xref: /titanic_51/usr/src/uts/common/inet/sctp/sctp_input.c (revision 0c240c64cf90f44c2fdf3439010f6e8b33d85e7d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <sys/types.h>
28 #include <sys/systm.h>
29 #include <sys/stream.h>
30 #include <sys/cmn_err.h>
31 #include <sys/kmem.h>
32 #define	_SUN_TPI_VERSION 2
33 #include <sys/tihdr.h>
34 #include <sys/socket.h>
35 #include <sys/strsun.h>
36 #include <sys/strsubr.h>
37 
38 #include <netinet/in.h>
39 #include <netinet/ip6.h>
40 #include <netinet/tcp_seq.h>
41 #include <netinet/sctp.h>
42 
43 #include <inet/common.h>
44 #include <inet/ip.h>
45 #include <inet/ip_if.h>
46 #include <inet/ip6.h>
47 #include <inet/mib2.h>
48 #include <inet/ipclassifier.h>
49 #include <inet/ipp_common.h>
50 #include <inet/ipsec_impl.h>
51 #include <inet/sctp_ip.h>
52 
53 #include "sctp_impl.h"
54 #include "sctp_asconf.h"
55 #include "sctp_addr.h"
56 
57 static struct kmem_cache *sctp_kmem_set_cache;
58 
59 /*
60  * PR-SCTP comments.
61  *
62  * When we get a valid Forward TSN chunk, we check the fragment list for this
63  * SSN and preceeding SSNs free all them. Further, if this Forward TSN causes
64  * the next expected SSN to be present in the stream queue, we deliver any
65  * such stranded messages upstream. We also update the SACK info. appropriately.
66  * When checking for advancing the cumulative ack (in sctp_cumack()) we must
67  * check for abandoned chunks and messages. While traversing the tramsmit
68  * list if we come across an abandoned chunk, we can skip the message (i.e.
69  * take it out of the (re)transmit list) since this message, and hence this
70  * chunk, has been marked abandoned by sctp_rexmit(). If we come across an
71  * unsent chunk for a message this now abandoned we need to check if a
72  * Forward TSN needs to be sent, this could be a case where we deferred sending
73  * a Forward TSN in sctp_get_msg_to_send(). Further, after processing a
74  * SACK we check if the Advanced peer ack point can be moved ahead, i.e.
75  * if we can send a Forward TSN via sctp_check_abandoned_data().
76  */
77 void
78 sctp_free_set(sctp_set_t *s)
79 {
80 	sctp_set_t *p;
81 
82 	while (s) {
83 		p = s->next;
84 		kmem_cache_free(sctp_kmem_set_cache, s);
85 		s = p;
86 	}
87 }
88 
89 static void
90 sctp_ack_add(sctp_set_t **head, uint32_t tsn, int *num)
91 {
92 	sctp_set_t *p, *t;
93 
94 	if (head == NULL || num == NULL)
95 		return;
96 
97 	ASSERT(*num >= 0);
98 	ASSERT((*num == 0 && *head == NULL) || (*num > 0 && *head != NULL));
99 
100 	if (*head == NULL) {
101 		*head = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
102 		if (*head == NULL)
103 			return;
104 		(*head)->prev = (*head)->next = NULL;
105 		(*head)->begin = tsn;
106 		(*head)->end = tsn;
107 		*num = 1;
108 		return;
109 	}
110 
111 	ASSERT((*head)->prev == NULL);
112 
113 	/*
114 	 * Handle this special case here so we don't have to check
115 	 * for it each time in the loop.
116 	 */
117 	if (SEQ_LT(tsn + 1, (*head)->begin)) {
118 		/* add a new set, and move the head pointer */
119 		t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
120 		if (t == NULL)
121 			return;
122 		t->next = *head;
123 		t->prev = NULL;
124 		(*head)->prev = t;
125 		t->begin = tsn;
126 		t->end = tsn;
127 		(*num)++;
128 		*head = t;
129 		return;
130 	}
131 
132 	/*
133 	 * We need to handle the following cases, where p points to
134 	 * the current set (as we walk through the loop):
135 	 *
136 	 * 1. tsn is entirely less than p; create a new set before p.
137 	 * 2. tsn borders p from less; coalesce p with tsn.
138 	 * 3. tsn is withing p; do nothing.
139 	 * 4. tsn borders p from greater; coalesce p with tsn.
140 	 * 4a. p may now border p->next from less; if so, coalesce those
141 	 *    two sets.
142 	 * 5. tsn is entirely greater then all sets; add a new set at
143 	 *    the end.
144 	 */
145 	for (p = *head; ; p = p->next) {
146 		if (SEQ_LT(tsn + 1, p->begin)) {
147 			/* 1: add a new set before p. */
148 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
149 			if (t == NULL)
150 				return;
151 			t->next = p;
152 			t->prev = NULL;
153 			t->begin = tsn;
154 			t->end = tsn;
155 			if (p->prev) {
156 				t->prev = p->prev;
157 				p->prev->next = t;
158 			}
159 			p->prev = t;
160 			(*num)++;
161 			return;
162 		}
163 
164 		if ((tsn + 1) == p->begin) {
165 			/* 2: adjust p->begin */
166 			p->begin = tsn;
167 			return;
168 		}
169 
170 		if (SEQ_GEQ(tsn, p->begin) && SEQ_LEQ(tsn, p->end)) {
171 			/* 3; do nothing */
172 			return;
173 		}
174 
175 		if ((p->end + 1) == tsn) {
176 			/* 4; adjust p->end */
177 			p->end = tsn;
178 
179 			if (p->next != NULL && (tsn + 1) == p->next->begin) {
180 				/* 4a: coalesce p and p->next */
181 				t = p->next;
182 				p->end = t->end;
183 				p->next = t->next;
184 				if (t->next != NULL)
185 					t->next->prev = p;
186 				kmem_cache_free(sctp_kmem_set_cache, t);
187 				(*num)--;
188 			}
189 			return;
190 		}
191 
192 		if (p->next == NULL) {
193 			/* 5: add new set at the end */
194 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
195 			if (t == NULL)
196 				return;
197 			t->next = NULL;
198 			t->prev = p;
199 			t->begin = tsn;
200 			t->end = tsn;
201 			p->next = t;
202 			(*num)++;
203 			return;
204 		}
205 
206 		if (SEQ_GT(tsn, p->end + 1))
207 			continue;
208 	}
209 }
210 
211 static void
212 sctp_ack_rem(sctp_set_t **head, uint32_t end, int *num)
213 {
214 	sctp_set_t *p, *t;
215 
216 	if (head == NULL || *head == NULL || num == NULL)
217 		return;
218 
219 	/* Nothing to remove */
220 	if (SEQ_LT(end, (*head)->begin))
221 		return;
222 
223 	/* Find out where to start removing sets */
224 	for (p = *head; p->next; p = p->next) {
225 		if (SEQ_LEQ(end, p->end))
226 			break;
227 	}
228 
229 	if (SEQ_LT(end, p->end) && SEQ_GEQ(end, p->begin)) {
230 		/* adjust p */
231 		p->begin = end + 1;
232 		/* all done */
233 		if (p == *head)
234 			return;
235 	} else if (SEQ_GEQ(end, p->end)) {
236 		/* remove this set too */
237 		p = p->next;
238 	}
239 
240 	/* unlink everything before this set */
241 	t = *head;
242 	*head = p;
243 	if (p != NULL && p->prev != NULL) {
244 		p->prev->next = NULL;
245 		p->prev = NULL;
246 	}
247 
248 	sctp_free_set(t);
249 
250 	/* recount the number of sets */
251 	*num = 0;
252 
253 	for (p = *head; p != NULL; p = p->next)
254 		(*num)++;
255 }
256 
257 void
258 sctp_sets_init()
259 {
260 	sctp_kmem_set_cache = kmem_cache_create("sctp_set_cache",
261 	    sizeof (sctp_set_t), 0, NULL, NULL, NULL, NULL,
262 	    NULL, 0);
263 }
264 
265 void
266 sctp_sets_fini()
267 {
268 	kmem_cache_destroy(sctp_kmem_set_cache);
269 }
270 
271 sctp_chunk_hdr_t *
272 sctp_first_chunk(uchar_t *rptr, ssize_t remaining)
273 {
274 	sctp_chunk_hdr_t *ch;
275 	uint16_t ch_len;
276 
277 	if (remaining < sizeof (*ch)) {
278 		return (NULL);
279 	}
280 
281 	ch = (sctp_chunk_hdr_t *)rptr;
282 	ch_len = ntohs(ch->sch_len);
283 
284 	if (ch_len < sizeof (*ch) || remaining < ch_len) {
285 		return (NULL);
286 	}
287 
288 	return (ch);
289 }
290 
291 sctp_chunk_hdr_t *
292 sctp_next_chunk(sctp_chunk_hdr_t *ch, ssize_t *remaining)
293 {
294 	int pad;
295 	uint16_t ch_len;
296 
297 	if (!ch) {
298 		return (NULL);
299 	}
300 
301 	ch_len = ntohs(ch->sch_len);
302 
303 	if ((pad = ch_len & (SCTP_ALIGN - 1)) != 0) {
304 		pad = SCTP_ALIGN - pad;
305 	}
306 
307 	*remaining -= (ch_len + pad);
308 	ch = (sctp_chunk_hdr_t *)((char *)ch + ch_len + pad);
309 
310 	return (sctp_first_chunk((uchar_t *)ch, *remaining));
311 }
312 
313 /*
314  * Attach ancillary data to a received SCTP segments.
315  * If the source address (fp) is not the primary, send up a
316  * unitdata_ind so recvfrom() can populate the msg_name field.
317  * If ancillary data is also requested, we append it to the
318  * unitdata_req. Otherwise, we just send up an optdata_ind.
319  */
320 static int
321 sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
322     sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
323 {
324 	struct T_unitdata_ind	*tudi;
325 	int			optlen;
326 	int			hdrlen;
327 	uchar_t			*optptr;
328 	struct cmsghdr		*cmsg;
329 	mblk_t			*mp1;
330 	struct sockaddr_in6	sin_buf[1];
331 	struct sockaddr_in6	*sin6;
332 	struct sockaddr_in	*sin4;
333 	crb_t			 addflag;	/* Which pieces to add */
334 	conn_t			*connp = sctp->sctp_connp;
335 
336 	sin4 = NULL;
337 	sin6 = NULL;
338 
339 	optlen = hdrlen = 0;
340 	addflag.crb_all = 0;
341 
342 	/* Figure out address size */
343 	if (connp->conn_family == AF_INET) {
344 		sin4 = (struct sockaddr_in *)sin_buf;
345 		sin4->sin_family = AF_INET;
346 		sin4->sin_port = connp->conn_fport;
347 		IN6_V4MAPPED_TO_IPADDR(&fp->faddr, sin4->sin_addr.s_addr);
348 		hdrlen = sizeof (*tudi) + sizeof (*sin4);
349 	} else {
350 		sin6 = sin_buf;
351 		sin6->sin6_family = AF_INET6;
352 		sin6->sin6_port = connp->conn_fport;
353 		sin6->sin6_addr = fp->faddr;
354 		hdrlen = sizeof (*tudi) + sizeof (*sin6);
355 	}
356 	/* If app asked to receive send / recv info */
357 	if (sctp->sctp_recvsndrcvinfo)
358 		optlen += sizeof (*cmsg) + sizeof (struct sctp_sndrcvinfo);
359 
360 	if (connp->conn_recv_ancillary.crb_all == 0)
361 		goto noancillary;
362 
363 	if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
364 	    ira->ira_ruifindex != sctp->sctp_recvifindex) {
365 		optlen += sizeof (*cmsg) + sizeof (struct in6_pktinfo);
366 		if (hdrlen == 0)
367 			hdrlen = sizeof (struct T_unitdata_ind);
368 		addflag.crb_ip_recvpktinfo = 1;
369 	}
370 	/* If app asked for hoplimit and it has changed ... */
371 	if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
372 	    ipp->ipp_hoplimit != sctp->sctp_recvhops) {
373 		optlen += sizeof (*cmsg) + sizeof (uint_t);
374 		if (hdrlen == 0)
375 			hdrlen = sizeof (struct T_unitdata_ind);
376 		addflag.crb_ipv6_recvhoplimit = 1;
377 	}
378 	/* If app asked for tclass and it has changed ... */
379 	if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
380 	    ipp->ipp_tclass != sctp->sctp_recvtclass) {
381 		optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
382 		if (hdrlen == 0)
383 			hdrlen = sizeof (struct T_unitdata_ind);
384 		addflag.crb_ipv6_recvtclass = 1;
385 	}
386 	/* If app asked for hopbyhop headers and it has changed ... */
387 	if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
388 	    ip_cmpbuf(sctp->sctp_hopopts, sctp->sctp_hopoptslen,
389 	    (ipp->ipp_fields & IPPF_HOPOPTS),
390 	    ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
391 		optlen += sizeof (*cmsg) + ipp->ipp_hopoptslen -
392 		    sctp->sctp_v6label_len;
393 		if (hdrlen == 0)
394 			hdrlen = sizeof (struct T_unitdata_ind);
395 		addflag.crb_ipv6_recvhopopts = 1;
396 		if (!ip_allocbuf((void **)&sctp->sctp_hopopts,
397 		    &sctp->sctp_hopoptslen,
398 		    (ipp->ipp_fields & IPPF_HOPOPTS),
399 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
400 			return (-1);
401 	}
402 	/* If app asked for dst headers before routing headers ... */
403 	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
404 	    ip_cmpbuf(sctp->sctp_rthdrdstopts, sctp->sctp_rthdrdstoptslen,
405 	    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
406 	    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
407 		optlen += sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
408 		if (hdrlen == 0)
409 			hdrlen = sizeof (struct T_unitdata_ind);
410 		addflag.crb_ipv6_recvrthdrdstopts = 1;
411 		if (!ip_allocbuf((void **)&sctp->sctp_rthdrdstopts,
412 		    &sctp->sctp_rthdrdstoptslen,
413 		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
414 		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
415 			return (-1);
416 	}
417 	/* If app asked for routing headers and it has changed ... */
418 	if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
419 	    ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
420 	    (ipp->ipp_fields & IPPF_RTHDR),
421 	    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
422 		optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
423 		if (hdrlen == 0)
424 			hdrlen = sizeof (struct T_unitdata_ind);
425 		addflag.crb_ipv6_recvrthdr = 1;
426 		if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
427 		    &sctp->sctp_rthdrlen,
428 		    (ipp->ipp_fields & IPPF_RTHDR),
429 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
430 			return (-1);
431 	}
432 	/* If app asked for dest headers and it has changed ... */
433 	if (connp->conn_recv_ancillary.crb_ipv6_recvdstopts &&
434 	    ip_cmpbuf(sctp->sctp_dstopts, sctp->sctp_dstoptslen,
435 	    (ipp->ipp_fields & IPPF_DSTOPTS),
436 	    ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
437 		optlen += sizeof (*cmsg) + ipp->ipp_dstoptslen;
438 		if (hdrlen == 0)
439 			hdrlen = sizeof (struct T_unitdata_ind);
440 		addflag.crb_ipv6_recvdstopts = 1;
441 		if (!ip_allocbuf((void **)&sctp->sctp_dstopts,
442 		    &sctp->sctp_dstoptslen,
443 		    (ipp->ipp_fields & IPPF_DSTOPTS),
444 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
445 			return (-1);
446 	}
447 noancillary:
448 	/* Nothing to add */
449 	if (hdrlen == 0)
450 		return (-1);
451 
452 	mp1 = allocb(hdrlen + optlen + sizeof (void *), BPRI_MED);
453 	if (mp1 == NULL)
454 		return (-1);
455 	mp1->b_cont = *mp;
456 	*mp = mp1;
457 	mp1->b_rptr += sizeof (void *);  /* pointer worth of padding */
458 	mp1->b_wptr = mp1->b_rptr + hdrlen + optlen;
459 	DB_TYPE(mp1) = M_PROTO;
460 	tudi = (struct T_unitdata_ind *)mp1->b_rptr;
461 	tudi->PRIM_type = T_UNITDATA_IND;
462 	tudi->SRC_length = sin4 ? sizeof (*sin4) : sizeof (*sin6);
463 	tudi->SRC_offset = sizeof (*tudi);
464 	tudi->OPT_offset = sizeof (*tudi) + tudi->SRC_length;
465 	tudi->OPT_length = optlen;
466 	if (sin4) {
467 		bcopy(sin4, tudi + 1, sizeof (*sin4));
468 	} else {
469 		bcopy(sin6, tudi + 1, sizeof (*sin6));
470 	}
471 	optptr = (uchar_t *)tudi + tudi->OPT_offset;
472 
473 	if (sctp->sctp_recvsndrcvinfo) {
474 		/* XXX need backout method if memory allocation fails. */
475 		struct sctp_sndrcvinfo *sri;
476 
477 		cmsg = (struct cmsghdr *)optptr;
478 		cmsg->cmsg_level = IPPROTO_SCTP;
479 		cmsg->cmsg_type = SCTP_SNDRCV;
480 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*sri);
481 		optptr += sizeof (*cmsg);
482 
483 		sri = (struct sctp_sndrcvinfo *)(cmsg + 1);
484 		ASSERT(OK_32PTR(sri));
485 		sri->sinfo_stream = ntohs(dcp->sdh_sid);
486 		sri->sinfo_ssn = ntohs(dcp->sdh_ssn);
487 		if (SCTP_DATA_GET_UBIT(dcp)) {
488 			sri->sinfo_flags = MSG_UNORDERED;
489 		} else {
490 			sri->sinfo_flags = 0;
491 		}
492 		sri->sinfo_ppid = dcp->sdh_payload_id;
493 		sri->sinfo_context = 0;
494 		sri->sinfo_timetolive = 0;
495 		sri->sinfo_tsn = ntohl(dcp->sdh_tsn);
496 		sri->sinfo_cumtsn = sctp->sctp_ftsn;
497 		sri->sinfo_assoc_id = 0;
498 
499 		optptr += sizeof (*sri);
500 	}
501 
502 	/*
503 	 * If app asked for pktinfo and the index has changed ...
504 	 * Note that the local address never changes for the connection.
