1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <sys/systm.h> 31 #include <sys/stream.h> 32 #include <sys/cmn_err.h> 33 #include <sys/kmem.h> 34 #define _SUN_TPI_VERSION 2 35 #include <sys/tihdr.h> 36 #include <sys/stropts.h> 37 #include <sys/socket.h> 38 #include <sys/random.h> 39 #include <sys/policy.h> 40 #include <sys/tsol/tndb.h> 41 #include <sys/tsol/tnet.h> 42 43 #include <netinet/in.h> 44 #include <netinet/ip6.h> 45 46 #include <inet/common.h> 47 #include <inet/ip.h> 48 #include <inet/ip6.h> 49 #include <inet/ipclassifier.h> 50 #include "sctp_impl.h" 51 #include "sctp_asconf.h" 52 #include "sctp_addr.h" 53 54 /* 55 * Returns 0 on success, EACCES on permission failure. 56 */ 57 static int 58 sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified) 59 { 60 sctp_stack_t *sctps = sctp->sctp_sctps; 61 62 /* 63 * Get a valid port (within the anonymous range and should not 64 * be a privileged one) to use if the user has not given a port. 65 * If multiple threads are here, they may all start with 66 * with the same initial port. But, it should be fine as long as 67 * sctp_bindi will ensure that no two threads will be assigned 68 * the same port. 69 */ 70 if (*requested_port == 0) { 71 *requested_port = sctp_update_next_port( 72 sctps->sctps_next_port_to_try, 73 crgetzone(sctp->sctp_credp), sctps); 74 if (*requested_port == 0) 75 return (EACCES); 76 *user_specified = 0; 77 } else { 78 int i; 79 boolean_t priv = B_FALSE; 80 81 /* 82 * If the requested_port is in the well-known privileged range, 83 * verify that the stream was opened by a privileged user. 84 * Note: No locks are held when inspecting sctp_g_*epriv_ports 85 * but instead the code relies on: 86 * - the fact that the address of the array and its size never 87 * changes 88 * - the atomic assignment of the elements of the array 89 */ 90 if (*requested_port < sctps->sctps_smallest_nonpriv_port) { 91 priv = B_TRUE; 92 } else { 93 for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) { 94 if (*requested_port == 95 sctps->sctps_g_epriv_ports[i]) { 96 priv = B_TRUE; 97 break; 98 } 99 } 100 } 101 if (priv) { 102 /* 103 * sctp_bind() should take a cred_t argument so that 104 * we can use it here. 105 */ 106 if (secpolicy_net_privaddr(sctp->sctp_credp, 107 *requested_port) != 0) { 108 dprint(1, 109 ("sctp_bind(x): no prive for port %d", 110 *requested_port)); 111 return (EACCES); 112 } 113 } 114 *user_specified = 1; 115 } 116 117 return (0); 118 } 119 120 int 121 sctp_listen(sctp_t *sctp) 122 { 123 sctp_tf_t *tf; 124 sctp_stack_t *sctps = sctp->sctp_sctps; 125 126 RUN_SCTP(sctp); 127 /* 128 * TCP handles listen() increasing the backlog, need to check 129 * if it should be handled here too 130 */ 131 if (sctp->sctp_state > SCTPS_BOUND) { 132 WAKE_SCTP(sctp); 133 return (EINVAL); 134 } 135 136 /* Do an anonymous bind for unbound socket doing listen(). */ 137 if (sctp->sctp_nsaddrs == 0) { 138 struct sockaddr_storage ss; 139 int ret; 140 141 bzero(&ss, sizeof (ss)); 142 ss.ss_family = sctp->sctp_family; 143 144 WAKE_SCTP(sctp); 145 if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss, 146 sizeof (ss))) != 0) 147 return (ret); 148 RUN_SCTP(sctp) 149 } 150 151 sctp->sctp_state = SCTPS_LISTEN; 152 (void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN); 153 sctp->sctp_last_secret_update = lbolt64; 154 bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN); 155 tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH( 156 ntohs(sctp->sctp_lport))]; 157 sctp_listen_hash_insert(tf, sctp); 158 WAKE_SCTP(sctp); 159 return (0); 160 } 161 162 /* 163 * Bind the sctp_t to a sockaddr, which includes an address and other 164 * information, such as port or flowinfo. 