xref: /titanic_41/usr/src/uts/common/inet/sctp/sctp_bind.c (revision 9c9af2590af49bb395bc8d2eace0f2d4ea16d165)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/types.h>
30 #include <sys/systm.h>
31 #include <sys/stream.h>
32 #include <sys/cmn_err.h>
33 #include <sys/kmem.h>
34 #define	_SUN_TPI_VERSION 2
35 #include <sys/tihdr.h>
36 #include <sys/stropts.h>
37 #include <sys/socket.h>
38 #include <sys/random.h>
39 #include <sys/policy.h>
40 #include <sys/tsol/tndb.h>
41 #include <sys/tsol/tnet.h>
42 
43 #include <netinet/in.h>
44 #include <netinet/ip6.h>
45 
46 #include <inet/common.h>
47 #include <inet/ip.h>
48 #include <inet/ip6.h>
49 #include <inet/ipclassifier.h>
50 #include "sctp_impl.h"
51 #include "sctp_asconf.h"
52 #include "sctp_addr.h"
53 
54 /*
55  * Returns 0 on success, EACCES on permission failure.
56  */
57 static int
58 sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
59 {
60 	sctp_stack_t	*sctps = sctp->sctp_sctps;
61 
62 	/*
63 	 * Get a valid port (within the anonymous range and should not
64 	 * be a privileged one) to use if the user has not given a port.
65 	 * If multiple threads are here, they may all start with
66 	 * with the same initial port. But, it should be fine as long as
67 	 * sctp_bindi will ensure that no two threads will be assigned
68 	 * the same port.
69 	 */
70 	if (*requested_port == 0) {
71 		*requested_port = sctp_update_next_port(
72 		    sctps->sctps_next_port_to_try,
73 		    crgetzone(sctp->sctp_credp), sctps);
74 		if (*requested_port == 0)
75 			return (EACCES);
76 		*user_specified = 0;
77 	} else {
78 		int i;
79 		boolean_t priv = B_FALSE;
80 
81 		/*
82 		 * If the requested_port is in the well-known privileged range,
83 		 * verify that the stream was opened by a privileged user.
84 		 * Note: No locks are held when inspecting sctp_g_*epriv_ports
85 		 * but instead the code relies on:
86 		 * - the fact that the address of the array and its size never
87 		 *   changes
88 		 * - the atomic assignment of the elements of the array
89 		 */
90 		if (*requested_port < sctps->sctps_smallest_nonpriv_port) {
91 			priv = B_TRUE;
92 		} else {
93 			for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
94 				if (*requested_port ==
95 				    sctps->sctps_g_epriv_ports[i]) {
96 					priv = B_TRUE;
97 					break;
98 				}
99 			}
100 		}
101 		if (priv) {
102 			/*
103 			 * sctp_bind() should take a cred_t argument so that
104 			 * we can use it here.
105 			 */
106 			if (secpolicy_net_privaddr(sctp->sctp_credp,
107 			    *requested_port, IPPROTO_SCTP) != 0) {
108 				dprint(1,
109 				    ("sctp_bind(x): no prive for port %d",
110 				    *requested_port));
111 				return (EACCES);
112 			}
113 		}
114 		*user_specified = 1;
115 	}
116 
117 	return (0);
118 }
119 
120 int
121 sctp_listen(sctp_t *sctp)
122 {
123 	sctp_tf_t	*tf;
124 	sctp_stack_t	*sctps = sctp->sctp_sctps;
125 
126 	RUN_SCTP(sctp);
127 	/*
128 	 * TCP handles listen() increasing the backlog, need to check
129 	 * if it should be handled here too
130 	 */
131 	if (sctp->sctp_state > SCTPS_BOUND ||
132 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
133 		WAKE_SCTP(sctp);
134 		return (EINVAL);
135 	}
136 
137 	/* Do an anonymous bind for unbound socket doing listen(). */
138 	if (sctp->sctp_nsaddrs == 0) {
139 		struct sockaddr_storage ss;
140 		int ret;
141 
142 		bzero(&ss, sizeof (ss));
143 		ss.ss_family = sctp->sctp_family;
144 
145 		WAKE_SCTP(sctp);
146 		if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
147 		    sizeof (ss))) != 0)
148 			return (ret);
149 		RUN_SCTP(sctp)
150 	}
151 
152 	sctp->sctp_state = SCTPS_LISTEN;
153 	(void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
154 	sctp->sctp_last_secret_update = lbolt64;
155 	bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
156 	tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
157 	    ntohs(sctp->sctp_lport))];
158 	sctp_listen_hash_insert(tf, sctp);
159 	WAKE_SCTP(sctp);
160 	return (0);
161 }
162 
163 /*
164  * Bind the sctp_t to a sockaddr, which includes an address and other
165  * information, such as port or flowinfo.
