xref: /titanic_51/usr/src/uts/common/inet/sctp/sctp_bind.c (revision e71ca95ca6de23d33b54cb55cefdef30bc7c969b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/systm.h>
29 #include <sys/stream.h>
30 #include <sys/cmn_err.h>
31 #include <sys/kmem.h>
32 #define	_SUN_TPI_VERSION 2
33 #include <sys/tihdr.h>
34 #include <sys/stropts.h>
35 #include <sys/socket.h>
36 #include <sys/random.h>
37 #include <sys/policy.h>
38 #include <sys/tsol/tndb.h>
39 #include <sys/tsol/tnet.h>
40 
41 #include <netinet/in.h>
42 #include <netinet/ip6.h>
43 
44 #include <inet/common.h>
45 #include <inet/ip.h>
46 #include <inet/ip6.h>
47 #include <inet/ipclassifier.h>
48 #include "sctp_impl.h"
49 #include "sctp_asconf.h"
50 #include "sctp_addr.h"
51 
52 /*
53  * Returns 0 on success, EACCES on permission failure.
54  */
55 static int
56 sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
57 {
58 	sctp_stack_t	*sctps = sctp->sctp_sctps;
59 
60 	/*
61 	 * Get a valid port (within the anonymous range and should not
62 	 * be a privileged one) to use if the user has not given a port.
63 	 * If multiple threads are here, they may all start with
64 	 * with the same initial port. But, it should be fine as long as
65 	 * sctp_bindi will ensure that no two threads will be assigned
66 	 * the same port.
67 	 */
68 	if (*requested_port == 0) {
69 		*requested_port = sctp_update_next_port(
70 		    sctps->sctps_next_port_to_try,
71 		    crgetzone(sctp->sctp_credp), sctps);
72 		if (*requested_port == 0)
73 			return (EACCES);
74 		*user_specified = 0;
75 	} else {
76 		int i;
77 		boolean_t priv = B_FALSE;
78 
79 		/*
80 		 * If the requested_port is in the well-known privileged range,
81 		 * verify that the stream was opened by a privileged user.
82 		 * Note: No locks are held when inspecting sctp_g_*epriv_ports
83 		 * but instead the code relies on:
84 		 * - the fact that the address of the array and its size never
85 		 *   changes
86 		 * - the atomic assignment of the elements of the array
87 		 */
88 		if (*requested_port < sctps->sctps_smallest_nonpriv_port) {
89 			priv = B_TRUE;
90 		} else {
91 			for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
92 				if (*requested_port ==
93 				    sctps->sctps_g_epriv_ports[i]) {
94 					priv = B_TRUE;
95 					break;
96 				}
97 			}
98 		}
99 		if (priv) {
100 			/*
101 			 * sctp_bind() should take a cred_t argument so that
102 			 * we can use it here.
103 			 */
104 			if (secpolicy_net_privaddr(sctp->sctp_credp,
105 			    *requested_port, IPPROTO_SCTP) != 0) {
106 				dprint(1,
107 				    ("sctp_bind(x): no prive for port %d",
108 				    *requested_port));
109 				return (EACCES);
110 			}
111 		}
112 		*user_specified = 1;
113 	}
114 
115 	return (0);
116 }
117 
118 int
119 sctp_listen(sctp_t *sctp)
120 {
121 	sctp_tf_t	*tf;
122 	sctp_stack_t	*sctps = sctp->sctp_sctps;
123 
124 	RUN_SCTP(sctp);
125 	/*
126 	 * TCP handles listen() increasing the backlog, need to check
127 	 * if it should be handled here too
128 	 */
129 	if (sctp->sctp_state > SCTPS_BOUND ||
130 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
131 		WAKE_SCTP(sctp);
132 		return (EINVAL);
133 	}
134 
135 	/* Do an anonymous bind for unbound socket doing listen(). */
136 	if (sctp->sctp_nsaddrs == 0) {
137 		struct sockaddr_storage ss;
138 		int ret;
139 
140 		bzero(&ss, sizeof (ss));
141 		ss.ss_family = sctp->sctp_family;
142 
143 		WAKE_SCTP(sctp);
144 		if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
145 		    sizeof (ss))) != 0)
146 			return (ret);
147 		RUN_SCTP(sctp)
148 	}
149 
150 	sctp->sctp_state = SCTPS_LISTEN;
151 	(void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
152 	sctp->sctp_last_secret_update = lbolt64;
153 	bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
154 	tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
155 	    ntohs(sctp->sctp_lport))];
156 	sctp_listen_hash_insert(tf, sctp);
157 	WAKE_SCTP(sctp);
158 	return (0);
159 }
160 
161 /*
162  * Bind the sctp_t to a sockaddr, which includes an address and other
163  * information, such as port or flowinfo.
