xref: /titanic_50/usr/src/uts/common/inet/sctp/sctp_input.c (revision 6a634c9dca3093f3922e4b7ab826d7bdf17bf78e)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/types.h>
#include <sys/systm.h>
#include <sys/stream.h>
#include <sys/cmn_err.h>
#include <sys/kmem.h>
#define	_SUN_TPI_VERSION 2
#include <sys/tihdr.h>
#include <sys/socket.h>
#include <sys/strsun.h>
#include <sys/strsubr.h>

#include <netinet/in.h>
#include <netinet/ip6.h>
#include <netinet/tcp_seq.h>
#include <netinet/sctp.h>

#include <inet/common.h>
#include <inet/ip.h>
#include <inet/ip_if.h>
#include <inet/ip6.h>
#include <inet/mib2.h>
#include <inet/ipclassifier.h>
#include <inet/ipp_common.h>
#include <inet/ipsec_impl.h>
#include <inet/sctp_ip.h>

#include "sctp_impl.h"
#include "sctp_asconf.h"
#include "sctp_addr.h"

static struct kmem_cache *sctp_kmem_set_cache;

/*
 * PR-SCTP comments.
 *
 * When we get a valid Forward TSN chunk, we check the fragment list for this
 * SSN and preceeding SSNs free all them. Further, if this Forward TSN causes
 * the next expected SSN to be present in the stream queue, we deliver any
 * such stranded messages upstream. We also update the SACK info. appropriately.
 * When checking for advancing the cumulative ack (in sctp_cumack()) we must
 * check for abandoned chunks and messages. While traversing the tramsmit
 * list if we come across an abandoned chunk, we can skip the message (i.e.
 * take it out of the (re)transmit list) since this message, and hence this
 * chunk, has been marked abandoned by sctp_rexmit(). If we come across an
 * unsent chunk for a message this now abandoned we need to check if a
 * Forward TSN needs to be sent, this could be a case where we deferred sending
 * a Forward TSN in sctp_get_msg_to_send(). Further, after processing a
 * SACK we check if the Advanced peer ack point can be moved ahead, i.e.
 * if we can send a Forward TSN via sctp_check_abandoned_data().
 */
void
sctp_free_set(sctp_set_t *s)
{
	sctp_set_t *p;

	while (s) {
		p = s->next;
		kmem_cache_free(sctp_kmem_set_cache, s);
		s = p;
	}
}

static void
sctp_ack_add(sctp_set_t **head, uint32_t tsn, int *num)
{
	sctp_set_t *p, *t;

	if (head == NULL || num == NULL)
		return;

	ASSERT(*num >= 0);
	ASSERT((*num == 0 && *head == NULL) || (*num > 0 && *head != NULL));

	if (*head == NULL) {
		*head = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
		if (*head == NULL)
			return;
		(*head)->prev = (*head)->next = NULL;
		(*head)->begin = tsn;
		(*head)->end = tsn;
		*num = 1;
		return;
	}

	ASSERT((*head)->prev == NULL);

	/*
	 * Handle this special case here so we don't have to check
	 * for it each time in the loop.
	 */
	if (SEQ_LT(tsn + 1, (*head)->begin)) {
		/* add a new set, and move the head pointer */
		t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
		if (t == NULL)
			return;
		t->next = *head;
		t->prev = NULL;
		(*head)->prev = t;
		t->begin = tsn;
		t->end = tsn;
		(*num)++;
		*head = t;
		return;
	}

	/*
	 * We need to handle the following cases, where p points to
	 * the current set (as we walk through the loop):
	 *
	 * 1. tsn is entirely less than p; create a new set before p.
	 * 2. tsn borders p from less; coalesce p with tsn.
	 * 3. tsn is withing p; do nothing.
	 * 4. tsn borders p from greater; coalesce p with tsn.
	 * 4a. p may now border p->next from less; if so, coalesce those
	 *    two sets.
	 * 5. tsn is entirely greater then all sets; add a new set at
	 *    the end.
	 */
	for (p = *head; ; p = p->next) {
		if (SEQ_LT(tsn + 1, p->begin)) {
			/* 1: add a new set before p. */
			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
			if (t == NULL)
				return;
			t->next = p;
			t->prev = NULL;
			t->begin = tsn;
			t->end = tsn;
			if (p->prev) {
				t->prev = p->prev;
				p->prev->next = t;
			}
			p->prev = t;
			(*num)++;
			return;
		}

		if ((tsn + 1) == p->begin) {
			/* 2: adjust p->begin */
			p->begin = tsn;
			return;
		}

		if (SEQ_GEQ(tsn, p->begin) && SEQ_LEQ(tsn, p->end)) {
			/* 3; do nothing */
			return;
		}

		if ((p->end + 1) == tsn) {
			/* 4; adjust p->end */
			p->end = tsn;

			if (p->next != NULL && (tsn + 1) == p->next->begin) {
				/* 4a: coalesce p and p->next */
				t = p->next;
				p->end = t->end;
				p->next = t->next;
				if (t->next != NULL)
					t->next->prev = p;
				kmem_cache_free(sctp_kmem_set_cache, t);
				(*num)--;
			}
			return;
		}

		if (p->next == NULL) {
			/* 5: add new set at the end */
			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
			if (t == NULL)
				return;
			t->next = NULL;
			t->prev = p;
			t->begin = tsn;
			t->end = tsn;
			p->next = t;
			(*num)++;
			return;
		}

		if (SEQ_GT(tsn, p->end + 1))
			continue;
	}
}

static void
sctp_ack_rem(sctp_set_t **head, uint32_t end, int *num)
{
	sctp_set_t *p, *t;

	if (head == NULL || *head == NULL || num == NULL)
		return;

	/* Nothing to remove */
	if (SEQ_LT(end, (*head)->begin))
		return;

	/* Find out where to start removing sets */
	for (p = *head; p->next; p = p->next) {
		if (SEQ_LEQ(end, p->end))
			break;
	}

	if (SEQ_LT(end, p->end) && SEQ_GEQ(end, p->begin)) {
		/* adjust p */
		p->begin = end + 1;
		/* all done */
		if (p == *head)
			return;
	} else if (SEQ_GEQ(end, p->end)) {
		/* remove this set too */
		p = p->next;
	}

	/* unlink everything before this set */
	t = *head;
	*head = p;
	if (p != NULL && p->prev != NULL) {
		p->prev->next = NULL;
		p->prev = NULL;
	}

	sctp_free_set(t);

	/* recount the number of sets */
	*num = 0;

	for (p = *head; p != NULL; p = p->next)
		(*num)++;
}

void
sctp_sets_init()
{
	sctp_kmem_set_cache = kmem_cache_create("sctp_set_cache",
	    sizeof (sctp_set_t), 0, NULL, NULL, NULL, NULL,
	    NULL, 0);
}

void
sctp_sets_fini()
{
	kmem_cache_destroy(sctp_kmem_set_cache);
}

sctp_chunk_hdr_t *
sctp_first_chunk(uchar_t *rptr, ssize_t remaining)
{
	sctp_chunk_hdr_t *ch;
	uint16_t ch_len;

	if (remaining < sizeof (*ch)) {
		return (NULL);
	}

	ch = (sctp_chunk_hdr_t *)rptr;
	ch_len = ntohs(ch->sch_len);

	if (ch_len < sizeof (*ch) || remaining < ch_len) {
		return (NULL);
	}

	return (ch);
}

sctp_chunk_hdr_t *
sctp_next_chunk(sctp_chunk_hdr_t *ch, ssize_t *remaining)
{
	int pad;
	uint16_t ch_len;

	if (!ch) {
		return (NULL);
	}

	ch_len = ntohs(ch->sch_len);

	if ((pad = ch_len & (SCTP_ALIGN - 1)) != 0) {
		pad = SCTP_ALIGN - pad;
	}

	*remaining -= (ch_len + pad);
	ch = (sctp_chunk_hdr_t *)((char *)ch + ch_len + pad);

	return (sctp_first_chunk((uchar_t *)ch, *remaining));
}

/*
 * Attach ancillary data to a received SCTP segments.
 * If the source address (fp) is not the primary, send up a
 * unitdata_ind so recvfrom() can populate the msg_name field.
 * If ancillary data is also requested, we append it to the
 * unitdata_req. Otherwise, we just send up an optdata_ind.
 */
static int
sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
    sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
{
	struct T_unitdata_ind	*tudi;
	int			optlen;
	int			hdrlen;
	uchar_t			*optptr;
	struct cmsghdr		*cmsg;
	mblk_t			*mp1;
	struct sockaddr_in6	sin_buf[1];
	struct sockaddr_in6	*sin6;
	struct sockaddr_in	*sin4;
	crb_t			 addflag;	/* Which pieces to add */
	conn_t			*connp = sctp->sctp_connp;

	sin4 = NULL;
	sin6 = NULL;

	optlen = hdrlen = 0;
	addflag.crb_all = 0;

	/* Figure out address size */
	if (connp->conn_family == AF_INET) {
		sin4 = (struct sockaddr_in *)sin_buf;
		sin4->sin_family = AF_INET;
		sin4->sin_port = connp->conn_fport;
		IN6_V4MAPPED_TO_IPADDR(&fp->sf_faddr, sin4->sin_addr.s_addr);
		hdrlen = sizeof (*tudi) + sizeof (*sin4);
	} else {
		sin6 = sin_buf;
		sin6->sin6_family = AF_INET6;
		sin6->sin6_port = connp->conn_fport;
		sin6->sin6_addr = fp->sf_faddr;
		hdrlen = sizeof (*tudi) + sizeof (*sin6);
	}
	/* If app asked to receive send / recv info */
	if (sctp->sctp_recvsndrcvinfo)
		optlen += sizeof (*cmsg) + sizeof (struct sctp_sndrcvinfo);

	if (connp->conn_recv_ancillary.crb_all == 0)
		goto noancillary;

	if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
	    ira->ira_ruifindex != sctp->sctp_recvifindex) {
		optlen += sizeof (*cmsg) + sizeof (struct in6_pktinfo);
		if (hdrlen == 0)
			hdrlen = sizeof (struct T_unitdata_ind);
		addflag.crb_ip_recvpktinfo = 1;
	}
	/* If app asked for hoplimit and it has changed ... */
	if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
	    ipp->ipp_hoplimit != sctp->sctp_recvhops) {
		optlen += sizeof (*cmsg) + sizeof (uint_t);
		if (hdrlen == 0)
			hdrlen = sizeof (struct T_unitdata_ind);
		addflag.crb_ipv6_recvhoplimit = 1;
	}
	/* If app asked for tclass and it has changed ... */
	if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
	    ipp->ipp_tclass != sctp->sctp_recvtclass) {
		optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
		if (hdrlen == 0)
			hdrlen = sizeof (struct T_unitdata_ind);
		addflag.crb_ipv6_recvtclass = 1;
	}
	/* If app asked for hopbyhop headers and it has changed ... */
	if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
	    ip_cmpbuf(sctp->sctp_hopopts, sctp->sctp_hopoptslen,
	    (ipp->ipp_fields & IPPF_HOPOPTS),
	    ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
		optlen += sizeof (*cmsg) + ipp->ipp_hopoptslen -
		    sctp->sctp_v6label_len;
		if (hdrlen == 0)
			hdrlen = sizeof (struct T_unitdata_ind);
		addflag.crb_ipv6_recvhopopts = 1;
		if (!ip_allocbuf((void **)&sctp->sctp_hopopts,
		    &sctp->sctp_hopoptslen,
		    (ipp->ipp_fields & IPPF_HOPOPTS),
		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
			return (-1);
	}
	/* If app asked for dst headers before routing headers ... */
	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
	    ip_cmpbuf(sctp->sctp_rthdrdstopts, sctp->sctp_rthdrdstoptslen,
	    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
	    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
		optlen += sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
		if (hdrlen == 0)
			hdrlen = sizeof (struct T_unitdata_ind);
		addflag.crb_ipv6_recvrthdrdstopts = 1;
		if (!ip_allocbuf((void **)&sctp->sctp_rthdrdstopts,
		    &sctp->sctp_rthdrdstoptslen,
		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
			return (-1);
	}
	/* If app asked for routing headers and it has changed ... */
	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
	    ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
	    (ipp->ipp_fields & IPPF_RTHDR),
	    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
		optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
		if (hdrlen == 0)
			hdrlen = sizeof (struct T_unitdata_ind);
		addflag.crb_ipv6_recvrthdr = 1;
		if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
		    &sctp->sctp_rthdrlen,
		    (ipp->ipp_fields & IPPF_RTHDR),
		    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
			return (-1);
	}
	/* If app asked for dest headers and it has changed ... */
	if (connp->conn_recv_ancillary.crb_ipv6_recvdstopts &&
	    ip_cmpbuf(sctp->sctp_dstopts, sctp->sctp_dstoptslen,
	    (ipp->ipp_fields & IPPF_DSTOPTS),
	    ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
		optlen += sizeof (*cmsg) + ipp->ipp_dstoptslen;
		if (hdrlen == 0)
			hdrlen = sizeof (struct T_unitdata_ind);
		addflag.crb_ipv6_recvdstopts = 1;
		if (!ip_allocbuf((void **)&sctp->sctp_dstopts,
		    &sctp->sctp_dstoptslen,
		    (ipp->ipp_fields & IPPF_DSTOPTS),
		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
			return (-1);
	}
noancillary:
	/* Nothing to add */
	if (hdrlen == 0)
		return (-1);

	mp1 = allocb(hdrlen + optlen + sizeof (void *), BPRI_MED);
	if (mp1 == NULL)
		return (-1);
	mp1->b_cont = *mp;
	*mp = mp1;
	mp1->b_rptr += sizeof (void *);  /* pointer worth of padding */
	mp1->b_wptr = mp1->b_rptr + hdrlen + optlen;
	DB_TYPE(mp1) = M_PROTO;
	tudi = (struct T_unitdata_ind *)mp1->b_rptr;
	tudi->PRIM_type = T_UNITDATA_IND;
	tudi->SRC_length = sin4 ? sizeof (*sin4) : sizeof (*sin6);
	tudi->SRC_offset = sizeof (*tudi);
	tudi->OPT_offset = sizeof (*tudi) + tudi->SRC_length;
	tudi->OPT_length = optlen;
	if (sin4) {
		bcopy(sin4, tudi + 1, sizeof (*sin4));
	} else {
		bcopy(sin6, tudi + 1, sizeof (*sin6));
	}
	optptr = (uchar_t *)tudi + tudi->OPT_offset;

	if (sctp->sctp_recvsndrcvinfo) {
		/* XXX need backout method if memory allocation fails. */
		struct sctp_sndrcvinfo *sri;

		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_SCTP;
		cmsg->cmsg_type = SCTP_SNDRCV;
		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*sri);
		optptr += sizeof (*cmsg);

		sri = (struct sctp_sndrcvinfo *)(cmsg + 1);
		ASSERT(OK_32PTR(sri));
		sri->sinfo_stream = ntohs(dcp->sdh_sid);
		sri->sinfo_ssn = ntohs(dcp->sdh_ssn);
		if (SCTP_DATA_GET_UBIT(dcp)) {
			sri->sinfo_flags = MSG_UNORDERED;
		} else {
			sri->sinfo_flags = 0;
		}
		sri->sinfo_ppid = dcp->sdh_payload_id;
		sri->sinfo_context = 0;
		sri->sinfo_timetolive = 0;
		sri->sinfo_tsn = ntohl(dcp->sdh_tsn);
		sri->sinfo_cumtsn = sctp->sctp_ftsn;
		sri->sinfo_assoc_id = 0;

		optptr += sizeof (*sri);
	}

	/*
	 * If app asked for pktinfo and the index has changed ...
	 * Note that the local address never changes for the connection.
	 */
	if (addflag.crb_ip_recvpktinfo) {
		struct in6_pktinfo *pkti;
		uint_t ifindex;

		ifindex = ira->ira_ruifindex;
		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_IPV6;
		cmsg->cmsg_type = IPV6_PKTINFO;
		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*pkti);
		optptr += sizeof (*cmsg);

		pkti = (struct in6_pktinfo *)optptr;
		if (connp->conn_family == AF_INET6)
			pkti->ipi6_addr = sctp->sctp_ip6h->ip6_src;
		else
			IN6_IPADDR_TO_V4MAPPED(sctp->sctp_ipha->ipha_src,
			    &pkti->ipi6_addr);

		pkti->ipi6_ifindex = ifindex;
		optptr += sizeof (*pkti);
		ASSERT(OK_32PTR(optptr));
		/* Save as "last" value */
		sctp->sctp_recvifindex = ifindex;
	}
	/* If app asked for hoplimit and it has changed ... */
	if (addflag.crb_ipv6_recvhoplimit) {
		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_IPV6;
		cmsg->cmsg_type = IPV6_HOPLIMIT;
		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
		optptr += sizeof (*cmsg);

		*(uint_t *)optptr = ipp->ipp_hoplimit;
		optptr += sizeof (uint_t);
		ASSERT(OK_32PTR(optptr));
		/* Save as "last" value */
		sctp->sctp_recvhops = ipp->ipp_hoplimit;
	}
	/* If app asked for tclass and it has changed ... */
	if (addflag.crb_ipv6_recvtclass) {
		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_IPV6;
		cmsg->cmsg_type = IPV6_TCLASS;
		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
		optptr += sizeof (*cmsg);

		*(uint_t *)optptr = ipp->ipp_tclass;
		optptr += sizeof (uint_t);
		ASSERT(OK_32PTR(optptr));
		/* Save as "last" value */
		sctp->sctp_recvtclass = ipp->ipp_tclass;
	}
	if (addflag.crb_ipv6_recvhopopts) {
		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_IPV6;
		cmsg->cmsg_type = IPV6_HOPOPTS;
		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_hopoptslen;
		optptr += sizeof (*cmsg);

		bcopy(ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
		optptr += ipp->ipp_hopoptslen;
		ASSERT(OK_32PTR(optptr));
		/* Save as last value */
		ip_savebuf((void **)&sctp->sctp_hopopts,
		    &sctp->sctp_hopoptslen,
		    (ipp->ipp_fields & IPPF_HOPOPTS),
		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
	}
	if (addflag.crb_ipv6_recvrthdrdstopts) {
		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_IPV6;
		cmsg->cmsg_type = IPV6_RTHDRDSTOPTS;
		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
		optptr += sizeof (*cmsg);

		bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
		optptr += ipp->ipp_rthdrdstoptslen;
		ASSERT(OK_32PTR(optptr));
		/* Save as last value */
		ip_savebuf((void **)&sctp->sctp_rthdrdstopts,
		    &sctp->sctp_rthdrdstoptslen,
		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
	}
	if (addflag.crb_ipv6_recvrthdr) {
		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_IPV6;
		cmsg->cmsg_type = IPV6_RTHDR;
		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrlen;
		optptr += sizeof (*cmsg);