166  */
167 int
168 sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
169 {
170 	int		user_specified;
171 	boolean_t	bind_to_req_port_only;
172 	in_port_t	requested_port;
173 	in_port_t	allocated_port;
174 	int		err = 0;
175 
176 	ASSERT(sctp != NULL);
177 	ASSERT(sa);
178 
179 	RUN_SCTP(sctp);
180 
181 	if (sctp->sctp_state > SCTPS_BOUND ||
182 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
183 		err = EINVAL;
184 		goto done;
185 	}
186 
187 	switch (sa->sa_family) {
188 	case AF_INET:
189 		if (len < sizeof (struct sockaddr_in) ||
190 		    sctp->sctp_family == AF_INET6) {
191 			err = EINVAL;
192 			goto done;
193 		}
194 		requested_port = ntohs(((struct sockaddr_in *)sa)->sin_port);
195 		break;
196 	case AF_INET6:
197 		if (len < sizeof (struct sockaddr_in6) ||
198 		    sctp->sctp_family == AF_INET) {
199 			err = EINVAL;
200 			goto done;
201 		}
202 		requested_port = ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
203 		/* Set the flowinfo. */
204 		sctp->sctp_ip6h->ip6_vcf =
205 		    (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
206 		    (((struct sockaddr_in6 *)sa)->sin6_flowinfo &
207 		    ~IPV6_VERS_AND_FLOW_MASK);
208 		break;
209 	default:
210 		err = EAFNOSUPPORT;
211 		goto done;
212 	}
213 	bind_to_req_port_only = requested_port == 0 ? B_FALSE : B_TRUE;
214 
215 	err = sctp_select_port(sctp, &requested_port, &user_specified);
216 	if (err != 0)
217 		goto done;
218 
219 	if ((err = sctp_bind_add(sctp, sa, 1, B_TRUE,
220 	    user_specified == 1 ? htons(requested_port) : 0)) != 0) {
221 		goto done;
222 	}
223 	err = sctp_bindi(sctp, requested_port, bind_to_req_port_only,
224 	    user_specified, &allocated_port);
225 	if (err != 0) {
226 		sctp_free_saddrs(sctp);
227 	} else {
228 		ASSERT(sctp->sctp_state == SCTPS_BOUND);
229 	}
230 done:
231 	WAKE_SCTP(sctp);
232 	return (err);
233 }
234 
235 /*
236  * Perform bind/unbind operation of a list of addresses on a sctp_t
237  */
238 int
239 sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop)
240 {
241 	ASSERT(sctp != NULL);
242 	ASSERT(addrs != NULL);
243 	ASSERT(addrcnt > 0);
244 
245 	switch (bindop) {
246 	case SCTP_BINDX_ADD_ADDR:
247 		return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE,
248 		    sctp->sctp_lport));
249 	case SCTP_BINDX_REM_ADDR:
250 		return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE));
251 	default:
252 		return (EINVAL);
253 	}
254 }
255 
256 /*
257  * Add a list of addresses to a sctp_t.
258  */
259 int
260 sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
261     boolean_t caller_hold_lock, in_port_t port)
262 {
263 	int		err = 0;
264 	boolean_t	do_asconf = B_FALSE;
265 	sctp_stack_t	*sctps = sctp->sctp_sctps;
266 
267 	if (!caller_hold_lock)
268 		RUN_SCTP(sctp);
269 
270 	if (sctp->sctp_state > SCTPS_ESTABLISHED ||
271 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
272 		if (!caller_hold_lock)
273 			WAKE_SCTP(sctp);
274 		return (EINVAL);
275 	}
276 
277 	if (sctp->sctp_state > SCTPS_LISTEN) {
278 		/*
279 		 * Let's do some checking here rather than undoing the
280 		 * add later (for these reasons).