164  */
165 int
166 sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
167 {
168 	int		user_specified;
169 	boolean_t	bind_to_req_port_only;
170 	in_port_t	requested_port;
171 	in_port_t	allocated_port;
172 	int		err = 0;
173 
174 	ASSERT(sctp != NULL);
175 
176 	RUN_SCTP(sctp);
177 
178 	if ((sctp->sctp_state >= SCTPS_BOUND) ||
179 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING) ||
180 	    (sa == NULL || len == 0)) {
181 		/*
182 		 * Multiple binds not allowed for any SCTP socket
183 		 * Also binding with null address is not supported.
184 		 */
185 		err = EINVAL;
186 		goto done;
187 	}
188 
189 	switch (sa->sa_family) {
190 	case AF_INET:
191 		if (len < sizeof (struct sockaddr_in) ||
192 		    sctp->sctp_family == AF_INET6) {
193 			err = EINVAL;
194 			goto done;
195 		}
196 		requested_port = ntohs(((struct sockaddr_in *)sa)->sin_port);
197 		break;
198 	case AF_INET6:
199 		if (len < sizeof (struct sockaddr_in6) ||
200 		    sctp->sctp_family == AF_INET) {
201 			err = EINVAL;
202 			goto done;
203 		}
204 		requested_port = ntohs(((struct sockaddr_in6 *)sa)->sin6_port);
205 		/* Set the flowinfo. */
206 		sctp->sctp_ip6h->ip6_vcf =
207 		    (IPV6_DEFAULT_VERS_AND_FLOW & IPV6_VERS_AND_FLOW_MASK) |
208 		    (((struct sockaddr_in6 *)sa)->sin6_flowinfo &
209 		    ~IPV6_VERS_AND_FLOW_MASK);
210 		break;
211 	default:
212 		err = EAFNOSUPPORT;
213 		goto done;
214 	}
215 	bind_to_req_port_only = requested_port == 0 ? B_FALSE : B_TRUE;
216 
217 	err = sctp_select_port(sctp, &requested_port, &user_specified);
218 	if (err != 0)
219 		goto done;
220 
221 	if ((err = sctp_bind_add(sctp, sa, 1, B_TRUE,
222 	    user_specified == 1 ? htons(requested_port) : 0)) != 0) {
223 		goto done;
224 	}
225 	err = sctp_bindi(sctp, requested_port, bind_to_req_port_only,
226 	    user_specified, &allocated_port);
227 	if (err != 0) {
228 		sctp_free_saddrs(sctp);
229 	} else {
230 		ASSERT(sctp->sctp_state == SCTPS_BOUND);
231 	}
232 done:
233 	WAKE_SCTP(sctp);
234 	return (err);
235 }
236 
237 /*
238  * Perform bind/unbind operation of a list of addresses on a sctp_t
239  */
240 int
241 sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop)
242 {
243 	ASSERT(sctp != NULL);
244 	ASSERT(addrs != NULL);
245 	ASSERT(addrcnt > 0);
246 
247 	switch (bindop) {
248 	case SCTP_BINDX_ADD_ADDR:
249 		return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE,
250 		    sctp->sctp_lport));
251 	case SCTP_BINDX_REM_ADDR:
252 		return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE));
253 	default:
254 		return (EINVAL);
255 	}
256 }
257 
258 /*
259  * Add a list of addresses to a sctp_t.
260  */
261 int
262 sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
263     boolean_t caller_hold_lock, in_port_t port)
264 {
265 	int		err = 0;
266 	boolean_t	do_asconf = B_FALSE;
267 	sctp_stack_t	*sctps = sctp->sctp_sctps;
268 
269 	if (!caller_hold_lock)
270 		RUN_SCTP(sctp);
271 
272 	if (sctp->sctp_state > SCTPS_ESTABLISHED ||
273 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
274 		if (!caller_hold_lock)
275 			WAKE_SCTP(sctp);
276 		return (EINVAL);
277 	}
278 
279 	if (sctp->sctp_state > SCTPS_LISTEN) {
280 		/*
281 		 * Let's do some checking here rather than undoing the
282 		 * add later (for these reasons).
