer space wraparound arithmetic overflow
398 		 *	-last option in buffer with 'opt->len' being too large
399 		 *	 (only reason 'next_opt' should equal or exceed
400 		 *	 'opt_end' for last option is roundup unless length is
401 		 *	 too-large/invalid)
402 		 */
403 		next_opt = (struct opthdr *)((uchar_t *)&opt[1] +
404 		    _TPI_ALIGN_OPT(opt->len));
405 
406 		if ((uchar_t *)next_opt < (uchar_t *)&opt[1] ||
407 		    ((next_opt >= opt_end) &&
408 		    (((uchar_t *)next_opt - (uchar_t *)opt_end) >=
409 		    __TPI_ALIGN_SIZE)))
410 			goto bad_opt;
411 
412 		/* sanity check */
413 		if (opt->name == T_ALLOPT)
414 			goto bad_opt;
415 
416 		error = proto_opt_check(opt->level, opt->name, opt->len, NULL,
417 		    opt_arr, opt_arr_cnt, topmost_tpiprovider,
418 		    tor->MGMT_flags == T_NEGOTIATE, tor->MGMT_flags == T_CHECK,
419 		    cr);
420 		if (error < 0) {
421 			optcom_err_ack(q, mp, -error, 0);
422 			return (0);
423 		} else if (error > 0) {
424 			optcom_err_ack(q, mp, TSYSERR, error);
425 			return (0);
426 		}
427 	} /* end for loop scanning option buffer */
428 
429 	/* Now complete the operation as required. */
430 	switch (tor->MGMT_flags) {
431 	case T_CHECK:
432 		/*
433 		 * Historically used same as T_CURRENT (which was added to
434 		 * standard later). Code retained for compatibility.
435 		 */
436 		/* FALLTHROUGH */
437 	case T_CURRENT:
438 		/*
439 		 * Allocate a maximum size reply.  Perhaps we are supposed to
440 		 * assume that the input buffer includes space for the answers
441 		 * as well as the opthdrs, but we don't know that for sure.
442 		 * So, instead, we create a new output buffer, using the
443 		 * input buffer only as a list of options.
444 		 */
445 		max_optbuf_len = optcom_max_optbuf_len(opt_arr,
446 		    opt_arr_cnt);
447 		mp1 = allocb_cred(max_optbuf_len, cr);
448 		if (!mp1)
449 			goto no_mem;
450 		/* Initialize the header. */
451 		mp1->b_datap->db_type = M_PCPROTO;
452 		mp1->b_wptr = &mp1->b_rptr[sizeof (struct T_optmgmt_ack)];
453 		toa = (struct T_optmgmt_ack *)mp1->b_rptr;
454 		toa->OPT_offset = (t_scalar_t)sizeof (struct T_optmgmt_ack);
455 		toa->MGMT_flags = tor->MGMT_flags;
456 		/*
457 		 * Walk through the input buffer again, this time adding
458 		 * entries to the output buffer for each option requested.
459 		 * Note, sanity of option header, last option etc, verified
460 		 * in first pass.
461 		 */
462 		opt1 = (struct opthdr *)&toa[1];
463 
464 		for (opt = opt_start; opt < opt_end; opt = next_opt) {
465 
466 			next_opt = (struct opthdr *)((uchar_t *)&opt[1] +
467 			    _TPI_ALIGN_OPT(opt->len));
468 
469 			opt1->name = opt->name;
470 			opt1->level = opt->level;
471 			len = (*getfn)(q, opt->level,
472 			    opt->name, (uchar_t *)&opt1[1]);
473 			/*
474 			 * Failure means option is not recognized. Copy input
475 			 * buffer as is
476 			 */
477 			if (len < 0) {
478 				opt1->len = opt->len;
479 				bcopy(&opt[1], &opt1[1], opt->len);
480 			} else {
481 				opt1->len = (t_uscalar_t)len;
482 			}
483 			opt1 = (struct opthdr *)((uchar_t *)&opt1[1] +
484 			    _TPI_ALIGN_OPT(opt1->len));
485 		} /* end for loop */
486 
487 		/* Record the final length. */
488 		toa->OPT_length = (t_scalar_t)((uchar_t *)opt1 -
489 		    (uchar_t *)&toa[1]);
490 		mp1->b_wptr = (uchar_t *)opt1;
491 		/* Ditch the input buffer. */
492 		freemsg(mp);
493 		mp = mp1;
494 		/* Always let the next module look at the option. */
495 		pass_to_next = B_TRUE;
496 		break;
497 
498 	case T_NEGOTIATE:
499 		first_mp = allocb(sizeof (opt_restart_t), BPRI_LO);
500 		if (first_mp == NULL) {
501 			optcom_err_ack(q, mp, TSYSERR, ENOMEM);
502 			return (0);
503 		}
504 		first_mp->b_datap->db_type = M_CTL;
505 		or = (opt_restart_t *)first_mp->b_rptr;
506 		or->or_start = opt_start;
507 		or->or_end =  opt_end;
508 		or->or_type = T_SVR4_OPTMGMT_REQ;
509 		or->or_private = 0;
510 		first_mp->b_cont = mp;
511 restart:
512 		/*
513 		 * Here we are expecting that the response buffer is exactly
514 		 * the same size as the input buffer.  We pass each opthdr
515 		 * to the protocol's set function.  If the protocol doesn't
516 		 * like it, it can update the value in it return argument.
517 		 */
518 		/*
519 		 * Pass each negotiated option through the protocol set
520 		 * function.
521 		 * Note: sanity check on option header values done in first
522 		 * pass and not repeated here.
523 		 */
524 		toa = (struct T_optmgmt_ack *)tor;
525 
526 		for (opt = is_restart ? restart_opt: opt_start; opt < opt_end;
527 		    opt = next_opt) {
528 			int error;
529 
530 			/*
531 			 * Point to the current option in or, in case this
532 			 * option has to be restarted later on
533 			 */
534 			or->or_ropt = opt;
535 			next_opt = (struct opthdr *)((uchar_t *)&opt[1] +
536 			    _TPI_ALIGN_OPT(opt->len));
537 
538 			error = (*setfn)(q, SETFN_OPTCOM_NEGOTIATE,
539 			    opt->level, opt->name,
540 			    opt->len, (uchar_t *)&opt[1],
541 			    &opt->len, (uchar_t *)&opt[1], NULL, cr, first_mp);
542 			/*
543 			 * Treat positive "errors" as real.
544 			 * Note: negative errors are to be treated as
545 			 * non-fatal by svr4_optcom_req() and are
546 			 * returned by setfn() when it is passed an
547 			 * option it does not handle. Since the option
548 			 * passed proto_opt_lookup(), it is implied that
549 			 * it is valid but was either handled upstream
550 			 * or will be handled downstream.
551 			 */
552 			if (error == EINPROGRESS) {
553 				/*
554 				 * The message is queued and will be
555 				 * reprocessed later. Typically ip queued
556 				 * the message to get some exclusive conditions
557 				 * and later on calls this func again.
558 				 */
559 				return (EINPROGRESS);
560 			} else if (error > 0) {
561 				optcom_err_ack(q, mp, TSYSERR, error);
562 				freeb(first_mp);
563 				return (0);
564 			}
565 			/*
566 			 * error < 0 means option is not recognized.
567 			 * But with OP_PASSNEXT the next module
568 			 * might recognize it.
569 			 */
570 		}
571 		/* Done with the restart control mp. */
572 		freeb(first_mp);
573 		pass_to_next = B_TRUE;
574 		break;
575 	default:
576 		optcom_err_ack(q, mp, TBADFLAG, 0);
577 		return (0);
578 	}
579 
580 	if (pass_to_next && (q->q_next != NULL || pass_to_ip)) {
581 		/* Send it down to the next module and let it reply */
582 		toa->PRIM_type = T_SVR4_OPTMGMT_REQ; /* Changed by IP to ACK */
583 		if (q->q_next != NULL)
584 			putnext(q, mp);
585 		else
586 			ip_output(Q_TO_CONN(q), mp, q, IP_WPUT);
587 	} else {
588 		/* Set common fields in the header. */
589 		toa->MGMT_flags = T_SUCCESS;
590 		mp->b_datap->db_type = M_PCPROTO;
591 		toa->PRIM_type = T_OPTMGMT_ACK;
592 		qreply(q, mp);
593 	}
594 	return (0);
595 bad_opt:;
596 	optcom_err_ack(q, mp, TBADOPT, 0);
597 	return (0);
598 }
599 
600 /*
601  * New optcom_req inspired by TPI/XTI semantics
602  */
603 int
604 tpi_optcom_req(queue_t *q, mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
605     boolean_t pass_to_ip)
606 {
607 	t_scalar_t t_error;
608 	mblk_t *toa_mp;
609 	boolean_t pass_to_next;
610 	size_t toa_len;
611 	struct T_optmgmt_ack *toa;
612 	struct T_optmgmt_req *tor =
613 	    (struct T_optmgmt_req *)mp->b_rptr;
614 
615 	opt_restart_t *or;
616 	boolean_t is_restart = B_FALSE;
617 	mblk_t	*first_mp = NULL;
618 	t_uscalar_t worst_status;
619 	boolean_t queued_status;
620 
621 	/*
622 	 * Allocate M_CTL and prepend to the packet for restarting this
623 	 * option if needed. IP may need to queue and restart the option
624 	 * if it cannot obtain exclusive conditions immediately. Please see
625 	 * IP-MT notes before the start of svr4_optcom_req
626 	 */
627 	if (mp->b_datap->db_type == M_CTL) {
628 		is_restart = B_TRUE;
629 		first_mp = mp;
630 		toa_mp = mp->b_cont;
631 		mp = toa_mp->b_cont;
632 		ASSERT(mp->b_wptr - mp->b_rptr >=
633 		    sizeof (struct T_optmgmt_req));
634 		tor = (struct T_optmgmt_req *)mp->b_rptr;
635 		ASSERT(tor->MGMT_flags == T_NEGOTIATE);
636 
637 		or = (opt_restart_t *)first_mp->b_rptr;
638 		goto restart;
639 	}
640 
641 	/* Verify message integrity. */
642 	if ((mp->b_wptr - mp->b_rptr) < sizeof (struct T_optmgmt_req)) {
643 		optcom_err_ack(q, mp, TBADOPT, 0);
644 		return (0);
645 	}
646 
647 	/* Verify MGMT_flags legal */
648 	switch (tor->MGMT_flags) {
649 	case T_DEFAULT:
650 	case T_NEGOTIATE:
651 	case T_CURRENT:
652 	case T_CHECK:
653 		/* OK - legal request flags */
654 		break;
655 	default:
656 		optcom_err_ack(q, mp, TBADFLAG, 0);
657 		return (0);
658 	}
659 
660 	/*
661 	 * In this design, there are two passes required on the input buffer
662 	 * mostly to accomodate variable length options and "T_ALLOPT" option
663 	 * which has the semantics "all options of the specified level".