505 	 */
506 	if (addflag.crb_ip_recvpktinfo) {
507 		struct in6_pktinfo *pkti;
508 		uint_t ifindex;
509 
510 		ifindex = ira->ira_ruifindex;
511 		cmsg = (struct cmsghdr *)optptr;
512 		cmsg->cmsg_level = IPPROTO_IPV6;
513 		cmsg->cmsg_type = IPV6_PKTINFO;
514 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*pkti);
515 		optptr += sizeof (*cmsg);
516 
517 		pkti = (struct in6_pktinfo *)optptr;
518 		if (connp->conn_family == AF_INET6)
519 			pkti->ipi6_addr = sctp->sctp_ip6h->ip6_src;
520 		else
521 			IN6_IPADDR_TO_V4MAPPED(sctp->sctp_ipha->ipha_src,
522 			    &pkti->ipi6_addr);
523 
524 		pkti->ipi6_ifindex = ifindex;
525 		optptr += sizeof (*pkti);
526 		ASSERT(OK_32PTR(optptr));
527 		/* Save as "last" value */
528 		sctp->sctp_recvifindex = ifindex;
529 	}
530 	/* If app asked for hoplimit and it has changed ... */
531 	if (addflag.crb_ipv6_recvhoplimit) {
532 		cmsg = (struct cmsghdr *)optptr;
533 		cmsg->cmsg_level = IPPROTO_IPV6;
534 		cmsg->cmsg_type = IPV6_HOPLIMIT;
535 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
536 		optptr += sizeof (*cmsg);
537 
538 		*(uint_t *)optptr = ipp->ipp_hoplimit;
539 		optptr += sizeof (uint_t);
540 		ASSERT(OK_32PTR(optptr));
541 		/* Save as "last" value */
542 		sctp->sctp_recvhops = ipp->ipp_hoplimit;
543 	}
544 	/* If app asked for tclass and it has changed ... */
545 	if (addflag.crb_ipv6_recvtclass) {
546 		cmsg = (struct cmsghdr *)optptr;
547 		cmsg->cmsg_level = IPPROTO_IPV6;
548 		cmsg->cmsg_type = IPV6_TCLASS;
549 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
550 		optptr += sizeof (*cmsg);
551 
552 		*(uint_t *)optptr = ipp->ipp_tclass;
553 		optptr += sizeof (uint_t);
554 		ASSERT(OK_32PTR(optptr));
555 		/* Save as "last" value */
556 		sctp->sctp_recvtclass = ipp->ipp_tclass;
557 	}
558 	if (addflag.crb_ipv6_recvhopopts) {
559 		cmsg = (struct cmsghdr *)optptr;
560 		cmsg->cmsg_level = IPPROTO_IPV6;
561 		cmsg->cmsg_type = IPV6_HOPOPTS;
562 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_hopoptslen;
563 		optptr += sizeof (*cmsg);
564 
565 		bcopy(ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
566 		optptr += ipp->ipp_hopoptslen;
567 		ASSERT(OK_32PTR(optptr));
568 		/* Save as last value */
569 		ip_savebuf((void **)&sctp->sctp_hopopts,
570 		    &sctp->sctp_hopoptslen,
571 		    (ipp->ipp_fields & IPPF_HOPOPTS),
572 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
573 	}
574 	if (addflag.crb_ipv6_recvrthdrdstopts) {
575 		cmsg = (struct cmsghdr *)optptr;
576 		cmsg->cmsg_level = IPPROTO_IPV6;
577 		cmsg->cmsg_type = IPV6_RTHDRDSTOPTS;
578 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrdstoptslen;
579 		optptr += sizeof (*cmsg);
580 
581 		bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
582 		optptr += ipp->ipp_rthdrdstoptslen;
583 		ASSERT(OK_32PTR(optptr));
584 		/* Save as last value */
585 		ip_savebuf((void **)&sctp->sctp_rthdrdstopts,
586 		    &sctp->sctp_rthdrdstoptslen,
587 		    (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
588 		    ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
589 	}
590 	if (addflag.crb_ipv6_recvrthdr) {
591 		cmsg = (struct cmsghdr *)optptr;
592 		cmsg->cmsg_level = IPPROTO_IPV6;
593 		cmsg->cmsg_type = IPV6_RTHDR;
594 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrlen;
595 		optptr += sizeof (*cmsg);
596 
597 		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
598 		optptr += ipp->ipp_rthdrlen;
599 		ASSERT(OK_32PTR(optptr));
600 		/* Save as last value */
601 		ip_savebuf((void **)&sctp->sctp_rthdr,
602 		    &sctp->sctp_rthdrlen,
603 		    (ipp->ipp_fields & IPPF_RTHDR),
604 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
605 	}
606 	if (addflag.crb_ipv6_recvdstopts) {
607 		cmsg = (struct cmsghdr *)optptr;
608 		cmsg->cmsg_level = IPPROTO_IPV6;
609 		cmsg->cmsg_type = IPV6_DSTOPTS;
610 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_dstoptslen;
611 		optptr += sizeof (*cmsg);
612 
613 		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
614 		optptr += ipp->ipp_dstoptslen;
615 		ASSERT(OK_32PTR(optptr));
616 		/* Save as last value */
617 		ip_savebuf((void **)&sctp->sctp_dstopts,
618 		    &sctp->sctp_dstoptslen,
619 		    (ipp->ipp_fields & IPPF_DSTOPTS),
620 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
621 	}
622 
623 	ASSERT(optptr == mp1->b_wptr);
624 
625 	return (0);
626 }
627 
628 void
629 sctp_free_reass(sctp_instr_t *sip)
630 {
631 	mblk_t *mp, *mpnext, *mctl;
632 
633 	for (mp = sip->istr_reass; mp != NULL; mp = mpnext) {
634 		mpnext = mp->b_next;
635 		mp->b_next = NULL;
636 		mp->b_prev = NULL;
637 		if (DB_TYPE(mp) == M_CTL) {
638 			mctl = mp;
639 			ASSERT(mp->b_cont != NULL);
640 			mp = mp->b_cont;
641 			mctl->b_cont = NULL;
642 			freeb(mctl);
643 		}
644 		freemsg(mp);
645 	}
646 }
647 
648 /*
649  * If the series of data fragments of which dmp is a part is successfully
650  * reassembled, the first mblk in the series is returned. dc is adjusted
651  * to point at the data chunk in the lead mblk, and b_rptr also points to
652  * the data chunk; the following mblk's b_rptr's point at the actual payload.
653  *
654  * If the series is not yet reassembled, NULL is returned. dc is not changed.
655  * XXX should probably move this up into the state machine.
656  */
657 
658 /* Fragment list for un-ordered messages. Partial delivery is not supported */
659 static mblk_t *
660 sctp_uodata_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc)
661 {
662 	mblk_t		*hmp;
663 	mblk_t		*begin = NULL;
664 	mblk_t		*end = NULL;
665 	sctp_data_hdr_t	*qdc;
666 	uint32_t	ntsn;
667 	uint32_t	tsn = ntohl((*dc)->sdh_tsn);
668 #ifdef	DEBUG
669 	mblk_t		*mp1;
670 #endif
671 
672 	/* First frag. */
673 	if (sctp->sctp_uo_frags == NULL) {
674 		sctp->sctp_uo_frags = dmp;
675 		return (NULL);
676 	}
677 	hmp = sctp->sctp_uo_frags;
678 	/*
679 	 * Insert the segment according to the TSN, fragmented unordered
680 	 * chunks are sequenced by TSN.
681 	 */
682 	while (hmp != NULL) {
683 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
684 		ntsn = ntohl(qdc->sdh_tsn);
685 		if (SEQ_GT(ntsn, tsn)) {
686 			if (hmp->b_prev == NULL) {
687 				dmp->b_next = hmp;
688 				hmp->b_prev = dmp;
689 				sctp->sctp_uo_frags = dmp;
690 			} else {
691 				dmp->b_next = hmp;
692 				dmp->b_prev = hmp->b_prev;
693 				hmp->b_prev->b_next = dmp;
694 				hmp->b_prev = dmp;
695 			}
696 			break;
697 		}
698 		if (hmp->b_next == NULL) {
699 			hmp->b_next = dmp;
700 			dmp->b_prev = hmp;
701 			break;
702 		}
703 		hmp = hmp->b_next;
704 	}
705 	/* check if we completed a msg */
706 	if (SCTP_DATA_GET_BBIT(*dc)) {
707 		begin = dmp;
708 	} else if (SCTP_DATA_GET_EBIT(*dc)) {
709 		end = dmp;
710 	}
711 	/*
712 	 * We walk consecutive TSNs backwards till we get a seg. with
713 	 * the B bit
714 	 */
715 	if (begin == NULL) {
716 		for (hmp = dmp->b_prev; hmp != NULL; hmp = hmp->b_prev) {
717 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
718 			ntsn = ntohl(qdc->sdh_tsn);
719 			if ((int32_t)(tsn - ntsn) > 1) {
720 				return (NULL);
721 			}
722 			if (SCTP_DATA_GET_BBIT(qdc)) {
723 				begin = hmp;
724 				break;
725 			}
726 			tsn = ntsn;
727 		}
728 	}
729 	tsn = ntohl((*dc)->sdh_tsn);
730 	/*
731 	 * We walk consecutive TSNs till we get a seg. with the E bit
732 	 */
733 	if (end == NULL) {
734 		for (hmp = dmp->b_next; hmp != NULL; hmp = hmp->b_next) {
735 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
736 			ntsn = ntohl(qdc->sdh_tsn);
737 			if ((int32_t)(ntsn - tsn) > 1) {
738 				return (NULL);
739 			}
740 			if (SCTP_DATA_GET_EBIT(qdc)) {
741 				end = hmp;
742 				break;
743 			}
744 			tsn = ntsn;
745 		}
746 	}
747 	if (begin == NULL || end == NULL) {
748 		return (NULL);
749 	}
750 	/* Got one!, Remove the msg from the list */
751 	if (sctp->sctp_uo_frags == begin) {
752 		ASSERT(begin->b_prev == NULL);
753 		sctp->sctp_uo_frags = end->b_next;
754 		if (end->b_next != NULL)
755 			end->b_next->b_prev = NULL;
756 	} else {
757 		begin->b_prev->b_next = end->b_next;
758 		if (end->b_next != NULL)
759 			end->b_next->b_prev = begin->b_prev;
760 	}
761 	begin->b_prev = NULL;
762 	end->b_next = NULL;
763 
764 	/*
765 	 * Null out b_next and b_prev and chain using b_cont.
766 	 */
767 	dmp = end = begin;
768 	hmp = begin->b_next;
769 	*dc = (sctp_data_hdr_t *)begin->b_rptr;
770 	begin->b_next = NULL;
771 	while (hmp != NULL) {
772 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
773 		hmp->b_rptr = (uchar_t *)(qdc + 1);
774 		end = hmp->b_next;
775 		dmp->b_cont = hmp;
776 		dmp = hmp;
777 
778 		if (end != NULL)
779 			hmp->b_next = NULL;
780 		hmp->b_prev = NULL;
781 		hmp = end;
782 	}
783 	BUMP_LOCAL(sctp->sctp_reassmsgs);
784 #ifdef	DEBUG
785 	mp1 = begin;
786 	while (mp1 != NULL) {
787 		ASSERT(mp1->b_next == NULL);
788 		ASSERT(mp1->b_prev == NULL);
789 		mp1 = mp1->b_cont;
790 	}
791 #endif
792 	return (begin);
793 }
794 
795 /*
796  * Try partial delivery.
797  */
798 static mblk_t *
799 sctp_try_partial_delivery(sctp_t *sctp, mblk_t *hmp, sctp_reass_t *srp,
800     sctp_data_hdr_t **dc)
801 {
802 	mblk_t		*mp;
803 	mblk_t		*dmp;
804 	mblk_t		*qmp;
805 	mblk_t		*prev;
806 	sctp_data_hdr_t	*qdc;
807 	uint32_t	tsn;
808 
809 	ASSERT(DB_TYPE(hmp) == M_CTL);
810 
811 	dprint(4, ("trypartial: got=%d, needed=%d\n",
812 	    (int)(srp->got), (int)(srp->needed)));
813 
814 	mp = hmp->b_cont;
815 	qdc = (sctp_data_hdr_t *)mp->b_rptr;
816 
817 	ASSERT(SCTP_DATA_GET_BBIT(qdc) && srp->hasBchunk);
818 
819 	tsn = ntohl(qdc->sdh_tsn) + 1;
820 
821 	/*
822 	 * This loop has two exit conditions: the
823 	 * end of received chunks has been reached, or
824 	 * there is a break in the sequence. We want
825 	 * to chop the reassembly list as follows (the
826 	 * numbers are TSNs):
827 	 *   10 -> 11 -> 	(end of chunks)
828 	 *   10 -> 11 -> | 13   (break in sequence)
829 	 */
830 	prev = mp;
831 	mp = mp->b_cont;
832 	while (mp != NULL) {
833 		qdc = (sctp_data_hdr_t *)mp->b_rptr;
834 		if (ntohl(qdc->sdh_tsn) != tsn)
835 			break;
836 		prev = mp;
837 		mp = mp->b_cont;
838 		tsn++;
839 	}
840 	/*
841 	 * We are sending all the fragments upstream, we have to retain
842 	 * the srp info for further fragments.
843 	 */
844 	if (mp == NULL) {
845 		dmp = hmp->b_cont;
846 		hmp->b_cont = NULL;
847 		srp->nexttsn = tsn;
848 		srp->msglen = 0;
849 		srp->needed = 0;
850 		srp->got = 0;
851 		srp->partial_delivered = B_TRUE;
852 		srp->tail = NULL;
853 	} else {
854 		dmp = hmp->b_cont;
855 		hmp->b_cont = mp;
856 	}
857 	srp->hasBchunk = B_FALSE;
858 	/*
859 	 * mp now points at the last chunk in the sequence,
860 	 * and prev points to mp's previous in the list.
861 	 * We chop the list at prev, and convert mp into the
862 	 * new list head by setting the B bit. Subsequence
863 	 * fragment deliveries will follow the normal reassembly
864 	 * path.
865 	 */
866 	prev->b_cont = NULL;
867 	srp->partial_delivered = B_TRUE;
868 
869 	dprint(4, ("trypartial: got some, got=%d, needed=%d\n",
870 	    (int)(srp->got), (int)(srp->needed)));
871 
872 	/*
873 	 * Adjust all mblk's except the lead so their rptr's point to the
874 	 * payload. sctp_data_chunk() will need to process the lead's
875 	 * data chunk section, so leave it's rptr pointing at the data chunk.
876 	 */
877 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
878 	if (srp->tail != NULL) {
879 		srp->got--;
880 		ASSERT(srp->got != 0);
881 		if (srp->needed != 0) {
882 			srp->needed--;
883 			ASSERT(srp->needed != 0);
884 		}
885 		srp->msglen -= ntohs((*dc)->sdh_len);
886 	}
887 	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
888 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
889 		qmp->b_rptr = (uchar_t *)(qdc + 1);
890 
891 		/*
892 		 * Deduct the balance from got and needed here, now that
893 		 * we know we are actually delivering these data.
894 		 */
895 		if (srp->tail != NULL) {
896 			srp->got--;
897 			ASSERT(srp->got != 0);
898 			if (srp->needed != 0) {
899 				srp->needed--;
900 				ASSERT(srp->needed != 0);
901 			}
902 			srp->msglen -= ntohs(qdc->sdh_len);
903 		}
904 	}
905 	ASSERT(srp->msglen == 0);
906 	BUMP_LOCAL(sctp->sctp_reassmsgs);
907 
908 	return (dmp);
909 }
910 
911 /*
912  * Fragment list for ordered messages.
913  * If no error occures, error is set to 0. If we run out of memory, error
914  * is set to 1. If the peer commits a fatal error (like using different
915  * sequence numbers for the same data fragment series), the association is
916  * aborted and error is set to 2. tpfinished indicates whether we have
917  * assembled a complete message, this is used in sctp_data_chunk() to
918  * see if we can try to send any queued message for this stream.
919  */
920 static mblk_t *
921 sctp_data_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc, int *error,
922     sctp_instr_t *sip, boolean_t *tpfinished)
923 {
924 	mblk_t		*hmp;
925 	mblk_t		*pmp;
926 	mblk_t		*qmp;
927 	mblk_t		*first_mp;
928 	sctp_reass_t	*srp;
929 	sctp_data_hdr_t	*qdc;
930 	sctp_data_hdr_t	*bdc;
931 	sctp_data_hdr_t	*edc;
932 	uint32_t	tsn;
933 	uint16_t	fraglen = 0;
934 
935 	*error = 0;
936 
937 	/* find the reassembly queue for this data chunk */
938 	hmp = qmp = sip->istr_reass;
939 	for (; hmp != NULL; hmp = hmp->b_next) {
940 		srp = (sctp_reass_t *)DB_BASE(hmp);
941 		if (ntohs((*dc)->sdh_ssn) == srp->ssn)
942 			goto foundit;
943 		else if (SSN_GT(srp->ssn, ntohs((*dc)->sdh_ssn)))
944 			break;
945 		qmp = hmp;
946 	}
947 
948 	/*
949 	 * Allocate a M_CTL that will contain information about this
950 	 * fragmented message.
951 	 */
952 	if ((pmp = allocb(sizeof (*srp), BPRI_MED)) == NULL) {
953 		*error = 1;
954 		return (NULL);
955 	}
956 	DB_TYPE(pmp) = M_CTL;
957 	srp = (sctp_reass_t *)DB_BASE(pmp);
958 	pmp->b_cont = dmp;
959 
960 	if (hmp != NULL) {
961 		if (sip->istr_reass == hmp) {
962 			sip->istr_reass = pmp;
963 			pmp->b_next = hmp;
964 			pmp->b_prev = NULL;
965 			hmp->b_prev = pmp;
966 		} else {
967 			qmp->b_next = pmp;
968 			pmp->b_prev = qmp;
969 			pmp->b_next = hmp;
970 			hmp->b_prev = pmp;
971 		}
972 	} else {
973 		/* make a new reass head and stick it on the end */
974 		if (sip->istr_reass == NULL) {
975 			sip->istr_reass = pmp;
976 			pmp->b_prev = NULL;
977 		} else {
978 			qmp->b_next = pmp;
979 			pmp->b_prev = qmp;
980 		}
981 		pmp->b_next = NULL;
982 	}
983 	srp->partial_delivered = B_FALSE;
984 	srp->ssn = ntohs((*dc)->sdh_ssn);
985 empty_srp:
986 	srp->needed = 0;
987 	srp->got = 1;
988 	srp->tail = dmp;
989 	if (SCTP_DATA_GET_BBIT(*dc)) {
990 		srp->msglen = ntohs((*dc)->sdh_len);
991 		srp->nexttsn = ntohl((*dc)->sdh_tsn) + 1;
992 		srp->hasBchunk = B_TRUE;
993 	} else if (srp->partial_delivered &&
994 	    srp->nexttsn == ntohl((*dc)->sdh_tsn)) {
995 		SCTP_DATA_SET_BBIT(*dc);
996 		/* Last fragment */
997 		if (SCTP_DATA_GET_EBIT(*dc)) {
998 			srp->needed = 1;
999 			goto frag_done;
1000 		}
1001 		srp->hasBchunk = B_TRUE;
1002 		srp->msglen = ntohs((*dc)->sdh_len);
1003 		srp->nexttsn++;
1004 	}
1005 	return (NULL);
1006 foundit:
1007 	/*
1008 	 * else already have a reassembly queue. Insert the new data chunk
1009 	 * in the reassemble queue. Try the tail first, on the assumption
1010 	 * that the fragments are coming in in order.
1011 	 */
1012 	qmp = srp->tail;
1013 
1014 	/*
1015 	 * This means the message was partially delivered.
1016 	 */
1017 	if (qmp == NULL) {
1018 		ASSERT(srp->got == 0 && srp->needed == 0 &&
1019 		    srp->partial_delivered);
1020 		ASSERT(hmp->b_cont == NULL);
1021 		hmp->b_cont = dmp;
1022 		goto empty_srp;
1023 	}
1024 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1025 	ASSERT(qmp->b_cont == NULL);
1026 
1027 	/* XXXIs it fine to do this just here? */
1028 	if ((*dc)->sdh_sid != qdc->sdh_sid) {
1029 		/* our peer is fatally confused; XXX abort the assc */
1030 		*error = 2;
1031 		return (NULL);
1032 	}
1033 	if (SEQ_GT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1034 		qmp->b_cont = dmp;
1035 		srp->tail = dmp;
1036 		dmp->b_cont = NULL;
1037 		if (srp->hasBchunk && srp->nexttsn == ntohl((*dc)->sdh_tsn)) {
1038 			srp->msglen += ntohs((*dc)->sdh_len);
1039 			srp->nexttsn++;
1040 		}
1041 		goto inserted;
1042 	}
1043 
1044 	/* Next check for insertion at the beginning */
1045 	qmp = hmp->b_cont;
1046 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1047 	if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1048 		dmp->b_cont = qmp;
1049 		hmp->b_cont = dmp;
1050 		if (SCTP_DATA_GET_BBIT(*dc)) {
1051 			srp->hasBchunk = B_TRUE;
1052 			srp->nexttsn = ntohl((*dc)->sdh_tsn);
1053 		}
1054 		goto preinserted;
1055 	}
1056 
1057 	/* Insert somewhere in the middle */
1058 	for (;;) {
1059 		/* Tail check above should have caught this */
1060 		ASSERT(qmp->b_cont != NULL);
1061 
1062 		qdc = (sctp_data_hdr_t *)qmp->b_cont->b_rptr;
1063 		if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
1064 			/* insert here */
1065 			dmp->b_cont = qmp->b_cont;
1066 			qmp->b_cont = dmp;
1067 			break;
1068 		}
1069 		qmp = qmp->b_cont;
1070 	}
1071 preinserted:
1072 	if (!srp->hasBchunk || ntohl((*dc)->sdh_tsn) != srp->nexttsn)
1073 		goto inserted;
1074 	/*
1075 	 * fraglen contains the length of consecutive chunks of fragments.
1076 	 * starting from the chunk inserted recently.
1077 	 */
1078 	tsn = srp->nexttsn;
1079 	for (qmp = dmp; qmp != NULL; qmp = qmp->b_cont) {
1080 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1081 		if (tsn != ntohl(qdc->sdh_tsn))
1082 			break;
1083 		fraglen += ntohs(qdc->sdh_len);
1084 		tsn++;
1085 	}
1086 	srp->nexttsn = tsn;
1087 	srp->msglen += fraglen;
1088 inserted:
1089 	srp->got++;
1090 	first_mp = hmp->b_cont;
1091 	if (srp->needed == 0) {
1092 		/* check if we have the first and last fragments */
1093 		bdc = (sctp_data_hdr_t *)first_mp->b_rptr;
1094 		edc = (sctp_data_hdr_t *)srp->tail->b_rptr;
1095 
1096 		/* calculate how many fragments are needed, if possible  */
1097 		if (SCTP_DATA_GET_BBIT(bdc) && SCTP_DATA_GET_EBIT(edc)) {
1098 			srp->needed = ntohl(edc->sdh_tsn) -
1099 			    ntohl(bdc->sdh_tsn) + 1;
1100 		}
1101 	}
1102 
1103 	/*
1104 	 * Try partial delivery if the message length has exceeded the
1105 	 * partial delivery point. Only do this if we can immediately
1106 	 * deliver the partially assembled message, and only partially
1107 	 * deliver one message at a time (i.e. messages cannot be
1108 	 * intermixed arriving at the upper layer). A simple way to
1109 	 * enforce this is to only try partial delivery if this TSN is
1110 	 * the next expected TSN. Partial Delivery not supported
1111 	 * for un-ordered message.
1112 	 */
1113 	if (srp->needed != srp->got) {
1114 		dmp = NULL;
1115 		if (ntohl((*dc)->sdh_tsn) == sctp->sctp_ftsn &&
1116 		    srp->msglen >= sctp->sctp_pd_point) {
1117 			dmp = sctp_try_partial_delivery(sctp, hmp, srp, dc);
1118 			*tpfinished = B_FALSE;
1119 		}
1120 		return (dmp);
1121 	}
1122 frag_done:
1123 	/*
1124 	 * else reassembly done; prepare the data for delivery.