		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
		optptr += ipp->ipp_rthdrlen;
		ASSERT(OK_32PTR(optptr));
		/* Save as last value */
		ip_savebuf((void **)&sctp->sctp_rthdr,
		    &sctp->sctp_rthdrlen,
		    (ipp->ipp_fields & IPPF_RTHDR),
		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
	}
	if (addflag.crb_ipv6_recvdstopts) {
		cmsg = (struct cmsghdr *)optptr;
		cmsg->cmsg_level = IPPROTO_IPV6;
		cmsg->cmsg_type = IPV6_DSTOPTS;
		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_dstoptslen;
		optptr += sizeof (*cmsg);

		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
		optptr += ipp->ipp_dstoptslen;
		ASSERT(OK_32PTR(optptr));
		/* Save as last value */
		ip_savebuf((void **)&sctp->sctp_dstopts,
		    &sctp->sctp_dstoptslen,
		    (ipp->ipp_fields & IPPF_DSTOPTS),
		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
	}

	ASSERT(optptr == mp1->b_wptr);

	return (0);
}

void
sctp_free_reass(sctp_instr_t *sip)
{
	mblk_t *mp, *mpnext, *mctl;
#ifdef	DEBUG
	sctp_reass_t	*srp;
#endif

	for (mp = sip->istr_reass; mp != NULL; mp = mpnext) {
		mpnext = mp->b_next;
		mp->b_next = NULL;
		mp->b_prev = NULL;
		if (DB_TYPE(mp) == M_CTL) {
			mctl = mp;
#ifdef	DEBUG
			srp = (sctp_reass_t *)DB_BASE(mctl);
			/* Partial delivery can leave empty srp */
			ASSERT(mp->b_cont != NULL || srp->sr_got == 0);
#endif
			mp = mp->b_cont;
			mctl->b_cont = NULL;
			freeb(mctl);
		}
		freemsg(mp);
	}
	sip->istr_reass = NULL;
}

/*
 * If the series of data fragments of which dmp is a part is successfully
 * reassembled, the first mblk in the series is returned. dc is adjusted
 * to point at the data chunk in the lead mblk, and b_rptr also points to
 * the data chunk; the following mblk's b_rptr's point at the actual payload.
 *
 * If the series is not yet reassembled, NULL is returned. dc is not changed.
 * XXX should probably move this up into the state machine.
 */

/* Fragment list for un-ordered messages. Partial delivery is not supported */
static mblk_t *
sctp_uodata_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc)
{
	mblk_t		*hmp;
	mblk_t		*begin = NULL;
	mblk_t		*end = NULL;
	sctp_data_hdr_t	*qdc;
	uint32_t	ntsn;
	uint32_t	tsn = ntohl((*dc)->sdh_tsn);
#ifdef	DEBUG
	mblk_t		*mp1;
#endif

	/* First frag. */
	if (sctp->sctp_uo_frags == NULL) {
		sctp->sctp_uo_frags = dmp;
		return (NULL);
	}
	hmp = sctp->sctp_uo_frags;
	/*
	 * Insert the segment according to the TSN, fragmented unordered
	 * chunks are sequenced by TSN.
	 */
	while (hmp != NULL) {
		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
		ntsn = ntohl(qdc->sdh_tsn);
		if (SEQ_GT(ntsn, tsn)) {
			if (hmp->b_prev == NULL) {
				dmp->b_next = hmp;
				hmp->b_prev = dmp;
				sctp->sctp_uo_frags = dmp;
			} else {
				dmp->b_next = hmp;
				dmp->b_prev = hmp->b_prev;
				hmp->b_prev->b_next = dmp;
				hmp->b_prev = dmp;
			}
			break;
		}
		if (hmp->b_next == NULL) {
			hmp->b_next = dmp;
			dmp->b_prev = hmp;
			break;
		}
		hmp = hmp->b_next;
	}
	/* check if we completed a msg */
	if (SCTP_DATA_GET_BBIT(*dc)) {
		begin = dmp;
	} else if (SCTP_DATA_GET_EBIT(*dc)) {
		end = dmp;
	}
	/*
	 * We walk consecutive TSNs backwards till we get a seg. with
	 * the B bit
	 */
	if (begin == NULL) {
		for (hmp = dmp->b_prev; hmp != NULL; hmp = hmp->b_prev) {
			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
			ntsn = ntohl(qdc->sdh_tsn);
			if ((int32_t)(tsn - ntsn) > 1) {
				return (NULL);
			}
			if (SCTP_DATA_GET_BBIT(qdc)) {
				begin = hmp;
				break;
			}
			tsn = ntsn;
		}
	}
	tsn = ntohl((*dc)->sdh_tsn);
	/*
	 * We walk consecutive TSNs till we get a seg. with the E bit
	 */
	if (end == NULL) {
		for (hmp = dmp->b_next; hmp != NULL; hmp = hmp->b_next) {
			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
			ntsn = ntohl(qdc->sdh_tsn);
			if ((int32_t)(ntsn - tsn) > 1) {
				return (NULL);
			}
			if (SCTP_DATA_GET_EBIT(qdc)) {
				end = hmp;
				break;
			}
			tsn = ntsn;
		}
	}
	if (begin == NULL || end == NULL) {
		return (NULL);
	}
	/* Got one!, Remove the msg from the list */
	if (sctp->sctp_uo_frags == begin) {
		ASSERT(begin->b_prev == NULL);
		sctp->sctp_uo_frags = end->b_next;
		if (end->b_next != NULL)
			end->b_next->b_prev = NULL;
	} else {
		begin->b_prev->b_next = end->b_next;
		if (end->b_next != NULL)
			end->b_next->b_prev = begin->b_prev;
	}
	begin->b_prev = NULL;
	end->b_next = NULL;

	/*
	 * Null out b_next and b_prev and chain using b_cont.
	 */
	dmp = end = begin;
	hmp = begin->b_next;
	*dc = (sctp_data_hdr_t *)begin->b_rptr;
	begin->b_next = NULL;
	while (hmp != NULL) {
		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
		hmp->b_rptr = (uchar_t *)(qdc + 1);
		end = hmp->b_next;
		dmp->b_cont = hmp;
		dmp = hmp;

		if (end != NULL)
			hmp->b_next = NULL;
		hmp->b_prev = NULL;
		hmp = end;
	}
	BUMP_LOCAL(sctp->sctp_reassmsgs);
#ifdef	DEBUG
	mp1 = begin;
	while (mp1 != NULL) {
		ASSERT(mp1->b_next == NULL);
		ASSERT(mp1->b_prev == NULL);
		mp1 = mp1->b_cont;
	}
#endif
	return (begin);
}

/*
 * Try partial delivery.
 */
static mblk_t *
sctp_try_partial_delivery(sctp_t *sctp, mblk_t *hmp, sctp_reass_t *srp,
    sctp_data_hdr_t **dc)
{
	mblk_t		*mp;
	mblk_t		*dmp;
	mblk_t		*qmp;
	mblk_t		*prev;
	sctp_data_hdr_t	*qdc;
	uint32_t	tsn;

	ASSERT(DB_TYPE(hmp) == M_CTL);

	dprint(4, ("trypartial: got=%d, needed=%d\n",
	    (int)(srp->sr_got), (int)(srp->sr_needed)));

	mp = hmp->b_cont;
	qdc = (sctp_data_hdr_t *)mp->b_rptr;

	ASSERT(SCTP_DATA_GET_BBIT(qdc) && srp->sr_hasBchunk);

	tsn = ntohl(qdc->sdh_tsn) + 1;

	/*
	 * This loop has two exit conditions: the
	 * end of received chunks has been reached, or
	 * there is a break in the sequence. We want
	 * to chop the reassembly list as follows (the
	 * numbers are TSNs):
	 *   10 -> 11 -> 	(end of chunks)
	 *   10 -> 11 -> | 13   (break in sequence)
	 */
	prev = mp;
	mp = mp->b_cont;
	while (mp != NULL) {
		qdc = (sctp_data_hdr_t *)mp->b_rptr;
		if (ntohl(qdc->sdh_tsn) != tsn)
			break;
		prev = mp;
		mp = mp->b_cont;
		tsn++;
	}
	/*
	 * We are sending all the fragments upstream, we have to retain
	 * the srp info for further fragments.
	 */
	if (mp == NULL) {
		dmp = hmp->b_cont;
		hmp->b_cont = NULL;
		srp->sr_nexttsn = tsn;
		srp->sr_msglen = 0;
		srp->sr_needed = 0;
		srp->sr_got = 0;
		srp->sr_tail = NULL;
	} else {
		/*
		 * There is a gap then some ordered frags which are not
		 * the next deliverable tsn. When the next deliverable
		 * frag arrives it will be set as the new list head in
		 * sctp_data_frag() by setting the B bit.
		 */
		dmp = hmp->b_cont;
		hmp->b_cont = mp;
	}
	srp->sr_hasBchunk = B_FALSE;
	/*
	 * mp now points at the last chunk in the sequence,
	 * and prev points to mp's previous in the list.
	 * We chop the list at prev. Subsequent fragment
	 * deliveries will follow the normal reassembly
	 * path unless they too exceed the sctp_pd_point.
	 */
	prev->b_cont = NULL;
	srp->sr_partial_delivered = B_TRUE;

	dprint(4, ("trypartial: got some, got=%d, needed=%d\n",
	    (int)(srp->sr_got), (int)(srp->sr_needed)));

	/*
	 * Adjust all mblk's except the lead so their rptr's point to the
	 * payload. sctp_data_chunk() will need to process the lead's
	 * data chunk section, so leave it's rptr pointing at the data chunk.
	 */
	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
	if (srp->sr_tail != NULL) {
		srp->sr_got--;
		ASSERT(srp->sr_got != 0);
		if (srp->sr_needed != 0) {
			srp->sr_needed--;
			ASSERT(srp->sr_needed != 0);
		}
		srp->sr_msglen -= ntohs((*dc)->sdh_len);
	}
	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
		qmp->b_rptr = (uchar_t *)(qdc + 1);

		/*
		 * Deduct the balance from got and needed here, now that
		 * we know we are actually delivering these data.
		 */
		if (srp->sr_tail != NULL) {
			srp->sr_got--;
			ASSERT(srp->sr_got != 0);
			if (srp->sr_needed != 0) {
				srp->sr_needed--;
				ASSERT(srp->sr_needed != 0);
			}
			srp->sr_msglen -= ntohs(qdc->sdh_len);
		}
	}
	ASSERT(srp->sr_msglen == 0);
	BUMP_LOCAL(sctp->sctp_reassmsgs);

	return (dmp);
}

/*
 * Handle received fragments for ordered delivery to upper layer protocol.
 * Manage the per message reassembly queue and if this fragment completes
 * reassembly of the message, or qualifies the already reassembled data
 * for partial delivery, prepare the message for delivery upstream.
 *
 * tpfinished in the caller remains set only when the incoming fragment
 * has completed the reassembly of the message associated with its ssn.
 */
static mblk_t *
sctp_data_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc, int *error,
    sctp_instr_t *sip, boolean_t *tpfinished)
{
	mblk_t		*reassq_curr, *reassq_next, *reassq_prev;
	mblk_t		*new_reassq;
	mblk_t		*qmp;
	mblk_t		*first_mp;
	sctp_reass_t	*srp;
	sctp_data_hdr_t	*qdc;
	sctp_data_hdr_t	*bdc;
	sctp_data_hdr_t	*edc;
	uint32_t	tsn;
	uint16_t	fraglen = 0;

	*error = 0;

	/*
	 * Find the reassembly queue for this data chunk, if none
	 * yet exists, a new per message queue will be created and
	 * appended to the end of the list of per message queues.
	 *
	 * sip points on sctp_instr_t representing instream messages
	 * as yet undelivered for this stream (sid) of the association.
	 */
	reassq_next = reassq_prev = sip->istr_reass;
	for (; reassq_next != NULL; reassq_next = reassq_next->b_next) {
		srp = (sctp_reass_t *)DB_BASE(reassq_next);
		if (ntohs((*dc)->sdh_ssn) == srp->sr_ssn) {
			reassq_curr = reassq_next;
			goto foundit;
		} else if (SSN_GT(srp->sr_ssn, ntohs((*dc)->sdh_ssn)))
			break;
		reassq_prev = reassq_next;
	}

	/*
	 * First fragment of this message received, allocate a M_CTL that
	 * will head the reassembly queue for this message. The message
	 * and all its fragments are identified by having the same ssn.
	 *
	 * Arriving fragments will be inserted in tsn order on the
	 * reassembly queue for this message (ssn), linked by b_cont.
	 */
	if ((new_reassq = allocb(sizeof (*srp), BPRI_MED)) == NULL) {
		*error = ENOMEM;
		return (NULL);
	}
	DB_TYPE(new_reassq) = M_CTL;
	srp = (sctp_reass_t *)DB_BASE(new_reassq);
	new_reassq->b_cont = dmp;

	/*
	 * All per ssn reassembly queues, (one for each message) on
	 * this stream are doubly linked by b_next/b_prev back to the
	 * instr_reass of the instream structure associated with this
	 * stream id, (sip is initialized as sctp->sctp_instr[sid]).
	 * Insert the new reassembly queue in the correct (ssn) order.
	 */
	if (reassq_next != NULL) {
		if (sip->istr_reass == reassq_next) {
			/* head insertion */
			sip->istr_reass = new_reassq;
			new_reassq->b_next = reassq_next;
			new_reassq->b_prev = NULL;
			reassq_next->b_prev = new_reassq;
		} else {
			/* mid queue insertion */
			reassq_prev->b_next = new_reassq;
			new_reassq->b_prev = reassq_prev;
			new_reassq->b_next = reassq_next;
			reassq_next->b_prev = new_reassq;
		}
	} else {
		/* place new reassembly queue at the end */
		if (sip->istr_reass == NULL) {
			sip->istr_reass = new_reassq;
			new_reassq->b_prev = NULL;
		} else {
			reassq_prev->b_next = new_reassq;
			new_reassq->b_prev = reassq_prev;
		}
		new_reassq->b_next = NULL;
	}
	srp->sr_partial_delivered = B_FALSE;
	srp->sr_ssn = ntohs((*dc)->sdh_ssn);
	srp->sr_hasBchunk = B_FALSE;
empty_srp:
	srp->sr_needed = 0;
	srp->sr_got = 1;
	/* tail always the highest tsn on the reassembly queue for this ssn */
	srp->sr_tail = dmp;
	if (SCTP_DATA_GET_BBIT(*dc)) {
		/* Incoming frag is flagged as the beginning of message */
		srp->sr_msglen = ntohs((*dc)->sdh_len);
		srp->sr_nexttsn = ntohl((*dc)->sdh_tsn) + 1;
		srp->sr_hasBchunk = B_TRUE;
	} else if (srp->sr_partial_delivered &&
	    srp->sr_nexttsn == ntohl((*dc)->sdh_tsn)) {
		/*
		 * The real beginning fragment of the message was already
		 * delivered upward, so this is the earliest frag expected.
		 * Fake the B-bit then see if this frag also completes the
		 * message.
		 */
		SCTP_DATA_SET_BBIT(*dc);
		srp->sr_hasBchunk = B_TRUE;
		srp->sr_msglen = ntohs((*dc)->sdh_len);
		if (SCTP_DATA_GET_EBIT(*dc)) {
			/* This frag is marked as the end of message */
			srp->sr_needed = 1;
			/* Got all fragments of this message now */
			goto frag_done;
		}
		srp->sr_nexttsn++;
	}

	/* The only fragment of this message currently queued */
	*tpfinished = B_FALSE;
	return (NULL);
foundit:
	/*
	 * This message already has a reassembly queue. Insert the new frag
	 * in the reassembly queue. Try the tail first, on the assumption
	 * that the fragments are arriving in order.
	 */
	qmp = srp->sr_tail;

	/*
	 * A NULL tail means all existing fragments of the message have
	 * been entirely consumed during a partially delivery.
	 */
	if (qmp == NULL) {
		ASSERT(srp->sr_got == 0 && srp->sr_needed == 0 &&
		    srp->sr_partial_delivered);
		ASSERT(reassq_curr->b_cont == NULL);
		reassq_curr->b_cont = dmp;
		goto empty_srp;
	} else {
		/*
		 * If partial delivery did take place but the next arriving
		 * fragment was not the next to be delivered, or partial
		 * delivery broke off due to a gap, fragments remain on the
		 * tail. The next fragment due to be delivered still has to
		 * be set as the new head of list upon arrival. Fake B-bit
		 * on that frag then see if it also completes the message.
		 */
		if (srp->sr_partial_delivered &&
		    srp->sr_nexttsn == ntohl((*dc)->sdh_tsn)) {
			SCTP_DATA_SET_BBIT(*dc);
			srp->sr_hasBchunk = B_TRUE;
			if (SCTP_DATA_GET_EBIT(*dc)) {
				/* Got all fragments of this message now */
				goto frag_done;
			}
		}
	}

	/* grab the frag header of already queued tail frag for comparison */
	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
	ASSERT(qmp->b_cont == NULL);

	/* check if the frag goes on the tail in order */
	if (SEQ_GT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
		qmp->b_cont = dmp;
		srp->sr_tail = dmp;
		dmp->b_cont = NULL;
		if (srp->sr_hasBchunk && srp->sr_nexttsn ==
		    ntohl((*dc)->sdh_tsn)) {
			srp->sr_msglen += ntohs((*dc)->sdh_len);
			srp->sr_nexttsn++;
		}
		goto inserted;
	}

	/* Next check if we should insert this frag at the beginning */
	qmp = reassq_curr->b_cont;
	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
	if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
		dmp->b_cont = qmp;
		reassq_curr->b_cont = dmp;
		if (SCTP_DATA_GET_BBIT(*dc)) {
			srp->sr_hasBchunk = B_TRUE;
			srp->sr_nexttsn = ntohl((*dc)->sdh_tsn);
		}
		goto preinserted;
	}

	/* Insert this frag in it's correct order in the middle */
	for (;;) {
		/* Tail check above should have caught this */
		ASSERT(qmp->b_cont != NULL);

		qdc = (sctp_data_hdr_t *)qmp->b_cont->b_rptr;
		if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
			/* insert here */
			dmp->b_cont = qmp->b_cont;
			qmp->b_cont = dmp;
			break;
		}
		qmp = qmp->b_cont;
	}
preinserted:
	/*
	 * Need head of message and to be due to deliver, otherwise skip
	 * the recalculation of the message length below.
	 */
	if (!srp->sr_hasBchunk || ntohl((*dc)->sdh_tsn) != srp->sr_nexttsn)
		goto inserted;
	/*
	 * fraglen contains the length of consecutive chunks of fragments.
	 * starting from the chunk we just inserted.
	 */
	tsn = srp->sr_nexttsn;
	for (qmp = dmp; qmp != NULL; qmp = qmp->b_cont) {
		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
		if (tsn != ntohl(qdc->sdh_tsn))
			break;
		fraglen += ntohs(qdc->sdh_len);
		tsn++;
	}
	srp->sr_nexttsn = tsn;
	srp->sr_msglen += fraglen;
inserted:
	srp->sr_got++;
	first_mp = reassq_curr->b_cont;
	/* Prior to this frag either the beginning or end frag was missing */
	if (srp->sr_needed == 0) {
		/* used to check if we have the first and last fragments */
		bdc = (sctp_data_hdr_t *)first_mp->b_rptr;
		edc = (sctp_data_hdr_t *)srp->sr_tail->b_rptr;