664 	 *
665 	 * For T_DEFAULT, T_NEGOTIATE, T_CURRENT, and T_CHECK requests, we make
666 	 * a pass through the input buffer validating the details and making
667 	 * sure each option is supported by the protocol. We also determine the
668 	 * length of the option buffer to return. (Variable length options and
669 	 * T_ALLOPT mean that length can be different for output buffer).
670 	 */
671 
672 	pass_to_next = B_FALSE;	/* initial value */
673 	toa_len = 0;		/* initial value */
674 
675 	/*
676 	 * First pass, we do the following
677 	 *	- estimate cumulative length needed for results
678 	 *	- set "status" field based on permissions, option header check
679 	 *	  etc.
680 	 *	- determine "pass_to_next" whether we need to send request to
681 	 *	  downstream module/driver.
682 	 */
683 	if ((t_error = process_topthdrs_first_pass(mp, cr, dbobjp,
684 	    &pass_to_next, &toa_len)) != 0) {
685 		optcom_err_ack(q, mp, t_error, 0);
686 		return (0);
687 	}
688 
689 	/*
690 	 * A validation phase of the input buffer is done. We have also
691 	 * obtained the length requirement and and other details about the
692 	 * input and we liked input buffer so far.  We make another scan
693 	 * through the input now and generate the output necessary to complete
694 	 * the operation.
695 	 */
696 
697 	toa_mp = allocb_cred(toa_len, cr);
698 	if (!toa_mp) {
699 		optcom_err_ack(q, mp, TSYSERR, ENOMEM);
700 		return (0);
701 	}
702 
703 	first_mp = allocb(sizeof (opt_restart_t), BPRI_LO);
704 	if (first_mp == NULL) {
705 		freeb(toa_mp);
706 		optcom_err_ack(q, mp, TSYSERR, ENOMEM);
707 		return (0);
708 	}
709 	first_mp->b_datap->db_type = M_CTL;
710 	or = (opt_restart_t *)first_mp->b_rptr;
711 	/*
712 	 * Set initial values for generating output.
713 	 */
714 	or->or_worst_status = T_SUCCESS;
715 	or->or_type = T_OPTMGMT_REQ;
716 	or->or_private = 0;
717 	/* remaining fields fileed in do_options_second_pass */
718 
719 restart:
720 	/*
721 	 * This routine makes another pass through the option buffer this
722 	 * time acting on the request based on "status" result in the
723 	 * first pass. It also performs "expansion" of T_ALLOPT into
724 	 * all options of a certain level and acts on each for this request.
725 	 */
726 	if ((t_error = do_options_second_pass(q, mp, toa_mp, cr, dbobjp,
727 	    first_mp, is_restart, &queued_status)) != 0) {
728 		freemsg(toa_mp);
729 		optcom_err_ack(q, mp, t_error, 0);
730 		return (0);
731 	}
732 	if (queued_status) {
733 		/* Option will be restarted */
734 		return (EINPROGRESS);
735 	}
736 	worst_status = or->or_worst_status;
737 	/* Done with the first mp */
738 	freeb(first_mp);
739 	toa_mp->b_cont = NULL;
740 
741 	/*
742 	 * Following code relies on the coincidence that T_optmgmt_req
743 	 * and T_optmgmt_ack are identical in binary representation
744 	 */
745 	toa = (struct T_optmgmt_ack *)toa_mp->b_rptr;
746 	toa->OPT_length = (t_scalar_t)(toa_mp->b_wptr - (toa_mp->b_rptr +
747 	    sizeof (struct T_optmgmt_ack)));
748 	toa->OPT_offset = (t_scalar_t)sizeof (struct T_optmgmt_ack);
749 
750 	toa->MGMT_flags = tor->MGMT_flags;
751 
752 
753 	freemsg(mp);		/* free input mblk */
754 
755 	/*
756 	 * If there is atleast one option that requires a downstream
757 	 * forwarding and if it is possible, we forward the message
758 	 * downstream. Else we ack it.
759 	 */
760 	if (pass_to_next && (q->q_next != NULL || pass_to_ip)) {
761 		/*
762 		 * We pass it down as T_OPTMGMT_REQ. This code relies
763 		 * on the happy coincidence that T_optmgmt_req and
764 		 * T_optmgmt_ack are identical data structures
765 		 * at the binary representation level.
766 		 */
767 		toa_mp->b_datap->db_type = M_PROTO;
768 		toa->PRIM_type = T_OPTMGMT_REQ;
769 		if (q->q_next != NULL)
770 			putnext(q, toa_mp);
771 		else
772 			ip_output(Q_TO_CONN(q), toa_mp, q, IP_WPUT);
773 	} else {
774 		toa->PRIM_type = T_OPTMGMT_ACK;
775 		toa_mp->b_datap->db_type = M_PCPROTO;
776 		toa->MGMT_flags |= worst_status; /* XXX "worst" or "OR" TPI ? */
777 		qreply(q, toa_mp);
778 	}
779 	return (0);
780 }
781 
782 
783 /*
784  * Following routine makes a pass through option buffer in mp and performs the
785  * following tasks.
786  *	- estimate cumulative length needed for results
787  *	- set "status" field based on permissions, option header check
788  *	  etc.
789  *	- determine "pass_to_next" whether we need to send request to
790  *	  downstream module/driver.
791  */
792 
793 static t_scalar_t
794 process_topthdrs_first_pass(mblk_t *mp, cred_t *cr, optdb_obj_t *dbobjp,
795     boolean_t *pass_to_nextp, size_t *toa_lenp)
796 {
797 	opdes_t	*opt_arr = dbobjp->odb_opt_des_arr;
798 	uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
799 	boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
800 	optlevel_t *valid_level_arr = dbobjp->odb_valid_levels_arr;
801 	uint_t valid_level_arr_cnt = dbobjp->odb_valid_levels_arr_cnt;
802 	struct T_opthdr *opt;
803 	struct T_opthdr *opt_start, *opt_end;
804 	opdes_t	*optd;
805 	size_t allopt_len;
806 	struct T_optmgmt_req *tor =
807 	    (struct T_optmgmt_req *)mp->b_rptr;
808 
809 	*toa_lenp = sizeof (struct T_optmgmt_ack); /* initial value */
810 
811 	if ((opt_start = (struct T_opthdr *)
812 	    mi_offset_param(mp, tor->OPT_offset, tor->OPT_length)) == NULL) {
813 		return (TBADOPT);
814 	}
815 	if (!__TPI_TOPT_ISALIGNED(opt_start))
816 		return (TBADOPT);
817 
818 	opt_end = (struct T_opthdr *)((uchar_t *)opt_start + tor->OPT_length);
819 
820 	for (opt = opt_start; opt && (opt < opt_end);
821 	    opt = _TPI_TOPT_NEXTHDR(opt_start, tor->OPT_length, opt)) {
822 		/*
823 		 * Validate the option for length and alignment
824 		 * before accessing anything in it.
825 		 */
826 		if (!(_TPI_TOPT_VALID(opt, opt_start, opt_end)))
827 			return (TBADOPT);
828 
829 		/* Find the option in the opt_arr. */
830 		if (opt->name != T_ALLOPT) {
831 			optd = proto_opt_lookup(opt->level, opt->name,
832 			    opt_arr, opt_arr_cnt);
833 			if (optd == NULL) {
834 				/*
835 				 * Option not found
836 				 *
837 				 * Verify if level is "valid" or not.
838 				 * Note: This check is required by XTI
839 				 *
840 				 * TPI provider always initializes
841 				 * the "not supported" (or whatever) status
842 				 * for the options. Other levels leave status
843 				 * unchanged if they do not understand an
844 				 * option.
845 				 */
846 				if (topmost_tpiprovider) {
847 					if (!opt_level_valid(opt->level,
848 					    valid_level_arr,
849 					    valid_level_arr_cnt))
850 						return (TBADOPT);
851 					/*
852 					 * level is valid - initialize
853 					 * option as not supported
854 					 */
855 					opt->status = T_NOTSUPPORT;
856 				}
857 
858 				*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
859 				continue;
860 			}
861 		} else {
862 			/*
863 			 * Handle T_ALLOPT case as a special case.
864 			 * Note: T_ALLOPT does not mean anything
865 			 * for T_CHECK operation.