1125 	 * First unlink hmp from the ssn list.
1126 	 */
1127 	if (sip->istr_reass == hmp) {
1128 		sip->istr_reass = hmp->b_next;
1129 		if (hmp->b_next)
1130 			hmp->b_next->b_prev = NULL;
1131 	} else {
1132 		ASSERT(hmp->b_prev != NULL);
1133 		hmp->b_prev->b_next = hmp->b_next;
1134 		if (hmp->b_next)
1135 			hmp->b_next->b_prev = hmp->b_prev;
1136 	}
1137 
1138 	/*
1139 	 * Using b_prev and b_next was a little sinful, but OK since
1140 	 * this mblk is never put*'d. However, freeb() will still
1141 	 * ASSERT that they are unused, so we need to NULL them out now.
1142 	 */
1143 	hmp->b_next = NULL;
1144 	hmp->b_prev = NULL;
1145 	dmp = hmp;
1146 	dmp = dmp->b_cont;
1147 	hmp->b_cont = NULL;
1148 	freeb(hmp);
1149 	*tpfinished = B_TRUE;
1150 
1151 	/*
1152 	 * Adjust all mblk's except the lead so their rptr's point to the
1153 	 * payload. sctp_data_chunk() will need to process the lead's
1154 	 * data chunk section, so leave it's rptr pointing at the data chunk.
1155 	 */
1156 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
1157 	for (qmp = dmp->b_cont; qmp != NULL; qmp = qmp->b_cont) {
1158 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1159 		qmp->b_rptr = (uchar_t *)(qdc + 1);
1160 	}
1161 	BUMP_LOCAL(sctp->sctp_reassmsgs);
1162 
1163 	return (dmp);
1164 }
1165 static void
1166 sctp_add_dup(uint32_t tsn, mblk_t **dups)
1167 {
1168 	mblk_t *mp;
1169 	size_t bsize = SCTP_DUP_MBLK_SZ * sizeof (tsn);
1170 
1171 	if (dups == NULL) {
1172 		return;
1173 	}
1174 
1175 	/* first time? */
1176 	if (*dups == NULL) {
1177 		*dups = allocb(bsize, BPRI_MED);
1178 		if (*dups == NULL) {
1179 			return;
1180 		}
1181 	}
1182 
1183 	mp = *dups;
1184 	if ((mp->b_wptr - mp->b_rptr) >= bsize) {
1185 		/* maximum reached */
1186 		return;
1187 	}
1188 
1189 	/* add the duplicate tsn */
1190 	bcopy(&tsn, mp->b_wptr, sizeof (tsn));
1191 	mp->b_wptr += sizeof (tsn);
1192 	ASSERT((mp->b_wptr - mp->b_rptr) <= bsize);
1193 }
1194 
1195 static void
1196 sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
1197     sctp_faddr_t *fp, ip_pkt_t *ipp, ip_recv_attr_t *ira)
1198 {
1199 	sctp_data_hdr_t *dc;
1200 	mblk_t *dmp, *pmp;
1201 	sctp_instr_t *instr;
1202 	int ubit;
1203 	int isfrag;
1204 	uint16_t ssn;
1205 	uint32_t oftsn;
1206 	boolean_t can_deliver = B_TRUE;
1207 	uint32_t tsn;
1208 	int dlen;
1209 	boolean_t tpfinished = B_TRUE;
1210 	int32_t new_rwnd;
1211 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1212 	int	error;
1213 
1214 	/* The following are used multiple times, so we inline them */
1215 #define	SCTP_ACK_IT(sctp, tsn)						\
1216 	if (tsn == sctp->sctp_ftsn) {					\
1217 		dprint(2, ("data_chunk: acking next %x\n", tsn));	\
1218 		(sctp)->sctp_ftsn++;					\
1219 		if ((sctp)->sctp_sack_gaps > 0)				\
1220 			(sctp)->sctp_force_sack = 1;			\
1221 	} else if (SEQ_GT(tsn, sctp->sctp_ftsn)) {			\
1222 		/* Got a gap; record it */				\
1223 		BUMP_LOCAL(sctp->sctp_outseqtsns);			\
1224 		dprint(2, ("data_chunk: acking gap %x\n", tsn));	\
1225 		sctp_ack_add(&sctp->sctp_sack_info, tsn,		\
1226 		    &sctp->sctp_sack_gaps);				\
1227 		sctp->sctp_force_sack = 1;				\
1228 	}
1229 
1230 	dmp = NULL;
1231 
1232 	dc = (sctp_data_hdr_t *)ch;
1233 	tsn = ntohl(dc->sdh_tsn);
1234 
1235 	dprint(3, ("sctp_data_chunk: mp=%p tsn=%x\n", (void *)mp, tsn));
1236 
1237 	/* Check for duplicates */
1238 	if (SEQ_LT(tsn, sctp->sctp_ftsn)) {
1239 		dprint(4, ("sctp_data_chunk: dropping duplicate\n"));
1240 		BUMP_LOCAL(sctp->sctp_idupchunks);
1241 		sctp->sctp_force_sack = 1;
1242 		sctp_add_dup(dc->sdh_tsn, dups);
1243 		return;
1244 	}
1245 
1246 	if (sctp->sctp_sack_info != NULL) {
1247 		sctp_set_t *sp;
1248 
1249 		for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1250 			if (SEQ_GEQ(tsn, sp->begin) && SEQ_LEQ(tsn, sp->end)) {
1251 				dprint(4,
1252 				    ("sctp_data_chunk: dropping dup > "
1253 				    "cumtsn\n"));
1254 				BUMP_LOCAL(sctp->sctp_idupchunks);
1255 				sctp->sctp_force_sack = 1;
1256 				sctp_add_dup(dc->sdh_tsn, dups);
1257 				return;
1258 			}
1259 		}
1260 	}
1261 
1262 	/* We cannot deliver anything up now but we still need to handle it. */
1263 	if (SCTP_IS_DETACHED(sctp)) {
1264 		BUMP_MIB(&sctps->sctps_mib, sctpInClosed);
1265 		can_deliver = B_FALSE;
1266 	}
1267 
1268 	dlen = ntohs(dc->sdh_len) - sizeof (*dc);
1269 
1270 	/*
1271 	 * Check for buffer space. Note if this is the next expected TSN
1272 	 * we have to take it to avoid deadlock because we cannot deliver
1273 	 * later queued TSNs and thus clear buffer space without it.
1274 	 * We drop anything that is purely zero window probe data here.
1275 	 */
1276 	if ((sctp->sctp_rwnd - sctp->sctp_rxqueued < dlen) &&
1277 	    (tsn != sctp->sctp_ftsn || sctp->sctp_rwnd == 0)) {
1278 		/* Drop and SACK, but don't advance the cumulative TSN. */
1279 		sctp->sctp_force_sack = 1;
1280 		dprint(0, ("sctp_data_chunk: exceed rwnd %d rxqueued %d "
1281 		    "dlen %d ssn %d tsn %x\n", sctp->sctp_rwnd,
1282 		    sctp->sctp_rxqueued, dlen, ntohs(dc->sdh_ssn),
1283 		    ntohl(dc->sdh_tsn)));
1284 		return;
1285 	}
1286 
1287 	if (ntohs(dc->sdh_sid) >= sctp->sctp_num_istr) {
1288 		sctp_bsc_t	inval_parm;
1289 
1290 		/* Will populate the CAUSE block in the ERROR chunk. */
1291 		inval_parm.bsc_sid = dc->sdh_sid;
1292 		/* RESERVED, ignored at the receiving end */
1293 		inval_parm.bsc_pad = 0;
1294 
1295 		/* ack and drop it */
1296 		sctp_add_err(sctp, SCTP_ERR_BAD_SID, (void *)&inval_parm,
1297 		    sizeof (sctp_bsc_t), fp);
1298 		SCTP_ACK_IT(sctp, tsn);
1299 		return;
1300 	}
1301 
1302 	ubit = SCTP_DATA_GET_UBIT(dc);
1303 	ASSERT(sctp->sctp_instr != NULL);
1304 	instr = &sctp->sctp_instr[ntohs(dc->sdh_sid)];
1305 	/* Initialize the stream, if not yet used */
1306 	if (instr->sctp == NULL)
1307 		instr->sctp = sctp;
1308 
1309 	isfrag = !(SCTP_DATA_GET_BBIT(dc) && SCTP_DATA_GET_EBIT(dc));
1310 	ssn = ntohs(dc->sdh_ssn);
1311 
1312 	dmp = dupb(mp);
1313 	if (dmp == NULL) {
1314 		/* drop it and don't ack it, causing the peer to retransmit */
1315 		return;
1316 	}
1317 	dmp->b_wptr = (uchar_t *)ch + ntohs(ch->sch_len);
1318 
1319 	sctp->sctp_rxqueued += dlen;
1320 
1321 	oftsn = sctp->sctp_ftsn;
1322 
1323 	if (isfrag) {
1324 
1325 		error = 0;
1326 		/* fragmented data chunk */
1327 		dmp->b_rptr = (uchar_t *)dc;
1328 		if (ubit) {
1329 			dmp = sctp_uodata_frag(sctp, dmp, &dc);
1330 #if	DEBUG
1331 			if (dmp != NULL) {
1332 				ASSERT(instr ==
1333 				    &sctp->sctp_instr[ntohs(dc->sdh_sid)]);
1334 			}
1335 #endif
1336 		} else {
1337 			dmp = sctp_data_frag(sctp, dmp, &dc, &error, instr,
1338 			    &tpfinished);
1339 		}
1340 		if (error != 0) {
1341 			sctp->sctp_rxqueued -= dlen;
1342 			if (error == 1) {
1343 				/*
1344 				 * out of memory; don't ack it so
1345 				 * the peer retransmits
1346 				 */
1347 				return;
1348 			} else if (error == 2) {
1349 				/*
1350 				 * fatal error (i.e. peer used different
1351 				 * ssn's for same fragmented data) --
1352 				 * the association has been aborted.
1353 				 * XXX need to return errval so state
1354 				 * machine can also abort processing.
1355 				 */
1356 				dprint(0, ("error 2: must not happen!\n"));
1357 				return;
1358 			}
1359 		}
1360 
1361 		if (dmp == NULL) {
1362 			/*
1363 			 * Can't process this data now, but the cumulative
1364 			 * TSN may be advanced, so do the checks at done.
1365 			 */
1366 			SCTP_ACK_IT(sctp, tsn);
1367 			goto done;
1368 		}
1369 	}
1370 
1371 	/*
1372 	 * Insert complete messages in correct order for ordered delivery.
1373 	 * tpfinished is true when the incoming chunk contains a complete
1374 	 * message or is the final missing fragment which completed a message.
1375 	 */
1376 	if (!ubit && tpfinished && ssn != instr->nextseq) {
1377 		/* Adjust rptr to point at the data chunk for compares */
1378 		dmp->b_rptr = (uchar_t *)dc;
1379 
1380 		dprint(2,
1381 		    ("data_chunk: inserted %x in pq (ssn %d expected %d)\n",
1382 		    ntohl(dc->sdh_tsn), (int)(ssn), (int)(instr->nextseq)));
1383 
1384 		if (instr->istr_msgs == NULL) {
1385 			instr->istr_msgs = dmp;
1386 			ASSERT(dmp->b_prev == NULL && dmp->b_next == NULL);
1387 		} else {
1388 			mblk_t			*imblk = instr->istr_msgs;
1389 			sctp_data_hdr_t		*idc;
1390 
1391 			/*
1392 			 * XXXNeed to take sequence wraps into account,
1393 			 * ... and a more efficient insertion algo.
1394 			 */
1395 			for (;;) {
1396 				idc = (sctp_data_hdr_t *)imblk->b_rptr;
1397 				if (SSN_GT(ntohs(idc->sdh_ssn),
1398 				    ntohs(dc->sdh_ssn))) {
1399 					if (instr->istr_msgs == imblk) {
1400 						instr->istr_msgs = dmp;
1401 						dmp->b_next = imblk;
1402 						imblk->b_prev = dmp;
1403 					} else {
1404 						ASSERT(imblk->b_prev != NULL);
1405 						imblk->b_prev->b_next = dmp;
1406 						dmp->b_prev = imblk->b_prev;
1407 						imblk->b_prev = dmp;
1408 						dmp->b_next = imblk;
1409 					}
1410 					break;
1411 				}
1412 				if (imblk->b_next == NULL) {
1413 					imblk->b_next = dmp;
1414 					dmp->b_prev = imblk;
1415 					break;
1416 				}
1417 				imblk = imblk->b_next;
1418 			}
1419 		}
1420 		(instr->istr_nmsgs)++;
1421 		(sctp->sctp_istr_nmsgs)++;
1422 		SCTP_ACK_IT(sctp, tsn);
1423 		return;
1424 	}
1425 
1426 	/*
1427 	 * Else we can deliver the data directly. Recalculate
1428 	 * dlen now since we may have reassembled data.
1429 	 */
1430 	dlen = dmp->b_wptr - (uchar_t *)dc - sizeof (*dc);
1431 	for (pmp = dmp->b_cont; pmp != NULL; pmp = pmp->b_cont)
1432 		dlen += MBLKL(pmp);
1433 	ASSERT(sctp->sctp_rxqueued >= dlen);
1434 
1435 	/* Deliver the message. */
1436 	sctp->sctp_rxqueued -= dlen;
1437 
1438 	if (can_deliver) {
1439 
1440 		dmp->b_rptr = (uchar_t *)(dc + 1);
1441 		if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
1442 		    ipp, ira) == 0) {
1443 			dprint(1, ("sctp_data_chunk: delivering %lu bytes\n",
1444 			    msgdsize(dmp)));
1445 			sctp->sctp_rwnd -= dlen;
1446 			/*
1447 			 * Override b_flag for SCTP sockfs internal use
1448 			 */
1449 			dmp->b_flag = tpfinished ? 0 : SCTP_PARTIAL_DATA;
1450 			new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
1451 			    msgdsize(dmp), 0, &error, NULL);
1452 			/*
1453 			 * Since we always deliver the next TSN data chunk,
1454 			 * we may buffer a little more than allowed. In
1455 			 * that case, just mark the window as 0.
1456 			 */
1457 			if (new_rwnd < 0)
1458 				sctp->sctp_rwnd = 0;
1459 			else if (new_rwnd > sctp->sctp_rwnd)
1460 				sctp->sctp_rwnd = new_rwnd;
1461 			SCTP_ACK_IT(sctp, tsn);
1462 		} else {
1463 			/* Just free the message if we don't have memory. */
1464 			freemsg(dmp);
1465 			return;
1466 		}
1467 	} else {
1468 		/* About to free the data */
1469 		freemsg(dmp);
1470 		SCTP_ACK_IT(sctp, tsn);
1471 	}
1472 
1473 	/*
1474 	 * data, now enqueued, may already have been processed and free'd
1475 	 * by the ULP (or we may have just freed it above, if we could not
1476 	 * deliver it), so we must not reference it (this is why we kept
1477 	 * the ssn and ubit above).
1478 	 */
1479 	if (ubit != 0) {
1480 		BUMP_LOCAL(sctp->sctp_iudchunks);
1481 		goto done;
1482 	}
1483 	BUMP_LOCAL(sctp->sctp_idchunks);
1484 
1485 	/*
1486 	 * If there was a partial delivery and it has not finished,
1487 	 * don't pull anything from the pqueues.
1488 	 */
1489 	if (!tpfinished) {
1490 		goto done;
1491 	}
1492 
1493 	instr->nextseq = ssn + 1;
1494 	/* Deliver any successive data chunks in the instr queue */
1495 	while (instr->istr_nmsgs > 0) {
1496 		dmp = (mblk_t *)instr->istr_msgs;
1497 		dc = (sctp_data_hdr_t *)dmp->b_rptr;
1498 		ssn = ntohs(dc->sdh_ssn);
1499 		/* Gap in the sequence */
1500 		if (ssn != instr->nextseq)
1501 			break;
1502 
1503 		/* Else deliver the data */
1504 		(instr->istr_nmsgs)--;
1505 		(instr->nextseq)++;
1506 		(sctp->sctp_istr_nmsgs)--;
1507 
1508 		instr->istr_msgs = instr->istr_msgs->b_next;
1509 		if (instr->istr_msgs != NULL)
1510 			instr->istr_msgs->b_prev = NULL;
1511 		dmp->b_next = dmp->b_prev = NULL;
1512 
1513 		dprint(2, ("data_chunk: pulling %x from pq (ssn %d)\n",
1514 		    ntohl(dc->sdh_tsn), (int)ssn));
1515 
1516 		/*
1517 		 * If this chunk was reassembled, each b_cont represents
1518 		 * another TSN; advance ftsn now.
1519 		 */
1520 		dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
1521 		for (pmp = dmp->b_cont; pmp; pmp = pmp->b_cont)
1522 			dlen += MBLKL(pmp);
1523 
1524 		ASSERT(sctp->sctp_rxqueued >= dlen);
1525 
1526 		sctp->sctp_rxqueued -= dlen;
1527 		if (can_deliver) {
1528 			dmp->b_rptr = (uchar_t *)(dc + 1);
1529 			if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
1530 			    ipp, ira) == 0) {
1531 				dprint(1, ("sctp_data_chunk: delivering %lu "
1532 				    "bytes\n", msgdsize(dmp)));
1533 				sctp->sctp_rwnd -= dlen;
1534 				/*
1535 				 * Override b_flag for SCTP sockfs internal use
1536 				 */
1537 				dmp->b_flag = tpfinished ?
1538 				    0 : SCTP_PARTIAL_DATA;
1539 				new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd,
1540 				    dmp, msgdsize(dmp), 0, &error, NULL);
1541 				if (new_rwnd < 0)
1542 					sctp->sctp_rwnd = 0;
1543 				else if (new_rwnd > sctp->sctp_rwnd)
1544 					sctp->sctp_rwnd = new_rwnd;
1545 				SCTP_ACK_IT(sctp, tsn);
1546 			} else {
1547 				freemsg(dmp);
1548 				return;
1549 			}
1550 		} else {
1551 			/* About to free the data */
1552 			freemsg(dmp);
1553 			SCTP_ACK_IT(sctp, tsn);
1554 		}
1555 	}
1556 
1557 done:
1558 
1559 	/*
1560 	 * If there are gap reports pending, check if advancing
1561 	 * the ftsn here closes a gap. If so, we can advance
1562 	 * ftsn to the end of the set.
1563 	 */
1564 	if (sctp->sctp_sack_info != NULL &&
1565 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
1566 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
1567 	}
1568 	/*
1569 	 * If ftsn has moved forward, maybe we can remove gap reports.
1570 	 * NB: dmp may now be NULL, so don't dereference it here.