		/*
		 * If we now have both the beginning and the end of the message,
		 * calculate how many fragments in the complete message.
		 */
		if (SCTP_DATA_GET_BBIT(bdc) && SCTP_DATA_GET_EBIT(edc)) {
			srp->sr_needed = ntohl(edc->sdh_tsn) -
			    ntohl(bdc->sdh_tsn) + 1;
		}
	}

	/*
	 * Try partial delivery if the message length has exceeded the
	 * partial delivery point. Only do this if we can immediately
	 * deliver the partially assembled message, and only partially
	 * deliver one message at a time (i.e. messages cannot be
	 * intermixed arriving at the upper layer).
	 * sctp_try_partial_delivery() will return a message consisting
	 * of only consecutive fragments.
	 */
	if (srp->sr_needed != srp->sr_got) {
		/* we don't have the full message yet */
		dmp = NULL;
		if (ntohl((*dc)->sdh_tsn) <= sctp->sctp_ftsn &&
		    srp->sr_msglen >= sctp->sctp_pd_point &&
		    srp->sr_ssn == sip->nextseq) {
			dmp = sctp_try_partial_delivery(sctp, reassq_curr,
			    srp, dc);
		}
		*tpfinished = B_FALSE;
		/*
		 * NULL unless a segment of the message now qualified for
		 * partial_delivery and has been prepared for delivery by
		 * sctp_try_partial_delivery().
		 */
		return (dmp);
	}
frag_done:
	/*
	 * Reassembly complete for this message, prepare the data for delivery.
	 * First unlink the reassembly queue for this ssn from the list of
	 * messages in reassembly.
	 */
	if (sip->istr_reass == reassq_curr) {
		sip->istr_reass = reassq_curr->b_next;
		if (reassq_curr->b_next)
			reassq_curr->b_next->b_prev = NULL;
	} else {
		ASSERT(reassq_curr->b_prev != NULL);
		reassq_curr->b_prev->b_next = reassq_curr->b_next;
		if (reassq_curr->b_next)
			reassq_curr->b_next->b_prev = reassq_curr->b_prev;
	}

	/*
	 * Need to clean up b_prev and b_next as freeb() will
	 * ASSERT that they are unused.
	 */
	reassq_curr->b_next = NULL;
	reassq_curr->b_prev = NULL;

	dmp = reassq_curr;
	/* point to the head of the reassembled data message */
	dmp = dmp->b_cont;
	reassq_curr->b_cont = NULL;
	freeb(reassq_curr);
	/* Tell our caller that we are returning a complete message. */
	*tpfinished = B_TRUE;

	/*
	 * Adjust all mblk's except the lead so their rptr's point to the
	 * payload. sctp_data_chunk() will need to process the lead's data
	 * data chunk section, so leave its rptr pointing at the data chunk
	 * header.
	 */
	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
		qmp->b_rptr = (uchar_t *)(qdc + 1);
	}
	BUMP_LOCAL(sctp->sctp_reassmsgs);

	return (dmp);
}

static void
sctp_add_dup(uint32_t tsn, mblk_t **dups)
{
	mblk_t *mp;
	size_t bsize = SCTP_DUP_MBLK_SZ * sizeof (tsn);

	if (dups == NULL) {
		return;
	}

	/* first time? */
	if (*dups == NULL) {
		*dups = allocb(bsize, BPRI_MED);
		if (*dups == NULL) {
			return;
		}
	}

	mp = *dups;
	if ((mp->b_wptr - mp->b_rptr) >= bsize) {
		/* maximum reached */
		return;
	}

	/* add the duplicate tsn */
	bcopy(&tsn, mp->b_wptr, sizeof (tsn));
	mp->b_wptr += sizeof (tsn);
	ASSERT((mp->b_wptr - mp->b_rptr) <= bsize);
}

/*
 * All incoming sctp data, complete messages and fragments are handled by
 * this function. Unless the U-bit is set in the data chunk it will be
 * delivered in order or queued until an in-order delivery can be made.
 */
static void
sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
    sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
{
	sctp_data_hdr_t *dc;
	mblk_t *dmp, *pmp;
	sctp_instr_t *instr;
	int ubit;
	int sid;
	int isfrag;
	uint16_t ssn;
	uint32_t oftsn;
	boolean_t can_deliver = B_TRUE;
	uint32_t tsn;
	int dlen;
	boolean_t tpfinished = B_TRUE;
	sctp_stack_t	*sctps = sctp->sctp_sctps;
	int	error;

	/* The following are used multiple times, so we inline them */
#define	SCTP_ACK_IT(sctp, tsn)						\
	if (tsn == sctp->sctp_ftsn) {					\
		dprint(2, ("data_chunk: acking next %x\n", tsn));	\
		(sctp)->sctp_ftsn++;					\
		if ((sctp)->sctp_sack_gaps > 0)				\
			(sctp)->sctp_force_sack = 1;			\
	} else if (SEQ_GT(tsn, sctp->sctp_ftsn)) {			\
		/* Got a gap; record it */				\
		BUMP_LOCAL(sctp->sctp_outseqtsns);			\
		dprint(2, ("data_chunk: acking gap %x\n", tsn));	\
		sctp_ack_add(&sctp->sctp_sack_info, tsn,		\
		    &sctp->sctp_sack_gaps);				\
		sctp->sctp_force_sack = 1;				\
	}

	dmp = NULL;

	dc = (sctp_data_hdr_t *)ch;
	tsn = ntohl(dc->sdh_tsn);

	dprint(3, ("sctp_data_chunk: mp=%p tsn=%x\n", (void *)mp, tsn));

	/* Check for duplicates */
	if (SEQ_LT(tsn, sctp->sctp_ftsn)) {
		dprint(4, ("sctp_data_chunk: dropping duplicate\n"));
		BUMP_LOCAL(sctp->sctp_idupchunks);
		sctp->sctp_force_sack = 1;
		sctp_add_dup(dc->sdh_tsn, dups);
		return;
	}

	/* Check for dups of sack'ed data */
	if (sctp->sctp_sack_info != NULL) {
		sctp_set_t *sp;

		for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
			if (SEQ_GEQ(tsn, sp->begin) && SEQ_LEQ(tsn, sp->end)) {
				dprint(4,
				    ("sctp_data_chunk: dropping dup > "
				    "cumtsn\n"));
				BUMP_LOCAL(sctp->sctp_idupchunks);
				sctp->sctp_force_sack = 1;
				sctp_add_dup(dc->sdh_tsn, dups);
				return;
			}
		}
	}

	/* We can no longer deliver anything up, but still need to handle it. */
	if (SCTP_IS_DETACHED(sctp)) {
		SCTPS_BUMP_MIB(sctps, sctpInClosed);
		can_deliver = B_FALSE;
	}

	dlen = ntohs(dc->sdh_len) - sizeof (*dc);

	/*
	 * Check for buffer space. Note if this is the next expected TSN
	 * we have to take it to avoid deadlock because we cannot deliver
	 * later queued TSNs and thus clear buffer space without it.
	 * We drop anything that is purely zero window probe data here.
	 */
	if ((sctp->sctp_rwnd - sctp->sctp_rxqueued < dlen) &&
	    (tsn != sctp->sctp_ftsn || sctp->sctp_rwnd == 0)) {
		/* Drop and SACK, but don't advance the cumulative TSN. */
		sctp->sctp_force_sack = 1;
		dprint(0, ("sctp_data_chunk: exceed rwnd %d rxqueued %d "
		    "dlen %d ssn %d tsn %x\n", sctp->sctp_rwnd,
		    sctp->sctp_rxqueued, dlen, ntohs(dc->sdh_ssn),
		    ntohl(dc->sdh_tsn)));
		return;
	}

	sid = ntohs(dc->sdh_sid);

	/* Data received for a stream not negotiated for this association */
	if (sid >= sctp->sctp_num_istr) {
		sctp_bsc_t	inval_parm;

		/* Will populate the CAUSE block in the ERROR chunk. */
		inval_parm.bsc_sid = dc->sdh_sid;
		/* RESERVED, ignored at the receiving end */
		inval_parm.bsc_pad = 0;

		/* ack and drop it */
		sctp_add_err(sctp, SCTP_ERR_BAD_SID, (void *)&inval_parm,
		    sizeof (sctp_bsc_t), fp);
		SCTP_ACK_IT(sctp, tsn);
		return;
	}

	/* unordered delivery OK for this data if ubit set */
	ubit = SCTP_DATA_GET_UBIT(dc);
	ASSERT(sctp->sctp_instr != NULL);

	/* select per stream structure for this stream from the array */
	instr = &sctp->sctp_instr[sid];
	/* Initialize the stream, if not yet used */
	if (instr->sctp == NULL)
		instr->sctp = sctp;

	/* Begin and End bit set would mean a complete message */
	isfrag = !(SCTP_DATA_GET_BBIT(dc) && SCTP_DATA_GET_EBIT(dc));

	/* The ssn of this sctp message and of any fragments in it */
	ssn = ntohs(dc->sdh_ssn);

	dmp = dupb(mp);
	if (dmp == NULL) {
		/* drop it and don't ack, let the peer retransmit */
		return;
	}
	/*
	 * Past header and payload, note: the underlying buffer may
	 * contain further chunks from the same incoming IP packet,
	 * if so db_ref will be greater than one.
	 */
	dmp->b_wptr = (uchar_t *)ch + ntohs(ch->sch_len);

	sctp->sctp_rxqueued += dlen;

	oftsn = sctp->sctp_ftsn;

	if (isfrag) {

		error = 0;
		/* fragmented data chunk */
		dmp->b_rptr = (uchar_t *)dc;
		if (ubit) {
			/* prepare data for unordered delivery */
			dmp = sctp_uodata_frag(sctp, dmp, &dc);
#if	DEBUG
			if (dmp != NULL) {
				ASSERT(instr ==
				    &sctp->sctp_instr[sid]);
			}
#endif
		} else {
			/*
			 * Assemble fragments and queue for ordered delivery,
			 * dmp returned is NULL or the head of a complete or
			 * "partial delivery" message. Any returned message
			 * and all its fragments will have the same ssn as the
			 * input fragment currently being handled.
			 */
			dmp = sctp_data_frag(sctp, dmp, &dc, &error, instr,
			    &tpfinished);
		}
		if (error == ENOMEM) {
			/* back out the adjustment made earlier */
			sctp->sctp_rxqueued -= dlen;
			/*
			 * Don't ack the segment,
			 * the peer will retransmit.
			 */
			return;
		}

		if (dmp == NULL) {
			/*
			 * The frag has been queued for later in-order delivery,
			 * but the cumulative TSN may need to advance, so also
			 * need to perform the gap ack checks at the done label.
			 */
			SCTP_ACK_IT(sctp, tsn);
			DTRACE_PROBE4(sctp_data_frag_queued, sctp_t *, sctp,
			    int, sid, int, tsn, uint16_t, ssn);
			goto done;
		}
	}

	/*
	 * Unless message is the next for delivery to the ulp, queue complete
	 * message in the correct order for ordered delivery.
	 * Note: tpfinished is true when the incoming chunk contains a complete
	 * message or is the final missing fragment which completed a message.
	 */
	if (!ubit && tpfinished && ssn != instr->nextseq) {
		/* Adjust rptr to point at the data chunk for compares */
		dmp->b_rptr = (uchar_t *)dc;

		dprint(2,
		    ("data_chunk: inserted %x in pq (ssn %d expected %d)\n",
		    ntohl(dc->sdh_tsn), (int)(ssn), (int)(instr->nextseq)));

		if (instr->istr_msgs == NULL) {
			instr->istr_msgs = dmp;
			ASSERT(dmp->b_prev == NULL && dmp->b_next == NULL);
		} else {
			mblk_t			*imblk = instr->istr_msgs;
			sctp_data_hdr_t		*idc;

			/*
			 * XXXNeed to take sequence wraps into account,
			 * ... and a more efficient insertion algo.
			 */
			for (;;) {
				idc = (sctp_data_hdr_t *)imblk->b_rptr;
				if (SSN_GT(ntohs(idc->sdh_ssn),
				    ntohs(dc->sdh_ssn))) {
					if (instr->istr_msgs == imblk) {
						instr->istr_msgs = dmp;
						dmp->b_next = imblk;
						imblk->b_prev = dmp;
					} else {
						ASSERT(imblk->b_prev != NULL);
						imblk->b_prev->b_next = dmp;
						dmp->b_prev = imblk->b_prev;
						imblk->b_prev = dmp;
						dmp->b_next = imblk;
					}
					break;
				}
				if (imblk->b_next == NULL) {
					imblk->b_next = dmp;
					dmp->b_prev = imblk;
					break;
				}
				imblk = imblk->b_next;
			}
		}
		(instr->istr_nmsgs)++;
		(sctp->sctp_istr_nmsgs)++;
		SCTP_ACK_IT(sctp, tsn);
		DTRACE_PROBE4(sctp_pqueue_completemsg, sctp_t *, sctp,
		    int, sid, int, tsn, uint16_t, ssn);
		return;
	}

	/*
	 * Deliver the data directly. Recalculate dlen now since
	 * we may have just reassembled this data.
	 */
	dlen = dmp->b_wptr - (uchar_t *)dc - sizeof (*dc);
	for (pmp = dmp->b_cont; pmp != NULL; pmp = pmp->b_cont)
		dlen += MBLKL(pmp);
	ASSERT(sctp->sctp_rxqueued >= dlen);

	/* Deliver the message. */
	sctp->sctp_rxqueued -= dlen;

	if (can_deliver) {
		/* step past header to the payload */
		dmp->b_rptr = (uchar_t *)(dc + 1);
		if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
		    ipp, ira) == 0) {
			dprint(1, ("sctp_data_chunk: delivering %lu bytes\n",
			    msgdsize(dmp)));
			/*
			 * We overload the meaning of b_flag for SCTP sockfs
			 * internal use, to advise sockfs of partial delivery
			 * semantics.
			 */
			dmp->b_flag = tpfinished ? 0 : SCTP_PARTIAL_DATA;
			if (sctp->sctp_flowctrld) {
				sctp->sctp_rwnd -= dlen;
				if (sctp->sctp_rwnd < 0)
					sctp->sctp_rwnd = 0;
			}
			if (sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
			    msgdsize(dmp), 0, &error, NULL) <= 0) {
				sctp->sctp_flowctrld = B_TRUE;
			}
			SCTP_ACK_IT(sctp, tsn);
		} else {
			/* No memory don't ack, the peer will retransmit. */
			freemsg(dmp);
			return;
		}
	} else {
		/* Closed above, ack to peer and free the data */
		freemsg(dmp);
		SCTP_ACK_IT(sctp, tsn);
	}

	/*
	 * Data now enqueued, may already have been processed and free'd
	 * by the ULP (or we may have just freed it above, if we could not
	 * deliver), so we must not reference it (this is why we saved the
	 * ssn and ubit earlier).
	 */
	if (ubit != 0) {
		BUMP_LOCAL(sctp->sctp_iudchunks);
		goto done;
	}
	BUMP_LOCAL(sctp->sctp_idchunks);

	/*
	 * There was a partial delivery and it has not finished,
	 * don't pull anything from the pqueues or increment the
	 * nextseq. This msg must complete before starting on
	 * the next ssn and the partial message must have the
	 * same ssn as the next expected message..
	 */
	if (!tpfinished) {
		DTRACE_PROBE4(sctp_partial_delivery, sctp_t *, sctp,
		    int, sid, int, tsn, uint16_t, ssn);
		/*
		 * Verify the partial delivery is part of the
		 * message expected for ordered delivery.
		 */
		if (ssn != instr->nextseq) {
			DTRACE_PROBE4(sctp_partial_delivery_error,
			    sctp_t *, sctp, int, sid, int, tsn,
			    uint16_t, ssn);
			cmn_err(CE_WARN, "sctp partial"
			    " delivery error, sctp 0x%p"
			    " sid = 0x%x ssn != nextseq"
			    " tsn 0x%x ftsn 0x%x"
			    " ssn 0x%x nextseq 0x%x",
			    (void *)sctp, sid,
			    tsn, sctp->sctp_ftsn, ssn,
			    instr->nextseq);
		}

		ASSERT(ssn == instr->nextseq);
		goto done;
	}

	if (ssn != instr->nextseq) {
		DTRACE_PROBE4(sctp_inorder_delivery_error,
		    sctp_t *, sctp, int, sid, int, tsn,
		    uint16_t, ssn);
		cmn_err(CE_WARN, "sctp in-order delivery error, sctp 0x%p "
		    "sid = 0x%x ssn != nextseq ssn 0x%x nextseq 0x%x",
		    (void *)sctp, sid, ssn, instr->nextseq);
	}

	ASSERT(ssn == instr->nextseq);

	DTRACE_PROBE4(sctp_deliver_completemsg, sctp_t *, sctp, int, sid,
	    int, tsn, uint16_t, ssn);

	instr->nextseq = ssn + 1;

	/*
	 * Deliver any successive data chunks waiting in the instr pqueue
	 * for the data just sent up.
	 */
	while (instr->istr_nmsgs > 0) {
		dmp = (mblk_t *)instr->istr_msgs;
		dc = (sctp_data_hdr_t *)dmp->b_rptr;
		ssn = ntohs(dc->sdh_ssn);
		tsn = ntohl(dc->sdh_tsn);
		/* Stop at the first gap in the sequence */
		if (ssn != instr->nextseq)
			break;

		DTRACE_PROBE4(sctp_deliver_pqueuedmsg, sctp_t *, sctp,
		    int, sid, int, tsn, uint16_t, ssn);
		/*
		 * Ready to deliver all data before the gap
		 * to the upper layer.
		 */
		(instr->istr_nmsgs)--;
		(instr->nextseq)++;
		(sctp->sctp_istr_nmsgs)--;

		instr->istr_msgs = instr->istr_msgs->b_next;
		if (instr->istr_msgs != NULL)
			instr->istr_msgs->b_prev = NULL;
		dmp->b_next = dmp->b_prev = NULL;

		dprint(2, ("data_chunk: pulling %x from pq (ssn %d)\n",
		    ntohl(dc->sdh_tsn), (int)ssn));

		/*
		 * Composite messages indicate this chunk was reassembled,
		 * each b_cont represents another TSN; Follow the chain to
		 * reach the frag with the last tsn in order to advance ftsn
		 * shortly by calling SCTP_ACK_IT().
		 */
		dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
		for (pmp = dmp->b_cont; pmp; pmp = pmp->b_cont)
			dlen += MBLKL(pmp);