281 		 */
282 		if (!sctps->sctps_addip_enabled ||
283 		    !sctp->sctp_understands_asconf ||
284 		    !sctp->sctp_understands_addip) {
285 			if (!caller_hold_lock)
286 				WAKE_SCTP(sctp);
287 			return (EINVAL);
288 		}
289 		do_asconf = B_TRUE;
290 	}
291 	/*
292 	 * On a clustered node, for an inaddr_any bind, we will pass the list
293 	 * of all the addresses in the global list, minus any address on the
294 	 * loopback interface, and expect the clustering susbsystem to give us
295 	 * the correct list for the 'port'. For explicit binds we give the
296 	 * list of addresses  and the clustering module validates it for the
297 	 * 'port'.
298 	 *
299 	 * On a non-clustered node, cl_sctp_check_addrs will be NULL and
300 	 * we proceed as usual.
301 	 */
302 	if (cl_sctp_check_addrs != NULL) {
303 		uchar_t		*addrlist = NULL;
304 		size_t		size = 0;
305 		int		unspec = 0;
306 		boolean_t	do_listen;
307 		uchar_t		*llist = NULL;
308 		size_t		lsize = 0;
309 
310 		/*
311 		 * If we are adding addresses after listening, but before
312 		 * an association is established, we need to update the
313 		 * clustering module with this info.
314 		 */
315 		do_listen = !do_asconf && sctp->sctp_state > SCTPS_BOUND &&
316 		    cl_sctp_listen != NULL;
317 
318 		err = sctp_get_addrlist(sctp, addrs, &addrcnt, &addrlist,
319 		    &unspec, &size);
320 		if (err != 0) {
321 			ASSERT(addrlist == NULL);
322 			ASSERT(addrcnt == 0);
323 			ASSERT(size == 0);
324 			if (!caller_hold_lock)
325 				WAKE_SCTP(sctp);
326 			SCTP_KSTAT(sctps, sctp_cl_check_addrs);
327 			return (err);
328 		}
329 		ASSERT(addrlist != NULL);
330 		(*cl_sctp_check_addrs)(sctp->sctp_family, port, &addrlist,
331 		    size, &addrcnt, unspec == 1);
332 		if (addrcnt == 0) {
333 			/* We free the list */
334 			kmem_free(addrlist, size);
335 			if (!caller_hold_lock)
336 				WAKE_SCTP(sctp);
337 			return (EINVAL);
338 		}
339 		if (do_listen) {
340 			lsize = sizeof (in6_addr_t) * addrcnt;
341 			llist = kmem_alloc(lsize, KM_SLEEP);
342 		}
343 		err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist,
344 		    lsize);
345 		if (err == 0 && do_listen) {
346 			(*cl_sctp_listen)(sctp->sctp_family, llist,
347 			    addrcnt, sctp->sctp_lport);
348 			/* list will be freed by the clustering module */
349 		} else if (err != 0 && llist != NULL) {
350 			kmem_free(llist, lsize);
351 		}
352 		/* free the list we allocated */
353 		kmem_free(addrlist, size);
354 	} else {
355 		err = sctp_valid_addr_list(sctp, addrs, addrcnt, NULL, 0);
356 	}
357 	if (err != 0) {
358 		if (!caller_hold_lock)
359 			WAKE_SCTP(sctp);
360 		return (err);
361 	}
362 	/* Need to send  ASCONF messages */
363 	if (do_asconf) {
364 		err = sctp_add_ip(sctp, addrs, addrcnt);
365 		if (err != 0) {
366 			sctp_del_saddr_list(sctp, addrs, addrcnt, B_FALSE);
367 			if (!caller_hold_lock)
368 				WAKE_SCTP(sctp);
369 			return (err);
370 		}
371 	}
372 	if (!caller_hold_lock)
373 		WAKE_SCTP(sctp);
374 	if (do_asconf)
375 		sctp_process_sendq(sctp);
376 	return (0);
377 }
378 
379 /*
380  * Remove one or more addresses bound to the sctp_t.
