xref: /titanic_51/usr/src/uts/common/inet/sctp/sctp_input.c (revision ae53df47ce6510c89a72cb9868322dc60bce861b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/types.h>
30 #include <sys/systm.h>
31 #include <sys/stream.h>
32 #include <sys/cmn_err.h>
33 #include <sys/kmem.h>
34 #define	_SUN_TPI_VERSION 2
35 #include <sys/tihdr.h>
36 #include <sys/socket.h>
37 #include <sys/strsun.h>
38 #include <sys/strsubr.h>
39 
40 #include <netinet/in.h>
41 #include <netinet/ip6.h>
42 #include <netinet/tcp_seq.h>
43 #include <netinet/sctp.h>
44 
45 #include <inet/common.h>
46 #include <inet/ip.h>
47 #include <inet/ip6.h>
48 #include <inet/mib2.h>
49 #include <inet/ipclassifier.h>
50 #include <inet/ipp_common.h>
51 #include <inet/ipsec_impl.h>
52 #include <inet/sctp_ip.h>
53 
54 #include "sctp_impl.h"
55 #include "sctp_asconf.h"
56 #include "sctp_addr.h"
57 
58 static struct kmem_cache *sctp_kmem_set_cache;
59 
60 /*
61  * PR-SCTP comments.
62  *
63  * When we get a valid Forward TSN chunk, we check the fragment list for this
64  * SSN and preceeding SSNs free all them. Further, if this Forward TSN causes
65  * the next expected SSN to be present in the stream queue, we deliver any
66  * such stranded messages upstream. We also update the SACK info. appropriately.
67  * When checking for advancing the cumulative ack (in sctp_cumack()) we must
68  * check for abandoned chunks and messages. While traversing the tramsmit
69  * list if we come across an abandoned chunk, we can skip the message (i.e.
70  * take it out of the (re)transmit list) since this message, and hence this
71  * chunk, has been marked abandoned by sctp_rexmit(). If we come across an
72  * unsent chunk for a message this now abandoned we need to check if a
73  * Forward TSN needs to be sent, this could be a case where we deferred sending
74  * a Forward TSN in sctp_get_msg_to_send(). Further, after processing a
75  * SACK we check if the Advanced peer ack point can be moved ahead, i.e.
76  * if we can send a Forward TSN via sctp_check_abandoned_data().
77  */
78 void
79 sctp_free_set(sctp_set_t *s)
80 {
81 	sctp_set_t *p;
82 
83 	while (s) {
84 		p = s->next;
85 		kmem_cache_free(sctp_kmem_set_cache, s);
86 		s = p;
87 	}
88 }
89 
90 static void
91 sctp_ack_add(sctp_set_t **head, uint32_t tsn, int *num)
92 {
93 	sctp_set_t *p, *t;
94 
95 	if (head == NULL || num == NULL)
96 		return;
97 
98 	ASSERT(*num >= 0);
99 	ASSERT((*num == 0 && *head == NULL) || (*num > 0 && *head != NULL));
100 
101 	if (*head == NULL) {
102 		*head = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
103 		if (*head == NULL)
104 			return;
105 		(*head)->prev = (*head)->next = NULL;
106 		(*head)->begin = tsn;
107 		(*head)->end = tsn;
108 		*num = 1;
109 		return;
110 	}
111 
112 	ASSERT((*head)->prev == NULL);
113 
114 	/*
115 	 * Handle this special case here so we don't have to check
116 	 * for it each time in the loop.
117 	 */
118 	if (SEQ_LT(tsn + 1, (*head)->begin)) {
119 		/* add a new set, and move the head pointer */
120 		t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
121 		if (t == NULL)
122 			return;
123 		t->next = *head;
124 		t->prev = NULL;
125 		(*head)->prev = t;
126 		t->begin = tsn;
127 		t->end = tsn;
128 		(*num)++;
129 		*head = t;
130 		return;
131 	}
132 
133 	/*
134 	 * We need to handle the following cases, where p points to
135 	 * the current set (as we walk through the loop):
136 	 *
137 	 * 1. tsn is entirely less than p; create a new set before p.
138 	 * 2. tsn borders p from less; coalesce p with tsn.
139 	 * 3. tsn is withing p; do nothing.
140 	 * 4. tsn borders p from greater; coalesce p with tsn.
141 	 * 4a. p may now border p->next from less; if so, coalesce those
142 	 *    two sets.
143 	 * 5. tsn is entirely greater then all sets; add a new set at
144 	 *    the end.
145 	 */
146 	for (p = *head; ; p = p->next) {
147 		if (SEQ_LT(tsn + 1, p->begin)) {
148 			/* 1: add a new set before p. */
149 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
150 			if (t == NULL)
151 				return;
152 			t->next = p;
153 			t->prev = NULL;
154 			t->begin = tsn;
155 			t->end = tsn;
156 			if (p->prev) {
157 				t->prev = p->prev;
158 				p->prev->next = t;
159 			}
160 			p->prev = t;
161 			(*num)++;
162 			return;
163 		}
164 
165 		if ((tsn + 1) == p->begin) {
166 			/* 2: adjust p->begin */
167 			p->begin = tsn;
168 			return;
169 		}
170 
171 		if (SEQ_GEQ(tsn, p->begin) && SEQ_LEQ(tsn, p->end)) {
172 			/* 3; do nothing */
173 			return;
174 		}
175 
176 		if ((p->end + 1) == tsn) {
177 			/* 4; adjust p->end */
178 			p->end = tsn;
179 
180 			if (p->next != NULL && (tsn + 1) == p->next->begin) {
181 				/* 4a: coalesce p and p->next */
182 				t = p->next;
183 				p->end = t->end;
184 				p->next = t->next;
185 				if (t->next != NULL)
186 					t->next->prev = p;
187 				kmem_cache_free(sctp_kmem_set_cache, t);
188 				(*num)--;
189 			}
190 			return;
191 		}
192 
193 		if (p->next == NULL) {
194 			/* 5: add new set at the end */
195 			t = kmem_cache_alloc(sctp_kmem_set_cache, KM_NOSLEEP);
196 			if (t == NULL)
197 				return;
198 			t->next = NULL;
199 			t->prev = p;
200 			t->begin = tsn;
201 			t->end = tsn;
202 			p->next = t;
203 			(*num)++;
204 			return;
205 		}
206 
207 		if (SEQ_GT(tsn, p->end + 1))
208 			continue;
209 	}
210 }
211 
212 static void
213 sctp_ack_rem(sctp_set_t **head, uint32_t end, int *num)
214 {
215 	sctp_set_t *p, *t;
216 
217 	if (head == NULL || *head == NULL || num == NULL)
218 		return;
219 
220 	/* Nothing to remove */
221 	if (SEQ_LT(end, (*head)->begin))
222 		return;
223 
224 	/* Find out where to start removing sets */
225 	for (p = *head; p->next; p = p->next) {
226 		if (SEQ_LEQ(end, p->end))
227 			break;
228 	}
229 
230 	if (SEQ_LT(end, p->end) && SEQ_GEQ(end, p->begin)) {
231 		/* adjust p */
232 		p->begin = end + 1;
233 		/* all done */
234 		if (p == *head)
235 			return;
236 	} else if (SEQ_GEQ(end, p->end)) {
237 		/* remove this set too */
238 		p = p->next;
239 	}
240 
241 	/* unlink everything before this set */
242 	t = *head;
243 	*head = p;
244 	if (p != NULL && p->prev != NULL) {
245 		p->prev->next = NULL;
246 		p->prev = NULL;
247 	}
248 
249 	sctp_free_set(t);
250 
251 	/* recount the number of sets */
252 	*num = 0;
253 
254 	for (p = *head; p != NULL; p = p->next)
255 		(*num)++;
256 }
257 
258 void
259 sctp_sets_init()
260 {
261 	sctp_kmem_set_cache = kmem_cache_create("sctp_set_cache",
262 	    sizeof (sctp_set_t), 0, NULL, NULL, NULL, NULL,
263 	    NULL, 0);
264 }
265 
266 void
267 sctp_sets_fini()
268 {
269 	kmem_cache_destroy(sctp_kmem_set_cache);
270 }
271 
272 sctp_chunk_hdr_t *
273 sctp_first_chunk(uchar_t *rptr, ssize_t remaining)
274 {
275 	sctp_chunk_hdr_t *ch;
276 	uint16_t ch_len;
277 
278 	if (remaining < sizeof (*ch)) {
279 		return (NULL);
280 	}
281 
282 	ch = (sctp_chunk_hdr_t *)rptr;
283 	ch_len = ntohs(ch->sch_len);
284 
285 	if (ch_len < sizeof (*ch) || remaining < ch_len) {
286 		return (NULL);
287 	}
288 
289 	return (ch);
290 }
291 
292 sctp_chunk_hdr_t *
293 sctp_next_chunk(sctp_chunk_hdr_t *ch, ssize_t *remaining)
294 {
295 	int pad;
296 	uint16_t ch_len;
297 
298 	if (!ch) {
299 		return (NULL);
300 	}
301 
302 	ch_len = ntohs(ch->sch_len);
303 
304 	if ((pad = ch_len & (SCTP_ALIGN - 1)) != 0) {
305 		pad = SCTP_ALIGN - pad;
306 	}
307 
308 	*remaining -= (ch_len + pad);
309 	ch = (sctp_chunk_hdr_t *)((char *)ch + ch_len + pad);
310 
311 	return (sctp_first_chunk((uchar_t *)ch, *remaining));
312 }
313 
314 /*
315  * Attach ancillary data to a received SCTP segments.
316  * If the source address (fp) is not the primary, send up a
317  * unitdata_ind so recvfrom() can populate the msg_name field.
318  * If ancillary data is also requested, we append it to the
319  * unitdata_req. Otherwise, we just send up an optdata_ind.
320  */
321 static int
322 sctp_input_add_ancillary(sctp_t *sctp, mblk_t **mp, sctp_data_hdr_t *dcp,
323     sctp_faddr_t *fp, ip6_pkt_t *ipp)
324 {
325 	struct T_unitdata_ind	*tudi;
326 	int			optlen;
327 	int			hdrlen;
328 	uchar_t			*optptr;
329 	struct cmsghdr		*cmsg;
330 	mblk_t			*mp1;
331 	struct sockaddr_in6	sin_buf[1];
332 	struct sockaddr_in6	*sin6;
333 	struct sockaddr_in	*sin4;
334 	uint_t			addflag = 0;
335 
336 	sin4 = NULL;
337 	sin6 = NULL;
338 
339 	optlen = hdrlen = 0;
340 
341 	/* Figure out address size */
342 	if (sctp->sctp_ipversion == IPV4_VERSION) {
343 		sin4 = (struct sockaddr_in *)sin_buf;
344 		sin4->sin_family = AF_INET;
345 		sin4->sin_port = sctp->sctp_fport;
346 		IN6_V4MAPPED_TO_IPADDR(&fp->faddr, sin4->sin_addr.s_addr);
347 		hdrlen = sizeof (*tudi) + sizeof (*sin4);
348 	} else {
349 		sin6 = sin_buf;
350 		sin6->sin6_family = AF_INET6;
351 		sin6->sin6_port = sctp->sctp_fport;
352 		sin6->sin6_addr = fp->faddr;
353 		hdrlen = sizeof (*tudi) + sizeof (*sin6);
354 	}
355 
356 	/* If app asked to receive send / recv info */
357 	if (sctp->sctp_recvsndrcvinfo) {
358 		optlen += sizeof (*cmsg) + sizeof (struct sctp_sndrcvinfo);
359 		if (hdrlen == 0)
360 			hdrlen = sizeof (struct T_optdata_ind);
361 	}
362 
363 	if (sctp->sctp_ipv6_recvancillary == 0)
364 		goto noancillary;
365 
366 	if ((ipp->ipp_fields & IPPF_IFINDEX) &&
367 	    ipp->ipp_ifindex != sctp->sctp_recvifindex &&
368 	    (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVPKTINFO)) {
369 		optlen += sizeof (*cmsg) + sizeof (struct in6_pktinfo);
370 		if (hdrlen == 0)
371 			hdrlen = sizeof (struct T_unitdata_ind);
372 		addflag |= SCTP_IPV6_RECVPKTINFO;
373 	}
374 	/* If app asked for hoplimit and it has changed ... */
375 	if ((ipp->ipp_fields & IPPF_HOPLIMIT) &&
376 	    ipp->ipp_hoplimit != sctp->sctp_recvhops &&
377 	    (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPLIMIT)) {
378 		optlen += sizeof (*cmsg) + sizeof (uint_t);
379 		if (hdrlen == 0)
380 			hdrlen = sizeof (struct T_unitdata_ind);
381 		addflag |= SCTP_IPV6_RECVHOPLIMIT;
382 	}
383 	/* If app asked for hopbyhop headers and it has changed ... */
384 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVHOPOPTS) &&
385 	    ip_cmpbuf(sctp->sctp_hopopts, sctp->sctp_hopoptslen,
386 		(ipp->ipp_fields & IPPF_HOPOPTS),
387 		ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
388 		optlen += sizeof (*cmsg) + ipp->ipp_hopoptslen -
389 		    sctp->sctp_v6label_len;
390 		if (hdrlen == 0)
391 			hdrlen = sizeof (struct T_unitdata_ind);
392 		addflag |= SCTP_IPV6_RECVHOPOPTS;
393 		if (!ip_allocbuf((void **)&sctp->sctp_hopopts,
394 		    &sctp->sctp_hopoptslen,
395 		    (ipp->ipp_fields & IPPF_HOPOPTS),
396 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen))
397 			return (-1);
398 	}
399 	/* If app asked for dst headers before routing headers ... */
400 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTDSTOPTS) &&
401 	    ip_cmpbuf(sctp->sctp_rtdstopts, sctp->sctp_rtdstoptslen,
402 		(ipp->ipp_fields & IPPF_RTDSTOPTS),
403 		ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen)) {
404 		optlen += sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
405 		if (hdrlen == 0)
406 			hdrlen = sizeof (struct T_unitdata_ind);
407 		addflag |= SCTP_IPV6_RECVRTDSTOPTS;
408 		if (!ip_allocbuf((void **)&sctp->sctp_rtdstopts,
409 		    &sctp->sctp_rtdstoptslen,
410 		    (ipp->ipp_fields & IPPF_RTDSTOPTS),
411 		    ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen))
412 			return (-1);
413 	}
414 	/* If app asked for routing headers and it has changed ... */
415 	if (sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVRTHDR) {
416 		if (ip_cmpbuf(sctp->sctp_rthdr, sctp->sctp_rthdrlen,
417 		    (ipp->ipp_fields & IPPF_RTHDR),
418 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
419 			optlen += sizeof (*cmsg) + ipp->ipp_rthdrlen;
420 			if (hdrlen == 0)
421 				hdrlen = sizeof (struct T_unitdata_ind);
422 			addflag |= SCTP_IPV6_RECVRTHDR;
423 			if (!ip_allocbuf((void **)&sctp->sctp_rthdr,
424 			    &sctp->sctp_rthdrlen,
425 			    (ipp->ipp_fields & IPPF_RTHDR),
426 			    ipp->ipp_rthdr, ipp->ipp_rthdrlen))
427 				return (-1);
428 		}
429 	}
430 	/* If app asked for dest headers and it has changed ... */
431 	if ((sctp->sctp_ipv6_recvancillary & SCTP_IPV6_RECVDSTOPTS) &&
432 	    ip_cmpbuf(sctp->sctp_dstopts, sctp->sctp_dstoptslen,
433 		(ipp->ipp_fields & IPPF_DSTOPTS),
434 		ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
435 		optlen += sizeof (*cmsg) + ipp->ipp_dstoptslen;
436 		if (hdrlen == 0)
437 			hdrlen = sizeof (struct T_unitdata_ind);
438 		addflag |= SCTP_IPV6_RECVDSTOPTS;
439 		if (!ip_allocbuf((void **)&sctp->sctp_dstopts,
440 		    &sctp->sctp_dstoptslen,
441 		    (ipp->ipp_fields & IPPF_DSTOPTS),
442 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen))
443 			return (-1);
444 	}
445 noancillary:
446 	/* Nothing to add */
447 	if (hdrlen == 0)
448 		return (-1);
449 
450 	mp1 = allocb(hdrlen + optlen + sizeof (void *), BPRI_MED);
451 	if (mp1 == NULL)
452 		return (-1);
453 	mp1->b_cont = *mp;
454 	*mp = mp1;
455 	mp1->b_rptr += sizeof (void *);  /* pointer worth of padding */
456 	mp1->b_wptr = mp1->b_rptr + hdrlen + optlen;
457 	DB_TYPE(mp1) = M_PROTO;
458 	tudi = (struct T_unitdata_ind *)mp1->b_rptr;
459 	tudi->PRIM_type = T_UNITDATA_IND;
460 	tudi->SRC_length = sin4 ? sizeof (*sin4) : sizeof (*sin6);
461 	tudi->SRC_offset = sizeof (*tudi);
462 	tudi->OPT_offset = sizeof (*tudi) + tudi->SRC_length;
463 	tudi->OPT_length = optlen;
464 	if (sin4) {
465 		bcopy(sin4, tudi + 1, sizeof (*sin4));
466 	} else {
467 		bcopy(sin6, tudi + 1, sizeof (*sin6));
468 	}
469 	optptr = (uchar_t *)tudi + tudi->OPT_offset;
470 
471 	if (sctp->sctp_recvsndrcvinfo) {
472 		/* XXX need backout method if memory allocation fails. */
473 		struct sctp_sndrcvinfo *sri;
474 
475 		cmsg = (struct cmsghdr *)optptr;
476 		cmsg->cmsg_level = IPPROTO_SCTP;
477 		cmsg->cmsg_type = SCTP_SNDRCV;
478 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*sri);
479 		optptr += sizeof (*cmsg);
480 
481 		sri = (struct sctp_sndrcvinfo *)(cmsg + 1);
482 		ASSERT(OK_32PTR(sri));
483 		sri->sinfo_stream = ntohs(dcp->sdh_sid);
484 		sri->sinfo_ssn = ntohs(dcp->sdh_ssn);
485 		if (SCTP_DATA_GET_UBIT(dcp)) {
486 			sri->sinfo_flags = MSG_UNORDERED;
487 		} else {
488 			sri->sinfo_flags = 0;
489 		}
490 		sri->sinfo_ppid = dcp->sdh_payload_id;
491 		sri->sinfo_context = 0;
492 		sri->sinfo_timetolive = 0;
493 		sri->sinfo_tsn = ntohl(dcp->sdh_tsn);
494 		sri->sinfo_cumtsn = sctp->sctp_ftsn;
495 		sri->sinfo_assoc_id = 0;
496 
497 		optptr += sizeof (*sri);
498 	}
499 
500 	/*
501 	 * If app asked for pktinfo and the index has changed ...
