xref: /titanic_50/usr/src/uts/common/inet/sctp/sctp_input.c (revision 507c32411f3f101e90ca2120f042b5ee698ba1d5)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/systm.h>
30 #include <sys/stream.h>
31 #include <sys/cmn_err.h>
32 #include <sys/kmem.h>
33 #define	_SUN_TPI_VERSION 2
34 #include <sys/tihdr.h>
35 #include <sys/socket.h>
36 #include <sys/strsun.h>
37 #include <sys/strsubr.h>
38 
39 #include <netinet/in.h>
40 #include <netinet/ip6.h>
41 #include <netinet/tcp_seq.h>
42 #include <netinet/sctp.h>
43 
44 #include <inet/common.h>
45 #include <inet/ip.h>
46 #include <inet/ip6.h>
47 #include <inet/mib2.h>
48 #include <inet/ipclassifier.h>
49 #include <inet/ipp_common.h>
50 #include <inet/ipsec_impl.h>
51 #include <inet/sctp_ip.h>
52 
53 #include "sctp_impl.h"
54 #include "sctp_asconf.h"
55 #include "sctp_addr.h"
56 
57 static struct kmem_cache *sctp_kmem_set_cache;
58 
59 /*
60  * PR-SCTP comments.
61  *
62  * When we get a valid Forward TSN chunk, we check the fragment list for this
63  * SSN and preceeding SSNs free all them. Further, if this Forward TSN causes
64  * the next expected SSN to be present in the stream queue, we deliver any
65  * such stranded messages upstream. We also update the SACK info. appropriately.
66  * When checking for advancing the cumulative ack (in sctp_cumack()) we must
67  * check for abandoned chunks and messages. While traversing the tramsmit
68  * list if we come across an abandoned chunk, we can skip the message (i.e.
69  * take it out of the (re)transmit list) since this message, and hence this
70  * chunk, has been marked abandoned by sctp_rexmit(). If we come across an
71  * unsent chunk for a message this now abandoned we need to check if a
72  * Forward TSN needs to be sent, this could be a case where we deferred sending
73  * a Forward TSN in sctp_get_msg_to_send(). Further, after processing a
74  * SACK we check if the Advanced peer ack point can be moved ahead, i.e.
75  * if we can send a Forward TSN via sctp_check_abandoned_data().
76  */
77 void
78 sctp_free_set(sctp_set_t *s)
79 {
80 	sctp_set_t *p;
81 
82 	while (s) {
83 		p = s->next;
84 		kmem_cache_free(sctp_kmem_set_cache, s);
85 		s = p;
86 	}
87 }
88 
89 static void
90 sctp_ack_add(sctp_set_t **head, uint32_t tsn, int *num)
91 {
92 	sctp_set_t *p, *t;
93 
94 	if (head == NULL || num == NULL)
95 		return;
96 
97 	ASSERT(*num >= 0);
98 	ASSERT((*num == 0 && *head == NULL) || (*num > 0 && *head != NULL));
99 
100 	if (*head == NULL) {
101 		*head = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
102 		if (*head == NULL)
103 			return;
104 		(*head)->prev = (*head)->next = NULL;
105 		(*head)->begin = tsn;
106 		(*head)->end = tsn;
107 		*num = 1;
108 		return;
109 	}
110 
111 	ASSERT((*head)->prev == NULL);
112 
113 	/*
114 	 * Handle this special case here so we don't have to check
115 	 * for it each time in the loop.
116 	 */
117 	if (SEQ_LT(tsn + 1, (*head)->begin)) {
118 		/* add a new set, and move the head pointer */
119 		t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
120 		if (t == NULL)
121 			return;
122 		t->next = *head;
123 		t->prev = NULL;
124 		(*head)->prev = t;
125 		t->begin = tsn;
126 		t->end = tsn;
127 		(*num)++;
128 		*head = t;
129 		return;
130 	}
131 
132 	/*
133 	 * We need to handle the following cases, where p points to
134 	 * the current set (as we walk through the loop):
135 	 *
136 	 * 1. tsn is entirely less than p; create a new set before p.
137 	 * 2. tsn borders p from less; coalesce p with tsn.
138 	 * 3. tsn is withing p; do nothing.
139 	 * 4. tsn borders p from greater; coalesce p with tsn.
140 	 * 4a. p may now border p->next from less; if so, coalesce those
141 	 *    two sets.
142 	 * 5. tsn is entirely greater then all sets; add a new set at
143 	 *    the end.
144 	 */
145 	for (p = *head; ; p = p->next) {
146 		if (SEQ_LT(tsn + 1, p->begin)) {
147 			/* 1: add a new set before p. */
148 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
149 			if (t == NULL)
150 				return;
151 			t->next = p;
152 			t->prev = NULL;
153 			t->begin = tsn;
154 			t->end = tsn;
155 			if (p->prev) {
156 				t->prev = p->prev;
157 				p->prev->next = t;
158 			}
159 			p->prev = t;
160 			(*num)++;
161 			return;
162 		}
163 
164 		if ((tsn + 1) == p->begin) {
165 			/* 2: adjust p->begin */
166 			p->begin = tsn;
167 			return;
168 		}
169 
170 		if (SEQ_GEQ(tsn, p->begin) && SEQ_LEQ(tsn, p->end)) {
171 			/* 3; do nothing */
172 			return;
173 		}
174 
175 		if ((p->end + 1) == tsn) {
176 			/* 4; adjust p->end */
177 			p->end = tsn;
178 
179 			if (p->next != NULL && (tsn + 1) == p->next->begin) {
180 				/* 4a: coalesce p and p->next */
181 				t = p->next;
182 				p->end = t->end;
183 				p->next = t->next;
184 				if (t->next != NULL)
185 					t->next->prev = p;
186 				kmem_cache_free(sctp_kmem_set_cache, t);
187 				(*num)--;
188 			}
189 			return;
190 		}
191 
192 		if (p->next == NULL) {
193 			/* 5: add new set at the end */
194 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
195 			if (t == NULL)
196 				return;
197 			t->next = NULL;
198 			t->prev = p;
199 			t->begin = tsn;
200 			t->end = tsn;
201 			p->next = t;
202 			(*num)++;
203 			return;
204 		}
205 
206 		if (SEQ_GT(tsn, p->end + 1))
207 			continue;
208 	}
209 }
210 
211 static void
212 sctp_ack_rem(sctp_set_t **head, uint32_t end, int *num)
213 {
214 	sctp_set_t *p, *t;
215 
216 	if (head == NULL || *head == NULL || num == NULL)
217 		return;
218 
219 	/* Nothing to remove */
220 	if (SEQ_LT(end, (*head)->begin))
221 		return;
222 
223 	/* Find out where to start removing sets */
224 	for (p = *head; p->next; p = p->next) {
225 		if (SEQ_LEQ(end, p->end))
226 			break;
227 	}
228 
229 	if (SEQ_LT(end, p->end) && SEQ_GEQ(end, p->begin)) {
230 		/* adjust p */
231 		p->begin = end + 1;
232 		/* all done */
233 		if (p == *head)
234 			return;
235 	} else if (SEQ_GEQ(end, p->end)) {
236 		/* remove this set too */
237 		p = p->next;
238 	}
239 
240 	/* unlink everything before this set */
241 	t = *head;
242 	*head = p;
243 	if (p != NULL && p->prev != NULL) {
244 		p->prev->next = NULL;
245 		p->prev = NULL;
246 	}
247 
248 	sctp_free_set(t);
249 
250 	/* recount the number of sets */
251 	*num = 0;
252 
253 	for (p = *head; p != NULL; p = p->next)
254 		(*num)++;
255 }
256 
257 void
258 sctp_sets_init()
259 {
260 	sctp_kmem_set_cache = kmem_cache_create("sctp_set_cache",
261 	    sizeof (sctp_set_t), 0, NULL, NULL, NULL, NULL,
262 	    NULL, 0);
263 }
264 
265 void
266 sctp_sets_fini()
267 {
268 	kmem_cache_destroy(sctp_kmem_set_cache);
269 }
270 
271 sctp_chunk_hdr_t *
272 sctp_first_chunk(uchar_t *rptr, ssize_t remaining)
273 {
274 	sctp_chunk_hdr_t *ch;
275 	uint16_t ch_len;
276 
277 	if (remaining < sizeof (*ch)) {
278 		return (NULL);
279 	}
280 
281 	ch = (sctp_chunk_hdr_t *)rptr;
282 	ch_len = ntohs(ch->sch_len);
283 
284 	if (ch_len < sizeof (*ch) || remaining < ch_len) {
285 		return (NULL);
286 	}
287 
288 	return (ch);
289 }
290 
291 sctp_chunk_hdr_t *
292 sctp_next_chunk(sctp_chunk_hdr_t *ch, ssize_t *remaining)
293 {
294 	int pad;
295 	uint16_t ch_len;
296 
297 	if (!ch) {
298 		return (NULL);
299 	}
300 
301 	ch_len = ntohs(ch->sch_len);
302 
303 	if ((pad = ch_len & (SCTP_ALIGN - 1)) != 0) {
304 		pad = SCTP_ALIGN - pad;
305 	}
306 
307 	*remaining -= (ch_len + pad);
308 	ch = (sctp_chunk_hdr_t *)((char *)ch + ch_len + pad);
309 
310 	return (sctp_first_chunk((uchar_t *)ch, *remaining));
311 }
312 
313 /*
314  * Attach ancillary data to a received SCTP segments.
315  * If the source address (fp) is not the primary, send up a
316  * unitdata_ind so recvfrom() can populate the msg_name field.
317  * If ancillary data is also requested, we append it to the
318  * unitdata_req. Otherwise, we just send up an optdata_ind.
319  */
320 static int
321 sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
322     sctp_faddr_t *fp, ip6_pkt_t *ipp)
323 {
324 	struct T_unitdata_ind	*tudi;
325 	int			optlen;
326 	int			hdrlen;
327 	uchar_t			*optptr;
328 	struct cmsghdr		*cmsg;
329 	mblk_t			*mp1;
330 	struct sockaddr_in6	sin_buf[1];
331 	struct sockaddr_in6	*sin6;
332 	struct sockaddr_in	*sin4;
333 	uint_t			addflag = 0;
334 
335 	sin4 = NULL;
336 	sin6 = NULL;
337 
338 	optlen = hdrlen = 0;
339 
340 	/* Figure out address size */
341 	if (sctp->sctp_ipversion == IPV4_VERSION) {
342 		sin4 = (struct sockaddr_in *)sin_buf;
343 		sin4->sin_family = AF_INET;
344 		sin4->sin_port = sctp->sctp_fport;
345 		IN6_V4MAPPED_TO_IPADDR(&fp->faddr, sin4->sin_addr.s_addr);
346 		hdrlen = sizeof (*tudi) + sizeof (*sin4);
347 	} else {
348 		sin6 = sin_buf;
349 		sin6->sin6_family = AF_INET6;
350 		sin6->sin6_port = sctp->sctp_fport;
351 		sin6->sin6_addr = fp->faddr;
352 		hdrlen = sizeof (*tudi) + sizeof (*sin6);
353 	}
354 
355 	/* If app asked to receive send / recv info */
356 	if (sctp->sctp_recvsndrcvinfo) {
357 		optlen += sizeof (*cmsg) + sizeof (struct sctp_sndrcvinfo);
358 		if (hdrlen == 0)
359 			hdrlen = sizeof (struct T_optdata_ind);
360 	}
361 
362 	if (sctp->sctp_ipv6_recvancillary == 0)
363 		goto noancillary;
364 
365 	if ((ipp->ipp_fields & IPPF_IFINDEX) &&
366 	    ipp->ipp_ifindex != sctp->sctp_recvifindex &&
367 	    (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVPKTINFO)) {
368 		optlen += sizeof (*cmsg) + sizeof (struct in6_pktinfo);
369 		if (hdrlen == 0)
370 			hdrlen = sizeof (struct T_unitdata_ind);
371 		addflag |= SCTP_IPV6_RECVPKTINFO;
372 	}
373 	/* If app asked for hoplimit and it has changed ... */
374 	if ((ipp->ipp_fields & IPPF_HOPLIMIT) &&
375 	    ipp->ipp_hoplimit != sctp->sctp_recvhops &&
376 	    (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPLIMIT)) {
377 		optlen += sizeof (*cmsg) + sizeof (uint_t);
378 		if (hdrlen == 0)
379 			hdrlen = sizeof (struct T_unitdata_ind);
380 		addflag |= SCTP_IPV6_RECVHOPLIMIT;
381 	}
382 	/* If app asked for hopbyhop headers and it has changed ... */
383 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPOPTS) &&
384 	    ip_cmpbuf(sctp->sctp_hopopts, sctp->sctp_hopoptslen,
385 		(ipp->ipp_fields & IPPF_HOPOPTS),
386 		ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
387 		optlen += sizeof (*cmsg) + ipp->ipp_hopoptslen -
388 		    sctp->sctp_v6label_len;
389 		if (hdrlen == 0)
390 			hdrlen = sizeof (struct T_unitdata_ind);
391 		addflag |= SCTP_IPV6_RECVHOPOPTS;
392 		if (!ip_allocbuf((void **)&sctp->sctp_hopopts,
393 		    &sctp->sctp_hopoptslen,
394 		    (ipp->ipp_fields & IPPF_HOPOPTS),
395 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
396 			return (-1);
397 	}
398 	/* If app asked for dst headers before routing headers ... */
399 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTDSTOPTS) &&
400 	    ip_cmpbuf(sctp->sctp_rtdstopts, sctp->sctp_rtdstoptslen,
401 		(ipp->ipp_fields & IPPF_RTDSTOPTS),
402 		ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen)) {
403 		optlen += sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
404 		if (hdrlen == 0)
405 			hdrlen = sizeof (struct T_unitdata_ind);
406 		addflag |= SCTP_IPV6_RECVRTDSTOPTS;
407 		if (!ip_allocbuf((void **)&sctp->sctp_rtdstopts,
408 		    &sctp->sctp_rtdstoptslen,
409 		    (ipp->ipp_fields & IPPF_RTDSTOPTS),
410 		    ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen))
411 			return (-1);
412 	}
413 	/* If app asked for routing headers and it has changed ... */
414 	if (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTHDR) {
415 		if (ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
416 		    (ipp->ipp_fields & IPPF_RTHDR),
417 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
418 			optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
419 			if (hdrlen == 0)
420 				hdrlen = sizeof (struct T_unitdata_ind);
421 			addflag |= SCTP_IPV6_RECVRTHDR;
422 			if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
423 			    &sctp->sctp_rthdrlen,
424 			    (ipp->ipp_fields & IPPF_RTHDR),
425 			    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
426 				return (-1);
427 		}
428 	}
429 	/* If app asked for dest headers and it has changed ... */
430 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVDSTOPTS) &&
431 	    ip_cmpbuf(sctp->sctp_dstopts, sctp->sctp_dstoptslen,
432 		(ipp->ipp_fields & IPPF_DSTOPTS),
433 		ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
434 		optlen += sizeof (*cmsg) + ipp->ipp_dstoptslen;
435 		if (hdrlen == 0)
436 			hdrlen = sizeof (struct T_unitdata_ind);
437 		addflag |= SCTP_IPV6_RECVDSTOPTS;
438 		if (!ip_allocbuf((void **)&sctp->sctp_dstopts,
439 		    &sctp->sctp_dstoptslen,
440 		    (ipp->ipp_fields & IPPF_DSTOPTS),
441 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
442 			return (-1);
443 	}
444 noancillary:
445 	/* Nothing to add */
446 	if (hdrlen == 0)
447 		return (-1);
448 
449 	mp1 = allocb(hdrlen + optlen + sizeof (void *), BPRI_MED);
450 	if (mp1 == NULL)
451 		return (-1);
452 	mp1->b_cont = *mp;
453 	*mp = mp1;
454 	mp1->b_rptr += sizeof (void *);  /* pointer worth of padding */
455 	mp1->b_wptr = mp1->b_rptr + hdrlen + optlen;
456 	DB_TYPE(mp1) = M_PROTO;
457 	tudi = (struct T_unitdata_ind *)mp1->b_rptr;
458 	tudi->PRIM_type = T_UNITDATA_IND;
459 	tudi->SRC_length = sin4 ? sizeof (*sin4) : sizeof (*sin6);
460 	tudi->SRC_offset = sizeof (*tudi);
461 	tudi->OPT_offset = sizeof (*tudi) + tudi->SRC_length;
462 	tudi->OPT_length = optlen;
463 	if (sin4) {
464 		bcopy(sin4, tudi + 1, sizeof (*sin4));
465 	} else {
466 		bcopy(sin6, tudi + 1, sizeof (*sin6));
467 	}
468 	optptr = (uchar_t *)tudi + tudi->OPT_offset;
469 
470 	if (sctp->sctp_recvsndrcvinfo) {
471 		/* XXX need backout method if memory allocation fails. */
472 		struct sctp_sndrcvinfo *sri;
473 
474 		cmsg = (struct cmsghdr *)optptr;
475 		cmsg->cmsg_level = IPPROTO_SCTP;
476 		cmsg->cmsg_type = SCTP_SNDRCV;
477 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*sri);
478 		optptr += sizeof (*cmsg);
479 
480 		sri = (struct sctp_sndrcvinfo *)(cmsg + 1);
481 		ASSERT(OK_32PTR(sri));
482 		sri->sinfo_stream = ntohs(dcp->sdh_sid);
483 		sri->sinfo_ssn = ntohs(dcp->sdh_ssn);
484 		if (SCTP_DATA_GET_UBIT(dcp)) {
485 			sri->sinfo_flags = MSG_UNORDERED;
486 		} else {
487 			sri->sinfo_flags = 0;
488 		}
489 		sri->sinfo_ppid = dcp->sdh_payload_id;
490 		sri->sinfo_context = 0;
491 		sri->sinfo_timetolive = 0;
492 		sri->sinfo_tsn = ntohl(dcp->sdh_tsn);
493 		sri->sinfo_cumtsn = sctp->sctp_ftsn;
494 		sri->sinfo_assoc_id = 0;
495 
496 		optptr += sizeof (*sri);
497 	}
498 
499 	/*
500 	 * If app asked for pktinfo and the index has changed ...
501 	 * Note that the local address never changes for the connection.