165 */ 166 int 167 sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len) 168 { 169 int user_specified; 170 boolean_t bind_to_req_port_only; 171 in_port_t requested_port; 172 in_port_t allocated_port; 173 int err = 0; 174 175 ASSERT(sctp != NULL); 176 ASSERT(sa); 177 178 RUN_SCTP(sctp); 179 180 if (sctp->sctp_state > SCTPS_BOUND) { 181 err = EINVAL; 182 goto done; 183 } 184 185 switch (sa->sa_family) { 186 case AF_INET: 187 if (len < sizeof (struct sockaddr_in) || 188 sctp->sctp_family == AF_INET6) { 189 err = EINVAL; 190 goto done; 191 } 192 requested_port = ntohs(((struct sockaddr_in *)sa)->sin_port); 193 break; 194 case AF_INET6: 195 if (len < sizeof (struct sockaddr_in6) || 196 sctp->sctp_family == AF_INET) { 197 err = EINVAL; 198 goto done; 199 } 200 requested_port = ntohs(((struct sockaddr_in6 *)sa)->sin6_port); 201 /* Set the flowinfo. */ 202 sctp->sctp_ip6h->ip6_vcf = 203 (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) | 204 (((struct sockaddr_in6 *)sa)->sin6_flowinfo & 205 ~IPV6_VERS_AND_FLOW_MASK); 206 break; 207 default: 208 err = EAFNOSUPPORT; 209 goto done; 210 } 211 bind_to_req_port_only = requested_port == 0 ? B_FALSE : B_TRUE; 212 213 err = sctp_select_port(sctp, &requested_port, &user_specified); 214 if (err != 0) 215 goto done; 216 217 if ((err = sctp_bind_add(sctp, sa, 1, B_TRUE, 218 user_specified == 1 ? htons(requested_port) : 0)) != 0) { 219 goto done; 220 } 221 err = sctp_bindi(sctp, requested_port, bind_to_req_port_only, 222 user_specified, &allocated_port); 223 if (err != 0) { 224 sctp_free_saddrs(sctp); 225 } else { 226 ASSERT(sctp->sctp_state == SCTPS_BOUND); 227 } 228 done: 229 WAKE_SCTP(sctp); 230 return (err); 231 } 232 233 /* 234 * Perform bind/unbind operation of a list of addresses on a sctp_t 235 */ 236 int 237 sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop) 238 { 239 ASSERT(sctp != NULL); 240 ASSERT(addrs != NULL); 241 ASSERT(addrcnt > 0); 242 243 switch (bindop) { 244 case SCTP_BINDX_ADD_ADDR: 245 return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE, 246 sctp->sctp_lport)); 247 case SCTP_BINDX_REM_ADDR: 248 return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE)); 249 default: 250 return (EINVAL); 251 } 252 } 253 254 /* 255 * Add a list of addresses to a sctp_t. 256 */ 257 int 258 sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt, 259 boolean_t caller_hold_lock, in_port_t port) 260 { 261 int err = 0; 262 boolean_t do_asconf = B_FALSE; 263 sctp_stack_t *sctps = sctp->sctp_sctps; 264 265 if (!caller_hold_lock) 266 RUN_SCTP(sctp); 267 268 if (sctp->sctp_state > SCTPS_ESTABLISHED) { 269 if (!caller_hold_lock) 270 WAKE_SCTP(sctp); 271 return (EINVAL); 272 } 273 274 if (sctp->sctp_state > SCTPS_LISTEN) { 275 /* 276 * Let's do some checking here rather than undoing the 277 * add later (for these reasons). 