502 	 * Note that the local address never changes for the connection.
503 	 */
504 	if (addflag & SCTP_IPV6_RECVPKTINFO) {
505 		struct in6_pktinfo *pkti;
506 
507 		cmsg = (struct cmsghdr *)optptr;
508 		cmsg->cmsg_level = IPPROTO_IPV6;
509 		cmsg->cmsg_type = IPV6_PKTINFO;
510 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (*pkti);
511 		optptr += sizeof (*cmsg);
512 
513 		pkti = (struct in6_pktinfo *)optptr;
514 		if (sctp->sctp_ipversion == IPV6_VERSION)
515 			pkti->ipi6_addr = sctp->sctp_ip6h->ip6_src;
516 		else
517 			IN6_IPADDR_TO_V4MAPPED(sctp->sctp_ipha->ipha_src,
518 			    &pkti->ipi6_addr);
519 		pkti->ipi6_ifindex = ipp->ipp_ifindex;
520 		optptr += sizeof (*pkti);
521 		ASSERT(OK_32PTR(optptr));
522 		/* Save as "last" value */
523 		sctp->sctp_recvifindex = ipp->ipp_ifindex;
524 	}
525 	/* If app asked for hoplimit and it has changed ... */
526 	if (addflag & SCTP_IPV6_RECVHOPLIMIT) {
527 		cmsg = (struct cmsghdr *)optptr;
528 		cmsg->cmsg_level = IPPROTO_IPV6;
529 		cmsg->cmsg_type = IPV6_HOPLIMIT;
530 		cmsg->cmsg_len = sizeof (*cmsg) + sizeof (uint_t);
531 		optptr += sizeof (*cmsg);
532 
533 		*(uint_t *)optptr = ipp->ipp_hoplimit;
534 		optptr += sizeof (uint_t);
535 		ASSERT(OK_32PTR(optptr));
536 		/* Save as "last" value */
537 		sctp->sctp_recvhops = ipp->ipp_hoplimit;
538 	}
539 	if (addflag & SCTP_IPV6_RECVHOPOPTS) {
540 		cmsg = (struct cmsghdr *)optptr;
541 		cmsg->cmsg_level = IPPROTO_IPV6;
542 		cmsg->cmsg_type = IPV6_HOPOPTS;
543 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_hopoptslen;
544 		optptr += sizeof (*cmsg);
545 
546 		bcopy(ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
547 		optptr += ipp->ipp_hopoptslen;
548 		ASSERT(OK_32PTR(optptr));
549 		/* Save as last value */
550 		ip_savebuf((void **)&sctp->sctp_hopopts,
551 		    &sctp->sctp_hopoptslen,
552 		    (ipp->ipp_fields & IPPF_HOPOPTS),
553 		    ipp->ipp_hopopts, ipp->ipp_hopoptslen);
554 	}
555 	if (addflag & SCTP_IPV6_RECVRTDSTOPTS) {
556 		cmsg = (struct cmsghdr *)optptr;
557 		cmsg->cmsg_level = IPPROTO_IPV6;
558 		cmsg->cmsg_type = IPV6_RTHDRDSTOPTS;
559 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rtdstoptslen;
560 		optptr += sizeof (*cmsg);
561 
562 		bcopy(ipp->ipp_rtdstopts, optptr, ipp->ipp_rtdstoptslen);
563 		optptr += ipp->ipp_rtdstoptslen;
564 		ASSERT(OK_32PTR(optptr));
565 		/* Save as last value */
566 		ip_savebuf((void **)&sctp->sctp_rtdstopts,
567 		    &sctp->sctp_rtdstoptslen,
568 		    (ipp->ipp_fields & IPPF_RTDSTOPTS),
569 		    ipp->ipp_rtdstopts, ipp->ipp_rtdstoptslen);
570 	}
571 	if (addflag & SCTP_IPV6_RECVRTHDR) {
572 		cmsg = (struct cmsghdr *)optptr;
573 		cmsg->cmsg_level = IPPROTO_IPV6;
574 		cmsg->cmsg_type = IPV6_RTHDR;
575 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_rthdrlen;
576 		optptr += sizeof (*cmsg);
577 
578 		bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
579 		optptr += ipp->ipp_rthdrlen;
580 		ASSERT(OK_32PTR(optptr));
581 		/* Save as last value */
582 		ip_savebuf((void **)&sctp->sctp_rthdr,
583 		    &sctp->sctp_rthdrlen,
584 		    (ipp->ipp_fields & IPPF_RTHDR),
585 		    ipp->ipp_rthdr, ipp->ipp_rthdrlen);
586 	}
587 	if (addflag & SCTP_IPV6_RECVDSTOPTS) {
588 		cmsg = (struct cmsghdr *)optptr;
589 		cmsg->cmsg_level = IPPROTO_IPV6;
590 		cmsg->cmsg_type = IPV6_DSTOPTS;
591 		cmsg->cmsg_len = sizeof (*cmsg) + ipp->ipp_dstoptslen;
592 		optptr += sizeof (*cmsg);
593 
594 		bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
595 		optptr += ipp->ipp_dstoptslen;
596 		ASSERT(OK_32PTR(optptr));
597 		/* Save as last value */
598 		ip_savebuf((void **)&sctp->sctp_dstopts,
599 		    &sctp->sctp_dstoptslen,
600 		    (ipp->ipp_fields & IPPF_DSTOPTS),
601 		    ipp->ipp_dstopts, ipp->ipp_dstoptslen);
602 	}
603 
604 	ASSERT(optptr == mp1->b_wptr);
605 
606 	return (0);
607 }
608 
609 void
610 sctp_free_reass(sctp_instr_t *sip)
611 {
612 	mblk_t *mp, *mpnext, *mctl;
613 
614 	for (mp = sip->istr_reass; mp != NULL; mp = mpnext) {
615 		mpnext = mp->b_next;
616 		mp->b_next = NULL;
617 		mp->b_prev = NULL;
618 		if (DB_TYPE(mp) == M_CTL) {
619 			mctl = mp;
620 			ASSERT(mp->b_cont != NULL);
621 			mp = mp->b_cont;
622 			mctl->b_cont = NULL;
623 			freeb(mctl);
624 		}
625 		freemsg(mp);
626 	}
627 }
628 
629 /*
630  * If the series of data fragments of which dmp is a part is successfully
631  * reassembled, the first mblk in the series is returned. dc is adjusted
632  * to point at the data chunk in the lead mblk, and b_rptr also points to
633  * the data chunk; the following mblk's b_rptr's point at the actual payload.
634  *
635  * If the series is not yet reassembled, NULL is returned. dc is not changed.
636  * XXX should probably move this up into the state machine.
637  */
638 
639 /* Fragment list for un-ordered messages. Partial delivery is not supported */
640 static mblk_t *
641 sctp_uodata_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc)
642 {
643 	mblk_t		*hmp;
644 	mblk_t		*begin = NULL;
645 	mblk_t		*end = NULL;
646 	sctp_data_hdr_t	*qdc;
647 	uint32_t	ntsn;
648 	uint32_t	tsn = ntohl((*dc)->sdh_tsn);
649 #ifdef	DEBUG
650 	mblk_t		*mp1;
651 #endif
652 
653 	/* First frag. */
654 	if (sctp->sctp_uo_frags == NULL) {
655 		sctp->sctp_uo_frags = dmp;
656 		return (NULL);
657 	}
658 	hmp = sctp->sctp_uo_frags;
659 	/*
660 	 * Insert the segment according to the TSN, fragmented unordered
661 	 * chunks are sequenced by TSN.
662 	 */
663 	while (hmp != NULL) {
664 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
665 		ntsn = ntohl(qdc->sdh_tsn);
666 		if (SEQ_GT(ntsn, tsn)) {
667 			if (hmp->b_prev == NULL) {
668 				dmp->b_next = hmp;
669 				hmp->b_prev = dmp;
670 				sctp->sctp_uo_frags = dmp;
671 			} else {
672 				dmp->b_next = hmp;
673 				dmp->b_prev = hmp->b_prev;
674 				hmp->b_prev->b_next = dmp;
675 				hmp->b_prev = dmp;
676 			}
677 			break;
678 		}
679 		if (hmp->b_next == NULL) {
680 			hmp->b_next = dmp;
681 			dmp->b_prev = hmp;
682 			break;
683 		}
684 		hmp = hmp->b_next;
685 	}
686 	/* check if we completed a msg */
687 	if (SCTP_DATA_GET_BBIT(*dc)) {
688 		begin = dmp;
689 	} else if (SCTP_DATA_GET_EBIT(*dc)) {
690 		end = dmp;
691 	}
692 	/*
693 	 * We walk consecutive TSNs backwards till we get a seg. with
694 	 * the B bit
695 	 */
696 	if (begin == NULL) {
697 		for (hmp = dmp->b_prev; hmp != NULL; hmp = hmp->b_prev) {
698 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
699 			ntsn = ntohl(qdc->sdh_tsn);
700 			if ((int32_t)(tsn - ntsn) > 1) {
701 				return (NULL);
702 			}
703 			if (SCTP_DATA_GET_BBIT(qdc)) {
704 				begin = hmp;
705 				break;
706 			}
707 			tsn = ntsn;
708 		}
709 	}
710 	tsn = ntohl((*dc)->sdh_tsn);
711 	/*
712 	 * We walk consecutive TSNs till we get a seg. with the E bit
713 	 */
714 	if (end == NULL) {
715 		for (hmp = dmp->b_next; hmp != NULL; hmp = hmp->b_next) {
716 			qdc = (sctp_data_hdr_t *)hmp->b_rptr;
717 			ntsn = ntohl(qdc->sdh_tsn);
718 			if ((int32_t)(ntsn - tsn) > 1) {
719 				return (NULL);
720 			}
721 			if (SCTP_DATA_GET_EBIT(qdc)) {
722 				end = hmp;
723 				break;
724 			}
725 			tsn = ntsn;
726 		}
727 	}
728 	if (begin == NULL || end == NULL) {
729 		return (NULL);
730 	}
731 	/* Got one!, Remove the msg from the list */
732 	if (sctp->sctp_uo_frags == begin) {
733 		ASSERT(begin->b_prev == NULL);
734 		sctp->sctp_uo_frags = end->b_next;
735 		if (end->b_next != NULL)
736 			end->b_next->b_prev = NULL;
737 	} else {
738 		begin->b_prev->b_next = end->b_next;
739 		if (end->b_next != NULL)
740 			end->b_next->b_prev = begin->b_prev;
741 	}
742 	begin->b_prev = NULL;
743 	end->b_next = NULL;
744 
745 	/*
746 	 * Null out b_next and b_prev and chain using b_cont.
747 	 */
748 	dmp = end = begin;
749 	hmp = begin->b_next;
750 	*dc = (sctp_data_hdr_t *)begin->b_rptr;
751 	begin->b_next = NULL;
752 	while (hmp != NULL) {
753 		qdc = (sctp_data_hdr_t *)hmp->b_rptr;
754 		hmp->b_rptr = (uchar_t *)(qdc + 1);
755 		end = hmp->b_next;
756 		dmp->b_cont = hmp;
757 		dmp = hmp;
758 
759 		if (end != NULL)
760 			hmp->b_next = NULL;
761 		hmp->b_prev = NULL;
762 		hmp = end;
763 	}
764 	BUMP_LOCAL(sctp->sctp_reassmsgs);
765 #ifdef	DEBUG
766 	mp1 = begin;
767 	while (mp1 != NULL) {
768 		ASSERT(mp1->b_next == NULL);
769 		ASSERT(mp1->b_prev == NULL);
770 		mp1 = mp1->b_cont;
771 	}
772 #endif
773 	return (begin);
774 }
775 /*
776  * Fragment list for ordered messages.