502 	 */
503 	if (addflag & SCTP_IPV6_RECVPKTINFO) {
504 		struct in6_pktinfo *pkti;
505 
506 		cmsg = (struct cmsghdr *)optptr;
507 		cmsg->cmsg_level = IPPROTO_IPV6;
508 		cmsg->cmsg_type = IPV6_PKTINFO;
509 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*pkti);
510 		optptr += sizeof (*cmsg);
511 
512 		pkti = (struct in6_pktinfo *)optptr;
513 		if (sctp->sctp_ipversion == IPV6_VERSION)
514 			pkti->ipi6_addr = sctp->sctp_ip6h->ip6_src;
515 		else
516 			IN6_IPADDR_TO_V4MAPPED(sctp->sctp_ipha->ipha_src,
517 			    &pkti->ipi6_addr);
518 		pkti->ipi6_ifindex = ipp->ipp_ifindex;
519 		optptr += sizeof (*pkti);
520 		ASSERT(OK_32PTR(optptr));
521 		/* Save as "last" value */
522 		sctp->sctp_recvifindex = ipp->ipp_ifindex;
523 	}
524 	/* If app asked for hoplimit and it has changed ... */
525 	if (addflag & SCTP_IPV6_RECVHOPLIMIT) {
526 		cmsg = (struct cmsghdr *)optptr;
527 		cmsg->cmsg_level = IPPROTO_IPV6;
528 		cmsg->cmsg_type = IPV6_HOPLIMIT;
529 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
530 		optptr += sizeof (*cmsg);
531 
532 		*(uint_t *)optptr = ipp->ipp_hoplimit;
533 		optptr += sizeof (uint_t);
534 		ASSERT(OK_32PTR(optptr));
535 		/* Save as "last" value */
536 		sctp->sctp_recvhops = ipp->ipp_hoplimit;
537 	}
538 	if (addflag & SCTP_IPV6_RECVHOPOPTS) {
539 		cmsg = (struct cmsghdr *)optptr;
540 		cmsg->cmsg_level = IPPROTO_IPV6;
541 		cmsg->cmsg_type = IPV6_HOPOPTS;
542 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_hopoptslen;
543 		optptr += sizeof (*cmsg);
544 
545 		bcopy(ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
546 		optptr += ipp->ipp_hopoptslen;
547 		ASSERT(OK_32PTR(optptr));
548 		/* Save as last value */
549 		ip_savebuf((void **)&sctp->sctp_hopopts,
550 		    &sctp->sctp_hopoptslen,
551 		    (ipp->ipp_fields & IPPF_HOPOPTS),
552 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
553 	}
554 	if (addflag & SCTP_IPV6_RECVRTDSTOPTS) {
555 		cmsg = (struct cmsghdr *)optptr;
556 		cmsg->cmsg_level = IPPROTO_IPV6;
557 		cmsg->cmsg_type = IPV6_RTHDRDSTOPTS;
558 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
559 		optptr += sizeof (*cmsg);
560 
561 		bcopy(ipp->ipp_rtdstopts, optptr, ipp->ipp_rtdstoptslen);
562 		optptr += ipp->ipp_rtdstoptslen;
563 		ASSERT(OK_32PTR(optptr));
564 		/* Save as last value */
565 		ip_savebuf((void **)&sctp->sctp_rtdstopts,
566 		    &sctp->sctp_rtdstoptslen,
567 		    (ipp->ipp_fields & IPPF_RTDSTOPTS),
568 		    ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen);
569 	}
570 	if (addflag & SCTP_IPV6_RECVRTHDR) {
571 		cmsg = (struct cmsghdr *)optptr;
572 		cmsg->cmsg_level = IPPROTO_IPV6;
573 		cmsg->cmsg_type = IPV6_RTHDR;
574 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrlen;
575 		optptr += sizeof (*cmsg);
576 
577 		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
578 		optptr += ipp->ipp_rthdrlen;
579 		ASSERT(OK_32PTR(optptr));
580 		/* Save as last value */
581 		ip_savebuf((void **)&sctp->sctp_rthdr,
582 		    &sctp->sctp_rthdrlen,
583 		    (ipp->ipp_fields & IPPF_RTHDR),
584 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
585 	}
586 	if (addflag & SCTP_IPV6_RECVDSTOPTS) {
587 		cmsg = (struct cmsghdr *)optptr;
588 		cmsg->cmsg_level = IPPROTO_IPV6;
589 		cmsg->cmsg_type = IPV6_DSTOPTS;
590 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_dstoptslen;
591 		optptr += sizeof (*cmsg);
592 
593 		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
594 		optptr += ipp->ipp_dstoptslen;
595 		ASSERT(OK_32PTR(optptr));
596 		/* Save as last value */
597 		ip_savebuf((void **)&sctp->sctp_dstopts,
598 		    &sctp->sctp_dstoptslen,
599 		    (ipp->ipp_fields & IPPF_DSTOPTS),
600 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
601 	}
602 
603 	ASSERT(optptr == mp1->b_wptr);
604 
605 	return (0);
606 }
607 
608 void
609 sctp_free_reass(sctp_instr_t *sip)
610 {
611 	mblk_t *mp, *mpnext, *mctl;
612 
613 	for (mp = sip->istr_reass; mp != NULL; mp = mpnext) {
614 		mpnext = mp->b_next;
615 		mp->b_next = NULL;
616 		mp->b_prev = NULL;
617 		if (DB_TYPE(mp) == M_CTL) {
618 			mctl = mp;
619 			ASSERT(mp->b_cont != NULL);
620 			mp = mp->b_cont;
621 			mctl->b_cont = NULL;
622 			freeb(mctl);
623 		}
624 		freemsg(mp);
625 	}
626 }
627 
628 /*
629  * If the series of data fragments of which dmp is a part is successfully
630  * reassembled, the first mblk in the series is returned. dc is adjusted
631  * to point at the data chunk in the lead mblk, and b_rptr also points to
632  * the data chunk; the following mblk's b_rptr's point at the actual payload.
633  *
634  * If the series is not yet reassembled, NULL is returned. dc is not changed.
635  * XXX should probably move this up into the state machine.
636  */
637 
638 /* Fragment list for un-ordered messages. Partial delivery is not supported */
639 static mblk_t *
640 sctp_uodata_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc)
641 {
642 	mblk_t		*hmp;
643 	mblk_t		*begin = NULL;
644 	mblk_t		*end = NULL;
645 	sctp_data_hdr_t	*qdc;
646 	uint32_t	ntsn;
647 	uint32_t	tsn = ntohl((*dc)->sdh_tsn);
648 #ifdef	DEBUG
649 	mblk_t		*mp1;
650 #endif
651 
652 	/* First frag. */
653 	if (sctp->sctp_uo_frags == NULL) {
654 		sctp->sctp_uo_frags = dmp;
655 		return (NULL);
656 	}
657 	hmp = sctp->sctp_uo_frags;
658 	/*
659 	 * Insert the segment according to the TSN, fragmented unordered
660 	 * chunks are sequenced by TSN.
661 	 */
662 	while (hmp != NULL) {
663 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
664 		ntsn = ntohl(qdc->sdh_tsn);
665 		if (SEQ_GT(ntsn, tsn)) {
666 			if (hmp->b_prev == NULL) {
667 				dmp->b_next = hmp;
668 				hmp->b_prev = dmp;
669 				sctp->sctp_uo_frags = dmp;
670 			} else {
671 				dmp->b_next = hmp;
672 				dmp->b_prev = hmp->b_prev;
673 				hmp->b_prev->b_next = dmp;
674 				hmp->b_prev = dmp;
675 			}
676 			break;
677 		}
678 		if (hmp->b_next == NULL) {
679 			hmp->b_next = dmp;
680 			dmp->b_prev = hmp;
681 			break;
682 		}
683 		hmp = hmp->b_next;
684 	}
685 	/* check if we completed a msg */
686 	if (SCTP_DATA_GET_BBIT(*dc)) {
687 		begin = dmp;
688 	} else if (SCTP_DATA_GET_EBIT(*dc)) {
689 		end = dmp;
690 	}
691 	/*
692 	 * We walk consecutive TSNs backwards till we get a seg. with
693 	 * the B bit
694 	 */
695 	if (begin == NULL) {
696 		for (hmp = dmp->b_prev; hmp != NULL; hmp = hmp->b_prev) {
697 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
698 			ntsn = ntohl(qdc->sdh_tsn);
699 			if ((int32_t)(tsn - ntsn) > 1) {
700 				return (NULL);
701 			}
702 			if (SCTP_DATA_GET_BBIT(qdc)) {
703 				begin = hmp;
704 				break;
705 			}
706 			tsn = ntsn;
707 		}
708 	}
709 	tsn = ntohl((*dc)->sdh_tsn);
710 	/*
711 	 * We walk consecutive TSNs till we get a seg. with the E bit
712 	 */
713 	if (end == NULL) {
714 		for (hmp = dmp->b_next; hmp != NULL; hmp = hmp->b_next) {
715 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
716 			ntsn = ntohl(qdc->sdh_tsn);
717 			if ((int32_t)(ntsn - tsn) > 1) {
718 				return (NULL);
719 			}
720 			if (SCTP_DATA_GET_EBIT(qdc)) {
721 				end = hmp;
722 				break;
723 			}
724 			tsn = ntsn;
725 		}
726 	}
727 	if (begin == NULL || end == NULL) {
728 		return (NULL);
729 	}
730 	/* Got one!, Remove the msg from the list */
731 	if (sctp->sctp_uo_frags == begin) {
732 		ASSERT(begin->b_prev == NULL);
733 		sctp->sctp_uo_frags = end->b_next;
734 		if (end->b_next != NULL)
735 			end->b_next->b_prev = NULL;
736 	} else {
737 		begin->b_prev->b_next = end->b_next;
738 		if (end->b_next != NULL)
739 			end->b_next->b_prev = begin->b_prev;
740 	}
741 	begin->b_prev = NULL;
742 	end->b_next = NULL;
743 
744 	/*
745 	 * Null out b_next and b_prev and chain using b_cont.
746 	 */
747 	dmp = end = begin;
748 	hmp = begin->b_next;
749 	*dc = (sctp_data_hdr_t *)begin->b_rptr;
750 	begin->b_next = NULL;
751 	while (hmp != NULL) {
752 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
753 		hmp->b_rptr = (uchar_t *)(qdc + 1);
754 		end = hmp->b_next;
755 		dmp->b_cont = hmp;
756 		dmp = hmp;
757 
758 		if (end != NULL)
759 			hmp->b_next = NULL;
760 		hmp->b_prev = NULL;
761 		hmp = end;
762 	}
763 	BUMP_LOCAL(sctp->sctp_reassmsgs);
764 #ifdef	DEBUG
765 	mp1 = begin;
766 	while (mp1 != NULL) {
767 		ASSERT(mp1->b_next == NULL);
768 		ASSERT(mp1->b_prev == NULL);
769 		mp1 = mp1->b_cont;
770 	}
771 #endif
772 	return (begin);
773 }
774 /*
775  * Fragment list for ordered messages.
776  * If no error occures, error is set to 0. If we run out of memory, error
777  * is set to 1. If the peer commits a fatal error (like using different
778  * sequence numbers for the same data fragment series), the association is
779  * aborted and error is set to 2.
780  */
781 static mblk_t *
782 sctp_data_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc, int *error,
783     sctp_instr_t *sip, int trypartial, int *tpfinished)
784 {
785 	mblk_t		*hmp;
786 	mblk_t		*pmp;
787 	mblk_t		*qmp;
788 	mblk_t		*mp;
789 	mblk_t		*prev;
790 	mblk_t		*prevprev;
791 	mblk_t		*first_mp;
792 	sctp_reass_t	*srp;
793 	sctp_data_hdr_t	*qdc;
794 	sctp_data_hdr_t	*bdc;
795 	sctp_data_hdr_t	*edc;
796 	uint32_t	tsn;
797 
798 	/*
799 	 * We can overwrite the Link Layer + IP header here, I suppose.
800 	 * The M_CTL does not leave this function. We need to check
801 	 * DB_REF(dmp) before using DB_BASE(dmp), since there could be
802 	 * two fragments for different ssns in the same mblk.
803 	 */
804 #define	SCTP_NEW_REASS(nmp, dmp, srp, seterror)				\
805 	if ((DB_REF(dmp) == 2) && (MBLKHEAD(dmp) >= 			\
806 	    (sizeof (*(srp)) + sizeof (sctp_hdr_t)))) {			\
807 		(nmp) = (dmp);						\
808 	} else {							\
809 		(nmp) = allocb(sizeof (*(srp)), BPRI_MED); 		\
810 		if ((nmp) == NULL) {					\
811 			switch (seterror) {				\
812 			case B_TRUE:					\
813 				*error = 1;				\
814 				break;					\
815 			}						\
816 			return (NULL);					\
817 		}							\
818 		DB_TYPE(nmp) = M_CTL;					\
819 		(nmp)->b_cont = dmp;					\
820 	}								\
821 	(srp) = (sctp_reass_t *)DB_BASE(nmp);
822 
823 	*error = 0;
824 
825 	/* find the reassembly queue for this data chunk */
826 	hmp = qmp = sip->istr_reass;
827 	for (; hmp != NULL; hmp = hmp->b_next) {
828 		srp = (sctp_reass_t *)DB_BASE(hmp);
829 		if (ntohs((*dc)->sdh_ssn) == srp->ssn)
830 			goto foundit;
831 		else if (SSN_GT(srp->ssn, ntohs((*dc)->sdh_ssn)))
832 			break;
833 		qmp = hmp;
834 	}
835 
836 	SCTP_NEW_REASS(pmp, dmp, srp, B_TRUE);
837 	srp->ssn = ntohs((*dc)->sdh_ssn);
838 	srp->needed = 0;
839 	srp->got = 1;
840 	srp->tail = dmp;
841 	srp->partial_delivered = B_FALSE;
842 
843 	if (hmp != NULL) {
844 		if (sip->istr_reass == hmp) {
845 			sip->istr_reass = pmp;
846 			pmp->b_next = hmp;
847 			pmp->b_prev = NULL;
848 			hmp->b_prev = pmp;
849 		} else {
850 			qmp->b_next = pmp;
851 			pmp->b_prev = qmp;
852 			pmp->b_next = hmp;
853 			hmp->b_prev = pmp;
854 		}
855 	} else {
856 		/* make a new reass head and stick it on the end */
857 		if (sip->istr_reass == NULL) {
858 			sip->istr_reass = pmp;
859 			pmp->b_prev = NULL;
860 		} else {
861 			qmp->b_next = pmp;
862 			pmp->b_prev = qmp;
863 		}
864 		pmp->b_next = NULL;
865 	}
866 	return (NULL);
867 foundit:
868 	/*
869 	 * else already have a reassembly queue. Insert the new data chunk
870 	 * in the reassemble queue. Try the tail first, on the assumption
871 	 * that the fragments are coming in in order.
872 	 */
873 
874 	qmp = srp->tail;
875 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
876 	ASSERT(qmp->b_cont == NULL);
877 
878 	/* XXXIs it fine to do this just here? */
879 	if ((*dc)->sdh_sid != qdc->sdh_sid) {
880 		/* our peer is fatally confused; XXX abort the assc */
881 		*error = 2;
882 		return (NULL);
883 	}
884 	if (SEQ_GT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
885 		qmp->b_cont = dmp;
886 		srp->tail = dmp;
887 		dmp->b_cont = NULL;
888 		goto inserted;
889 	}
890 
891 	/* Next check for insertion at the beginning */
892 	qmp = (DB_TYPE(hmp) == M_DATA) ? hmp : hmp->b_cont;
893 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
894 	if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
895 		if (DB_TYPE(hmp) == M_DATA) {
896 			sctp_reass_t	*srp1 = srp;
897 
898 			SCTP_NEW_REASS(pmp, dmp, srp, B_TRUE);
899 			ASSERT(pmp->b_prev == NULL && pmp->b_next == NULL);
900 			if (sip->istr_reass == hmp) {
901 				sip->istr_reass = pmp;
902 				if (hmp->b_next != NULL) {
903 					hmp->b_next->b_prev = pmp;
904 					pmp->b_next = hmp->b_next;
905 				}
906 			} else {
907 				hmp->b_prev->b_next = pmp;
908 				pmp->b_prev = hmp->b_prev;
909 				if (hmp->b_next != NULL) {
910 					hmp->b_next->b_prev = pmp;
911 					pmp->b_next = hmp->b_next;
912 				}
913 			}
914 			srp->ssn = srp1->ssn;
915 			srp->needed = srp1->needed;
916 			srp->got = srp1->got;
917 			srp->tail = srp1->tail;
918 			srp->partial_delivered = srp1->partial_delivered;
919 			hmp->b_next = hmp->b_prev = NULL;
920 			dmp->b_cont = hmp;
921 			hmp = pmp;
922 		} else {
923 			ASSERT(DB_TYPE(hmp) == M_CTL);
924 			dmp->b_cont = qmp;
925 			hmp->b_cont = dmp;
926 		}
927 		goto inserted;
928 	}
929 
930 	/* Insert somewhere in the middle */
931 	for (;;) {
932 		/* Tail check above should have caught this */
933 		ASSERT(qmp->b_cont != NULL);
934 
935 		qdc = (sctp_data_hdr_t *)qmp->b_cont->b_rptr;
936 		if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
937 			/* insert here */
938 			dmp->b_cont = qmp->b_cont;
939 			qmp->b_cont = dmp;
940 			break;
941 		}
942 		qmp = qmp->b_cont;
943 	}
944 
945 inserted:
946 	(srp->got)++;
947 	first_mp = (DB_TYPE(hmp) == M_DATA) ? hmp : hmp->b_cont;
948 	if (srp->needed == 0) {
949 		/* check if we have the first and last fragments */
950 		bdc = (sctp_data_hdr_t *)first_mp->b_rptr;
951 		edc = (sctp_data_hdr_t *)srp->tail->b_rptr;
952 
953 		/* calculate how many fragments are needed, if possible  */
954 		if (SCTP_DATA_GET_BBIT(bdc) && SCTP_DATA_GET_EBIT(edc))
955 			srp->needed = ntohl(edc->sdh_tsn) -
956 			    ntohl(bdc->sdh_tsn) + 1;
957 	}
958 
959 	if (srp->needed != srp->got) {
960 		if (!trypartial)
961 			return (NULL);
962 		/*
963 		 * Try partial delivery. We need a consecutive run of
964 		 * at least two chunks, starting from the first chunk
965 		 * (which may have been the last + 1 chunk from a
966 		 * previous partial delivery).
967 		 */
968 		dprint(4, ("trypartial: got=%d, needed=%d\n",
969 		    (int)(srp->got), (int)(srp->needed)));
970 		mp = first_mp;
971 		if (mp->b_cont == NULL) {
972 			/* need at least two chunks */
973 			dprint(4, ("trypartial: only 1 chunk\n"));
974 			return (NULL);
975 		}
976 
977 		qdc = (sctp_data_hdr_t *)mp->b_rptr;
978 		if (!SCTP_DATA_GET_BBIT(qdc)) {
979 			/* don't have first chunk; can't do it. */
980 			dprint(4, ("trypartial: no beginning\n"));
981 			return (NULL);
982 		}
983 
984 		tsn = ntohl(qdc->sdh_tsn) + 1;
985 
986 		/*
987 		 * This loop has two exit conditions: the
988 		 * end of received chunks has been reached, or
989 		 * there is a break in the sequence. We want
990 		 * to chop the reassembly list as follows (the
991 		 * numbers are TSNs):
992 		 *   10 -> 11 -> | 12	(end of chunks)
993 		 *   10 -> 11 -> | 12 -> 14 (break in sequence)
994 		 */
995 		prevprev = prev = mp;
996 		mp = mp->b_cont;
997 		while (mp != NULL) {
998 			qdc = (sctp_data_hdr_t *)mp->b_rptr;
999 			if (ntohl(qdc->sdh_tsn) != tsn) {
1000 				/*
1001 				 * break in sequence.
1002 				 * 1st and 2nd chunks are not sequntial.
1003 				 */
1004 				if (mp == first_mp->b_cont)
1005 					return (NULL);
1006 				/* Back up mp and prev */
1007 				mp = prev;
1008 				prev = prevprev;
1009 				break;
1010 			}
1011 
1012 			/* end of sequence */
1013 			if (mp->b_cont == NULL)
1014 				break;
1015 
1016 			prevprev = prev;
1017 			prev = mp;
1018 			mp = mp->b_cont;
1019 			tsn++;
1020 		}
1021 		if (DB_TYPE(hmp) == M_DATA) {
1022 			sctp_reass_t	*srp1 = srp;
1023 
1024 			SCTP_NEW_REASS(pmp, mp, srp, B_FALSE);
1025 			ASSERT(pmp->b_prev == NULL && pmp->b_next == NULL);
1026 			if (sip->istr_reass == hmp) {
1027 				sip->istr_reass = pmp;
1028 				if (hmp->b_next != NULL) {
1029 					hmp->b_next->b_prev = pmp;
1030 					pmp->b_next = hmp->b_next;
1031 				}
1032 			} else {
1033 				hmp->b_prev->b_next = pmp;
1034 				pmp->b_prev = hmp->b_prev;
1035 				if (hmp->b_next != NULL) {
1036 					hmp->b_next->b_prev = pmp;
1037 					pmp->b_next = hmp->b_next;
1038 				}
1039 			}
1040 			srp->ssn = srp1->ssn;
1041 			srp->needed = srp1->needed;
1042 			srp->got = srp1->got;
1043 			srp->tail = srp1->tail;
1044 			hmp->b_next = hmp->b_prev = NULL;
1045 			dmp = hmp;
1046 			hmp = pmp;
1047 		} else {
1048 			ASSERT(DB_TYPE(hmp) == M_CTL);
1049 			dmp = hmp->b_cont;
1050 			hmp->b_cont = mp;
1051 		}
1052 		/*
1053 		 * mp now points at the last chunk in the sequence,
1054 		 * and prev points to mp's previous in the list.
1055 		 * We chop the list at prev, and convert mp into the
1056 		 * new list head by setting the B bit. Subsequence
1057 		 * fragment deliveries will follow the normal reassembly
1058 		 * path.
1059 		 */
1060 		prev->b_cont = NULL;
1061 		bdc = (sctp_data_hdr_t *)mp->b_rptr;
1062 		SCTP_DATA_SET_BBIT(bdc);
1063 		*tpfinished = 0;
1064 		srp->partial_delivered = B_TRUE;
1065 
1066 		dprint(4, ("trypartial: got some, got=%d, needed=%d\n",
1067 		    (int)(srp->got), (int)(srp->needed)));
1068 		goto fixup;
1069 	}
1070 
1071 	/*
1072 	 * else reassembly done; prepare the data for delivery.