866 			 */
867 			allopt_len = 0;
868 			if (tor->MGMT_flags == T_CHECK ||
869 			    !topmost_tpiprovider ||
870 			    ((allopt_len = opt_level_allopts_lengths(opt->level,
871 			    opt_arr, opt_arr_cnt)) == 0)) {
872 				/*
873 				 * This is confusing but correct !
874 				 * It is not valid to to use T_ALLOPT with
875 				 * T_CHECK flag.
876 				 *
877 				 * T_ALLOPT is assumed "expanded" at the
878 				 * topmost_tpiprovider level so it should not
879 				 * be there as an "option name" if this is not
880 				 * a topmost_tpiprovider call and we fail it.
881 				 *
882 				 * opt_level_allopts_lengths() is used to verify
883 				 * that "level" associated with the T_ALLOPT is
884 				 * supported.
885 				 *
886 				 */
887 				opt->status = T_FAILURE;
888 				*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
889 				continue;
890 			}
891 			ASSERT(allopt_len != 0); /* remove ? */
892 
893 			*toa_lenp += allopt_len;
894 			opt->status = T_SUCCESS;
895 			/* XXX - always set T_ALLOPT 'pass_to_next' for now */
896 			*pass_to_nextp = B_TRUE;
897 			continue;
898 		}
899 		/*
900 		 * Check if option wants to flow downstream
901 		 */
902 		if (optd->opdes_props & OP_PASSNEXT)
903 			*pass_to_nextp = B_TRUE;
904 
905 		/* Additional checks dependent on operation. */
906 		switch (tor->MGMT_flags) {
907 		case T_DEFAULT:
908 		case T_CURRENT:
909 
910 			/*
911 			 * The proto_opt_lookup() routine call above approved of
912 			 * this option so we can work on the status for it
913 			 * based on the permissions for the operation. (This
914 			 * can override any status for it set at higher levels)
915 			 * We assume this override is OK since chkfn at this
916 			 * level approved of this option.
917 			 *
918 			 * T_CURRENT semantics:
919 			 * The read access is required. Else option
920 			 * status is T_NOTSUPPORT.
921 			 *
922 			 * T_DEFAULT semantics:
923 			 * Note: specification is not clear on this but we
924 			 * interpret T_DEFAULT semantics such that access to
925 			 * read value is required for access even the default
926 			 * value. Otherwise the option status is T_NOTSUPPORT.
927 			 */
928 			if (!OA_READ_PERMISSION(optd, cr)) {
929 				opt->status = T_NOTSUPPORT;
930 				*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
931 				/* skip to next */
932 				continue;
933 			}
934 
935 			/*
936 			 * T_DEFAULT/T_CURRENT semantics:
937 			 * We know that read access is set. If no other access
938 			 * is set, then status is T_READONLY.
939 			 */
940 			if (OA_READONLY_PERMISSION(optd, cr))
941 				opt->status = T_READONLY;
942 			else
943 				opt->status = T_SUCCESS;
944 			/*
945 			 * Option passes all checks. Make room for it in the
946 			 * ack. Note: size stored in table does not include
947 			 * space for option header.
948 			 */
949 			*toa_lenp += sizeof (struct T_opthdr) +
950 			    _TPI_ALIGN_TOPT(optd->opdes_size);
951 			break;
952 
953 		case T_CHECK:
954 		case T_NEGOTIATE:
955 
956 			/*
957 			 * T_NEGOTIATE semantics:
958 			 * If for fixed length option value on input is not the
959 			 * same as value supplied, then status is T_FAILURE.
960 			 *
961 			 * T_CHECK semantics:
962 			 * If value is supplied, semantics same as T_NEGOTIATE.
963 			 * It is however ok not to supply a value with T_CHECK.
964 			 */
965 
966 			if (tor->MGMT_flags == T_NEGOTIATE ||
967 			    (opt->len != sizeof (struct T_opthdr))) {
968 				/*
969 				 * Implies "value" is specified in T_CHECK or
970 				 * it is a T_NEGOTIATE request.
971 				 * Verify size.
972 				 * Note: This can override anything about this
973 				 * option request done at a higher level.
974 				 */
975 				if (!opt_length_ok(optd, opt)) {
976 					/* bad size */
977 					*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
978 					opt->status = T_FAILURE;
979 					continue;
980 				}
981 			}
982 			/*
983 			 * The proto_opt_lookup()  routine above() approved of
984 			 * this option so we can work on the status for it based
985 			 * on the permissions for the operation. (This can
986 			 * override anything set at a higher level).
987 			 *
988 			 * T_CHECK/T_NEGOTIATE semantics:
989 			 * Set status to T_READONLY if read is the only access
990 			 * permitted
991 			 */
992 			if (OA_READONLY_PERMISSION(optd, cr)) {
993 				opt->status = T_READONLY;
994 				*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
995 				/* skip to next */
996 				continue;
997 			}
998 
999 			/*
1000 			 * T_CHECK/T_NEGOTIATE semantics:
1001 			 * If write (or execute) access is not set, then status
1002 			 * is T_NOTSUPPORT.
1003 			 */
1004 			if (!OA_WRITE_OR_EXECUTE(optd, cr)) {
1005 				opt->status = T_NOTSUPPORT;
1006 				*toa_lenp += _TPI_ALIGN_TOPT(opt->len);
1007 				/* skip to next option */
1008 				continue;
1009 			}
1010 			/*
1011 			 * Option passes all checks. Make room for it in the
1012 			 * ack and set success in status.
1013 			 * Note: size stored in table does not include header
1014 			 * length.
1015 			 */
1016 			opt->status = T_SUCCESS;
1017 			*toa_lenp += sizeof (struct T_opthdr) +
1018 			    _TPI_ALIGN_TOPT(optd->opdes_size);
1019 			break;
1020 
1021 		default:
1022 			return (TBADFLAG);
1023 		}
1024 	} /* for loop scanning input buffer */
1025 
1026 	return (0);		/* OK return */
1027 }
1028 
1029 /*
1030  * This routine makes another pass through the option buffer this
1031  * time acting on the request based on "status" result in the
1032  * first pass. It also performs "expansion" of T_ALLOPT into
1033  * all options of a certain level and acts on each for this request.
1034  */
1035 static t_scalar_t
1036 do_options_second_pass(queue_t *q, mblk_t *reqmp, mblk_t *ack_mp, cred_t *cr,
1037     optdb_obj_t *dbobjp, mblk_t *first_mp, boolean_t is_restart,
1038     boolean_t *queued_statusp)
1039 {
1040 	boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
1041 	int failed_option;
1042 	struct T_opthdr *opt;
1043 	struct T_opthdr *opt_start, *opt_end, *restart_opt;
1044 	uchar_t *optr;
1045 	uint_t optset_context;
1046 	struct T_optmgmt_req *tor = (struct T_optmgmt_req *)reqmp->b_rptr;
1047 	opt_restart_t	*or;
1048 	t_uscalar_t	*worst_statusp;
1049 	int	err;
1050 
1051 	*queued_statusp = B_FALSE;
1052 	or = (opt_restart_t *)first_mp->b_rptr;
1053 	worst_statusp = &or->or_worst_status;
1054 
1055 	optr = (uchar_t *)ack_mp->b_rptr +
1056 	    sizeof (struct T_optmgmt_ack); /* assumed int32_t aligned */
1057 
1058 	/*
1059 	 * Set initial values for scanning input
1060 	 */
1061 	if (is_restart) {
1062 		opt_start = (struct T_opthdr *)or->or_start;
1063 		opt_end = (struct T_opthdr *)or->or_end;
1064 		restart_opt = (struct T_opthdr *)or->or_ropt;
1065 	} else {
1066 		opt_start = (struct T_opthdr *)mi_offset_param(reqmp,
1067 		    tor->OPT_offset, tor->OPT_length);
1068 		if (opt_start == NULL)
1069 			return (TBADOPT);
1070 		opt_end = (struct T_opthdr *)((uchar_t *)opt_start +
1071 		    tor->OPT_length);
1072 		or->or_start = (struct opthdr *)opt_start;
1073 		or->or_end = (struct opthdr *)opt_end;
1074 		/*
1075 		 * construct the mp chain, in case the setfn needs to
1076 		 * queue this and restart option processing later on.
1077 		 */
1078 		first_mp->b_cont = ack_mp;
1079 		ack_mp->b_cont = reqmp;
1080 	}
1081 	ASSERT(__TPI_TOPT_ISALIGNED(opt_start)); /* verified in first pass */
1082 
1083 	for (opt = is_restart ? restart_opt : opt_start;
1084 	    opt && (opt < opt_end);
1085 	    opt = _TPI_TOPT_NEXTHDR(opt_start, tor->OPT_length, opt)) {
1086 		or->or_ropt = (struct opthdr *)opt;
1087 		/* verified in first pass */
1088 		ASSERT(_TPI_TOPT_VALID(opt, opt_start, opt_end));
1089 
1090 		/*
1091 		 * If the first pass in process_topthdrs_first_pass()
1092 		 * has marked the option as a failure case for the MGMT_flags
1093 		 * semantics then there is not much to do.
1094 		 *
1095 		 * Note: For all practical purposes, T_READONLY status is
1096 		 * a "success" for T_DEFAULT/T_CURRENT and "failure" for
1097 		 * T_CHECK/T_NEGOTIATE
1098 		 */
1099 		failed_option =
1100 		    (opt->status == T_NOTSUPPORT) ||
1101 		    (opt->status == T_FAILURE) ||
1102 		    ((tor->MGMT_flags & (T_NEGOTIATE|T_CHECK)) &&
1103 		    (opt->status == T_READONLY));
1104 
1105 		if (failed_option) {
1106 			/*
1107 			 * According to T_DEFAULT/T_CURRENT semantics, the
1108 			 * input values, even if present, are to be ignored.