1571 	 */
1572 	if (oftsn != sctp->sctp_ftsn && sctp->sctp_sack_info != NULL) {
1573 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
1574 		    &sctp->sctp_sack_gaps);
1575 		dprint(2, ("data_chunk: removed acks before %x (num=%d)\n",
1576 		    sctp->sctp_ftsn - 1, sctp->sctp_sack_gaps));
1577 	}
1578 
1579 #ifdef	DEBUG
1580 	if (sctp->sctp_sack_info != NULL) {
1581 		ASSERT(sctp->sctp_ftsn != sctp->sctp_sack_info->begin);
1582 	}
1583 #endif
1584 
1585 #undef	SCTP_ACK_IT
1586 }
1587 
1588 void
1589 sctp_fill_sack(sctp_t *sctp, unsigned char *dst, int sacklen)
1590 {
1591 	sctp_chunk_hdr_t *sch;
1592 	sctp_sack_chunk_t *sc;
1593 	sctp_sack_frag_t *sf;
1594 	uint16_t num_gaps = sctp->sctp_sack_gaps;
1595 	sctp_set_t *sp;
1596 
1597 	/* Chunk hdr */
1598 	sch = (sctp_chunk_hdr_t *)dst;
1599 	sch->sch_id = CHUNK_SACK;
1600 	sch->sch_flags = 0;
1601 	sch->sch_len = htons(sacklen);
1602 
1603 	/* SACK chunk */
1604 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1605 
1606 	sc = (sctp_sack_chunk_t *)(sch + 1);
1607 	sc->ssc_cumtsn = htonl(sctp->sctp_lastacked);
1608 	if (sctp->sctp_rxqueued < sctp->sctp_rwnd) {
1609 		sc->ssc_a_rwnd = htonl(sctp->sctp_rwnd - sctp->sctp_rxqueued);
1610 	} else {
1611 		sc->ssc_a_rwnd = 0;
1612 	}
1613 	sc->ssc_numfrags = htons(num_gaps);
1614 	sc->ssc_numdups = 0;
1615 
1616 	/* lay in gap reports */
1617 	sf = (sctp_sack_frag_t *)(sc + 1);
1618 	for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1619 		uint16_t offset;
1620 
1621 		/* start */
1622 		if (sp->begin > sctp->sctp_lastacked) {
1623 			offset = (uint16_t)(sp->begin - sctp->sctp_lastacked);
1624 		} else {
1625 			/* sequence number wrap */
1626 			offset = (uint16_t)(UINT32_MAX - sctp->sctp_lastacked +
1627 			    sp->begin);
1628 		}
1629 		sf->ssf_start = htons(offset);
1630 
1631 		/* end */
1632 		if (sp->end >= sp->begin) {
1633 			offset += (uint16_t)(sp->end - sp->begin);
1634 		} else {
1635 			/* sequence number wrap */
1636 			offset += (uint16_t)(UINT32_MAX - sp->begin + sp->end);
1637 		}
1638 		sf->ssf_end = htons(offset);
1639 
1640 		sf++;
1641 		/* This is just for debugging (a la the following assertion) */
1642 		num_gaps--;
1643 	}
1644 
1645 	ASSERT(num_gaps == 0);
1646 
1647 	/* If the SACK timer is running, stop it */
1648 	if (sctp->sctp_ack_timer_running) {
1649 		sctp_timer_stop(sctp->sctp_ack_mp);
1650 		sctp->sctp_ack_timer_running = B_FALSE;
1651 	}
1652 
1653 	BUMP_LOCAL(sctp->sctp_obchunks);
1654 	BUMP_LOCAL(sctp->sctp_osacks);
1655 }
1656 
1657 mblk_t *
1658 sctp_make_sack(sctp_t *sctp, sctp_faddr_t *sendto, mblk_t *dups)
1659 {
1660 	mblk_t *smp;
1661 	size_t slen;
1662 	sctp_chunk_hdr_t *sch;
1663 	sctp_sack_chunk_t *sc;
1664 	int32_t acks_max;
1665 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1666 	uint32_t	dups_len;
1667 	sctp_faddr_t	*fp;
1668 
1669 	ASSERT(sendto != NULL);
1670 
1671 	if (sctp->sctp_force_sack) {
1672 		sctp->sctp_force_sack = 0;
1673 		goto checks_done;
1674 	}
1675 
1676 	acks_max = sctps->sctps_deferred_acks_max;
1677 	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
1678 		if (sctp->sctp_sack_toggle < acks_max) {
1679 			/* no need to SACK right now */
1680 			dprint(2, ("sctp_make_sack: %p no sack (toggle)\n",
1681 			    (void *)sctp));
1682 			return (NULL);
1683 		} else if (sctp->sctp_sack_toggle >= acks_max) {
1684 			sctp->sctp_sack_toggle = 0;
1685 		}
1686 	}
1687 
1688 	if (sctp->sctp_ftsn == sctp->sctp_lastacked + 1) {
1689 		dprint(2, ("sctp_make_sack: %p no sack (already)\n",
1690 		    (void *)sctp));
1691 		return (NULL);
1692 	}
1693 
1694 checks_done:
1695 	dprint(2, ("sctp_make_sack: acking %x\n", sctp->sctp_ftsn - 1));
1696 
1697 	if (dups != NULL)
1698 		dups_len = MBLKL(dups);
1699 	else
1700 		dups_len = 0;
1701 	slen = sizeof (*sch) + sizeof (*sc) +
1702 	    (sizeof (sctp_sack_frag_t) * sctp->sctp_sack_gaps);
1703 
1704 	/*
1705 	 * If there are error chunks, check and see if we can send the
1706 	 * SACK chunk and error chunks together in one packet.  If not,
1707 	 * send the error chunks out now.
1708 	 */
1709 	if (sctp->sctp_err_chunks != NULL) {
1710 		fp = SCTP_CHUNK_DEST(sctp->sctp_err_chunks);
1711 		if (sctp->sctp_err_len + slen + dups_len > fp->sfa_pmss) {
1712 			if ((smp = sctp_make_mp(sctp, fp, 0)) == NULL) {
1713 				SCTP_KSTAT(sctps, sctp_send_err_failed);
1714 				SCTP_KSTAT(sctps, sctp_send_sack_failed);
1715 				freemsg(sctp->sctp_err_chunks);
1716 				sctp->sctp_err_chunks = NULL;
1717 				sctp->sctp_err_len = 0;
1718 				return (NULL);
1719 			}
1720 			smp->b_cont = sctp->sctp_err_chunks;
1721 			sctp_set_iplen(sctp, smp, fp->ixa);
1722 			(void) conn_ip_output(smp, fp->ixa);
1723 			BUMP_LOCAL(sctp->sctp_opkts);
1724 			sctp->sctp_err_chunks = NULL;
1725 			sctp->sctp_err_len = 0;
1726 		}
1727 	}
1728 	smp = sctp_make_mp(sctp, sendto, slen);
1729 	if (smp == NULL) {
1730 		SCTP_KSTAT(sctps, sctp_send_sack_failed);
1731 		return (NULL);
1732 	}
1733 	sch = (sctp_chunk_hdr_t *)smp->b_wptr;
1734 
1735 	sctp_fill_sack(sctp, smp->b_wptr, slen);
1736 	smp->b_wptr += slen;
1737 	if (dups != NULL) {
1738 		sc = (sctp_sack_chunk_t *)(sch + 1);
1739 		sc->ssc_numdups = htons(MBLKL(dups) / sizeof (uint32_t));
1740 		sch->sch_len = htons(slen + dups_len);
1741 		smp->b_cont = dups;
1742 	}
1743 
1744 	if (sctp->sctp_err_chunks != NULL) {
1745 		linkb(smp, sctp->sctp_err_chunks);
1746 		sctp->sctp_err_chunks = NULL;
1747 		sctp->sctp_err_len = 0;
1748 	}
1749 	return (smp);
1750 }
1751 
1752 /*
1753  * Check and see if we need to send a SACK chunk.  If it is needed,
1754  * send it out.  Return true if a SACK chunk is sent, false otherwise.
1755  */
1756 boolean_t
1757 sctp_sack(sctp_t *sctp, mblk_t *dups)
1758 {
1759 	mblk_t *smp;
1760 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1761 
1762 	/* If we are shutting down, let send_shutdown() bundle the SACK */
1763 	if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
1764 		sctp_send_shutdown(sctp, 0);
1765 	}
1766 
1767 	ASSERT(sctp->sctp_lastdata != NULL);
1768 
1769 	if ((smp = sctp_make_sack(sctp, sctp->sctp_lastdata, dups)) == NULL) {
1770 		/* The caller of sctp_sack() will not free the dups mblk. */
1771 		if (dups != NULL)
1772 			freeb(dups);
1773 		return (B_FALSE);
1774 	}
1775 	dprint(2, ("sctp_sack: sending to %p %x:%x:%x:%x\n",
1776 	    (void *)sctp->sctp_lastdata,
1777 	    SCTP_PRINTADDR(sctp->sctp_lastdata->faddr)));
1778 
1779 	sctp->sctp_active = lbolt64;
1780 
1781 	BUMP_MIB(&sctps->sctps_mib, sctpOutAck);
1782 
1783 	sctp_set_iplen(sctp, smp, sctp->sctp_lastdata->ixa);
1784 	(void) conn_ip_output(smp, sctp->sctp_lastdata->ixa);
1785 	BUMP_LOCAL(sctp->sctp_opkts);
1786 	return (B_TRUE);
1787 }
1788 
1789 /*
1790  * This is called if we have a message that was partially sent and is
1791  * abandoned. The cum TSN will be the last chunk sent for this message,
1792  * subsequent chunks will be marked ABANDONED. We send a Forward TSN
1793  * chunk in this case with the TSN of the last sent chunk so that the
1794  * peer can clean up its fragment list for this message. This message
1795  * will be removed from the transmit list when the peer sends a SACK
1796  * back.
1797  */
1798 int
1799 sctp_check_abandoned_msg(sctp_t *sctp, mblk_t *meta)
1800 {
1801 	sctp_data_hdr_t	*dh;
1802 	mblk_t		*nmp;
1803 	mblk_t		*head;
1804 	int32_t		unsent = 0;
1805 	mblk_t		*mp1 = meta->b_cont;
1806 	uint32_t	adv_pap = sctp->sctp_adv_pap;
1807 	sctp_faddr_t	*fp = sctp->sctp_current;
1808 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1809 
1810 	dh = (sctp_data_hdr_t *)mp1->b_rptr;
1811 	if (SEQ_GEQ(sctp->sctp_lastack_rxd, ntohl(dh->sdh_tsn))) {
1812 		sctp_ftsn_set_t	*sets = NULL;
1813 		uint_t		nsets = 0;
1814 		uint32_t	seglen = sizeof (uint32_t);
1815 		boolean_t	ubit = SCTP_DATA_GET_UBIT(dh);
1816 
1817 		while (mp1->b_next != NULL && SCTP_CHUNK_ISSENT(mp1->b_next))
1818 			mp1 = mp1->b_next;
1819 		dh = (sctp_data_hdr_t *)mp1->b_rptr;
1820 		sctp->sctp_adv_pap = ntohl(dh->sdh_tsn);
1821 		if (!ubit &&
1822 		    !sctp_add_ftsn_set(&sets, fp, meta, &nsets, &seglen)) {
1823 			sctp->sctp_adv_pap = adv_pap;
1824 			return (ENOMEM);
1825 		}
1826 		nmp = sctp_make_ftsn_chunk(sctp, fp, sets, nsets, seglen);
1827 		sctp_free_ftsn_set(sets);
1828 		if (nmp == NULL) {
1829 			sctp->sctp_adv_pap = adv_pap;
1830 			return (ENOMEM);
1831 		}
1832 		head = sctp_add_proto_hdr(sctp, fp, nmp, 0, NULL);
1833 		if (head == NULL) {
1834 			sctp->sctp_adv_pap = adv_pap;
1835 			freemsg(nmp);
1836 			SCTP_KSTAT(sctps, sctp_send_ftsn_failed);
1837 			return (ENOMEM);
1838 		}
1839 		SCTP_MSG_SET_ABANDONED(meta);
1840 		sctp_set_iplen(sctp, head, fp->ixa);
1841 		(void) conn_ip_output(head, fp->ixa);
1842 		BUMP_LOCAL(sctp->sctp_opkts);
1843 		if (!fp->timer_running)
1844 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1845 		mp1 = mp1->b_next;
1846 		while (mp1 != NULL) {
1847 			ASSERT(!SCTP_CHUNK_ISSENT(mp1));
1848 			ASSERT(!SCTP_CHUNK_ABANDONED(mp1));
1849 			SCTP_ABANDON_CHUNK(mp1);
1850 			dh = (sctp_data_hdr_t *)mp1->b_rptr;
1851 			unsent += ntohs(dh->sdh_len) - sizeof (*dh);
1852 			mp1 = mp1->b_next;
1853 		}
1854 		ASSERT(sctp->sctp_unsent >= unsent);
1855 		sctp->sctp_unsent -= unsent;
1856 		/*
1857 		 * Update ULP the amount of queued data, which is
1858 		 * sent-unack'ed + unsent.
1859 		 */
1860 		if (!SCTP_IS_DETACHED(sctp))
1861 			SCTP_TXQ_UPDATE(sctp);
1862 		return (0);
1863 	}
1864 	return (-1);
1865 }
1866 
1867 uint32_t
1868 sctp_cumack(sctp_t *sctp, uint32_t tsn, mblk_t **first_unacked)
1869 {
1870 	mblk_t *ump, *nump, *mp = NULL;
1871 	uint16_t chunklen;
1872 	uint32_t xtsn;
1873 	sctp_faddr_t *fp;
1874 	sctp_data_hdr_t *sdc;
1875 	uint32_t cumack_forward = 0;
1876 	sctp_msg_hdr_t	*mhdr;
1877 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1878 
1879 	ump = sctp->sctp_xmit_head;
1880 
1881 	/*
1882 	 * Free messages only when they're completely acked.
1883 	 */
1884 	while (ump != NULL) {
1885 		mhdr = (sctp_msg_hdr_t *)ump->b_rptr;
1886 		for (mp = ump->b_cont; mp != NULL; mp = mp->b_next) {
1887 			if (SCTP_CHUNK_ABANDONED(mp)) {
1888 				ASSERT(SCTP_IS_MSG_ABANDONED(ump));
1889 				mp = NULL;
1890 				break;
1891 			}
1892 			/*
1893 			 * We check for abandoned message if we are PR-SCTP
1894 			 * aware, if this is not the first chunk in the
1895 			 * message (b_cont) and if the message is marked
1896 			 * abandoned.
1897 			 */
1898 			if (!SCTP_CHUNK_ISSENT(mp)) {
1899 				if (sctp->sctp_prsctp_aware &&
1900 				    mp != ump->b_cont &&
1901 				    (SCTP_IS_MSG_ABANDONED(ump) ||
1902 				    SCTP_MSG_TO_BE_ABANDONED(ump, mhdr,
1903 				    sctp))) {
1904 					(void) sctp_check_abandoned_msg(sctp,
1905 					    ump);
1906 				}
1907 				goto cum_ack_done;
1908 			}
1909 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
1910 			xtsn = ntohl(sdc->sdh_tsn);
1911 			if (SEQ_GEQ(sctp->sctp_lastack_rxd, xtsn))
1912 				continue;
1913 			if (SEQ_GEQ(tsn, xtsn)) {
1914 				fp = SCTP_CHUNK_DEST(mp);
1915 				chunklen = ntohs(sdc->sdh_len);
1916 
1917 				if (sctp->sctp_out_time != 0 &&
1918 				    xtsn == sctp->sctp_rtt_tsn) {
1919 					/* Got a new RTT measurement */
1920 					sctp_update_rtt(sctp, fp,
1921 					    lbolt64 - sctp->sctp_out_time);
1922 					sctp->sctp_out_time = 0;
1923 				}
1924 				if (SCTP_CHUNK_ISACKED(mp))
1925 					continue;
1926 				SCTP_CHUNK_SET_SACKCNT(mp, 0);
1927 				SCTP_CHUNK_ACKED(mp);
1928 				ASSERT(fp->suna >= chunklen);
1929 				fp->suna -= chunklen;
1930 				fp->acked += chunklen;
1931 				cumack_forward += chunklen;
1932 				ASSERT(sctp->sctp_unacked >=
1933 				    (chunklen - sizeof (*sdc)));
1934 				sctp->sctp_unacked -=
1935 				    (chunklen - sizeof (*sdc));
1936 				if (fp->suna == 0) {
1937 					/* all outstanding data acked */
1938 					fp->pba = 0;
1939 					SCTP_FADDR_TIMER_STOP(fp);
1940 				} else {
1941 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
1942 					    fp->rto);
1943 				}
1944 			} else {
1945 				goto cum_ack_done;
1946 			}
1947 		}
1948 		nump = ump->b_next;
1949 		if (nump != NULL)
1950 			nump->b_prev = NULL;
1951 		if (ump == sctp->sctp_xmit_tail)
1952 			sctp->sctp_xmit_tail = nump;
1953 		if (SCTP_IS_MSG_ABANDONED(ump)) {
1954 			BUMP_LOCAL(sctp->sctp_prsctpdrop);
1955 			ump->b_next = NULL;
1956 			sctp_sendfail_event(sctp, ump, 0, B_TRUE);
1957 		} else {
1958 			sctp_free_msg(ump);
1959 		}
1960 		sctp->sctp_xmit_head = ump = nump;
1961 	}
1962 cum_ack_done:
1963 	*first_unacked = mp;
1964 	if (cumack_forward > 0) {
1965 		BUMP_MIB(&sctps->sctps_mib, sctpInAck);
1966 		if (SEQ_GT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn)) {
1967 			sctp->sctp_recovery_tsn = sctp->sctp_lastack_rxd;
1968 		}
1969 
1970 		/*
1971 		 * Update ULP the amount of queued data, which is
1972 		 * sent-unack'ed + unsent.
1973 		 */
1974 		if (!SCTP_IS_DETACHED(sctp))
1975 			SCTP_TXQ_UPDATE(sctp);
1976 
1977 		/* Time to send a shutdown? */
1978 		if (sctp->sctp_state == SCTPS_SHUTDOWN_PENDING) {
1979 			sctp_send_shutdown(sctp, 0);
1980 		}
1981 		sctp->sctp_xmit_unacked = mp;
1982 	} else {
1983 		/* dup ack */
1984 		BUMP_MIB(&sctps->sctps_mib, sctpInDupAck);
1985 	}
1986 	sctp->sctp_lastack_rxd = tsn;
1987 	if (SEQ_LT(sctp->sctp_adv_pap, sctp->sctp_lastack_rxd))
1988 		sctp->sctp_adv_pap = sctp->sctp_lastack_rxd;
1989 	ASSERT(sctp->sctp_xmit_head || sctp->sctp_unacked == 0);
1990 
1991 	return (cumack_forward);
1992 }
1993 
1994 static int
1995 sctp_set_frwnd(sctp_t *sctp, uint32_t frwnd)
1996 {
1997 	uint32_t orwnd;
1998 
1999 	if (sctp->sctp_unacked > frwnd) {
2000 		sctp->sctp_frwnd = 0;
2001 		return (0);
2002 	}
2003 	orwnd = sctp->sctp_frwnd;
2004 	sctp->sctp_frwnd = frwnd - sctp->sctp_unacked;
2005 	if (orwnd < sctp->sctp_frwnd) {
2006 		return (1);
2007 	} else {
2008 		return (0);
2009 	}
2010 }
2011 
2012 /*
2013  * For un-ordered messages.
2014  * Walk the sctp->sctp_uo_frag list and remove any fragments with TSN
2015  * less than/equal to ftsn. Fragments for un-ordered messages are
2016  * strictly in sequence (w.r.t TSN).
2017  */
2018 static int
2019 sctp_ftsn_check_uo_frag(sctp_t *sctp, uint32_t ftsn)
2020 {
2021 	mblk_t		*hmp;
2022 	mblk_t		*hmp_next;
2023 	sctp_data_hdr_t	*dc;
2024 	int		dlen = 0;
2025 
2026 	hmp = sctp->sctp_uo_frags;
2027 	while (hmp != NULL) {
2028 		hmp_next = hmp->b_next;
2029 		dc = (sctp_data_hdr_t *)hmp->b_rptr;
2030 		if (SEQ_GT(ntohl(dc->sdh_tsn), ftsn))
2031 			return (dlen);
2032 		sctp->sctp_uo_frags = hmp_next;
2033 		if (hmp_next != NULL)
2034 			hmp_next->b_prev = NULL;
2035 		hmp->b_next = NULL;
2036 		dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2037 		freeb(hmp);
2038 		hmp = hmp_next;
2039 	}
2040 	return (dlen);
2041 }
2042 
2043 /*
2044  * For ordered messages.
2045  * Check for existing fragments for an sid-ssn pair reported as abandoned,
2046  * hence will not receive, in the Forward TSN. If there are fragments, then
2047  * we just nuke them. If and when Partial Delivery API is supported, we
2048  * would need to send a notification to the upper layer about this.
2049  */
2050 static int
2051 sctp_ftsn_check_frag(sctp_t *sctp, uint16_t ssn, sctp_instr_t *sip)
2052 {
2053 	sctp_reass_t	*srp;
2054 	mblk_t		*hmp;
2055 	mblk_t		*dmp;
2056 	mblk_t		*hmp_next;
2057 	sctp_data_hdr_t	*dc;
2058 	int		dlen = 0;
2059 
2060 	hmp = sip->istr_reass;
2061 	while (hmp != NULL) {
2062 		hmp_next = hmp->b_next;
2063 		srp = (sctp_reass_t *)DB_BASE(hmp);
2064 		if (SSN_GT(srp->ssn, ssn))
2065 			return (dlen);
2066 		/*
2067 		 * If we had sent part of this message up, send a partial
2068 		 * delivery event. Since this is ordered delivery, we should
2069 		 * have sent partial message only for the next in sequence,
2070 		 * hence the ASSERT. See comments in sctp_data_chunk() for
2071 		 * trypartial.
2072 		 */
2073 		if (srp->partial_delivered) {
2074 			ASSERT(sip->nextseq == srp->ssn);
2075 			sctp_partial_delivery_event(sctp);
2076 		}
2077 		/* Take it out of the reass queue */
2078 		sip->istr_reass = hmp_next;
2079 		if (hmp_next != NULL)
2080 			hmp_next->b_prev = NULL;
2081 		hmp->b_next = NULL;
2082 		ASSERT(hmp->b_prev == NULL);
2083 		dmp = hmp;
2084 		ASSERT(DB_TYPE(hmp) == M_CTL);
2085 		dmp = hmp->b_cont;
2086 		hmp->b_cont = NULL;
2087 		freeb(hmp);
2088 		hmp = dmp;
2089 		while (dmp != NULL) {
2090 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2091 			dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2092 			dmp = dmp->b_cont;
2093 		}
2094 		freemsg(hmp);
2095 		hmp = hmp_next;
2096 	}
2097 	return (dlen);
2098 }
2099 
2100 /*
2101  * Update sctp_ftsn to the cumulative TSN from the Forward TSN chunk. Remove
2102  * any SACK gaps less than the newly updated sctp_ftsn. Walk through the
2103  * sid-ssn pair in the Forward TSN and for each, clean the fragment list
2104  * for this pair, if needed, and check if we can deliver subsequent
2105  * messages, if any, from the instream queue (that were waiting for this
2106  * sid-ssn message to show up). Once we are done try to update the SACK
2107  * info. We could get a duplicate Forward TSN, in which case just send
2108  * a SACK. If any of the sid values in the Forward TSN is invalid,
2109  * send back an "Invalid Stream Identifier" error and continue processing
2110  * the rest.