1073 	 * First unlink hmp from the ssn list.
1074 	 */
1075 	if (sip->istr_reass == hmp) {
1076 		sip->istr_reass = hmp->b_next;
1077 		if (hmp->b_next) {
1078 			hmp->b_next->b_prev = NULL;
1079 		}
1080 	} else {
1081 		ASSERT(hmp->b_prev != NULL);
1082 		hmp->b_prev->b_next = hmp->b_next;
1083 		if (hmp->b_next) {
1084 			hmp->b_next->b_prev = hmp->b_prev;
1085 		}
1086 	}
1087 
1088 	/*
1089 	 * Using b_prev and b_next was a little sinful, but OK since
1090 	 * this mblk is never put*'d. However, freeb() will still
1091 	 * ASSERT that they are unused, so we need to NULL them out now.
1092 	 */
1093 	hmp->b_next = NULL;
1094 	hmp->b_prev = NULL;
1095 	dmp = hmp;
1096 	if (DB_TYPE(hmp) == M_CTL) {
1097 		dmp = dmp->b_cont;
1098 		hmp->b_cont = NULL;
1099 		freeb(hmp);
1100 	}
1101 	*tpfinished = 1;
1102 
1103 fixup:
1104 	/*
1105 	 * Adjust all mblk's except the lead so their rptr's point to the
1106 	 * payload. sctp_data_chunk() will need to process the lead's
1107 	 * data chunk section, so leave it's rptr pointing at the data chunk.
1108 	 */
1109 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
1110 	if (trypartial && !(*tpfinished)) {
1111 		(srp->got)--;
1112 		ASSERT(srp->got != 0);
1113 		if (srp->needed != 0) {
1114 			(srp->needed)--;
1115 			ASSERT(srp->needed != 0);
1116 		}
1117 	}
1118 	for (qmp = dmp->b_cont; qmp; qmp = qmp->b_cont) {
1119 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1120 		qmp->b_rptr = (uchar_t *)(qdc + 1);
1121 
1122 		/*
1123 		 * If in partial delivery, deduct the balance from got
1124 		 * and needed here, now that we know we are actually
1125 		 * delivering these data.
1126 		 */
1127 		if (trypartial && !(*tpfinished)) {
1128 			(srp->got)--;
1129 			ASSERT(srp->got != 0);
1130 			if (srp->needed != 0) {
1131 				(srp->needed)--;
1132 				ASSERT(srp->needed != 0);
1133 			}
1134 		}
1135 	}
1136 	BUMP_LOCAL(sctp->sctp_reassmsgs);
1137 
1138 	return (dmp);
1139 }
1140 
1141 static void
1142 sctp_add_dup(uint32_t tsn, mblk_t **dups)
1143 {
1144 	mblk_t *mp;
1145 	size_t bsize = SCTP_DUP_MBLK_SZ * sizeof (tsn);
1146 
1147 	if (dups == NULL) {
1148 		return;
1149 	}
1150 
1151 	/* first time? */
1152 	if (*dups == NULL) {
1153 		*dups = allocb(bsize, BPRI_MED);
1154 		if (*dups == NULL) {
1155 			return;
1156 		}
1157 	}
1158 
1159 	mp = *dups;
1160 	if ((mp->b_wptr - mp->b_rptr) >= bsize) {
1161 		/* maximum reached */
1162 		return;
1163 	}
1164 
1165 	/* add the duplicate tsn */
1166 	bcopy(&tsn, mp->b_wptr, sizeof (tsn));
1167 	mp->b_wptr += sizeof (tsn);
1168 	ASSERT((mp->b_wptr - mp->b_rptr) <= bsize);
1169 }
1170 
1171 static void
1172 sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
1173     sctp_faddr_t *fp, ip6_pkt_t *ipp)
1174 {
1175 	sctp_data_hdr_t *dc;
1176 	mblk_t *dmp, *pmp;
1177 	mblk_t *errmp;
1178 	sctp_instr_t *instr;
1179 	int ubit;
1180 	int isfrag;
1181 	uint16_t ssn;
1182 	uint32_t oftsn;
1183 	boolean_t can_deliver = B_TRUE;
1184 	uint32_t tsn;
1185 	int dlen;
1186 	int trypartial = 0;
1187 	int tpfinished = 1;
1188 	int32_t new_rwnd;
1189 
1190 	/* The following are used multiple times, so we inline them */
1191 #define	SCTP_ACK_IT(sctp, tsn)						\
1192 	if (tsn == sctp->sctp_ftsn) {					\
1193 		dprint(2, ("data_chunk: acking next %x\n", tsn));	\
1194 		(sctp->sctp_ftsn)++;					\
1195 	} else if (SEQ_GT(tsn, sctp->sctp_ftsn)) {			\
1196 		/* Got a gap; record it */				\
1197 		dprint(2, ("data_chunk: acking gap %x\n", tsn));	\
1198 		sctp_ack_add(&sctp->sctp_sack_info,			\
1199 				tsn,					\
1200 				&sctp->sctp_sack_gaps);			\
1201 		sctp->sctp_force_sack = 1;				\
1202 	}
1203 
1204 	errmp = NULL;
1205 	dmp = NULL;
1206 
1207 	dc = (sctp_data_hdr_t *)ch;
1208 	tsn = ntohl(dc->sdh_tsn);
1209 
1210 	dprint(3, ("sctp_data_chunk: mp=%p tsn=%x\n", (void *)mp, tsn));
1211 
1212 	/* Check for duplicates */
1213 	if (SEQ_LT(tsn, sctp->sctp_ftsn)) {
1214 		dprint(4, ("sctp_data_chunk: dropping duplicate\n"));
1215 		sctp->sctp_force_sack = 1;
1216 		sctp_add_dup(dc->sdh_tsn, dups);
1217 		return;
1218 	}
1219 
1220 	if (sctp->sctp_sack_info != NULL) {
1221 		sctp_set_t *sp;
1222 
1223 		for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1224 			if (SEQ_GEQ(tsn, sp->begin) && SEQ_LEQ(tsn, sp->end)) {
1225 				dprint(4,
1226 				("sctp_data_chunk: dropping dup > cumtsn\n"));
1227 				sctp->sctp_force_sack = 1;
1228 				sctp_add_dup(dc->sdh_tsn, dups);
1229 				return;
1230 			}
1231 		}
1232 	}
1233 
1234 	/* We cannot deliver anything up now but we still need to handle it. */
1235 	if (SCTP_IS_DETACHED(sctp)) {
1236 		BUMP_MIB(&sctp_mib, sctpInClosed);
1237 		can_deliver = B_FALSE;
1238 	}
1239 
1240 	dlen = ntohs(dc->sdh_len) - sizeof (*dc);
1241 
1242 	/* Check for buffer space */
1243 	if (sctp->sctp_rwnd - sctp->sctp_rxqueued < dlen) {
1244 		/* Drop and SACK, but don't advance the cumulative TSN. */
1245 		sctp->sctp_force_sack = 1;
1246 		dprint(0, ("sctp_data_chunk: exceed rwnd %d rxqueued %d "
1247 			"ssn %d tsn %x\n", sctp->sctp_rwnd,
1248 			sctp->sctp_rxqueued, dc->sdh_ssn, ntohl(dc->sdh_tsn)));
1249 		return;
1250 	}
1251 
1252 	if (ntohs(dc->sdh_sid) >= sctp->sctp_num_istr) {
1253 		uint16_t	inval_parm[2];
1254 
1255 		inval_parm[0] = dc->sdh_sid;
1256 		/* RESERVED to be ignored at the receiving end */
1257 		inval_parm[1] = 0;
1258 		/* ack and drop it */
1259 		errmp = sctp_make_err(sctp, SCTP_ERR_BAD_SID,
1260 		    (char *)inval_parm, sizeof (inval_parm));
1261 		SCTP_ACK_IT(sctp, tsn);
1262 		if (errmp != NULL)
1263 			sctp_send_err(sctp, errmp, NULL);
1264 		return;
1265 	}
1266 
1267 	ubit = SCTP_DATA_GET_UBIT(dc);
1268 	ASSERT(sctp->sctp_instr != NULL);
1269 	instr = &sctp->sctp_instr[ntohs(dc->sdh_sid)];
1270 	/* Initialize the stream, if not yet used */
1271 	if (instr->sctp == NULL)
1272 		instr->sctp = sctp;
1273 	/*
1274 	 * If we are getting low on buffers set trypartial to try
1275 	 * a partial delivery if we are reassembling a fragmented
1276 	 * message. Only do this if we can immediately deliver the
1277 	 * partially assembled message, and only partially deliver
1278 	 * one message at a time (i.e. messages cannot be intermixed
1279 	 * arriving at the upper layer). A simple way to enforce
1280 	 * this is to only try partial delivery if this TSN is
1281 	 * the next expected TSN. Partial Delivery not supported
1282 	 * for un-ordered message.
1283 	 */
1284 	isfrag = !(SCTP_DATA_GET_BBIT(dc) && SCTP_DATA_GET_EBIT(dc));
1285 	ssn = ntohs(dc->sdh_ssn);
1286 	if ((sctp->sctp_rwnd - sctp->sctp_rxqueued < SCTP_RECV_LOWATER) &&
1287 	    !ubit && isfrag && (tsn == sctp->sctp_ftsn)) {
1288 		trypartial = 1;
1289 	}
1290 
1291 	dmp = dupb(mp);
1292 	if (dmp == NULL) {
1293 		/* drop it and don't ack it, causing the peer to retransmit */
1294 		return;
1295 	}
1296 	dmp->b_wptr = (uchar_t *)ch + ntohs(ch->sch_len);
1297 
1298 	sctp->sctp_rxqueued += dlen;
1299 
1300 	oftsn = sctp->sctp_ftsn;
1301 
1302 	if (isfrag) {
1303 		int error = 0;
1304 
1305 		/* fragmented data chunk */
1306 		dmp->b_rptr = (uchar_t *)dc;
1307 		if (ubit) {
1308 			dmp = sctp_uodata_frag(sctp, dmp, &dc);
1309 #if	DEBUG
1310 			if (dmp != NULL) {
1311 				ASSERT(instr ==
1312 				    &sctp->sctp_instr[ntohs(dc->sdh_sid)]);
1313 			}
1314 #endif
1315 		} else {
1316 			dmp = sctp_data_frag(sctp, dmp, &dc, &error, instr,
1317 			    trypartial, &tpfinished);
1318 		}
1319 		if (error != 0) {
1320 			sctp->sctp_rxqueued -= dlen;
1321 			if (error == 1) {
1322 				/*
1323 				 * out of memory; don't ack it so
1324 				 * the peer retransmits
1325 				 */
1326 				return;
1327 			} else if (error == 2) {
1328 				/*
1329 				 * fatal error (i.e. peer used different
1330 				 * ssn's for same fragmented data) --
1331 				 * the association has been aborted.
1332 				 * XXX need to return errval so state
1333 				 * machine can also abort processing.
1334 				 */
1335 				dprint(0, ("error 2: must not happen!\n"));
1336 				return;
1337 			}
1338 		}
1339 
1340 		if (dmp == NULL) {
1341 			/*
1342 			 * Can't process this data now, but the cumulative
1343 			 * TSN may be advanced, so do the checks at done.
1344 			 */
1345 			SCTP_ACK_IT(sctp, tsn);
1346 			goto done;
1347 		}
1348 	}
1349 
1350 	if (!ubit && !trypartial && ssn != instr->nextseq) {
1351 		/* Adjust rptr to point at the data chunk for compares */
1352 		dmp->b_rptr = (uchar_t *)dc;
1353 
1354 		dprint(2,
1355 		    ("data_chunk: inserted %x in pq (ssn %d expected %d)\n",
1356 		    ntohl(dc->sdh_tsn), (int)(ssn), (int)(instr->nextseq)));
1357 
1358 		if (instr->istr_msgs == NULL) {
1359 			instr->istr_msgs = dmp;
1360 			ASSERT(dmp->b_prev == NULL && dmp->b_next == NULL);
1361 		} else {
1362 			mblk_t			*imblk = instr->istr_msgs;
1363 			sctp_data_hdr_t		*idc;
1364 
1365 			/*
1366 			 * XXXNeed to take sequence wraps into account,
1367 			 * ... and a more efficient insertion algo.
1368 			 */
1369 			for (;;) {
1370 				idc = (sctp_data_hdr_t *)imblk->b_rptr;
1371 				if (SSN_GT(ntohs(idc->sdh_ssn),
1372 					ntohs(dc->sdh_ssn))) {
1373 					if (instr->istr_msgs == imblk) {
1374 						instr->istr_msgs = dmp;
1375 						dmp->b_next = imblk;
1376 						imblk->b_prev = dmp;
1377 					} else {
1378 						ASSERT(imblk->b_prev != NULL);
1379 						imblk->b_prev->b_next = dmp;
1380 						dmp->b_prev = imblk->b_prev;
1381 						imblk->b_prev = dmp;
1382 						dmp->b_next = imblk;
1383 					}
1384 					break;
1385 				}
1386 				if (imblk->b_next == NULL) {
1387 					imblk->b_next = dmp;
1388 					dmp->b_prev = imblk;
1389 					break;
1390 				}
1391 				imblk = imblk->b_next;
1392 			}
1393 		}
1394 		(instr->istr_nmsgs)++;
1395 		(sctp->sctp_istr_nmsgs)++;
1396 		SCTP_ACK_IT(sctp, tsn);
1397 		return;
1398 	}
1399 
1400 	/*
1401 	 * Else we can deliver the data directly. Recalculate
1402 	 * dlen now since we may have reassembled data.
1403 	 */
1404 	dlen = dmp->b_wptr - (uchar_t *)dc - sizeof (*dc);
1405 	for (pmp = dmp->b_cont; pmp != NULL; pmp = pmp->b_cont)
1406 		dlen += pmp->b_wptr - pmp->b_rptr;
1407 	ASSERT(sctp->sctp_rxqueued >= dlen);
1408 	ASSERT(sctp->sctp_rwnd >= dlen);
1409 
1410 	/* Deliver the message. */
1411 	sctp->sctp_rxqueued -= dlen;
1412 
1413 	if (can_deliver) {
1414 		dmp->b_rptr = (uchar_t *)(dc + 1);
1415 		if (sctp_input_add_ancillary(sctp, &dmp, dc, fp, ipp) == 0) {
1416 			dprint(1, ("sctp_data_chunk: delivering %lu bytes\n",
1417 			    msgdsize(dmp)));
1418 			sctp->sctp_rwnd -= dlen;
1419 			new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
1420 			    tpfinished ? 0 : SCTP_PARTIAL_DATA);
1421 			if (new_rwnd > sctp->sctp_rwnd) {
1422 				sctp->sctp_rwnd = new_rwnd;
1423 			}
1424 			SCTP_ACK_IT(sctp, tsn);
1425 		} else {
1426 			/* Just free the message if we don't have memory. */
1427 			freemsg(dmp);
1428 			return;
1429 		}
1430 	} else {
1431 		/* About to free the data */
1432 		freemsg(dmp);
1433 		SCTP_ACK_IT(sctp, tsn);
1434 	}
1435 
1436 	/*
1437 	 * data, now enqueued, may already have been processed and free'd
1438 	 * by the ULP (or we may have just freed it above, if we could not
1439 	 * deliver it), so we must not reference it (this is why we kept
1440 	 * the ssn and ubit above).
1441 	 */
1442 	if (ubit != 0) {
1443 		BUMP_LOCAL(sctp->sctp_iudchunks);
1444 		goto done;
1445 	}
1446 	BUMP_LOCAL(sctp->sctp_idchunks);
1447 
1448 	/*
1449 	 * If there was a partial delivery and it has not finished,
1450 	 * don't pull anything from the pqueues.
1451 	 */
1452 	if (!tpfinished) {
1453 		goto done;
1454 	}
1455 
1456 	instr->nextseq = ssn + 1;
1457 	/* Deliver any successive data chunks in the instr queue */
1458 	while (instr->istr_nmsgs > 0) {
1459 		dmp = (mblk_t *)instr->istr_msgs;
1460 		dc = (sctp_data_hdr_t *)dmp->b_rptr;
1461 		ssn = ntohs(dc->sdh_ssn);
1462 		/* Gap in the sequence */
1463 		if (ssn != instr->nextseq)
1464 			break;
1465 
1466 		/* Else deliver the data */
1467 		(instr->istr_nmsgs)--;
1468 		(instr->nextseq)++;
1469 		(sctp->sctp_istr_nmsgs)--;
1470 
1471 		instr->istr_msgs = instr->istr_msgs->b_next;
1472 		if (instr->istr_msgs != NULL)
1473 			instr->istr_msgs->b_prev = NULL;
1474 		dmp->b_next = dmp->b_prev = NULL;
1475 
1476 		dprint(2, ("data_chunk: pulling %x from pq (ssn %d)\n",
1477 		    ntohl(dc->sdh_tsn), (int)ssn));
1478 
1479 		/*
1480 		 * If this chunk was reassembled, each b_cont represents
1481 		 * another TSN; advance ftsn now.
1482 		 */
1483 		dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
1484 		for (pmp = dmp->b_cont; pmp; pmp = pmp->b_cont)
1485 			dlen += pmp->b_wptr - pmp->b_rptr;
1486 
1487 		ASSERT(sctp->sctp_rxqueued >= dlen);
1488 		ASSERT(sctp->sctp_rwnd >= dlen);
1489 
1490 		sctp->sctp_rxqueued -= dlen;
1491 		if (can_deliver) {
1492 			dmp->b_rptr = (uchar_t *)(dc + 1);
1493 			if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
1494 			    ipp) == 0) {
1495 				dprint(1, ("sctp_data_chunk: delivering %lu "
1496 				    "bytes\n", msgdsize(dmp)));
1497 				sctp->sctp_rwnd -= dlen;
1498 				new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd,
1499 				    dmp, tpfinished ? 0 : SCTP_PARTIAL_DATA);
1500 				if (new_rwnd > sctp->sctp_rwnd) {
1501 					sctp->sctp_rwnd = new_rwnd;
1502 				}
1503 				SCTP_ACK_IT(sctp, tsn);
1504 			} else {
1505 				freemsg(dmp);
1506 				return;
1507 			}
1508 		} else {
1509 			/* About to free the data */
1510 			freemsg(dmp);
1511 			SCTP_ACK_IT(sctp, tsn);
1512 		}
1513 	}
1514 
1515 done:
1516 
1517 	/*
1518 	 * If there are gap reports pending, check if advancing
1519 	 * the ftsn here closes a gap. If so, we can advance
1520 	 * ftsn to the end of the set.
1521 	 */
1522 	if (sctp->sctp_sack_info != NULL &&
1523 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
1524 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
1525 	}
1526 	/*
1527 	 * If ftsn has moved forward, maybe we can remove gap reports.
1528 	 * NB: dmp may now be NULL, so don't dereference it here.