		ASSERT(sctp->sctp_rxqueued >= dlen);

		sctp->sctp_rxqueued -= dlen;
		if (can_deliver) {
			dmp->b_rptr = (uchar_t *)(dc + 1);
			if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
			    ipp, ira) == 0) {
				dprint(1, ("sctp_data_chunk: delivering %lu "
				    "bytes\n", msgdsize(dmp)));
				/*
				 * Meaning of b_flag overloaded for SCTP sockfs
				 * internal use, advise sockfs of partial
				 * delivery semantics.
				 */
				dmp->b_flag = tpfinished ?
				    0 : SCTP_PARTIAL_DATA;
				if (sctp->sctp_flowctrld) {
					sctp->sctp_rwnd -= dlen;
					if (sctp->sctp_rwnd < 0)
						sctp->sctp_rwnd = 0;
				}
				if (sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
				    msgdsize(dmp), 0, &error, NULL) <= 0) {
					sctp->sctp_flowctrld = B_TRUE;
				}
				SCTP_ACK_IT(sctp, tsn);
			} else {
				/* don't ack, the peer will retransmit */
				freemsg(dmp);
				return;
			}
		} else {
			/* Closed above, ack and free the data */
			freemsg(dmp);
			SCTP_ACK_IT(sctp, tsn);
		}
	}

done:

	/*
	 * If there are gap reports pending, check if advancing
	 * the ftsn here closes a gap. If so, we can advance
	 * ftsn to the end of the set.
	 */
	if (sctp->sctp_sack_info != NULL &&
	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
	}
	/*
	 * If ftsn has moved forward, maybe we can remove gap reports.
	 * NB: dmp may now be NULL, so don't dereference it here.
	 */
	if (oftsn != sctp->sctp_ftsn && sctp->sctp_sack_info != NULL) {
		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
		    &sctp->sctp_sack_gaps);
		dprint(2, ("data_chunk: removed acks before %x (num=%d)\n",
		    sctp->sctp_ftsn - 1, sctp->sctp_sack_gaps));
	}

#ifdef	DEBUG
	if (sctp->sctp_sack_info != NULL) {
		ASSERT(sctp->sctp_ftsn != sctp->sctp_sack_info->begin);
	}
#endif

#undef	SCTP_ACK_IT
}

void
sctp_fill_sack(sctp_t *sctp, unsigned char *dst, int sacklen)
{
	sctp_chunk_hdr_t *sch;
	sctp_sack_chunk_t *sc;
	sctp_sack_frag_t *sf;
	uint16_t num_gaps = sctp->sctp_sack_gaps;
	sctp_set_t *sp;

	/* Chunk hdr */
	sch = (sctp_chunk_hdr_t *)dst;
	sch->sch_id = CHUNK_SACK;
	sch->sch_flags = 0;
	sch->sch_len = htons(sacklen);

	/* SACK chunk */
	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;

	sc = (sctp_sack_chunk_t *)(sch + 1);
	sc->ssc_cumtsn = htonl(sctp->sctp_lastacked);
	if (sctp->sctp_rxqueued < sctp->sctp_rwnd) {
		sc->ssc_a_rwnd = htonl(sctp->sctp_rwnd - sctp->sctp_rxqueued);
	} else {
		sc->ssc_a_rwnd = 0;
	}
	/* Remember the last window sent to peer. */
	sctp->sctp_arwnd = sc->ssc_a_rwnd;
	sc->ssc_numfrags = htons(num_gaps);
	sc->ssc_numdups = 0;

	/* lay in gap reports */
	sf = (sctp_sack_frag_t *)(sc + 1);
	for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
		uint16_t offset;

		/* start */
		if (sp->begin > sctp->sctp_lastacked) {
			offset = (uint16_t)(sp->begin - sctp->sctp_lastacked);
		} else {
			/* sequence number wrap */
			offset = (uint16_t)(UINT32_MAX - sctp->sctp_lastacked +
			    sp->begin);
		}
		sf->ssf_start = htons(offset);

		/* end */
		if (sp->end >= sp->begin) {
			offset += (uint16_t)(sp->end - sp->begin);
		} else {
			/* sequence number wrap */
			offset += (uint16_t)(UINT32_MAX - sp->begin + sp->end);
		}
		sf->ssf_end = htons(offset);

		sf++;
		/* This is just for debugging (a la the following assertion) */
		num_gaps--;
	}

	ASSERT(num_gaps == 0);

	/* If the SACK timer is running, stop it */
	if (sctp->sctp_ack_timer_running) {
		sctp_timer_stop(sctp->sctp_ack_mp);
		sctp->sctp_ack_timer_running = B_FALSE;
	}

	BUMP_LOCAL(sctp->sctp_obchunks);
	BUMP_LOCAL(sctp->sctp_osacks);
}

mblk_t *
sctp_make_sack(sctp_t *sctp, sctp_faddr_t *sendto, mblk_t *dups)
{
	mblk_t *smp;
	size_t slen;
	sctp_chunk_hdr_t *sch;
	sctp_sack_chunk_t *sc;
	int32_t acks_max;
	sctp_stack_t	*sctps = sctp->sctp_sctps;
	uint32_t	dups_len;
	sctp_faddr_t	*fp;

	ASSERT(sendto != NULL);

	if (sctp->sctp_force_sack) {
		sctp->sctp_force_sack = 0;
		goto checks_done;
	}

	acks_max = sctps->sctps_deferred_acks_max;
	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
		if (sctp->sctp_sack_toggle < acks_max) {
			/* no need to SACK right now */
			dprint(2, ("sctp_make_sack: %p no sack (toggle)\n",
			    (void *)sctp));
			return (NULL);
		} else if (sctp->sctp_sack_toggle >= acks_max) {
			sctp->sctp_sack_toggle = 0;
		}
	}

	if (sctp->sctp_ftsn == sctp->sctp_lastacked + 1) {
		dprint(2, ("sctp_make_sack: %p no sack (already)\n",
		    (void *)sctp));
		return (NULL);
	}

checks_done:
	dprint(2, ("sctp_make_sack: acking %x\n", sctp->sctp_ftsn - 1));

	if (dups != NULL)
		dups_len = MBLKL(dups);
	else
		dups_len = 0;
	slen = sizeof (*sch) + sizeof (*sc) +
	    (sizeof (sctp_sack_frag_t) * sctp->sctp_sack_gaps);

	/*
	 * If there are error chunks, check and see if we can send the
	 * SACK chunk and error chunks together in one packet.  If not,
	 * send the error chunks out now.
	 */
	if (sctp->sctp_err_chunks != NULL) {
		fp = SCTP_CHUNK_DEST(sctp->sctp_err_chunks);
		if (sctp->sctp_err_len + slen + dups_len > fp->sf_pmss) {
			if ((smp = sctp_make_mp(sctp, fp, 0)) == NULL) {
				SCTP_KSTAT(sctps, sctp_send_err_failed);
				SCTP_KSTAT(sctps, sctp_send_sack_failed);
				freemsg(sctp->sctp_err_chunks);
				sctp->sctp_err_chunks = NULL;
				sctp->sctp_err_len = 0;
				return (NULL);
			}
			smp->b_cont = sctp->sctp_err_chunks;
			sctp_set_iplen(sctp, smp, fp->sf_ixa);
			(void) conn_ip_output(smp, fp->sf_ixa);
			BUMP_LOCAL(sctp->sctp_opkts);
			sctp->sctp_err_chunks = NULL;
			sctp->sctp_err_len = 0;
		}
	}
	smp = sctp_make_mp(sctp, sendto, slen);
	if (smp == NULL) {
		SCTP_KSTAT(sctps, sctp_send_sack_failed);
		return (NULL);
	}
	sch = (sctp_chunk_hdr_t *)smp->b_wptr;

	sctp_fill_sack(sctp, smp->b_wptr, slen);
	smp->b_wptr += slen;
	if (dups != NULL) {
		sc = (sctp_sack_chunk_t *)(sch + 1);
		sc->ssc_numdups = htons(MBLKL(dups) / sizeof (uint32_t));
		sch->sch_len = htons(slen + dups_len);
		smp->b_cont = dups;
	}

	if (sctp->sctp_err_chunks != NULL) {
		linkb(smp, sctp->sctp_err_chunks);
		sctp->sctp_err_chunks = NULL;
		sctp->sctp_err_len = 0;
	}
	return (smp);
}

/*
 * Check and see if we need to send a SACK chunk.  If it is needed,
 * send it out.  Return true if a SACK chunk is sent, false otherwise.
 */
boolean_t
sctp_sack(sctp_t *sctp, mblk_t *dups)
{
	mblk_t *smp;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	/* If we are shutting down, let send_shutdown() bundle the SACK */
	if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
		sctp_send_shutdown(sctp, 0);
	}

	ASSERT(sctp->sctp_lastdata != NULL);

	if ((smp = sctp_make_sack(sctp, sctp->sctp_lastdata, dups)) == NULL) {
		/* The caller of sctp_sack() will not free the dups mblk. */
		if (dups != NULL)
			freeb(dups);
		return (B_FALSE);
	}
	dprint(2, ("sctp_sack: sending to %p %x:%x:%x:%x\n",
	    (void *)sctp->sctp_lastdata,
	    SCTP_PRINTADDR(sctp->sctp_lastdata->sf_faddr)));

	sctp->sctp_active = LBOLT_FASTPATH64;

	SCTPS_BUMP_MIB(sctps, sctpOutAck);

	sctp_set_iplen(sctp, smp, sctp->sctp_lastdata->sf_ixa);
	(void) conn_ip_output(smp, sctp->sctp_lastdata->sf_ixa);
	BUMP_LOCAL(sctp->sctp_opkts);
	return (B_TRUE);
}

/*
 * This is called if we have a message that was partially sent and is
 * abandoned. The cum TSN will be the last chunk sent for this message,
 * subsequent chunks will be marked ABANDONED. We send a Forward TSN
 * chunk in this case with the TSN of the last sent chunk so that the
 * peer can clean up its fragment list for this message. This message
 * will be removed from the transmit list when the peer sends a SACK
 * back.
 */
int
sctp_check_abandoned_msg(sctp_t *sctp, mblk_t *meta)
{
	sctp_data_hdr_t	*dh;
	mblk_t		*nmp;
	mblk_t		*head;
	int32_t		unsent = 0;
	mblk_t		*mp1 = meta->b_cont;
	uint32_t	adv_pap = sctp->sctp_adv_pap;
	sctp_faddr_t	*fp = sctp->sctp_current;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	dh = (sctp_data_hdr_t *)mp1->b_rptr;
	if (SEQ_GEQ(sctp->sctp_lastack_rxd, ntohl(dh->sdh_tsn))) {
		sctp_ftsn_set_t	*sets = NULL;
		uint_t		nsets = 0;
		uint32_t	seglen = sizeof (uint32_t);
		boolean_t	ubit = SCTP_DATA_GET_UBIT(dh);

		while (mp1->b_next != NULL && SCTP_CHUNK_ISSENT(mp1->b_next))
			mp1 = mp1->b_next;
		dh = (sctp_data_hdr_t *)mp1->b_rptr;
		sctp->sctp_adv_pap = ntohl(dh->sdh_tsn);
		if (!ubit &&
		    !sctp_add_ftsn_set(&sets, fp, meta, &nsets, &seglen)) {
			sctp->sctp_adv_pap = adv_pap;
			return (ENOMEM);
		}
		nmp = sctp_make_ftsn_chunk(sctp, fp, sets, nsets, seglen);
		sctp_free_ftsn_set(sets);
		if (nmp == NULL) {
			sctp->sctp_adv_pap = adv_pap;
			return (ENOMEM);
		}
		head = sctp_add_proto_hdr(sctp, fp, nmp, 0, NULL);
		if (head == NULL) {
			sctp->sctp_adv_pap = adv_pap;
			freemsg(nmp);
			SCTP_KSTAT(sctps, sctp_send_ftsn_failed);
			return (ENOMEM);
		}
		SCTP_MSG_SET_ABANDONED(meta);
		sctp_set_iplen(sctp, head, fp->sf_ixa);
		(void) conn_ip_output(head, fp->sf_ixa);
		BUMP_LOCAL(sctp->sctp_opkts);
		if (!fp->sf_timer_running)
			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
		mp1 = mp1->b_next;
		while (mp1 != NULL) {
			ASSERT(!SCTP_CHUNK_ISSENT(mp1));
			ASSERT(!SCTP_CHUNK_ABANDONED(mp1));
			SCTP_ABANDON_CHUNK(mp1);
			dh = (sctp_data_hdr_t *)mp1->b_rptr;
			unsent += ntohs(dh->sdh_len) - sizeof (*dh);
			mp1 = mp1->b_next;
		}
		ASSERT(sctp->sctp_unsent >= unsent);
		sctp->sctp_unsent -= unsent;
		/*
		 * Update ULP the amount of queued data, which is
		 * sent-unack'ed + unsent.
		 */
		if (!SCTP_IS_DETACHED(sctp))
			SCTP_TXQ_UPDATE(sctp);
		return (0);
	}
	return (-1);
}

uint32_t
sctp_cumack(sctp_t *sctp, uint32_t tsn, mblk_t **first_unacked)
{
	mblk_t *ump, *nump, *mp = NULL;
	uint16_t chunklen;
	uint32_t xtsn;
	sctp_faddr_t *fp;
	sctp_data_hdr_t *sdc;
	uint32_t cumack_forward = 0;
	sctp_msg_hdr_t	*mhdr;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	ump = sctp->sctp_xmit_head;

	/*
	 * Free messages only when they're completely acked.
	 */
	while (ump != NULL) {
		mhdr = (sctp_msg_hdr_t *)ump->b_rptr;
		for (mp = ump->b_cont; mp != NULL; mp = mp->b_next) {
			if (SCTP_CHUNK_ABANDONED(mp)) {
				ASSERT(SCTP_IS_MSG_ABANDONED(ump));
				mp = NULL;
				break;
			}
			/*
			 * We check for abandoned message if we are PR-SCTP
			 * aware, if this is not the first chunk in the
			 * message (b_cont) and if the message is marked
			 * abandoned.
			 */
			if (!SCTP_CHUNK_ISSENT(mp)) {
				if (sctp->sctp_prsctp_aware &&
				    mp != ump->b_cont &&
				    (SCTP_IS_MSG_ABANDONED(ump) ||
				    SCTP_MSG_TO_BE_ABANDONED(ump, mhdr,
				    sctp))) {
					(void) sctp_check_abandoned_msg(sctp,
					    ump);
				}
				goto cum_ack_done;
			}
			sdc = (sctp_data_hdr_t *)mp->b_rptr;
			xtsn = ntohl(sdc->sdh_tsn);
			if (SEQ_GEQ(sctp->sctp_lastack_rxd, xtsn))
				continue;
			if (SEQ_GEQ(tsn, xtsn)) {
				fp = SCTP_CHUNK_DEST(mp);
				chunklen = ntohs(sdc->sdh_len);

				if (sctp->sctp_out_time != 0 &&
				    xtsn == sctp->sctp_rtt_tsn) {
					/* Got a new RTT measurement */
					sctp_update_rtt(sctp, fp,
					    ddi_get_lbolt64() -
					    sctp->sctp_out_time);
					sctp->sctp_out_time = 0;
				}
				if (SCTP_CHUNK_ISACKED(mp))
					continue;
				SCTP_CHUNK_SET_SACKCNT(mp, 0);
				SCTP_CHUNK_ACKED(mp);
				ASSERT(fp->sf_suna >= chunklen);
				fp->sf_suna -= chunklen;
				fp->sf_acked += chunklen;
				cumack_forward += chunklen;
				ASSERT(sctp->sctp_unacked >=
				    (chunklen - sizeof (*sdc)));
				sctp->sctp_unacked -=
				    (chunklen - sizeof (*sdc));
				if (fp->sf_suna == 0) {
					/* all outstanding data acked */
					fp->sf_pba = 0;
					SCTP_FADDR_TIMER_STOP(fp);
				} else {
					SCTP_FADDR_TIMER_RESTART(sctp, fp,
					    fp->sf_rto);
				}
			} else {
				goto cum_ack_done;
			}
		}
		nump = ump->b_next;
		if (nump != NULL)
			nump->b_prev = NULL;
		if (ump == sctp->sctp_xmit_tail)
			sctp->sctp_xmit_tail = nump;
		if (SCTP_IS_MSG_ABANDONED(ump)) {
			BUMP_LOCAL(sctp->sctp_prsctpdrop);
			ump->b_next = NULL;
			sctp_sendfail_event(sctp, ump, 0, B_TRUE);
		} else {
			sctp_free_msg(ump);
		}
		sctp->sctp_xmit_head = ump = nump;
	}
cum_ack_done:
	*first_unacked = mp;
	if (cumack_forward > 0) {
		SCTPS_BUMP_MIB(sctps, sctpInAck);
		if (SEQ_GT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn)) {
			sctp->sctp_recovery_tsn = sctp->sctp_lastack_rxd;
		}

		/*
		 * Update ULP the amount of queued data, which is
		 * sent-unack'ed + unsent.
		 */
		if (!SCTP_IS_DETACHED(sctp))
			SCTP_TXQ_UPDATE(sctp);

		/* Time to send a shutdown? */
		if (sctp->sctp_state == SCTPS_SHUTDOWN_PENDING) {
			sctp_send_shutdown(sctp, 0);
		}
		sctp->sctp_xmit_unacked = mp;
	} else {
		/* dup ack */
		SCTPS_BUMP_MIB(sctps, sctpInDupAck);
	}
	sctp->sctp_lastack_rxd = tsn;
	if (SEQ_LT(sctp->sctp_adv_pap, sctp->sctp_lastack_rxd))
		sctp->sctp_adv_pap = sctp->sctp_lastack_rxd;
	ASSERT(sctp->sctp_xmit_head || sctp->sctp_unacked == 0);

	return (cumack_forward);
}

static int
sctp_set_frwnd(sctp_t *sctp, uint32_t frwnd)
{
	uint32_t orwnd;

	if (sctp->sctp_unacked > frwnd) {
		sctp->sctp_frwnd = 0;
		return (0);
	}
	orwnd = sctp->sctp_frwnd;
	sctp->sctp_frwnd = frwnd - sctp->sctp_unacked;
	if (orwnd < sctp->sctp_frwnd) {
		return (1);
	} else {
		return (0);
	}
}

/*
 * For un-ordered messages.
 * Walk the sctp->sctp_uo_frag list and remove any fragments with TSN
 * less than/equal to ftsn. Fragments for un-ordered messages are
 * strictly in sequence (w.r.t TSN).
 */
static int
sctp_ftsn_check_uo_frag(sctp_t *sctp, uint32_t ftsn)
{
	mblk_t		*hmp;
	mblk_t		*hmp_next;
	sctp_data_hdr_t	*dc;
	int		dlen = 0;

	hmp = sctp->sctp_uo_frags;
	while (hmp != NULL) {
		hmp_next = hmp->b_next;
		dc = (sctp_data_hdr_t *)hmp->b_rptr;
		if (SEQ_GT(ntohl(dc->sdh_tsn), ftsn))
			return (dlen);
		sctp->sctp_uo_frags = hmp_next;
		if (hmp_next != NULL)
			hmp_next->b_prev = NULL;
		hmp->b_next = NULL;
		dlen += ntohs(dc->sdh_len) - sizeof (*dc);
		freeb(hmp);
		hmp = hmp_next;
	}
	return (dlen);
}