2111  */
2112 static void
2113 sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
2114     ip_pkt_t *ipp, ip_recv_attr_t *ira)
2115 {
2116 	uint32_t	*ftsn = (uint32_t *)(ch + 1);
2117 	ftsn_entry_t	*ftsn_entry;
2118 	sctp_instr_t	*instr;
2119 	boolean_t	can_deliver = B_TRUE;
2120 	size_t		dlen;
2121 	int		flen;
2122 	mblk_t		*dmp;
2123 	mblk_t		*pmp;
2124 	sctp_data_hdr_t	*dc;
2125 	ssize_t		remaining;
2126 	sctp_stack_t	*sctps = sctp->sctp_sctps;
2127 
2128 	*ftsn = ntohl(*ftsn);
2129 	remaining =  ntohs(ch->sch_len) - sizeof (*ch) - sizeof (*ftsn);
2130 
2131 	if (SCTP_IS_DETACHED(sctp)) {
2132 		BUMP_MIB(&sctps->sctps_mib, sctpInClosed);
2133 		can_deliver = B_FALSE;
2134 	}
2135 	/*
2136 	 * un-ordered messages don't have SID-SSN pair entries, we check
2137 	 * for any fragments (for un-ordered message) to be discarded using
2138 	 * the cumulative FTSN.
2139 	 */
2140 	flen = sctp_ftsn_check_uo_frag(sctp, *ftsn);
2141 	if (flen > 0) {
2142 		ASSERT(sctp->sctp_rxqueued >= flen);
2143 		sctp->sctp_rxqueued -= flen;
2144 	}
2145 	ftsn_entry = (ftsn_entry_t *)(ftsn + 1);
2146 	while (remaining >= sizeof (*ftsn_entry)) {
2147 		ftsn_entry->ftsn_sid = ntohs(ftsn_entry->ftsn_sid);
2148 		ftsn_entry->ftsn_ssn = ntohs(ftsn_entry->ftsn_ssn);
2149 		if (ftsn_entry->ftsn_sid >= sctp->sctp_num_istr) {
2150 			sctp_bsc_t	inval_parm;
2151 
2152 			/* Will populate the CAUSE block in the ERROR chunk. */
2153 			inval_parm.bsc_sid = htons(ftsn_entry->ftsn_sid);
2154 			/* RESERVED, ignored at the receiving end */
2155 			inval_parm.bsc_pad = 0;
2156 
2157 			sctp_add_err(sctp, SCTP_ERR_BAD_SID,
2158 			    (void *)&inval_parm, sizeof (sctp_bsc_t), fp);
2159 			ftsn_entry++;
2160 			remaining -= sizeof (*ftsn_entry);
2161 			continue;
2162 		}
2163 		instr = &sctp->sctp_instr[ftsn_entry->ftsn_sid];
2164 		flen = sctp_ftsn_check_frag(sctp, ftsn_entry->ftsn_ssn, instr);
2165 		/* Indicates frags were nuked, update rxqueued */
2166 		if (flen > 0) {
2167 			ASSERT(sctp->sctp_rxqueued >= flen);
2168 			sctp->sctp_rxqueued -= flen;
2169 		}
2170 		/*
2171 		 * It is possible to receive an FTSN chunk with SSN smaller
2172 		 * than then nextseq if this chunk is a retransmission because
2173 		 * of incomplete processing when it was first processed.
2174 		 */
2175 		if (SSN_GE(ftsn_entry->ftsn_ssn, instr->nextseq))
2176 			instr->nextseq = ftsn_entry->ftsn_ssn + 1;
2177 		while (instr->istr_nmsgs > 0) {
2178 			mblk_t	*next;
2179 
2180 			dmp = (mblk_t *)instr->istr_msgs;
2181 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2182 			if (ntohs(dc->sdh_ssn) != instr->nextseq)
2183 				break;
2184 
2185 			next = dmp->b_next;
2186 			dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
2187 			for (pmp = dmp->b_cont; pmp != NULL;
2188 			    pmp = pmp->b_cont) {
2189 				dlen += MBLKL(pmp);
2190 			}
2191 			if (can_deliver) {
2192 				int32_t	nrwnd;
2193 				int error;
2194 
2195 				dmp->b_rptr = (uchar_t *)(dc + 1);
2196 				dmp->b_next = NULL;
2197 				ASSERT(dmp->b_prev == NULL);
2198 				if (sctp_input_add_ancillary(sctp,
2199 				    &dmp, dc, fp, ipp, ira) == 0) {
2200 					sctp->sctp_rxqueued -= dlen;
2201 					sctp->sctp_rwnd -= dlen;
2202 					/*
2203 					 * Override b_flag for SCTP sockfs
2204 					 * internal use
2205 					 */
2206 
2207 					dmp->b_flag = 0;
2208 					nrwnd = sctp->sctp_ulp_recv(
2209 					    sctp->sctp_ulpd, dmp, msgdsize(dmp),
2210 					    0, &error, NULL);
2211 					if (nrwnd < 0)
2212 						sctp->sctp_rwnd = 0;
2213 					else if (nrwnd > sctp->sctp_rwnd)
2214 						sctp->sctp_rwnd = nrwnd;
2215 				} else {
2216 					/*
2217 					 * We will resume processing when
2218 					 * the FTSN chunk is re-xmitted.
2219 					 */
2220 					dmp->b_rptr = (uchar_t *)dc;
2221 					dmp->b_next = next;
2222 					dprint(0,
2223 					    ("FTSN dequeuing %u failed\n",
2224 					    ntohs(dc->sdh_ssn)));
2225 					return;
2226 				}
2227 			} else {
2228 				sctp->sctp_rxqueued -= dlen;
2229 				ASSERT(dmp->b_prev == NULL);
2230 				dmp->b_next = NULL;
2231 				freemsg(dmp);
2232 			}
2233 			instr->istr_nmsgs--;
2234 			instr->nextseq++;
2235 			sctp->sctp_istr_nmsgs--;
2236 			if (next != NULL)
2237 				next->b_prev = NULL;
2238 			instr->istr_msgs = next;
2239 		}
2240 		ftsn_entry++;
2241 		remaining -= sizeof (*ftsn_entry);
2242 	}
2243 	/* Duplicate FTSN */
2244 	if (*ftsn <= (sctp->sctp_ftsn - 1)) {
2245 		sctp->sctp_force_sack = 1;
2246 		return;
2247 	}
2248 	/* Advance cum TSN to that reported in the Forward TSN chunk */
2249 	sctp->sctp_ftsn = *ftsn + 1;
2250 
2251 	/* Remove all the SACK gaps before the new cum TSN */
2252 	if (sctp->sctp_sack_info != NULL) {
2253 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2254 		    &sctp->sctp_sack_gaps);
2255 	}
2256 	/*
2257 	 * If there are gap reports pending, check if advancing
2258 	 * the ftsn here closes a gap. If so, we can advance
2259 	 * ftsn to the end of the set.
2260 	 * If ftsn has moved forward, maybe we can remove gap reports.
2261 	 */
2262 	if (sctp->sctp_sack_info != NULL &&
2263 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
2264 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
2265 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2266 		    &sctp->sctp_sack_gaps);
2267 	}
2268 }
2269 
2270 /*
2271  * When we have processed a SACK we check to see if we can advance the
2272  * cumulative TSN if there are abandoned chunks immediately following
2273  * the updated cumulative TSN. If there are, we attempt to send a
2274  * Forward TSN chunk.
2275  */
2276 static void
2277 sctp_check_abandoned_data(sctp_t *sctp, sctp_faddr_t *fp)
2278 {
2279 	mblk_t		*meta = sctp->sctp_xmit_head;
2280 	mblk_t		*mp;
2281 	mblk_t		*nmp;
2282 	uint32_t	seglen;
2283 	uint32_t	adv_pap = sctp->sctp_adv_pap;
2284 
2285 	/*
2286 	 * We only check in the first meta since otherwise we can't
2287 	 * advance the cumulative ack point. We just look for chunks
2288 	 * marked for retransmission, else we might prematurely
2289 	 * send an FTSN for a sent, but unacked, chunk.
2290 	 */
2291 	for (mp = meta->b_cont; mp != NULL; mp = mp->b_next) {
2292 		if (!SCTP_CHUNK_ISSENT(mp))
2293 			return;
2294 		if (SCTP_CHUNK_WANT_REXMIT(mp))
2295 			break;
2296 	}
2297 	if (mp == NULL)
2298 		return;
2299 	sctp_check_adv_ack_pt(sctp, meta, mp);
2300 	if (SEQ_GT(sctp->sctp_adv_pap, adv_pap)) {
2301 		sctp_make_ftsns(sctp, meta, mp, &nmp, fp, &seglen);
2302 		if (nmp == NULL) {
2303 			sctp->sctp_adv_pap = adv_pap;
2304 			if (!fp->timer_running)
2305 				SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2306 			return;
2307 		}
2308 		sctp_set_iplen(sctp, nmp, fp->ixa);
2309 		(void) conn_ip_output(nmp, fp->ixa);
2310 		BUMP_LOCAL(sctp->sctp_opkts);
2311 		if (!fp->timer_running)
2312 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2313 	}
2314 }
2315 
2316 /*
2317  * The processing here follows the same logic in sctp_got_sack(), the reason
2318  * we do this separately is because, usually, gap blocks are ordered and
2319  * we can process it in sctp_got_sack(). However if they aren't we would
2320  * need to do some additional non-optimal stuff when we start processing the
2321  * unordered gaps. To that effect sctp_got_sack() does the processing in the
2322  * simple case and this does the same in the more involved case.
2323  */
2324 static uint32_t
2325 sctp_process_uo_gaps(sctp_t *sctp, uint32_t ctsn, sctp_sack_frag_t *ssf,
2326     int num_gaps, mblk_t *umphead, mblk_t *mphead, int *trysend,
2327     boolean_t *fast_recovery, uint32_t fr_xtsn)
2328 {
2329 	uint32_t		xtsn;
2330 	uint32_t		gapstart = 0;
2331 	uint32_t		gapend = 0;
2332 	int			gapcnt;
2333 	uint16_t		chunklen;
2334 	sctp_data_hdr_t		*sdc;
2335 	int			gstart;
2336 	mblk_t			*ump = umphead;
2337 	mblk_t			*mp = mphead;
2338 	sctp_faddr_t		*fp;
2339 	uint32_t		acked = 0;
2340 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2341 
2342 	/*
2343 	 * gstart tracks the last (in the order of TSN) gapstart that
2344 	 * we process in this SACK gaps walk.
2345 	 */
2346 	gstart = ctsn;
2347 
2348 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2349 	xtsn = ntohl(sdc->sdh_tsn);
2350 	for (gapcnt = 0; gapcnt < num_gaps; gapcnt++, ssf++) {
2351 		if (gapstart != 0) {
2352 			/*
2353 			 * If we have reached the end of the transmit list or
2354 			 * hit an unsent chunk or encountered an unordered gap
2355 			 * block start from the ctsn again.
2356 			 */
2357 			if (ump == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2358 			    SEQ_LT(ctsn + ntohs(ssf->ssf_start), xtsn)) {
2359 				ump = umphead;
2360 				mp = mphead;
2361 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2362 				xtsn = ntohl(sdc->sdh_tsn);
2363 			}
2364 		}
2365 
2366 		gapstart = ctsn + ntohs(ssf->ssf_start);
2367 		gapend = ctsn + ntohs(ssf->ssf_end);
2368 
2369 		/*
2370 		 * Sanity checks:
2371 		 *
2372 		 * 1. SACK for TSN we have not sent - ABORT
2373 		 * 2. Invalid or spurious gaps, ignore all gaps
2374 		 */
2375 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2376 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2377 			BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2378 			*trysend = -1;
2379 			return (acked);
2380 		} else if (SEQ_LT(gapend, gapstart) ||
2381 		    SEQ_LEQ(gapstart, ctsn)) {
2382 			break;
2383 		}
2384 		/*
2385 		 * The xtsn can be the TSN processed for the last gap
2386 		 * (gapend) or it could be the cumulative TSN. We continue
2387 		 * with the last xtsn as long as the gaps are ordered, when
2388 		 * we hit an unordered gap, we re-start from the cumulative
2389 		 * TSN. For the first gap it is always the cumulative TSN.
2390 		 */
2391 		while (xtsn != gapstart) {
2392 			/*
2393 			 * We can't reliably check for reneged chunks
2394 			 * when walking the unordered list, so we don't.
2395 			 * In case the peer reneges then we will end up
2396 			 * sending the reneged chunk via timeout.
2397 			 */
2398 			mp = mp->b_next;
2399 			if (mp == NULL) {
2400 				ump = ump->b_next;
2401 				/*
2402 				 * ump can't be NULL because of the sanity
2403 				 * check above.
2404 				 */
2405 				ASSERT(ump != NULL);
2406 				mp = ump->b_cont;
2407 			}
2408 			/*
2409 			 * mp can't be unsent because of the sanity check
2410 			 * above.
2411 			 */
2412 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2413 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2414 			xtsn = ntohl(sdc->sdh_tsn);
2415 		}
2416 		/*
2417 		 * Now that we have found the chunk with TSN == 'gapstart',
2418 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2419 		 * All intermediate chunks will be marked ACKED, if they
2420 		 * haven't already been.
2421 		 */
2422 		while (SEQ_LEQ(xtsn, gapend)) {
2423 			/*
2424 			 * SACKed
2425 			 */
2426 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2427 			if (!SCTP_CHUNK_ISACKED(mp)) {
2428 				SCTP_CHUNK_ACKED(mp);
2429 
2430 				fp = SCTP_CHUNK_DEST(mp);
2431 				chunklen = ntohs(sdc->sdh_len);
2432 				ASSERT(fp->suna >= chunklen);
2433 				fp->suna -= chunklen;
2434 				if (fp->suna == 0) {
2435 					/* All outstanding data acked. */
2436 					fp->pba = 0;
2437 					SCTP_FADDR_TIMER_STOP(fp);
2438 				}
2439 				fp->acked += chunklen;
2440 				acked += chunklen;
2441 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2442 				ASSERT(sctp->sctp_unacked >= 0);
2443 			}
2444 			/*
2445 			 * Move to the next message in the transmit list
2446 			 * if we are done with all the chunks from the current
2447 			 * message. Note, it is possible to hit the end of the
2448 			 * transmit list here, i.e. if we have already completed
2449 			 * processing the gap block.
2450 			 */
2451 			mp = mp->b_next;
2452 			if (mp == NULL) {
2453 				ump = ump->b_next;
2454 				if (ump == NULL) {
2455 					ASSERT(xtsn == gapend);
2456 					break;
2457 				}
2458 				mp = ump->b_cont;
2459 			}
2460 			/*
2461 			 * Likewise, we can hit an unsent chunk once we have
2462 			 * completed processing the gap block.
2463 			 */
2464 			if (!SCTP_CHUNK_ISSENT(mp)) {
2465 				ASSERT(xtsn == gapend);
2466 				break;
2467 			}
2468 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2469 			xtsn = ntohl(sdc->sdh_tsn);
2470 		}
2471 		/*
2472 		 * We keep track of the last gap we successfully processed
2473 		 * so that we can terminate the walk below for incrementing
2474 		 * the SACK count.
2475 		 */
2476 		if (SEQ_LT(gstart, gapstart))
2477 			gstart = gapstart;
2478 	}
2479 	/*
2480 	 * Check if have incremented the SACK count for all unacked TSNs in
2481 	 * sctp_got_sack(), if so we are done.
2482 	 */
2483 	if (SEQ_LEQ(gstart, fr_xtsn))
2484 		return (acked);
2485 
2486 	ump = umphead;
2487 	mp = mphead;
2488 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2489 	xtsn = ntohl(sdc->sdh_tsn);
2490 	while (SEQ_LT(xtsn, gstart)) {
2491 		/*
2492 		 * We have incremented SACK count for TSNs less than fr_tsn
2493 		 * in sctp_got_sack(), so don't increment them again here.
2494 		 */
2495 		if (SEQ_GT(xtsn, fr_xtsn) && !SCTP_CHUNK_ISACKED(mp)) {
2496 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2497 			if (SCTP_CHUNK_SACKCNT(mp) ==
2498 			    sctps->sctps_fast_rxt_thresh) {
2499 				SCTP_CHUNK_REXMIT(mp);
2500 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2501 				*trysend = 1;
2502 				if (!*fast_recovery) {
2503 					/*
2504 					 * Entering fast recovery.
2505 					 */
2506 					fp = SCTP_CHUNK_DEST(mp);
2507 					fp->ssthresh = fp->cwnd / 2;
2508 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2509 						fp->ssthresh =
2510 						    2 * fp->sfa_pmss;
2511 					}
2512 					fp->cwnd = fp->ssthresh;
2513 					fp->pba = 0;
2514 					sctp->sctp_recovery_tsn =
2515 					    sctp->sctp_ltsn - 1;
2516 					*fast_recovery = B_TRUE;
2517 				}
2518 			}
2519 		}
2520 		mp = mp->b_next;
2521 		if (mp == NULL) {
2522 			ump = ump->b_next;
2523 			/* We can't get to the end of the transmit list here */
2524 			ASSERT(ump != NULL);
2525 			mp = ump->b_cont;
2526 		}
2527 		/* We can't hit an unsent chunk here */
2528 		ASSERT(SCTP_CHUNK_ISSENT(mp));
2529 		sdc = (sctp_data_hdr_t *)mp->b_rptr;
2530 		xtsn = ntohl(sdc->sdh_tsn);
2531 	}
2532 	return (acked);
2533 }
2534 
2535 static int
2536 sctp_got_sack(sctp_t *sctp, sctp_chunk_hdr_t *sch)
2537 {
2538 	sctp_sack_chunk_t	*sc;
2539 	sctp_data_hdr_t		*sdc;
2540 	sctp_sack_frag_t	*ssf;
2541 	mblk_t			*ump;
2542 	mblk_t			*mp;
2543 	mblk_t			*mp1;
2544 	uint32_t		cumtsn;
2545 	uint32_t		xtsn;
2546 	uint32_t		gapstart = 0;
2547 	uint32_t		gapend = 0;
2548 	uint32_t		acked = 0;
2549 	uint16_t		chunklen;
2550 	sctp_faddr_t		*fp;
2551 	int			num_gaps;
2552 	int			trysend = 0;
2553 	int			i;
2554 	boolean_t		fast_recovery = B_FALSE;
2555 	boolean_t		cumack_forward = B_FALSE;
2556 	boolean_t		fwd_tsn = B_FALSE;
2557 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2558 
2559 	BUMP_LOCAL(sctp->sctp_ibchunks);
2560 	BUMP_LOCAL(sctp->sctp_isacks);
2561 	chunklen = ntohs(sch->sch_len);
2562 	if (chunklen < (sizeof (*sch) + sizeof (*sc)))
2563 		return (0);
2564 
2565 	sc = (sctp_sack_chunk_t *)(sch + 1);
2566 	cumtsn = ntohl(sc->ssc_cumtsn);
2567 
2568 	dprint(2, ("got sack cumtsn %x -> %x\n", sctp->sctp_lastack_rxd,
2569 	    cumtsn));
2570 
2571 	/* out of order */
2572 	if (SEQ_LT(cumtsn, sctp->sctp_lastack_rxd))
2573 		return (0);
2574 
2575 	if (SEQ_GT(cumtsn, sctp->sctp_ltsn - 1)) {
2576 		BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2577 		/* Send an ABORT */
2578 		return (-1);
2579 	}
2580 
2581 	/*
2582 	 * Cwnd only done when not in fast recovery mode.
2583 	 */
2584 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn))
2585 		fast_recovery = B_TRUE;
2586 
2587 	/*
2588 	 * .. and if the cum TSN is not moving ahead on account Forward TSN
2589 	 */
2590 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_adv_pap))
2591 		fwd_tsn = B_TRUE;
2592 
2593 	if (cumtsn == sctp->sctp_lastack_rxd &&
2594 	    (sctp->sctp_xmit_unacked == NULL ||
2595 	    !SCTP_CHUNK_ABANDONED(sctp->sctp_xmit_unacked))) {
2596 		if (sctp->sctp_xmit_unacked != NULL)
2597 			mp = sctp->sctp_xmit_unacked;
2598 		else if (sctp->sctp_xmit_head != NULL)
2599 			mp = sctp->sctp_xmit_head->b_cont;
2600 		else
2601 			mp = NULL;
2602 		BUMP_MIB(&sctps->sctps_mib, sctpInDupAck);
2603 		/*
2604 		 * If we were doing a zero win probe and the win
2605 		 * has now opened to at least MSS, re-transmit the
2606 		 * zero win probe via sctp_rexmit_packet().