1529 	 */
1530 	if (oftsn != sctp->sctp_ftsn && sctp->sctp_sack_info != NULL) {
1531 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
1532 		    &sctp->sctp_sack_gaps);
1533 		dprint(2, ("data_chunk: removed acks before %x (num=%d)\n",
1534 		    sctp->sctp_ftsn - 1, sctp->sctp_sack_gaps));
1535 	}
1536 
1537 #ifdef	DEBUG
1538 	if (sctp->sctp_sack_info != NULL) {
1539 		ASSERT(sctp->sctp_ftsn != sctp->sctp_sack_info->begin);
1540 	}
1541 #endif
1542 
1543 #undef	SCTP_ACK_IT
1544 }
1545 
1546 void
1547 sctp_fill_sack(sctp_t *sctp, unsigned char *dst, int sacklen)
1548 {
1549 	sctp_chunk_hdr_t *sch;
1550 	sctp_sack_chunk_t *sc;
1551 	sctp_sack_frag_t *sf;
1552 	uint16_t num_gaps = sctp->sctp_sack_gaps;
1553 	sctp_set_t *sp;
1554 
1555 	/* Chunk hdr */
1556 	sch = (sctp_chunk_hdr_t *)dst;
1557 	sch->sch_id = CHUNK_SACK;
1558 	sch->sch_flags = 0;
1559 	sch->sch_len = htons(sacklen);
1560 
1561 	/* SACK chunk */
1562 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1563 
1564 	sc = (sctp_sack_chunk_t *)(sch + 1);
1565 	sc->ssc_cumtsn = htonl(sctp->sctp_lastacked);
1566 	if (sctp->sctp_rxqueued < sctp->sctp_rwnd) {
1567 		sc->ssc_a_rwnd = htonl(sctp->sctp_rwnd - sctp->sctp_rxqueued);
1568 	} else {
1569 		sc->ssc_a_rwnd = 0;
1570 	}
1571 	sc->ssc_numfrags = htons(num_gaps);
1572 	sc->ssc_numdups = 0;
1573 
1574 	/* lay in gap reports */
1575 	sf = (sctp_sack_frag_t *)(sc + 1);
1576 	for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1577 		uint16_t offset;
1578 
1579 		/* start */
1580 		if (sp->begin > sctp->sctp_lastacked) {
1581 			offset = (uint16_t)(sp->begin - sctp->sctp_lastacked);
1582 		} else {
1583 			/* sequence number wrap */
1584 			offset = (uint16_t)(UINT32_MAX - sctp->sctp_lastacked +
1585 			    sp->begin);
1586 		}
1587 		sf->ssf_start = htons(offset);
1588 
1589 		/* end */
1590 		if (sp->end >= sp->begin) {
1591 			offset += (uint16_t)(sp->end - sp->begin);
1592 		} else {
1593 			/* sequence number wrap */
1594 			offset += (uint16_t)(UINT32_MAX - sp->begin + sp->end);
1595 		}
1596 		sf->ssf_end = htons(offset);
1597 
1598 		sf++;
1599 		/* This is just for debugging (a la the following assertion) */
1600 		num_gaps--;
1601 	}
1602 
1603 	ASSERT(num_gaps == 0);
1604 
1605 	/* If the SACK timer is running, stop it */
1606 	if (sctp->sctp_ack_timer_running) {
1607 		sctp_timer_stop(sctp->sctp_ack_mp);
1608 		sctp->sctp_ack_timer_running = B_FALSE;
1609 	}
1610 
1611 	BUMP_LOCAL(sctp->sctp_obchunks);
1612 }
1613 
1614 mblk_t *
1615 sctp_make_sack(sctp_t *sctp, sctp_faddr_t *sendto, mblk_t *dups)
1616 {
1617 	mblk_t *smp;
1618 	size_t slen;
1619 	sctp_chunk_hdr_t *sch;
1620 	sctp_sack_chunk_t *sc;
1621 
1622 	if (sctp->sctp_force_sack) {
1623 		sctp->sctp_force_sack = 0;
1624 		goto checks_done;
1625 	}
1626 
1627 	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
1628 		if (sctp->sctp_sack_toggle < 2) {
1629 			/* no need to SACK right now */
1630 			dprint(2, ("sctp_make_sack: %p no sack (toggle)\n",
1631 			    (void *)sctp));
1632 			return (NULL);
1633 		} else if (sctp->sctp_sack_toggle >= 2) {
1634 			sctp->sctp_sack_toggle = 0;
1635 		}
1636 	}
1637 
1638 	if (sctp->sctp_ftsn == sctp->sctp_lastacked + 1) {
1639 		dprint(2, ("sctp_make_sack: %p no sack (already)\n",
1640 		    (void *)sctp));
1641 		return (NULL);
1642 	}
1643 
1644 checks_done:
1645 	dprint(2, ("sctp_make_sack: acking %x\n", sctp->sctp_ftsn - 1));
1646 
1647 	slen = sizeof (*sch) + sizeof (*sc) +
1648 	    (sizeof (sctp_sack_frag_t) * sctp->sctp_sack_gaps);
1649 	smp = sctp_make_mp(sctp, sendto, slen);
1650 	if (smp == NULL) {
1651 		return (NULL);
1652 	}
1653 	sch = (sctp_chunk_hdr_t *)smp->b_wptr;
1654 
1655 	sctp_fill_sack(sctp, smp->b_wptr, slen);
1656 	smp->b_wptr += slen;
1657 	if (dups) {
1658 		sc = (sctp_sack_chunk_t *)(sch + 1);
1659 		sc->ssc_numdups = htons((dups->b_wptr - dups->b_rptr)
1660 		    / sizeof (uint32_t));
1661 		sch->sch_len = htons(slen + (dups->b_wptr - dups->b_rptr));
1662 		smp->b_cont = dups;
1663 	}
1664 
1665 	return (smp);
1666 }
1667 
1668 void
1669 sctp_sack(sctp_t *sctp, mblk_t *dups)
1670 {
1671 	mblk_t *smp;
1672 
1673 	/* If we are shutting down, let send_shutdown() bundle the SACK */
1674 	if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
1675 		sctp_send_shutdown(sctp, 0);
1676 	}
1677 
1678 	ASSERT(sctp->sctp_lastdata != NULL);
1679 
1680 	if ((smp = sctp_make_sack(sctp, sctp->sctp_lastdata, dups)) == NULL) {
1681 		/* The caller of sctp_sack() will not free the dups mblk. */
1682 		if (dups != NULL)
1683 			freeb(dups);
1684 		return;
1685 	}
1686 
1687 	sctp_set_iplen(sctp, smp);
1688 
1689 	dprint(2, ("sctp_sack: sending to %p %x:%x:%x:%x\n",
1690 	    (void *)sctp->sctp_lastdata,
1691 	    SCTP_PRINTADDR(sctp->sctp_lastdata->faddr)));
1692 
1693 	sctp->sctp_active = lbolt64;
1694 
1695 	BUMP_MIB(&sctp_mib, sctpOutAck);
1696 	sctp_add_sendq(sctp, smp);
1697 }
1698 
1699 /*
1700  * This is called if we have a message that was partially sent and is
1701  * abandoned. The cum TSN will be the last chunk sent for this message,
1702  * subsequent chunks will be marked ABANDONED. We send a Forward TSN
1703  * chunk in this case with the TSN of the last sent chunk so that the
1704  * peer can clean up its fragment list for this message. This message
1705  * will be removed from the transmit list when the peer sends a SACK
1706  * back.
1707  */
1708 int
1709 sctp_check_abandoned_msg(sctp_t *sctp, mblk_t *meta)
1710 {
1711 	sctp_data_hdr_t	*dh;
1712 	mblk_t		*nmp;
1713 	mblk_t		*head;
1714 	int32_t		unsent = 0;
1715 	mblk_t		*mp1 = meta->b_cont;
1716 	uint32_t	adv_pap = sctp->sctp_adv_pap;
1717 	sctp_faddr_t	*fp = sctp->sctp_current;
1718 
1719 	dh = (sctp_data_hdr_t *)mp1->b_rptr;
1720 	if (SEQ_GEQ(sctp->sctp_lastack_rxd, ntohl(dh->sdh_tsn))) {
1721 		sctp_ftsn_set_t	*sets = NULL;
1722 		uint_t		nsets = 0;
1723 		uint32_t	seglen = sizeof (uint32_t);
1724 		boolean_t	ubit = SCTP_DATA_GET_UBIT(dh);
1725 
1726 		while (mp1->b_next != NULL && SCTP_CHUNK_ISSENT(mp1->b_next))
1727 			mp1 = mp1->b_next;
1728 		dh = (sctp_data_hdr_t *)mp1->b_rptr;
1729 		sctp->sctp_adv_pap = ntohl(dh->sdh_tsn);
1730 		if (!ubit &&
1731 		    !sctp_add_ftsn_set(&sets, fp, meta, &nsets, &seglen)) {
1732 			sctp->sctp_adv_pap = adv_pap;
1733 			return (ENOMEM);
1734 		}
1735 		nmp = sctp_make_ftsn_chunk(sctp, fp, sets, nsets, seglen);
1736 		sctp_free_ftsn_set(sets);
1737 		if (nmp == NULL) {
1738 			sctp->sctp_adv_pap = adv_pap;
1739 			return (ENOMEM);
1740 		}
1741 		head = sctp_add_proto_hdr(sctp, fp, nmp, 0, NULL);
1742 		if (head == NULL) {
1743 			sctp->sctp_adv_pap = adv_pap;
1744 			freemsg(nmp);
1745 			return (ENOMEM);
1746 		}
1747 		SCTP_MSG_SET_ABANDONED(meta);
1748 		sctp_set_iplen(sctp, head);
1749 		sctp_add_sendq(sctp, head);
1750 		if (!fp->timer_running)
1751 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1752 		mp1 = mp1->b_next;
1753 		while (mp1 != NULL) {
1754 			ASSERT(!SCTP_CHUNK_ISSENT(mp1));
1755 			ASSERT(!SCTP_CHUNK_ABANDONED(mp1));
1756 			SCTP_ABANDON_CHUNK(mp1);
1757 			dh = (sctp_data_hdr_t *)mp1->b_rptr;
1758 			unsent += ntohs(dh->sdh_len) - sizeof (*dh);
1759 			mp1 = mp1->b_next;
1760 		}
1761 		ASSERT(sctp->sctp_unsent >= unsent);
1762 		sctp->sctp_unsent -= unsent;
1763 		/*
1764 		 * Update ULP the amount of queued data, which is
1765 		 * sent-unack'ed + unsent.
1766 		 */
1767 		if (!SCTP_IS_DETACHED(sctp)) {
1768 			sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
1769 			    sctp->sctp_unacked + sctp->sctp_unsent);
1770 		}
1771 		return (0);
1772 	}
1773 	return (-1);
1774 }
1775 
1776 uint32_t
1777 sctp_cumack(sctp_t *sctp, uint32_t tsn, mblk_t **first_unacked)
1778 {
1779 	mblk_t *ump, *nump, *mp = NULL;
1780 	uint16_t chunklen;
1781 	uint32_t xtsn;
1782 	sctp_faddr_t *fp;
1783 	sctp_data_hdr_t *sdc;
1784 	uint32_t cumack_forward = 0;
1785 	sctp_msg_hdr_t	*mhdr;
1786 
1787 	ump = sctp->sctp_xmit_head;
1788 
1789 	/*
1790 	 * Free messages only when they're completely acked.
1791 	 */
1792 	while (ump != NULL) {
1793 		mhdr = (sctp_msg_hdr_t *)ump->b_rptr;
1794 		for (mp = ump->b_cont; mp != NULL; mp = mp->b_next) {
1795 			if (SCTP_CHUNK_ABANDONED(mp)) {
1796 				ASSERT(SCTP_IS_MSG_ABANDONED(ump));
1797 				mp = NULL;
1798 				break;
1799 			}
1800 			/*
1801 			 * We check for abandoned message if we are PR-SCTP
1802 			 * aware, if this is not the first chunk in the
1803 			 * message (b_cont) and if the message is marked
1804 			 * abandoned.
1805 			 */
1806 			if (!SCTP_CHUNK_ISSENT(mp)) {
1807 				if (sctp->sctp_prsctp_aware &&
1808 				    mp != ump->b_cont &&
1809 				    (SCTP_IS_MSG_ABANDONED(ump) ||
1810 				    SCTP_MSG_TO_BE_ABANDONED(ump, mhdr,
1811 				    sctp))) {
1812 					(void) sctp_check_abandoned_msg(sctp,
1813 					    ump);
1814 				}
1815 				goto cum_ack_done;
1816 			}
1817 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
1818 			xtsn = ntohl(sdc->sdh_tsn);
1819 			if (SEQ_GEQ(sctp->sctp_lastack_rxd, xtsn))
1820 				continue;
1821 			if (SEQ_GEQ(tsn, xtsn)) {
1822 				fp = SCTP_CHUNK_DEST(mp);
1823 				chunklen = ntohs(sdc->sdh_len);
1824 
1825 				if (sctp->sctp_out_time != 0 &&
1826 				    xtsn == sctp->sctp_rtt_tsn) {
1827 					/* Got a new RTT measurement */
1828 					sctp_update_rtt(sctp, fp,
1829 					    lbolt64 - sctp->sctp_out_time);
1830 					sctp->sctp_out_time = 0;
1831 				}
1832 				if (SCTP_CHUNK_ISACKED(mp))
1833 					continue;
1834 				SCTP_CHUNK_ACKED(mp);
1835 				ASSERT(fp->suna >= chunklen);
1836 				fp->suna -= chunklen;
1837 				fp->acked += chunklen;
1838 				cumack_forward += chunklen;
1839 				ASSERT(sctp->sctp_unacked >=
1840 				    (chunklen - sizeof (*sdc)));
1841 				sctp->sctp_unacked -=
1842 				    (chunklen - sizeof (*sdc));
1843 				if (fp->suna == 0) {
1844 					/* all outstanding data acked */
1845 					fp->pba = 0;
1846 					SCTP_FADDR_TIMER_STOP(fp);
1847 				} else {
1848 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
1849 					    fp->rto);
1850 				}
1851 			} else {
1852 				goto cum_ack_done;
1853 			}
1854 		}
1855 		nump = ump->b_next;
1856 		if (nump != NULL)
1857 			nump->b_prev = NULL;
1858 		if (ump == sctp->sctp_xmit_tail)
1859 			sctp->sctp_xmit_tail = nump;
1860 		if (SCTP_IS_MSG_ABANDONED(ump)) {
1861 			BUMP_LOCAL(sctp->sctp_prsctpdrop);
1862 			ump->b_next = NULL;
1863 			sctp_sendfail_event(sctp, ump, 0, B_TRUE);
1864 		} else {
1865 			sctp_free_msg(ump);
1866 		}
1867 		sctp->sctp_xmit_head = ump = nump;
1868 	}
1869 cum_ack_done:
1870 	*first_unacked = mp;
1871 	if (cumack_forward > 0) {
1872 		BUMP_MIB(&sctp_mib, sctpInAck);
1873 		if (SEQ_GT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn)) {
1874 			sctp->sctp_recovery_tsn = sctp->sctp_lastack_rxd;
1875 		}
1876 
1877 		/*
1878 		 * Update ULP the amount of queued data, which is
1879 		 * sent-unack'ed + unsent.
1880 		 */
1881 		if (!SCTP_IS_DETACHED(sctp)) {
1882 			sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
1883 			    sctp->sctp_unacked + sctp->sctp_unsent);
1884 		}
1885 
1886 		/* Time to send a shutdown? */
1887 		if (sctp->sctp_state == SCTPS_SHUTDOWN_PENDING) {
1888 			sctp_send_shutdown(sctp, 0);
1889 		}
1890 		sctp->sctp_xmit_unacked = mp;
1891 	} else {
1892 		/* dup ack */
1893 		BUMP_MIB(&sctp_mib, sctpInDupAck);
1894 	}
1895 	sctp->sctp_lastack_rxd = tsn;
1896 	if (SEQ_LT(sctp->sctp_adv_pap, sctp->sctp_lastack_rxd))
1897 		sctp->sctp_adv_pap = sctp->sctp_lastack_rxd;
1898 	ASSERT(sctp->sctp_xmit_head || sctp->sctp_unacked == 0);
1899 
1900 	return (cumack_forward);
1901 }
1902 
1903 static int
1904 sctp_set_frwnd(sctp_t *sctp, uint32_t frwnd)
1905 {
1906 	uint32_t orwnd;
1907 
1908 	if (sctp->sctp_unacked > frwnd) {
1909 		sctp->sctp_frwnd = 0;
1910 		return (0);
1911 	}
1912 	orwnd = sctp->sctp_frwnd;
1913 	sctp->sctp_frwnd = frwnd - sctp->sctp_unacked;
1914 	if (orwnd < sctp->sctp_frwnd) {
1915 		return (1);
1916 	} else {
1917 		return (0);
1918 	}
1919 }
1920 
1921 /*
1922  * For un-ordered messages.
1923  * Walk the sctp->sctp_uo_frag list and remove any fragments with TSN
1924  * less than/equal to ftsn. Fragments for un-ordered messages are
1925  * strictly in sequence (w.r.t TSN).
1926  */
1927 static int
1928 sctp_ftsn_check_uo_frag(sctp_t *sctp, uint32_t ftsn)
1929 {
1930 	mblk_t		*hmp;
1931 	mblk_t		*hmp_next;
1932 	sctp_data_hdr_t	*dc;
1933 	int		dlen = 0;
1934 
1935 	hmp = sctp->sctp_uo_frags;
1936 	while (hmp != NULL) {
1937 		hmp_next = hmp->b_next;
1938 		dc = (sctp_data_hdr_t *)hmp->b_rptr;
1939 		if (SEQ_GT(ntohl(dc->sdh_tsn), ftsn))
1940 			return (dlen);
1941 		sctp->sctp_uo_frags = hmp_next;
1942 		if (hmp_next != NULL)
1943 			hmp_next->b_prev = NULL;
1944 		hmp->b_next = NULL;
1945 		dlen += ntohs(dc->sdh_len) - sizeof (*dc);
1946 		freeb(hmp);
1947 		hmp = hmp_next;
1948 	}
1949 	return (dlen);
1950 }
1951 
1952 /*
1953  * For ordered messages.
1954  * Check for existing fragments for an sid-ssn pair reported as abandoned,
1955  * hence will not receive, in the Forward TSN. If there are fragments, then
1956  * we just nuke them. If and when Partial Delivery API is supported, we
1957  * would need to send a notification to the upper layer about this.
1958  */
1959 static int
1960 sctp_ftsn_check_frag(sctp_t *sctp, uint16_t ssn, sctp_instr_t *sip)
1961 {
1962 	sctp_reass_t	*srp;
1963 	mblk_t		*hmp;
1964 	mblk_t		*dmp;
1965 	mblk_t		*hmp_next;
1966 	sctp_data_hdr_t	*dc;
1967 	int		dlen = 0;
1968 
1969 	hmp = sip->istr_reass;
1970 	while (hmp != NULL) {
1971 		hmp_next = hmp->b_next;
1972 		srp = (sctp_reass_t *)DB_BASE(hmp);
1973 		if (SSN_GT(srp->ssn, ssn))
1974 			return (dlen);
1975 		/*
1976 		 * If we had sent part of this message up, send a partial
1977 		 * delivery event. Since this is ordered delivery, we should
1978 		 * have sent partial message only for the next in sequence,
1979 		 * hence the ASSERT. See comments in sctp_data_chunk() for
1980 		 * trypartial.
1981 		 */
1982 		if (srp->partial_delivered) {
1983 			ASSERT(sip->nextseq == srp->ssn);
1984 			sctp_partial_delivery_event(sctp);
1985 		}
1986 		/* Take it out of the reass queue */
1987 		sip->istr_reass = hmp_next;
1988 		if (hmp_next != NULL)
1989 			hmp_next->b_prev = NULL;
1990 		hmp->b_next = NULL;
1991 		ASSERT(hmp->b_prev == NULL);
1992 		dmp = hmp;
1993 		if (DB_TYPE(hmp) == M_CTL) {
1994 			dmp = hmp->b_cont;
1995 			hmp->b_cont = NULL;
1996 			freeb(hmp);
1997 			hmp = dmp;
1998 		}
1999 		while (dmp != NULL) {
2000 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2001 			dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2002 			dmp = dmp->b_cont;
2003 		}
2004 		freemsg(hmp);
2005 		hmp = hmp_next;
2006 	}
2007 	return (dlen);
2008 }
2009 
2010 /*
2011  * Update sctp_ftsn to the cumulative TSN from the Forward TSN chunk. Remove
2012  * any SACK gaps less than the newly updated sctp_ftsn. Walk through the
2013  * sid-ssn pair in the Forward TSN and for each, clean the fragment list
2014  * for this pair, if needed, and check if we can deliver subsequent
2015  * messages, if any, from the instream queue (that were waiting for this
2016  * sid-ssn message to show up). Once we are done try to update the SACK
2017  * info. We could get a duplicate Forward TSN, in which case just send
2018  * a SACK. If any of the sid values in the the Forward TSN is invalid,
2019  * send back an "Invalid Stream Identifier" error and continue processing
2020  * the rest.
2021  */
2022 static void
2023 sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
2024     ip6_pkt_t *ipp)
2025 {
2026 	uint32_t	*ftsn = (uint32_t *)(ch + 1);
2027 	ftsn_entry_t	*ftsn_entry;
2028 	sctp_instr_t	*instr;
2029 	boolean_t	can_deliver = B_TRUE;
2030 	size_t		dlen;
2031 	int		flen;
2032 	mblk_t		*dmp;
2033 	mblk_t		*pmp;
2034 	sctp_data_hdr_t	*dc;
2035 	ssize_t		remaining;
2036 
2037 	*ftsn = ntohl(*ftsn);
2038 	remaining =  ntohs(ch->sch_len) - sizeof (*ch) - sizeof (*ftsn);
2039 
2040 	if (SCTP_IS_DETACHED(sctp)) {
2041 		BUMP_MIB(&sctp_mib, sctpInClosed);
2042 		can_deliver = B_FALSE;
2043 	}
2044 	/*
2045 	 * un-ordered messages don't have SID-SSN pair entries, we check
2046 	 * for any fragments (for un-ordered message) to be discarded using
2047 	 * the cumulative FTSN.