283 		 */
284 		if (!sctps->sctps_addip_enabled ||
285 		    !sctp->sctp_understands_asconf ||
286 		    !sctp->sctp_understands_addip) {
287 			if (!caller_hold_lock)
288 				WAKE_SCTP(sctp);
289 			return (EINVAL);
290 		}
291 		do_asconf = B_TRUE;
292 	}
293 	/*
294 	 * On a clustered node, for an inaddr_any bind, we will pass the list
295 	 * of all the addresses in the global list, minus any address on the
296 	 * loopback interface, and expect the clustering susbsystem to give us
297 	 * the correct list for the 'port'. For explicit binds we give the
298 	 * list of addresses  and the clustering module validates it for the
299 	 * 'port'.
300 	 *
301 	 * On a non-clustered node, cl_sctp_check_addrs will be NULL and
302 	 * we proceed as usual.
303 	 */
304 	if (cl_sctp_check_addrs != NULL) {
305 		uchar_t		*addrlist = NULL;
306 		size_t		size = 0;
307 		int		unspec = 0;
308 		boolean_t	do_listen;
309 		uchar_t		*llist = NULL;
310 		size_t		lsize = 0;
311 
312 		/*
313 		 * If we are adding addresses after listening, but before
314 		 * an association is established, we need to update the
315 		 * clustering module with this info.
316 		 */
317 		do_listen = !do_asconf && sctp->sctp_state > SCTPS_BOUND &&
318 		    cl_sctp_listen != NULL;
319 
320 		err = sctp_get_addrlist(sctp, addrs, &addrcnt, &addrlist,
321 		    &unspec, &size);
322 		if (err != 0) {
323 			ASSERT(addrlist == NULL);
324 			ASSERT(addrcnt == 0);
325 			ASSERT(size == 0);
326 			if (!caller_hold_lock)
327 				WAKE_SCTP(sctp);
328 			SCTP_KSTAT(sctps, sctp_cl_check_addrs);
329 			return (err);
330 		}
331 		ASSERT(addrlist != NULL);
332 		(*cl_sctp_check_addrs)(sctp->sctp_family, port, &addrlist,
333 		    size, &addrcnt, unspec == 1);
334 		if (addrcnt == 0) {
335 			/* We free the list */
336 			kmem_free(addrlist, size);
337 			if (!caller_hold_lock)
338 				WAKE_SCTP(sctp);
339 			return (EINVAL);
340 		}
341 		if (do_listen) {
342 			lsize = sizeof (in6_addr_t) * addrcnt;
343 			llist = kmem_alloc(lsize, KM_SLEEP);
344 		}
345 		err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist,
346 		    lsize);
347 		if (err == 0 && do_listen) {
348 			(*cl_sctp_listen)(sctp->sctp_family, llist,
349 			    addrcnt, sctp->sctp_lport);
350 			/* list will be freed by the clustering module */
351 		} else if (err != 0 && llist != NULL) {
352 			kmem_free(llist, lsize);
353 		}
354 		/* free the list we allocated */
355 		kmem_free(addrlist, size);
356 	} else {
357 		err = sctp_valid_addr_list(sctp, addrs, addrcnt, NULL, 0);
358 	}
359 	if (err != 0) {
360 		if (!caller_hold_lock)
361 			WAKE_SCTP(sctp);
362 		return (err);
363 	}
364 	/* Need to send  ASCONF messages */
365 	if (do_asconf) {
366 		err = sctp_add_ip(sctp, addrs, addrcnt);
367 		if (err != 0) {
368 			sctp_del_saddr_list(sctp, addrs, addrcnt, B_FALSE);
369 			if (!caller_hold_lock)
370 				WAKE_SCTP(sctp);
371 			return (err);
372 		}
373 	}
374 	if (!caller_hold_lock)
375 		WAKE_SCTP(sctp);
376 	if (do_asconf)
377 		sctp_process_sendq(sctp);
378 	return (0);
379 }
380 
381 /*
382  * Remove one or more addresses bound to the sctp_t.