381  */
382 int
383 sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
384     boolean_t caller_hold_lock)
385 {
386 	int		error = 0;
387 	boolean_t	do_asconf = B_FALSE;
388 	uchar_t		*ulist = NULL;
389 	size_t		usize = 0;
390 	sctp_stack_t	*sctps = sctp->sctp_sctps;
391 
392 	if (!caller_hold_lock)
393 		RUN_SCTP(sctp);
394 
395 	if (sctp->sctp_state > SCTPS_ESTABLISHED ||
396 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
397 		if (!caller_hold_lock)
398 			WAKE_SCTP(sctp);
399 		return (EINVAL);
400 	}
401 	/*
402 	 * Fail the remove if we are beyond listen, but can't send this
403 	 * to the peer.
404 	 */
405 	if (sctp->sctp_state > SCTPS_LISTEN) {
406 		if (!sctps->sctps_addip_enabled ||
407 		    !sctp->sctp_understands_asconf ||
408 		    !sctp->sctp_understands_addip) {
409 			if (!caller_hold_lock)
410 				WAKE_SCTP(sctp);
411 			return (EINVAL);
412 		}
413 		do_asconf = B_TRUE;
414 	}
415 
416 	/* Can't delete the last address nor all of the addresses */
417 	if (sctp->sctp_nsaddrs == 1 || addrcnt >= sctp->sctp_nsaddrs) {
418 		if (!caller_hold_lock)
419 			WAKE_SCTP(sctp);
420 		return (EINVAL);
421 	}
422 
423 	if (cl_sctp_unlisten != NULL && !do_asconf &&
424 	    sctp->sctp_state > SCTPS_BOUND) {
425 		usize = sizeof (in6_addr_t) * addrcnt;
426 		ulist = kmem_alloc(usize, KM_SLEEP);
427 	}
428 
429 	error = sctp_del_ip(sctp, addrs, addrcnt, ulist, usize);
430 	if (error != 0) {
431 		if (ulist != NULL)
432 			kmem_free(ulist, usize);
433 		if (!caller_hold_lock)
434 			WAKE_SCTP(sctp);
435 		return (error);
436 	}
437 	/* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */
438 	if (ulist != NULL) {
439 		ASSERT(cl_sctp_unlisten != NULL);
440 		(*cl_sctp_unlisten)(sctp->sctp_family, ulist, addrcnt,
441 		    sctp->sctp_lport);
442 		/* ulist will be freed by the clustering module */
443 	}
444 	if (!caller_hold_lock)
445 		WAKE_SCTP(sctp);
446 	if (do_asconf)
447 		sctp_process_sendq(sctp);
448 	return (error);
449 }
450 
451 /*
452  * Returns 0 for success, errno value otherwise.
453  *
454  * If the "bind_to_req_port_only" parameter is set and the requested port
455  * number is available, then set allocated_port to it.  If not available,
456  * return an error.
457  *
458  * If the "bind_to_req_port_only" parameter is not set and the requested port
459  * number is available, then set allocated_port to it.  If not available,
460  * find the first anonymous port we can and set allocated_port to that.  If no
461  * anonymous ports are available, return an error.
462  *
463  * In either case, when succeeding, update the sctp_t to record the port number
464  * and insert it in the bind hash table.
465  */
466 int
467 sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
468     int user_specified, in_port_t *allocated_port)
469 {
470 	/* number of times we have run around the loop */
471 	int count = 0;
472 	/* maximum number of times to run around the loop */
473 	int loopmax;
474 	zoneid_t zoneid = sctp->sctp_zoneid;
475 	zone_t *zone = crgetzone(sctp->sctp_credp);
476 	sctp_stack_t	*sctps = sctp->sctp_sctps;
477 
478 	/*
479 	 * Lookup for free addresses is done in a loop and "loopmax"
480 	 * influences how long we spin in the loop
481 	 */
482 	if (bind_to_req_port_only) {
483 		/*
484 		 * If the requested port is busy, don't bother to look
485 		 * for a new one. Setting loop maximum count to 1 has
486 		 * that effect.
487 		 */
488 		loopmax = 1;
489 	} else {
490 		/*
491 		 * If the requested port is busy, look for a free one
492 		 * in the anonymous port range.
493 		 * Set loopmax appropriately so that one does not look
494 		 * forever in the case all of the anonymous ports are in use.
495 		 */
496 		loopmax = (sctps->sctps_largest_anon_port -
497 		    sctps->sctps_smallest_anon_port + 1);
498 	}
499 	do {
500 		uint16_t	lport;
501 		sctp_tf_t	*tbf;
502 		sctp_t		*lsctp;
503 		int		addrcmp;
504 
505 		lport = htons(port);
506 
507 		/*
508 		 * Ensure that the sctp_t is not currently in the bind hash.