2048 	 */
2049 	flen = sctp_ftsn_check_uo_frag(sctp, *ftsn);
2050 	if (flen > 0) {
2051 		ASSERT(sctp->sctp_rxqueued >= flen);
2052 		sctp->sctp_rxqueued -= flen;
2053 	}
2054 	ftsn_entry = (ftsn_entry_t *)(ftsn + 1);
2055 	while (remaining >= sizeof (*ftsn_entry)) {
2056 		ftsn_entry->ftsn_sid = ntohs(ftsn_entry->ftsn_sid);
2057 		ftsn_entry->ftsn_ssn = ntohs(ftsn_entry->ftsn_ssn);
2058 		if (ftsn_entry->ftsn_sid >= sctp->sctp_num_istr) {
2059 			uint16_t	inval_parm[2];
2060 			mblk_t		*errmp;
2061 
2062 			inval_parm[0] = htons(ftsn_entry->ftsn_sid);
2063 			/* RESERVED to be ignored at the receiving end */
2064 			inval_parm[1] = 0;
2065 			errmp = sctp_make_err(sctp, SCTP_ERR_BAD_SID,
2066 			    (char *)inval_parm, sizeof (inval_parm));
2067 			if (errmp != NULL)
2068 				sctp_send_err(sctp, errmp, NULL);
2069 			ftsn_entry++;
2070 			remaining -= sizeof (*ftsn_entry);
2071 			continue;
2072 		}
2073 		instr = &sctp->sctp_instr[ftsn_entry->ftsn_sid];
2074 		flen = sctp_ftsn_check_frag(sctp, ftsn_entry->ftsn_ssn, instr);
2075 		/* Indicates frags were nuked, update rxqueued */
2076 		if (flen > 0) {
2077 			ASSERT(sctp->sctp_rxqueued >= flen);
2078 			sctp->sctp_rxqueued -= flen;
2079 		}
2080 		/*
2081 		 * It is possible to receive an FTSN chunk with SSN smaller
2082 		 * than then nextseq if this chunk is a retransmission because
2083 		 * of incomplete processing when it was first processed.
2084 		 */
2085 		if (SSN_GE(ftsn_entry->ftsn_ssn, instr->nextseq))
2086 			instr->nextseq = ftsn_entry->ftsn_ssn + 1;
2087 		while (instr->istr_nmsgs > 0) {
2088 			mblk_t	*next;
2089 
2090 			dmp = (mblk_t *)instr->istr_msgs;
2091 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2092 			if (ntohs(dc->sdh_ssn) != instr->nextseq)
2093 				break;
2094 
2095 			next = dmp->b_next;
2096 			dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
2097 			for (pmp = dmp->b_cont; pmp != NULL;
2098 			    pmp = pmp->b_cont) {
2099 				dlen += pmp->b_wptr - pmp->b_rptr;
2100 			}
2101 			if (can_deliver) {
2102 				int32_t	nrwnd;
2103 
2104 				dmp->b_rptr = (uchar_t *)(dc + 1);
2105 				dmp->b_next = NULL;
2106 				ASSERT(dmp->b_prev == NULL);
2107 				if (sctp_input_add_ancillary(sctp,
2108 				    &dmp, dc, fp, ipp) == 0) {
2109 					sctp->sctp_rxqueued -= dlen;
2110 					sctp->sctp_rwnd -= dlen;
2111 					nrwnd = sctp->sctp_ulp_recv(
2112 					    sctp->sctp_ulpd, dmp, 0);
2113 					if (nrwnd > sctp->sctp_rwnd)
2114 						sctp->sctp_rwnd = nrwnd;
2115 				} else {
2116 					/*
2117 					 * We will resume processing when
2118 					 * the FTSN chunk is re-xmitted.
2119 					 */
2120 					dmp->b_rptr = (uchar_t *)dc;
2121 					dmp->b_next = next;
2122 					dprint(0,
2123 					    ("FTSN dequeuing %u failed\n",
2124 					    ntohs(dc->sdh_ssn)));
2125 					return;
2126 				}
2127 			} else {
2128 				sctp->sctp_rxqueued -= dlen;
2129 				ASSERT(dmp->b_prev == NULL);
2130 				dmp->b_next = NULL;
2131 				freemsg(dmp);
2132 			}
2133 			instr->istr_nmsgs--;
2134 			instr->nextseq++;
2135 			sctp->sctp_istr_nmsgs--;
2136 			if (next != NULL)
2137 				next->b_prev = NULL;
2138 			instr->istr_msgs = next;
2139 		}
2140 		ftsn_entry++;
2141 		remaining -= sizeof (*ftsn_entry);
2142 	}
2143 	/* Duplicate FTSN */
2144 	if (*ftsn <= (sctp->sctp_ftsn - 1)) {
2145 		sctp->sctp_force_sack = 1;
2146 		return;
2147 	}
2148 	/* Advance cum TSN to that reported in the Forward TSN chunk */
2149 	sctp->sctp_ftsn = *ftsn + 1;
2150 
2151 	/* Remove all the SACK gaps before the new cum TSN */
2152 	if (sctp->sctp_sack_info != NULL) {
2153 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2154 		    &sctp->sctp_sack_gaps);
2155 	}
2156 	/*
2157 	 * If there are gap reports pending, check if advancing
2158 	 * the ftsn here closes a gap. If so, we can advance
2159 	 * ftsn to the end of the set.
2160 	 * If ftsn has moved forward, maybe we can remove gap reports.
2161 	 */
2162 	if (sctp->sctp_sack_info != NULL &&
2163 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
2164 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
2165 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2166 		    &sctp->sctp_sack_gaps);
2167 	}
2168 }
2169 
2170 /*
2171  * When we have processed a SACK we check to see if we can advance the
2172  * cumulative TSN if there are abandoned chunks immediately following
2173  * the updated cumulative TSN. If there are, we attempt to send a
2174  * Forward TSN chunk.
2175  */
2176 static void
2177 sctp_check_abandoned_data(sctp_t *sctp, sctp_faddr_t *fp)
2178 {
2179 	mblk_t		*meta = sctp->sctp_xmit_head;
2180 	mblk_t		*mp;
2181 	mblk_t		*nmp;
2182 	uint32_t	seglen;
2183 	uint32_t	adv_pap = sctp->sctp_adv_pap;
2184 
2185 	/*
2186 	 * We only check in the first meta since otherwise we can't
2187 	 * advance the cumulative ack point. We just look for chunks
2188 	 * marked for retransmission, else we might prematurely
2189 	 * send an FTSN for a sent, but unacked, chunk.
2190 	 */
2191 	for (mp = meta->b_cont; mp != NULL; mp = mp->b_next) {
2192 		if (!SCTP_CHUNK_ISSENT(mp))
2193 			return;
2194 		if (SCTP_CHUNK_WANT_REXMIT(mp))
2195 			break;
2196 	}
2197 	if (mp == NULL)
2198 		return;
2199 	sctp_check_adv_ack_pt(sctp, meta, mp);
2200 	if (SEQ_GT(sctp->sctp_adv_pap, adv_pap)) {
2201 		sctp_make_ftsns(sctp, meta, mp, &nmp, fp, &seglen);
2202 		if (nmp == NULL) {
2203 			sctp->sctp_adv_pap = adv_pap;
2204 			if (!fp->timer_running)
2205 				SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2206 			return;
2207 		}
2208 		sctp_set_iplen(sctp, nmp);
2209 		sctp_add_sendq(sctp, nmp);
2210 		if (!fp->timer_running)
2211 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2212 	}
2213 }
2214 
2215 /*
2216  * The processing here follows the same logic in sctp_got_sack(), the reason
2217  * we do this separately is because, usually, gap blocks are ordered and
2218  * we can process it in sctp_got_sack(). However if they aren't we would
2219  * need to do some additional non-optimal stuff when we start processing the
2220  * unordered gaps. To that effect sctp_got_sack() does the processing in the
2221  * simple case and this does the same in the more involved case.
2222  */
2223 static uint32_t
2224 sctp_process_uo_gaps(sctp_t *sctp, uint32_t ctsn, sctp_sack_frag_t *ssf,
2225     int num_gaps, mblk_t *umphead, mblk_t *mphead, int *trysend,
2226     boolean_t *fast_recovery, uint32_t fr_xtsn)
2227 {
2228 	uint32_t		xtsn;
2229 	uint32_t		gapstart = 0;
2230 	uint32_t		gapend = 0;
2231 	int			gapcnt;
2232 	uint16_t		chunklen;
2233 	sctp_data_hdr_t		*sdc;
2234 	int			gstart;
2235 	mblk_t			*ump = umphead;
2236 	mblk_t			*mp = mphead;
2237 	sctp_faddr_t		*fp;
2238 	uint32_t		acked = 0;
2239 
2240 	/*
2241 	 * gstart tracks the last (in the order of TSN) gapstart that
2242 	 * we process in this SACK gaps walk.
2243 	 */
2244 	gstart = ctsn;
2245 
2246 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2247 	xtsn = ntohl(sdc->sdh_tsn);
2248 	for (gapcnt = 0; gapcnt < num_gaps; gapcnt++, ssf++) {
2249 		if (gapstart != 0) {
2250 			/*
2251 			 * If we have reached the end of the transmit list or
2252 			 * hit an unsent chunk or encountered an unordered gap
2253 			 * block start from the ctsn again.
2254 			 */
2255 			if (ump == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2256 			    SEQ_LT(ctsn + ntohs(ssf->ssf_start), xtsn)) {
2257 				ump = umphead;
2258 				mp = mphead;
2259 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2260 				xtsn = ntohl(sdc->sdh_tsn);
2261 			}
2262 		}
2263 
2264 		gapstart = ctsn + ntohs(ssf->ssf_start);
2265 		gapend = ctsn + ntohs(ssf->ssf_end);
2266 
2267 		/* SACK for TSN we have not sent - ABORT */
2268 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2269 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2270 			BUMP_MIB(&sctp_mib, sctpInAckUnsent);
2271 			*trysend = -1;
2272 			return (acked);
2273 		} else if (SEQ_LT(gapend, gapstart)) {
2274 			break;
2275 		}
2276 		/*
2277 		 * The xtsn can be the TSN processed for the last gap
2278 		 * (gapend) or it could be the cumulative TSN. We continue
2279 		 * with the last xtsn as long as the gaps are ordered, when
2280 		 * we hit an unordered gap, we re-start from the cumulative
2281 		 * TSN. For the first gap it is always the cumulative TSN.
2282 		 */
2283 		while (xtsn != gapstart) {
2284 			/*
2285 			 * We can't reliably check for reneged chunks
2286 			 * when walking the unordered list, so we don't.
2287 			 * In case the peer reneges then we will end up
2288 			 * sending the reneged chunk via timeout.
2289 			 */
2290 			mp = mp->b_next;
2291 			if (mp == NULL) {
2292 				ump = ump->b_next;
2293 				/*
2294 				 * ump can't be NULL because of the sanity
2295 				 * check above.
2296 				 */
2297 				ASSERT(ump != NULL);
2298 				mp = ump->b_cont;
2299 			}
2300 			/*
2301 			 * mp can't be unsent because of the sanity check
2302 			 * above.
2303 			 */
2304 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2305 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2306 			xtsn = ntohl(sdc->sdh_tsn);
2307 		}
2308 		/*
2309 		 * Now that we have found the chunk with TSN == 'gapstart',
2310 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2311 		 * All intermediate chunks will be marked ACKED, if they
2312 		 * haven't already been.
2313 		 */
2314 		while (SEQ_LEQ(xtsn, gapend)) {
2315 			/*
2316 			 * SACKed
2317 			 */
2318 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2319 			if (!SCTP_CHUNK_ISACKED(mp)) {
2320 				SCTP_CHUNK_ACKED(mp);
2321 
2322 				fp = SCTP_CHUNK_DEST(mp);
2323 				chunklen = ntohs(sdc->sdh_len);
2324 				ASSERT(fp->suna >= chunklen);
2325 				fp->suna -= chunklen;
2326 				if (fp->suna == 0) {
2327 					/* All outstanding data acked. */
2328 					fp->pba = 0;
2329 					SCTP_FADDR_TIMER_STOP(fp);
2330 				}
2331 				fp->acked += chunklen;
2332 				acked += chunklen;
2333 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2334 				ASSERT(sctp->sctp_unacked >= 0);
2335 			}
2336 			/*
2337 			 * Move to the next message in the transmit list
2338 			 * if we are done with all the chunks from the current
2339 			 * message. Note, it is possible to hit the end of the
2340 			 * transmit list here, i.e. if we have already completed
2341 			 * processing the gap block.
2342 			 */
2343 			mp = mp->b_next;
2344 			if (mp == NULL) {
2345 				ump = ump->b_next;
2346 				if (ump == NULL) {
2347 					ASSERT(xtsn == gapend);
2348 					break;
2349 				}
2350 				mp = ump->b_cont;
2351 			}
2352 			/*
2353 			 * Likewise, we can hit an unsent chunk once we have
2354 			 * completed processing the gap block.
2355 			 */
2356 			if (!SCTP_CHUNK_ISSENT(mp)) {
2357 				ASSERT(xtsn == gapend);
2358 				break;
2359 			}
2360 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2361 			xtsn = ntohl(sdc->sdh_tsn);
2362 		}
2363 		/*
2364 		 * We keep track of the last gap we successfully processed
2365 		 * so that we can terminate the walk below for incrementing
2366 		 * the SACK count.
2367 		 */
2368 		if (SEQ_LT(gstart, gapstart))
2369 			gstart = gapstart;
2370 	}
2371 	/*
2372 	 * Check if have incremented the SACK count for all unacked TSNs in
2373 	 * sctp_got_sack(), if so we are done.
2374 	 */
2375 	if (SEQ_LEQ(gstart, fr_xtsn))
2376 		return (acked);
2377 
2378 	ump = umphead;
2379 	mp = mphead;
2380 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2381 	xtsn = ntohl(sdc->sdh_tsn);
2382 	while (SEQ_LT(xtsn, gstart)) {
2383 		/*
2384 		 * We have incremented SACK count for TSNs less than fr_tsn
2385 		 * in sctp_got_sack(), so don't increment them again here.
2386 		 */
2387 		if (SEQ_GT(xtsn, fr_xtsn) && !SCTP_CHUNK_ISACKED(mp)) {
2388 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2389 			if (SCTP_CHUNK_SACKCNT(mp) == sctp_fast_rxt_thresh) {
2390 				SCTP_CHUNK_REXMIT(mp);
2391 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2392 				*trysend = 1;
2393 				if (!*fast_recovery) {
2394 					/*
2395 					 * Entering fast recovery.
2396 					 */
2397 					fp = SCTP_CHUNK_DEST(mp);
2398 					fp->ssthresh = fp->cwnd / 2;
2399 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2400 						fp->ssthresh =
2401 						    2 * fp->sfa_pmss;
2402 					}
2403 					fp->cwnd = fp->ssthresh;
2404 					fp->pba = 0;
2405 					sctp->sctp_recovery_tsn =
2406 					    sctp->sctp_ltsn - 1;
2407 					*fast_recovery = B_TRUE;
2408 				}
2409 			}
2410 		}
2411 		mp = mp->b_next;
2412 		if (mp == NULL) {
2413 			ump = ump->b_next;
2414 			/* We can't get to the end of the transmit list here */
2415 			ASSERT(ump != NULL);
2416 			mp = ump->b_cont;
2417 		}
2418 		/* We can't hit an unsent chunk here */
2419 		ASSERT(SCTP_CHUNK_ISSENT(mp));
2420 		sdc = (sctp_data_hdr_t *)mp->b_rptr;
2421 		xtsn = ntohl(sdc->sdh_tsn);
2422 	}
2423 	return (acked);
2424 }
2425 
2426 static int
2427 sctp_got_sack(sctp_t *sctp, sctp_chunk_hdr_t *sch)
2428 {
2429 	sctp_sack_chunk_t	*sc;
2430 	sctp_data_hdr_t		*sdc;
2431 	sctp_sack_frag_t	*ssf;
2432 	mblk_t			*ump;
2433 	mblk_t			*mp;
2434 	mblk_t			*mp1;
2435 	uint32_t		cumtsn;
2436 	uint32_t		xtsn;
2437 	uint32_t		gapstart = 0;
2438 	uint32_t		gapend = 0;
2439 	uint32_t		acked = 0;
2440 	uint16_t		chunklen;
2441 	sctp_faddr_t		*fp;
2442 	int			num_gaps;
2443 	int			trysend = 0;
2444 	int			i;
2445 	boolean_t		fast_recovery = B_FALSE;
2446 	boolean_t		cumack_forward = B_FALSE;
2447 	boolean_t		fwd_tsn = B_FALSE;
2448 
2449 	BUMP_LOCAL(sctp->sctp_ibchunks);
2450 	chunklen = ntohs(sch->sch_len);
2451 	if (chunklen < (sizeof (*sch) + sizeof (*sc)))
2452 		return (0);
2453 
2454 	sc = (sctp_sack_chunk_t *)(sch + 1);
2455 	cumtsn = ntohl(sc->ssc_cumtsn);
2456 
2457 	dprint(2, ("got sack cumtsn %x -> %x\n", sctp->sctp_lastack_rxd,
2458 	    cumtsn));
2459 
2460 	/* out of order */
2461 	if (SEQ_LT(cumtsn, sctp->sctp_lastack_rxd))
2462 		return (0);
2463 
2464 	if (SEQ_GT(cumtsn, sctp->sctp_ltsn - 1)) {
2465 		BUMP_MIB(&sctp_mib, sctpInAckUnsent);
2466 		/* Send an ABORT */
2467 		return (-1);
2468 	}
2469 
2470 	/*
2471 	 * Cwnd only done when not in fast recovery mode.
2472 	 */
2473 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn))
2474 		fast_recovery = B_TRUE;
2475 
2476 	/*
2477 	 * .. and if the cum TSN is not moving ahead on account Forward TSN
2478 	 */
2479 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_adv_pap))
2480 		fwd_tsn = B_TRUE;
2481 
2482 	if (cumtsn == sctp->sctp_lastack_rxd &&
2483 	    (sctp->sctp_xmit_unacked == NULL ||
2484 	    !SCTP_CHUNK_ABANDONED(sctp->sctp_xmit_unacked))) {
2485 		if (sctp->sctp_xmit_unacked != NULL)
2486 			mp = sctp->sctp_xmit_unacked;
2487 		else if (sctp->sctp_xmit_head != NULL)
2488 			mp = sctp->sctp_xmit_head->b_cont;
2489 		else
2490 			mp = NULL;
2491 		BUMP_MIB(&sctp_mib, sctpInDupAck);
2492 	} else {
2493 		acked = sctp_cumack(sctp, cumtsn, &mp);
2494 		sctp->sctp_xmit_unacked = mp;
2495 		if (acked > 0) {
2496 			trysend = 1;
2497 			cumack_forward = B_TRUE;
2498 			if (fwd_tsn && SEQ_GEQ(sctp->sctp_lastack_rxd,
2499 			    sctp->sctp_adv_pap)) {
2500 				cumack_forward = B_FALSE;
2501 			}
2502 		}
2503 	}
2504 	num_gaps = ntohs(sc->ssc_numfrags);
2505 	if (num_gaps == 0 || mp == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2506 	    chunklen < (sizeof (*sch) + sizeof (*sc) +
2507 	    num_gaps * sizeof (*ssf))) {
2508 		goto ret;
2509 	}
2510 #ifdef	DEBUG
2511 	/*
2512 	 * Since we delete any message that has been acked completely,
2513 	 * the unacked chunk must belong to sctp_xmit_head (as
2514 	 * we don't have a back pointer from the mp to the meta data
2515 	 * we do this).
2516 	 */
2517 	{
2518 		mblk_t	*mp2 = sctp->sctp_xmit_head->b_cont;
2519 
2520 		while (mp2 != NULL) {
2521 			if (mp2 == mp)
2522 				break;
2523 			mp2 = mp2->b_next;
2524 		}
2525 		ASSERT(mp2 != NULL);
2526 	}
2527 #endif
2528 	ump = sctp->sctp_xmit_head;
2529 
2530 	/*
2531 	 * Just remember where we started from, in case we need to call
2532 	 * sctp_process_uo_gaps() if the gap blocks are unordered.