777  * If no error occures, error is set to 0. If we run out of memory, error
778  * is set to 1. If the peer commits a fatal error (like using different
779  * sequence numbers for the same data fragment series), the association is
780  * aborted and error is set to 2.
781  */
782 static mblk_t *
783 sctp_data_frag(sctp_t *sctp, mblk_t *dmp, sctp_data_hdr_t **dc, int *error,
784     sctp_instr_t *sip, int trypartial, int *tpfinished)
785 {
786 	mblk_t		*hmp;
787 	mblk_t		*pmp;
788 	mblk_t		*qmp;
789 	mblk_t		*mp;
790 	mblk_t		*prev;
791 	mblk_t		*prevprev;
792 	mblk_t		*first_mp;
793 	sctp_reass_t	*srp;
794 	sctp_data_hdr_t	*qdc;
795 	sctp_data_hdr_t	*bdc;
796 	sctp_data_hdr_t	*edc;
797 	uint32_t	tsn;
798 
799 	/*
800 	 * We can overwrite the Link Layer + IP header here, I suppose.
801 	 * The M_CTL does not leave this function. We need to check
802 	 * DB_REF(dmp) before using DB_BASE(dmp), since there could be
803 	 * two fragments for different ssns in the same mblk.
804 	 */
805 #define	SCTP_NEW_REASS(nmp, dmp, srp, seterror)				\
806 	if ((DB_REF(dmp) == 2) && (MBLKHEAD(dmp) >= 			\
807 	    (sizeof (*(srp)) + sizeof (sctp_hdr_t))) &&			\
808 	    (IS_P2ALIGNED(DB_BASE(dmp), sizeof (uintptr_t)))) {		\
809 		(nmp) = (dmp);						\
810 	} else {							\
811 		(nmp) = allocb(sizeof (*(srp)), BPRI_MED); 		\
812 		if ((nmp) == NULL) {					\
813 			switch (seterror) {				\
814 			case B_TRUE:					\
815 				*error = 1;				\
816 				break;					\
817 			}						\
818 			return (NULL);					\
819 		}							\
820 		DB_TYPE(nmp) = M_CTL;					\
821 		(nmp)->b_cont = dmp;					\
822 	}								\
823 	(srp) = (sctp_reass_t *)DB_BASE(nmp);
824 
825 	*error = 0;
826 
827 	/* find the reassembly queue for this data chunk */
828 	hmp = qmp = sip->istr_reass;
829 	for (; hmp != NULL; hmp = hmp->b_next) {
830 		srp = (sctp_reass_t *)DB_BASE(hmp);
831 		if (ntohs((*dc)->sdh_ssn) == srp->ssn)
832 			goto foundit;
833 		else if (SSN_GT(srp->ssn, ntohs((*dc)->sdh_ssn)))
834 			break;
835 		qmp = hmp;
836 	}
837 
838 	SCTP_NEW_REASS(pmp, dmp, srp, B_TRUE);
839 	srp->ssn = ntohs((*dc)->sdh_ssn);
840 	srp->needed = 0;
841 	srp->got = 1;
842 	srp->tail = dmp;
843 	srp->partial_delivered = B_FALSE;
844 
845 	if (hmp != NULL) {
846 		if (sip->istr_reass == hmp) {
847 			sip->istr_reass = pmp;
848 			pmp->b_next = hmp;
849 			pmp->b_prev = NULL;
850 			hmp->b_prev = pmp;
851 		} else {
852 			qmp->b_next = pmp;
853 			pmp->b_prev = qmp;
854 			pmp->b_next = hmp;
855 			hmp->b_prev = pmp;
856 		}
857 	} else {
858 		/* make a new reass head and stick it on the end */
859 		if (sip->istr_reass == NULL) {
860 			sip->istr_reass = pmp;
861 			pmp->b_prev = NULL;
862 		} else {
863 			qmp->b_next = pmp;
864 			pmp->b_prev = qmp;
865 		}
866 		pmp->b_next = NULL;
867 	}
868 	return (NULL);
869 foundit:
870 	/*
871 	 * else already have a reassembly queue. Insert the new data chunk
872 	 * in the reassemble queue. Try the tail first, on the assumption
873 	 * that the fragments are coming in in order.
874 	 */
875 
876 	qmp = srp->tail;
877 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
878 	ASSERT(qmp->b_cont == NULL);
879 
880 	/* XXXIs it fine to do this just here? */
881 	if ((*dc)->sdh_sid != qdc->sdh_sid) {
882 		/* our peer is fatally confused; XXX abort the assc */
883 		*error = 2;
884 		return (NULL);
885 	}
886 	if (SEQ_GT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
887 		qmp->b_cont = dmp;
888 		srp->tail = dmp;
889 		dmp->b_cont = NULL;
890 		goto inserted;
891 	}
892 
893 	/* Next check for insertion at the beginning */
894 	qmp = (DB_TYPE(hmp) == M_DATA) ? hmp : hmp->b_cont;
895 	qdc = (sctp_data_hdr_t *)qmp->b_rptr;
896 	if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
897 		if (DB_TYPE(hmp) == M_DATA) {
898 			sctp_reass_t	*srp1 = srp;
899 
900 			SCTP_NEW_REASS(pmp, dmp, srp, B_TRUE);
901 			ASSERT(pmp->b_prev == NULL && pmp->b_next == NULL);
902 			if (sip->istr_reass == hmp) {
903 				sip->istr_reass = pmp;
904 				if (hmp->b_next != NULL) {
905 					hmp->b_next->b_prev = pmp;
906 					pmp->b_next = hmp->b_next;
907 				}
908 			} else {
909 				hmp->b_prev->b_next = pmp;
910 				pmp->b_prev = hmp->b_prev;
911 				if (hmp->b_next != NULL) {
912 					hmp->b_next->b_prev = pmp;
913 					pmp->b_next = hmp->b_next;
914 				}
915 			}
916 			srp->ssn = srp1->ssn;
917 			srp->needed = srp1->needed;
918 			srp->got = srp1->got;
919 			srp->tail = srp1->tail;
920 			srp->partial_delivered = srp1->partial_delivered;
921 			hmp->b_next = hmp->b_prev = NULL;
922 			dmp->b_cont = hmp;
923 			hmp = pmp;
924 		} else {
925 			ASSERT(DB_TYPE(hmp) == M_CTL);
926 			dmp->b_cont = qmp;
927 			hmp->b_cont = dmp;
928 		}
929 		goto inserted;
930 	}
931 
932 	/* Insert somewhere in the middle */
933 	for (;;) {
934 		/* Tail check above should have caught this */
935 		ASSERT(qmp->b_cont != NULL);
936 
937 		qdc = (sctp_data_hdr_t *)qmp->b_cont->b_rptr;
938 		if (SEQ_LT(ntohl((*dc)->sdh_tsn), ntohl(qdc->sdh_tsn))) {
939 			/* insert here */
940 			dmp->b_cont = qmp->b_cont;
941 			qmp->b_cont = dmp;
942 			break;
943 		}
944 		qmp = qmp->b_cont;
945 	}
946 
947 inserted:
948 	(srp->got)++;
949 	first_mp = (DB_TYPE(hmp) == M_DATA) ? hmp : hmp->b_cont;
950 	if (srp->needed == 0) {
951 		/* check if we have the first and last fragments */
952 		bdc = (sctp_data_hdr_t *)first_mp->b_rptr;
953 		edc = (sctp_data_hdr_t *)srp->tail->b_rptr;
954 
955 		/* calculate how many fragments are needed, if possible  */
956 		if (SCTP_DATA_GET_BBIT(bdc) && SCTP_DATA_GET_EBIT(edc))
957 			srp->needed = ntohl(edc->sdh_tsn) -
958 			    ntohl(bdc->sdh_tsn) + 1;
959 	}
960 
961 	if (srp->needed != srp->got) {
962 		if (!trypartial)
963 			return (NULL);
964 		/*
965 		 * Try partial delivery. We need a consecutive run of
966 		 * at least two chunks, starting from the first chunk
967 		 * (which may have been the last + 1 chunk from a
968 		 * previous partial delivery).
969 		 */
970 		dprint(4, ("trypartial: got=%d, needed=%d\n",
971 		    (int)(srp->got), (int)(srp->needed)));
972 		mp = first_mp;
973 		if (mp->b_cont == NULL) {
974 			/* need at least two chunks */
975 			dprint(4, ("trypartial: only 1 chunk\n"));
976 			return (NULL);
977 		}
978 
979 		qdc = (sctp_data_hdr_t *)mp->b_rptr;
980 		if (!SCTP_DATA_GET_BBIT(qdc)) {
981 			/* don't have first chunk; can't do it. */
982 			dprint(4, ("trypartial: no beginning\n"));
983 			return (NULL);
984 		}
985 
986 		tsn = ntohl(qdc->sdh_tsn) + 1;
987 
988 		/*
989 		 * This loop has two exit conditions: the
990 		 * end of received chunks has been reached, or
991 		 * there is a break in the sequence. We want
992 		 * to chop the reassembly list as follows (the
993 		 * numbers are TSNs):
994 		 *   10 -> 11 -> | 12	(end of chunks)
995 		 *   10 -> 11 -> | 12 -> 14 (break in sequence)
996 		 */
997 		prevprev = prev = mp;
998 		mp = mp->b_cont;
999 		while (mp != NULL) {
1000 			qdc = (sctp_data_hdr_t *)mp->b_rptr;
1001 			if (ntohl(qdc->sdh_tsn) != tsn) {
1002 				/*
1003 				 * break in sequence.
1004 				 * 1st and 2nd chunks are not sequntial.
1005 				 */
1006 				if (mp == first_mp->b_cont)
1007 					return (NULL);
1008 				/* Back up mp and prev */
1009 				mp = prev;
1010 				prev = prevprev;
1011 				break;
1012 			}
1013 
1014 			/* end of sequence */
1015 			if (mp->b_cont == NULL)
1016 				break;
1017 
1018 			prevprev = prev;
1019 			prev = mp;
1020 			mp = mp->b_cont;
1021 			tsn++;
1022 		}
1023 		if (DB_TYPE(hmp) == M_DATA) {
1024 			sctp_reass_t	*srp1 = srp;
1025 
1026 			SCTP_NEW_REASS(pmp, mp, srp, B_FALSE);
1027 			ASSERT(pmp->b_prev == NULL && pmp->b_next == NULL);
1028 			if (sip->istr_reass == hmp) {
1029 				sip->istr_reass = pmp;
1030 				if (hmp->b_next != NULL) {
1031 					hmp->b_next->b_prev = pmp;
1032 					pmp->b_next = hmp->b_next;
1033 				}
1034 			} else {
1035 				hmp->b_prev->b_next = pmp;
1036 				pmp->b_prev = hmp->b_prev;
1037 				if (hmp->b_next != NULL) {
1038 					hmp->b_next->b_prev = pmp;
1039 					pmp->b_next = hmp->b_next;
1040 				}
1041 			}
1042 			srp->ssn = srp1->ssn;
1043 			srp->needed = srp1->needed;
1044 			srp->got = srp1->got;
1045 			srp->tail = srp1->tail;
1046 			hmp->b_next = hmp->b_prev = NULL;
1047 			dmp = hmp;
1048 			hmp = pmp;
1049 		} else {
1050 			ASSERT(DB_TYPE(hmp) == M_CTL);
1051 			dmp = hmp->b_cont;
1052 			hmp->b_cont = mp;
1053 		}
1054 		/*
1055 		 * mp now points at the last chunk in the sequence,
1056 		 * and prev points to mp's previous in the list.
1057 		 * We chop the list at prev, and convert mp into the
1058 		 * new list head by setting the B bit. Subsequence
1059 		 * fragment deliveries will follow the normal reassembly
1060 		 * path.
1061 		 */
1062 		prev->b_cont = NULL;
1063 		bdc = (sctp_data_hdr_t *)mp->b_rptr;
1064 		SCTP_DATA_SET_BBIT(bdc);
1065 		*tpfinished = 0;
1066 		srp->partial_delivered = B_TRUE;
1067 
1068 		dprint(4, ("trypartial: got some, got=%d, needed=%d\n",
1069 		    (int)(srp->got), (int)(srp->needed)));
1070 		goto fixup;
1071 	}
1072 
1073 	/*
1074 	 * else reassembly done; prepare the data for delivery.
1075 	 * First unlink hmp from the ssn list.
1076 	 */
1077 	if (sip->istr_reass == hmp) {
1078 		sip->istr_reass = hmp->b_next;
1079 		if (hmp->b_next) {
1080 			hmp->b_next->b_prev = NULL;
1081 		}
1082 	} else {
1083 		ASSERT(hmp->b_prev != NULL);
1084 		hmp->b_prev->b_next = hmp->b_next;
1085 		if (hmp->b_next) {
1086 			hmp->b_next->b_prev = hmp->b_prev;
1087 		}
1088 	}
1089 
1090 	/*
1091 	 * Using b_prev and b_next was a little sinful, but OK since
1092 	 * this mblk is never put*'d. However, freeb() will still
1093 	 * ASSERT that they are unused, so we need to NULL them out now.
1094 	 */
1095 	hmp->b_next = NULL;
1096 	hmp->b_prev = NULL;
1097 	dmp = hmp;
1098 	if (DB_TYPE(hmp) == M_CTL) {
1099 		dmp = dmp->b_cont;
1100 		hmp->b_cont = NULL;
1101 		freeb(hmp);
1102 	}
1103 	*tpfinished = 1;
1104 
1105 fixup:
1106 	/*
1107 	 * Adjust all mblk's except the lead so their rptr's point to the
1108 	 * payload. sctp_data_chunk() will need to process the lead's
1109 	 * data chunk section, so leave it's rptr pointing at the data chunk.
1110 	 */
1111 	*dc = (sctp_data_hdr_t *)dmp->b_rptr;
1112 	if (trypartial && !(*tpfinished)) {
1113 		(srp->got)--;
1114 		ASSERT(srp->got != 0);
1115 		if (srp->needed != 0) {
1116 			(srp->needed)--;
1117 			ASSERT(srp->needed != 0);
1118 		}
1119 	}
1120 	for (qmp = dmp->b_cont; qmp; qmp = qmp->b_cont) {
1121 		qdc = (sctp_data_hdr_t *)qmp->b_rptr;
1122 		qmp->b_rptr = (uchar_t *)(qdc + 1);
1123 
1124 		/*
1125 		 * If in partial delivery, deduct the balance from got
1126 		 * and needed here, now that we know we are actually
1127 		 * delivering these data.