2607 		 */
2608 		if (mp != NULL && sctp->sctp_zero_win_probe &&
2609 		    ntohl(sc->ssc_a_rwnd) >= sctp->sctp_current->sfa_pmss) {
2610 			mblk_t	*pkt;
2611 			uint_t	pkt_len;
2612 			mblk_t	*mp1 = mp;
2613 			mblk_t	*meta = sctp->sctp_xmit_head;
2614 
2615 			/*
2616 			 * Reset the RTO since we have been backing-off
2617 			 * to send the ZWP.
2618 			 */
2619 			fp = sctp->sctp_current;
2620 			fp->rto = fp->srtt + 4 * fp->rttvar;
2621 			SCTP_MAX_RTO(sctp, fp);
2622 			/* Resend the ZWP */
2623 			pkt = sctp_rexmit_packet(sctp, &meta, &mp1, fp,
2624 			    &pkt_len);
2625 			if (pkt == NULL) {
2626 				SCTP_KSTAT(sctps, sctp_ss_rexmit_failed);
2627 				return (0);
2628 			}
2629 			ASSERT(pkt_len <= fp->sfa_pmss);
2630 			sctp->sctp_zero_win_probe = B_FALSE;
2631 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2632 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2633 			sctp_set_iplen(sctp, pkt, fp->ixa);
2634 			(void) conn_ip_output(pkt, fp->ixa);
2635 			BUMP_LOCAL(sctp->sctp_opkts);
2636 		}
2637 	} else {
2638 		if (sctp->sctp_zero_win_probe) {
2639 			/*
2640 			 * Reset the RTO since we have been backing-off
2641 			 * to send the ZWP.
2642 			 */
2643 			fp = sctp->sctp_current;
2644 			fp->rto = fp->srtt + 4 * fp->rttvar;
2645 			SCTP_MAX_RTO(sctp, fp);
2646 			sctp->sctp_zero_win_probe = B_FALSE;
2647 			/* This is probably not required */
2648 			if (!sctp->sctp_rexmitting) {
2649 				sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2650 				sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2651 			}
2652 		}
2653 		acked = sctp_cumack(sctp, cumtsn, &mp);
2654 		sctp->sctp_xmit_unacked = mp;
2655 		if (acked > 0) {
2656 			trysend = 1;
2657 			cumack_forward = B_TRUE;
2658 			if (fwd_tsn && SEQ_GEQ(sctp->sctp_lastack_rxd,
2659 			    sctp->sctp_adv_pap)) {
2660 				cumack_forward = B_FALSE;
2661 			}
2662 		}
2663 	}
2664 	num_gaps = ntohs(sc->ssc_numfrags);
2665 	UPDATE_LOCAL(sctp->sctp_gapcnt, num_gaps);
2666 	if (num_gaps == 0 || mp == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2667 	    chunklen < (sizeof (*sch) + sizeof (*sc) +
2668 	    num_gaps * sizeof (*ssf))) {
2669 		goto ret;
2670 	}
2671 #ifdef	DEBUG
2672 	/*
2673 	 * Since we delete any message that has been acked completely,
2674 	 * the unacked chunk must belong to sctp_xmit_head (as
2675 	 * we don't have a back pointer from the mp to the meta data
2676 	 * we do this).
2677 	 */
2678 	{
2679 		mblk_t	*mp2 = sctp->sctp_xmit_head->b_cont;
2680 
2681 		while (mp2 != NULL) {
2682 			if (mp2 == mp)
2683 				break;
2684 			mp2 = mp2->b_next;
2685 		}
2686 		ASSERT(mp2 != NULL);
2687 	}
2688 #endif
2689 	ump = sctp->sctp_xmit_head;
2690 
2691 	/*
2692 	 * Just remember where we started from, in case we need to call
2693 	 * sctp_process_uo_gaps() if the gap blocks are unordered.
2694 	 */
2695 	mp1 = mp;
2696 
2697 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2698 	xtsn = ntohl(sdc->sdh_tsn);
2699 	ASSERT(xtsn == cumtsn + 1);
2700 
2701 	/*
2702 	 * Go through SACK gaps. They are ordered based on start TSN.
2703 	 */
2704 	ssf = (sctp_sack_frag_t *)(sc + 1);
2705 	for (i = 0; i < num_gaps; i++, ssf++) {
2706 		if (gapstart != 0) {
2707 			/* check for unordered gap */
2708 			if (SEQ_LEQ(cumtsn + ntohs(ssf->ssf_start), gapstart)) {
2709 				acked += sctp_process_uo_gaps(sctp,
2710 				    cumtsn, ssf, num_gaps - i,
2711 				    sctp->sctp_xmit_head, mp1,
2712 				    &trysend, &fast_recovery, gapstart);
2713 				if (trysend < 0) {
2714 					BUMP_MIB(&sctps->sctps_mib,
2715 					    sctpInAckUnsent);
2716 					return (-1);
2717 				}
2718 				break;
2719 			}
2720 		}
2721 		gapstart = cumtsn + ntohs(ssf->ssf_start);
2722 		gapend = cumtsn + ntohs(ssf->ssf_end);
2723 
2724 		/*
2725 		 * Sanity checks:
2726 		 *
2727 		 * 1. SACK for TSN we have not sent - ABORT
2728 		 * 2. Invalid or spurious gaps, ignore all gaps
2729 		 */
2730 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2731 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2732 			BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2733 			return (-1);
2734 		} else if (SEQ_LT(gapend, gapstart) ||
2735 		    SEQ_LEQ(gapstart, cumtsn)) {
2736 			break;
2737 		}
2738 		/*
2739 		 * Let's start at the current TSN (for the 1st gap we start
2740 		 * from the cumulative TSN, for subsequent ones we start from
2741 		 * where the previous gapend was found - second while loop
2742 		 * below) and walk the transmit list till we find the TSN
2743 		 * corresponding to gapstart. All the unacked chunks till we
2744 		 * get to the chunk with TSN == gapstart will have their
2745 		 * SACKCNT incremented by 1. Note since the gap blocks are
2746 		 * ordered, we won't be incrementing the SACKCNT for an
2747 		 * unacked chunk by more than one while processing the gap
2748 		 * blocks. If the SACKCNT for any unacked chunk exceeds
2749 		 * the fast retransmit threshold, we will fast retransmit
2750 		 * after processing all the gap blocks.
2751 		 */
2752 		ASSERT(SEQ_LEQ(xtsn, gapstart));
2753 		while (xtsn != gapstart) {
2754 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2755 			if (SCTP_CHUNK_SACKCNT(mp) ==
2756 			    sctps->sctps_fast_rxt_thresh) {
2757 				SCTP_CHUNK_REXMIT(mp);
2758 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2759 				trysend = 1;
2760 				if (!fast_recovery) {
2761 					/*
2762 					 * Entering fast recovery.
2763 					 */
2764 					fp = SCTP_CHUNK_DEST(mp);
2765 					fp->ssthresh = fp->cwnd / 2;
2766 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2767 						fp->ssthresh =
2768 						    2 * fp->sfa_pmss;
2769 					}
2770 					fp->cwnd = fp->ssthresh;
2771 					fp->pba = 0;
2772 					sctp->sctp_recovery_tsn =
2773 					    sctp->sctp_ltsn - 1;
2774 					fast_recovery = B_TRUE;
2775 				}
2776 			}
2777 
2778 			/*
2779 			 * Peer may have reneged on this chunk, so un-sack
2780 			 * it now. If the peer did renege, we need to
2781 			 * readjust unacked.
2782 			 */
2783 			if (SCTP_CHUNK_ISACKED(mp)) {
2784 				chunklen = ntohs(sdc->sdh_len);
2785 				fp = SCTP_CHUNK_DEST(mp);
2786 				fp->suna += chunklen;
2787 				sctp->sctp_unacked += chunklen - sizeof (*sdc);
2788 				SCTP_CHUNK_CLEAR_ACKED(mp);
2789 				if (!fp->timer_running) {
2790 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
2791 					    fp->rto);
2792 				}
2793 			}
2794 
2795 			mp = mp->b_next;
2796 			if (mp == NULL) {
2797 				ump = ump->b_next;
2798 				/*
2799 				 * ump can't be NULL given the sanity check
2800 				 * above.  But if it is NULL, it means that
2801 				 * there is a data corruption.  We'd better
2802 				 * panic.
2803 				 */
2804 				if (ump == NULL) {
2805 					panic("Memory corruption detected: gap "
2806 					    "start TSN 0x%x missing from the "
2807 					    "xmit list: %p", gapstart,
2808 					    (void *)sctp);
2809 				}
2810 				mp = ump->b_cont;
2811 			}
2812 			/*
2813 			 * mp can't be unsent given the sanity check above.
2814 			 */
2815 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2816 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2817 			xtsn = ntohl(sdc->sdh_tsn);
2818 		}
2819 		/*
2820 		 * Now that we have found the chunk with TSN == 'gapstart',
2821 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2822 		 * All intermediate chunks will be marked ACKED, if they
2823 		 * haven't already been.
2824 		 */
2825 		while (SEQ_LEQ(xtsn, gapend)) {
2826 			/*
2827 			 * SACKed
2828 			 */
2829 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2830 			if (!SCTP_CHUNK_ISACKED(mp)) {
2831 				SCTP_CHUNK_ACKED(mp);
2832 
2833 				fp = SCTP_CHUNK_DEST(mp);
2834 				chunklen = ntohs(sdc->sdh_len);
2835 				ASSERT(fp->suna >= chunklen);
2836 				fp->suna -= chunklen;
2837 				if (fp->suna == 0) {
2838 					/* All outstanding data acked. */
2839 					fp->pba = 0;
2840 					SCTP_FADDR_TIMER_STOP(fp);
2841 				}
2842 				fp->acked += chunklen;
2843 				acked += chunklen;
2844 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2845 				ASSERT(sctp->sctp_unacked >= 0);
2846 			}
2847 			/* Go to the next chunk of the current message */
2848 			mp = mp->b_next;
2849 			/*
2850 			 * Move to the next message in the transmit list
2851 			 * if we are done with all the chunks from the current
2852 			 * message. Note, it is possible to hit the end of the
2853 			 * transmit list here, i.e. if we have already completed
2854 			 * processing the gap block.  But the TSN must be equal
2855 			 * to the gapend because of the above sanity check.
2856 			 * If it is not equal, it means that some data is
2857 			 * missing.
2858 			 * Also, note that we break here, which means we
2859 			 * continue processing gap blocks, if any. In case of
2860 			 * ordered gap blocks there can't be any following
2861 			 * this (if there is it will fail the sanity check
2862 			 * above). In case of un-ordered gap blocks we will
2863 			 * switch to sctp_process_uo_gaps().  In either case
2864 			 * it should be fine to continue with NULL ump/mp,
2865 			 * but we just reset it to xmit_head.
2866 			 */
2867 			if (mp == NULL) {
2868 				ump = ump->b_next;
2869 				if (ump == NULL) {
2870 					if (xtsn != gapend) {
2871 						panic("Memory corruption "
2872 						    "detected: gap end TSN "
2873 						    "0x%x missing from the "
2874 						    "xmit list: %p", gapend,
2875 						    (void *)sctp);
2876 					}
2877 					ump = sctp->sctp_xmit_head;
2878 					mp = mp1;
2879 					sdc = (sctp_data_hdr_t *)mp->b_rptr;
2880 					xtsn = ntohl(sdc->sdh_tsn);
2881 					break;
2882 				}
2883 				mp = ump->b_cont;
2884 			}
2885 			/*
2886 			 * Likewise, we could hit an unsent chunk once we have
2887 			 * completed processing the gap block. Again, it is
2888 			 * fine to continue processing gap blocks with mp
2889 			 * pointing to the unsent chunk, because if there
2890 			 * are more ordered gap blocks, they will fail the
2891 			 * sanity check, and if there are un-ordered gap blocks,
2892 			 * we will continue processing in sctp_process_uo_gaps()
2893 			 * We just reset the mp to the one we started with.
2894 			 */
2895 			if (!SCTP_CHUNK_ISSENT(mp)) {
2896 				ASSERT(xtsn == gapend);
2897 				ump = sctp->sctp_xmit_head;
2898 				mp = mp1;
2899 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2900 				xtsn = ntohl(sdc->sdh_tsn);
2901 				break;
2902 			}
2903 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2904 			xtsn = ntohl(sdc->sdh_tsn);
2905 		}
2906 	}
2907 	if (sctp->sctp_prsctp_aware)
2908 		sctp_check_abandoned_data(sctp, sctp->sctp_current);
2909 	if (sctp->sctp_chk_fast_rexmit)
2910 		sctp_fast_rexmit(sctp);
2911 ret:
2912 	trysend += sctp_set_frwnd(sctp, ntohl(sc->ssc_a_rwnd));
2913 
2914 	/*
2915 	 * If receive window is closed while there is unsent data,
2916 	 * set a timer for doing zero window probes.
2917 	 */
2918 	if (sctp->sctp_frwnd == 0 && sctp->sctp_unacked == 0 &&
2919 	    sctp->sctp_unsent != 0) {
2920 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
2921 		    sctp->sctp_current->rto);
2922 	}
2923 
2924 	/*
2925 	 * Set cwnd for all destinations.
2926 	 * Congestion window gets increased only when cumulative
2927 	 * TSN moves forward, we're not in fast recovery, and
2928 	 * cwnd has been fully utilized (almost fully, need to allow
2929 	 * some leeway due to non-MSS sized messages).
2930 	 */
2931 	if (sctp->sctp_current->acked == acked) {
2932 		/*
2933 		 * Fast-path, only data sent to sctp_current got acked.
2934 		 */
2935 		fp = sctp->sctp_current;
2936 		if (cumack_forward && !fast_recovery &&
2937 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2938 			if (fp->cwnd < fp->ssthresh) {
2939 				/*
2940 				 * Slow start
2941 				 */
2942 				if (fp->acked > fp->sfa_pmss) {
2943 					fp->cwnd += fp->sfa_pmss;
2944 				} else {
2945 					fp->cwnd += fp->acked;
2946 				}
2947 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2948 			} else {
2949 				/*
2950 				 * Congestion avoidance
2951 				 */
2952 				fp->pba += fp->acked;
2953 				if (fp->pba >= fp->cwnd) {
2954 					fp->pba -= fp->cwnd;
2955 					fp->cwnd += fp->sfa_pmss;
2956 					fp->cwnd = MIN(fp->cwnd,
2957 					    sctp->sctp_cwnd_max);
2958 				}
2959 			}
2960 		}
2961 		/*
2962 		 * Limit the burst of transmitted data segments.
2963 		 */
2964 		if (fp->suna + sctps->sctps_maxburst * fp->sfa_pmss <
2965 		    fp->cwnd) {
2966 			fp->cwnd = fp->suna + sctps->sctps_maxburst *
2967 			    fp->sfa_pmss;
2968 		}
2969 		fp->acked = 0;
2970 		goto check_ss_rxmit;
2971 	}
2972 	for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
2973 		if (cumack_forward && fp->acked && !fast_recovery &&
2974 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2975 			if (fp->cwnd < fp->ssthresh) {
2976 				if (fp->acked > fp->sfa_pmss) {
2977 					fp->cwnd += fp->sfa_pmss;
2978 				} else {
2979 					fp->cwnd += fp->acked;
2980 				}
2981 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2982 			} else {
2983 				fp->pba += fp->acked;
2984 				if (fp->pba >= fp->cwnd) {
2985 					fp->pba -= fp->cwnd;
2986 					fp->cwnd += fp->sfa_pmss;
2987 					fp->cwnd = MIN(fp->cwnd,
2988 					    sctp->sctp_cwnd_max);
2989 				}
2990 			}
2991 		}
2992 		if (fp->suna + sctps->sctps_maxburst * fp->sfa_pmss <
2993 		    fp->cwnd) {
2994 			fp->cwnd = fp->suna + sctps->sctps_maxburst *
2995 			    fp->sfa_pmss;
2996 		}
2997 		fp->acked = 0;
2998 	}
2999 	fp = sctp->sctp_current;
3000 check_ss_rxmit:
3001 	/*
3002 	 * If this is a SACK following a timeout, check if there are
3003 	 * still unacked chunks (sent before the timeout) that we can
3004 	 * send.
3005 	 */
3006 	if (sctp->sctp_rexmitting) {
3007 		if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_rxt_maxtsn)) {
3008 			/*
3009 			 * As we are in retransmission phase, we may get a
3010 			 * SACK which indicates some new chunks are received
3011 			 * but cum_tsn does not advance.  During this
3012 			 * phase, the other side advances cum_tsn only because
3013 			 * it receives our retransmitted chunks.  Only
3014 			 * this signals that some chunks are still
3015 			 * missing.
3016 			 */
3017 			if (cumack_forward) {
3018 				fp->rxt_unacked -= acked;
3019 				sctp_ss_rexmit(sctp);
3020 			}
3021 		} else {
3022 			sctp->sctp_rexmitting = B_FALSE;
3023 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
3024 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
3025 			fp->rxt_unacked = 0;
3026 		}
3027 	}
3028 	return (trysend);
3029 }
3030 
3031 /*
3032  * Returns 0 if the caller should stop processing any more chunks,
3033  * 1 if the caller should skip this chunk and continue processing.
3034  */
3035 static int
3036 sctp_strange_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
3037 {
3038 	size_t len;
3039 
3040 	BUMP_LOCAL(sctp->sctp_ibchunks);
3041 	/* check top two bits for action required */
3042 	if (ch->sch_id & 0x40) {	/* also matches 0xc0 */
3043 		len = ntohs(ch->sch_len);
3044 		sctp_add_err(sctp, SCTP_ERR_UNREC_CHUNK, ch, len, fp);
3045 
3046 		if ((ch->sch_id & 0xc0) == 0xc0) {
3047 			/* skip and continue */
3048 			return (1);
3049 		} else {
3050 			/* stop processing */
3051 			return (0);
3052 		}
3053 	}
3054 	if (ch->sch_id & 0x80) {
3055 		/* skip and continue, no error */
3056 		return (1);
3057 	}
3058 	/* top two bits are clear; stop processing and no error */
3059 	return (0);
3060 }
3061 
3062 /*
3063  * Basic sanity checks on all input chunks and parameters: they must
3064  * be of legitimate size for their purported type, and must follow
3065  * ordering conventions as defined in rfc2960.
3066  *
3067  * Returns 1 if the chunk and all encloded params are legitimate,
3068  * 0 otherwise.
3069  */
3070 /*ARGSUSED*/
3071 static int
3072 sctp_check_input(sctp_t *sctp, sctp_chunk_hdr_t *ch, ssize_t len, int first)
3073 {
3074 	sctp_parm_hdr_t	*ph;
3075 	void		*p = NULL;
3076 	ssize_t		clen;
3077 	uint16_t	ch_len;
3078 
3079 	ch_len = ntohs(ch->sch_len);
3080 	if (ch_len > len) {
3081 		return (0);
3082 	}
3083 
3084 	switch (ch->sch_id) {
3085 	case CHUNK_DATA:
3086 		if (ch_len < sizeof (sctp_data_hdr_t)) {
3087 			return (0);
3088 		}
3089 		return (1);
3090 	case CHUNK_INIT:
3091 	case CHUNK_INIT_ACK:
3092 		{
3093 			ssize_t	remlen = len;
3094 
3095 			/*
3096 			 * INIT and INIT-ACK chunks must not be bundled with
3097 			 * any other.