/*
 * For ordered messages.
 * Check for existing fragments for an sid-ssn pair reported as abandoned,
 * hence will not receive, in the Forward TSN. If there are fragments, then
 * we just nuke them. If and when Partial Delivery API is supported, we
 * would need to send a notification to the upper layer about this.
 */
static int
sctp_ftsn_check_frag(sctp_t *sctp, uint16_t ssn, sctp_instr_t *sip)
{
	sctp_reass_t	*srp;
	mblk_t		*hmp;
	mblk_t		*dmp;
	mblk_t		*hmp_next;
	sctp_data_hdr_t	*dc;
	int		dlen = 0;

	hmp = sip->istr_reass;
	while (hmp != NULL) {
		hmp_next = hmp->b_next;
		srp = (sctp_reass_t *)DB_BASE(hmp);
		if (SSN_GT(srp->sr_ssn, ssn))
			return (dlen);
		/*
		 * If we had sent part of this message up, send a partial
		 * delivery event. Since this is ordered delivery, we should
		 * have sent partial message only for the next in sequence,
		 * hence the ASSERT. See comments in sctp_data_chunk() for
		 * trypartial.
		 */
		if (srp->sr_partial_delivered) {
			if (srp->sr_ssn != sip->nextseq)
				cmn_err(CE_WARN, "sctp partial"
				    " delivery notify, sctp 0x%p"
				    " sip = 0x%p ssn != nextseq"
				    " ssn 0x%x nextseq 0x%x",
				    (void *)sctp, (void *)sip,
				    srp->sr_ssn, sip->nextseq);
			ASSERT(sip->nextseq == srp->sr_ssn);
			sctp_partial_delivery_event(sctp);
		}
		/* Take it out of the reass queue */
		sip->istr_reass = hmp_next;
		if (hmp_next != NULL)
			hmp_next->b_prev = NULL;
		hmp->b_next = NULL;
		ASSERT(hmp->b_prev == NULL);
		dmp = hmp;
		ASSERT(DB_TYPE(hmp) == M_CTL);
		dmp = hmp->b_cont;
		hmp->b_cont = NULL;
		freeb(hmp);
		hmp = dmp;
		while (dmp != NULL) {
			dc = (sctp_data_hdr_t *)dmp->b_rptr;
			dlen += ntohs(dc->sdh_len) - sizeof (*dc);
			dmp = dmp->b_cont;
		}
		freemsg(hmp);
		hmp = hmp_next;
	}
	return (dlen);
}

/*
 * Update sctp_ftsn to the cumulative TSN from the Forward TSN chunk. Remove
 * any SACK gaps less than the newly updated sctp_ftsn. Walk through the
 * sid-ssn pair in the Forward TSN and for each, clean the fragment list
 * for this pair, if needed, and check if we can deliver subsequent
 * messages, if any, from the instream queue (that were waiting for this
 * sid-ssn message to show up). Once we are done try to update the SACK
 * info. We could get a duplicate Forward TSN, in which case just send
 * a SACK. If any of the sid values in the Forward TSN is invalid,
 * send back an "Invalid Stream Identifier" error and continue processing
 * the rest.
 */
static void
sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
    ip_pkt_t *ipp, ip_recv_attr_t *ira)
{
	uint32_t	*ftsn = (uint32_t *)(ch + 1);
	ftsn_entry_t	*ftsn_entry;
	sctp_instr_t	*instr;
	boolean_t	can_deliver = B_TRUE;
	size_t		dlen;
	int		flen;
	mblk_t		*dmp;
	mblk_t		*pmp;
	sctp_data_hdr_t	*dc;
	ssize_t		remaining;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	*ftsn = ntohl(*ftsn);
	remaining =  ntohs(ch->sch_len) - sizeof (*ch) - sizeof (*ftsn);

	if (SCTP_IS_DETACHED(sctp)) {
		SCTPS_BUMP_MIB(sctps, sctpInClosed);
		can_deliver = B_FALSE;
	}
	/*
	 * un-ordered messages don't have SID-SSN pair entries, we check
	 * for any fragments (for un-ordered message) to be discarded using
	 * the cumulative FTSN.
	 */
	flen = sctp_ftsn_check_uo_frag(sctp, *ftsn);
	if (flen > 0) {
		ASSERT(sctp->sctp_rxqueued >= flen);
		sctp->sctp_rxqueued -= flen;
	}
	ftsn_entry = (ftsn_entry_t *)(ftsn + 1);
	while (remaining >= sizeof (*ftsn_entry)) {
		ftsn_entry->ftsn_sid = ntohs(ftsn_entry->ftsn_sid);
		ftsn_entry->ftsn_ssn = ntohs(ftsn_entry->ftsn_ssn);
		if (ftsn_entry->ftsn_sid >= sctp->sctp_num_istr) {
			sctp_bsc_t	inval_parm;

			/* Will populate the CAUSE block in the ERROR chunk. */
			inval_parm.bsc_sid = htons(ftsn_entry->ftsn_sid);
			/* RESERVED, ignored at the receiving end */
			inval_parm.bsc_pad = 0;

			sctp_add_err(sctp, SCTP_ERR_BAD_SID,
			    (void *)&inval_parm, sizeof (sctp_bsc_t), fp);
			ftsn_entry++;
			remaining -= sizeof (*ftsn_entry);
			continue;
		}
		instr = &sctp->sctp_instr[ftsn_entry->ftsn_sid];
		flen = sctp_ftsn_check_frag(sctp, ftsn_entry->ftsn_ssn, instr);
		/* Indicates frags were nuked, update rxqueued */
		if (flen > 0) {
			ASSERT(sctp->sctp_rxqueued >= flen);
			sctp->sctp_rxqueued -= flen;
		}
		/*
		 * It is possible to receive an FTSN chunk with SSN smaller
		 * than then nextseq if this chunk is a retransmission because
		 * of incomplete processing when it was first processed.
		 */
		if (SSN_GE(ftsn_entry->ftsn_ssn, instr->nextseq))
			instr->nextseq = ftsn_entry->ftsn_ssn + 1;
		while (instr->istr_nmsgs > 0) {
			mblk_t	*next;

			dmp = (mblk_t *)instr->istr_msgs;
			dc = (sctp_data_hdr_t *)dmp->b_rptr;
			if (ntohs(dc->sdh_ssn) != instr->nextseq)
				break;

			next = dmp->b_next;
			dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
			for (pmp = dmp->b_cont; pmp != NULL;
			    pmp = pmp->b_cont) {
				dlen += MBLKL(pmp);
			}
			if (can_deliver) {
				int error;

				dmp->b_rptr = (uchar_t *)(dc + 1);
				dmp->b_next = NULL;
				ASSERT(dmp->b_prev == NULL);
				if (sctp_input_add_ancillary(sctp,
				    &dmp, dc, fp, ipp, ira) == 0) {
					sctp->sctp_rxqueued -= dlen;
					/*
					 * Override b_flag for SCTP sockfs
					 * internal use
					 */

					dmp->b_flag = 0;
					if (sctp->sctp_flowctrld) {
						sctp->sctp_rwnd -= dlen;
						if (sctp->sctp_rwnd < 0)
							sctp->sctp_rwnd = 0;
					}
					if (sctp->sctp_ulp_recv(
					    sctp->sctp_ulpd, dmp, msgdsize(dmp),
					    0, &error, NULL) <= 0) {
						sctp->sctp_flowctrld = B_TRUE;
					}
				} else {
					/*
					 * We will resume processing when
					 * the FTSN chunk is re-xmitted.
					 */
					dmp->b_rptr = (uchar_t *)dc;
					dmp->b_next = next;
					dprint(0,
					    ("FTSN dequeuing %u failed\n",
					    ntohs(dc->sdh_ssn)));
					return;
				}
			} else {
				sctp->sctp_rxqueued -= dlen;
				ASSERT(dmp->b_prev == NULL);
				dmp->b_next = NULL;
				freemsg(dmp);
			}
			instr->istr_nmsgs--;
			instr->nextseq++;
			sctp->sctp_istr_nmsgs--;
			if (next != NULL)
				next->b_prev = NULL;
			instr->istr_msgs = next;
		}
		ftsn_entry++;
		remaining -= sizeof (*ftsn_entry);
	}
	/* Duplicate FTSN */
	if (*ftsn <= (sctp->sctp_ftsn - 1)) {
		sctp->sctp_force_sack = 1;
		return;
	}
	/* Advance cum TSN to that reported in the Forward TSN chunk */
	sctp->sctp_ftsn = *ftsn + 1;

	/* Remove all the SACK gaps before the new cum TSN */
	if (sctp->sctp_sack_info != NULL) {
		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
		    &sctp->sctp_sack_gaps);
	}
	/*
	 * If there are gap reports pending, check if advancing
	 * the ftsn here closes a gap. If so, we can advance
	 * ftsn to the end of the set.
	 * If ftsn has moved forward, maybe we can remove gap reports.
	 */
	if (sctp->sctp_sack_info != NULL &&
	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
		    &sctp->sctp_sack_gaps);
	}
}

/*
 * When we have processed a SACK we check to see if we can advance the
 * cumulative TSN if there are abandoned chunks immediately following
 * the updated cumulative TSN. If there are, we attempt to send a
 * Forward TSN chunk.
 */
static void
sctp_check_abandoned_data(sctp_t *sctp, sctp_faddr_t *fp)
{
	mblk_t		*meta = sctp->sctp_xmit_head;
	mblk_t		*mp;
	mblk_t		*nmp;
	uint32_t	seglen;
	uint32_t	adv_pap = sctp->sctp_adv_pap;

	/*
	 * We only check in the first meta since otherwise we can't
	 * advance the cumulative ack point. We just look for chunks
	 * marked for retransmission, else we might prematurely
	 * send an FTSN for a sent, but unacked, chunk.
	 */
	for (mp = meta->b_cont; mp != NULL; mp = mp->b_next) {
		if (!SCTP_CHUNK_ISSENT(mp))
			return;
		if (SCTP_CHUNK_WANT_REXMIT(mp))
			break;
	}
	if (mp == NULL)
		return;
	sctp_check_adv_ack_pt(sctp, meta, mp);
	if (SEQ_GT(sctp->sctp_adv_pap, adv_pap)) {
		sctp_make_ftsns(sctp, meta, mp, &nmp, fp, &seglen);
		if (nmp == NULL) {
			sctp->sctp_adv_pap = adv_pap;
			if (!fp->sf_timer_running)
				SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
			return;
		}
		sctp_set_iplen(sctp, nmp, fp->sf_ixa);
		(void) conn_ip_output(nmp, fp->sf_ixa);
		BUMP_LOCAL(sctp->sctp_opkts);
		if (!fp->sf_timer_running)
			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->sf_rto);
	}
}

/*
 * The processing here follows the same logic in sctp_got_sack(), the reason
 * we do this separately is because, usually, gap blocks are ordered and
 * we can process it in sctp_got_sack(). However if they aren't we would
 * need to do some additional non-optimal stuff when we start processing the
 * unordered gaps. To that effect sctp_got_sack() does the processing in the
 * simple case and this does the same in the more involved case.
 */
static uint32_t
sctp_process_uo_gaps(sctp_t *sctp, uint32_t ctsn, sctp_sack_frag_t *ssf,
    int num_gaps, mblk_t *umphead, mblk_t *mphead, int *trysend,
    boolean_t *fast_recovery, uint32_t fr_xtsn)
{
	uint32_t		xtsn;
	uint32_t		gapstart = 0;
	uint32_t		gapend = 0;
	int			gapcnt;
	uint16_t		chunklen;
	sctp_data_hdr_t		*sdc;
	int			gstart;
	mblk_t			*ump = umphead;
	mblk_t			*mp = mphead;
	sctp_faddr_t		*fp;
	uint32_t		acked = 0;
	sctp_stack_t		*sctps = sctp->sctp_sctps;

	/*
	 * gstart tracks the last (in the order of TSN) gapstart that
	 * we process in this SACK gaps walk.
	 */
	gstart = ctsn;

	sdc = (sctp_data_hdr_t *)mp->b_rptr;
	xtsn = ntohl(sdc->sdh_tsn);
	for (gapcnt = 0; gapcnt < num_gaps; gapcnt++, ssf++) {
		if (gapstart != 0) {
			/*
			 * If we have reached the end of the transmit list or
			 * hit an unsent chunk or encountered an unordered gap
			 * block start from the ctsn again.
			 */
			if (ump == NULL || !SCTP_CHUNK_ISSENT(mp) ||
			    SEQ_LT(ctsn + ntohs(ssf->ssf_start), xtsn)) {
				ump = umphead;
				mp = mphead;
				sdc = (sctp_data_hdr_t *)mp->b_rptr;
				xtsn = ntohl(sdc->sdh_tsn);
			}
		}

		gapstart = ctsn + ntohs(ssf->ssf_start);
		gapend = ctsn + ntohs(ssf->ssf_end);

		/*
		 * Sanity checks:
		 *
		 * 1. SACK for TSN we have not sent - ABORT
		 * 2. Invalid or spurious gaps, ignore all gaps
		 */
		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
			SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
			*trysend = -1;
			return (acked);
		} else if (SEQ_LT(gapend, gapstart) ||
		    SEQ_LEQ(gapstart, ctsn)) {
			break;
		}
		/*
		 * The xtsn can be the TSN processed for the last gap
		 * (gapend) or it could be the cumulative TSN. We continue
		 * with the last xtsn as long as the gaps are ordered, when
		 * we hit an unordered gap, we re-start from the cumulative
		 * TSN. For the first gap it is always the cumulative TSN.
		 */
		while (xtsn != gapstart) {
			/*
			 * We can't reliably check for reneged chunks
			 * when walking the unordered list, so we don't.
			 * In case the peer reneges then we will end up
			 * sending the reneged chunk via timeout.
			 */
			mp = mp->b_next;
			if (mp == NULL) {
				ump = ump->b_next;
				/*
				 * ump can't be NULL because of the sanity
				 * check above.
				 */
				ASSERT(ump != NULL);
				mp = ump->b_cont;
			}
			/*
			 * mp can't be unsent because of the sanity check
			 * above.
			 */
			ASSERT(SCTP_CHUNK_ISSENT(mp));
			sdc = (sctp_data_hdr_t *)mp->b_rptr;
			xtsn = ntohl(sdc->sdh_tsn);
		}
		/*
		 * Now that we have found the chunk with TSN == 'gapstart',
		 * let's walk till we hit the chunk with TSN == 'gapend'.
		 * All intermediate chunks will be marked ACKED, if they
		 * haven't already been.
		 */
		while (SEQ_LEQ(xtsn, gapend)) {
			/*
			 * SACKed
			 */
			SCTP_CHUNK_SET_SACKCNT(mp, 0);
			if (!SCTP_CHUNK_ISACKED(mp)) {
				SCTP_CHUNK_ACKED(mp);

				fp = SCTP_CHUNK_DEST(mp);
				chunklen = ntohs(sdc->sdh_len);
				ASSERT(fp->sf_suna >= chunklen);
				fp->sf_suna -= chunklen;
				if (fp->sf_suna == 0) {
					/* All outstanding data acked. */
					fp->sf_pba = 0;
					SCTP_FADDR_TIMER_STOP(fp);
				}
				fp->sf_acked += chunklen;
				acked += chunklen;
				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
				ASSERT(sctp->sctp_unacked >= 0);
			}
			/*
			 * Move to the next message in the transmit list
			 * if we are done with all the chunks from the current
			 * message. Note, it is possible to hit the end of the
			 * transmit list here, i.e. if we have already completed
			 * processing the gap block.
			 */
			mp = mp->b_next;
			if (mp == NULL) {
				ump = ump->b_next;
				if (ump == NULL) {
					ASSERT(xtsn == gapend);
					break;
				}
				mp = ump->b_cont;
			}
			/*
			 * Likewise, we can hit an unsent chunk once we have
			 * completed processing the gap block.
			 */
			if (!SCTP_CHUNK_ISSENT(mp)) {
				ASSERT(xtsn == gapend);
				break;
			}
			sdc = (sctp_data_hdr_t *)mp->b_rptr;
			xtsn = ntohl(sdc->sdh_tsn);
		}
		/*
		 * We keep track of the last gap we successfully processed
		 * so that we can terminate the walk below for incrementing
		 * the SACK count.
		 */
		if (SEQ_LT(gstart, gapstart))
			gstart = gapstart;
	}
	/*
	 * Check if have incremented the SACK count for all unacked TSNs in
	 * sctp_got_sack(), if so we are done.
	 */
	if (SEQ_LEQ(gstart, fr_xtsn))
		return (acked);

	ump = umphead;
	mp = mphead;
	sdc = (sctp_data_hdr_t *)mp->b_rptr;
	xtsn = ntohl(sdc->sdh_tsn);
	while (SEQ_LT(xtsn, gstart)) {
		/*
		 * We have incremented SACK count for TSNs less than fr_tsn
		 * in sctp_got_sack(), so don't increment them again here.
		 */
		if (SEQ_GT(xtsn, fr_xtsn) && !SCTP_CHUNK_ISACKED(mp)) {
			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
			if (SCTP_CHUNK_SACKCNT(mp) ==
			    sctps->sctps_fast_rxt_thresh) {
				SCTP_CHUNK_REXMIT(sctp, mp);
				sctp->sctp_chk_fast_rexmit = B_TRUE;
				*trysend = 1;
				if (!*fast_recovery) {
					/*
					 * Entering fast recovery.
					 */
					fp = SCTP_CHUNK_DEST(mp);
					fp->sf_ssthresh = fp->sf_cwnd / 2;
					if (fp->sf_ssthresh < 2 * fp->sf_pmss) {
						fp->sf_ssthresh =
						    2 * fp->sf_pmss;
					}
					fp->sf_cwnd = fp->sf_ssthresh;
					fp->sf_pba = 0;
					sctp->sctp_recovery_tsn =
					    sctp->sctp_ltsn - 1;
					*fast_recovery = B_TRUE;
				}
			}
		}
		mp = mp->b_next;
		if (mp == NULL) {
			ump = ump->b_next;
			/* We can't get to the end of the transmit list here */
			ASSERT(ump != NULL);
			mp = ump->b_cont;
		}
		/* We can't hit an unsent chunk here */
		ASSERT(SCTP_CHUNK_ISSENT(mp));
		sdc = (sctp_data_hdr_t *)mp->b_rptr;
		xtsn = ntohl(sdc->sdh_tsn);
	}
	return (acked);
}

static int
sctp_got_sack(sctp_t *sctp, sctp_chunk_hdr_t *sch)
{
	sctp_sack_chunk_t	*sc;
	sctp_data_hdr_t		*sdc;
	sctp_sack_frag_t	*ssf;
	mblk_t			*ump;
	mblk_t			*mp;
	mblk_t			*mp1;
	uint32_t		cumtsn;
	uint32_t		xtsn;
	uint32_t		gapstart = 0;
	uint32_t		gapend = 0;
	uint32_t		acked = 0;
	uint16_t		chunklen;
	sctp_faddr_t		*fp;
	int			num_gaps;
	int			trysend = 0;
	int			i;
	boolean_t		fast_recovery = B_FALSE;
	boolean_t		cumack_forward = B_FALSE;
	boolean_t		fwd_tsn = B_FALSE;
	sctp_stack_t		*sctps = sctp->sctp_sctps;