1128 		 */
1129 		if (trypartial && !(*tpfinished)) {
1130 			(srp->got)--;
1131 			ASSERT(srp->got != 0);
1132 			if (srp->needed != 0) {
1133 				(srp->needed)--;
1134 				ASSERT(srp->needed != 0);
1135 			}
1136 		}
1137 	}
1138 	BUMP_LOCAL(sctp->sctp_reassmsgs);
1139 
1140 	return (dmp);
1141 }
1142 
1143 static void
1144 sctp_add_dup(uint32_t tsn, mblk_t **dups)
1145 {
1146 	mblk_t *mp;
1147 	size_t bsize = SCTP_DUP_MBLK_SZ * sizeof (tsn);
1148 
1149 	if (dups == NULL) {
1150 		return;
1151 	}
1152 
1153 	/* first time? */
1154 	if (*dups == NULL) {
1155 		*dups = allocb(bsize, BPRI_MED);
1156 		if (*dups == NULL) {
1157 			return;
1158 		}
1159 	}
1160 
1161 	mp = *dups;
1162 	if ((mp->b_wptr - mp->b_rptr) >= bsize) {
1163 		/* maximum reached */
1164 		return;
1165 	}
1166 
1167 	/* add the duplicate tsn */
1168 	bcopy(&tsn, mp->b_wptr, sizeof (tsn));
1169 	mp->b_wptr += sizeof (tsn);
1170 	ASSERT((mp->b_wptr - mp->b_rptr) <= bsize);
1171 }
1172 
1173 static void
1174 sctp_data_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, mblk_t *mp, mblk_t **dups,
1175     sctp_faddr_t *fp, ip6_pkt_t *ipp)
1176 {
1177 	sctp_data_hdr_t *dc;
1178 	mblk_t *dmp, *pmp;
1179 	mblk_t *errmp;
1180 	sctp_instr_t *instr;
1181 	int ubit;
1182 	int isfrag;
1183 	uint16_t ssn;
1184 	uint32_t oftsn;
1185 	boolean_t can_deliver = B_TRUE;
1186 	uint32_t tsn;
1187 	int dlen;
1188 	int trypartial = 0;
1189 	int tpfinished = 1;
1190 	int32_t new_rwnd;
1191 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1192 
1193 	/* The following are used multiple times, so we inline them */
1194 #define	SCTP_ACK_IT(sctp, tsn)						\
1195 	if (tsn == sctp->sctp_ftsn) {					\
1196 		dprint(2, ("data_chunk: acking next %x\n", tsn));	\
1197 		(sctp)->sctp_ftsn++;					\
1198 		if ((sctp)->sctp_sack_gaps > 0)				\
1199 			(sctp)->sctp_force_sack = 1;			\
1200 	} else if (SEQ_GT(tsn, sctp->sctp_ftsn)) {			\
1201 		/* Got a gap; record it */				\
1202 		dprint(2, ("data_chunk: acking gap %x\n", tsn));	\
1203 		sctp_ack_add(&sctp->sctp_sack_info, tsn,		\
1204 		    &sctp->sctp_sack_gaps);				\
1205 		sctp->sctp_force_sack = 1;				\
1206 	}
1207 
1208 	errmp = NULL;
1209 	dmp = NULL;
1210 
1211 	dc = (sctp_data_hdr_t *)ch;
1212 	tsn = ntohl(dc->sdh_tsn);
1213 
1214 	dprint(3, ("sctp_data_chunk: mp=%p tsn=%x\n", (void *)mp, tsn));
1215 
1216 	/* Check for duplicates */
1217 	if (SEQ_LT(tsn, sctp->sctp_ftsn)) {
1218 		dprint(4, ("sctp_data_chunk: dropping duplicate\n"));
1219 		sctp->sctp_force_sack = 1;
1220 		sctp_add_dup(dc->sdh_tsn, dups);
1221 		return;
1222 	}
1223 
1224 	if (sctp->sctp_sack_info != NULL) {
1225 		sctp_set_t *sp;
1226 
1227 		for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1228 			if (SEQ_GEQ(tsn, sp->begin) && SEQ_LEQ(tsn, sp->end)) {
1229 				dprint(4,
1230 				("sctp_data_chunk: dropping dup > cumtsn\n"));
1231 				sctp->sctp_force_sack = 1;
1232 				sctp_add_dup(dc->sdh_tsn, dups);
1233 				return;
1234 			}
1235 		}
1236 	}
1237 
1238 	/* We cannot deliver anything up now but we still need to handle it. */
1239 	if (SCTP_IS_DETACHED(sctp)) {
1240 		BUMP_MIB(&sctps->sctps_mib, sctpInClosed);
1241 		can_deliver = B_FALSE;
1242 	}
1243 
1244 	dlen = ntohs(dc->sdh_len) - sizeof (*dc);
1245 
1246 	/* Check for buffer space */
1247 	if (sctp->sctp_rwnd - sctp->sctp_rxqueued < dlen) {
1248 		/* Drop and SACK, but don't advance the cumulative TSN. */
1249 		sctp->sctp_force_sack = 1;
1250 		dprint(0, ("sctp_data_chunk: exceed rwnd %d rxqueued %d "
1251 		    "dlen %d ssn %d tsn %x\n", sctp->sctp_rwnd,
1252 		    sctp->sctp_rxqueued, dlen, ntohs(dc->sdh_ssn),
1253 		    ntohl(dc->sdh_tsn)));
1254 		return;
1255 	}
1256 
1257 	if (ntohs(dc->sdh_sid) >= sctp->sctp_num_istr) {
1258 		uint16_t	inval_parm[2];
1259 
1260 		inval_parm[0] = dc->sdh_sid;
1261 		/* RESERVED to be ignored at the receiving end */
1262 		inval_parm[1] = 0;
1263 		/* ack and drop it */
1264 		errmp = sctp_make_err(sctp, SCTP_ERR_BAD_SID,
1265 		    (char *)inval_parm, sizeof (inval_parm));
1266 		SCTP_ACK_IT(sctp, tsn);
1267 		if (errmp != NULL)
1268 			sctp_send_err(sctp, errmp, NULL);
1269 		return;
1270 	}
1271 
1272 	ubit = SCTP_DATA_GET_UBIT(dc);
1273 	ASSERT(sctp->sctp_instr != NULL);
1274 	instr = &sctp->sctp_instr[ntohs(dc->sdh_sid)];
1275 	/* Initialize the stream, if not yet used */
1276 	if (instr->sctp == NULL)
1277 		instr->sctp = sctp;
1278 	/*
1279 	 * If we are getting low on buffers set trypartial to try
1280 	 * a partial delivery if we are reassembling a fragmented
1281 	 * message. Only do this if we can immediately deliver the
1282 	 * partially assembled message, and only partially deliver
1283 	 * one message at a time (i.e. messages cannot be intermixed
1284 	 * arriving at the upper layer). A simple way to enforce
1285 	 * this is to only try partial delivery if this TSN is
1286 	 * the next expected TSN. Partial Delivery not supported
1287 	 * for un-ordered message.
1288 	 */
1289 	isfrag = !(SCTP_DATA_GET_BBIT(dc) && SCTP_DATA_GET_EBIT(dc));
1290 	ssn = ntohs(dc->sdh_ssn);
1291 	if ((sctp->sctp_rwnd - sctp->sctp_rxqueued < SCTP_RECV_LOWATER) &&
1292 	    !ubit && isfrag && (tsn == sctp->sctp_ftsn)) {
1293 		trypartial = 1;
1294 	}
1295 
1296 	dmp = dupb(mp);
1297 	if (dmp == NULL) {
1298 		/* drop it and don't ack it, causing the peer to retransmit */
1299 		return;
1300 	}
1301 	dmp->b_wptr = (uchar_t *)ch + ntohs(ch->sch_len);
1302 
1303 	sctp->sctp_rxqueued += dlen;
1304 
1305 	oftsn = sctp->sctp_ftsn;
1306 
1307 	if (isfrag) {
1308 		int error = 0;
1309 
1310 		/* fragmented data chunk */
1311 		dmp->b_rptr = (uchar_t *)dc;
1312 		if (ubit) {
1313 			dmp = sctp_uodata_frag(sctp, dmp, &dc);
1314 #if	DEBUG
1315 			if (dmp != NULL) {
1316 				ASSERT(instr ==
1317 				    &sctp->sctp_instr[ntohs(dc->sdh_sid)]);
1318 			}
1319 #endif
1320 		} else {
1321 			dmp = sctp_data_frag(sctp, dmp, &dc, &error, instr,
1322 			    trypartial, &tpfinished);
1323 		}
1324 		if (error != 0) {
1325 			sctp->sctp_rxqueued -= dlen;
1326 			if (error == 1) {
1327 				/*
1328 				 * out of memory; don't ack it so
1329 				 * the peer retransmits
1330 				 */
1331 				return;
1332 			} else if (error == 2) {
1333 				/*
1334 				 * fatal error (i.e. peer used different
1335 				 * ssn's for same fragmented data) --
1336 				 * the association has been aborted.
1337 				 * XXX need to return errval so state
1338 				 * machine can also abort processing.
1339 				 */
1340 				dprint(0, ("error 2: must not happen!\n"));
1341 				return;
1342 			}
1343 		}
1344 
1345 		if (dmp == NULL) {
1346 			/*
1347 			 * Can't process this data now, but the cumulative
1348 			 * TSN may be advanced, so do the checks at done.
1349 			 */
1350 			SCTP_ACK_IT(sctp, tsn);
1351 			goto done;
1352 		}
1353 	}
1354 
1355 	if (!ubit && !trypartial && ssn != instr->nextseq) {
1356 		/* Adjust rptr to point at the data chunk for compares */
1357 		dmp->b_rptr = (uchar_t *)dc;
1358 
1359 		dprint(2,
1360 		    ("data_chunk: inserted %x in pq (ssn %d expected %d)\n",
1361 		    ntohl(dc->sdh_tsn), (int)(ssn), (int)(instr->nextseq)));
1362 
1363 		if (instr->istr_msgs == NULL) {
1364 			instr->istr_msgs = dmp;
1365 			ASSERT(dmp->b_prev == NULL && dmp->b_next == NULL);
1366 		} else {
1367 			mblk_t			*imblk = instr->istr_msgs;
1368 			sctp_data_hdr_t		*idc;
1369 
1370 			/*
1371 			 * XXXNeed to take sequence wraps into account,
1372 			 * ... and a more efficient insertion algo.
1373 			 */
1374 			for (;;) {
1375 				idc = (sctp_data_hdr_t *)imblk->b_rptr;
1376 				if (SSN_GT(ntohs(idc->sdh_ssn),
1377 					ntohs(dc->sdh_ssn))) {
1378 					if (instr->istr_msgs == imblk) {
1379 						instr->istr_msgs = dmp;
1380 						dmp->b_next = imblk;
1381 						imblk->b_prev = dmp;
1382 					} else {
1383 						ASSERT(imblk->b_prev != NULL);
1384 						imblk->b_prev->b_next = dmp;
1385 						dmp->b_prev = imblk->b_prev;
1386 						imblk->b_prev = dmp;
1387 						dmp->b_next = imblk;
1388 					}
1389 					break;
1390 				}
1391 				if (imblk->b_next == NULL) {
1392 					imblk->b_next = dmp;
1393 					dmp->b_prev = imblk;
1394 					break;
1395 				}
1396 				imblk = imblk->b_next;
1397 			}
1398 		}
1399 		(instr->istr_nmsgs)++;
1400 		(sctp->sctp_istr_nmsgs)++;
1401 		SCTP_ACK_IT(sctp, tsn);
1402 		return;
1403 	}
1404 
1405 	/*
1406 	 * Else we can deliver the data directly. Recalculate
1407 	 * dlen now since we may have reassembled data.
1408 	 */
1409 	dlen = dmp->b_wptr - (uchar_t *)dc - sizeof (*dc);
1410 	for (pmp = dmp->b_cont; pmp != NULL; pmp = pmp->b_cont)
1411 		dlen += pmp->b_wptr - pmp->b_rptr;
1412 	ASSERT(sctp->sctp_rxqueued >= dlen);
1413 	ASSERT(sctp->sctp_rwnd >= dlen);
1414 
1415 	/* Deliver the message. */
1416 	sctp->sctp_rxqueued -= dlen;
1417 
1418 	if (can_deliver) {
1419 		dmp->b_rptr = (uchar_t *)(dc + 1);
1420 		if (sctp_input_add_ancillary(sctp, &dmp, dc, fp, ipp) == 0) {
1421 			dprint(1, ("sctp_data_chunk: delivering %lu bytes\n",
1422 			    msgdsize(dmp)));
1423 			sctp->sctp_rwnd -= dlen;
1424 			new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd, dmp,
1425 			    tpfinished ? 0 : SCTP_PARTIAL_DATA);
1426 			if (new_rwnd > sctp->sctp_rwnd) {
1427 				sctp->sctp_rwnd = new_rwnd;
1428 			}
1429 			SCTP_ACK_IT(sctp, tsn);
1430 		} else {
1431 			/* Just free the message if we don't have memory. */
1432 			freemsg(dmp);
1433 			return;
1434 		}
1435 	} else {
1436 		/* About to free the data */
1437 		freemsg(dmp);
1438 		SCTP_ACK_IT(sctp, tsn);
1439 	}
1440 
1441 	/*
1442 	 * data, now enqueued, may already have been processed and free'd
1443 	 * by the ULP (or we may have just freed it above, if we could not
1444 	 * deliver it), so we must not reference it (this is why we kept
1445 	 * the ssn and ubit above).
1446 	 */
1447 	if (ubit != 0) {
1448 		BUMP_LOCAL(sctp->sctp_iudchunks);
1449 		goto done;
1450 	}
1451 	BUMP_LOCAL(sctp->sctp_idchunks);
1452 
1453 	/*
1454 	 * If there was a partial delivery and it has not finished,
1455 	 * don't pull anything from the pqueues.
1456 	 */
1457 	if (!tpfinished) {
1458 		goto done;
1459 	}
1460 
1461 	instr->nextseq = ssn + 1;
1462 	/* Deliver any successive data chunks in the instr queue */
1463 	while (instr->istr_nmsgs > 0) {
1464 		dmp = (mblk_t *)instr->istr_msgs;
1465 		dc = (sctp_data_hdr_t *)dmp->b_rptr;
1466 		ssn = ntohs(dc->sdh_ssn);
1467 		/* Gap in the sequence */
1468 		if (ssn != instr->nextseq)
1469 			break;
1470 
1471 		/* Else deliver the data */
1472 		(instr->istr_nmsgs)--;
1473 		(instr->nextseq)++;
1474 		(sctp->sctp_istr_nmsgs)--;
1475 
1476 		instr->istr_msgs = instr->istr_msgs->b_next;
1477 		if (instr->istr_msgs != NULL)
1478 			instr->istr_msgs->b_prev = NULL;
1479 		dmp->b_next = dmp->b_prev = NULL;
1480 
1481 		dprint(2, ("data_chunk: pulling %x from pq (ssn %d)\n",
1482 		    ntohl(dc->sdh_tsn), (int)ssn));
1483 
1484 		/*
1485 		 * If this chunk was reassembled, each b_cont represents
1486 		 * another TSN; advance ftsn now.