2533 	 */
2534 	mp1 = mp;
2535 
2536 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2537 	xtsn = ntohl(sdc->sdh_tsn);
2538 	ASSERT(xtsn == cumtsn + 1);
2539 
2540 	/*
2541 	 * Go through SACK gaps. They are ordered based on start TSN.
2542 	 */
2543 	ssf = (sctp_sack_frag_t *)(sc + 1);
2544 	for (i = 0; i < num_gaps; i++, ssf++) {
2545 		if (gapstart != 0) {
2546 			/* check for unordered gap */
2547 			if (SEQ_LEQ(cumtsn + ntohs(ssf->ssf_start), gapstart)) {
2548 				acked += sctp_process_uo_gaps(sctp,
2549 				    cumtsn, ssf, num_gaps - i,
2550 				    sctp->sctp_xmit_head, mp1,
2551 				    &trysend, &fast_recovery, gapstart);
2552 				if (trysend < 0) {
2553 					BUMP_MIB(&sctp_mib, sctpInAckUnsent);
2554 					return (-1);
2555 				}
2556 				break;
2557 			}
2558 		}
2559 		gapstart = cumtsn + ntohs(ssf->ssf_start);
2560 		gapend = cumtsn + ntohs(ssf->ssf_end);
2561 
2562 		/* SACK for TSN we have not sent - ABORT */
2563 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2564 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2565 			BUMP_MIB(&sctp_mib, sctpInAckUnsent);
2566 			return (-1);
2567 		} else if (SEQ_LT(gapend, gapstart)) {
2568 			break;
2569 		}
2570 		/*
2571 		 * Let's start at the current TSN (for the 1st gap we start
2572 		 * from the cumulative TSN, for subsequent ones we start from
2573 		 * where the previous gapend was found - second while loop
2574 		 * below) and walk the transmit list till we find the TSN
2575 		 * corresponding to gapstart. All the unacked chunks till we
2576 		 * get to the chunk with TSN == gapstart will have their
2577 		 * SACKCNT incremented by 1. Note since the gap blocks are
2578 		 * ordered, we won't be incrementing the SACKCNT for an
2579 		 * unacked chunk by more than one while processing the gap
2580 		 * blocks. If the SACKCNT for any unacked chunk exceeds
2581 		 * the fast retransmit threshold, we will fast retransmit
2582 		 * after processing all the gap blocks.
2583 		 */
2584 		ASSERT(SEQ_LT(xtsn, gapstart));
2585 		while (xtsn != gapstart) {
2586 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2587 			if (SCTP_CHUNK_SACKCNT(mp) == sctp_fast_rxt_thresh) {
2588 				SCTP_CHUNK_REXMIT(mp);
2589 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2590 				trysend = 1;
2591 				if (!fast_recovery) {
2592 					/*
2593 					 * Entering fast recovery.
2594 					 */
2595 					fp = SCTP_CHUNK_DEST(mp);
2596 					fp->ssthresh = fp->cwnd / 2;
2597 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2598 						fp->ssthresh =
2599 						    2 * fp->sfa_pmss;
2600 					}
2601 					fp->cwnd = fp->ssthresh;
2602 					fp->pba = 0;
2603 					sctp->sctp_recovery_tsn =
2604 					    sctp->sctp_ltsn - 1;
2605 					fast_recovery = B_TRUE;
2606 				}
2607 			}
2608 
2609 			/*
2610 			 * Peer may have reneged on this chunk, so un-sack
2611 			 * it now. If the peer did renege, we need to
2612 			 * readjust unacked.
2613 			 */
2614 			if (SCTP_CHUNK_ISACKED(mp)) {
2615 				chunklen = ntohs(sdc->sdh_len);
2616 				fp = SCTP_CHUNK_DEST(mp);
2617 				fp->suna += chunklen;
2618 				sctp->sctp_unacked += chunklen - sizeof (*sdc);
2619 				SCTP_CHUNK_CLEAR_ACKED(mp);
2620 				if (!fp->timer_running) {
2621 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
2622 					    fp->rto);
2623 				}
2624 			}
2625 
2626 			mp = mp->b_next;
2627 			if (mp == NULL) {
2628 				ump = ump->b_next;
2629 				/*
2630 				 * ump can't be NULL given the sanity check
2631 				 * above.
2632 				 */
2633 				ASSERT(ump != NULL);
2634 				mp = ump->b_cont;
2635 			}
2636 			/*
2637 			 * mp can't be unsent given the sanity check above.
2638 			 */
2639 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2640 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2641 			xtsn = ntohl(sdc->sdh_tsn);
2642 		}
2643 		/*
2644 		 * Now that we have found the chunk with TSN == 'gapstart',
2645 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2646 		 * All intermediate chunks will be marked ACKED, if they
2647 		 * haven't already been.
2648 		 */
2649 		while (SEQ_LEQ(xtsn, gapend)) {
2650 			/*
2651 			 * SACKed
2652 			 */
2653 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2654 			if (!SCTP_CHUNK_ISACKED(mp)) {
2655 				SCTP_CHUNK_ACKED(mp);
2656 
2657 				fp = SCTP_CHUNK_DEST(mp);
2658 				chunklen = ntohs(sdc->sdh_len);
2659 				ASSERT(fp->suna >= chunklen);
2660 				fp->suna -= chunklen;
2661 				if (fp->suna == 0) {
2662 					/* All outstanding data acked. */
2663 					fp->pba = 0;
2664 					SCTP_FADDR_TIMER_STOP(fp);
2665 				}
2666 				fp->acked += chunklen;
2667 				acked += chunklen;
2668 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2669 				ASSERT(sctp->sctp_unacked >= 0);
2670 			}
2671 			/* Go to the next chunk of the current message */
2672 			mp = mp->b_next;
2673 			/*
2674 			 * Move to the next message in the transmit list
2675 			 * if we are done with all the chunks from the current
2676 			 * message. Note, it is possible to hit the end of the
2677 			 * transmit list here, i.e. if we have already completed
2678 			 * processing the gap block.
2679 			 * Also, note that we break here, which means we
2680 			 * continue processing gap blocks, if any. In case of
2681 			 * ordered gap blocks there can't be any following
2682 			 * this (if there is it will fail the sanity check
2683 			 * above). In case of un-ordered gap blocks we will
2684 			 * switch to sctp_process_uo_gaps().  In either case
2685 			 * it should be fine to continue with NULL ump/mp,
2686 			 * but we just reset it to xmit_head.
2687 			 */
2688 			if (mp == NULL) {
2689 				ump = ump->b_next;
2690 				if (ump == NULL) {
2691 					ASSERT(xtsn == gapend);
2692 					ump = sctp->sctp_xmit_head;
2693 					mp = mp1;
2694 					sdc = (sctp_data_hdr_t *)mp->b_rptr;
2695 					xtsn = ntohl(sdc->sdh_tsn);
2696 					break;
2697 				}
2698 				mp = ump->b_cont;
2699 			}
2700 			/*
2701 			 * Likewise, we could hit an unsent chunk once we have
2702 			 * completed processing the gap block. Again, it is
2703 			 * fine to continue processing gap blocks with mp
2704 			 * pointing to the unsent chunk, because if there
2705 			 * are more ordered gap blocks, they will fail the
2706 			 * sanity check, and if there are un-ordered gap blocks,
2707 			 * we will continue processing in sctp_process_uo_gaps()
2708 			 * We just reset the mp to the one we started with.
2709 			 */
2710 			if (!SCTP_CHUNK_ISSENT(mp)) {
2711 				ASSERT(xtsn == gapend);
2712 				ump = sctp->sctp_xmit_head;
2713 				mp = mp1;
2714 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2715 				xtsn = ntohl(sdc->sdh_tsn);
2716 				break;
2717 			}
2718 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2719 			xtsn = ntohl(sdc->sdh_tsn);
2720 		}
2721 	}
2722 	if (sctp->sctp_prsctp_aware)
2723 		sctp_check_abandoned_data(sctp, sctp->sctp_current);
2724 	if (sctp->sctp_chk_fast_rexmit)
2725 		sctp_fast_rexmit(sctp);
2726 ret:
2727 	trysend += sctp_set_frwnd(sctp, ntohl(sc->ssc_a_rwnd));
2728 
2729 	/*
2730 	 * If receive window is closed while there is unsent data,
2731 	 * set a timer for doing zero window probes.
2732 	 */
2733 	if (sctp->sctp_frwnd == 0 && sctp->sctp_unacked == 0 &&
2734 	    sctp->sctp_unsent != 0) {
2735 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
2736 		    sctp->sctp_current->rto);
2737 	}
2738 
2739 	/*
2740 	 * Set cwnd for all destinations.
2741 	 * Congestion window gets increased only when cumulative
2742 	 * TSN moves forward, we're not in fast recovery, and
2743 	 * cwnd has been fully utilized (almost fully, need to allow
2744 	 * some leeway due to non-MSS sized messages).
2745 	 */
2746 	if (sctp->sctp_current->acked == acked) {
2747 		/*
2748 		 * Fast-path, only data sent to sctp_current got acked.
2749 		 */
2750 		fp = sctp->sctp_current;
2751 		if (cumack_forward && !fast_recovery &&
2752 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2753 			if (fp->cwnd < fp->ssthresh) {
2754 				/*
2755 				 * Slow start
2756 				 */
2757 				if (fp->acked > fp->sfa_pmss) {
2758 					fp->cwnd += fp->sfa_pmss;
2759 				} else {
2760 					fp->cwnd += fp->acked;
2761 				}
2762 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2763 			} else {
2764 				/*
2765 				 * Congestion avoidance
2766 				 */
2767 				fp->pba += fp->acked;
2768 				if (fp->pba >= fp->cwnd) {
2769 					fp->pba -= fp->cwnd;
2770 					fp->cwnd += fp->sfa_pmss;
2771 					fp->cwnd = MIN(fp->cwnd,
2772 					    sctp->sctp_cwnd_max);
2773 				}
2774 			}
2775 		}
2776 		/*
2777 		 * Limit the burst of transmitted data segments.
2778 		 */
2779 		if (fp->suna + sctp_maxburst * fp->sfa_pmss < fp->cwnd) {
2780 			fp->cwnd = fp->suna + sctp_maxburst * fp->sfa_pmss;
2781 		}
2782 		fp->acked = 0;
2783 		return (trysend);
2784 	}
2785 	for (fp = sctp->sctp_faddrs; fp; fp = fp->next) {
2786 		if (cumack_forward && fp->acked && !fast_recovery &&
2787 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2788 			if (fp->cwnd < fp->ssthresh) {
2789 				if (fp->acked > fp->sfa_pmss) {
2790 					fp->cwnd += fp->sfa_pmss;
2791 				} else {
2792 					fp->cwnd += fp->acked;
2793 				}
2794 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2795 			} else {
2796 				fp->pba += fp->acked;
2797 				if (fp->pba >= fp->cwnd) {
2798 					fp->pba -= fp->cwnd;
2799 					fp->cwnd += fp->sfa_pmss;
2800 					fp->cwnd = MIN(fp->cwnd,
2801 					    sctp->sctp_cwnd_max);
2802 				}
2803 			}
2804 		}
2805 		if (fp->suna + sctp_maxburst * fp->sfa_pmss < fp->cwnd) {
2806 			fp->cwnd = fp->suna + sctp_maxburst * fp->sfa_pmss;
2807 		}
2808 		fp->acked = 0;
2809 	}
2810 	return (trysend);
2811 }
2812 
2813 /*
2814  * Returns 0 if the caller should stop processing any more chunks,
2815  * 1 if the caller should skip this chunk and continue processing.
2816  */
2817 static int
2818 sctp_strange_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
2819 {
2820 	mblk_t *errmp;
2821 	size_t len;
2822 
2823 	BUMP_LOCAL(sctp->sctp_ibchunks);
2824 	/* check top two bits for action required */
2825 	if (ch->sch_id & 0x40) {	/* also matches 0xc0 */
2826 		len = ntohs(ch->sch_len);
2827 		errmp = sctp_make_err(sctp, SCTP_ERR_UNREC_CHUNK, ch, len);
2828 		if (errmp != NULL)
2829 			sctp_send_err(sctp, errmp, fp);
2830 		if ((ch->sch_id & 0xc0) == 0xc0) {
2831 			/* skip and continue */
2832 			return (1);
2833 		} else {
2834 			/* stop processing */
2835 			return (0);
2836 		}
2837 	}
2838 	if (ch->sch_id & 0x80) {
2839 		/* skip and continue, no error */
2840 		return (1);
2841 	}
2842 	/* top two bits are clear; stop processing and no error */
2843 	return (0);
2844 }
2845 
2846 /*
2847  * Basic sanity checks on all input chunks and parameters: they must
2848  * be of legitimate size for their purported type, and must follow
2849  * ordering conventions as defined in rfc2960.
2850  *
2851  * Returns 1 if the chunk and all encloded params are legitimate,
2852  * 0 otherwise.
2853  */
2854 /*ARGSUSED*/
2855 static int
2856 sctp_check_input(sctp_t *sctp, sctp_chunk_hdr_t *ch, ssize_t len, int first)
2857 {
2858 	sctp_parm_hdr_t	*ph;
2859 	void		*p = NULL;
2860 	ssize_t		clen;
2861 	uint16_t	ch_len;
2862 
2863 	ch_len = ntohs(ch->sch_len);
2864 	if (ch_len > len) {
2865 		return (0);
2866 	}
2867 
2868 	switch (ch->sch_id) {
2869 	case CHUNK_DATA:
2870 		if (ch_len < sizeof (sctp_data_hdr_t)) {
2871 			return (0);
2872 		}
2873 		return (1);
2874 	case CHUNK_INIT:
2875 	case CHUNK_INIT_ACK:
2876 		{
2877 			ssize_t	remlen = len;
2878 
2879 			/*
2880 			 * INIT and INIT-ACK chunks must not be bundled with
2881 			 * any other.
2882 			 */
2883 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
2884 			    (ch_len < (sizeof (*ch) +
2885 			    sizeof (sctp_init_chunk_t)))) {
2886 				return (0);
2887 			}
2888 			/* may have params that need checking */
2889 			p = (char *)(ch + 1) + sizeof (sctp_init_chunk_t);
2890 			clen = ch_len - (sizeof (*ch) +
2891 			    sizeof (sctp_init_chunk_t));
2892 		}
2893 		break;
2894 	case CHUNK_SACK:
2895 		if (ch_len < (sizeof (*ch) + sizeof (sctp_sack_chunk_t))) {
2896 			return (0);
2897 		}
2898 		/* dup and gap reports checked by got_sack() */
2899 		return (1);
2900 	case CHUNK_SHUTDOWN:
2901 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t))) {
2902 			return (0);
2903 		}
2904 		return (1);
2905 	case CHUNK_ABORT:
2906 	case CHUNK_ERROR:
2907 		if (ch_len < sizeof (*ch)) {
2908 			return (0);
2909 		}
2910 		/* may have params that need checking */
2911 		p = ch + 1;
2912 		clen = ch_len - sizeof (*ch);
2913 		break;
2914 	case CHUNK_ECNE:
2915 	case CHUNK_CWR:
2916 	case CHUNK_HEARTBEAT:
2917 	case CHUNK_HEARTBEAT_ACK:
2918 	/* Full ASCONF chunk and parameter checks are in asconf.c */
2919 	case CHUNK_ASCONF:
2920 	case CHUNK_ASCONF_ACK:
2921 		if (ch_len < sizeof (*ch)) {
2922 			return (0);
2923 		}
2924 		/* heartbeat data checked by process_heartbeat() */
2925 		return (1);
2926 	case CHUNK_SHUTDOWN_COMPLETE:
2927 		{
2928 			ssize_t remlen = len;
2929 
2930 			/*
2931 			 * SHUTDOWN-COMPLETE chunk must not be bundled with any
2932 			 * other
2933 			 */
2934 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
2935 			    ch_len < sizeof (*ch)) {
2936 				return (0);
2937 			}
2938 		}
2939 		return (1);
2940 	case CHUNK_COOKIE:
2941 	case CHUNK_COOKIE_ACK:
2942 	case CHUNK_SHUTDOWN_ACK:
2943 		if (ch_len < sizeof (*ch) || !first) {
2944 			return (0);
2945 		}
2946 		return (1);
2947 	case CHUNK_FORWARD_TSN:
2948 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t)))
2949 			return (0);
2950 		return (1);
2951 	default:
2952 		return (1);	/* handled by strange_chunk() */
2953 	}
2954 
2955 	/* check and byteorder parameters */
2956 	if (clen <= 0) {
2957 		return (1);
2958 	}
2959 	ASSERT(p != NULL);
2960 
2961 	ph = p;
2962 	while (ph != NULL && clen > 0) {
2963 		ch_len = ntohs(ph->sph_len);
2964 		if (ch_len > len || ch_len < sizeof (*ph)) {
2965 			return (0);
2966 		}
2967 		ph = sctp_next_parm(ph, &clen);
2968 	}
2969 
2970 	/* All OK */
2971 	return (1);
2972 }
2973 
2974 /* ARGSUSED */
2975 static sctp_hdr_t *
2976 find_sctp_hdrs(mblk_t *mp, in6_addr_t *src, in6_addr_t *dst,
2977     uint_t *ifindex, uint_t *ip_hdr_len, ip6_pkt_t *ipp, in_pktinfo_t *pinfo)
2978 {
2979 	uchar_t	*rptr;
2980 	ipha_t	*ip4h;
2981 	ip6_t	*ip6h;
2982 	mblk_t	*mp1;
2983 
2984 	rptr = mp->b_rptr;
2985 	if (IPH_HDR_VERSION(rptr) == IPV4_VERSION) {
2986 		*ip_hdr_len = IPH_HDR_LENGTH(rptr);
2987 		ip4h = (ipha_t *)rptr;
2988 		IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_src, src);
2989 		IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_dst, dst);
2990 
2991 		ipp->ipp_fields |= IPPF_HOPLIMIT;
2992 		ipp->ipp_hoplimit = ((ipha_t *)rptr)->ipha_ttl;
2993 		if (pinfo != NULL && (pinfo->in_pkt_flags & IPF_RECVIF)) {
2994 			ipp->ipp_fields |= IPPF_IFINDEX;
2995 			ipp->ipp_ifindex = pinfo->in_pkt_ifindex;
2996 		}
2997 	} else {
2998 		ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
2999 		ip6h = (ip6_t *)rptr;
3000 		ipp->ipp_fields = IPPF_HOPLIMIT;
3001 		ipp->ipp_hoplimit = ip6h->ip6_hops;
3002 
3003 		if (ip6h->ip6_nxt != IPPROTO_SCTP) {
3004 			/* Look for ifindex information */
3005 			if (ip6h->ip6_nxt == IPPROTO_RAW) {
3006 				ip6i_t *ip6i = (ip6i_t *)ip6h;
3007 
3008 				if (ip6i->ip6i_flags & IP6I_IFINDEX) {
3009 					ASSERT(ip6i->ip6i_ifindex != 0);
3010 					ipp->ipp_fields |= IPPF_IFINDEX;
3011 					ipp->ipp_ifindex = ip6i->ip6i_ifindex;
3012 				}
3013 				rptr = (uchar_t *)&ip6i[1];
3014 				mp->b_rptr = rptr;
3015 				if (rptr == mp->b_wptr) {
3016 					mp1 = mp->b_cont;
3017 					freeb(mp);
3018 					mp = mp1;
3019 					rptr = mp->b_rptr;
3020 				}
3021 				ASSERT(mp->b_wptr - rptr >=
3022 				    IPV6_HDR_LEN + sizeof (sctp_hdr_t));
3023 				ip6h = (ip6_t *)rptr;
3024 			}
3025 			/*
3026 			 * Find any potentially interesting extension headers
3027 			 * as well as the length of the IPv6 + extension
3028 			 * headers.