1109 			 * Note: Specification is not clear on this, but we
1110 			 * interpret that even though we ignore the values, we
1111 			 * can return them as is. So we process them similar to
1112 			 * T_CHECK/T_NEGOTIATE case which has the semantics to
1113 			 * return the values as is. XXX If interpretation is
1114 			 * ever determined incorrect fill in appropriate code
1115 			 * here to treat T_DEFAULT/T_CURRENT differently.
1116 			 *
1117 			 * According to T_CHECK/T_NEGOTIATE semantics,
1118 			 * in the case of T_NOTSUPPORT/T_FAILURE/T_READONLY,
1119 			 * the semantics are to return the "value" part of
1120 			 * option untouched. So here we copy the option
1121 			 * head including value part if any to output.
1122 			 */
1123 
1124 			bcopy(opt, optr, opt->len);
1125 			optr += _TPI_ALIGN_TOPT(opt->len);
1126 
1127 			*worst_statusp = get_worst_status(opt->status,
1128 			    *worst_statusp);
1129 
1130 			/* skip to process next option in buffer */
1131 			continue;
1132 
1133 		} /* end if "failed option" */
1134 		/*
1135 		 * The status is T_SUCCESS or T_READONLY
1136 		 * We process the value part here
1137 		 */
1138 		ASSERT(opt->status == T_SUCCESS || opt->status == T_READONLY);
1139 		switch (tor->MGMT_flags) {
1140 		case T_DEFAULT:
1141 			/*
1142 			 * We fill default value from table or protocol specific
1143 			 * function. If this call fails, we pass input through.
1144 			 */
1145 			if (do_opt_default(q, opt, &optr, worst_statusp,
1146 			    cr, dbobjp) < 0) {
1147 				/* fail or pass transparently */
1148 				if (topmost_tpiprovider)
1149 					opt->status = T_FAILURE;
1150 				bcopy(opt, optr, opt->len);
1151 				optr += _TPI_ALIGN_TOPT(opt->len);
1152 				*worst_statusp = get_worst_status(opt->status,
1153 				    *worst_statusp);
1154 			}
1155 			break;
1156 
1157 		case T_CURRENT:
1158 
1159 			do_opt_current(q, opt, &optr, worst_statusp, cr,
1160 			    dbobjp);
1161 			break;
1162 
1163 		case T_CHECK:
1164 		case T_NEGOTIATE:
1165 			if (tor->MGMT_flags == T_CHECK)
1166 				optset_context = SETFN_OPTCOM_CHECKONLY;
1167 			else	/* T_NEGOTIATE */
1168 				optset_context = SETFN_OPTCOM_NEGOTIATE;
1169 			err = do_opt_check_or_negotiate(q, opt, optset_context,
1170 			    &optr, worst_statusp, cr, dbobjp, first_mp);
1171 			if (err == EINPROGRESS) {
1172 				*queued_statusp = B_TRUE;
1173 				return (0);
1174 			}
1175 			break;
1176 		default:
1177 			return (TBADFLAG);
1178 		}
1179 	} /* end for loop scanning option buffer */
1180 
1181 	ack_mp->b_wptr = optr;
1182 	ASSERT(ack_mp->b_wptr <= ack_mp->b_datap->db_lim);
1183 
1184 	return (0);		/* OK return */
1185 }
1186 
1187 
1188 static t_uscalar_t
1189 get_worst_status(t_uscalar_t status, t_uscalar_t current_worst_status)
1190 {
1191 	/*
1192 	 * Return the "worst" among the arguments "status" and
1193 	 * "current_worst_status".
1194 	 *
1195 	 * Note: Tracking "worst_status" can be made a bit simpler
1196 	 * if we use the property that status codes are bitwise
1197 	 * distinct.
1198 	 *
1199 	 * The pecking order is
1200 	 *
1201 	 * T_SUCCESS ..... best
1202 	 * T_PARTSUCCESS
1203 	 * T_FAILURE
1204 	 * T_READONLY
1205 	 * T_NOTSUPPORT... worst
1206 	 */
1207 	if (status == current_worst_status)
1208 		return (current_worst_status);
1209 	switch (current_worst_status) {
1210 	case T_SUCCESS:
1211 		if (status == T_PARTSUCCESS)
1212 			return (T_PARTSUCCESS);
1213 		/* FALLTHROUGH */
1214 	case T_PARTSUCCESS:
1215 		if (status == T_FAILURE)
1216 			return (T_FAILURE);
1217 		/* FALLTHROUGH */
1218 	case T_FAILURE:
1219 		if (status == T_READONLY)
1220 			return (T_READONLY);
1221 		/* FALLTHROUGH */
1222 	case T_READONLY:
1223 		if (status == T_NOTSUPPORT)
1224 			return (T_NOTSUPPORT);
1225 		/* FALLTHROUGH */
1226 	case T_NOTSUPPORT:
1227 	default:
1228 		return (current_worst_status);
1229 	}
1230 }
1231 
1232 static int
1233 do_opt_default(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
1234     t_uscalar_t *worst_statusp, cred_t *cr, optdb_obj_t *dbobjp)
1235 {
1236 	pfi_t	deffn = dbobjp->odb_deffn;
1237 	opdes_t	*opt_arr = dbobjp->odb_opt_des_arr;
1238 	uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
1239 	boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
1240 
1241 	struct T_opthdr *topth;
1242 	opdes_t *optd;
1243 
1244 	if (reqopt->name != T_ALLOPT) {
1245 		/*
1246 		 * lookup the option in the table and fill default value
1247 		 */
1248 		optd = proto_opt_lookup(reqopt->level, reqopt->name,
1249 		    opt_arr, opt_arr_cnt);
1250 
1251 		if (optd == NULL) {
1252 			/*
1253 			 * not found - fail this one. Should not happen
1254 			 * for topmost_tpiprovider as calling routine
1255 			 * should have verified it.
1256 			 */
1257 			ASSERT(!topmost_tpiprovider);
1258 			return (-1);
1259 		}
1260 
1261 		topth = (struct T_opthdr *)(*resptrp);
1262 		topth->level = reqopt->level;
1263 		topth->name = reqopt->name;
1264 		topth->status = reqopt->status;
1265 
1266 		*worst_statusp = get_worst_status(reqopt->status,
1267 		    *worst_statusp);
1268 
1269 		if (optd->opdes_props & OP_NODEFAULT) {
1270 			/* header only, no default "value" part */
1271 			topth->len = sizeof (struct T_opthdr);
1272 			*resptrp += sizeof (struct T_opthdr);
1273 		} else {
1274 			int deflen;
1275 
1276 			if (optd->opdes_props & OP_DEF_FN) {
1277 				deflen = (*deffn)(q, reqopt->level,
1278 				    reqopt->name, _TPI_TOPT_DATA(topth));
1279 				if (deflen >= 0) {
1280 					topth->len = (t_uscalar_t)
1281 					    (sizeof (struct T_opthdr) + deflen);
1282 				} else {
1283 					/*
1284 					 * return error, this should 'pass
1285 					 * through' the option and maybe some
1286 					 * other level will fill it in or
1287 					 * already did.
1288 					 * (No change in 'resptrp' upto here)
1289 					 */
1290 					return (-1);
1291 				}
1292 			} else {
1293 				/* fill length and value part */
1294 				switch (optd->opdes_size) {
1295 				/*
1296 				 * Since options are guaranteed aligned only
1297 				 * on a 4 byte boundary (t_scalar_t) any
1298 				 * option that is greater in size will default
1299 				 * to the bcopy below
1300 				 */
1301 				case sizeof (int32_t):
1302 					*(int32_t *)_TPI_TOPT_DATA(topth) =
1303 					    (int32_t)optd->opdes_default;
1304 					break;
1305 				case sizeof (int16_t):
1306 					*(int16_t *)_TPI_TOPT_DATA(topth) =
1307 					    (int16_t)optd->opdes_default;
1308 					break;
1309 				case sizeof (int8_t):
1310 					*(int8_t *)_TPI_TOPT_DATA(topth) =
1311 					    (int8_t)optd->opdes_default;
1312 					break;
1313 				default:
1314 					/*
1315 					 * other length but still assume
1316 					 * fixed - use bcopy
1317 					 */
1318 					bcopy(optd->opdes_defbuf,
1319 					    _TPI_TOPT_DATA(topth),
1320 					    optd->opdes_size);
1321 					break;
1322 				}
1323 				topth->len = (t_uscalar_t)(optd->opdes_size +
1324 				    sizeof (struct T_opthdr));
1325 			}
1326 			*resptrp += _TPI_ALIGN_TOPT(topth->len);
1327 		}
1328 		return (0);	/* OK return */
1329 	}
1330 
1331 	/*
1332 	 * T_ALLOPT processing
1333 	 *
1334 	 * lookup and stuff default values of all the options of the
1335 	 * level specified
1336 	 * Note: This expansion of T_ALLOPT should happen in
1337 	 * a topmost_tpiprovider.
1338 	 */
1339 	ASSERT(topmost_tpiprovider);
1340 	for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
1341 		if (reqopt->level != optd->opdes_level)
1342 			continue;
1343 		/*
1344 		 *
1345 		 * T_DEFAULT semantics:
1346 		 * XXX: we interpret T_DEFAULT semantics such that access to
1347 		 * read value is required for access even the default value.