1487 		 */
1488 		dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
1489 		for (pmp = dmp->b_cont; pmp; pmp = pmp->b_cont)
1490 			dlen += pmp->b_wptr - pmp->b_rptr;
1491 
1492 		ASSERT(sctp->sctp_rxqueued >= dlen);
1493 		ASSERT(sctp->sctp_rwnd >= dlen);
1494 
1495 		sctp->sctp_rxqueued -= dlen;
1496 		if (can_deliver) {
1497 			dmp->b_rptr = (uchar_t *)(dc + 1);
1498 			if (sctp_input_add_ancillary(sctp, &dmp, dc, fp,
1499 			    ipp) == 0) {
1500 				dprint(1, ("sctp_data_chunk: delivering %lu "
1501 				    "bytes\n", msgdsize(dmp)));
1502 				sctp->sctp_rwnd -= dlen;
1503 				new_rwnd = sctp->sctp_ulp_recv(sctp->sctp_ulpd,
1504 				    dmp, tpfinished ? 0 : SCTP_PARTIAL_DATA);
1505 				if (new_rwnd > sctp->sctp_rwnd) {
1506 					sctp->sctp_rwnd = new_rwnd;
1507 				}
1508 				SCTP_ACK_IT(sctp, tsn);
1509 			} else {
1510 				freemsg(dmp);
1511 				return;
1512 			}
1513 		} else {
1514 			/* About to free the data */
1515 			freemsg(dmp);
1516 			SCTP_ACK_IT(sctp, tsn);
1517 		}
1518 	}
1519 
1520 done:
1521 
1522 	/*
1523 	 * If there are gap reports pending, check if advancing
1524 	 * the ftsn here closes a gap. If so, we can advance
1525 	 * ftsn to the end of the set.
1526 	 */
1527 	if (sctp->sctp_sack_info != NULL &&
1528 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
1529 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
1530 	}
1531 	/*
1532 	 * If ftsn has moved forward, maybe we can remove gap reports.
1533 	 * NB: dmp may now be NULL, so don't dereference it here.
1534 	 */
1535 	if (oftsn != sctp->sctp_ftsn && sctp->sctp_sack_info != NULL) {
1536 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
1537 		    &sctp->sctp_sack_gaps);
1538 		dprint(2, ("data_chunk: removed acks before %x (num=%d)\n",
1539 		    sctp->sctp_ftsn - 1, sctp->sctp_sack_gaps));
1540 	}
1541 
1542 #ifdef	DEBUG
1543 	if (sctp->sctp_sack_info != NULL) {
1544 		ASSERT(sctp->sctp_ftsn != sctp->sctp_sack_info->begin);
1545 	}
1546 #endif
1547 
1548 #undef	SCTP_ACK_IT
1549 }
1550 
1551 void
1552 sctp_fill_sack(sctp_t *sctp, unsigned char *dst, int sacklen)
1553 {
1554 	sctp_chunk_hdr_t *sch;
1555 	sctp_sack_chunk_t *sc;
1556 	sctp_sack_frag_t *sf;
1557 	uint16_t num_gaps = sctp->sctp_sack_gaps;
1558 	sctp_set_t *sp;
1559 
1560 	/* Chunk hdr */
1561 	sch = (sctp_chunk_hdr_t *)dst;
1562 	sch->sch_id = CHUNK_SACK;
1563 	sch->sch_flags = 0;
1564 	sch->sch_len = htons(sacklen);
1565 
1566 	/* SACK chunk */
1567 	sctp->sctp_lastacked = sctp->sctp_ftsn - 1;
1568 
1569 	sc = (sctp_sack_chunk_t *)(sch + 1);
1570 	sc->ssc_cumtsn = htonl(sctp->sctp_lastacked);
1571 	if (sctp->sctp_rxqueued < sctp->sctp_rwnd) {
1572 		sc->ssc_a_rwnd = htonl(sctp->sctp_rwnd - sctp->sctp_rxqueued);
1573 	} else {
1574 		sc->ssc_a_rwnd = 0;
1575 	}
1576 	sc->ssc_numfrags = htons(num_gaps);
1577 	sc->ssc_numdups = 0;
1578 
1579 	/* lay in gap reports */
1580 	sf = (sctp_sack_frag_t *)(sc + 1);
1581 	for (sp = sctp->sctp_sack_info; sp; sp = sp->next) {
1582 		uint16_t offset;
1583 
1584 		/* start */
1585 		if (sp->begin > sctp->sctp_lastacked) {
1586 			offset = (uint16_t)(sp->begin - sctp->sctp_lastacked);
1587 		} else {
1588 			/* sequence number wrap */
1589 			offset = (uint16_t)(UINT32_MAX - sctp->sctp_lastacked +
1590 			    sp->begin);
1591 		}
1592 		sf->ssf_start = htons(offset);
1593 
1594 		/* end */
1595 		if (sp->end >= sp->begin) {
1596 			offset += (uint16_t)(sp->end - sp->begin);
1597 		} else {
1598 			/* sequence number wrap */
1599 			offset += (uint16_t)(UINT32_MAX - sp->begin + sp->end);
1600 		}
1601 		sf->ssf_end = htons(offset);
1602 
1603 		sf++;
1604 		/* This is just for debugging (a la the following assertion) */
1605 		num_gaps--;
1606 	}
1607 
1608 	ASSERT(num_gaps == 0);
1609 
1610 	/* If the SACK timer is running, stop it */
1611 	if (sctp->sctp_ack_timer_running) {
1612 		sctp_timer_stop(sctp->sctp_ack_mp);
1613 		sctp->sctp_ack_timer_running = B_FALSE;
1614 	}
1615 
1616 	BUMP_LOCAL(sctp->sctp_obchunks);
1617 }
1618 
1619 mblk_t *
1620 sctp_make_sack(sctp_t *sctp, sctp_faddr_t *sendto, mblk_t *dups)
1621 {
1622 	mblk_t *smp;
1623 	size_t slen;
1624 	sctp_chunk_hdr_t *sch;
1625 	sctp_sack_chunk_t *sc;
1626 	int32_t acks_max;
1627 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1628 
1629 	if (sctp->sctp_force_sack) {
1630 		sctp->sctp_force_sack = 0;
1631 		goto checks_done;
1632 	}
1633 
1634 	acks_max = sctps->sctps_deferred_acks_max;
1635 	if (sctp->sctp_state == SCTPS_ESTABLISHED) {
1636 		if (sctp->sctp_sack_toggle < acks_max) {
1637 			/* no need to SACK right now */
1638 			dprint(2, ("sctp_make_sack: %p no sack (toggle)\n",
1639 			    (void *)sctp));
1640 			return (NULL);
1641 		} else if (sctp->sctp_sack_toggle >= acks_max) {
1642 			sctp->sctp_sack_toggle = 0;
1643 		}
1644 	}
1645 
1646 	if (sctp->sctp_ftsn == sctp->sctp_lastacked + 1) {
1647 		dprint(2, ("sctp_make_sack: %p no sack (already)\n",
1648 		    (void *)sctp));
1649 		return (NULL);
1650 	}
1651 
1652 checks_done:
1653 	dprint(2, ("sctp_make_sack: acking %x\n", sctp->sctp_ftsn - 1));
1654 
1655 	slen = sizeof (*sch) + sizeof (*sc) +
1656 	    (sizeof (sctp_sack_frag_t) * sctp->sctp_sack_gaps);
1657 	smp = sctp_make_mp(sctp, sendto, slen);
1658 	if (smp == NULL) {
1659 		SCTP_KSTAT(sctps, sctp_send_sack_failed);
1660 		return (NULL);
1661 	}
1662 	sch = (sctp_chunk_hdr_t *)smp->b_wptr;
1663 
1664 	sctp_fill_sack(sctp, smp->b_wptr, slen);
1665 	smp->b_wptr += slen;
1666 	if (dups) {
1667 		sc = (sctp_sack_chunk_t *)(sch + 1);
1668 		sc->ssc_numdups = htons((dups->b_wptr - dups->b_rptr)
1669 		    / sizeof (uint32_t));
1670 		sch->sch_len = htons(slen + (dups->b_wptr - dups->b_rptr));
1671 		smp->b_cont = dups;
1672 	}
1673 
1674 	return (smp);
1675 }
1676 
1677 void
1678 sctp_sack(sctp_t *sctp, mblk_t *dups)
1679 {
1680 	mblk_t *smp;
1681 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1682 
1683 	/* If we are shutting down, let send_shutdown() bundle the SACK */
1684 	if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
1685 		sctp_send_shutdown(sctp, 0);
1686 	}
1687 
1688 	ASSERT(sctp->sctp_lastdata != NULL);
1689 
1690 	if ((smp = sctp_make_sack(sctp, sctp->sctp_lastdata, dups)) == NULL) {
1691 		/* The caller of sctp_sack() will not free the dups mblk. */
1692 		if (dups != NULL)
1693 			freeb(dups);
1694 		return;
1695 	}
1696 
1697 	sctp_set_iplen(sctp, smp);
1698 
1699 	dprint(2, ("sctp_sack: sending to %p %x:%x:%x:%x\n",
1700 	    (void *)sctp->sctp_lastdata,
1701 	    SCTP_PRINTADDR(sctp->sctp_lastdata->faddr)));
1702 
1703 	sctp->sctp_active = lbolt64;
1704 
1705 	BUMP_MIB(&sctps->sctps_mib, sctpOutAck);
1706 	sctp_add_sendq(sctp, smp);
1707 }
1708 
1709 /*
1710  * This is called if we have a message that was partially sent and is
1711  * abandoned. The cum TSN will be the last chunk sent for this message,
1712  * subsequent chunks will be marked ABANDONED. We send a Forward TSN
1713  * chunk in this case with the TSN of the last sent chunk so that the
1714  * peer can clean up its fragment list for this message. This message
1715  * will be removed from the transmit list when the peer sends a SACK
1716  * back.
1717  */
1718 int
1719 sctp_check_abandoned_msg(sctp_t *sctp, mblk_t *meta)
1720 {
1721 	sctp_data_hdr_t	*dh;
1722 	mblk_t		*nmp;
1723 	mblk_t		*head;
1724 	int32_t		unsent = 0;
1725 	mblk_t		*mp1 = meta->b_cont;
1726 	uint32_t	adv_pap = sctp->sctp_adv_pap;
1727 	sctp_faddr_t	*fp = sctp->sctp_current;
1728 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1729 
1730 	dh = (sctp_data_hdr_t *)mp1->b_rptr;
1731 	if (SEQ_GEQ(sctp->sctp_lastack_rxd, ntohl(dh->sdh_tsn))) {
1732 		sctp_ftsn_set_t	*sets = NULL;
1733 		uint_t		nsets = 0;
1734 		uint32_t	seglen = sizeof (uint32_t);
1735 		boolean_t	ubit = SCTP_DATA_GET_UBIT(dh);
1736 
1737 		while (mp1->b_next != NULL && SCTP_CHUNK_ISSENT(mp1->b_next))
1738 			mp1 = mp1->b_next;
1739 		dh = (sctp_data_hdr_t *)mp1->b_rptr;
1740 		sctp->sctp_adv_pap = ntohl(dh->sdh_tsn);
1741 		if (!ubit &&
1742 		    !sctp_add_ftsn_set(&sets, fp, meta, &nsets, &seglen)) {
1743 			sctp->sctp_adv_pap = adv_pap;
1744 			return (ENOMEM);
1745 		}
1746 		nmp = sctp_make_ftsn_chunk(sctp, fp, sets, nsets, seglen);
1747 		sctp_free_ftsn_set(sets);
1748 		if (nmp == NULL) {
1749 			sctp->sctp_adv_pap = adv_pap;
1750 			return (ENOMEM);
1751 		}
1752 		head = sctp_add_proto_hdr(sctp, fp, nmp, 0, NULL);
1753 		if (head == NULL) {
1754 			sctp->sctp_adv_pap = adv_pap;
1755 			freemsg(nmp);
1756 			SCTP_KSTAT(sctps, sctp_send_ftsn_failed);
1757 			return (ENOMEM);
1758 		}
1759 		SCTP_MSG_SET_ABANDONED(meta);
1760 		sctp_set_iplen(sctp, head);
1761 		sctp_add_sendq(sctp, head);
1762 		if (!fp->timer_running)
1763 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
1764 		mp1 = mp1->b_next;
1765 		while (mp1 != NULL) {
1766 			ASSERT(!SCTP_CHUNK_ISSENT(mp1));
1767 			ASSERT(!SCTP_CHUNK_ABANDONED(mp1));
1768 			SCTP_ABANDON_CHUNK(mp1);
1769 			dh = (sctp_data_hdr_t *)mp1->b_rptr;
1770 			unsent += ntohs(dh->sdh_len) - sizeof (*dh);
1771 			mp1 = mp1->b_next;
1772 		}
1773 		ASSERT(sctp->sctp_unsent >= unsent);
1774 		sctp->sctp_unsent -= unsent;
1775 		/*
1776 		 * Update ULP the amount of queued data, which is
1777 		 * sent-unack'ed + unsent.
1778 		 */
1779 		if (!SCTP_IS_DETACHED(sctp)) {
1780 			sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
1781 			    sctp->sctp_unacked + sctp->sctp_unsent);
1782 		}
1783 		return (0);
1784 	}
1785 	return (-1);
1786 }
1787 
1788 uint32_t
1789 sctp_cumack(sctp_t *sctp, uint32_t tsn, mblk_t **first_unacked)
1790 {
1791 	mblk_t *ump, *nump, *mp = NULL;
1792 	uint16_t chunklen;
1793 	uint32_t xtsn;
1794 	sctp_faddr_t *fp;
1795 	sctp_data_hdr_t *sdc;
1796 	uint32_t cumack_forward = 0;
1797 	sctp_msg_hdr_t	*mhdr;
1798 	sctp_stack_t	*sctps = sctp->sctp_sctps;
1799 
1800 	ump = sctp->sctp_xmit_head;
1801 
1802 	/*
1803 	 * Free messages only when they're completely acked.
1804 	 */
1805 	while (ump != NULL) {
1806 		mhdr = (sctp_msg_hdr_t *)ump->b_rptr;
1807 		for (mp = ump->b_cont; mp != NULL; mp = mp->b_next) {
1808 			if (SCTP_CHUNK_ABANDONED(mp)) {
1809 				ASSERT(SCTP_IS_MSG_ABANDONED(ump));
1810 				mp = NULL;
1811 				break;
1812 			}
1813 			/*
1814 			 * We check for abandoned message if we are PR-SCTP
1815 			 * aware, if this is not the first chunk in the
1816 			 * message (b_cont) and if the message is marked
1817 			 * abandoned.