278 */ 279 if (!sctps->sctps_addip_enabled || 280 !sctp->sctp_understands_asconf || 281 !sctp->sctp_understands_addip) { 282 if (!caller_hold_lock) 283 WAKE_SCTP(sctp); 284 return (EINVAL); 285 } 286 do_asconf = B_TRUE; 287 } 288 /* 289 * On a clustered node, for an inaddr_any bind, we will pass the list 290 * of all the addresses in the global list, minus any address on the 291 * loopback interface, and expect the clustering susbsystem to give us 292 * the correct list for the 'port'. For explicit binds we give the 293 * list of addresses and the clustering module validates it for the 294 * 'port'. 295 * 296 * On a non-clustered node, cl_sctp_check_addrs will be NULL and 297 * we proceed as usual. 298 */ 299 if (cl_sctp_check_addrs != NULL) { 300 uchar_t *addrlist = NULL; 301 size_t size = 0; 302 int unspec = 0; 303 boolean_t do_listen; 304 uchar_t *llist = NULL; 305 size_t lsize = 0; 306 307 /* 308 * If we are adding addresses after listening, but before 309 * an association is established, we need to update the 310 * clustering module with this info. 311 */ 312 do_listen = !do_asconf && sctp->sctp_state > SCTPS_BOUND && 313 cl_sctp_listen != NULL; 314 315 err = sctp_get_addrlist(sctp, addrs, &addrcnt, &addrlist, 316 &unspec, &size); 317 if (err != 0) { 318 ASSERT(addrlist == NULL); 319 ASSERT(addrcnt == 0); 320 ASSERT(size == 0); 321 if (!caller_hold_lock) 322 WAKE_SCTP(sctp); 323 SCTP_KSTAT(sctps, sctp_cl_check_addrs); 324 return (err); 325 } 326 ASSERT(addrlist != NULL); 327 (*cl_sctp_check_addrs)(sctp->sctp_family, port, &addrlist, 328 size, &addrcnt, unspec == 1); 329 if (addrcnt == 0) { 330 /* We free the list */ 331 kmem_free(addrlist, size); 332 if (!caller_hold_lock) 333 WAKE_SCTP(sctp); 334 return (EINVAL); 335 } 336 if (do_listen) { 337 lsize = sizeof (in6_addr_t) * addrcnt; 338 llist = kmem_alloc(lsize, KM_SLEEP); 339 } 340 err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist, 341 lsize); 342 if (err == 0 && do_listen) { 343 (*cl_sctp_listen)(sctp->sctp_family, llist, 344 addrcnt, sctp->sctp_lport); 345 /* list will be freed by the clustering module */ 346 } else if (err != 0 && llist != NULL) { 347 kmem_free(llist, lsize); 348 } 349 /* free the list we allocated */ 350 kmem_free(addrlist, size); 351 } else { 352 err = sctp_valid_addr_list(sctp, addrs, addrcnt, NULL, 0); 353 } 354 if (err != 0) { 355 if (!caller_hold_lock) 356 WAKE_SCTP(sctp); 357 return (err); 358 } 359 /* Need to send ASCONF messages */ 360 if (do_asconf) { 361 err = sctp_add_ip(sctp, addrs, addrcnt); 362 if (err != 0) { 363 sctp_del_saddr_list(sctp, addrs, addrcnt, B_FALSE); 364 if (!caller_hold_lock) 365 WAKE_SCTP(sctp); 366 return (err); 367 } 368 } 369 if (!caller_hold_lock) 370 WAKE_SCTP(sctp); 371 if (do_asconf) 372 sctp_process_sendq(sctp); 373 return (0); 374 } 375 376 /* 377 * Remove one or more addresses bound to the sctp_t. 378 */ 379 int 380 sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt, 381 boolean_t caller_hold_lock) 382 { 383 int error = 0; 384 boolean_t do_asconf = B_FALSE; 385 uchar_t *ulist = NULL; 386 size_t usize = 0; 387 sctp_stack_t *sctps = sctp->sctp_sctps; 388 389 if (!caller_hold_lock) 390 RUN_SCTP(sctp); 391 392 if (sctp->sctp_state > SCTPS_ESTABLISHED) { 393 if (!caller_hold_lock) 394 WAKE_SCTP(sctp); 395 return (EINVAL); 396 } 397 /* 398 * Fail the remove if we are beyond listen, but can't send this 399 * to the peer. 400 */ 401 if (sctp->sctp_state > SCTPS_LISTEN) { 402 if (!sctps->sctps_addip_enabled || 403 !sctp->sctp_understands_asconf || 404 !sctp->sctp_understands_addip) { 405 if (!caller_hold_lock) 406 WAKE_SCTP(sctp); 407 return (EINVAL); 408 } 409 do_asconf = B_TRUE; 410 } 411 412 /* Can't delete the last address nor all of the addresses */ 413 if (sctp->sctp_nsaddrs == 1 || addrcnt >= sctp->sctp_nsaddrs) { 414 if (!caller_hold_lock) 415 WAKE_SCTP(sctp); 416 return (EINVAL); 417 } 418 419 if (cl_sctp_unlisten != NULL && !do_asconf && 420 sctp->sctp_state > SCTPS_BOUND) { 421 usize = sizeof (in6_addr_t) * addrcnt; 422 ulist = kmem_alloc(usize, KM_SLEEP); 423 } 424 425 error = sctp_del_ip(sctp, addrs, addrcnt, ulist, usize); 426 if (error != 0) { 427 if (ulist != NULL) 428 kmem_free(ulist, usize); 429 if (!caller_hold_lock) 430 WAKE_SCTP(sctp); 431 return (error); 432 } 433 /* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */ 434 if (ulist != NULL) { 435 ASSERT(cl_sctp_unlisten != NULL); 436 (*cl_sctp_unlisten)(sctp->sctp_family, ulist, addrcnt, 437 sctp->sctp_lport); 438 /* ulist will be freed by the clustering module */ 439 } 440 if (!caller_hold_lock) 441 WAKE_SCTP(sctp); 442 if (do_asconf) 443 sctp_process_sendq(sctp); 444 return (error); 445 } 446 447 /* 448 * Returns 0 for success, errno value otherwise. 449 * 450 * If the "bind_to_req_port_only" parameter is set and the requested port 451 * number is available, then set allocated_port to it. If not available, 452 * return an error. 453 * 454 * If the "bind_to_req_port_only" parameter is not set and the requested port 455 * number is available, then set allocated_port to it. If not available, 456 * find the first anonymous port we can and set allocated_port to that. If no 457 * anonymous ports are available, return an error. 458 * 459 * In either case, when succeeding, update the sctp_t to record the port number 460 * and insert it in the bind hash table. 461 */ 462 int 463 sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only, 464 int user_specified, in_port_t *allocated_port) 465 { 466 /* number of times we have run around the loop */ 467 int count = 0; 468 /* maximum number of times to run around the loop */ 469 int loopmax; 470 zoneid_t zoneid = sctp->sctp_zoneid; 471 zone_t *zone = crgetzone(sctp->sctp_credp); 472 sctp_stack_t *sctps = sctp->sctp_sctps; 473 474 /* 475 * Lookup for free addresses is done in a loop and "loopmax" 476 * influences how long we spin in the loop 477 */ 478 if (bind_to_req_port_only) { 479 /* 480 * If the requested port is busy, don't bother to look 481 * for a new one. Setting loop maximum count to 1 has 482 * that effect. 483 */ 484 loopmax = 1; 485 } else { 486 /* 487 * If the requested port is busy, look for a free one 488 * in the anonymous port range. 