509 		 * Hold the lock on the hash bucket to ensure that
510 		 * the duplicate check plus the insertion is an atomic
511 		 * operation.
512 		 *
513 		 * This function does an inline lookup on the bind hash list
514 		 * Make sure that we access only members of sctp_t
515 		 * and that we don't look at sctp_sctp, since we are not
516 		 * doing a SCTPB_REFHOLD. For more details please see the notes
517 		 * in sctp_compress()
518 		 */
519 		sctp_bind_hash_remove(sctp);
520 		tbf = &sctps->sctps_bind_fanout[SCTP_BIND_HASH(port)];
521 		mutex_enter(&tbf->tf_lock);
522 		for (lsctp = tbf->tf_sctp; lsctp != NULL;
523 		    lsctp = lsctp->sctp_bind_hash) {
524 
525 			if (lport != lsctp->sctp_lport ||
526 			    lsctp->sctp_state < SCTPS_BOUND)
527 				continue;
528 
529 			/*
530 			 * On a labeled system, we must treat bindings to ports
531 			 * on shared IP addresses by sockets with MAC exemption
532 			 * privilege as being in all zones, as there's
533 			 * otherwise no way to identify the right receiver.
534 			 */
535 			if (lsctp->sctp_zoneid != zoneid &&
536 			    !lsctp->sctp_mac_exempt && !sctp->sctp_mac_exempt)
537 				continue;
538 
539 			addrcmp = sctp_compare_saddrs(sctp, lsctp);
540 			if (addrcmp != SCTP_ADDR_DISJOINT) {
541 				if (!sctp->sctp_reuseaddr) {
542 					/* in use */
543 					break;
544 				} else if (lsctp->sctp_state == SCTPS_BOUND ||
545 				    lsctp->sctp_state == SCTPS_LISTEN) {
546 					/*
547 					 * socket option SO_REUSEADDR is set
548 					 * on the binding sctp_t.
549 					 *
550 					 * We have found a match of IP source
551 					 * address and source port, which is
552 					 * refused regardless of the
553 					 * SO_REUSEADDR setting, so we break.
554 					 */
555 					break;
556 				}
557 			}
558 		}
559 		if (lsctp != NULL) {
560 			/* The port number is busy */
561 			mutex_exit(&tbf->tf_lock);
562 		} else {
563 			conn_t *connp = sctp->sctp_connp;
564 
565 			if (is_system_labeled()) {
566 				mlp_type_t addrtype, mlptype;
567 
568 				/*
569 				 * On a labeled system we must check the type
570 				 * of the binding requested by the user (either
571 				 * MLP or SLP on shared and private addresses),
572 				 * and that the user's requested binding
573 				 * is permitted.
574 				 */
575 				addrtype = tsol_mlp_addr_type(zone->zone_id,
576 				    sctp->sctp_ipversion,
577 				    sctp->sctp_ipversion == IPV4_VERSION ?
578 				    (void *)&sctp->sctp_ipha->ipha_src :
579 				    (void *)&sctp->sctp_ip6h->ip6_src,
580 				    sctps->sctps_netstack->netstack_ip);
581 
582 				/*
583 				 * tsol_mlp_addr_type returns the possibilities
584 				 * for the selected address.  Since all local
585 				 * addresses are either private or shared, the
586 				 * return value mlptSingle means "local address
587 				 * not valid (interface not present)."
588 				 */
589 				if (addrtype == mlptSingle) {
590 					mutex_exit(&tbf->tf_lock);
591 					return (EADDRNOTAVAIL);
592 				}
593 				mlptype = tsol_mlp_port_type(zone, IPPROTO_SCTP,
594 				    port, addrtype);
595 				if (mlptype != mlptSingle) {
596 					if (secpolicy_net_bindmlp(connp->
597 					    conn_cred) != 0) {
598 						mutex_exit(&tbf->tf_lock);
599 						return (EACCES);
600 					}
601 					/*
602 					 * If we're binding a shared MLP, then
603 					 * make sure that this zone is the one
604 					 * that owns that MLP.  Shared MLPs can
605 					 * be owned by at most one zone.