1818 			 */
1819 			if (!SCTP_CHUNK_ISSENT(mp)) {
1820 				if (sctp->sctp_prsctp_aware &&
1821 				    mp != ump->b_cont &&
1822 				    (SCTP_IS_MSG_ABANDONED(ump) ||
1823 				    SCTP_MSG_TO_BE_ABANDONED(ump, mhdr,
1824 				    sctp))) {
1825 					(void) sctp_check_abandoned_msg(sctp,
1826 					    ump);
1827 				}
1828 				goto cum_ack_done;
1829 			}
1830 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
1831 			xtsn = ntohl(sdc->sdh_tsn);
1832 			if (SEQ_GEQ(sctp->sctp_lastack_rxd, xtsn))
1833 				continue;
1834 			if (SEQ_GEQ(tsn, xtsn)) {
1835 				fp = SCTP_CHUNK_DEST(mp);
1836 				chunklen = ntohs(sdc->sdh_len);
1837 
1838 				if (sctp->sctp_out_time != 0 &&
1839 				    xtsn == sctp->sctp_rtt_tsn) {
1840 					/* Got a new RTT measurement */
1841 					sctp_update_rtt(sctp, fp,
1842 					    lbolt64 - sctp->sctp_out_time);
1843 					sctp->sctp_out_time = 0;
1844 				}
1845 				if (SCTP_CHUNK_ISACKED(mp))
1846 					continue;
1847 				SCTP_CHUNK_SET_SACKCNT(mp, 0);
1848 				SCTP_CHUNK_ACKED(mp);
1849 				ASSERT(fp->suna >= chunklen);
1850 				fp->suna -= chunklen;
1851 				fp->acked += chunklen;
1852 				cumack_forward += chunklen;
1853 				ASSERT(sctp->sctp_unacked >=
1854 				    (chunklen - sizeof (*sdc)));
1855 				sctp->sctp_unacked -=
1856 				    (chunklen - sizeof (*sdc));
1857 				if (fp->suna == 0) {
1858 					/* all outstanding data acked */
1859 					fp->pba = 0;
1860 					SCTP_FADDR_TIMER_STOP(fp);
1861 				} else {
1862 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
1863 					    fp->rto);
1864 				}
1865 			} else {
1866 				goto cum_ack_done;
1867 			}
1868 		}
1869 		nump = ump->b_next;
1870 		if (nump != NULL)
1871 			nump->b_prev = NULL;
1872 		if (ump == sctp->sctp_xmit_tail)
1873 			sctp->sctp_xmit_tail = nump;
1874 		if (SCTP_IS_MSG_ABANDONED(ump)) {
1875 			BUMP_LOCAL(sctp->sctp_prsctpdrop);
1876 			ump->b_next = NULL;
1877 			sctp_sendfail_event(sctp, ump, 0, B_TRUE);
1878 		} else {
1879 			sctp_free_msg(ump);
1880 		}
1881 		sctp->sctp_xmit_head = ump = nump;
1882 	}
1883 cum_ack_done:
1884 	*first_unacked = mp;
1885 	if (cumack_forward > 0) {
1886 		BUMP_MIB(&sctps->sctps_mib, sctpInAck);
1887 		if (SEQ_GT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn)) {
1888 			sctp->sctp_recovery_tsn = sctp->sctp_lastack_rxd;
1889 		}
1890 
1891 		/*
1892 		 * Update ULP the amount of queued data, which is
1893 		 * sent-unack'ed + unsent.
1894 		 */
1895 		if (!SCTP_IS_DETACHED(sctp)) {
1896 			sctp->sctp_ulp_xmitted(sctp->sctp_ulpd,
1897 			    sctp->sctp_unacked + sctp->sctp_unsent);
1898 		}
1899 
1900 		/* Time to send a shutdown? */
1901 		if (sctp->sctp_state == SCTPS_SHUTDOWN_PENDING) {
1902 			sctp_send_shutdown(sctp, 0);
1903 		}
1904 		sctp->sctp_xmit_unacked = mp;
1905 	} else {
1906 		/* dup ack */
1907 		BUMP_MIB(&sctps->sctps_mib, sctpInDupAck);
1908 	}
1909 	sctp->sctp_lastack_rxd = tsn;
1910 	if (SEQ_LT(sctp->sctp_adv_pap, sctp->sctp_lastack_rxd))
1911 		sctp->sctp_adv_pap = sctp->sctp_lastack_rxd;
1912 	ASSERT(sctp->sctp_xmit_head || sctp->sctp_unacked == 0);
1913 
1914 	return (cumack_forward);
1915 }
1916 
1917 static int
1918 sctp_set_frwnd(sctp_t *sctp, uint32_t frwnd)
1919 {
1920 	uint32_t orwnd;
1921 
1922 	if (sctp->sctp_unacked > frwnd) {
1923 		sctp->sctp_frwnd = 0;
1924 		return (0);
1925 	}
1926 	orwnd = sctp->sctp_frwnd;
1927 	sctp->sctp_frwnd = frwnd - sctp->sctp_unacked;
1928 	if (orwnd < sctp->sctp_frwnd) {
1929 		return (1);
1930 	} else {
1931 		return (0);
1932 	}
1933 }
1934 
1935 /*
1936  * For un-ordered messages.
1937  * Walk the sctp->sctp_uo_frag list and remove any fragments with TSN
1938  * less than/equal to ftsn. Fragments for un-ordered messages are
1939  * strictly in sequence (w.r.t TSN).
1940  */
1941 static int
1942 sctp_ftsn_check_uo_frag(sctp_t *sctp, uint32_t ftsn)
1943 {
1944 	mblk_t		*hmp;
1945 	mblk_t		*hmp_next;
1946 	sctp_data_hdr_t	*dc;
1947 	int		dlen = 0;
1948 
1949 	hmp = sctp->sctp_uo_frags;
1950 	while (hmp != NULL) {
1951 		hmp_next = hmp->b_next;
1952 		dc = (sctp_data_hdr_t *)hmp->b_rptr;
1953 		if (SEQ_GT(ntohl(dc->sdh_tsn), ftsn))
1954 			return (dlen);
1955 		sctp->sctp_uo_frags = hmp_next;
1956 		if (hmp_next != NULL)
1957 			hmp_next->b_prev = NULL;
1958 		hmp->b_next = NULL;
1959 		dlen += ntohs(dc->sdh_len) - sizeof (*dc);
1960 		freeb(hmp);
1961 		hmp = hmp_next;
1962 	}
1963 	return (dlen);
1964 }
1965 
1966 /*
1967  * For ordered messages.
1968  * Check for existing fragments for an sid-ssn pair reported as abandoned,
1969  * hence will not receive, in the Forward TSN. If there are fragments, then
1970  * we just nuke them. If and when Partial Delivery API is supported, we
1971  * would need to send a notification to the upper layer about this.
1972  */
1973 static int
1974 sctp_ftsn_check_frag(sctp_t *sctp, uint16_t ssn, sctp_instr_t *sip)
1975 {
1976 	sctp_reass_t	*srp;
1977 	mblk_t		*hmp;
1978 	mblk_t		*dmp;
1979 	mblk_t		*hmp_next;
1980 	sctp_data_hdr_t	*dc;
1981 	int		dlen = 0;
1982 
1983 	hmp = sip->istr_reass;
1984 	while (hmp != NULL) {
1985 		hmp_next = hmp->b_next;
1986 		srp = (sctp_reass_t *)DB_BASE(hmp);
1987 		if (SSN_GT(srp->ssn, ssn))
1988 			return (dlen);
1989 		/*
1990 		 * If we had sent part of this message up, send a partial
1991 		 * delivery event. Since this is ordered delivery, we should
1992 		 * have sent partial message only for the next in sequence,
1993 		 * hence the ASSERT. See comments in sctp_data_chunk() for
1994 		 * trypartial.
1995 		 */
1996 		if (srp->partial_delivered) {
1997 			ASSERT(sip->nextseq == srp->ssn);
1998 			sctp_partial_delivery_event(sctp);
1999 		}
2000 		/* Take it out of the reass queue */
2001 		sip->istr_reass = hmp_next;
2002 		if (hmp_next != NULL)
2003 			hmp_next->b_prev = NULL;
2004 		hmp->b_next = NULL;
2005 		ASSERT(hmp->b_prev == NULL);
2006 		dmp = hmp;
2007 		if (DB_TYPE(hmp) == M_CTL) {
2008 			dmp = hmp->b_cont;
2009 			hmp->b_cont = NULL;
2010 			freeb(hmp);
2011 			hmp = dmp;
2012 		}
2013 		while (dmp != NULL) {
2014 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2015 			dlen += ntohs(dc->sdh_len) - sizeof (*dc);
2016 			dmp = dmp->b_cont;
2017 		}
2018 		freemsg(hmp);
2019 		hmp = hmp_next;
2020 	}
2021 	return (dlen);
2022 }
2023 
2024 /*
2025  * Update sctp_ftsn to the cumulative TSN from the Forward TSN chunk. Remove
2026  * any SACK gaps less than the newly updated sctp_ftsn. Walk through the
2027  * sid-ssn pair in the Forward TSN and for each, clean the fragment list
2028  * for this pair, if needed, and check if we can deliver subsequent
2029  * messages, if any, from the instream queue (that were waiting for this
2030  * sid-ssn message to show up). Once we are done try to update the SACK
2031  * info. We could get a duplicate Forward TSN, in which case just send
2032  * a SACK. If any of the sid values in the the Forward TSN is invalid,
2033  * send back an "Invalid Stream Identifier" error and continue processing
2034  * the rest.
2035  */
2036 static void
2037 sctp_process_forward_tsn(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp,
2038     ip6_pkt_t *ipp)
2039 {
2040 	uint32_t	*ftsn = (uint32_t *)(ch + 1);
2041 	ftsn_entry_t	*ftsn_entry;
2042 	sctp_instr_t	*instr;
2043 	boolean_t	can_deliver = B_TRUE;
2044 	size_t		dlen;
2045 	int		flen;
2046 	mblk_t		*dmp;
2047 	mblk_t		*pmp;
2048 	sctp_data_hdr_t	*dc;
2049 	ssize_t		remaining;
2050 	sctp_stack_t	*sctps = sctp->sctp_sctps;
2051 
2052 	*ftsn = ntohl(*ftsn);
2053 	remaining =  ntohs(ch->sch_len) - sizeof (*ch) - sizeof (*ftsn);
2054 
2055 	if (SCTP_IS_DETACHED(sctp)) {
2056 		BUMP_MIB(&sctps->sctps_mib, sctpInClosed);
2057 		can_deliver = B_FALSE;
2058 	}
2059 	/*
2060 	 * un-ordered messages don't have SID-SSN pair entries, we check
2061 	 * for any fragments (for un-ordered message) to be discarded using
2062 	 * the cumulative FTSN.
2063 	 */
2064 	flen = sctp_ftsn_check_uo_frag(sctp, *ftsn);
2065 	if (flen > 0) {
2066 		ASSERT(sctp->sctp_rxqueued >= flen);
2067 		sctp->sctp_rxqueued -= flen;
2068 	}
2069 	ftsn_entry = (ftsn_entry_t *)(ftsn + 1);
2070 	while (remaining >= sizeof (*ftsn_entry)) {
2071 		ftsn_entry->ftsn_sid = ntohs(ftsn_entry->ftsn_sid);
2072 		ftsn_entry->ftsn_ssn = ntohs(ftsn_entry->ftsn_ssn);
2073 		if (ftsn_entry->ftsn_sid >= sctp->sctp_num_istr) {
2074 			uint16_t	inval_parm[2];
2075 			mblk_t		*errmp;
2076 
2077 			inval_parm[0] = htons(ftsn_entry->ftsn_sid);
2078 			/* RESERVED to be ignored at the receiving end */
2079 			inval_parm[1] = 0;
2080 			errmp = sctp_make_err(sctp, SCTP_ERR_BAD_SID,
2081 			    (char *)inval_parm, sizeof (inval_parm));
2082 			if (errmp != NULL)
2083 				sctp_send_err(sctp, errmp, NULL);
2084 			ftsn_entry++;
2085 			remaining -= sizeof (*ftsn_entry);
2086 			continue;
2087 		}
2088 		instr = &sctp->sctp_instr[ftsn_entry->ftsn_sid];
2089 		flen = sctp_ftsn_check_frag(sctp, ftsn_entry->ftsn_ssn, instr);
2090 		/* Indicates frags were nuked, update rxqueued */
2091 		if (flen > 0) {
2092 			ASSERT(sctp->sctp_rxqueued >= flen);
2093 			sctp->sctp_rxqueued -= flen;
2094 		}
2095 		/*
2096 		 * It is possible to receive an FTSN chunk with SSN smaller
2097 		 * than then nextseq if this chunk is a retransmission because
2098 		 * of incomplete processing when it was first processed.
2099 		 */
2100 		if (SSN_GE(ftsn_entry->ftsn_ssn, instr->nextseq))
2101 			instr->nextseq = ftsn_entry->ftsn_ssn + 1;
2102 		while (instr->istr_nmsgs > 0) {
2103 			mblk_t	*next;
2104 
2105 			dmp = (mblk_t *)instr->istr_msgs;
2106 			dc = (sctp_data_hdr_t *)dmp->b_rptr;
2107 			if (ntohs(dc->sdh_ssn) != instr->nextseq)
2108 				break;
2109 
2110 			next = dmp->b_next;
2111 			dlen = dmp->b_wptr - dmp->b_rptr - sizeof (*dc);
2112 			for (pmp = dmp->b_cont; pmp != NULL;
2113 			    pmp = pmp->b_cont) {
2114 				dlen += pmp->b_wptr - pmp->b_rptr;
2115 			}
2116 			if (can_deliver) {
2117 				int32_t	nrwnd;
2118 
2119 				dmp->b_rptr = (uchar_t *)(dc + 1);
2120 				dmp->b_next = NULL;
2121 				ASSERT(dmp->b_prev == NULL);
2122 				if (sctp_input_add_ancillary(sctp,
2123 				    &dmp, dc, fp, ipp) == 0) {
2124 					sctp->sctp_rxqueued -= dlen;
2125 					sctp->sctp_rwnd -= dlen;
2126 					nrwnd = sctp->sctp_ulp_recv(
2127 					    sctp->sctp_ulpd, dmp, 0);
2128 					if (nrwnd > sctp->sctp_rwnd)
2129 						sctp->sctp_rwnd = nrwnd;
2130 				} else {
2131 					/*
2132 					 * We will resume processing when
2133 					 * the FTSN chunk is re-xmitted.
2134 					 */
2135 					dmp->b_rptr = (uchar_t *)dc;
2136 					dmp->b_next = next;
2137 					dprint(0,
2138 					    ("FTSN dequeuing %u failed\n",
2139 					    ntohs(dc->sdh_ssn)));
2140 					return;
2141 				}
2142 			} else {
2143 				sctp->sctp_rxqueued -= dlen;
2144 				ASSERT(dmp->b_prev == NULL);
2145 				dmp->b_next = NULL;
2146 				freemsg(dmp);
2147 			}
2148 			instr->istr_nmsgs--;
2149 			instr->nextseq++;
2150 			sctp->sctp_istr_nmsgs--;
2151 			if (next != NULL)
2152 				next->b_prev = NULL;
2153 			instr->istr_msgs = next;
2154 		}
2155 		ftsn_entry++;
2156 		remaining -= sizeof (*ftsn_entry);
2157 	}
2158 	/* Duplicate FTSN */
2159 	if (*ftsn <= (sctp->sctp_ftsn - 1)) {
2160 		sctp->sctp_force_sack = 1;
2161 		return;
2162 	}
2163 	/* Advance cum TSN to that reported in the Forward TSN chunk */
2164 	sctp->sctp_ftsn = *ftsn + 1;
2165 
2166 	/* Remove all the SACK gaps before the new cum TSN */
2167 	if (sctp->sctp_sack_info != NULL) {
2168 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2169 		    &sctp->sctp_sack_gaps);
2170 	}
2171 	/*
2172 	 * If there are gap reports pending, check if advancing
2173 	 * the ftsn here closes a gap. If so, we can advance
2174 	 * ftsn to the end of the set.