489 * Set loopmax appropriately so that one does not look 490 * forever in the case all of the anonymous ports are in use. 491 */ 492 loopmax = (sctps->sctps_largest_anon_port - 493 sctps->sctps_smallest_anon_port + 1); 494 } 495 do { 496 uint16_t lport; 497 sctp_tf_t *tbf; 498 sctp_t *lsctp; 499 int addrcmp; 500 501 lport = htons(port); 502 503 /* 504 * Ensure that the sctp_t is not currently in the bind hash. 505 * Hold the lock on the hash bucket to ensure that 506 * the duplicate check plus the insertion is an atomic 507 * operation. 508 * 509 * This function does an inline lookup on the bind hash list 510 * Make sure that we access only members of sctp_t 511 * and that we don't look at sctp_sctp, since we are not 512 * doing a SCTPB_REFHOLD. For more details please see the notes 513 * in sctp_compress() 514 */ 515 sctp_bind_hash_remove(sctp); 516 tbf = &sctps->sctps_bind_fanout[SCTP_BIND_HASH(port)]; 517 mutex_enter(&tbf->tf_lock); 518 for (lsctp = tbf->tf_sctp; lsctp != NULL; 519 lsctp = lsctp->sctp_bind_hash) { 520 521 if (lport != lsctp->sctp_lport || 522 lsctp->sctp_state < SCTPS_BOUND) 523 continue; 524 525 /* 526 * On a labeled system, we must treat bindings to ports 527 * on shared IP addresses by sockets with MAC exemption 528 * privilege as being in all zones, as there's 529 * otherwise no way to identify the right receiver. 530 */ 531 if (lsctp->sctp_zoneid != zoneid && 532 !lsctp->sctp_mac_exempt && !sctp->sctp_mac_exempt) 533 continue; 534 535 addrcmp = sctp_compare_saddrs(sctp, lsctp); 536 if (addrcmp != SCTP_ADDR_DISJOINT) { 537 if (!sctp->sctp_reuseaddr) { 538 /* in use */ 539 break; 540 } else if (lsctp->sctp_state == SCTPS_BOUND || 541 lsctp->sctp_state == SCTPS_LISTEN) { 542 /* 543 * socket option SO_REUSEADDR is set 544 * on the binding sctp_t. 545 * 546 * We have found a match of IP source 547 * address and source port, which is 548 * refused regardless of the 549 * SO_REUSEADDR setting, so we break. 550 */ 551 break; 552 } 553 } 554 } 555 if (lsctp != NULL) { 556 /* The port number is busy */ 557 mutex_exit(&tbf->tf_lock); 558 } else { 559 conn_t *connp = sctp->sctp_connp; 560 561 if (is_system_labeled()) { 562 mlp_type_t addrtype, mlptype; 563 564 /* 565 * On a labeled system we must check the type 566 * of the binding requested by the user (either 567 * MLP or SLP on shared and private addresses), 568 * and that the user's requested binding 569 * is permitted. 570 */ 571 addrtype = tsol_mlp_addr_type(zone->zone_id, 572 sctp->sctp_ipversion, 573 sctp->sctp_ipversion == IPV4_VERSION ? 574 (void *)&sctp->sctp_ipha->ipha_src : 575 (void *)&sctp->sctp_ip6h->ip6_src, 576 sctps->sctps_netstack->netstack_ip); 577 578 /* 579 * tsol_mlp_addr_type returns the possibilities 580 * for the selected address. Since all local 581 * addresses are either private or shared, the 582 * return value mlptSingle means "local address 583 * not valid (interface not present)." 584 */ 585 if (addrtype == mlptSingle) { 586 mutex_exit(&tbf->tf_lock); 587 return (EADDRNOTAVAIL); 588 } 589 mlptype = tsol_mlp_port_type(zone, IPPROTO_SCTP, 590 port, addrtype); 591 if (mlptype != mlptSingle) { 592 if (secpolicy_net_bindmlp(connp-> 593 conn_cred) != 0) { 594 mutex_exit(&tbf->tf_lock); 595 return (EACCES); 596 } 597 /* 598 * If we're binding a shared MLP, then 599 * make sure that this zone is the one 600 * that owns that MLP. Shared MLPs can 601 * be owned by at most one zone. 602 * 603 * No need to handle exclusive-stack 604 * zones since ALL_ZONES only applies 605 * to the shared stack. 