3098 			 */
3099 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
3100 			    (ch_len < (sizeof (*ch) +
3101 			    sizeof (sctp_init_chunk_t)))) {
3102 				return (0);
3103 			}
3104 			/* may have params that need checking */
3105 			p = (char *)(ch + 1) + sizeof (sctp_init_chunk_t);
3106 			clen = ch_len - (sizeof (*ch) +
3107 			    sizeof (sctp_init_chunk_t));
3108 		}
3109 		break;
3110 	case CHUNK_SACK:
3111 		if (ch_len < (sizeof (*ch) + sizeof (sctp_sack_chunk_t))) {
3112 			return (0);
3113 		}
3114 		/* dup and gap reports checked by got_sack() */
3115 		return (1);
3116 	case CHUNK_SHUTDOWN:
3117 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t))) {
3118 			return (0);
3119 		}
3120 		return (1);
3121 	case CHUNK_ABORT:
3122 	case CHUNK_ERROR:
3123 		if (ch_len < sizeof (*ch)) {
3124 			return (0);
3125 		}
3126 		/* may have params that need checking */
3127 		p = ch + 1;
3128 		clen = ch_len - sizeof (*ch);
3129 		break;
3130 	case CHUNK_ECNE:
3131 	case CHUNK_CWR:
3132 	case CHUNK_HEARTBEAT:
3133 	case CHUNK_HEARTBEAT_ACK:
3134 	/* Full ASCONF chunk and parameter checks are in asconf.c */
3135 	case CHUNK_ASCONF:
3136 	case CHUNK_ASCONF_ACK:
3137 		if (ch_len < sizeof (*ch)) {
3138 			return (0);
3139 		}
3140 		/* heartbeat data checked by process_heartbeat() */
3141 		return (1);
3142 	case CHUNK_SHUTDOWN_COMPLETE:
3143 		{
3144 			ssize_t remlen = len;
3145 
3146 			/*
3147 			 * SHUTDOWN-COMPLETE chunk must not be bundled with any
3148 			 * other
3149 			 */
3150 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
3151 			    ch_len < sizeof (*ch)) {
3152 				return (0);
3153 			}
3154 		}
3155 		return (1);
3156 	case CHUNK_COOKIE:
3157 	case CHUNK_COOKIE_ACK:
3158 	case CHUNK_SHUTDOWN_ACK:
3159 		if (ch_len < sizeof (*ch) || !first) {
3160 			return (0);
3161 		}
3162 		return (1);
3163 	case CHUNK_FORWARD_TSN:
3164 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t)))
3165 			return (0);
3166 		return (1);
3167 	default:
3168 		return (1);	/* handled by strange_chunk() */
3169 	}
3170 
3171 	/* check and byteorder parameters */
3172 	if (clen <= 0) {
3173 		return (1);
3174 	}
3175 	ASSERT(p != NULL);
3176 
3177 	ph = p;
3178 	while (ph != NULL && clen > 0) {
3179 		ch_len = ntohs(ph->sph_len);
3180 		if (ch_len > len || ch_len < sizeof (*ph)) {
3181 			return (0);
3182 		}
3183 		ph = sctp_next_parm(ph, &clen);
3184 	}
3185 
3186 	/* All OK */
3187 	return (1);
3188 }
3189 
3190 static mblk_t *
3191 sctp_check_in_policy(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
3192 {
3193 	boolean_t policy_present;
3194 	ipha_t *ipha;
3195 	ip6_t *ip6h;
3196 	netstack_t	*ns = ipst->ips_netstack;
3197 	ipsec_stack_t	*ipss = ns->netstack_ipsec;
3198 
3199 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
3200 		policy_present = ipss->ipsec_inbound_v4_policy_present;
3201 		ipha = (ipha_t *)mp->b_rptr;
3202 		ip6h = NULL;
3203 	} else {
3204 		policy_present = ipss->ipsec_inbound_v6_policy_present;
3205 		ipha = NULL;
3206 		ip6h = (ip6_t *)mp->b_rptr;
3207 	}
3208 
3209 	if (policy_present) {
3210 		/*
3211 		 * The conn_t parameter is NULL because we already know
3212 		 * nobody's home.
3213 		 */
3214 		mp = ipsec_check_global_policy(mp, (conn_t *)NULL,
3215 		    ipha, ip6h, ira, ns);
3216 		if (mp == NULL)
3217 			return (NULL);
3218 	}
3219 	return (mp);
3220 }
3221 
3222 /* Handle out-of-the-blue packets */
3223 void
3224 sctp_ootb_input(mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
3225 {
3226 	sctp_t			*sctp;
3227 	sctp_chunk_hdr_t	*ch;
3228 	sctp_hdr_t		*sctph;
3229 	in6_addr_t		src, dst;
3230 	uint_t			ip_hdr_len = ira->ira_ip_hdr_length;
3231 	ssize_t			mlen;
3232 	sctp_stack_t		*sctps;
3233 	boolean_t		secure;
3234 	zoneid_t		zoneid = ira->ira_zoneid;
3235 	uchar_t			*rptr;
3236 
3237 	ASSERT(ira->ira_ill == NULL);
3238 
3239 	secure = ira->ira_flags & IRAF_IPSEC_SECURE;
3240 
3241 	sctps = ipst->ips_netstack->netstack_sctp;
3242 
3243 	BUMP_MIB(&sctps->sctps_mib, sctpOutOfBlue);
3244 	BUMP_MIB(&sctps->sctps_mib, sctpInSCTPPkts);
3245 
3246 	if (mp->b_cont != NULL) {
3247 		/*
3248 		 * All subsequent code is vastly simplified if it can
3249 		 * assume a single contiguous chunk of data.
3250 		 */
3251 		if (pullupmsg(mp, -1) == 0) {
3252 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3253 			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3254 			freemsg(mp);
3255 			return;
3256 		}
3257 	}
3258 
3259 	rptr = mp->b_rptr;
3260 	sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);
3261 	if (ira->ira_flags & IRAF_IS_IPV4) {
3262 		ipha_t *ipha;
3263 
3264 		ipha = (ipha_t *)rptr;
3265 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
3266 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
3267 	} else {
3268 		ip6_t *ip6h;
3269 
3270 		ip6h = (ip6_t *)rptr;
3271 		src = ip6h->ip6_src;
3272 		dst = ip6h->ip6_dst;
3273 	}
3274 
3275 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3276 	if ((ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen)) == NULL) {
3277 		dprint(3, ("sctp_ootb_input: invalid packet\n"));
3278 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3279 		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3280 		freemsg(mp);
3281 		return;
3282 	}
3283 
3284 	switch (ch->sch_id) {
3285 	case CHUNK_INIT:
3286 		/* no listener; send abort  */
3287 		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
3288 			return;
3289 		sctp_ootb_send_abort(sctp_init2vtag(ch), 0,
3290 		    NULL, 0, mp, 0, B_TRUE, ira, ipst);
3291 		break;
3292 	case CHUNK_INIT_ACK:
3293 		/* check for changed src addr */
3294 		sctp = sctp_addrlist2sctp(mp, sctph, ch, zoneid, sctps);
3295 		if (sctp != NULL) {
3296 			/* success; proceed to normal path */
3297 			mutex_enter(&sctp->sctp_lock);
3298 			if (sctp->sctp_running) {
3299 				sctp_add_recvq(sctp, mp, B_FALSE, ira);
3300 				mutex_exit(&sctp->sctp_lock);
3301 			} else {
3302 				/*
3303 				 * If the source address is changed, we
3304 				 * don't need to worry too much about
3305 				 * out of order processing.  So we don't
3306 				 * check if the recvq is empty or not here.
3307 				 */
3308 				sctp->sctp_running = B_TRUE;
3309 				mutex_exit(&sctp->sctp_lock);
3310 				sctp_input_data(sctp, mp, ira);
3311 				WAKE_SCTP(sctp);
3312 			}
3313 			SCTP_REFRELE(sctp);
3314 			return;
3315 		}
3316 		/* else bogus init ack; drop it */
3317 		break;
3318 	case CHUNK_SHUTDOWN_ACK:
3319 		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
3320 			return;
3321 		sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
3322 		return;
3323 	case CHUNK_ERROR:
3324 	case CHUNK_ABORT:
3325 	case CHUNK_COOKIE_ACK:
3326 	case CHUNK_SHUTDOWN_COMPLETE:
3327 		break;
3328 	default:
3329 		if (secure && sctp_check_in_policy(mp, ira, ipst) == NULL)
3330 			return;
3331 		sctp_ootb_send_abort(sctph->sh_verf, 0,
3332 		    NULL, 0, mp, 0, B_TRUE, ira, ipst);
3333 		break;
3334 	}
3335 	freemsg(mp);
3336 }
3337 
3338 /*
3339  * Handle sctp packets.
3340  * Note that we rele the sctp_t (the caller got a reference on it).
3341  */
3342 void
3343 sctp_input(conn_t *connp, ipha_t *ipha, ip6_t *ip6h, mblk_t *mp,
3344     ip_recv_attr_t *ira)
3345 {
3346 	sctp_t		*sctp = CONN2SCTP(connp);
3347 	boolean_t	secure;
3348 	ill_t		*ill = ira->ira_ill;
3349 	ip_stack_t	*ipst = ill->ill_ipst;
3350 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3351 	iaflags_t	iraflags = ira->ira_flags;
3352 	ill_t		*rill = ira->ira_rill;
3353 
3354 	secure = iraflags & IRAF_IPSEC_SECURE;
3355 
3356 	/*
3357 	 * We check some fields in conn_t without holding a lock.
3358 	 * This should be fine.
3359 	 */
3360 	if (((iraflags & IRAF_IS_IPV4) ?
3361 	    CONN_INBOUND_POLICY_PRESENT(connp, ipss) :
3362 	    CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss)) ||
3363 	    secure) {
3364 		mp = ipsec_check_inbound_policy(mp, connp, ipha,
3365 		    ip6h, ira);
3366 		if (mp == NULL) {
3367 			BUMP_MIB(ill->ill_ip_mib, ipIfStatsInDiscards);
3368 			/* Note that mp is NULL */
3369 			ip_drop_input("ipIfStatsInDiscards", mp, ill);
3370 			SCTP_REFRELE(sctp);
3371 			return;
3372 		}
3373 	}
3374 
3375 	ira->ira_ill = ira->ira_rill = NULL;
3376 
3377 	mutex_enter(&sctp->sctp_lock);
3378 	if (sctp->sctp_running) {
3379 		sctp_add_recvq(sctp, mp, B_FALSE, ira);
3380 		mutex_exit(&sctp->sctp_lock);
3381 		goto done;
3382 	} else {
3383 		sctp->sctp_running = B_TRUE;
3384 		mutex_exit(&sctp->sctp_lock);
3385 
3386 		mutex_enter(&sctp->sctp_recvq_lock);
3387 		if (sctp->sctp_recvq != NULL) {
3388 			sctp_add_recvq(sctp, mp, B_TRUE, ira);
3389 			mutex_exit(&sctp->sctp_recvq_lock);
3390 			WAKE_SCTP(sctp);
3391 			goto done;
3392 		}
3393 	}
3394 	mutex_exit(&sctp->sctp_recvq_lock);
3395 	if (ira->ira_flags & IRAF_ICMP_ERROR)
3396 		sctp_icmp_error(sctp, mp);
3397 	else
3398 		sctp_input_data(sctp, mp, ira);
3399 	WAKE_SCTP(sctp);
3400 
3401 done:
3402 	SCTP_REFRELE(sctp);
3403 	ira->ira_ill = ill;
3404 	ira->ira_rill = rill;
3405 }
3406 
3407 static void
3408 sctp_process_abort(sctp_t *sctp, sctp_chunk_hdr_t *ch, int err)
3409 {
3410 	sctp_stack_t	*sctps = sctp->sctp_sctps;
3411 
3412 	BUMP_MIB(&sctps->sctps_mib, sctpAborted);
3413 	BUMP_LOCAL(sctp->sctp_ibchunks);
3414 
3415 	sctp_assoc_event(sctp, SCTP_COMM_LOST,
3416 	    ntohs(((sctp_parm_hdr_t *)(ch + 1))->sph_type), ch);
3417 	sctp_clean_death(sctp, err);
3418 }
3419 
3420 void
3421 sctp_input_data(sctp_t *sctp, mblk_t *mp, ip_recv_attr_t *ira)
3422 {
3423 	sctp_chunk_hdr_t	*ch;
3424 	ssize_t			mlen;
3425 	int			gotdata;
3426 	int			trysend;
3427 	sctp_faddr_t		*fp;
3428 	sctp_init_chunk_t	*iack;
3429 	uint32_t		tsn;
3430 	sctp_data_hdr_t		*sdc;
3431 	ip_pkt_t		ipp;
3432 	in6_addr_t		src;
3433 	in6_addr_t		dst;
3434 	uint_t			ifindex;
3435 	sctp_hdr_t		*sctph;
3436 	uint_t			ip_hdr_len = ira->ira_ip_hdr_length;
3437 	mblk_t			*dups = NULL;
3438 	int			recv_adaptation;
3439 	boolean_t		wake_eager = B_FALSE;
3440 	in6_addr_t		peer_src;
3441 	int64_t			now;
3442 	sctp_stack_t		*sctps = sctp->sctp_sctps;
3443 	ip_stack_t		*ipst = sctps->sctps_netstack->netstack_ip;
3444 	boolean_t		hb_already = B_FALSE;
3445 	cred_t			*cr;
3446 	pid_t			cpid;
3447 	uchar_t			*rptr;
3448 	conn_t			*connp = sctp->sctp_connp;
3449 
3450 	ASSERT(DB_TYPE(mp) == M_DATA);
3451 	ASSERT(ira->ira_ill == NULL);
3452 
3453 	if (mp->b_cont != NULL) {
3454 		/*
3455 		 * All subsequent code is vastly simplified if it can
3456 		 * assume a single contiguous chunk of data.
3457 		 */
3458 		if (pullupmsg(mp, -1) == 0) {
3459 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3460 			ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3461 			freemsg(mp);
3462 			return;
3463 		}
3464 	}
3465 
3466 	BUMP_LOCAL(sctp->sctp_ipkts);
3467 	ifindex = ira->ira_ruifindex;
3468 
3469 	rptr = mp->b_rptr;
3470 
3471 	ipp.ipp_fields = 0;
3472 	if (connp->conn_recv_ancillary.crb_all != 0) {
3473 		/*
3474 		 * Record packet information in the ip_pkt_t
3475 		 */
3476 		if (ira->ira_flags & IRAF_IS_IPV4) {
3477 			(void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
3478 			    B_FALSE);
3479 		} else {
3480 			uint8_t nexthdrp;
3481 
3482 			/*
3483 			 * IPv6 packets can only be received by applications
3484 			 * that are prepared to receive IPv6 addresses.
3485 			 * The IP fanout must ensure this.
3486 			 */
3487 			ASSERT(connp->conn_family == AF_INET6);
3488 
3489 			(void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
3490 			    &nexthdrp);
3491 			ASSERT(nexthdrp == IPPROTO_SCTP);
3492 
3493 			/* Could have caused a pullup? */
3494 			rptr = mp->b_rptr;
3495 		}
3496 	}
3497 
3498 	sctph = ((sctp_hdr_t *)&rptr[ip_hdr_len]);
3499 
3500 	if (ira->ira_flags & IRAF_IS_IPV4) {
3501 		ipha_t *ipha;
3502 
3503 		ipha = (ipha_t *)rptr;
3504 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &src);
3505 		IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &dst);
3506 	} else {
3507 		ip6_t *ip6h;
3508 
3509 		ip6h = (ip6_t *)rptr;
3510 		src = ip6h->ip6_src;
3511 		dst = ip6h->ip6_dst;
3512 	}
3513 
3514 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3515 	ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen);
3516 	if (ch == NULL) {
3517 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3518 		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3519 		freemsg(mp);
3520 		return;
3521 	}
3522 
3523 	if (!sctp_check_input(sctp, ch, mlen, 1)) {
3524 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3525 		ip_drop_input("ipIfStatsInDiscards", mp, NULL);
3526 		goto done;
3527 	}
3528 	/*
3529 	 * Check verfication tag (special handling for INIT,
3530 	 * COOKIE, SHUTDOWN_COMPLETE and SHUTDOWN_ACK chunks).
3531 	 * ABORTs are handled in the chunk processing loop, since
3532 	 * may not appear first. All other checked chunks must
3533 	 * appear first, or will have been dropped by check_input().
3534 	 */
3535 	switch (ch->sch_id) {
3536 	case CHUNK_INIT:
3537 		if (sctph->sh_verf != 0) {
3538 			/* drop it */
3539 			goto done;
3540 		}
3541 		break;
3542 	case CHUNK_SHUTDOWN_COMPLETE:
3543 		if (sctph->sh_verf == sctp->sctp_lvtag)
3544 			break;
3545 		if (sctph->sh_verf == sctp->sctp_fvtag &&
3546 		    SCTP_GET_TBIT(ch)) {
3547 			break;
3548 		}
3549 		/* else drop it */
3550 		goto done;
3551 	case CHUNK_ABORT:
3552 	case CHUNK_COOKIE:
3553 		/* handled below */
3554 		break;
3555 	case CHUNK_SHUTDOWN_ACK:
3556 		if (sctp->sctp_state > SCTPS_BOUND &&
3557 		    sctp->sctp_state < SCTPS_ESTABLISHED) {
3558 			/* treat as OOTB */
3559 			sctp_ootb_shutdown_ack(mp, ip_hdr_len, ira, ipst);
3560 			return;
3561 		}
3562 		/* else fallthru */
3563 	default:
3564 		/*
3565 		 * All other packets must have a valid
3566 		 * verification tag, however if this is a
3567 		 * listener, we use a refined version of
3568 		 * out-of-the-blue logic.
3569 		 */
3570 		if (sctph->sh_verf != sctp->sctp_lvtag &&
3571 		    sctp->sctp_state != SCTPS_LISTEN) {
3572 			/* drop it */
3573 			goto done;
3574 		}
3575 		break;
3576 	}
3577 
3578 	/* Have a valid sctp for this packet */
3579 	fp = sctp_lookup_faddr(sctp, &src);
3580 	dprint(2, ("sctp_dispatch_rput: mp=%p fp=%p sctp=%p\n", (void *)mp,
3581 	    (void *)fp, (void *)sctp));
3582 
3583 	gotdata = 0;
3584 	trysend = 0;
3585 
3586 	now = lbolt64;
3587 	/* Process the chunks */
3588 	do {
3589 		dprint(3, ("sctp_dispatch_rput: state=%d, chunk id=%d\n",
3590 		    sctp->sctp_state, (int)(ch->sch_id)));
3591 
3592 		if (ch->sch_id == CHUNK_ABORT) {
3593 			if (sctph->sh_verf != sctp->sctp_lvtag &&
3594 			    sctph->sh_verf != sctp->sctp_fvtag) {
3595 				/* drop it */
3596 				goto done;
3597 			}
3598 		}
3599 
3600 		switch (sctp->sctp_state) {
3601 
3602 		case SCTPS_ESTABLISHED:
3603 		case SCTPS_SHUTDOWN_PENDING:
3604 		case SCTPS_SHUTDOWN_SENT:
3605 			switch (ch->sch_id) {
3606 			case CHUNK_DATA:
3607 				/* 0-length data chunks are not allowed */
3608 				if (ntohs(ch->sch_len) == sizeof (*sdc)) {
3609 					sdc = (sctp_data_hdr_t *)ch;
3610 					tsn = sdc->sdh_tsn;
3611 					sctp_send_abort(sctp, sctp->sctp_fvtag,
3612 					    SCTP_ERR_NO_USR_DATA, (char *)&tsn,
3613 					    sizeof (tsn), mp, 0, B_FALSE, ira);
3614 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3615 					    0, NULL);
3616 					sctp_clean_death(sctp, ECONNABORTED);
3617 					goto done;
3618 				}
3619 
3620 				ASSERT(fp != NULL);
3621 				sctp->sctp_lastdata = fp;
3622 				sctp_data_chunk(sctp, ch, mp, &dups, fp,
3623 				    &ipp, ira);
3624 				gotdata = 1;
3625 				/* Restart shutdown timer if shutting down */
3626 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3627 					/*
3628 					 * If we have exceeded our max
3629 					 * wait bound for waiting for a
3630 					 * shutdown ack from the peer,
3631 					 * abort the association.
3632 					 */
3633 					if (sctps->sctps_shutack_wait_bound !=
3634 					    0 &&
3635 					    TICK_TO_MSEC(now -
3636 					    sctp->sctp_out_time) >
3637 					    sctps->sctps_shutack_wait_bound) {
3638 						sctp_send_abort(sctp,
3639 						    sctp->sctp_fvtag, 0, NULL,
3640 						    0, mp, 0, B_FALSE, ira);
3641 						sctp_assoc_event(sctp,
3642 						    SCTP_COMM_LOST, 0, NULL);
3643 						sctp_clean_death(sctp,
3644 						    ECONNABORTED);
3645 						goto done;
3646 					}
3647 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
3648 					    fp->rto);
3649 				}
3650 				break;
3651 			case CHUNK_SACK:
3652 				ASSERT(fp != NULL);
3653 				/*
3654 				 * Peer is real and alive if it can ack our
3655 				 * data.
3656 				 */
3657 				sctp_faddr_alive(sctp, fp);
3658 				trysend = sctp_got_sack(sctp, ch);
3659 				if (trysend < 0) {
3660 					sctp_send_abort(sctp, sctph->sh_verf,
3661 					    0, NULL, 0, mp, 0, B_FALSE, ira);
3662 					sctp_assoc_event(sctp,
3663 					    SCTP_COMM_LOST, 0, NULL);
3664 					sctp_clean_death(sctp,
3665 					    ECONNABORTED);
3666 					goto done;
3667 				}
3668 				break;
3669 			case CHUNK_HEARTBEAT:
3670 				if (!hb_already) {
3671 					/*
3672 					 * In any one packet, there should
3673 					 * only be one heartbeat chunk.  So
3674 					 * we should not process more than
3675 					 * once.