1348 		 * Else option is ignored for T_ALLOPT request.
1349 		 */
1350 		if (!OA_READ_PERMISSION(optd, cr))
1351 			/* skip this one */
1352 			continue;
1353 
1354 		/*
1355 		 * Found option of same level as T_ALLOPT request
1356 		 * that we can return.
1357 		 */
1358 
1359 		topth = (struct T_opthdr *)(*resptrp);
1360 		topth->level = optd->opdes_level;
1361 		topth->name = optd->opdes_name;
1362 
1363 		/*
1364 		 * T_DEFAULT semantics:
1365 		 * We know that read access is set. If no other access is set,
1366 		 * then status is T_READONLY
1367 		 */
1368 		if (OA_READONLY_PERMISSION(optd, cr)) {
1369 			topth->status = T_READONLY;
1370 			*worst_statusp = get_worst_status(T_READONLY,
1371 			    *worst_statusp);
1372 		} else {
1373 			topth->status = T_SUCCESS;
1374 			/*
1375 			 * Note: *worst_statusp has to be T_SUCCESS or
1376 			 * worse so no need to adjust
1377 			 */
1378 		}
1379 
1380 		if (optd->opdes_props & OP_NODEFAULT) {
1381 			/* header only, no value part */
1382 			topth->len = sizeof (struct T_opthdr);
1383 			*resptrp += sizeof (struct T_opthdr);
1384 		} else {
1385 			int deflen;
1386 
1387 			if (optd->opdes_props & OP_DEF_FN) {
1388 				deflen = (*deffn)(q, reqopt->level,
1389 				    reqopt->name, _TPI_TOPT_DATA(topth));
1390 				if (deflen >= 0) {
1391 					topth->len = (t_uscalar_t)(deflen +
1392 					    sizeof (struct T_opthdr));
1393 				} else {
1394 					/*
1395 					 * deffn failed.
1396 					 * return just the header as T_ALLOPT
1397 					 * expansion.
1398 					 * Some other level deffn may
1399 					 * supply value part.
1400 					 */
1401 					topth->len = sizeof (struct T_opthdr);
1402 					topth->status = T_FAILURE;
1403 					*worst_statusp =
1404 					    get_worst_status(T_FAILURE,
1405 					    *worst_statusp);
1406 				}
1407 			} else {
1408 				/*
1409 				 * fill length and value part from
1410 				 * table
1411 				 */
1412 				switch (optd->opdes_size) {
1413 				/*
1414 				 * Since options are guaranteed aligned only
1415 				 * on a 4 byte boundary (t_scalar_t) any
1416 				 * option that is greater in size will default
1417 				 * to the bcopy below
1418 				 */
1419 				case sizeof (int32_t):
1420 					*(int32_t *)_TPI_TOPT_DATA(topth) =
1421 					    (int32_t)optd->opdes_default;
1422 					break;
1423 				case sizeof (int16_t):
1424 					*(int16_t *)_TPI_TOPT_DATA(topth) =
1425 					    (int16_t)optd->opdes_default;
1426 					break;
1427 				case sizeof (int8_t):
1428 					*(int8_t *)_TPI_TOPT_DATA(topth) =
1429 					    (int8_t)optd->opdes_default;
1430 					break;
1431 				default:
1432 					/*
1433 					 * other length but still assume
1434 					 * fixed - use bcopy
1435 					 */
1436 					bcopy(optd->opdes_defbuf,
1437 					    _TPI_TOPT_DATA(topth),
1438 					    optd->opdes_size);
1439 				}
1440 				topth->len = (t_uscalar_t)(optd->opdes_size +
1441 				    sizeof (struct T_opthdr));
1442 			}
1443 			*resptrp += _TPI_ALIGN_TOPT(topth->len);
1444 		}
1445 	}
1446 	return (0);
1447 }
1448 
1449 static void
1450 do_opt_current(queue_t *q, struct T_opthdr *reqopt, uchar_t **resptrp,
1451     t_uscalar_t *worst_statusp, cred_t *cr, optdb_obj_t *dbobjp)
1452 {
1453 	pfi_t	getfn = dbobjp->odb_getfn;
1454 	opdes_t	*opt_arr = dbobjp->odb_opt_des_arr;
1455 	uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
1456 	boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
1457 
1458 	struct T_opthdr *topth;
1459 	opdes_t *optd;
1460 	int optlen;
1461 	uchar_t *initptr = *resptrp;
1462 
1463 	/*
1464 	 * We call getfn to get the current value of an option. The call may
1465 	 * fail in which case we copy the values from the input buffer. Maybe
1466 	 * something downstream will fill it in or something upstream did.
1467 	 */
1468 
1469 	if (reqopt->name != T_ALLOPT) {
1470 		topth = (struct T_opthdr *)*resptrp;
1471 		*resptrp += sizeof (struct T_opthdr);
1472 		optlen = (*getfn)(q, reqopt->level, reqopt->name, *resptrp);
1473 		if (optlen >= 0) {
1474 			topth->len = (t_uscalar_t)(optlen +
1475 			    sizeof (struct T_opthdr));
1476 			topth->level = reqopt->level;
1477 			topth->name = reqopt->name;
1478 			topth->status = reqopt->status;
1479 			*resptrp += _TPI_ALIGN_TOPT(optlen);
1480 			*worst_statusp = get_worst_status(topth->status,
1481 			    *worst_statusp);
1482 		} else {
1483 			/* failed - reset "*resptrp" pointer */
1484 			*resptrp -= sizeof (struct T_opthdr);
1485 		}
1486 	} else {		/* T_ALLOPT processing */
1487 		ASSERT(topmost_tpiprovider == B_TRUE);
1488 		/* scan and get all options */
1489 		for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
1490 			/* skip other levels */
1491 			if (reqopt->level != optd->opdes_level)
1492 				continue;
1493 
1494 			if (!OA_READ_PERMISSION(optd, cr))
1495 				/* skip this one */
1496 				continue;
1497 
1498 			topth = (struct T_opthdr *)*resptrp;
1499 			*resptrp += sizeof (struct T_opthdr);
1500 
1501 			/* get option of this level */
1502 			optlen = (*getfn)(q, reqopt->level, optd->opdes_name,
1503 			    *resptrp);
1504 			if (optlen >= 0) {
1505 				/* success */
1506 				topth->len = (t_uscalar_t)(optlen +
1507 				    sizeof (struct T_opthdr));
1508 				topth->level = reqopt->level;
1509 				topth->name = optd->opdes_name;
1510 				if (OA_READONLY_PERMISSION(optd, cr))
1511 					topth->status = T_READONLY;
1512 				else
1513 					topth->status = T_SUCCESS;
1514 				*resptrp += _TPI_ALIGN_TOPT(optlen);
1515 			} else {
1516 				/*
1517 				 * failed, return as T_FAILURE and null value
1518 				 * part. Maybe something downstream will
1519 				 * handle this one and fill in a value. Here
1520 				 * it is just part of T_ALLOPT expansion.
1521 				 */
1522 				topth->len = sizeof (struct T_opthdr);
1523 				topth->level = reqopt->level;
1524 				topth->name = optd->opdes_name;
1525 				topth->status = T_FAILURE;
1526 			}
1527 			*worst_statusp = get_worst_status(topth->status,
1528 			    *worst_statusp);
1529 		} /* end for loop */
1530 	}
1531 	if (*resptrp == initptr) {
1532 		/*
1533 		 * getfn failed and does not want to handle this option. Maybe
1534 		 * something downstream will or something upstream did. (If
1535 		 * topmost_tpiprovider, initialize "status" to failure which
1536 		 * can possibly change downstream). Copy the input "as is" from
1537 		 * input option buffer if any to maintain transparency.
1538 		 */
1539 		if (topmost_tpiprovider)
1540 			reqopt->status = T_FAILURE;
1541 		bcopy(reqopt, *resptrp, reqopt->len);
1542 		*resptrp += _TPI_ALIGN_TOPT(reqopt->len);
1543 		*worst_statusp = get_worst_status(reqopt->status,
1544 		    *worst_statusp);
1545 	}
1546 }
1547 
1548 /* ARGSUSED */
1549 static int
1550 do_opt_check_or_negotiate(queue_t *q, struct T_opthdr *reqopt,
1551     uint_t optset_context, uchar_t **resptrp, t_uscalar_t *worst_statusp,
1552     cred_t *cr, optdb_obj_t *dbobjp, mblk_t *first_mp)
1553 {
1554 	pfi_t	deffn = dbobjp->odb_deffn;
1555 	opt_set_fn setfn = dbobjp->odb_setfn;
1556 	opdes_t	*opt_arr = dbobjp->odb_opt_des_arr;
1557 	uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
1558 	boolean_t topmost_tpiprovider = dbobjp->odb_topmost_tpiprovider;
1559 
1560 	struct T_opthdr *topth;
1561 	opdes_t *optd;
1562 	int error;
1563 	t_uscalar_t optlen;
1564 	t_scalar_t optsize;
1565 	uchar_t *initptr = *resptrp;
1566 
1567 	ASSERT(reqopt->status == T_SUCCESS);
1568 
1569 	if (reqopt->name != T_ALLOPT) {
1570 		topth = (struct T_opthdr *)*resptrp;
1571 		*resptrp += sizeof (struct T_opthdr);
1572 		error = (*setfn)(q, optset_context, reqopt->level, reqopt->name,
1573 		    reqopt->len - sizeof (struct T_opthdr),
1574 		    _TPI_TOPT_DATA(reqopt), &optlen, _TPI_TOPT_DATA(topth),
1575 		    NULL, cr, first_mp);
1576 		if (error) {
1577 			/* failed - reset "*resptrp" */
1578 			*resptrp -= sizeof (struct T_opthdr);
1579 			if (error == EINPROGRESS)
1580 				return (error);
1581 		} else {
1582 			/*
1583 			 * success - "value" already filled in setfn()
1584 			 */
1585 			topth->len = (t_uscalar_t)(optlen +
1586 			    sizeof (struct T_opthdr));
1587 			topth->level = reqopt->level;
1588 			topth->name = reqopt->name;
1589 			topth->status = reqopt->status;
1590 			*resptrp += _TPI_ALIGN_TOPT(optlen);
1591 			*worst_statusp = get_worst_status(topth->status,
1592 			    *worst_statusp);
1593 		}
1594 	} else {		/* T_ALLOPT processing */
1595 		/* only for T_NEGOTIATE case */
1596 		ASSERT(optset_context == SETFN_OPTCOM_NEGOTIATE);
1597 		ASSERT(topmost_tpiprovider == B_TRUE);
1598 
1599 		/* scan and set all options to default value */
1600 		for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
1601 
1602 			/* skip other levels */
1603 			if (reqopt->level != optd->opdes_level)
1604 				continue;
1605 
1606 			if (OA_EXECUTE_PERMISSION(optd, cr) ||
1607 			    OA_NO_PERMISSION(optd, cr)) {
1608 				/*
1609 				 * skip this one too. Does not make sense to
1610 				 * set anything to default value for "execute"
1611 				 * options.