	BUMP_LOCAL(sctp->sctp_ibchunks);
	BUMP_LOCAL(sctp->sctp_isacks);
	chunklen = ntohs(sch->sch_len);
	if (chunklen < (sizeof (*sch) + sizeof (*sc)))
		return (0);

	sc = (sctp_sack_chunk_t *)(sch + 1);
	cumtsn = ntohl(sc->ssc_cumtsn);

	dprint(2, ("got sack cumtsn %x -> %x\n", sctp->sctp_lastack_rxd,
	    cumtsn));

	/* out of order */
	if (SEQ_LT(cumtsn, sctp->sctp_lastack_rxd))
		return (0);

	if (SEQ_GT(cumtsn, sctp->sctp_ltsn - 1)) {
		SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
		/* Send an ABORT */
		return (-1);
	}

	/*
	 * Cwnd only done when not in fast recovery mode.
	 */
	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn))
		fast_recovery = B_TRUE;

	/*
	 * .. and if the cum TSN is not moving ahead on account Forward TSN
	 */
	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_adv_pap))
		fwd_tsn = B_TRUE;

	if (cumtsn == sctp->sctp_lastack_rxd &&
	    (sctp->sctp_xmit_unacked == NULL ||
	    !SCTP_CHUNK_ABANDONED(sctp->sctp_xmit_unacked))) {
		if (sctp->sctp_xmit_unacked != NULL)
			mp = sctp->sctp_xmit_unacked;
		else if (sctp->sctp_xmit_head != NULL)
			mp = sctp->sctp_xmit_head->b_cont;
		else
			mp = NULL;
		SCTPS_BUMP_MIB(sctps, sctpInDupAck);
		/*
		 * If we were doing a zero win probe and the win
		 * has now opened to at least MSS, re-transmit the
		 * zero win probe via sctp_rexmit_packet().
		 */
		if (mp != NULL && sctp->sctp_zero_win_probe &&
		    ntohl(sc->ssc_a_rwnd) >= sctp->sctp_current->sf_pmss) {
			mblk_t	*pkt;
			uint_t	pkt_len;
			mblk_t	*mp1 = mp;
			mblk_t	*meta = sctp->sctp_xmit_head;

			/*
			 * Reset the RTO since we have been backing-off
			 * to send the ZWP.
			 */
			fp = sctp->sctp_current;
			fp->sf_rto = fp->sf_srtt + 4 * fp->sf_rttvar;
			SCTP_MAX_RTO(sctp, fp);
			/* Resend the ZWP */
			pkt = sctp_rexmit_packet(sctp, &meta, &mp1, fp,
			    &pkt_len);
			if (pkt == NULL) {
				SCTP_KSTAT(sctps, sctp_ss_rexmit_failed);
				return (0);
			}
			ASSERT(pkt_len <= fp->sf_pmss);
			sctp->sctp_zero_win_probe = B_FALSE;
			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
			sctp_set_iplen(sctp, pkt, fp->sf_ixa);
			(void) conn_ip_output(pkt, fp->sf_ixa);
			BUMP_LOCAL(sctp->sctp_opkts);
		}
	} else {
		if (sctp->sctp_zero_win_probe) {
			/*
			 * Reset the RTO since we have been backing-off
			 * to send the ZWP.
			 */
			fp = sctp->sctp_current;
			fp->sf_rto = fp->sf_srtt + 4 * fp->sf_rttvar;
			SCTP_MAX_RTO(sctp, fp);
			sctp->sctp_zero_win_probe = B_FALSE;
			/* This is probably not required */
			if (!sctp->sctp_rexmitting) {
				sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
				sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
			}
		}
		acked = sctp_cumack(sctp, cumtsn, &mp);
		sctp->sctp_xmit_unacked = mp;
		if (acked > 0) {
			trysend = 1;
			cumack_forward = B_TRUE;
			if (fwd_tsn && SEQ_GEQ(sctp->sctp_lastack_rxd,
			    sctp->sctp_adv_pap)) {
				cumack_forward = B_FALSE;
			}
		}
	}
	num_gaps = ntohs(sc->ssc_numfrags);
	UPDATE_LOCAL(sctp->sctp_gapcnt, num_gaps);
	if (num_gaps == 0 || mp == NULL || !SCTP_CHUNK_ISSENT(mp) ||
	    chunklen < (sizeof (*sch) + sizeof (*sc) +
	    num_gaps * sizeof (*ssf))) {
		goto ret;
	}
#ifdef	DEBUG
	/*
	 * Since we delete any message that has been acked completely,
	 * the unacked chunk must belong to sctp_xmit_head (as
	 * we don't have a back pointer from the mp to the meta data
	 * we do this).
	 */
	{
		mblk_t	*mp2 = sctp->sctp_xmit_head->b_cont;

		while (mp2 != NULL) {
			if (mp2 == mp)
				break;
			mp2 = mp2->b_next;
		}
		ASSERT(mp2 != NULL);
	}
#endif
	ump = sctp->sctp_xmit_head;

	/*
	 * Just remember where we started from, in case we need to call
	 * sctp_process_uo_gaps() if the gap blocks are unordered.
	 */
	mp1 = mp;

	sdc = (sctp_data_hdr_t *)mp->b_rptr;
	xtsn = ntohl(sdc->sdh_tsn);
	ASSERT(xtsn == cumtsn + 1);

	/*
	 * Go through SACK gaps. They are ordered based on start TSN.
	 */
	ssf = (sctp_sack_frag_t *)(sc + 1);
	for (i = 0; i < num_gaps; i++, ssf++) {
		if (gapstart != 0) {
			/* check for unordered gap */
			if (SEQ_LEQ(cumtsn + ntohs(ssf->ssf_start), gapstart)) {
				acked += sctp_process_uo_gaps(sctp,
				    cumtsn, ssf, num_gaps - i,
				    sctp->sctp_xmit_head, mp1,
				    &trysend, &fast_recovery, gapstart);
				if (trysend < 0) {
					SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
					return (-1);
				}
				break;
			}
		}
		gapstart = cumtsn + ntohs(ssf->ssf_start);
		gapend = cumtsn + ntohs(ssf->ssf_end);

		/*
		 * Sanity checks:
		 *
		 * 1. SACK for TSN we have not sent - ABORT
		 * 2. Invalid or spurious gaps, ignore all gaps
		 */
		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
			SCTPS_BUMP_MIB(sctps, sctpInAckUnsent);
			return (-1);
		} else if (SEQ_LT(gapend, gapstart) ||
		    SEQ_LEQ(gapstart, cumtsn)) {
			break;
		}
		/*
		 * Let's start at the current TSN (for the 1st gap we start
		 * from the cumulative TSN, for subsequent ones we start from
		 * where the previous gapend was found - second while loop
		 * below) and walk the transmit list till we find the TSN
		 * corresponding to gapstart. All the unacked chunks till we
		 * get to the chunk with TSN == gapstart will have their
		 * SACKCNT incremented by 1. Note since the gap blocks are
		 * ordered, we won't be incrementing the SACKCNT for an
		 * unacked chunk by more than one while processing the gap
		 * blocks. If the SACKCNT for any unacked chunk exceeds
		 * the fast retransmit threshold, we will fast retransmit
		 * after processing all the gap blocks.
		 */
		ASSERT(SEQ_LEQ(xtsn, gapstart));
		while (xtsn != gapstart) {
			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
			if (SCTP_CHUNK_SACKCNT(mp) ==
			    sctps->sctps_fast_rxt_thresh) {
				SCTP_CHUNK_REXMIT(sctp, mp);
				sctp->sctp_chk_fast_rexmit = B_TRUE;
				trysend = 1;
				if (!fast_recovery) {
					/*
					 * Entering fast recovery.
					 */
					fp = SCTP_CHUNK_DEST(mp);
					fp->sf_ssthresh = fp->sf_cwnd / 2;
					if (fp->sf_ssthresh < 2 * fp->sf_pmss) {
						fp->sf_ssthresh =
						    2 * fp->sf_pmss;
					}
					fp->sf_cwnd = fp->sf_ssthresh;
					fp->sf_pba = 0;
					sctp->sctp_recovery_tsn =
					    sctp->sctp_ltsn - 1;
					fast_recovery = B_TRUE;
				}
			}

			/*
			 * Peer may have reneged on this chunk, so un-sack
			 * it now. If the peer did renege, we need to
			 * readjust unacked.
			 */
			if (SCTP_CHUNK_ISACKED(mp)) {
				chunklen = ntohs(sdc->sdh_len);
				fp = SCTP_CHUNK_DEST(mp);
				fp->sf_suna += chunklen;
				sctp->sctp_unacked += chunklen - sizeof (*sdc);
				SCTP_CHUNK_CLEAR_ACKED(sctp, mp);
				if (!fp->sf_timer_running) {
					SCTP_FADDR_TIMER_RESTART(sctp, fp,
					    fp->sf_rto);
				}
			}

			mp = mp->b_next;
			if (mp == NULL) {
				ump = ump->b_next;
				/*
				 * ump can't be NULL given the sanity check
				 * above.  But if it is NULL, it means that
				 * there is a data corruption.  We'd better
				 * panic.
				 */
				if (ump == NULL) {
					panic("Memory corruption detected: gap "
					    "start TSN 0x%x missing from the "
					    "xmit list: %p", gapstart,
					    (void *)sctp);
				}
				mp = ump->b_cont;
			}
			/*
			 * mp can't be unsent given the sanity check above.
			 */
			ASSERT(SCTP_CHUNK_ISSENT(mp));
			sdc = (sctp_data_hdr_t *)mp->b_rptr;
			xtsn = ntohl(sdc->sdh_tsn);
		}
		/*
		 * Now that we have found the chunk with TSN == 'gapstart',
		 * let's walk till we hit the chunk with TSN == 'gapend'.
		 * All intermediate chunks will be marked ACKED, if they
		 * haven't already been.
		 */
		while (SEQ_LEQ(xtsn, gapend)) {
			/*
			 * SACKed
			 */
			SCTP_CHUNK_SET_SACKCNT(mp, 0);
			if (!SCTP_CHUNK_ISACKED(mp)) {
				SCTP_CHUNK_ACKED(mp);

				fp = SCTP_CHUNK_DEST(mp);
				chunklen = ntohs(sdc->sdh_len);
				ASSERT(fp->sf_suna >= chunklen);
				fp->sf_suna -= chunklen;
				if (fp->sf_suna == 0) {
					/* All outstanding data acked. */
					fp->sf_pba = 0;
					SCTP_FADDR_TIMER_STOP(fp);
				}
				fp->sf_acked += chunklen;
				acked += chunklen;
				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
				ASSERT(sctp->sctp_unacked >= 0);
			}
			/* Go to the next chunk of the current message */
			mp = mp->b_next;
			/*
			 * Move to the next message in the transmit list
			 * if we are done with all the chunks from the current
			 * message. Note, it is possible to hit the end of the
			 * transmit list here, i.e. if we have already completed
			 * processing the gap block.  But the TSN must be equal
			 * to the gapend because of the above sanity check.
			 * If it is not equal, it means that some data is
			 * missing.
			 * Also, note that we break here, which means we
			 * continue processing gap blocks, if any. In case of
			 * ordered gap blocks there can't be any following
			 * this (if there is it will fail the sanity check
			 * above). In case of un-ordered gap blocks we will
			 * switch to sctp_process_uo_gaps().  In either case
			 * it should be fine to continue with NULL ump/mp,
			 * but we just reset it to xmit_head.
			 */
			if (mp == NULL) {
				ump = ump->b_next;
				if (ump == NULL) {
					if (xtsn != gapend) {
						panic("Memory corruption "
						    "detected: gap end TSN "
						    "0x%x missing from the "
						    "xmit list: %p", gapend,
						    (void *)sctp);
					}
					ump = sctp->sctp_xmit_head;
					mp = mp1;
					sdc = (sctp_data_hdr_t *)mp->b_rptr;
					xtsn = ntohl(sdc->sdh_tsn);
					break;
				}
				mp = ump->b_cont;
			}
			/*
			 * Likewise, we could hit an unsent chunk once we have
			 * completed processing the gap block. Again, it is
			 * fine to continue processing gap blocks with mp
			 * pointing to the unsent chunk, because if there
			 * are more ordered gap blocks, they will fail the
			 * sanity check, and if there are un-ordered gap blocks,
			 * we will continue processing in sctp_process_uo_gaps()
			 * We just reset the mp to the one we started with.
			 */
			if (!SCTP_CHUNK_ISSENT(mp)) {
				ASSERT(xtsn == gapend);
				ump = sctp->sctp_xmit_head;
				mp = mp1;
				sdc = (sctp_data_hdr_t *)mp->b_rptr;
				xtsn = ntohl(sdc->sdh_tsn);
				break;
			}
			sdc = (sctp_data_hdr_t *)mp->b_rptr;
			xtsn = ntohl(sdc->sdh_tsn);
		}
	}
	if (sctp->sctp_prsctp_aware)
		sctp_check_abandoned_data(sctp, sctp->sctp_current);
	if (sctp->sctp_chk_fast_rexmit)
		sctp_fast_rexmit(sctp);
ret:
	trysend += sctp_set_frwnd(sctp, ntohl(sc->ssc_a_rwnd));

	/*
	 * If receive window is closed while there is unsent data,
	 * set a timer for doing zero window probes.
	 */
	if (sctp->sctp_frwnd == 0 && sctp->sctp_unacked == 0 &&
	    sctp->sctp_unsent != 0) {
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
		    sctp->sctp_current->sf_rto);
	}

	/*
	 * Set cwnd for all destinations.
	 * Congestion window gets increased only when cumulative
	 * TSN moves forward, we're not in fast recovery, and
	 * cwnd has been fully utilized (almost fully, need to allow
	 * some leeway due to non-MSS sized messages).
	 */
	if (sctp->sctp_current->sf_acked == acked) {
		/*
		 * Fast-path, only data sent to sctp_current got acked.
		 */
		fp = sctp->sctp_current;
		if (cumack_forward && !fast_recovery &&
		    (fp->sf_acked + fp->sf_suna > fp->sf_cwnd - fp->sf_pmss)) {
			if (fp->sf_cwnd < fp->sf_ssthresh) {
				/*
				 * Slow start
				 */
				if (fp->sf_acked > fp->sf_pmss) {
					fp->sf_cwnd += fp->sf_pmss;
				} else {
					fp->sf_cwnd += fp->sf_acked;
				}
				fp->sf_cwnd = MIN(fp->sf_cwnd,
				    sctp->sctp_cwnd_max);
			} else {
				/*
				 * Congestion avoidance
				 */
				fp->sf_pba += fp->sf_acked;
				if (fp->sf_pba >= fp->sf_cwnd) {
					fp->sf_pba -= fp->sf_cwnd;
					fp->sf_cwnd += fp->sf_pmss;
					fp->sf_cwnd = MIN(fp->sf_cwnd,
					    sctp->sctp_cwnd_max);
				}
			}
		}
		/*
		 * Limit the burst of transmitted data segments.
		 */
		if (fp->sf_suna + sctps->sctps_maxburst * fp->sf_pmss <
		    fp->sf_cwnd) {
			fp->sf_cwnd = fp->sf_suna + sctps->sctps_maxburst *
			    fp->sf_pmss;
		}
		fp->sf_acked = 0;
		goto check_ss_rxmit;
	}
	for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->sf_next) {
		if (cumack_forward && fp->sf_acked && !fast_recovery &&
		    (fp->sf_acked + fp->sf_suna > fp->sf_cwnd - fp->sf_pmss)) {
			if (fp->sf_cwnd < fp->sf_ssthresh) {
				if (fp->sf_acked > fp->sf_pmss) {
					fp->sf_cwnd += fp->sf_pmss;
				} else {
					fp->sf_cwnd += fp->sf_acked;
				}
				fp->sf_cwnd = MIN(fp->sf_cwnd,
				    sctp->sctp_cwnd_max);
			} else {
				fp->sf_pba += fp->sf_acked;
				if (fp->sf_pba >= fp->sf_cwnd) {
					fp->sf_pba -= fp->sf_cwnd;
					fp->sf_cwnd += fp->sf_pmss;
					fp->sf_cwnd = MIN(fp->sf_cwnd,
					    sctp->sctp_cwnd_max);
				}
			}
		}
		if (fp->sf_suna + sctps->sctps_maxburst * fp->sf_pmss <
		    fp->sf_cwnd) {
			fp->sf_cwnd = fp->sf_suna + sctps->sctps_maxburst *
			    fp->sf_pmss;
		}
		fp->sf_acked = 0;
	}
	fp = sctp->sctp_current;
check_ss_rxmit:
	/*
	 * If this is a SACK following a timeout, check if there are
	 * still unacked chunks (sent before the timeout) that we can
	 * send.
	 */
	if (sctp->sctp_rexmitting) {
		if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_rxt_maxtsn)) {
			/*
			 * As we are in retransmission phase, we may get a
			 * SACK which indicates some new chunks are received
			 * but cum_tsn does not advance.  During this
			 * phase, the other side advances cum_tsn only because
			 * it receives our retransmitted chunks.  Only
			 * this signals that some chunks are still
			 * missing.
			 */
			if (cumack_forward) {
				fp->sf_rxt_unacked -= acked;
				sctp_ss_rexmit(sctp);
			}
		} else {
			sctp->sctp_rexmitting = B_FALSE;
			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
			fp->sf_rxt_unacked = 0;
		}
	}
	return (trysend);
}

/*
 * Returns 0 if the caller should stop processing any more chunks,
 * 1 if the caller should skip this chunk and continue processing.
 */
static int
sctp_strange_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
{
	size_t len;

	BUMP_LOCAL(sctp->sctp_ibchunks);
	/* check top two bits for action required */
	if (ch->sch_id & 0x40) {	/* also matches 0xc0 */
		len = ntohs(ch->sch_len);
		sctp_add_err(sctp, SCTP_ERR_UNREC_CHUNK, ch, len, fp);

		if ((ch->sch_id & 0xc0) == 0xc0) {
			/* skip and continue */
			return (1);
		} else {
			/* stop processing */
			return (0);
		}
	}
	if (ch->sch_id & 0x80) {
		/* skip and continue, no error */
		return (1);
	}
	/* top two bits are clear; stop processing and no error */
	return (0);
}