3676 					 */
3677 					sctp_return_heartbeat(sctp, ch, mp);
3678 					hb_already = B_TRUE;
3679 				}
3680 				break;
3681 			case CHUNK_HEARTBEAT_ACK:
3682 				sctp_process_heartbeat(sctp, ch);
3683 				break;
3684 			case CHUNK_SHUTDOWN:
3685 				sctp_shutdown_event(sctp);
3686 				trysend = sctp_shutdown_received(sctp, ch,
3687 				    B_FALSE, B_FALSE, fp);
3688 				BUMP_LOCAL(sctp->sctp_ibchunks);
3689 				break;
3690 			case CHUNK_SHUTDOWN_ACK:
3691 				BUMP_LOCAL(sctp->sctp_ibchunks);
3692 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3693 					sctp_shutdown_complete(sctp);
3694 					BUMP_MIB(&sctps->sctps_mib,
3695 					    sctpShutdowns);
3696 					sctp_assoc_event(sctp,
3697 					    SCTP_SHUTDOWN_COMP, 0, NULL);
3698 					sctp_clean_death(sctp, 0);
3699 					goto done;
3700 				}
3701 				break;
3702 			case CHUNK_ABORT: {
3703 				sctp_saddr_ipif_t *sp;
3704 
3705 				/* Ignore if delete pending */
3706 				sp = sctp_saddr_lookup(sctp, &dst, 0);
3707 				ASSERT(sp != NULL);
3708 				if (sp->saddr_ipif_delete_pending) {
3709 					BUMP_LOCAL(sctp->sctp_ibchunks);
3710 					break;
3711 				}
3712 
3713 				sctp_process_abort(sctp, ch, ECONNRESET);
3714 				goto done;
3715 			}
3716 			case CHUNK_INIT:
3717 				sctp_send_initack(sctp, sctph, ch, mp, ira);
3718 				break;
3719 			case CHUNK_COOKIE:
3720 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3721 				    sctph, &recv_adaptation, NULL, ira) != -1) {
3722 					sctp_send_cookie_ack(sctp);
3723 					sctp_assoc_event(sctp, SCTP_RESTART,
3724 					    0, NULL);
3725 					if (recv_adaptation) {
3726 						sctp->sctp_recv_adaptation = 1;
3727 						sctp_adaptation_event(sctp);
3728 					}
3729 				} else {
3730 					BUMP_MIB(&sctps->sctps_mib,
3731 					    sctpInInvalidCookie);
3732 				}
3733 				break;
3734 			case CHUNK_ERROR: {
3735 				int error;
3736 
3737 				BUMP_LOCAL(sctp->sctp_ibchunks);
3738 				error = sctp_handle_error(sctp, sctph, ch, mp,
3739 				    ira);
3740 				if (error != 0) {
3741 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3742 					    0, NULL);
3743 					sctp_clean_death(sctp, error);
3744 					goto done;
3745 				}
3746 				break;
3747 			}
3748 			case CHUNK_ASCONF:
3749 				ASSERT(fp != NULL);
3750 				sctp_input_asconf(sctp, ch, fp);
3751 				BUMP_LOCAL(sctp->sctp_ibchunks);
3752 				break;
3753 			case CHUNK_ASCONF_ACK:
3754 				ASSERT(fp != NULL);
3755 				sctp_faddr_alive(sctp, fp);
3756 				sctp_input_asconf_ack(sctp, ch, fp);
3757 				BUMP_LOCAL(sctp->sctp_ibchunks);
3758 				break;
3759 			case CHUNK_FORWARD_TSN:
3760 				ASSERT(fp != NULL);
3761 				sctp->sctp_lastdata = fp;
3762 				sctp_process_forward_tsn(sctp, ch, fp,
3763 				    &ipp, ira);
3764 				gotdata = 1;
3765 				BUMP_LOCAL(sctp->sctp_ibchunks);
3766 				break;
3767 			default:
3768 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3769 					goto nomorechunks;
3770 				} /* else skip and continue processing */
3771 				break;
3772 			}
3773 			break;
3774 
3775 		case SCTPS_LISTEN:
3776 			switch (ch->sch_id) {
3777 			case CHUNK_INIT:
3778 				sctp_send_initack(sctp, sctph, ch, mp, ira);
3779 				break;
3780 			case CHUNK_COOKIE: {
3781 				sctp_t *eager;
3782 
3783 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3784 				    sctph, &recv_adaptation, &peer_src,
3785 				    ira) == -1) {
3786 					BUMP_MIB(&sctps->sctps_mib,
3787 					    sctpInInvalidCookie);
3788 					goto done;
3789 				}
3790 
3791 				/*
3792 				 * The cookie is good; ensure that
3793 				 * the peer used the verification
3794 				 * tag from the init ack in the header.
3795 				 */
3796 				if (iack->sic_inittag != sctph->sh_verf)
3797 					goto done;
3798 
3799 				eager = sctp_conn_request(sctp, mp, ifindex,
3800 				    ip_hdr_len, iack, ira);
3801 				if (eager == NULL) {
3802 					sctp_send_abort(sctp, sctph->sh_verf,
3803 					    SCTP_ERR_NO_RESOURCES, NULL, 0, mp,
3804 					    0, B_FALSE, ira);
3805 					goto done;
3806 				}
3807 
3808 				/*
3809 				 * If there were extra chunks
3810 				 * bundled with the cookie,
3811 				 * they must be processed
3812 				 * on the eager's queue. We
3813 				 * accomplish this by refeeding
3814 				 * the whole packet into the
3815 				 * state machine on the right
3816 				 * q. The packet (mp) gets
3817 				 * there via the eager's
3818 				 * cookie_mp field (overloaded
3819 				 * with the active open role).
3820 				 * This is picked up when
3821 				 * processing the null bind
3822 				 * request put on the eager's
3823 				 * q by sctp_accept(). We must
3824 				 * first revert the cookie
3825 				 * chunk's length field to network
3826 				 * byteorder so it can be
3827 				 * properly reprocessed on the
3828 				 * eager's queue.
3829 				 */
3830 				BUMP_MIB(&sctps->sctps_mib, sctpPassiveEstab);
3831 				if (mlen > ntohs(ch->sch_len)) {
3832 					eager->sctp_cookie_mp = dupb(mp);
3833 					/*
3834 					 * If no mem, just let
3835 					 * the peer retransmit.
3836 					 */
3837 				}
3838 				sctp_assoc_event(eager, SCTP_COMM_UP, 0, NULL);
3839 				if (recv_adaptation) {
3840 					eager->sctp_recv_adaptation = 1;
3841 					eager->sctp_rx_adaptation_code =
3842 					    sctp->sctp_rx_adaptation_code;
3843 					sctp_adaptation_event(eager);
3844 				}
3845 
3846 				eager->sctp_active = now;
3847 				sctp_send_cookie_ack(eager);
3848 
3849 				wake_eager = B_TRUE;
3850 
3851 				/*
3852 				 * Process rest of the chunks with eager.
3853 				 */
3854 				sctp = eager;
3855 				fp = sctp_lookup_faddr(sctp, &peer_src);
3856 				/*
3857 				 * Confirm peer's original source.  fp can
3858 				 * only be NULL if peer does not use the
3859 				 * original source as one of its addresses...
3860 				 */
3861 				if (fp == NULL)
3862 					fp = sctp_lookup_faddr(sctp, &src);
3863 				else
3864 					sctp_faddr_alive(sctp, fp);
3865 
3866 				/*
3867 				 * Validate the peer addresses.  It also starts
3868 				 * the heartbeat timer.
3869 				 */
3870 				sctp_validate_peer(sctp);
3871 				break;
3872 			}
3873 			/* Anything else is considered out-of-the-blue */
3874 			case CHUNK_ERROR:
3875 			case CHUNK_ABORT:
3876 			case CHUNK_COOKIE_ACK:
3877 			case CHUNK_SHUTDOWN_COMPLETE:
3878 				BUMP_LOCAL(sctp->sctp_ibchunks);
3879 				goto done;
3880 			default:
3881 				BUMP_LOCAL(sctp->sctp_ibchunks);
3882 				sctp_send_abort(sctp, sctph->sh_verf, 0, NULL,
3883 				    0, mp, 0, B_TRUE, ira);
3884 				goto done;
3885 			}
3886 			break;
3887 
3888 		case SCTPS_COOKIE_WAIT:
3889 			switch (ch->sch_id) {
3890 			case CHUNK_INIT_ACK:
3891 				sctp_stop_faddr_timers(sctp);
3892 				sctp_faddr_alive(sctp, sctp->sctp_current);
3893 				sctp_send_cookie_echo(sctp, ch, mp, ira);
3894 				BUMP_LOCAL(sctp->sctp_ibchunks);
3895 				break;
3896 			case CHUNK_ABORT:
3897 				sctp_process_abort(sctp, ch, ECONNREFUSED);
3898 				goto done;
3899 			case CHUNK_INIT:
3900 				sctp_send_initack(sctp, sctph, ch, mp, ira);
3901 				break;
3902 			case CHUNK_COOKIE:
3903 				cr = ira->ira_cred;
3904 				cpid = ira->ira_cpid;
3905 
3906 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3907 				    sctph, &recv_adaptation, NULL, ira) == -1) {
3908 					BUMP_MIB(&sctps->sctps_mib,
3909 					    sctpInInvalidCookie);
3910 					break;
3911 				}
3912 				sctp_send_cookie_ack(sctp);
3913 				sctp_stop_faddr_timers(sctp);
3914 				if (!SCTP_IS_DETACHED(sctp)) {
3915 					sctp->sctp_ulp_connected(
3916 					    sctp->sctp_ulpd, 0, cr, cpid);
3917 					sctp_set_ulp_prop(sctp);
3918 
3919 				}
3920 				sctp->sctp_state = SCTPS_ESTABLISHED;
3921 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3922 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
3923 				if (sctp->sctp_cookie_mp) {
3924 					freemsg(sctp->sctp_cookie_mp);
3925 					sctp->sctp_cookie_mp = NULL;
3926 				}
3927 
3928 				/* Validate the peer addresses. */
3929 				sctp->sctp_active = now;
3930 				sctp_validate_peer(sctp);
3931 
3932 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
3933 				if (recv_adaptation) {
3934 					sctp->sctp_recv_adaptation = 1;
3935 					sctp_adaptation_event(sctp);
3936 				}
3937 				/* Try sending queued data, or ASCONFs */
3938 				trysend = 1;
3939 				break;
3940 			default:
3941 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3942 					goto nomorechunks;
3943 				} /* else skip and continue processing */
3944 				break;
3945 			}
3946 			break;
3947 
3948 		case SCTPS_COOKIE_ECHOED:
3949 			switch (ch->sch_id) {
3950 			case CHUNK_COOKIE_ACK:
3951 				cr = ira->ira_cred;
3952 				cpid = ira->ira_cpid;
3953 
3954 				if (!SCTP_IS_DETACHED(sctp)) {
3955 					sctp->sctp_ulp_connected(
3956 					    sctp->sctp_ulpd, 0, cr, cpid);
3957 					sctp_set_ulp_prop(sctp);
3958 				}
3959 				if (sctp->sctp_unacked == 0)
3960 					sctp_stop_faddr_timers(sctp);
3961 				sctp->sctp_state = SCTPS_ESTABLISHED;
3962 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3963 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
3964 				BUMP_LOCAL(sctp->sctp_ibchunks);
3965 				if (sctp->sctp_cookie_mp) {
3966 					freemsg(sctp->sctp_cookie_mp);
3967 					sctp->sctp_cookie_mp = NULL;
3968 				}
3969 				sctp_faddr_alive(sctp, fp);
3970 				/* Validate the peer addresses. */
3971 				sctp->sctp_active = now;
3972 				sctp_validate_peer(sctp);
3973 
3974 				/* Try sending queued data, or ASCONFs */
3975 				trysend = 1;
3976 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
3977 				sctp_adaptation_event(sctp);
3978 				break;
3979 			case CHUNK_ABORT:
3980 				sctp_process_abort(sctp, ch, ECONNREFUSED);
3981 				goto done;
3982 			case CHUNK_COOKIE:
3983 				cr = ira->ira_cred;
3984 				cpid = ira->ira_cpid;
3985 
3986 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3987 				    sctph, &recv_adaptation, NULL, ira) == -1) {
3988 					BUMP_MIB(&sctps->sctps_mib,
3989 					    sctpInInvalidCookie);
3990 					break;
3991 				}
3992 				sctp_send_cookie_ack(sctp);
3993 
3994 				if (!SCTP_IS_DETACHED(sctp)) {
3995 					sctp->sctp_ulp_connected(
3996 					    sctp->sctp_ulpd, 0, cr, cpid);
3997 					sctp_set_ulp_prop(sctp);
3998 
3999 				}
4000 				if (sctp->sctp_unacked == 0)
4001 					sctp_stop_faddr_timers(sctp);
4002 				sctp->sctp_state = SCTPS_ESTABLISHED;
4003 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
4004 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
4005 				if (sctp->sctp_cookie_mp) {
4006 					freemsg(sctp->sctp_cookie_mp);
4007 					sctp->sctp_cookie_mp = NULL;
4008 				}
4009 				/* Validate the peer addresses. */
4010 				sctp->sctp_active = now;
4011 				sctp_validate_peer(sctp);
4012 
4013 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4014 				if (recv_adaptation) {
4015 					sctp->sctp_recv_adaptation = 1;
4016 					sctp_adaptation_event(sctp);
4017 				}
4018 				/* Try sending queued data, or ASCONFs */
4019 				trysend = 1;
4020 				break;
4021 			case CHUNK_INIT:
4022 				sctp_send_initack(sctp, sctph, ch, mp, ira);
4023 				break;
4024 			case CHUNK_ERROR: {
4025 				sctp_parm_hdr_t *p;
4026 
4027 				BUMP_LOCAL(sctp->sctp_ibchunks);
4028 				/* check for a stale cookie */
4029 				if (ntohs(ch->sch_len) >=
4030 				    (sizeof (*p) + sizeof (*ch)) +
4031 				    sizeof (uint32_t)) {
4032 
4033 					p = (sctp_parm_hdr_t *)(ch + 1);
4034 					if (p->sph_type ==
4035 					    htons(SCTP_ERR_STALE_COOKIE)) {
4036 						BUMP_MIB(&sctps->sctps_mib,
4037 						    sctpAborted);
4038 						sctp_error_event(sctp, ch);
4039 						sctp_assoc_event(sctp,
4040 						    SCTP_COMM_LOST, 0, NULL);
4041 						sctp_clean_death(sctp,
4042 						    ECONNREFUSED);
4043 						goto done;
4044 					}
4045 				}
4046 				break;
4047 			}
4048 			case CHUNK_HEARTBEAT:
4049 				if (!hb_already) {
4050 					sctp_return_heartbeat(sctp, ch, mp);
4051 					hb_already = B_TRUE;
4052 				}
4053 				break;
4054 			default:
4055 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4056 					goto nomorechunks;
4057 				} /* else skip and continue processing */
4058 			} /* switch (ch->sch_id) */
4059 			break;
4060 
4061 		case SCTPS_SHUTDOWN_ACK_SENT:
4062 			switch (ch->sch_id) {
4063 			case CHUNK_ABORT:
4064 				/* Pass gathered wisdom to IP for keeping */
4065 				sctp_update_dce(sctp);
4066 				sctp_process_abort(sctp, ch, 0);
4067 				goto done;
4068 			case CHUNK_SHUTDOWN_COMPLETE:
4069 				BUMP_LOCAL(sctp->sctp_ibchunks);
4070 				BUMP_MIB(&sctps->sctps_mib, sctpShutdowns);
4071 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4072 				    NULL);
4073 
4074 				/* Pass gathered wisdom to IP for keeping */
4075 				sctp_update_dce(sctp);
4076 				sctp_clean_death(sctp, 0);
4077 				goto done;
4078 			case CHUNK_SHUTDOWN_ACK:
4079 				sctp_shutdown_complete(sctp);
4080 				BUMP_LOCAL(sctp->sctp_ibchunks);
4081 				BUMP_MIB(&sctps->sctps_mib, sctpShutdowns);
4082 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4083 				    NULL);
4084 				sctp_clean_death(sctp, 0);
4085 				goto done;
4086 			case CHUNK_COOKIE:
4087 				(void) sctp_shutdown_received(sctp, NULL,
4088 				    B_TRUE, B_FALSE, fp);
4089 				BUMP_LOCAL(sctp->sctp_ibchunks);
4090 				break;
4091 			case CHUNK_HEARTBEAT:
4092 				if (!hb_already) {
4093 					sctp_return_heartbeat(sctp, ch, mp);
4094 					hb_already = B_TRUE;
4095 				}
4096 				break;
4097 			default:
4098 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4099 					goto nomorechunks;
4100 				} /* else skip and continue processing */
4101 				break;
4102 			}
4103 			break;
4104 
4105 		case SCTPS_SHUTDOWN_RECEIVED:
4106 			switch (ch->sch_id) {
4107 			case CHUNK_SHUTDOWN:
4108 				trysend = sctp_shutdown_received(sctp, ch,
4109 				    B_FALSE, B_FALSE, fp);
4110 				break;
4111 			case CHUNK_SACK:
4112 				trysend = sctp_got_sack(sctp, ch);
4113 				if (trysend < 0) {
4114 					sctp_send_abort(sctp, sctph->sh_verf,
4115 					    0, NULL, 0, mp, 0, B_FALSE, ira);
4116 					sctp_assoc_event(sctp,
4117 					    SCTP_COMM_LOST, 0, NULL);
4118 					sctp_clean_death(sctp,
4119 					    ECONNABORTED);
4120 					goto done;
4121 				}
4122 				break;
4123 			case CHUNK_ABORT:
4124 				sctp_process_abort(sctp, ch, ECONNRESET);
4125 				goto done;
4126 			case CHUNK_HEARTBEAT:
4127 				if (!hb_already) {
4128 					sctp_return_heartbeat(sctp, ch, mp);
4129 					hb_already = B_TRUE;
4130 				}
4131 				break;
4132 			default:
4133 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4134 					goto nomorechunks;
4135 				} /* else skip and continue processing */
4136 				break;
4137 			}
4138 			break;
4139 
4140 		default:
4141 			/*
4142 			 * The only remaining states are SCTPS_IDLE and
4143 			 * SCTPS_BOUND, and we should not be getting here
4144 			 * for these.
4145 			 */
4146 			ASSERT(0);
4147 		} /* switch (sctp->sctp_state) */
4148 
4149 		ch = sctp_next_chunk(ch, &mlen);
4150 		if (ch != NULL && !sctp_check_input(sctp, ch, mlen, 0))
4151 			goto done;
4152 	} while (ch != NULL);
4153 
4154 	/* Finished processing all chunks in packet */
4155 
4156 nomorechunks:
4157 	/* SACK if necessary */
4158 	if (gotdata) {
4159 		boolean_t sack_sent;
4160 
4161 		(sctp->sctp_sack_toggle)++;
4162 		sack_sent = sctp_sack(sctp, dups);
4163 		dups = NULL;
4164 
4165 		/* If a SACK is sent, no need to restart the timer. */
4166 		if (!sack_sent && !sctp->sctp_ack_timer_running) {
4167 			sctp->sctp_ack_timer_running = B_TRUE;
4168 			sctp_timer(sctp, sctp->sctp_ack_mp,
4169 			    MSEC_TO_TICK(sctps->sctps_deferred_ack_interval));
4170 		}
4171 	}
4172 
4173 	if (trysend) {
4174 		sctp_output(sctp, UINT_MAX);
4175 		if (sctp->sctp_cxmit_list != NULL)
4176 			sctp_wput_asconf(sctp, NULL);
4177 	}
4178 	/* If there is unsent data, make sure a timer is running */
4179 	if (sctp->sctp_unsent > 0 && !sctp->sctp_current->timer_running) {
4180 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
4181 		    sctp->sctp_current->rto);
4182 	}
4183 
4184 done:
4185 	if (dups != NULL)
4186 		freeb(dups);
4187 	freemsg(mp);
4188 
4189 	if (sctp->sctp_err_chunks != NULL)
4190 		sctp_process_err(sctp);
4191 
4192 	if (wake_eager) {
4193 		/*
4194 		 * sctp points to newly created control block, need to
4195 		 * release it before exiting.
4196 		 */
4197 		WAKE_SCTP(sctp);
4198 	}
4199 }
4200 
4201 /*
4202  * Some amount of data got removed from rx q.
4203  * Check if we should send a window update.
4204  *
4205  * Due to way sctp_rwnd updates are made, ULP can give reports out-of-order.
4206  * To keep from dropping incoming data due to this, we only update
4207  * sctp_rwnd when if it's larger than what we've reported to peer earlier.
4208  */
4209 void
4210 sctp_recvd(sctp_t *sctp, int len)
4211 {
4212 	int32_t old, new;
4213 	sctp_stack_t	*sctps = sctp->sctp_sctps;
4214 
4215 	ASSERT(sctp != NULL);
4216 	RUN_SCTP(sctp);
4217 
4218 	if (len < sctp->sctp_rwnd) {
4219 		WAKE_SCTP(sctp);
4220 		return;
4221 	}
4222 	ASSERT(sctp->sctp_rwnd >= sctp->sctp_rxqueued);
4223 	old = sctp->sctp_rwnd - sctp->sctp_rxqueued;
4224 	new = len - sctp->sctp_rxqueued;
4225 	sctp->sctp_rwnd = len;
4226 
4227 	if (sctp->sctp_state >= SCTPS_ESTABLISHED &&
4228 	    ((old <= new >> 1) || (old < sctp->sctp_mss))) {
4229 		sctp->sctp_force_sack = 1;
4230 		BUMP_MIB(&sctps->sctps_mib, sctpOutWinUpdate);
4231 		(void) sctp_sack(sctp, NULL);
4232 	}
4233 	WAKE_SCTP(sctp);
4234 }
4235