606 */ 607 608 if (mlptype == mlptShared && 609 addrtype == mlptShared && 610 connp->conn_zoneid != 611 tsol_mlp_findzone(IPPROTO_SCTP, 612 lport)) { 613 mutex_exit(&tbf->tf_lock); 614 return (EACCES); 615 } 616 connp->conn_mlp_type = mlptype; 617 } 618 } 619 /* 620 * This port is ours. Insert in fanout and mark as 621 * bound to prevent others from getting the port 622 * number. 623 */ 624 sctp->sctp_state = SCTPS_BOUND; 625 sctp->sctp_lport = lport; 626 sctp->sctp_sctph->sh_sport = lport; 627 628 ASSERT(&sctps->sctps_bind_fanout[ 629 SCTP_BIND_HASH(port)] == tbf); 630 sctp_bind_hash_insert(tbf, sctp, 1); 631 632 mutex_exit(&tbf->tf_lock); 633 634 /* 635 * We don't want sctp_next_port_to_try to "inherit" 636 * a port number supplied by the user in a bind. 637 * 638 * This is the only place where sctp_next_port_to_try 639 * is updated. After the update, it may or may not 640 * be in the valid range. 641 */ 642 if (user_specified == 0) 643 sctps->sctps_next_port_to_try = port + 1; 644 645 *allocated_port = port; 646 647 return (0); 648 } 649 650 if ((count == 0) && (user_specified)) { 651 /* 652 * We may have to return an anonymous port. So 653 * get one to start with. 654 */ 655 port = sctp_update_next_port( 656 sctps->sctps_next_port_to_try, 657 zone, sctps); 658 user_specified = 0; 659 } else { 660 port = sctp_update_next_port(port + 1, zone, sctps); 661 } 662 if (port == 0) 663 break; 664 665 /* 666 * Don't let this loop run forever in the case where 667 * all of the anonymous ports are in use. 668 */ 669 } while (++count < loopmax); 670 671 return (bind_to_req_port_only ? EADDRINUSE : EADDRNOTAVAIL); 672 } 673 674 /* 675 * Don't let port fall into the privileged range. 676 * Since the extra privileged ports can be arbitrary we also 677 * ensure that we exclude those from consideration. 678 * sctp_g_epriv_ports is not sorted thus we loop over it until 679 * there are no changes. 680 * 681 * Note: No locks are held when inspecting sctp_g_*epriv_ports 682 * but instead the code relies on: 683 * - the fact that the address of the array and its size never changes 684 * - the atomic assignment of the elements of the array 685 */ 686 in_port_t 687 sctp_update_next_port(in_port_t port, zone_t *zone, sctp_stack_t *sctps) 688 { 689 int i; 690 boolean_t restart = B_FALSE; 691 692 retry: 693 if (port < sctps->sctps_smallest_anon_port) 694 port = sctps->sctps_smallest_anon_port; 695 696 if (port > sctps->sctps_largest_anon_port) { 697 if (restart) 698 return (0); 699 restart = B_TRUE; 700 port = sctps->sctps_smallest_anon_port; 701 } 702 703 if (port < sctps->sctps_smallest_nonpriv_port) 704 port = sctps->sctps_smallest_nonpriv_port; 705 706 for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) { 707 if (port == sctps->sctps_g_epriv_ports[i]) { 708 port++; 709 /* 710 * Make sure whether the port is in the 711 * valid range. 712 * 713 * XXX Note that if sctp_g_epriv_ports contains 714 * all the anonymous ports this will be an 715 * infinite loop. 716 */ 717 goto retry; 718 } 719 } 720 721 if (is_system_labeled() && 722 (i = tsol_next_port(zone, port, IPPROTO_SCTP, B_TRUE)) != 0) { 723 port = i; 724 goto retry; 725 } 726 727 return (port); 728 } 729