2175 	 * If ftsn has moved forward, maybe we can remove gap reports.
2176 	 */
2177 	if (sctp->sctp_sack_info != NULL &&
2178 	    sctp->sctp_ftsn == sctp->sctp_sack_info->begin) {
2179 		sctp->sctp_ftsn = sctp->sctp_sack_info->end + 1;
2180 		sctp_ack_rem(&sctp->sctp_sack_info, sctp->sctp_ftsn - 1,
2181 		    &sctp->sctp_sack_gaps);
2182 	}
2183 }
2184 
2185 /*
2186  * When we have processed a SACK we check to see if we can advance the
2187  * cumulative TSN if there are abandoned chunks immediately following
2188  * the updated cumulative TSN. If there are, we attempt to send a
2189  * Forward TSN chunk.
2190  */
2191 static void
2192 sctp_check_abandoned_data(sctp_t *sctp, sctp_faddr_t *fp)
2193 {
2194 	mblk_t		*meta = sctp->sctp_xmit_head;
2195 	mblk_t		*mp;
2196 	mblk_t		*nmp;
2197 	uint32_t	seglen;
2198 	uint32_t	adv_pap = sctp->sctp_adv_pap;
2199 
2200 	/*
2201 	 * We only check in the first meta since otherwise we can't
2202 	 * advance the cumulative ack point. We just look for chunks
2203 	 * marked for retransmission, else we might prematurely
2204 	 * send an FTSN for a sent, but unacked, chunk.
2205 	 */
2206 	for (mp = meta->b_cont; mp != NULL; mp = mp->b_next) {
2207 		if (!SCTP_CHUNK_ISSENT(mp))
2208 			return;
2209 		if (SCTP_CHUNK_WANT_REXMIT(mp))
2210 			break;
2211 	}
2212 	if (mp == NULL)
2213 		return;
2214 	sctp_check_adv_ack_pt(sctp, meta, mp);
2215 	if (SEQ_GT(sctp->sctp_adv_pap, adv_pap)) {
2216 		sctp_make_ftsns(sctp, meta, mp, &nmp, fp, &seglen);
2217 		if (nmp == NULL) {
2218 			sctp->sctp_adv_pap = adv_pap;
2219 			if (!fp->timer_running)
2220 				SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2221 			return;
2222 		}
2223 		sctp_set_iplen(sctp, nmp);
2224 		sctp_add_sendq(sctp, nmp);
2225 		if (!fp->timer_running)
2226 			SCTP_FADDR_TIMER_RESTART(sctp, fp, fp->rto);
2227 	}
2228 }
2229 
2230 /*
2231  * The processing here follows the same logic in sctp_got_sack(), the reason
2232  * we do this separately is because, usually, gap blocks are ordered and
2233  * we can process it in sctp_got_sack(). However if they aren't we would
2234  * need to do some additional non-optimal stuff when we start processing the
2235  * unordered gaps. To that effect sctp_got_sack() does the processing in the
2236  * simple case and this does the same in the more involved case.
2237  */
2238 static uint32_t
2239 sctp_process_uo_gaps(sctp_t *sctp, uint32_t ctsn, sctp_sack_frag_t *ssf,
2240     int num_gaps, mblk_t *umphead, mblk_t *mphead, int *trysend,
2241     boolean_t *fast_recovery, uint32_t fr_xtsn)
2242 {
2243 	uint32_t		xtsn;
2244 	uint32_t		gapstart = 0;
2245 	uint32_t		gapend = 0;
2246 	int			gapcnt;
2247 	uint16_t		chunklen;
2248 	sctp_data_hdr_t		*sdc;
2249 	int			gstart;
2250 	mblk_t			*ump = umphead;
2251 	mblk_t			*mp = mphead;
2252 	sctp_faddr_t		*fp;
2253 	uint32_t		acked = 0;
2254 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2255 
2256 	/*
2257 	 * gstart tracks the last (in the order of TSN) gapstart that
2258 	 * we process in this SACK gaps walk.
2259 	 */
2260 	gstart = ctsn;
2261 
2262 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2263 	xtsn = ntohl(sdc->sdh_tsn);
2264 	for (gapcnt = 0; gapcnt < num_gaps; gapcnt++, ssf++) {
2265 		if (gapstart != 0) {
2266 			/*
2267 			 * If we have reached the end of the transmit list or
2268 			 * hit an unsent chunk or encountered an unordered gap
2269 			 * block start from the ctsn again.
2270 			 */
2271 			if (ump == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2272 			    SEQ_LT(ctsn + ntohs(ssf->ssf_start), xtsn)) {
2273 				ump = umphead;
2274 				mp = mphead;
2275 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2276 				xtsn = ntohl(sdc->sdh_tsn);
2277 			}
2278 		}
2279 
2280 		gapstart = ctsn + ntohs(ssf->ssf_start);
2281 		gapend = ctsn + ntohs(ssf->ssf_end);
2282 
2283 		/* SACK for TSN we have not sent - ABORT */
2284 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2285 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2286 			BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2287 			*trysend = -1;
2288 			return (acked);
2289 		} else if (SEQ_LT(gapend, gapstart)) {
2290 			break;
2291 		}
2292 		/*
2293 		 * The xtsn can be the TSN processed for the last gap
2294 		 * (gapend) or it could be the cumulative TSN. We continue
2295 		 * with the last xtsn as long as the gaps are ordered, when
2296 		 * we hit an unordered gap, we re-start from the cumulative
2297 		 * TSN. For the first gap it is always the cumulative TSN.
2298 		 */
2299 		while (xtsn != gapstart) {
2300 			/*
2301 			 * We can't reliably check for reneged chunks
2302 			 * when walking the unordered list, so we don't.
2303 			 * In case the peer reneges then we will end up
2304 			 * sending the reneged chunk via timeout.
2305 			 */
2306 			mp = mp->b_next;
2307 			if (mp == NULL) {
2308 				ump = ump->b_next;
2309 				/*
2310 				 * ump can't be NULL because of the sanity
2311 				 * check above.
2312 				 */
2313 				ASSERT(ump != NULL);
2314 				mp = ump->b_cont;
2315 			}
2316 			/*
2317 			 * mp can't be unsent because of the sanity check
2318 			 * above.
2319 			 */
2320 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2321 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2322 			xtsn = ntohl(sdc->sdh_tsn);
2323 		}
2324 		/*
2325 		 * Now that we have found the chunk with TSN == 'gapstart',
2326 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2327 		 * All intermediate chunks will be marked ACKED, if they
2328 		 * haven't already been.
2329 		 */
2330 		while (SEQ_LEQ(xtsn, gapend)) {
2331 			/*
2332 			 * SACKed
2333 			 */
2334 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2335 			if (!SCTP_CHUNK_ISACKED(mp)) {
2336 				SCTP_CHUNK_ACKED(mp);
2337 
2338 				fp = SCTP_CHUNK_DEST(mp);
2339 				chunklen = ntohs(sdc->sdh_len);
2340 				ASSERT(fp->suna >= chunklen);
2341 				fp->suna -= chunklen;
2342 				if (fp->suna == 0) {
2343 					/* All outstanding data acked. */
2344 					fp->pba = 0;
2345 					SCTP_FADDR_TIMER_STOP(fp);
2346 				}
2347 				fp->acked += chunklen;
2348 				acked += chunklen;
2349 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2350 				ASSERT(sctp->sctp_unacked >= 0);
2351 			}
2352 			/*
2353 			 * Move to the next message in the transmit list
2354 			 * if we are done with all the chunks from the current
2355 			 * message. Note, it is possible to hit the end of the
2356 			 * transmit list here, i.e. if we have already completed
2357 			 * processing the gap block.
2358 			 */
2359 			mp = mp->b_next;
2360 			if (mp == NULL) {
2361 				ump = ump->b_next;
2362 				if (ump == NULL) {
2363 					ASSERT(xtsn == gapend);
2364 					break;
2365 				}
2366 				mp = ump->b_cont;
2367 			}
2368 			/*
2369 			 * Likewise, we can hit an unsent chunk once we have
2370 			 * completed processing the gap block.
2371 			 */
2372 			if (!SCTP_CHUNK_ISSENT(mp)) {
2373 				ASSERT(xtsn == gapend);
2374 				break;
2375 			}
2376 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2377 			xtsn = ntohl(sdc->sdh_tsn);
2378 		}
2379 		/*
2380 		 * We keep track of the last gap we successfully processed
2381 		 * so that we can terminate the walk below for incrementing
2382 		 * the SACK count.
2383 		 */
2384 		if (SEQ_LT(gstart, gapstart))
2385 			gstart = gapstart;
2386 	}
2387 	/*
2388 	 * Check if have incremented the SACK count for all unacked TSNs in
2389 	 * sctp_got_sack(), if so we are done.
2390 	 */
2391 	if (SEQ_LEQ(gstart, fr_xtsn))
2392 		return (acked);
2393 
2394 	ump = umphead;
2395 	mp = mphead;
2396 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2397 	xtsn = ntohl(sdc->sdh_tsn);
2398 	while (SEQ_LT(xtsn, gstart)) {
2399 		/*
2400 		 * We have incremented SACK count for TSNs less than fr_tsn
2401 		 * in sctp_got_sack(), so don't increment them again here.
2402 		 */
2403 		if (SEQ_GT(xtsn, fr_xtsn) && !SCTP_CHUNK_ISACKED(mp)) {
2404 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2405 			if (SCTP_CHUNK_SACKCNT(mp) ==
2406 			    sctps->sctps_fast_rxt_thresh) {
2407 				SCTP_CHUNK_REXMIT(mp);
2408 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2409 				*trysend = 1;
2410 				if (!*fast_recovery) {
2411 					/*
2412 					 * Entering fast recovery.
2413 					 */
2414 					fp = SCTP_CHUNK_DEST(mp);
2415 					fp->ssthresh = fp->cwnd / 2;
2416 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2417 						fp->ssthresh =
2418 						    2 * fp->sfa_pmss;
2419 					}
2420 					fp->cwnd = fp->ssthresh;
2421 					fp->pba = 0;
2422 					sctp->sctp_recovery_tsn =
2423 					    sctp->sctp_ltsn - 1;
2424 					*fast_recovery = B_TRUE;
2425 				}
2426 			}
2427 		}
2428 		mp = mp->b_next;
2429 		if (mp == NULL) {
2430 			ump = ump->b_next;
2431 			/* We can't get to the end of the transmit list here */
2432 			ASSERT(ump != NULL);
2433 			mp = ump->b_cont;
2434 		}
2435 		/* We can't hit an unsent chunk here */
2436 		ASSERT(SCTP_CHUNK_ISSENT(mp));
2437 		sdc = (sctp_data_hdr_t *)mp->b_rptr;
2438 		xtsn = ntohl(sdc->sdh_tsn);
2439 	}
2440 	return (acked);
2441 }
2442 
2443 static int
2444 sctp_got_sack(sctp_t *sctp, sctp_chunk_hdr_t *sch)
2445 {
2446 	sctp_sack_chunk_t	*sc;
2447 	sctp_data_hdr_t		*sdc;
2448 	sctp_sack_frag_t	*ssf;
2449 	mblk_t			*ump;
2450 	mblk_t			*mp;
2451 	mblk_t			*mp1;
2452 	uint32_t		cumtsn;
2453 	uint32_t		xtsn;
2454 	uint32_t		gapstart = 0;
2455 	uint32_t		gapend = 0;
2456 	uint32_t		acked = 0;
2457 	uint16_t		chunklen;
2458 	sctp_faddr_t		*fp;
2459 	int			num_gaps;
2460 	int			trysend = 0;
2461 	int			i;
2462 	boolean_t		fast_recovery = B_FALSE;
2463 	boolean_t		cumack_forward = B_FALSE;
2464 	boolean_t		fwd_tsn = B_FALSE;
2465 	sctp_stack_t		*sctps = sctp->sctp_sctps;
2466 
2467 	BUMP_LOCAL(sctp->sctp_ibchunks);
2468 	chunklen = ntohs(sch->sch_len);
2469 	if (chunklen < (sizeof (*sch) + sizeof (*sc)))
2470 		return (0);
2471 
2472 	sc = (sctp_sack_chunk_t *)(sch + 1);
2473 	cumtsn = ntohl(sc->ssc_cumtsn);
2474 
2475 	dprint(2, ("got sack cumtsn %x -> %x\n", sctp->sctp_lastack_rxd,
2476 	    cumtsn));
2477 
2478 	/* out of order */
2479 	if (SEQ_LT(cumtsn, sctp->sctp_lastack_rxd))
2480 		return (0);
2481 
2482 	if (SEQ_GT(cumtsn, sctp->sctp_ltsn - 1)) {
2483 		BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2484 		/* Send an ABORT */
2485 		return (-1);
2486 	}
2487 
2488 	/*
2489 	 * Cwnd only done when not in fast recovery mode.
2490 	 */
2491 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_recovery_tsn))
2492 		fast_recovery = B_TRUE;
2493 
2494 	/*
2495 	 * .. and if the cum TSN is not moving ahead on account Forward TSN
2496 	 */
2497 	if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_adv_pap))
2498 		fwd_tsn = B_TRUE;
2499 
2500 	if (cumtsn == sctp->sctp_lastack_rxd &&
2501 	    (sctp->sctp_xmit_unacked == NULL ||
2502 	    !SCTP_CHUNK_ABANDONED(sctp->sctp_xmit_unacked))) {
2503 		if (sctp->sctp_xmit_unacked != NULL)
2504 			mp = sctp->sctp_xmit_unacked;
2505 		else if (sctp->sctp_xmit_head != NULL)
2506 			mp = sctp->sctp_xmit_head->b_cont;
2507 		else
2508 			mp = NULL;
2509 		BUMP_MIB(&sctps->sctps_mib, sctpInDupAck);
2510 		/*
2511 		 * If we were doing a zero win probe and the win
2512 		 * has now opened to at least MSS, re-transmit the
2513 		 * zero win probe via sctp_rexmit_packet().
2514 		 */
2515 		if (mp != NULL && sctp->sctp_zero_win_probe &&
2516 		    ntohl(sc->ssc_a_rwnd) >= sctp->sctp_current->sfa_pmss) {
2517 			mblk_t	*pkt;
2518 			uint_t	pkt_len;
2519 			mblk_t	*mp1 = mp;
2520 			mblk_t	*meta = sctp->sctp_xmit_head;
2521 
2522 			/*
2523 			 * Reset the RTO since we have been backing-off
2524 			 * to send the ZWP.
2525 			 */
2526 			fp = sctp->sctp_current;
2527 			fp->rto = fp->srtt + 4 * fp->rttvar;
2528 			/* Resend the ZWP */
2529 			pkt = sctp_rexmit_packet(sctp, &meta, &mp1, fp,
2530 			    &pkt_len);
2531 			if (pkt == NULL) {
2532 				SCTP_KSTAT(sctps, sctp_ss_rexmit_failed);
2533 				return (0);
2534 			}
2535 			ASSERT(pkt_len <= fp->sfa_pmss);
2536 			sctp->sctp_zero_win_probe = B_FALSE;
2537 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2538 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2539 			sctp_set_iplen(sctp, pkt);
2540 			sctp_add_sendq(sctp, pkt);
2541 		}
2542 	} else {
2543 		if (sctp->sctp_zero_win_probe) {
2544 			/*
2545 			 * Reset the RTO since we have been backing-off
2546 			 * to send the ZWP.