383  */
384 int
385 sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
386     boolean_t caller_hold_lock)
387 {
388 	int		error = 0;
389 	boolean_t	do_asconf = B_FALSE;
390 	uchar_t		*ulist = NULL;
391 	size_t		usize = 0;
392 	sctp_stack_t	*sctps = sctp->sctp_sctps;
393 
394 	if (!caller_hold_lock)
395 		RUN_SCTP(sctp);
396 
397 	if (sctp->sctp_state > SCTPS_ESTABLISHED ||
398 	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
399 		if (!caller_hold_lock)
400 			WAKE_SCTP(sctp);
401 		return (EINVAL);
402 	}
403 	/*
404 	 * Fail the remove if we are beyond listen, but can't send this
405 	 * to the peer.
406 	 */
407 	if (sctp->sctp_state > SCTPS_LISTEN) {
408 		if (!sctps->sctps_addip_enabled ||
409 		    !sctp->sctp_understands_asconf ||
410 		    !sctp->sctp_understands_addip) {
411 			if (!caller_hold_lock)
412 				WAKE_SCTP(sctp);
413 			return (EINVAL);
414 		}
415 		do_asconf = B_TRUE;
416 	}
417 
418 	/* Can't delete the last address nor all of the addresses */
419 	if (sctp->sctp_nsaddrs == 1 || addrcnt >= sctp->sctp_nsaddrs) {
420 		if (!caller_hold_lock)
421 			WAKE_SCTP(sctp);
422 		return (EINVAL);
423 	}
424 
425 	if (cl_sctp_unlisten != NULL && !do_asconf &&
426 	    sctp->sctp_state > SCTPS_BOUND) {
427 		usize = sizeof (in6_addr_t) * addrcnt;
428 		ulist = kmem_alloc(usize, KM_SLEEP);
429 	}
430 
431 	error = sctp_del_ip(sctp, addrs, addrcnt, ulist, usize);
432 	if (error != 0) {
433 		if (ulist != NULL)
434 			kmem_free(ulist, usize);
435 		if (!caller_hold_lock)
436 			WAKE_SCTP(sctp);
437 		return (error);
438 	}
439 	/* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */
440 	if (ulist != NULL) {
441 		ASSERT(cl_sctp_unlisten != NULL);
442 		(*cl_sctp_unlisten)(sctp->sctp_family, ulist, addrcnt,
443 		    sctp->sctp_lport);
444 		/* ulist will be freed by the clustering module */
445 	}
446 	if (!caller_hold_lock)
447 		WAKE_SCTP(sctp);
448 	if (do_asconf)
449 		sctp_process_sendq(sctp);
450 	return (error);
451 }
452 
453 /*
454  * Returns 0 for success, errno value otherwise.
455  *
456  * If the "bind_to_req_port_only" parameter is set and the requested port
457  * number is available, then set allocated_port to it.  If not available,
458  * return an error.
459  *
460  * If the "bind_to_req_port_only" parameter is not set and the requested port
461  * number is available, then set allocated_port to it.  If not available,
462  * find the first anonymous port we can and set allocated_port to that.  If no
463  * anonymous ports are available, return an error.
464  *
465  * In either case, when succeeding, update the sctp_t to record the port number
466  * and insert it in the bind hash table.
467  */
468 int
469 sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
470     int user_specified, in_port_t *allocated_port)
471 {
472 	/* number of times we have run around the loop */
473 	int count = 0;
474 	/* maximum number of times to run around the loop */
475 	int loopmax;
476 	zoneid_t zoneid = sctp->sctp_zoneid;
477 	zone_t *zone = crgetzone(sctp->sctp_credp);
478 	sctp_stack_t	*sctps = sctp->sctp_sctps;
479 
480 	/*
481 	 * Lookup for free addresses is done in a loop and "loopmax"
482 	 * influences how long we spin in the loop
483 	 */
484 	if (bind_to_req_port_only) {
485 		/*
486 		 * If the requested port is busy, don't bother to look
487 		 * for a new one. Setting loop maximum count to 1 has
488 		 * that effect.
489 		 */
490 		loopmax = 1;
491 	} else {
492 		/*
493 		 * If the requested port is busy, look for a free one
494 		 * in the anonymous port range.
495 		 * Set loopmax appropriately so that one does not look
496 		 * forever in the case all of the anonymous ports are in use.