3029 			 */
3030 			*ip_hdr_len = ip_find_hdr_v6(mp, ip6h, ipp, NULL);
3031 		} else {
3032 			*ip_hdr_len = IPV6_HDR_LEN;
3033 		}
3034 		*src = ip6h->ip6_src;
3035 		*dst = ip6h->ip6_dst;
3036 	}
3037 	ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
3038 	return ((sctp_hdr_t *)&rptr[*ip_hdr_len]);
3039 #undef IPVER
3040 }
3041 
3042 static mblk_t *
3043 sctp_check_in_policy(mblk_t *mp, mblk_t *ipsec_mp)
3044 {
3045 	ipsec_in_t *ii;
3046 	boolean_t check = B_TRUE;
3047 	boolean_t policy_present;
3048 	ipha_t *ipha;
3049 	ip6_t *ip6h;
3050 
3051 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3052 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
3053 	if (ii->ipsec_in_dont_check) {
3054 		check = B_FALSE;
3055 		if (!ii->ipsec_in_secure) {
3056 			freeb(ipsec_mp);
3057 			ipsec_mp = NULL;
3058 		}
3059 	}
3060 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
3061 		policy_present = ipsec_inbound_v4_policy_present;
3062 		ipha = (ipha_t *)mp->b_rptr;
3063 		ip6h = NULL;
3064 	} else {
3065 		policy_present = ipsec_inbound_v6_policy_present;
3066 		ipha = NULL;
3067 		ip6h = (ip6_t *)mp->b_rptr;
3068 	}
3069 
3070 	if (check && policy_present) {
3071 		/*
3072 		 * The conn_t parameter is NULL because we already know
3073 		 * nobody's home.
3074 		 */
3075 		ipsec_mp = ipsec_check_global_policy(ipsec_mp, (conn_t *)NULL,
3076 		    ipha, ip6h, B_TRUE);
3077 		if (ipsec_mp == NULL)
3078 			return (NULL);
3079 	}
3080 	if (ipsec_mp != NULL)
3081 		freeb(ipsec_mp);
3082 	return (mp);
3083 }
3084 
3085 /* Handle out-of-the-blue packets */
3086 void
3087 sctp_ootb_input(mblk_t *mp, ill_t *recv_ill, uint_t ipif_seqid,
3088     zoneid_t zoneid, boolean_t mctl_present)
3089 {
3090 	sctp_t			*sctp;
3091 	sctp_chunk_hdr_t	*ch;
3092 	sctp_hdr_t		*sctph;
3093 	in6_addr_t		src, dst;
3094 	uint_t			ip_hdr_len;
3095 	uint_t			ifindex;
3096 	ip6_pkt_t		ipp;
3097 	ssize_t			mlen;
3098 	in_pktinfo_t		*pinfo = NULL;
3099 	mblk_t			*first_mp;
3100 
3101 	BUMP_MIB(&sctp_mib, sctpOutOfBlue);
3102 	BUMP_MIB(&sctp_mib, sctpInSCTPPkts);
3103 
3104 	first_mp = mp;
3105 	if (mctl_present)
3106 		mp = mp->b_cont;
3107 
3108 	/* Initiate IPPf processing, if needed. */
3109 	if (IPP_ENABLED(IPP_LOCAL_IN)) {
3110 		ip_process(IPP_LOCAL_IN, &mp,
3111 		    recv_ill->ill_phyint->phyint_ifindex);
3112 		if (mp == NULL) {
3113 			if (mctl_present)
3114 				freeb(first_mp);
3115 			return;
3116 		}
3117 	}
3118 
3119 	if (mp->b_cont != NULL) {
3120 		/*
3121 		 * All subsequent code is vastly simplified if it can
3122 		 * assume a single contiguous chunk of data.
3123 		 */
3124 		if (pullupmsg(mp, -1) == 0) {
3125 			BUMP_MIB(&ip_mib, ipInDiscards);
3126 			freemsg(first_mp);
3127 			return;
3128 		}
3129 	}
3130 
3131 	/*
3132 	 * We don't really need to call this function...  Need to
3133 	 * optimize later.
3134 	 */
3135 	sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
3136 	    &ipp, pinfo);
3137 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3138 	if ((ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen)) == NULL) {
3139 		dprint(3, ("sctp_ootb_input: invalid packet\n"));
3140 		BUMP_MIB(&ip_mib, ipInDiscards);
3141 		freemsg(first_mp);
3142 		return;
3143 	}
3144 
3145 	switch (ch->sch_id) {
3146 	case CHUNK_INIT:
3147 		/* no listener; send abort  */
3148 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3149 			return;
3150 		sctp_send_abort(gsctp, sctp_init2vtag(ch), 0,
3151 		    NULL, 0, mp, 0, B_TRUE);
3152 		break;
3153 	case CHUNK_INIT_ACK:
3154 		/* check for changed src addr */
3155 		sctp = sctp_addrlist2sctp(mp, sctph, ch, ipif_seqid, zoneid);
3156 		if (sctp != NULL) {
3157 			/* success; proceed to normal path */
3158 			mutex_enter(&sctp->sctp_lock);
3159 			if (sctp->sctp_running) {
3160 				if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
3161 					BUMP_MIB(&ip_mib, ipInDiscards);
3162 					freemsg(mp);
3163 				}
3164 				mutex_exit(&sctp->sctp_lock);
3165 			} else {
3166 				/*
3167 				 * If the source address is changed, we
3168 				 * don't need to worry too much about
3169 				 * out of order processing.  So we don't
3170 				 * check if the recvq is empty or not here.
3171 				 */
3172 				sctp->sctp_running = B_TRUE;
3173 				mutex_exit(&sctp->sctp_lock);
3174 				sctp_input_data(sctp, mp, NULL);
3175 				WAKE_SCTP(sctp);
3176 				sctp_process_sendq(sctp);
3177 			}
3178 			SCTP_REFRELE(sctp);
3179 			return;
3180 		}
3181 		if (mctl_present)
3182 			freeb(first_mp);
3183 		/* else bogus init ack; drop it */
3184 		break;
3185 	case CHUNK_SHUTDOWN_ACK:
3186 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3187 			return;
3188 		sctp_ootb_shutdown_ack(gsctp, mp, ip_hdr_len);
3189 		sctp_process_sendq(gsctp);
3190 		return;
3191 	case CHUNK_ERROR:
3192 	case CHUNK_ABORT:
3193 	case CHUNK_COOKIE_ACK:
3194 	case CHUNK_SHUTDOWN_COMPLETE:
3195 		if (mctl_present)
3196 			freeb(first_mp);
3197 		break;
3198 	default:
3199 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3200 			return;
3201 		sctp_send_abort(gsctp, sctph->sh_verf, 0, NULL, 0, mp, 0,
3202 		    B_TRUE);
3203 		break;
3204 	}
3205 	sctp_process_sendq(gsctp);
3206 	freemsg(mp);
3207 }
3208 
3209 void
3210 sctp_input(conn_t *connp, ipha_t *ipha, mblk_t *mp, mblk_t *first_mp,
3211     ill_t *recv_ill, boolean_t isv4, boolean_t mctl_present)
3212 {
3213 	sctp_t *sctp = CONN2SCTP(connp);
3214 
3215 	/*
3216 	 * We check some fields in conn_t without holding a lock.
3217 	 * This should be fine.
3218 	 */
3219 	if (CONN_INBOUND_POLICY_PRESENT(connp) || mctl_present) {
3220 		first_mp = ipsec_check_inbound_policy(first_mp, connp,
3221 		    ipha, NULL, mctl_present);
3222 		if (first_mp == NULL) {
3223 			SCTP_REFRELE(sctp);
3224 			return;
3225 		}
3226 	}
3227 
3228 	/* Initiate IPPF processing for fastpath */
3229 	if (IPP_ENABLED(IPP_LOCAL_IN)) {
3230 		ip_process(IPP_LOCAL_IN, &mp,
3231 		    recv_ill->ill_phyint->phyint_ifindex);
3232 		if (mp == NULL) {
3233 			SCTP_REFRELE(sctp);
3234 			if (mctl_present)
3235 				freeb(first_mp);
3236 			return;
3237 		} else if (mctl_present) {
3238 			/*
3239 			 * ip_process might return a new mp.
3240 			 */
3241 			ASSERT(first_mp != mp);
3242 			first_mp->b_cont = mp;
3243 		} else {
3244 			first_mp = mp;
3245 		}
3246 	}
3247 
3248 	if (connp->conn_recvif || connp->conn_recvslla ||
3249 	    connp->conn_ipv6_recvpktinfo) {
3250 		int in_flags = 0;
3251 
3252 		if (connp->conn_recvif || connp->conn_ipv6_recvpktinfo) {
3253 			in_flags = IPF_RECVIF;
3254 		}
3255 		if (connp->conn_recvslla) {
3256 			in_flags |= IPF_RECVSLLA;
3257 		}
3258 		if (isv4) {
3259 			mp = ip_add_info(mp, recv_ill, in_flags);
3260 		} else {
3261 			mp = ip_add_info_v6(mp, recv_ill,
3262 			    &(((ip6_t *)ipha)->ip6_dst));
3263 		}
3264 		if (mp == NULL) {
3265 			SCTP_REFRELE(sctp);
3266 			if (mctl_present)
3267 				freeb(first_mp);
3268 			return;
3269 		} else if (mctl_present) {
3270 			/*
3271 			 * ip_add_info might return a new mp.
3272 			 */
3273 			ASSERT(first_mp != mp);
3274 			first_mp->b_cont = mp;
3275 		} else {
3276 			first_mp = mp;
3277 		}
3278 	}
3279 
3280 	mutex_enter(&sctp->sctp_lock);
3281 	if (sctp->sctp_running) {
3282 		if (mctl_present)
3283 			mp->b_prev = first_mp;
3284 		if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
3285 			BUMP_MIB(&ip_mib, ipInDiscards);
3286 			freemsg(first_mp);
3287 		}
3288 		mutex_exit(&sctp->sctp_lock);
3289 		SCTP_REFRELE(sctp);
3290 		return;
3291 	} else {
3292 		sctp->sctp_running = B_TRUE;
3293 		mutex_exit(&sctp->sctp_lock);
3294 
3295 		mutex_enter(&sctp->sctp_recvq_lock);
3296 		if (sctp->sctp_recvq != NULL) {
3297 			if (mctl_present)
3298 				mp->b_prev = first_mp;
3299 			if (!sctp_add_recvq(sctp, mp, B_TRUE)) {
3300 				BUMP_MIB(&ip_mib, ipInDiscards);
3301 				freemsg(first_mp);
3302 			}
3303 			mutex_exit(&sctp->sctp_recvq_lock);
3304 			WAKE_SCTP(sctp);
3305 			SCTP_REFRELE(sctp);
3306 			return;
3307 		}
3308 	}
3309 	mutex_exit(&sctp->sctp_recvq_lock);
3310 	sctp_input_data(sctp, mp, (mctl_present ? first_mp : NULL));
3311 	WAKE_SCTP(sctp);
3312 	sctp_process_sendq(sctp);
3313 	SCTP_REFRELE(sctp);
3314 }
3315 
3316 static void
3317 sctp_process_abort(sctp_t *sctp, sctp_chunk_hdr_t *ch, int err)
3318 {
3319 	BUMP_MIB(&sctp_mib, sctpAborted);
3320 	BUMP_LOCAL(sctp->sctp_ibchunks);
3321 
3322 	sctp_assoc_event(sctp, SCTP_COMM_LOST,
3323 	    ntohs(((sctp_parm_hdr_t *)(ch + 1))->sph_type), ch);
3324 	sctp_clean_death(sctp, err);
3325 }
3326 
3327 void
3328 sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
3329 {
3330 	sctp_chunk_hdr_t	*ch;
3331 	ssize_t			mlen;
3332 	int			gotdata;
3333 	int			trysend;
3334 	sctp_faddr_t		*fp;
3335 	sctp_init_chunk_t	*iack;
3336 	uint32_t		tsn;
3337 	sctp_data_hdr_t		*sdc;
3338 	ip6_pkt_t		ipp;
3339 	in6_addr_t		src;
3340 	in6_addr_t		dst;
3341 	uint_t			ifindex;
3342 	sctp_hdr_t		*sctph;
3343 	uint_t			ip_hdr_len;
3344 	mblk_t			*dups = NULL;
3345 	int			recv_adaption;
3346 	boolean_t		wake_eager = B_FALSE;
3347 	mblk_t			*pinfo_mp;
3348 	in_pktinfo_t		*pinfo = NULL;
3349 	in6_addr_t		peer_src;
3350 	int64_t			now;
3351 
3352 	if (DB_TYPE(mp) != M_DATA) {
3353 		ASSERT(DB_TYPE(mp) == M_CTL);
3354 		if (MBLKL(mp) == sizeof (in_pktinfo_t) &&
3355 		    ((in_pktinfo_t *)mp->b_rptr)->in_pkt_ulp_type ==
3356 		    IN_PKTINFO) {
3357 			pinfo = (in_pktinfo_t *)mp->b_rptr;
3358 			pinfo_mp = mp;
3359 			mp = mp->b_cont;
3360 		} else {
3361 			if (ipsec_mp != NULL)
3362 				freeb(ipsec_mp);
3363 			sctp_icmp_error(sctp, mp);
3364 			return;
3365 		}
3366 	}
3367 	ASSERT(DB_TYPE(mp) == M_DATA);
3368 
3369 	if (mp->b_cont != NULL) {
3370 		/*
3371 		 * All subsequent code is vastly simplified if it can
3372 		 * assume a single contiguous chunk of data.
3373 		 */
3374 		if (pullupmsg(mp, -1) == 0) {
3375 			BUMP_MIB(&ip_mib, ipInDiscards);
3376 			if (ipsec_mp != NULL)
3377 				freeb(ipsec_mp);
3378 			if (pinfo != NULL)
3379 				freeb(pinfo_mp);
3380 			freemsg(mp);
3381 			return;
3382 		}
3383 	}
3384 
3385 	BUMP_LOCAL(sctp->sctp_ipkts);
3386 	sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
3387 	    &ipp, pinfo);
3388 	if (pinfo != NULL)
3389 		freeb(pinfo_mp);
3390 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3391 	ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen);
3392 	if (ch == NULL) {
3393 		BUMP_MIB(&ip_mib, ipInDiscards);
3394 		if (ipsec_mp != NULL)
3395 			freeb(ipsec_mp);
3396 		freemsg(mp);
3397 		return;
3398 	}
3399 
3400 	if (!sctp_check_input(sctp, ch, mlen, 1)) {
3401 		BUMP_MIB(&ip_mib, ipInDiscards);
3402 		goto done;
3403 	}
3404 	/*
3405 	 * Check verfication tag (special handling for INIT,
3406 	 * COOKIE, SHUTDOWN_COMPLETE and SHUTDOWN_ACK chunks).
3407 	 * ABORTs are handled in the chunk processing loop, since
3408 	 * may not appear first. All other checked chunks must
3409 	 * appear first, or will have been dropped by check_input().
3410 	 */
3411 	switch (ch->sch_id) {
3412 	case CHUNK_INIT:
3413 		if (sctph->sh_verf != 0) {
3414 			/* drop it */
3415 			goto done;
3416 		}
3417 		break;
3418 	case CHUNK_SHUTDOWN_COMPLETE:
3419 		if (sctph->sh_verf == sctp->sctp_lvtag)
3420 			break;
3421 		if (sctph->sh_verf == sctp->sctp_fvtag &&
3422 		    SCTP_GET_TBIT(ch)) {
3423 			break;
3424 		}
3425 		/* else drop it */
3426 		goto done;
3427 	case CHUNK_ABORT:
3428 	case CHUNK_COOKIE:
3429 		/* handled below */
3430 		break;
3431 	case CHUNK_SHUTDOWN_ACK:
3432 		if (sctp->sctp_state > SCTPS_BOUND &&
3433 		    sctp->sctp_state < SCTPS_ESTABLISHED) {
3434 			/* treat as OOTB */
3435 			sctp_ootb_shutdown_ack(sctp, mp, ip_hdr_len);
3436 			if (ipsec_mp != NULL)
3437 				freeb(ipsec_mp);
3438 			return;
3439 		}
3440 		/* else fallthru */
3441 	default:
3442 		/*
3443 		 * All other packets must have a valid
3444 		 * verification tag, however if this is a
3445 		 * listener, we use a refined version of
3446 		 * out-of-the-blue logic.
3447 		 */
3448 		if (sctph->sh_verf != sctp->sctp_lvtag &&
3449 		    sctp->sctp_state != SCTPS_LISTEN) {
3450 			/* drop it */
3451 			goto done;
3452 		}
3453 		break;
3454 	}
3455 
3456 	/* Have a valid sctp for this packet */
3457 	fp = sctp_lookup_faddr(sctp, &src);
3458 	dprint(2, ("sctp_dispatch_rput: mp=%p fp=%p sctp=%p\n", (void *)mp,
3459 	    (void *)fp, (void *)sctp));
3460 
3461 	gotdata = 0;
3462 	trysend = 0;
3463 
3464 	now = lbolt64;
3465 	/* Process the chunks */
3466 	do {
3467 		dprint(3, ("sctp_dispatch_rput: state=%d, chunk id=%d\n",
3468 		    sctp->sctp_state, (int)(ch->sch_id)));
3469 
3470 		if (ch->sch_id == CHUNK_ABORT) {
3471 			if (sctph->sh_verf != sctp->sctp_lvtag &&
3472 			    sctph->sh_verf != sctp->sctp_fvtag) {
3473 				/* drop it */
3474 				goto done;
3475 			}
3476 		}
3477 
3478 		switch (sctp->sctp_state) {
3479 
3480 		case SCTPS_ESTABLISHED:
3481 		case SCTPS_SHUTDOWN_PENDING:
3482 		case SCTPS_SHUTDOWN_SENT:
3483 			switch (ch->sch_id) {
3484 			case CHUNK_DATA:
3485 				/* 0-length data chunks are not allowed */
3486 				if (ntohs(ch->sch_len) == sizeof (*sdc)) {
3487 					sdc = (sctp_data_hdr_t *)ch;
3488 					tsn = sdc->sdh_tsn;
3489 					sctp_send_abort(sctp, sctp->sctp_fvtag,
3490 					    SCTP_ERR_NO_USR_DATA, (char *)&tsn,
3491 					    sizeof (tsn), mp, 0, B_FALSE);
3492 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3493 					    0, NULL);
3494 					sctp_clean_death(sctp, ECONNABORTED);
3495 					goto done;
3496 				}
3497 
3498 				ASSERT(fp != NULL);
3499 				sctp->sctp_lastdata = fp;
3500 				sctp_data_chunk(sctp, ch, mp, &dups, fp, &ipp);
3501 				gotdata = 1;
3502 				/* Restart shutdown timer if shutting down */
3503 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3504 					/*
3505 					 * If we have exceeded our max
3506 					 * wait bound for waiting for a
3507 					 * shutdown ack from the peer,
3508 					 * abort the association.
3509 					 */
3510 					if (sctp_shutack_wait_bound != 0 &&
3511 					    TICK_TO_MSEC(now -
3512 					    sctp->sctp_out_time) >
3513 					    sctp_shutack_wait_bound) {
3514 						sctp_send_abort(sctp,
3515 						    sctp->sctp_fvtag, 0, NULL,
3516 						    0, mp, 0, B_FALSE);
3517 						sctp_assoc_event(sctp,
3518 						    SCTP_COMM_LOST, 0, NULL);
3519 						sctp_clean_death(sctp,
3520 						    ECONNABORTED);
3521 						goto done;
3522 					}
3523 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
3524 					    fp->rto);
3525 				}
3526 				break;
3527 			case CHUNK_SACK:
3528 				ASSERT(fp != NULL);
3529 				/*
3530 				 * Peer is real and alive if it can ack our
3531 				 * data.