1612 				 */
1613 				continue;
1614 			}
1615 
1616 			if (OA_READONLY_PERMISSION(optd, cr)) {
1617 				/*
1618 				 * Return with T_READONLY status (and no value
1619 				 * part). Note: spec is not clear but
1620 				 * XTI test suite needs this.
1621 				 */
1622 				topth = (struct T_opthdr *)*resptrp;
1623 				topth->len = sizeof (struct T_opthdr);
1624 				*resptrp += topth->len;
1625 				topth->level = reqopt->level;
1626 				topth->name = optd->opdes_name;
1627 				topth->status = T_READONLY;
1628 				*worst_statusp = get_worst_status(topth->status,
1629 				    *worst_statusp);
1630 				continue;
1631 			}
1632 
1633 			/*
1634 			 * It is not read only or execute type
1635 			 * the it must have write permission
1636 			 */
1637 			ASSERT(OA_WRITE_PERMISSION(optd, cr));
1638 
1639 			topth = (struct T_opthdr *)*resptrp;
1640 			*resptrp += sizeof (struct T_opthdr);
1641 
1642 			topth->len = sizeof (struct T_opthdr);
1643 			topth->level = reqopt->level;
1644 			topth->name = optd->opdes_name;
1645 			if (optd->opdes_props & OP_NODEFAULT) {
1646 				/*
1647 				 * Option of "no default value" so it does not
1648 				 * make sense to try to set it. We just return
1649 				 * header with status of T_SUCCESS
1650 				 * XXX should this be failure ?
1651 				 */
1652 				topth->status = T_SUCCESS;
1653 				continue; /* skip setting */
1654 			}
1655 			if (optd->opdes_props & OP_DEF_FN) {
1656 				if ((optd->opdes_props & OP_VARLEN) ||
1657 				    ((optsize = (*deffn)(q, reqopt->level,
1658 				    optd->opdes_name,
1659 				    (uchar_t *)optd->opdes_defbuf)) < 0)) {
1660 					/* XXX - skip these too */
1661 					topth->status = T_SUCCESS;
1662 					continue; /* skip setting */
1663 				}
1664 			} else {
1665 				optsize = optd->opdes_size;
1666 			}
1667 
1668 
1669 			/* set option of this level */
1670 			error = (*setfn)(q, SETFN_OPTCOM_NEGOTIATE,
1671 			    reqopt->level, optd->opdes_name, optsize,
1672 			    (uchar_t *)optd->opdes_defbuf, &optlen,
1673 			    _TPI_TOPT_DATA(topth), NULL, cr, NULL);
1674 			if (error) {
1675 				/*
1676 				 * failed, return as T_FAILURE and null value
1677 				 * part. Maybe something downstream will
1678 				 * handle this one and fill in a value. Here
1679 				 * it is just part of T_ALLOPT expansion.
1680 				 */
1681 				topth->status = T_FAILURE;
1682 				*worst_statusp = get_worst_status(topth->status,
1683 				    *worst_statusp);
1684 			} else {
1685 				/* success */
1686 				topth->len += optlen;
1687 				topth->status = T_SUCCESS;
1688 				*resptrp += _TPI_ALIGN_TOPT(optlen);
1689 			}
1690 		} /* end for loop */
1691 		/* END T_ALLOPT */
1692 	}
1693 
1694 	if (*resptrp == initptr) {
1695 		/*
1696 		 * setfn failed and does not want to handle this option. Maybe
1697 		 * something downstream will or something upstream
1698 		 * did. Copy the input as is from input option buffer if any to
1699 		 * maintain transparency (maybe something at a level above
1700 		 * did something.
1701 		 */
1702 		if (topmost_tpiprovider)
1703 			reqopt->status = T_FAILURE;
1704 		bcopy(reqopt, *resptrp, reqopt->len);
1705 		*resptrp += _TPI_ALIGN_TOPT(reqopt->len);
1706 		*worst_statusp = get_worst_status(reqopt->status,
1707 		    *worst_statusp);
1708 	}
1709 	return (0);
1710 }
1711 
1712 /*
1713  * The following routines process options buffer passed with
1714  * T_CONN_REQ, T_CONN_RES and T_UNITDATA_REQ.
1715  * This routine does the consistency check applied to the
1716  * sanity of formatting of multiple options packed in the
1717  * buffer.
1718  *
1719  * XTI brain damage alert:
1720  * XTI interface adopts the notion of an option being an
1721  * "absolute requirement" from OSI transport service (but applies
1722  * it to all transports including Internet transports).
1723  * The main effect of that is action on failure to "negotiate" a
1724  * requested option to the exact requested value
1725  *
1726  *          - if the option is an "absolute requirement", the primitive
1727  *            is aborted (e.g T_DISCON_REQ or T_UDERR generated)
1728  *          - if the option is NOT and "absolute requirement" it can
1729  *            just be ignored.
1730  *
1731  * We would not support "negotiating" of options on connection
1732  * primitives for Internet transports. However just in case we
1733  * forced to in order to pass strange test suites, the design here
1734  * tries to support these notions.
1735  *
1736  * tpi_optcom_buf(q, mp, opt_lenp, opt_offset, cred, dbobjp, thisdg_attrs,
1737  *	*is_absreq_failurep)
1738  *
1739  * - Verify the option buffer, if formatted badly, return error 1
1740  *
1741  * - If it is a "permissions" failure (read-only), return error 2
1742  *
1743  * - Else, process the option "in place", the following can happen,
1744  *	     - if a "privileged" option, mark it as "ignored".
1745  *	     - if "not supported", mark "ignored"
1746  *	     - if "supported" attempt negotiation and fill result in
1747  *	       the outcome
1748  *			- if "absolute requirement", set "*is_absreq_failurep"
1749  *			- if NOT an "absolute requirement", then our
1750  *			  interpretation is to mark is at ignored if
1751  *			  negotiation fails (Spec allows partial success
1752  *			  as in OSI protocols but not failure)
1753  *
1754  *   Then delete "ignored" options from option buffer and return success.
1755  *
1756  */
1757 int
1758 tpi_optcom_buf(queue_t *q, mblk_t *mp, t_scalar_t *opt_lenp,
1759     t_scalar_t opt_offset, cred_t *cr, optdb_obj_t *dbobjp,
1760     void *thisdg_attrs, int *is_absreq_failurep)
1761 {
1762 	opt_set_fn setfn = dbobjp->odb_setfn;
1763 	opdes_t *opt_arr = dbobjp->odb_opt_des_arr;
1764 	uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
1765 	struct T_opthdr *opt, *opt_start, *opt_end;
1766 	mblk_t  *copy_mp_head;
1767 	uchar_t *optr, *init_optr;
1768 	opdes_t *optd;
1769 	uint_t optset_context;
1770 	t_uscalar_t olen;
1771 	int error = 0;
1772 
1773 	ASSERT((uchar_t *)opt_lenp > mp->b_rptr &&
1774 	    (uchar_t *)opt_lenp < mp->b_wptr);
1775 
1776 	copy_mp_head = NULL;
1777 	*is_absreq_failurep = 0;
1778 	switch (((union T_primitives *)mp->b_rptr)->type) {
1779 	case T_CONN_REQ:
1780 	case T_CONN_RES:
1781 		optset_context = SETFN_CONN_NEGOTIATE;
1782 		break;
1783 	case T_UNITDATA_REQ:
1784 		optset_context = SETFN_UD_NEGOTIATE;
1785 		break;
1786 	default:
1787 		/*
1788 		 * should never get here, all possible TPI primitives
1789 		 * where this can be called from should be accounted
1790 		 * for in the cases above
1791 		 */
1792 		return (EINVAL);
1793 	}
1794 
1795 	if ((opt_start = (struct T_opthdr *)
1796 	    mi_offset_param(mp, opt_offset, *opt_lenp)) == NULL) {
1797 		error = ENOPROTOOPT;
1798 		goto error_ret;
1799 	}
1800 	if (!__TPI_TOPT_ISALIGNED(opt_start)) {
1801 		error = ENOPROTOOPT;
1802 		goto error_ret;
1803 	}
1804 
1805 	opt_end = (struct T_opthdr *)((uchar_t *)opt_start
1806 	    + *opt_lenp);
1807 
1808 	if ((copy_mp_head = copyb(mp)) == (mblk_t *)NULL) {
1809 		error = ENOMEM;
1810 		goto error_ret;
1811 	}
1812 
1813 	init_optr = optr = (uchar_t *)&copy_mp_head->b_rptr[opt_offset];
1814 
1815 	for (opt = opt_start; opt && (opt < opt_end);
1816 	    opt = _TPI_TOPT_NEXTHDR(opt_start, *opt_lenp, opt)) {
1817 		/*
1818 		 * Validate the option for length and alignment
1819 		 * before accessing anything in it
1820 		 */
1821 		if (!_TPI_TOPT_VALID(opt, opt_start, opt_end)) {
1822 			error = ENOPROTOOPT;
1823 			goto error_ret;
1824 		}
1825 
1826 		/* Find the option in the opt_arr. */
1827 		optd = proto_opt_lookup(opt->level, opt->name,
1828 		    opt_arr, opt_arr_cnt);
1829 
1830 		if (optd == NULL) {
1831 			/*
1832 			 * Option not found
1833 			 */
1834 			opt->status = T_NOTSUPPORT;
1835 			continue;
1836 		}
1837 
1838 		/*
1839 		 * Weird but as in XTI spec.