497 		 */
498 		loopmax = (sctps->sctps_largest_anon_port -
499 		    sctps->sctps_smallest_anon_port + 1);
500 	}
501 	do {
502 		uint16_t	lport;
503 		sctp_tf_t	*tbf;
504 		sctp_t		*lsctp;
505 		int		addrcmp;
506 
507 		lport = htons(port);
508 
509 		/*
510 		 * Ensure that the sctp_t is not currently in the bind hash.
511 		 * Hold the lock on the hash bucket to ensure that
512 		 * the duplicate check plus the insertion is an atomic
513 		 * operation.
514 		 *
515 		 * This function does an inline lookup on the bind hash list
516 		 * Make sure that we access only members of sctp_t
517 		 * and that we don't look at sctp_sctp, since we are not
518 		 * doing a SCTPB_REFHOLD. For more details please see the notes
519 		 * in sctp_compress()
520 		 */
521 		sctp_bind_hash_remove(sctp);
522 		tbf = &sctps->sctps_bind_fanout[SCTP_BIND_HASH(port)];
523 		mutex_enter(&tbf->tf_lock);
524 		for (lsctp = tbf->tf_sctp; lsctp != NULL;
525 		    lsctp = lsctp->sctp_bind_hash) {
526 
527 			if (lport != lsctp->sctp_lport ||
528 			    lsctp->sctp_state < SCTPS_BOUND)
529 				continue;
530 
531 			/*
532 			 * On a labeled system, we must treat bindings to ports
533 			 * on shared IP addresses by sockets with MAC exemption
534 			 * privilege as being in all zones, as there's
535 			 * otherwise no way to identify the right receiver.
536 			 */
537 			if (lsctp->sctp_zoneid != zoneid &&
538 			    !lsctp->sctp_mac_exempt && !sctp->sctp_mac_exempt)
539 				continue;
540 
541 			addrcmp = sctp_compare_saddrs(sctp, lsctp);
542 			if (addrcmp != SCTP_ADDR_DISJOINT) {
543 				if (!sctp->sctp_reuseaddr) {
544 					/* in use */
545 					break;
546 				} else if (lsctp->sctp_state == SCTPS_BOUND ||
547 				    lsctp->sctp_state == SCTPS_LISTEN) {
548 					/*
549 					 * socket option SO_REUSEADDR is set
550 					 * on the binding sctp_t.
551 					 *
552 					 * We have found a match of IP source
553 					 * address and source port, which is
554 					 * refused regardless of the
555 					 * SO_REUSEADDR setting, so we break.
556 					 */
557 					break;
558 				}
559 			}
560 		}
561 		if (lsctp != NULL) {
562 			/* The port number is busy */
563 			mutex_exit(&tbf->tf_lock);
564 		} else {
565 			conn_t *connp = sctp->sctp_connp;
566 
567 			if (is_system_labeled()) {
568 				mlp_type_t addrtype, mlptype;
569 
570 				/*
571 				 * On a labeled system we must check the type
572 				 * of the binding requested by the user (either
573 				 * MLP or SLP on shared and private addresses),
574 				 * and that the user's requested binding
575 				 * is permitted.
576 				 */
577 				addrtype = tsol_mlp_addr_type(
578 				    connp->conn_allzones ? ALL_ZONES :
579 				    zone->zone_id,
580 				    sctp->sctp_ipversion,
581 				    sctp->sctp_ipversion == IPV4_VERSION ?
582 				    (void *)&sctp->sctp_ipha->ipha_src :
583 				    (void *)&sctp->sctp_ip6h->ip6_src,
584 				    sctps->sctps_netstack->netstack_ip);
585 
586 				/*
587 				 * tsol_mlp_addr_type returns the possibilities
588 				 * for the selected address.  Since all local
589 				 * addresses are either private or shared, the
590 				 * return value mlptSingle means "local address
591 				 * not valid (interface not present)."
592 				 */
593 				if (addrtype == mlptSingle) {
594 					mutex_exit(&tbf->tf_lock);
595 					return (EADDRNOTAVAIL);
596 				}
597 				mlptype = tsol_mlp_port_type(zone, IPPROTO_SCTP,
598 				    port, addrtype);
599 				if (mlptype != mlptSingle) {
600 					if (secpolicy_net_bindmlp(connp->
601 					    conn_cred) != 0) {
602 						mutex_exit(&tbf->tf_lock);
603 						return (EACCES);
604 					}
605 					/*
606 					 * If we're binding a shared MLP, then
607 					 * make sure that this zone is the one
608 					 * that owns that MLP.  Shared MLPs can
609 					 * be owned by at most one zone.