3532 				 */
3533 				sctp_faddr_alive(sctp, fp);
3534 				trysend = sctp_got_sack(sctp, ch);
3535 				if (trysend < 0) {
3536 					sctp_send_abort(sctp, sctph->sh_verf,
3537 					    0, NULL, 0, mp, 0, B_FALSE);
3538 					sctp_assoc_event(sctp,
3539 					    SCTP_COMM_LOST, 0, NULL);
3540 					sctp_clean_death(sctp,
3541 					    ECONNABORTED);
3542 					goto done;
3543 				}
3544 				break;
3545 			case CHUNK_HEARTBEAT:
3546 				sctp_return_heartbeat(sctp, ch, mp);
3547 				break;
3548 			case CHUNK_HEARTBEAT_ACK:
3549 				sctp_process_heartbeat(sctp, ch);
3550 				break;
3551 			case CHUNK_SHUTDOWN:
3552 				sctp_shutdown_event(sctp);
3553 				trysend = sctp_shutdown_received(sctp, ch,
3554 				    0, 0);
3555 				BUMP_LOCAL(sctp->sctp_ibchunks);
3556 				break;
3557 			case CHUNK_SHUTDOWN_ACK:
3558 				BUMP_LOCAL(sctp->sctp_ibchunks);
3559 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3560 					sctp_shutdown_complete(sctp);
3561 					BUMP_MIB(&sctp_mib, sctpShutdowns);
3562 					sctp_assoc_event(sctp,
3563 					    SCTP_SHUTDOWN_COMP, 0, NULL);
3564 					sctp_clean_death(sctp, 0);
3565 					goto done;
3566 				}
3567 				break;
3568 			case CHUNK_ABORT: {
3569 				sctp_saddr_ipif_t *sp;
3570 
3571 				/* Ignore if delete pending */
3572 				sp = sctp_saddr_lookup(sctp, &dst, 0);
3573 				ASSERT(sp != NULL);
3574 				if (sp->saddr_ipif_delete_pending) {
3575 					BUMP_LOCAL(sctp->sctp_ibchunks);
3576 					break;
3577 				}
3578 
3579 				sctp_process_abort(sctp, ch, ECONNRESET);
3580 				goto done;
3581 			}
3582 			case CHUNK_INIT:
3583 				sctp_send_initack(sctp, ch, mp);
3584 				break;
3585 			case CHUNK_COOKIE:
3586 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3587 				    sctph, &recv_adaption, NULL) != -1) {
3588 					sctp_send_cookie_ack(sctp);
3589 					sctp_assoc_event(sctp, SCTP_RESTART,
3590 					    0, NULL);
3591 					if (recv_adaption) {
3592 						sctp->sctp_recv_adaption = 1;
3593 						sctp_adaption_event(sctp);
3594 					}
3595 				} else {
3596 					BUMP_MIB(&sctp_mib,
3597 					    sctpInInvalidCookie);
3598 				}
3599 				break;
3600 			case CHUNK_ERROR: {
3601 				int error;
3602 
3603 				BUMP_LOCAL(sctp->sctp_ibchunks);
3604 				error = sctp_handle_error(sctp, sctph, ch, mp);
3605 				if (error != 0) {
3606 					sctp_clean_death(sctp, error);
3607 					goto done;
3608 				}
3609 				break;
3610 			}
3611 			case CHUNK_ASCONF:
3612 				ASSERT(fp != NULL);
3613 				sctp_input_asconf(sctp, ch, fp);
3614 				BUMP_LOCAL(sctp->sctp_ibchunks);
3615 				break;
3616 			case CHUNK_ASCONF_ACK:
3617 				ASSERT(fp != NULL);
3618 				sctp_faddr_alive(sctp, fp);
3619 				sctp_input_asconf_ack(sctp, ch, fp);
3620 				BUMP_LOCAL(sctp->sctp_ibchunks);
3621 				break;
3622 			case CHUNK_FORWARD_TSN:
3623 				ASSERT(fp != NULL);
3624 				sctp->sctp_lastdata = fp;
3625 				sctp_process_forward_tsn(sctp, ch, fp, &ipp);
3626 				gotdata = 1;
3627 				BUMP_LOCAL(sctp->sctp_ibchunks);
3628 				break;
3629 			default:
3630 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3631 					goto nomorechunks;
3632 				} /* else skip and continue processing */
3633 				break;
3634 			}
3635 			break;
3636 
3637 		case SCTPS_LISTEN:
3638 			switch (ch->sch_id) {
3639 			case CHUNK_INIT:
3640 				sctp_send_initack(sctp, ch, mp);
3641 				break;
3642 			case CHUNK_COOKIE: {
3643 				sctp_t *eager;
3644 
3645 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3646 				    sctph, &recv_adaption, &peer_src) == -1) {
3647 					BUMP_MIB(&sctp_mib,
3648 					    sctpInInvalidCookie);
3649 					goto done;
3650 				}
3651 
3652 				/*
3653 				 * The cookie is good; ensure that
3654 				 * the peer used the verification
3655 				 * tag from the init ack in the header.
3656 				 */
3657 				if (iack->sic_inittag != sctph->sh_verf)
3658 					goto done;
3659 
3660 				eager = sctp_conn_request(sctp, mp, ifindex,
3661 				    ip_hdr_len, iack, ipsec_mp);
3662 				if (eager == NULL) {
3663 					sctp_send_abort(sctp, sctph->sh_verf,
3664 					    SCTP_ERR_NO_RESOURCES, NULL, 0, mp,
3665 					    0, B_FALSE);
3666 					goto done;
3667 				}
3668 
3669 				/*
3670 				 * If there were extra chunks
3671 				 * bundled with the cookie,
3672 				 * they must be processed
3673 				 * on the eager's queue. We
3674 				 * accomplish this by refeeding
3675 				 * the whole packet into the
3676 				 * state machine on the right
3677 				 * q. The packet (mp) gets
3678 				 * there via the eager's
3679 				 * cookie_mp field (overloaded
3680 				 * with the active open role).
3681 				 * This is picked up when
3682 				 * processing the null bind
3683 				 * request put on the eager's
3684 				 * q by sctp_accept(). We must
3685 				 * first revert the cookie
3686 				 * chunk's length field to network
3687 				 * byteorder so it can be
3688 				 * properly reprocessed on the
3689 				 * eager's queue.
3690 				 */
3691 				BUMP_MIB(&sctp_mib, sctpPassiveEstab);
3692 				if (mlen > ntohs(ch->sch_len)) {
3693 					eager->sctp_cookie_mp = dupb(mp);
3694 					mblk_setcred(eager->sctp_cookie_mp,
3695 					    CONN_CRED(eager->sctp_connp));
3696 					/*
3697 					 * If no mem, just let
3698 					 * the peer retransmit.
3699 					 */
3700 				}
3701 				sctp_assoc_event(eager, SCTP_COMM_UP, 0, NULL);
3702 				if (recv_adaption) {
3703 					eager->sctp_recv_adaption = 1;
3704 					eager->sctp_rx_adaption_code =
3705 					    sctp->sctp_rx_adaption_code;
3706 					sctp_adaption_event(eager);
3707 				}
3708 
3709 				eager->sctp_active = now;
3710 				sctp_send_cookie_ack(eager);
3711 
3712 				wake_eager = B_TRUE;
3713 
3714 				/*
3715 				 * Process rest of the chunks with eager.
3716 				 */
3717 				sctp = eager;
3718 				fp = sctp_lookup_faddr(sctp, &peer_src);
3719 				/*
3720 				 * Confirm peer's original source.  fp can
3721 				 * only be NULL if peer does not use the
3722 				 * original source as one of its addresses...
3723 				 */
3724 				if (fp == NULL)
3725 					fp = sctp_lookup_faddr(sctp, &src);
3726 				else
3727 					sctp_faddr_alive(sctp, fp);
3728 
3729 				/*
3730 				 * Validate the peer addresses.  It also starts
3731 				 * the heartbeat timer.
3732 				 */
3733 				sctp_validate_peer(sctp);
3734 				break;
3735 			}
3736 			/* Anything else is considered out-of-the-blue */
3737 			case CHUNK_ERROR:
3738 			case CHUNK_ABORT:
3739 			case CHUNK_COOKIE_ACK:
3740 			case CHUNK_SHUTDOWN_COMPLETE:
3741 				BUMP_LOCAL(sctp->sctp_ibchunks);
3742 				goto done;
3743 			default:
3744 				BUMP_LOCAL(sctp->sctp_ibchunks);
3745 				sctp_send_abort(sctp, sctph->sh_verf, 0, NULL,
3746 				    0, mp, 0, B_TRUE);
3747 				goto done;
3748 			}
3749 			break;
3750 
3751 		case SCTPS_COOKIE_WAIT:
3752 			switch (ch->sch_id) {
3753 			case CHUNK_INIT_ACK:
3754 				sctp_stop_faddr_timers(sctp);
3755 				sctp_faddr_alive(sctp, sctp->sctp_current);
3756 				sctp_send_cookie_echo(sctp, ch, mp);
3757 				BUMP_LOCAL(sctp->sctp_ibchunks);
3758 				break;
3759 			case CHUNK_ABORT:
3760 				sctp_process_abort(sctp, ch, ECONNREFUSED);
3761 				goto done;
3762 			case CHUNK_INIT:
3763 				sctp_send_initack(sctp, ch, mp);
3764 				break;
3765 			case CHUNK_COOKIE:
3766 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3767 				    sctph, &recv_adaption, NULL) == -1) {
3768 					BUMP_MIB(&sctp_mib,
3769 					    sctpInInvalidCookie);
3770 					break;
3771 				}
3772 				sctp_send_cookie_ack(sctp);
3773 				sctp_stop_faddr_timers(sctp);
3774 				if (!SCTP_IS_DETACHED(sctp)) {
3775 				    sctp->sctp_ulp_connected(sctp->sctp_ulpd);
3776 				    sctp_set_ulp_prop(sctp);
3777 				}
3778 				sctp->sctp_state = SCTPS_ESTABLISHED;
3779 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3780 				BUMP_MIB(&sctp_mib, sctpActiveEstab);
3781 				if (sctp->sctp_cookie_mp) {
3782 					freemsg(sctp->sctp_cookie_mp);
3783 					sctp->sctp_cookie_mp = NULL;
3784 				}
3785 
3786 				/* Validate the peer addresses. */
3787 				sctp->sctp_active = now;
3788 				sctp_validate_peer(sctp);
3789 
3790 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
3791 				if (recv_adaption) {
3792 					sctp->sctp_recv_adaption = 1;
3793 					sctp_adaption_event(sctp);
3794 				}
3795 				/* Try sending queued data, or ASCONFs */
3796 				trysend = 1;
3797 				break;
3798 			default:
3799 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3800 					goto nomorechunks;
3801 				} /* else skip and continue processing */
3802 				break;
3803 			}
3804 			break;
3805 
3806 		case SCTPS_COOKIE_ECHOED:
3807 			switch (ch->sch_id) {
3808 			case CHUNK_COOKIE_ACK:
3809 				if (!SCTP_IS_DETACHED(sctp)) {
3810 				    sctp->sctp_ulp_connected(sctp->sctp_ulpd);
3811 				    sctp_set_ulp_prop(sctp);
3812 				}
3813 				if (sctp->sctp_unacked == 0)
3814 					sctp_stop_faddr_timers(sctp);
3815 				sctp->sctp_state = SCTPS_ESTABLISHED;
3816 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3817 				BUMP_MIB(&sctp_mib, sctpActiveEstab);
3818 				BUMP_LOCAL(sctp->sctp_ibchunks);
3819 				if (sctp->sctp_cookie_mp) {
3820 					freemsg(sctp->sctp_cookie_mp);
3821 					sctp->sctp_cookie_mp = NULL;
3822 				}
3823 				sctp_faddr_alive(sctp, fp);
3824 				/* Validate the peer addresses. */
3825 				sctp->sctp_active = now;
3826 				sctp_validate_peer(sctp);
3827 
3828 				/* Try sending queued data, or ASCONFs */
3829 				trysend = 1;
3830 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
3831 				sctp_adaption_event(sctp);
3832 				break;
3833 			case CHUNK_ABORT:
3834 				sctp_process_abort(sctp, ch, ECONNREFUSED);
3835 				goto done;
3836 			case CHUNK_COOKIE:
3837 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3838 				    sctph, &recv_adaption, NULL) == -1) {
3839 					BUMP_MIB(&sctp_mib,
3840 					    sctpInInvalidCookie);
3841 					break;
3842 				}
3843 				sctp_send_cookie_ack(sctp);
3844 
3845 				if (!SCTP_IS_DETACHED(sctp)) {
3846 				    sctp->sctp_ulp_connected(sctp->sctp_ulpd);
3847 				    sctp_set_ulp_prop(sctp);
3848 				}
3849 				if (sctp->sctp_unacked == 0)
3850 					sctp_stop_faddr_timers(sctp);
3851 				sctp->sctp_state = SCTPS_ESTABLISHED;
3852 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3853 				BUMP_MIB(&sctp_mib, sctpActiveEstab);
3854 				if (sctp->sctp_cookie_mp) {
3855 					freemsg(sctp->sctp_cookie_mp);
3856 					sctp->sctp_cookie_mp = NULL;
3857 				}
3858 				/* Validate the peer addresses. */
3859 				sctp->sctp_active = now;
3860 				sctp_validate_peer(sctp);
3861 
3862 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
3863 				if (recv_adaption) {
3864 					sctp->sctp_recv_adaption = 1;
3865 					sctp_adaption_event(sctp);
3866 				}
3867 				/* Try sending queued data, or ASCONFs */
3868 				trysend = 1;
3869 				break;
3870 			case CHUNK_INIT:
3871 				sctp_send_initack(sctp, ch, mp);
3872 				break;
3873 			case CHUNK_ERROR: {
3874 				sctp_parm_hdr_t *p;
3875 
3876 				BUMP_LOCAL(sctp->sctp_ibchunks);
3877 				/* check for a stale cookie */
3878 				if (ntohs(ch->sch_len) >=
3879 				    (sizeof (*p) + sizeof (*ch)) +
3880 				    sizeof (uint32_t)) {
3881 
3882 					p = (sctp_parm_hdr_t *)(ch + 1);
3883 					if (p->sph_type ==
3884 					    htons(SCTP_ERR_STALE_COOKIE)) {
3885 						BUMP_MIB(&sctp_mib,
3886 						    sctpAborted);
3887 						sctp_error_event(sctp, ch);
3888 						sctp_clean_death(sctp,
3889 						    ECONNREFUSED);
3890 						goto done;
3891 					}
3892 				}
3893 				break;
3894 			}
3895 			case CHUNK_HEARTBEAT:
3896 				sctp_return_heartbeat(sctp, ch, mp);
3897 				break;
3898 			default:
3899 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3900 					goto nomorechunks;
3901 				} /* else skip and continue processing */
3902 			} /* switch (ch->sch_id) */
3903 			break;
3904 
3905 		case SCTPS_SHUTDOWN_ACK_SENT:
3906 			switch (ch->sch_id) {
3907 			case CHUNK_ABORT:
3908 				/* Pass gathered wisdom to IP for keeping */
3909 				for (fp = sctp->sctp_faddrs; fp != NULL;
3910 				    fp = fp->next) {
3911 					sctp_faddr2ire(sctp, fp);
3912 				}
3913 				sctp_process_abort(sctp, ch, 0);
3914 				goto done;
3915 			case CHUNK_SHUTDOWN_COMPLETE:
3916 				BUMP_LOCAL(sctp->sctp_ibchunks);
3917 				BUMP_MIB(&sctp_mib, sctpShutdowns);
3918 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
3919 				    NULL);
3920 
3921 				/* Pass gathered wisdom to IP for keeping */
3922 				for (fp = sctp->sctp_faddrs; fp != NULL;
3923 				    fp = fp->next) {
3924 					sctp_faddr2ire(sctp, fp);
3925 				}
3926 				sctp_clean_death(sctp, 0);
3927 				goto done;
3928 			case CHUNK_SHUTDOWN_ACK:
3929 				sctp_shutdown_complete(sctp);
3930 				BUMP_LOCAL(sctp->sctp_ibchunks);
3931 				BUMP_MIB(&sctp_mib, sctpShutdowns);
3932 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
3933 				    NULL);
3934 				sctp_clean_death(sctp, 0);
3935 				goto done;
3936 			case CHUNK_COOKIE:
3937 				(void) sctp_shutdown_received(sctp, NULL,
3938 				    1, 0);
3939 				BUMP_LOCAL(sctp->sctp_ibchunks);
3940 				break;
3941 			case CHUNK_HEARTBEAT:
3942 				sctp_return_heartbeat(sctp, ch, mp);
3943 				break;
3944 			default:
3945 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3946 					goto nomorechunks;
3947 				} /* else skip and continue processing */
3948 				break;
3949 			}
3950 			break;
3951 
3952 		case SCTPS_SHUTDOWN_RECEIVED:
3953 			switch (ch->sch_id) {
3954 			case CHUNK_SHUTDOWN:
3955 				trysend = sctp_shutdown_received(sctp, ch,
3956 				    0, 0);
3957 				break;
3958 			case CHUNK_SACK:
3959 				trysend = sctp_got_sack(sctp, ch);
3960 				if (trysend < 0) {
3961 					sctp_send_abort(sctp, sctph->sh_verf,
3962 					    0, NULL, 0, mp, 0, B_FALSE);
3963 					sctp_assoc_event(sctp,
3964 					    SCTP_COMM_LOST, 0, NULL);
3965 					sctp_clean_death(sctp,
3966 					    ECONNABORTED);
3967 					goto done;
3968 				}
3969 				break;
3970 			case CHUNK_ABORT:
3971 				sctp_process_abort(sctp, ch, ECONNRESET);
3972 				goto done;
3973 			case CHUNK_HEARTBEAT:
3974 				sctp_return_heartbeat(sctp, ch, mp);
3975 				break;
3976 			default:
3977 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3978 					goto nomorechunks;
3979 				} /* else skip and continue processing */
3980 				break;
3981 			}
3982 			break;
3983 
3984 		default:
3985 			BUMP_LOCAL(sctp->sctp_ibchunks);
3986 			cmn_err(CE_WARN, "XXXdefault in dispatch state %d",
3987 			    sctp->sctp_state);
3988 			break;
3989 		} /* switch (sctp->sctp_state) */
3990 
3991 		ch = sctp_next_chunk(ch, &mlen);
3992 		if (ch != NULL && !sctp_check_input(sctp, ch, mlen, 0))
3993 			goto done;
3994 	} while (ch != NULL);
3995 
3996 	/* Finished processing all chunks in packet */
3997 
3998 nomorechunks:
3999 	/* SACK if necessary */
4000 	if (gotdata) {
4001 		(sctp->sctp_sack_toggle)++;
4002 		sctp_sack(sctp, dups);
4003 		dups = NULL;
4004 
4005 		if (!sctp->sctp_ack_timer_running) {
4006 			sctp->sctp_ack_timer_running = B_TRUE;
4007 			sctp_timer(sctp, sctp->sctp_ack_mp,
4008 			    MSEC_TO_TICK(sctp_deferred_ack_interval));
4009 		}
4010 	}
4011 
4012 	if (trysend) {
4013 		sctp_output(sctp);
4014 		if (sctp->sctp_cxmit_list != NULL)
4015 			sctp_wput_asconf(sctp, NULL);
4016 	}
4017 	/* If there is unsent data, make sure a timer is running */
4018 	if (sctp->sctp_unsent > 0 && !sctp->sctp_current->timer_running) {
4019 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
4020 		    sctp->sctp_current->rto);
4021 	}
4022 
4023 done:
4024 	if (dups != NULL)
4025 		freeb(dups);
4026 	if (ipsec_mp != NULL)
4027 		freeb(ipsec_mp);
4028 	freemsg(mp);
4029 
4030 	if (wake_eager) {
4031 		/*
4032 		 * sctp points to newly created control block, need to
4033 		 * release it before exiting.  Before releasing it and
4034 		 * processing the sendq, need to grab a hold on it.
4035 		 * Otherwise, another thread can close it while processing
4036 		 * the sendq.
4037 		 */
4038 		SCTP_REFHOLD(sctp);
4039 		WAKE_SCTP(sctp);
4040 		sctp_process_sendq(sctp);
4041 		SCTP_REFRELE(sctp);
4042 	}
4043 }
4044 
4045 /*
4046  * Some amount of data got removed from rx q.
4047  * Check if we should send a window update.
4048  *
4049  * Due to way sctp_rwnd updates are made, ULP can give reports out-of-order.
4050  * To keep from dropping incoming data due to this, we only update
4051  * sctp_rwnd when if it's larger than what we've reported to peer earlier.
4052  */
4053 void
4054 sctp_recvd(sctp_t *sctp, int len)
4055 {
4056 	int32_t old, new;
4057 
4058 	ASSERT(sctp != NULL);
4059 	RUN_SCTP(sctp);
4060 
4061 	if (len < sctp->sctp_rwnd) {
4062 		WAKE_SCTP(sctp);
4063 		return;
4064 	}
4065 	ASSERT(sctp->sctp_rwnd >= sctp->sctp_rxqueued);
4066 	old = sctp->sctp_rwnd - sctp->sctp_rxqueued;
4067 	new = len - sctp->sctp_rxqueued;
4068 	sctp->sctp_rwnd = len;
4069 
4070 	if (sctp->sctp_state >= SCTPS_ESTABLISHED &&
4071 	    ((old <= new >> 1) || (old < sctp->sctp_mss))) {
4072 		sctp->sctp_force_sack = 1;
4073 		BUMP_MIB(&sctp_mib, sctpOutWinUpdate);
4074 		sctp_sack(sctp, NULL);
4075 		old = 1;
4076 	} else {
4077 		old = 0;
4078 	}
4079 	WAKE_SCTP(sctp);
4080 	if (old > 0) {
4081 		sctp_process_sendq(sctp);
4082 	}
4083 }
4084