/*
 * Basic sanity checks on all input chunks and parameters: they must
 * be of legitimate size for their purported type, and must follow
 * ordering conventions as defined in rfc2960.
 *
 * Returns 1 if the chunk and all encloded params are legitimate,
 * 0 otherwise.
 */
/*ARGSUSED*/
static int
sctp_check_input(sctp_t *sctp, sctp_chunk_hdr_t *ch, ssize_t len, int first)
{
	sctp_parm_hdr_t	*ph;
	void		*p = NULL;
	ssize_t		clen;
	uint16_t	ch_len;

	ch_len = ntohs(ch->sch_len);
	if (ch_len > len) {
		return (0);
	}

	switch (ch->sch_id) {
	case CHUNK_DATA:
		if (ch_len < sizeof (sctp_data_hdr_t)) {
			return (0);
		}
		return (1);
	case CHUNK_INIT:
	case CHUNK_INIT_ACK:
		{
			ssize_t	remlen = len;

			/*
			 * INIT and INIT-ACK chunks must not be bundled with
			 * any other.
			 */
			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
			    (ch_len < (sizeof (*ch) +
			    sizeof (sctp_init_chunk_t)))) {
				return (0);
			}
			/* may have params that need checking */
			p = (char *)(ch + 1) + sizeof (sctp_init_chunk_t);
			clen = ch_len - (sizeof (*ch) +
			    sizeof (sctp_init_chunk_t));
		}
		break;
	case CHUNK_SACK:
		if (ch_len < (sizeof (*ch) + sizeof (sctp_sack_chunk_t))) {
			return (0);
		}
		/* dup and gap reports checked by got_sack() */
		return (1);
	case CHUNK_SHUTDOWN:
		if (ch_len < (sizeof (*ch) + sizeof (uint32_t))) {
			return (0);
		}
		return (1);
	case CHUNK_ABORT:
	case CHUNK_ERROR:
		if (ch_len < sizeof (*ch)) {
			return (0);
		}
		/* may have params that need checking */
		p = ch + 1;
		clen = ch_len - sizeof (*ch);
		break;
	case CHUNK_ECNE:
	case CHUNK_CWR:
	case CHUNK_HEARTBEAT:
	case CHUNK_HEARTBEAT_ACK:
	/* Full ASCONF chunk and parameter checks are in asconf.c */
	case CHUNK_ASCONF:
	case CHUNK_ASCONF_ACK:
		if (ch_len < sizeof (*ch)) {
			return (0);
		}
		/* heartbeat data checked by process_heartbeat() */
		return (1);
	case CHUNK_SHUTDOWN_COMPLETE:
		{
			ssize_t remlen = len;

			/*
			 * SHUTDOWN-COMPLETE chunk must not be bundled with any
			 * other
			 */
			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
			    ch_len < sizeof (*ch)) {
				return (0);
			}
		}
		return (1);
	case CHUNK_COOKIE:
	case CHUNK_COOKIE_ACK:
	case CHUNK_SHUTDOWN_ACK:
		if (ch_len < sizeof (*ch) || !first) {
			return (0);
		}
		return (1);
	case CHUNK_FORWARD_TSN:
		if (ch_len < (sizeof (*ch) + sizeof (uint32_t)))
			return (0);
		return (1);
	default:
		return (1);	/* handled by strange_chunk() */
	}

	/* check and byteorder parameters */
	if (clen <= 0) {
		return (1);
	}
	ASSERT(p != NULL);

	ph = p;
	while (ph != NULL && clen > 0) {
		ch_len = ntohs(ph->sph_len);
		if (ch_len > len || ch_len < sizeof (*ph)) {
			return (0);
		}
		ph = sctp_next_parm(ph, &clen);
	}

	/* All OK */
	return (1);
}

static mblk_t *
sctp_check_in_policy(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
{
	boolean_t policy_present;
	ipha_t *ipha;
	ip6_t *ip6h;
	netstack_t	*ns = ipst->ips_netstack;
	ipsec_stack_t	*ipss = ns->netstack_ipsec;

	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
		policy_present = ipss->ipsec_inbound_v4_policy_present;
		ipha = (ipha_t *)mp->b_rptr;
		ip6h = NULL;
	} else {
		policy_present = ipss->ipsec_inbound_v6_policy_present;
		ipha = NULL;
		ip6h = (ip6_t *)mp->b_rptr;
	}

	if (policy_present) {
		/*
		 * The conn_t parameter is NULL because we already know
		 * nobody's home.
		 */
		mp = ipsec_check_global_policy(mp, (conn_t *)NULL,
		    ipha, ip6h, ira, ns);
		if (mp == NULL)
			return (NULL);
	}
	return (mp);
}

/* Handle out-of-the-blue packets */
void
sctp_ootb_input(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
{
	sctp_t			*sctp;
	sctp_chunk_hdr_t	*ch;
	sctp_hdr_t		*sctph;
	in6_addr_t		src, dst;
	uint_t			ip_hdr_len = ira->ira_ip_hdr_length;
	ssize_t			mlen;
	sctp_stack_t		*sctps;
	boolean_t		secure;
	zoneid_t		zoneid = ira->ira_zoneid;
	uchar_t			*rptr;

	ASSERT(ira->ira_ill == NULL);

	secure = ira->ira_flags & IRAF_IPSEC_SECURE;

	sctps = ipst->ips_netstack->netstack_sctp;

	SCTPS_BUMP_MIB(sctps, sctpOutOfBlue);
	SCTPS_BUMP_MIB(sctps, sctpInSCTPPkts);

	if (mp->b_cont != NULL) {
		/*
		 * All subsequent code is vastly simplified if it can
		 * assume a single contiguous chunk of data.
		 */
		if (pullupmsg(mp, -1) == 0) {
			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
			freemsg(mp);
			return;
		}
	}

	rptr = mp->b_rptr;
	sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);
	if (ira->ira_flags & IRAF_IS_IPV4) {
		ipha_t *ipha;

		ipha = (ipha_t *)rptr;
		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
	} else {
		ip6_t *ip6h;

		ip6h = (ip6_t *)rptr;
		src = ip6h->ip6_src;
		dst = ip6h->ip6_dst;
	}

	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
	if ((ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen)) == NULL) {
		dprint(3, ("sctp_ootb_input: invalid packet\n"));
		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
		freemsg(mp);
		return;
	}

	switch (ch->sch_id) {
	case CHUNK_INIT:
		/* no listener; send abort  */
		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
			return;
		sctp_ootb_send_abort(sctp_init2vtag(ch), 0,
		    NULL, 0, mp, 0, B_TRUE, ira, ipst);
		break;
	case CHUNK_INIT_ACK:
		/* check for changed src addr */
		sctp = sctp_addrlist2sctp(mp, sctph, ch, zoneid, sctps);
		if (sctp != NULL) {
			/* success; proceed to normal path */
			mutex_enter(&sctp->sctp_lock);
			if (sctp->sctp_running) {
				sctp_add_recvq(sctp, mp, B_FALSE, ira);
				mutex_exit(&sctp->sctp_lock);
			} else {
				/*
				 * If the source address is changed, we
				 * don't need to worry too much about
				 * out of order processing.  So we don't
				 * check if the recvq is empty or not here.
				 */
				sctp->sctp_running = B_TRUE;
				mutex_exit(&sctp->sctp_lock);
				sctp_input_data(sctp, mp, ira);
				WAKE_SCTP(sctp);
			}
			SCTP_REFRELE(sctp);
			return;
		}
		/* else bogus init ack; drop it */
		break;
	case CHUNK_SHUTDOWN_ACK:
		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
			return;
		sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
		return;
	case CHUNK_ERROR:
	case CHUNK_ABORT:
	case CHUNK_COOKIE_ACK:
	case CHUNK_SHUTDOWN_COMPLETE:
		break;
	default:
		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
			return;
		sctp_ootb_send_abort(sctph->sh_verf, 0,
		    NULL, 0, mp, 0, B_TRUE, ira, ipst);
		break;
	}
	freemsg(mp);
}

/*
 * Handle sctp packets.
 * Note that we rele the sctp_t (the caller got a reference on it).
 */
void
sctp_input(conn_t *connp, ipha_t *ipha, ip6_t *ip6h, mblk_t *mp,
    ip_recv_attr_t *ira)
{
	sctp_t		*sctp = CONN2SCTP(connp);
	boolean_t	secure;
	ill_t		*ill = ira->ira_ill;
	ip_stack_t	*ipst = ill->ill_ipst;
	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
	iaflags_t	iraflags = ira->ira_flags;
	ill_t		*rill = ira->ira_rill;

	secure = iraflags & IRAF_IPSEC_SECURE;

	/*
	 * We check some fields in conn_t without holding a lock.
	 * This should be fine.
	 */
	if (((iraflags & IRAF_IS_IPV4) ?
	    CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
	    CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
	    secure) {
		mp = ipsec_check_inbound_policy(mp, connp, ipha,
		    ip6h, ira);
		if (mp == NULL) {
			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
			/* Note that mp is NULL */
			ip_drop_input("ipIfStatsInDiscards", mp, ill);
			SCTP_REFRELE(sctp);
			return;
		}
	}

	ira->ira_ill = ira->ira_rill = NULL;

	mutex_enter(&sctp->sctp_lock);
	if (sctp->sctp_running) {
		sctp_add_recvq(sctp, mp, B_FALSE, ira);
		mutex_exit(&sctp->sctp_lock);
		goto done;
	} else {
		sctp->sctp_running = B_TRUE;
		mutex_exit(&sctp->sctp_lock);

		mutex_enter(&sctp->sctp_recvq_lock);
		if (sctp->sctp_recvq != NULL) {
			sctp_add_recvq(sctp, mp, B_TRUE, ira);
			mutex_exit(&sctp->sctp_recvq_lock);
			WAKE_SCTP(sctp);
			goto done;
		}
	}
	mutex_exit(&sctp->sctp_recvq_lock);
	if (ira->ira_flags & IRAF_ICMP_ERROR)
		sctp_icmp_error(sctp, mp);
	else
		sctp_input_data(sctp, mp, ira);
	WAKE_SCTP(sctp);

done:
	SCTP_REFRELE(sctp);
	ira->ira_ill = ill;
	ira->ira_rill = rill;
}

static void
sctp_process_abort(sctp_t *sctp, sctp_chunk_hdr_t *ch, int err)
{
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	SCTPS_BUMP_MIB(sctps, sctpAborted);
	BUMP_LOCAL(sctp->sctp_ibchunks);

	/*
	 * SCTP_COMM_LOST is only sent up if the association is
	 * established (sctp_state >= SCTPS_ESTABLISHED).
	 */
	if (sctp->sctp_state >= SCTPS_ESTABLISHED) {
		sctp_assoc_event(sctp, SCTP_COMM_LOST,
		    ntohs(((sctp_parm_hdr_t *)(ch + 1))->sph_type), ch);
	}

	sctp_clean_death(sctp, err);
}

void
sctp_input_data(sctp_t *sctp, mblk_t *mp, ip_recv_attr_t *ira)
{
	sctp_chunk_hdr_t	*ch;
	ssize_t			mlen;
	int			gotdata;
	int			trysend;
	sctp_faddr_t		*fp;
	sctp_init_chunk_t	*iack;
	uint32_t		tsn;
	sctp_data_hdr_t		*sdc;
	ip_pkt_t		ipp;
	in6_addr_t		src;
	in6_addr_t		dst;
	uint_t			ifindex;
	sctp_hdr_t		*sctph;
	uint_t			ip_hdr_len = ira->ira_ip_hdr_length;
	mblk_t			*dups = NULL;
	int			recv_adaptation;
	boolean_t		wake_eager = B_FALSE;
	in6_addr_t		peer_src;
	int64_t			now;
	sctp_stack_t		*sctps = sctp->sctp_sctps;
	ip_stack_t		*ipst = sctps->sctps_netstack->netstack_ip;
	boolean_t		hb_already = B_FALSE;
	cred_t			*cr;
	pid_t			cpid;
	uchar_t			*rptr;
	conn_t			*connp = sctp->sctp_connp;
	boolean_t		shutdown_ack_needed = B_FALSE;

	ASSERT(DB_TYPE(mp) == M_DATA);
	ASSERT(ira->ira_ill == NULL);

	if (mp->b_cont != NULL) {
		/*
		 * All subsequent code is vastly simplified if it can
		 * assume a single contiguous chunk of data.
		 */
		if (pullupmsg(mp, -1) == 0) {
			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
			freemsg(mp);
			return;
		}
	}

	BUMP_LOCAL(sctp->sctp_ipkts);
	ifindex = ira->ira_ruifindex;

	rptr = mp->b_rptr;

	ipp.ipp_fields = 0;
	if (connp->conn_recv_ancillary.crb_all != 0) {
		/*
		 * Record packet information in the ip_pkt_t
		 */
		if (ira->ira_flags & IRAF_IS_IPV4) {
			(void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
			    B_FALSE);
		} else {
			uint8_t nexthdrp;

			/*
			 * IPv6 packets can only be received by applications
			 * that are prepared to receive IPv6 addresses.
			 * The IP fanout must ensure this.
			 */
			ASSERT(connp->conn_family == AF_INET6);

			(void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
			    &nexthdrp);
			ASSERT(nexthdrp == IPPROTO_SCTP);

			/* Could have caused a pullup? */
			rptr = mp->b_rptr;
		}
	}

	sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);

	if (ira->ira_flags & IRAF_IS_IPV4) {
		ipha_t *ipha;

		ipha = (ipha_t *)rptr;
		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
	} else {
		ip6_t *ip6h;

		ip6h = (ip6_t *)rptr;
		src = ip6h->ip6_src;
		dst = ip6h->ip6_dst;
	}

	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
	ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen);
	if (ch == NULL) {
		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
		freemsg(mp);
		return;
	}

	if (!sctp_check_input(sctp, ch, mlen, 1)) {
		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
		goto done;
	}
	/*
	 * Check verfication tag (special handling for INIT,
	 * COOKIE, SHUTDOWN_COMPLETE and SHUTDOWN_ACK chunks).
	 * ABORTs are handled in the chunk processing loop, since
	 * may not appear first. All other checked chunks must
	 * appear first, or will have been dropped by check_input().
	 */
	switch (ch->sch_id) {
	case CHUNK_INIT:
		if (sctph->sh_verf != 0) {
			/* drop it */
			goto done;
		}
		break;
	case CHUNK_SHUTDOWN_COMPLETE:
		if (sctph->sh_verf == sctp->sctp_lvtag)
			break;
		if (sctph->sh_verf == sctp->sctp_fvtag &&
		    SCTP_GET_TBIT(ch)) {
			break;
		}
		/* else drop it */
		goto done;
	case CHUNK_ABORT:
	case CHUNK_COOKIE:
		/* handled below */
		break;
	case CHUNK_SHUTDOWN_ACK:
		if (sctp->sctp_state > SCTPS_BOUND &&
		    sctp->sctp_state < SCTPS_ESTABLISHED) {
			/* treat as OOTB */
			sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
			return;
		}
		/* else fallthru */
	default:
		/*
		 * All other packets must have a valid
		 * verification tag, however if this is a
		 * listener, we use a refined version of
		 * out-of-the-blue logic.
		 */
		if (sctph->sh_verf != sctp->sctp_lvtag &&
		    sctp->sctp_state != SCTPS_LISTEN) {
			/* drop it */
			goto done;
		}
		break;
	}

	/* Have a valid sctp for this packet */
	fp = sctp_lookup_faddr(sctp, &src);
	dprint(2, ("sctp_dispatch_rput: mp=%p fp=%p sctp=%p\n", (void *)mp,
	    (void *)fp, (void *)sctp));

	gotdata = 0;
	trysend = 0;

	now = LBOLT_FASTPATH64;
	/* Process the chunks */
	do {
		dprint(3, ("sctp_dispatch_rput: state=%d, chunk id=%d\n",
		    sctp->sctp_state, (int)(ch->sch_id)));

		if (ch->sch_id == CHUNK_ABORT) {
			if (sctph->sh_verf != sctp->sctp_lvtag &&
			    sctph->sh_verf != sctp->sctp_fvtag) {
				/* drop it */
				goto done;
			}
		}

		switch (sctp->sctp_state) {

		case SCTPS_ESTABLISHED:
		case SCTPS_SHUTDOWN_PENDING:
		case SCTPS_SHUTDOWN_SENT:
			switch (ch->sch_id) {
			case CHUNK_DATA:
				/* 0-length data chunks are not allowed */
				if (ntohs(ch->sch_len) == sizeof (*sdc)) {
					sdc = (sctp_data_hdr_t *)ch;
					tsn = sdc->sdh_tsn;
					sctp_send_abort(sctp, sctp->sctp_fvtag,
					    SCTP_ERR_NO_USR_DATA, (char *)&tsn,
					    sizeof (tsn), mp, 0, B_FALSE, ira);
					sctp_assoc_event(sctp, SCTP_COMM_LOST,
					    0, NULL);
					sctp_clean_death(sctp, ECONNABORTED);
					goto done;
				}

				ASSERT(fp != NULL);
				sctp->sctp_lastdata = fp;
				sctp_data_chunk(sctp, ch, mp, &dups, fp,
				    &ipp, ira);
				gotdata = 1;
				/* Restart shutdown timer if shutting down */
				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
					/*
					 * If we have exceeded our max
					 * wait bound for waiting for a
					 * shutdown ack from the peer,
					 * abort the association.
					 */
					if (sctps->sctps_shutack_wait_bound !=
					    0 &&
					    TICK_TO_MSEC(now -
					    sctp->sctp_out_time) >
					    sctps->sctps_shutack_wait_bound) {
						sctp_send_abort(sctp,
						    sctp->sctp_fvtag, 0, NULL,
						    0, mp, 0, B_FALSE, ira);
						sctp_assoc_event(sctp,
						    SCTP_COMM_LOST, 0, NULL);
						sctp_clean_death(sctp,
						    ECONNABORTED);
						goto done;
					}
					SCTP_FADDR_TIMER_RESTART(sctp, fp,
					    fp->sf_rto);
				}
				break;
			case CHUNK_SACK:
				ASSERT(fp != NULL);
				/*
				 * Peer is real and alive if it can ack our
				 * data.
				 */
				sctp_faddr_alive(sctp, fp);
				trysend = sctp_got_sack(sctp, ch);
				if (trysend < 0) {
					sctp_send_abort(sctp, sctph->sh_verf,
					    0, NULL, 0, mp, 0, B_FALSE, ira);
					sctp_assoc_event(sctp,
					    SCTP_COMM_LOST, 0, NULL);
					sctp_clean_death(sctp,
					    ECONNABORTED);
					goto done;
				}
				break;
			case CHUNK_HEARTBEAT:
				if (!hb_already) {
					/*
					 * In any one packet, there should
					 * only be one heartbeat chunk.  So
					 * we should not process more than
					 * once.
					 */
					sctp_return_heartbeat(sctp, ch, mp);
					hb_already = B_TRUE;
				}
				break;
			case CHUNK_HEARTBEAT_ACK:
				sctp_process_heartbeat(sctp, ch);
				break;
			case CHUNK_SHUTDOWN:
				sctp_shutdown_event(sctp);
				trysend = sctp_shutdown_received(sctp, ch,
				    B_FALSE, B_FALSE, fp);
				BUMP_LOCAL(sctp->sctp_ibchunks);
				break;
			case CHUNK_SHUTDOWN_ACK:
				BUMP_LOCAL(sctp->sctp_ibchunks);
				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
					sctp_shutdown_complete(sctp);
					SCTPS_BUMP_MIB(sctps, sctpShutdowns);
					sctp_assoc_event(sctp,
					    SCTP_SHUTDOWN_COMP, 0, NULL);
					sctp_clean_death(sctp, 0);
					goto done;
				}
				break;
			case CHUNK_ABORT: {
				sctp_saddr_ipif_t *sp;