606 					 *
607 					 * No need to handle exclusive-stack
608 					 * zones since ALL_ZONES only applies
609 					 * to the shared stack.
610 					 */
611 
612 					if (mlptype == mlptShared &&
613 					    addrtype == mlptShared &&
614 					    connp->conn_zoneid !=
615 					    tsol_mlp_findzone(IPPROTO_SCTP,
616 					    lport)) {
617 						mutex_exit(&tbf->tf_lock);
618 						return (EACCES);
619 					}
620 					connp->conn_mlp_type = mlptype;
621 				}
622 			}
623 			/*
624 			 * This port is ours. Insert in fanout and mark as
625 			 * bound to prevent others from getting the port
626 			 * number.
627 			 */
628 			sctp->sctp_state = SCTPS_BOUND;
629 			sctp->sctp_lport = lport;
630 			sctp->sctp_sctph->sh_sport = lport;
631 
632 			ASSERT(&sctps->sctps_bind_fanout[
633 			    SCTP_BIND_HASH(port)] == tbf);
634 			sctp_bind_hash_insert(tbf, sctp, 1);
635 
636 			mutex_exit(&tbf->tf_lock);
637 
638 			/*
639 			 * We don't want sctp_next_port_to_try to "inherit"
640 			 * a port number supplied by the user in a bind.
641 			 *
642 			 * This is the only place where sctp_next_port_to_try
643 			 * is updated. After the update, it may or may not
644 			 * be in the valid range.
645 			 */
646 			if (user_specified == 0)
647 				sctps->sctps_next_port_to_try = port + 1;
648 
649 			*allocated_port = port;
650 
651 			return (0);
652 		}
653 
654 		if ((count == 0) && (user_specified)) {
655 			/*
656 			 * We may have to return an anonymous port. So
657 			 * get one to start with.
658 			 */
659 			port = sctp_update_next_port(
660 			    sctps->sctps_next_port_to_try,
661 			    zone, sctps);
662 			user_specified = 0;
663 		} else {
664 			port = sctp_update_next_port(port + 1, zone, sctps);
665 		}
666 		if (port == 0)
667 			break;
668 
669 		/*
670 		 * Don't let this loop run forever in the case where
671 		 * all of the anonymous ports are in use.
672 		 */
673 	} while (++count < loopmax);
674 
675 	return (bind_to_req_port_only ? EADDRINUSE : EADDRNOTAVAIL);
676 }
677 
678 /*
679  * Don't let port fall into the privileged range.
680  * Since the extra privileged ports can be arbitrary we also
681  * ensure that we exclude those from consideration.
682  * sctp_g_epriv_ports is not sorted thus we loop over it until
683  * there are no changes.
684  *
685  * Note: No locks are held when inspecting sctp_g_*epriv_ports
686  * but instead the code relies on:
687  * - the fact that the address of the array and its size never changes
688  * - the atomic assignment of the elements of the array
689  */
690 in_port_t
691 sctp_update_next_port(in_port_t port, zone_t *zone, sctp_stack_t *sctps)
692 {
693 	int i;
694 	boolean_t restart = B_FALSE;
695 
696 retry:
697 	if (port < sctps->sctps_smallest_anon_port)
698 		port = sctps->sctps_smallest_anon_port;
699 
700 	if (port > sctps->sctps_largest_anon_port) {
701 		if (restart)
702 			return (0);
703 		restart = B_TRUE;
704 		port = sctps->sctps_smallest_anon_port;
705 	}
706 
707 	if (port < sctps->sctps_smallest_nonpriv_port)
708 		port = sctps->sctps_smallest_nonpriv_port;
709 
710 	for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
711 		if (port == sctps->sctps_g_epriv_ports[i]) {
712 			port++;
713 			/*
714 			 * Make sure whether the port is in the
715 			 * valid range.
716 			 *
717 			 * XXX Note that if sctp_g_epriv_ports contains
718 			 * all the anonymous ports this will be an
719 			 * infinite loop.
720 			 */
721 			goto retry;
722 		}
723 	}
724 
725 	if (is_system_labeled() &&
726 	    (i = tsol_next_port(zone, port, IPPROTO_SCTP, B_TRUE)) != 0) {
727 		port = i;
728 		goto retry;
729 	}
730 
731 	return (port);
732 }
733