1840 		 * Sec 6.3.6 "Privileged and ReadOnly Options"
1841 		 * Permission problems (e.g.readonly) fail with bad access
1842 		 * BUT "privileged" option request from those NOT PRIVILEGED
1843 		 * are to be merely "ignored".
1844 		 * XXX Prevents "probing" of privileged options ?
1845 		 */
1846 		if (OA_READONLY_PERMISSION(optd, cr)) {
1847 			error = EACCES;
1848 			goto error_ret;
1849 		}
1850 		if (OA_MATCHED_PRIV(optd, cr)) {
1851 			/*
1852 			 * For privileged options, we DO perform
1853 			 * access checks as is common sense
1854 			 */
1855 			if (!OA_WX_ANYPRIV(optd)) {
1856 				error = EACCES;
1857 				goto error_ret;
1858 			}
1859 		} else {
1860 			/*
1861 			 * For non privileged, we fail instead following
1862 			 * "ignore" semantics dictated by XTI spec for
1863 			 * permissions problems.
1864 			 * Sec 6.3.6 "Privileged and ReadOnly Options"
1865 			 * XXX Should we do "ignore" semantics ?
1866 			 */
1867 			if (!OA_WX_NOPRIV(optd)) { /* nopriv */
1868 				opt->status = T_FAILURE;
1869 				continue;
1870 			}
1871 		}
1872 		/*
1873 		 *
1874 		 * If the negotiation fails, for options that
1875 		 * are "absolute requirement", it is a fatal error.
1876 		 * For options that are NOT "absolute requirements",
1877 		 * and the value fails to negotiate, the XTI spec
1878 		 * only considers the possibility of partial success
1879 		 * (T_PARTSUCCES - not likely for Internet protocols).
1880 		 * The spec is in denial about complete failure
1881 		 * (T_FAILURE) to negotiate for options that are
1882 		 * carried on T_CONN_REQ/T_CONN_RES/T_UNITDATA
1883 		 * We interpret the T_FAILURE to negotiate an option
1884 		 * that is NOT an absolute requirement that it is safe
1885 		 * to ignore it.
1886 		 */
1887 
1888 		/* verify length */
1889 		if (!opt_length_ok(optd, opt)) {
1890 			/* bad size */
1891 			if ((optd->opdes_props & OP_NOT_ABSREQ) == 0) {
1892 				/* option is absolute requirement */
1893 				*is_absreq_failurep = 1;
1894 				error = EINVAL;
1895 				goto error_ret;
1896 			}
1897 			opt->status = T_FAILURE;
1898 			continue;
1899 		}
1900 
1901 		/*
1902 		 * verified generic attributes. Now call set function.
1903 		 * Note: We assume the following to simplify code.
1904 		 * XXX If this is found not to be valid, this routine
1905 		 * will need to be rewritten. At this point it would
1906 		 * be premature to introduce more complexity than is
1907 		 * needed.
1908 		 * Assumption: For variable length options, we assume
1909 		 * that the value returned will be same or less length
1910 		 * (size does not increase). This makes it OK to pass the
1911 		 * same space for output as it is on input.
1912 		 */
1913 
1914 		error = (*setfn)(q, optset_context, opt->level, opt->name,
1915 		    opt->len - (t_uscalar_t)sizeof (struct T_opthdr),
1916 		    _TPI_TOPT_DATA(opt), &olen, _TPI_TOPT_DATA(opt),
1917 		    thisdg_attrs, cr, NULL);
1918 
1919 		if (olen > (int)(opt->len - sizeof (struct T_opthdr))) {
1920 			/*
1921 			 * Space on output more than space on input. Should
1922 			 * not happen and we consider it a bug/error.
1923 			 * More of a restriction than an error in our
1924 			 * implementation. Will see if we can live with this
1925 			 * otherwise code will get more hairy with multiple
1926 			 * passes.
1927 			 */
1928 			error = EINVAL;
1929 			goto error_ret;
1930 		}
1931 		if (error != 0) {
1932 			if ((optd->opdes_props & OP_NOT_ABSREQ) == 0) {
1933 				/* option is absolute requirement. */
1934 				*is_absreq_failurep = 1;
1935 				goto error_ret;
1936 			}
1937 			/*
1938 			 * failed - but option "not an absolute
1939 			 * requirement"
1940 			 */
1941 			opt->status = T_FAILURE;
1942 			continue;
1943 		}
1944 		/*
1945 		 * Fill in the only possible successful result
1946 		 * (Note: TPI allows for T_PARTSUCCESS - partial
1947 		 * sucess result code which is relevant in OSI world
1948 		 * and not possible in Internet code)
1949 		 */
1950 		opt->status = T_SUCCESS;
1951 
1952 		/*
1953 		 * Add T_SUCCESS result code options to the "output" options.
1954 		 * No T_FAILURES or T_NOTSUPPORT here as they are to be
1955 		 * ignored.
1956 		 * This code assumes output option buffer will
1957 		 * be <= input option buffer.
1958 		 *
1959 		 * Copy option header+value
1960 		 */
1961 		bcopy(opt, optr, opt->len);
1962 		optr +=  _TPI_ALIGN_TOPT(opt->len);
1963 	}
1964 	/*
1965 	 * Overwrite the input mblk option buffer now with the output
1966 	 * and update length, and contents in original mbl
1967 	 * (offset remains unchanged).
1968 	 */
1969 	*opt_lenp = (t_scalar_t)(optr - init_optr);
1970 	if (*opt_lenp > 0) {
1971 		bcopy(init_optr, opt_start, *opt_lenp);
1972 	}
1973 
1974 error_ret:
1975 	if (copy_mp_head != NULL)
1976 		freeb(copy_mp_head);
1977 	return (error);
1978 }
1979 
1980 static boolean_t
1981 opt_level_valid(t_uscalar_t level, optlevel_t *valid_level_arr,
1982     uint_t valid_level_arr_cnt)
1983 {
1984 	optlevel_t		*olp;
1985 
1986 	for (olp = valid_level_arr;
1987 	    olp < &valid_level_arr[valid_level_arr_cnt];
1988 	    olp++) {
1989 		if (level == (uint_t)(*olp))
1990 			return (B_TRUE);
1991 	}
1992 	return (B_FALSE);
1993 }
1994 
1995 
1996 /*
1997  * Compute largest possible size for an option buffer containing
1998  * all options in one buffer.
1999  *
2000  * XXX TBD, investigate use of opt_bloated_maxsize() to avoid
2001  *     wastefully large buffer allocation.
2002  */
2003 static size_t
2004 opt_level_allopts_lengths(t_uscalar_t level, opdes_t *opt_arr,
2005     uint_t opt_arr_cnt)
2006 {
2007 	opdes_t		*optd;
2008 	size_t allopt_len = 0;	/* 0 implies no option at this level */
2009 
2010 	/*
2011 	 * Scan opt_arr computing aggregate length
2012 	 * requirement for storing values of all
2013 	 * options.
2014 	 * Note: we do not filter for permissions
2015 	 * etc. This will be >= the real aggregate
2016 	 * length required (upper bound).
2017 	 */
2018 
2019 	for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt];
2020 	    optd++) {
2021 		if (level == optd->opdes_level) {
2022 			allopt_len += sizeof (struct T_opthdr) +
2023 			    _TPI_ALIGN_TOPT(optd->opdes_size);
2024 		}
2025 	}
2026 	return (allopt_len);	/* 0 implies level not found */
2027 }
2028 
2029 /*
2030  * Compute largest possible size for an option buffer containing
2031  * all options in one buffer - a (theoretical?) worst case scenario
2032  * for certain cases.
2033  */
2034 t_uscalar_t
2035 optcom_max_optbuf_len(opdes_t *opt_arr, uint_t opt_arr_cnt)
2036 {
2037 	t_uscalar_t max_optbuf_len = sizeof (struct T_info_ack);
2038 	opdes_t		*optd;
2039 
2040 	for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
2041 		max_optbuf_len += (t_uscalar_t)sizeof (struct T_opthdr) +
2042 		    (t_uscalar_t)_TPI_ALIGN_TOPT(optd->opdes_size);
2043 	}
2044 	return (max_optbuf_len);
2045 }
2046 
2047 /*
2048  * Compute largest possible size for OPT_size for a transport.