				/* Ignore if delete pending */
				sp = sctp_saddr_lookup(sctp, &dst, 0);
				ASSERT(sp != NULL);
				if (sp->saddr_ipif_delete_pending) {
					BUMP_LOCAL(sctp->sctp_ibchunks);
					break;
				}

				sctp_process_abort(sctp, ch, ECONNRESET);
				goto done;
			}
			case CHUNK_INIT:
				sctp_send_initack(sctp, sctph, ch, mp, ira);
				break;
			case CHUNK_COOKIE:
				if (sctp_process_cookie(sctp, ch, mp, &iack,
				    sctph, &recv_adaptation, NULL, ira) != -1) {
					sctp_send_cookie_ack(sctp);
					sctp_assoc_event(sctp, SCTP_RESTART,
					    0, NULL);
					if (recv_adaptation) {
						sctp->sctp_recv_adaptation = 1;
						sctp_adaptation_event(sctp);
					}
				} else {
					SCTPS_BUMP_MIB(sctps,
					    sctpInInvalidCookie);
				}
				break;
			case CHUNK_ERROR: {
				int error;

				BUMP_LOCAL(sctp->sctp_ibchunks);
				error = sctp_handle_error(sctp, sctph, ch, mp,
				    ira);
				if (error != 0) {
					sctp_assoc_event(sctp, SCTP_COMM_LOST,
					    0, NULL);
					sctp_clean_death(sctp, error);
					goto done;
				}
				break;
			}
			case CHUNK_ASCONF:
				ASSERT(fp != NULL);
				sctp_input_asconf(sctp, ch, fp);
				BUMP_LOCAL(sctp->sctp_ibchunks);
				break;
			case CHUNK_ASCONF_ACK:
				ASSERT(fp != NULL);
				sctp_faddr_alive(sctp, fp);
				sctp_input_asconf_ack(sctp, ch, fp);
				BUMP_LOCAL(sctp->sctp_ibchunks);
				break;
			case CHUNK_FORWARD_TSN:
				ASSERT(fp != NULL);
				sctp->sctp_lastdata = fp;
				sctp_process_forward_tsn(sctp, ch, fp,
				    &ipp, ira);
				gotdata = 1;
				BUMP_LOCAL(sctp->sctp_ibchunks);
				break;
			default:
				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
					goto nomorechunks;
				} /* else skip and continue processing */
				break;
			}
			break;

		case SCTPS_LISTEN:
			switch (ch->sch_id) {
			case CHUNK_INIT:
				sctp_send_initack(sctp, sctph, ch, mp, ira);
				break;
			case CHUNK_COOKIE: {
				sctp_t *eager;

				if (sctp_process_cookie(sctp, ch, mp, &iack,
				    sctph, &recv_adaptation, &peer_src,
				    ira) == -1) {
					SCTPS_BUMP_MIB(sctps,
					    sctpInInvalidCookie);
					goto done;
				}

				/*
				 * The cookie is good; ensure that
				 * the peer used the verification
				 * tag from the init ack in the header.
				 */
				if (iack->sic_inittag != sctph->sh_verf)
					goto done;

				eager = sctp_conn_request(sctp, mp, ifindex,
				    ip_hdr_len, iack, ira);
				if (eager == NULL) {
					sctp_send_abort(sctp, sctph->sh_verf,
					    SCTP_ERR_NO_RESOURCES, NULL, 0, mp,
					    0, B_FALSE, ira);
					goto done;
				}

				/*
				 * If there were extra chunks
				 * bundled with the cookie,
				 * they must be processed
				 * on the eager's queue. We
				 * accomplish this by refeeding
				 * the whole packet into the
				 * state machine on the right
				 * q. The packet (mp) gets
				 * there via the eager's
				 * cookie_mp field (overloaded
				 * with the active open role).
				 * This is picked up when
				 * processing the null bind
				 * request put on the eager's
				 * q by sctp_accept(). We must
				 * first revert the cookie
				 * chunk's length field to network
				 * byteorder so it can be
				 * properly reprocessed on the
				 * eager's queue.
				 */
				SCTPS_BUMP_MIB(sctps, sctpPassiveEstab);
				if (mlen > ntohs(ch->sch_len)) {
					eager->sctp_cookie_mp = dupb(mp);
					/*
					 * If no mem, just let
					 * the peer retransmit.
					 */
				}
				sctp_assoc_event(eager, SCTP_COMM_UP, 0, NULL);
				if (recv_adaptation) {
					eager->sctp_recv_adaptation = 1;
					eager->sctp_rx_adaptation_code =
					    sctp->sctp_rx_adaptation_code;
					sctp_adaptation_event(eager);
				}

				eager->sctp_active = now;
				sctp_send_cookie_ack(eager);

				wake_eager = B_TRUE;

				/*
				 * Process rest of the chunks with eager.
				 */
				sctp = eager;
				fp = sctp_lookup_faddr(sctp, &peer_src);
				/*
				 * Confirm peer's original source.  fp can
				 * only be NULL if peer does not use the
				 * original source as one of its addresses...
				 */
				if (fp == NULL)
					fp = sctp_lookup_faddr(sctp, &src);
				else
					sctp_faddr_alive(sctp, fp);

				/*
				 * Validate the peer addresses.  It also starts
				 * the heartbeat timer.
				 */
				sctp_validate_peer(sctp);
				break;
			}
			/* Anything else is considered out-of-the-blue */
			case CHUNK_ERROR:
			case CHUNK_ABORT:
			case CHUNK_COOKIE_ACK:
			case CHUNK_SHUTDOWN_COMPLETE:
				BUMP_LOCAL(sctp->sctp_ibchunks);
				goto done;
			default:
				BUMP_LOCAL(sctp->sctp_ibchunks);
				sctp_send_abort(sctp, sctph->sh_verf, 0, NULL,
				    0, mp, 0, B_TRUE, ira);
				goto done;
			}
			break;

		case SCTPS_COOKIE_WAIT:
			switch (ch->sch_id) {
			case CHUNK_INIT_ACK:
				sctp_stop_faddr_timers(sctp);
				sctp_faddr_alive(sctp, sctp->sctp_current);
				sctp_send_cookie_echo(sctp, ch, mp, ira);
				BUMP_LOCAL(sctp->sctp_ibchunks);
				break;
			case CHUNK_ABORT:
				sctp_process_abort(sctp, ch, ECONNREFUSED);
				goto done;
			case CHUNK_INIT:
				sctp_send_initack(sctp, sctph, ch, mp, ira);
				break;
			case CHUNK_COOKIE:
				cr = ira->ira_cred;
				cpid = ira->ira_cpid;

				if (sctp_process_cookie(sctp, ch, mp, &iack,
				    sctph, &recv_adaptation, NULL, ira) == -1) {
					SCTPS_BUMP_MIB(sctps,
					    sctpInInvalidCookie);
					break;
				}
				sctp_send_cookie_ack(sctp);
				sctp_stop_faddr_timers(sctp);
				if (!SCTP_IS_DETACHED(sctp)) {
					sctp->sctp_ulp_connected(
					    sctp->sctp_ulpd, 0, cr, cpid);
					sctp_set_ulp_prop(sctp);

				}
				SCTP_ASSOC_EST(sctps, sctp);
				SCTPS_BUMP_MIB(sctps, sctpActiveEstab);
				if (sctp->sctp_cookie_mp) {
					freemsg(sctp->sctp_cookie_mp);
					sctp->sctp_cookie_mp = NULL;
				}

				/* Validate the peer addresses. */
				sctp->sctp_active = now;
				sctp_validate_peer(sctp);

				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
				if (recv_adaptation) {
					sctp->sctp_recv_adaptation = 1;
					sctp_adaptation_event(sctp);
				}
				/* Try sending queued data, or ASCONFs */
				trysend = 1;
				break;
			default:
				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
					goto nomorechunks;
				} /* else skip and continue processing */
				break;
			}
			break;

		case SCTPS_COOKIE_ECHOED:
			switch (ch->sch_id) {
			case CHUNK_COOKIE_ACK:
				cr = ira->ira_cred;
				cpid = ira->ira_cpid;

				if (!SCTP_IS_DETACHED(sctp)) {
					sctp->sctp_ulp_connected(
					    sctp->sctp_ulpd, 0, cr, cpid);
					sctp_set_ulp_prop(sctp);
				}
				if (sctp->sctp_unacked == 0)
					sctp_stop_faddr_timers(sctp);
				SCTP_ASSOC_EST(sctps, sctp);
				SCTPS_BUMP_MIB(sctps, sctpActiveEstab);
				BUMP_LOCAL(sctp->sctp_ibchunks);
				if (sctp->sctp_cookie_mp) {
					freemsg(sctp->sctp_cookie_mp);
					sctp->sctp_cookie_mp = NULL;
				}
				sctp_faddr_alive(sctp, fp);
				/* Validate the peer addresses. */
				sctp->sctp_active = now;
				sctp_validate_peer(sctp);

				/* Try sending queued data, or ASCONFs */
				trysend = 1;
				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
				sctp_adaptation_event(sctp);
				break;
			case CHUNK_ABORT:
				sctp_process_abort(sctp, ch, ECONNREFUSED);
				goto done;
			case CHUNK_COOKIE:
				cr = ira->ira_cred;
				cpid = ira->ira_cpid;

				if (sctp_process_cookie(sctp, ch, mp, &iack,
				    sctph, &recv_adaptation, NULL, ira) == -1) {
					SCTPS_BUMP_MIB(sctps,
					    sctpInInvalidCookie);
					break;
				}
				sctp_send_cookie_ack(sctp);

				if (!SCTP_IS_DETACHED(sctp)) {
					sctp->sctp_ulp_connected(
					    sctp->sctp_ulpd, 0, cr, cpid);
					sctp_set_ulp_prop(sctp);

				}
				if (sctp->sctp_unacked == 0)
					sctp_stop_faddr_timers(sctp);
				SCTP_ASSOC_EST(sctps, sctp);
				SCTPS_BUMP_MIB(sctps, sctpActiveEstab);
				if (sctp->sctp_cookie_mp) {
					freemsg(sctp->sctp_cookie_mp);
					sctp->sctp_cookie_mp = NULL;
				}
				/* Validate the peer addresses. */
				sctp->sctp_active = now;
				sctp_validate_peer(sctp);

				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
				if (recv_adaptation) {
					sctp->sctp_recv_adaptation = 1;
					sctp_adaptation_event(sctp);
				}
				/* Try sending queued data, or ASCONFs */
				trysend = 1;
				break;
			case CHUNK_INIT:
				sctp_send_initack(sctp, sctph, ch, mp, ira);
				break;
			case CHUNK_ERROR: {
				sctp_parm_hdr_t *p;

				BUMP_LOCAL(sctp->sctp_ibchunks);
				/* check for a stale cookie */
				if (ntohs(ch->sch_len) >=
				    (sizeof (*p) + sizeof (*ch)) +
				    sizeof (uint32_t)) {

					p = (sctp_parm_hdr_t *)(ch + 1);
					if (p->sph_type ==
					    htons(SCTP_ERR_STALE_COOKIE)) {
						SCTPS_BUMP_MIB(sctps,
						    sctpAborted);
						sctp_error_event(sctp,
						    ch, B_FALSE);
						sctp_assoc_event(sctp,
						    SCTP_COMM_LOST, 0, NULL);
						sctp_clean_death(sctp,
						    ECONNREFUSED);
						goto done;
					}
				}
				break;
			}
			case CHUNK_HEARTBEAT:
				if (!hb_already) {
					sctp_return_heartbeat(sctp, ch, mp);
					hb_already = B_TRUE;
				}
				break;
			default:
				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
					goto nomorechunks;
				} /* else skip and continue processing */
			} /* switch (ch->sch_id) */
			break;

		case SCTPS_SHUTDOWN_ACK_SENT:
			switch (ch->sch_id) {
			case CHUNK_ABORT:
				/* Pass gathered wisdom to IP for keeping */
				sctp_update_dce(sctp);
				sctp_process_abort(sctp, ch, 0);
				goto done;
			case CHUNK_SHUTDOWN_COMPLETE:
				BUMP_LOCAL(sctp->sctp_ibchunks);
				SCTPS_BUMP_MIB(sctps, sctpShutdowns);
				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
				    NULL);

				/* Pass gathered wisdom to IP for keeping */
				sctp_update_dce(sctp);
				sctp_clean_death(sctp, 0);
				goto done;
			case CHUNK_SHUTDOWN_ACK:
				sctp_shutdown_complete(sctp);
				BUMP_LOCAL(sctp->sctp_ibchunks);
				SCTPS_BUMP_MIB(sctps, sctpShutdowns);
				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
				    NULL);
				sctp_clean_death(sctp, 0);
				goto done;
			case CHUNK_COOKIE:
				(void) sctp_shutdown_received(sctp, NULL,
				    B_TRUE, B_FALSE, fp);
				BUMP_LOCAL(sctp->sctp_ibchunks);
				break;
			case CHUNK_HEARTBEAT:
				if (!hb_already) {
					sctp_return_heartbeat(sctp, ch, mp);
					hb_already = B_TRUE;
				}
				break;
			default:
				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
					goto nomorechunks;
				} /* else skip and continue processing */
				break;
			}
			break;

		case SCTPS_SHUTDOWN_RECEIVED:
			switch (ch->sch_id) {
			case CHUNK_SHUTDOWN:
				trysend = sctp_shutdown_received(sctp, ch,
				    B_FALSE, B_FALSE, fp);
				/*
				 * shutdown_ack_needed may have been set as
				 * mentioned in the case CHUNK_SACK below.
				 * If sctp_shutdown_received() above found
				 * the xmit queue empty the SHUTDOWN ACK chunk
				 * has already been sent (or scheduled to be
				 * sent on the timer) and the SCTP state
				 * changed, so reset shutdown_ack_needed.
				 */
				if (shutdown_ack_needed && (sctp->sctp_state ==
				    SCTPS_SHUTDOWN_ACK_SENT))
					shutdown_ack_needed = B_FALSE;
				break;
			case CHUNK_SACK:
				trysend = sctp_got_sack(sctp, ch);
				if (trysend < 0) {
					sctp_send_abort(sctp, sctph->sh_verf,
					    0, NULL, 0, mp, 0, B_FALSE, ira);
					sctp_assoc_event(sctp,
					    SCTP_COMM_LOST, 0, NULL);
					sctp_clean_death(sctp,
					    ECONNABORTED);
					goto done;
				}

				/*
				 * All data acknowledgement after a shutdown
				 * should be done with SHUTDOWN chunk.
				 * However some peer SCTP do not conform with
				 * this and can unexpectedly send a SACK chunk.
				 * If all data are acknowledged, set
				 * shutdown_ack_needed here indicating that
				 * SHUTDOWN ACK needs to be sent later by
				 * sctp_send_shutdown_ack().
				 */
				if ((sctp->sctp_xmit_head == NULL) &&
				    (sctp->sctp_xmit_unsent == NULL))
					shutdown_ack_needed = B_TRUE;
				break;
			case CHUNK_ABORT:
				sctp_process_abort(sctp, ch, ECONNRESET);
				goto done;
			case CHUNK_HEARTBEAT:
				if (!hb_already) {
					sctp_return_heartbeat(sctp, ch, mp);
					hb_already = B_TRUE;
				}
				break;
			default:
				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
					goto nomorechunks;
				} /* else skip and continue processing */
				break;
			}
			break;

		default:
			/*
			 * The only remaining states are SCTPS_IDLE and
			 * SCTPS_BOUND, and we should not be getting here
			 * for these.
			 */
			ASSERT(0);
		} /* switch (sctp->sctp_state) */

		ch = sctp_next_chunk(ch, &mlen);
		if (ch != NULL && !sctp_check_input(sctp, ch, mlen, 0))
			goto done;
	} while (ch != NULL);

	/* Finished processing all chunks in packet */

nomorechunks:

	if (shutdown_ack_needed)
		sctp_send_shutdown_ack(sctp, fp, B_FALSE);

	/* SACK if necessary */
	if (gotdata) {
		boolean_t sack_sent;

		(sctp->sctp_sack_toggle)++;
		sack_sent = sctp_sack(sctp, dups);
		dups = NULL;

		/* If a SACK is sent, no need to restart the timer. */
		if (!sack_sent && !sctp->sctp_ack_timer_running) {
			sctp->sctp_ack_timer_running = B_TRUE;
			sctp_timer(sctp, sctp->sctp_ack_mp,
			    MSEC_TO_TICK(sctps->sctps_deferred_ack_interval));
		}
	}

	if (trysend) {
		sctp_output(sctp, UINT_MAX);
		if (sctp->sctp_cxmit_list != NULL)
			sctp_wput_asconf(sctp, NULL);
	}
	/*
	 * If there is unsent data, make sure a timer is running, check
	 * timer_mp, if sctp_closei_local() ran the timers may be free.
	 */
	if (sctp->sctp_unsent > 0 && !sctp->sctp_current->sf_timer_running &&
	    sctp->sctp_current->sf_timer_mp != NULL) {
		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
		    sctp->sctp_current->sf_rto);
	}

done:
	if (dups != NULL)
		freeb(dups);
	freemsg(mp);

	if (sctp->sctp_err_chunks != NULL)
		sctp_process_err(sctp);

	if (wake_eager) {
		/*
		 * sctp points to newly created control block, need to
		 * release it before exiting.
		 */
		WAKE_SCTP(sctp);
	}
}

/*
 * Some amount of data got removed from ULP's receive queue and we can
 * push messages up if we are flow controlled before.  Reset the receive
 * window to full capacity (conn_rcvbuf) and check if we should send a
 * window update.
 */
void
sctp_recvd(sctp_t *sctp, int len)
{
	sctp_stack_t	*sctps = sctp->sctp_sctps;
	conn_t		*connp = sctp->sctp_connp;
	boolean_t	send_sack = B_FALSE;

	ASSERT(sctp != NULL);
	RUN_SCTP(sctp);

	sctp->sctp_flowctrld = B_FALSE;
	/* This is the amount of data queued in ULP. */
	sctp->sctp_ulp_rxqueued = connp->conn_rcvbuf - len;

	if (connp->conn_rcvbuf - sctp->sctp_arwnd >= sctp->sctp_mss)
		send_sack = B_TRUE;
	sctp->sctp_rwnd = connp->conn_rcvbuf;

	if (sctp->sctp_state >= SCTPS_ESTABLISHED && send_sack) {
		sctp->sctp_force_sack = 1;
		SCTPS_BUMP_MIB(sctps, sctpOutWinUpdate);
		(void) sctp_sack(sctp, NULL);
	}
	WAKE_SCTP(sctp);
}