610 					 *
611 					 * No need to handle exclusive-stack
612 					 * zones since ALL_ZONES only applies
613 					 * to the shared stack.
614 					 */
615 
616 					if (mlptype == mlptShared &&
617 					    addrtype == mlptShared &&
618 					    connp->conn_zoneid !=
619 					    tsol_mlp_findzone(IPPROTO_SCTP,
620 					    lport)) {
621 						mutex_exit(&tbf->tf_lock);
622 						return (EACCES);
623 					}
624 					connp->conn_mlp_type = mlptype;
625 				}
626 			}
627 			/*
628 			 * This port is ours. Insert in fanout and mark as
629 			 * bound to prevent others from getting the port
630 			 * number.
631 			 */
632 			sctp->sctp_state = SCTPS_BOUND;
633 			sctp->sctp_lport = lport;
634 			sctp->sctp_sctph->sh_sport = lport;
635 
636 			ASSERT(&sctps->sctps_bind_fanout[
637 			    SCTP_BIND_HASH(port)] == tbf);
638 			sctp_bind_hash_insert(tbf, sctp, 1);
639 
640 			mutex_exit(&tbf->tf_lock);
641 
642 			/*
643 			 * We don't want sctp_next_port_to_try to "inherit"
644 			 * a port number supplied by the user in a bind.
645 			 *
646 			 * This is the only place where sctp_next_port_to_try
647 			 * is updated. After the update, it may or may not
648 			 * be in the valid range.
649 			 */
650 			if (user_specified == 0)
651 				sctps->sctps_next_port_to_try = port + 1;
652 
653 			*allocated_port = port;
654 
655 			return (0);
656 		}
657 
658 		if ((count == 0) && (user_specified)) {
659 			/*
660 			 * We may have to return an anonymous port. So
661 			 * get one to start with.
662 			 */
663 			port = sctp_update_next_port(
664 			    sctps->sctps_next_port_to_try,
665 			    zone, sctps);
666 			user_specified = 0;
667 		} else {
668 			port = sctp_update_next_port(port + 1, zone, sctps);
669 		}
670 		if (port == 0)
671 			break;
672 
673 		/*
674 		 * Don't let this loop run forever in the case where
675 		 * all of the anonymous ports are in use.
676 		 */
677 	} while (++count < loopmax);
678 
679 	return (bind_to_req_port_only ? EADDRINUSE : EADDRNOTAVAIL);
680 }
681 
682 /*
683  * Don't let port fall into the privileged range.
684  * Since the extra privileged ports can be arbitrary we also
685  * ensure that we exclude those from consideration.
686  * sctp_g_epriv_ports is not sorted thus we loop over it until
687  * there are no changes.
688  *
689  * Note: No locks are held when inspecting sctp_g_*epriv_ports
690  * but instead the code relies on:
691  * - the fact that the address of the array and its size never changes
692  * - the atomic assignment of the elements of the array
693  */
694 in_port_t
695 sctp_update_next_port(in_port_t port, zone_t *zone, sctp_stack_t *sctps)
696 {
697 	int i;
698 	boolean_t restart = B_FALSE;
699 
700 retry:
701 	if (port < sctps->sctps_smallest_anon_port)
702 		port = sctps->sctps_smallest_anon_port;
703 
704 	if (port > sctps->sctps_largest_anon_port) {
705 		if (restart)
706 			return (0);
707 		restart = B_TRUE;
708 		port = sctps->sctps_smallest_anon_port;
709 	}
710 
711 	if (port < sctps->sctps_smallest_nonpriv_port)
712 		port = sctps->sctps_smallest_nonpriv_port;
713 
714 	for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
715 		if (port == sctps->sctps_g_epriv_ports[i]) {
716 			port++;
717 			/*
718 			 * Make sure whether the port is in the
719 			 * valid range.
720 			 *
721 			 * XXX Note that if sctp_g_epriv_ports contains
722 			 * all the anonymous ports this will be an
723 			 * infinite loop.
724 			 */
725 			goto retry;
726 		}
727 	}
728 
729 	if (is_system_labeled() &&
730 	    (i = tsol_next_port(zone, port, IPPROTO_SCTP, B_TRUE)) != 0) {
731 		port = i;
732 		goto retry;
733 	}
734 
735 	return (port);
736 }
737