2049  * Heuristic used is to add all but certain extremely large
2050  * size options; this is done by calling opt_bloated_maxsize().
2051  * It affects user level allocations in TLI/XTI code using t_alloc()
2052  * and other TLI/XTI implementation instance strucutures.
2053  * The large size options excluded are presumed to be
2054  * never accessed through the (theoretical?) worst case code paths
2055  * through TLI/XTI as they are currently IPv6 specific options.
2056  */
2057 
2058 t_uscalar_t
2059 optcom_max_optsize(opdes_t *opt_arr, uint_t opt_arr_cnt)
2060 {
2061 	t_uscalar_t max_optbuf_len = sizeof (struct T_info_ack);
2062 	opdes_t		*optd;
2063 
2064 	for (optd = opt_arr; optd < &opt_arr[opt_arr_cnt]; optd++) {
2065 		if (!opt_bloated_maxsize(optd)) {
2066 			max_optbuf_len +=
2067 			    (t_uscalar_t)sizeof (struct T_opthdr) +
2068 			    (t_uscalar_t)_TPI_ALIGN_TOPT(optd->opdes_size);
2069 		}
2070 	}
2071 	return (max_optbuf_len);
2072 }
2073 
2074 /*
2075  * The theoretical model used in optcom_max_optsize() and
2076  * opt_level_allopts_lengths() accounts for the worst case of all
2077  * possible options for the theoretical cases and results in wasteful
2078  * memory allocations for certain theoretically correct usage scenarios.
2079  * In practice, the "features" they support are rarely, if ever,
2080  * used and even then only by test suites for those features (VSU, VST).
2081  * However, they result in large allocations due to the increased transport
2082  * T_INFO_ACK OPT_size field affecting t_alloc() users and TLI/XTI library
2083  * instance data structures for applications.
2084  *
2085  * The following routine opt_bloated_maxsize() supports a hack that avoids
2086  * paying the tax for the bloated options by excluding them and pretending
2087  * they don't exist for certain features without affecting features that
2088  * do use them.
2089  *
2090  * XXX Currently implemented only for optcom_max_optsize()
2091  *     (to reduce risk late in release).
2092  *     TBD for future, investigate use in optcom_level_allopts_lengths() and
2093  *     all the instances of T_ALLOPT processing to exclude "bloated options".
2094  *     Will not affect VSU/VST tests as they do not test with IPPROTO_IPV6
2095  *     level options which are the only ones that fit the "bloated maxsize"
2096  *     option profile now.
2097  */
2098 static boolean_t
2099 opt_bloated_maxsize(opdes_t *optd)
2100 {
2101 	if (optd->opdes_level != IPPROTO_IPV6)
2102 		return (B_FALSE);
2103 	switch (optd->opdes_name) {
2104 	case IPV6_HOPOPTS:
2105 	case IPV6_DSTOPTS:
2106 	case IPV6_RTHDRDSTOPTS:
2107 	case IPV6_RTHDR:
2108 	case IPV6_PATHMTU:
2109 		return (B_TRUE);
2110 	default:
2111 		break;
2112 	}
2113 	return (B_FALSE);
2114 }
2115 
2116 static boolean_t
2117 opt_length_ok(opdes_t *optd, struct T_opthdr *opt)
2118 {
2119 	/*
2120 	 * Verify length.
2121 	 * Value specified should match length of fixed length option or be
2122 	 * less than maxlen of variable length option.
2123 	 */
2124 	if (optd->opdes_props & OP_VARLEN) {
2125 		if (opt->len <= optd->opdes_size +
2126 		    (t_uscalar_t)sizeof (struct T_opthdr))
2127 			return (B_TRUE);
2128 	} else {
2129 		/* fixed length option */
2130 		if (opt->len == optd->opdes_size +
2131 		    (t_uscalar_t)sizeof (struct T_opthdr))
2132 			return (B_TRUE);
2133 	}
2134 	return (B_FALSE);
2135 }
2136 
2137 /*
2138  * This routine appends a pssed in hop-by-hop option to the existing
2139  * option (in this case a cipso label encoded in HOPOPT option). The
2140  * passed in option is always padded. The 'reservelen' is the
2141  * length of reserved data (label). New memory will be allocated if
2142  * the current buffer is not large enough. Return failure if memory
2143  * can not be allocated.
2144  */
2145 int
2146 optcom_pkt_set(uchar_t *invalp, uint_t inlen, boolean_t sticky,
2147     uchar_t **optbufp, uint_t *optlenp, uint_t reservelen)
2148 {
2149 	uchar_t *optbuf;
2150 	uchar_t	*optp;
2151 
2152 	if (!sticky) {
2153 		*optbufp = invalp;
2154 		*optlenp = inlen;
2155 		return (0);
2156 	}
2157 
2158 	if (inlen == *optlenp - reservelen) {
2159 		/* Unchanged length - no need to reallocate */
2160 		optp = *optbufp + reservelen;
2161 		bcopy(invalp, optp, inlen);
2162 		if (reservelen != 0) {
2163 			/*
2164 			 * Convert the NextHeader and Length of the
2165 			 * passed in hop-by-hop header to pads
2166 			 */
2167 			optp[0] = IP6OPT_PADN;
2168 			optp[1] = 0;
2169 		}
2170 		return (0);
2171 	}
2172 	if (inlen + reservelen > 0) {
2173 		/* Allocate new buffer before free */
2174 		optbuf = kmem_alloc(inlen + reservelen, KM_NOSLEEP);
2175 		if (optbuf == NULL)
2176 			return (ENOMEM);
2177 	} else {
2178 		optbuf = NULL;
2179 	}
2180 
2181 	/* Copy out old reserved data (label) */
2182 	if (reservelen > 0)
2183 		bcopy(*optbufp, optbuf, reservelen);
2184 
2185 	/* Free old buffer */
2186 	if (*optlenp != 0)
2187 		kmem_free(*optbufp, *optlenp);
2188 
2189 	if (inlen > 0)
2190 		bcopy(invalp, optbuf + reservelen, inlen);
2191 
2192 	if (reservelen != 0) {
2193 		/*
2194 		 * Convert the NextHeader and Length of the
2195 		 * passed in hop-by-hop header to pads
2196 		 */
2197 		optbuf[reservelen] = IP6OPT_PADN;
2198 		optbuf[reservelen + 1] = 0;
2199 		/*
2200 		 * Set the Length of the hop-by-hop header, number of 8
2201 		 * byte-words following the 1st 8 bytes
2202 		 */
2203 		optbuf[1] = (reservelen + inlen - 1) >> 3;
2204 	}
2205 	*optbufp = optbuf;
2206 	*optlenp = inlen + reservelen;
2207 	return (0);
2208 }
2209 
2210 int
2211 process_auxiliary_options(conn_t *connp, void *control, t_uscalar_t controllen,
2212     void *optbuf, optdb_obj_t *dbobjp, int (*opt_set_fn)(conn_t *, uint_t, int,
2213     int, uint_t, uchar_t *, uint_t *, uchar_t *, void *, cred_t *))
2214 {
2215 	struct cmsghdr *cmsg;
2216 	opdes_t *optd;
2217 	t_uscalar_t outlen;
2218 	int error = EOPNOTSUPP;
2219 	t_uscalar_t len;
2220 	uint_t opt_arr_cnt = dbobjp->odb_opt_arr_cnt;
2221 	opdes_t *opt_arr = dbobjp->odb_opt_des_arr;
2222 
2223 	for (cmsg = (struct cmsghdr *)control;
2224 	    CMSG_VALID(cmsg, control, (uintptr_t)control + controllen);
2225 	    cmsg = CMSG_NEXT(cmsg)) {
2226 
2227 		len = (t_uscalar_t)CMSG_CONTENTLEN(cmsg);
2228 		/* Find the option in the opt_arr. */
2229 		optd = proto_opt_lookup(cmsg->cmsg_level, cmsg->cmsg_type,
2230 		    opt_arr, opt_arr_cnt);
2231 		if (optd == NULL) {
2232 			return (EINVAL);
2233 		}
2234 		if (OA_READONLY_PERMISSION(optd, connp->conn_cred)) {
2235 			return (EACCES);
2236 		}
2237 		if (OA_MATCHED_PRIV(optd, connp->conn_cred)) {
2238 			/*
2239 			 * For privileged options, we DO perform
2240 			 * access checks as is common sense
2241 			 */
2242 			if (!OA_WX_ANYPRIV(optd)) {
2243 				return (EACCES);
2244 			}
2245 		} else {
2246 			/*
2247 			 * For non privileged, we fail instead following
2248 			 * "ignore" semantics dictated by XTI spec for
2249 			 * permissions problems.
2250 			 */
2251 			if (!OA_WX_NOPRIV(optd)) { /* nopriv */
2252 				return (EACCES);
2253 			}
2254 		}
2255 		error = opt_set_fn(connp, SETFN_UD_NEGOTIATE, optd->opdes_level,
2256 		    optd->opdes_name, len, (uchar_t *)CMSG_CONTENT(cmsg),
2257 		    &outlen, (uchar_t *)CMSG_CONTENT(cmsg), (void *)optbuf,
2258 		    connp->conn_cred);
2259 		if (error > 0) {
2260 			return (error);
2261 		} else if (outlen > len) {
2262 			return (EINVAL);
2263 		} else {
2264 			/*
2265 			 * error can be -ve if the protocol wants to
2266 			 * pass the option to IP. We donot pass auxiliary
2267 			 * options to IP.
2268 			 */
2269 			error = 0;
2270 		}
2271 	}
2272 	return (error);
2273 }
2274