2547 			 */
2548 			fp = sctp->sctp_current;
2549 			fp->rto = fp->srtt + 4 * fp->rttvar;
2550 			sctp->sctp_zero_win_probe = B_FALSE;
2551 			/* This is probably not required */
2552 			if (!sctp->sctp_rexmitting) {
2553 				sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2554 				sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2555 			}
2556 		}
2557 		acked = sctp_cumack(sctp, cumtsn, &mp);
2558 		sctp->sctp_xmit_unacked = mp;
2559 		if (acked > 0) {
2560 			trysend = 1;
2561 			cumack_forward = B_TRUE;
2562 			if (fwd_tsn && SEQ_GEQ(sctp->sctp_lastack_rxd,
2563 			    sctp->sctp_adv_pap)) {
2564 				cumack_forward = B_FALSE;
2565 			}
2566 		}
2567 	}
2568 	num_gaps = ntohs(sc->ssc_numfrags);
2569 	if (num_gaps == 0 || mp == NULL || !SCTP_CHUNK_ISSENT(mp) ||
2570 	    chunklen < (sizeof (*sch) + sizeof (*sc) +
2571 	    num_gaps * sizeof (*ssf))) {
2572 		goto ret;
2573 	}
2574 #ifdef	DEBUG
2575 	/*
2576 	 * Since we delete any message that has been acked completely,
2577 	 * the unacked chunk must belong to sctp_xmit_head (as
2578 	 * we don't have a back pointer from the mp to the meta data
2579 	 * we do this).
2580 	 */
2581 	{
2582 		mblk_t	*mp2 = sctp->sctp_xmit_head->b_cont;
2583 
2584 		while (mp2 != NULL) {
2585 			if (mp2 == mp)
2586 				break;
2587 			mp2 = mp2->b_next;
2588 		}
2589 		ASSERT(mp2 != NULL);
2590 	}
2591 #endif
2592 	ump = sctp->sctp_xmit_head;
2593 
2594 	/*
2595 	 * Just remember where we started from, in case we need to call
2596 	 * sctp_process_uo_gaps() if the gap blocks are unordered.
2597 	 */
2598 	mp1 = mp;
2599 
2600 	sdc = (sctp_data_hdr_t *)mp->b_rptr;
2601 	xtsn = ntohl(sdc->sdh_tsn);
2602 	ASSERT(xtsn == cumtsn + 1);
2603 
2604 	/*
2605 	 * Go through SACK gaps. They are ordered based on start TSN.
2606 	 */
2607 	ssf = (sctp_sack_frag_t *)(sc + 1);
2608 	for (i = 0; i < num_gaps; i++, ssf++) {
2609 		if (gapstart != 0) {
2610 			/* check for unordered gap */
2611 			if (SEQ_LEQ(cumtsn + ntohs(ssf->ssf_start), gapstart)) {
2612 				acked += sctp_process_uo_gaps(sctp,
2613 				    cumtsn, ssf, num_gaps - i,
2614 				    sctp->sctp_xmit_head, mp1,
2615 				    &trysend, &fast_recovery, gapstart);
2616 				if (trysend < 0) {
2617 					BUMP_MIB(&sctps->sctps_mib,
2618 					    sctpInAckUnsent);
2619 					return (-1);
2620 				}
2621 				break;
2622 			}
2623 		}
2624 		gapstart = cumtsn + ntohs(ssf->ssf_start);
2625 		gapend = cumtsn + ntohs(ssf->ssf_end);
2626 
2627 		/* SACK for TSN we have not sent - ABORT */
2628 		if (SEQ_GT(gapstart, sctp->sctp_ltsn - 1) ||
2629 		    SEQ_GT(gapend, sctp->sctp_ltsn - 1)) {
2630 			BUMP_MIB(&sctps->sctps_mib, sctpInAckUnsent);
2631 			return (-1);
2632 		} else if (SEQ_LT(gapend, gapstart)) {
2633 			break;
2634 		}
2635 		/*
2636 		 * Let's start at the current TSN (for the 1st gap we start
2637 		 * from the cumulative TSN, for subsequent ones we start from
2638 		 * where the previous gapend was found - second while loop
2639 		 * below) and walk the transmit list till we find the TSN
2640 		 * corresponding to gapstart. All the unacked chunks till we
2641 		 * get to the chunk with TSN == gapstart will have their
2642 		 * SACKCNT incremented by 1. Note since the gap blocks are
2643 		 * ordered, we won't be incrementing the SACKCNT for an
2644 		 * unacked chunk by more than one while processing the gap
2645 		 * blocks. If the SACKCNT for any unacked chunk exceeds
2646 		 * the fast retransmit threshold, we will fast retransmit
2647 		 * after processing all the gap blocks.
2648 		 */
2649 		ASSERT(SEQ_LT(xtsn, gapstart));
2650 		while (xtsn != gapstart) {
2651 			SCTP_CHUNK_SET_SACKCNT(mp, SCTP_CHUNK_SACKCNT(mp) + 1);
2652 			if (SCTP_CHUNK_SACKCNT(mp) ==
2653 			    sctps->sctps_fast_rxt_thresh) {
2654 				SCTP_CHUNK_REXMIT(mp);
2655 				sctp->sctp_chk_fast_rexmit = B_TRUE;
2656 				trysend = 1;
2657 				if (!fast_recovery) {
2658 					/*
2659 					 * Entering fast recovery.
2660 					 */
2661 					fp = SCTP_CHUNK_DEST(mp);
2662 					fp->ssthresh = fp->cwnd / 2;
2663 					if (fp->ssthresh < 2 * fp->sfa_pmss) {
2664 						fp->ssthresh =
2665 						    2 * fp->sfa_pmss;
2666 					}
2667 					fp->cwnd = fp->ssthresh;
2668 					fp->pba = 0;
2669 					sctp->sctp_recovery_tsn =
2670 					    sctp->sctp_ltsn - 1;
2671 					fast_recovery = B_TRUE;
2672 				}
2673 			}
2674 
2675 			/*
2676 			 * Peer may have reneged on this chunk, so un-sack
2677 			 * it now. If the peer did renege, we need to
2678 			 * readjust unacked.
2679 			 */
2680 			if (SCTP_CHUNK_ISACKED(mp)) {
2681 				chunklen = ntohs(sdc->sdh_len);
2682 				fp = SCTP_CHUNK_DEST(mp);
2683 				fp->suna += chunklen;
2684 				sctp->sctp_unacked += chunklen - sizeof (*sdc);
2685 				SCTP_CHUNK_CLEAR_ACKED(mp);
2686 				if (!fp->timer_running) {
2687 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
2688 					    fp->rto);
2689 				}
2690 			}
2691 
2692 			mp = mp->b_next;
2693 			if (mp == NULL) {
2694 				ump = ump->b_next;
2695 				/*
2696 				 * ump can't be NULL given the sanity check
2697 				 * above.
2698 				 */
2699 				ASSERT(ump != NULL);
2700 				mp = ump->b_cont;
2701 			}
2702 			/*
2703 			 * mp can't be unsent given the sanity check above.
2704 			 */
2705 			ASSERT(SCTP_CHUNK_ISSENT(mp));
2706 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2707 			xtsn = ntohl(sdc->sdh_tsn);
2708 		}
2709 		/*
2710 		 * Now that we have found the chunk with TSN == 'gapstart',
2711 		 * let's walk till we hit the chunk with TSN == 'gapend'.
2712 		 * All intermediate chunks will be marked ACKED, if they
2713 		 * haven't already been.
2714 		 */
2715 		while (SEQ_LEQ(xtsn, gapend)) {
2716 			/*
2717 			 * SACKed
2718 			 */
2719 			SCTP_CHUNK_SET_SACKCNT(mp, 0);
2720 			if (!SCTP_CHUNK_ISACKED(mp)) {
2721 				SCTP_CHUNK_ACKED(mp);
2722 
2723 				fp = SCTP_CHUNK_DEST(mp);
2724 				chunklen = ntohs(sdc->sdh_len);
2725 				ASSERT(fp->suna >= chunklen);
2726 				fp->suna -= chunklen;
2727 				if (fp->suna == 0) {
2728 					/* All outstanding data acked. */
2729 					fp->pba = 0;
2730 					SCTP_FADDR_TIMER_STOP(fp);
2731 				}
2732 				fp->acked += chunklen;
2733 				acked += chunklen;
2734 				sctp->sctp_unacked -= chunklen - sizeof (*sdc);
2735 				ASSERT(sctp->sctp_unacked >= 0);
2736 			}
2737 			/* Go to the next chunk of the current message */
2738 			mp = mp->b_next;
2739 			/*
2740 			 * Move to the next message in the transmit list
2741 			 * if we are done with all the chunks from the current
2742 			 * message. Note, it is possible to hit the end of the
2743 			 * transmit list here, i.e. if we have already completed
2744 			 * processing the gap block.
2745 			 * Also, note that we break here, which means we
2746 			 * continue processing gap blocks, if any. In case of
2747 			 * ordered gap blocks there can't be any following
2748 			 * this (if there is it will fail the sanity check
2749 			 * above). In case of un-ordered gap blocks we will
2750 			 * switch to sctp_process_uo_gaps().  In either case
2751 			 * it should be fine to continue with NULL ump/mp,
2752 			 * but we just reset it to xmit_head.
2753 			 */
2754 			if (mp == NULL) {
2755 				ump = ump->b_next;
2756 				if (ump == NULL) {
2757 					ASSERT(xtsn == gapend);
2758 					ump = sctp->sctp_xmit_head;
2759 					mp = mp1;
2760 					sdc = (sctp_data_hdr_t *)mp->b_rptr;
2761 					xtsn = ntohl(sdc->sdh_tsn);
2762 					break;
2763 				}
2764 				mp = ump->b_cont;
2765 			}
2766 			/*
2767 			 * Likewise, we could hit an unsent chunk once we have
2768 			 * completed processing the gap block. Again, it is
2769 			 * fine to continue processing gap blocks with mp
2770 			 * pointing to the unsent chunk, because if there
2771 			 * are more ordered gap blocks, they will fail the
2772 			 * sanity check, and if there are un-ordered gap blocks,
2773 			 * we will continue processing in sctp_process_uo_gaps()
2774 			 * We just reset the mp to the one we started with.
2775 			 */
2776 			if (!SCTP_CHUNK_ISSENT(mp)) {
2777 				ASSERT(xtsn == gapend);
2778 				ump = sctp->sctp_xmit_head;
2779 				mp = mp1;
2780 				sdc = (sctp_data_hdr_t *)mp->b_rptr;
2781 				xtsn = ntohl(sdc->sdh_tsn);
2782 				break;
2783 			}
2784 			sdc = (sctp_data_hdr_t *)mp->b_rptr;
2785 			xtsn = ntohl(sdc->sdh_tsn);
2786 		}
2787 	}
2788 	if (sctp->sctp_prsctp_aware)
2789 		sctp_check_abandoned_data(sctp, sctp->sctp_current);
2790 	if (sctp->sctp_chk_fast_rexmit)
2791 		sctp_fast_rexmit(sctp);
2792 ret:
2793 	trysend += sctp_set_frwnd(sctp, ntohl(sc->ssc_a_rwnd));
2794 
2795 	/*
2796 	 * If receive window is closed while there is unsent data,
2797 	 * set a timer for doing zero window probes.
2798 	 */
2799 	if (sctp->sctp_frwnd == 0 && sctp->sctp_unacked == 0 &&
2800 	    sctp->sctp_unsent != 0) {
2801 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
2802 		    sctp->sctp_current->rto);
2803 	}
2804 
2805 	/*
2806 	 * Set cwnd for all destinations.
2807 	 * Congestion window gets increased only when cumulative
2808 	 * TSN moves forward, we're not in fast recovery, and
2809 	 * cwnd has been fully utilized (almost fully, need to allow
2810 	 * some leeway due to non-MSS sized messages).
2811 	 */
2812 	if (sctp->sctp_current->acked == acked) {
2813 		/*
2814 		 * Fast-path, only data sent to sctp_current got acked.
2815 		 */
2816 		fp = sctp->sctp_current;
2817 		if (cumack_forward && !fast_recovery &&
2818 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2819 			if (fp->cwnd < fp->ssthresh) {
2820 				/*
2821 				 * Slow start
2822 				 */
2823 				if (fp->acked > fp->sfa_pmss) {
2824 					fp->cwnd += fp->sfa_pmss;
2825 				} else {
2826 					fp->cwnd += fp->acked;
2827 				}
2828 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2829 			} else {
2830 				/*
2831 				 * Congestion avoidance
2832 				 */
2833 				fp->pba += fp->acked;
2834 				if (fp->pba >= fp->cwnd) {
2835 					fp->pba -= fp->cwnd;
2836 					fp->cwnd += fp->sfa_pmss;
2837 					fp->cwnd = MIN(fp->cwnd,
2838 					    sctp->sctp_cwnd_max);
2839 				}
2840 			}
2841 		}
2842 		/*
2843 		 * Limit the burst of transmitted data segments.
2844 		 */
2845 		if (fp->suna + sctps->sctps_maxburst * fp->sfa_pmss <
2846 		    fp->cwnd) {
2847 			fp->cwnd = fp->suna + sctps->sctps_maxburst *
2848 			    fp->sfa_pmss;
2849 		}
2850 		fp->acked = 0;
2851 		goto check_ss_rxmit;
2852 	}
2853 	for (fp = sctp->sctp_faddrs; fp != NULL; fp = fp->next) {
2854 		if (cumack_forward && fp->acked && !fast_recovery &&
2855 		    (fp->acked + fp->suna > fp->cwnd - fp->sfa_pmss)) {
2856 			if (fp->cwnd < fp->ssthresh) {
2857 				if (fp->acked > fp->sfa_pmss) {
2858 					fp->cwnd += fp->sfa_pmss;
2859 				} else {
2860 					fp->cwnd += fp->acked;
2861 				}
2862 				fp->cwnd = MIN(fp->cwnd, sctp->sctp_cwnd_max);
2863 			} else {
2864 				fp->pba += fp->acked;
2865 				if (fp->pba >= fp->cwnd) {
2866 					fp->pba -= fp->cwnd;
2867 					fp->cwnd += fp->sfa_pmss;
2868 					fp->cwnd = MIN(fp->cwnd,
2869 					    sctp->sctp_cwnd_max);
2870 				}
2871 			}
2872 		}
2873 		if (fp->suna + sctps->sctps_maxburst * fp->sfa_pmss <
2874 		    fp->cwnd) {
2875 			fp->cwnd = fp->suna + sctps->sctps_maxburst *
2876 			    fp->sfa_pmss;
2877 		}
2878 		fp->acked = 0;
2879 	}
2880 check_ss_rxmit:
2881 	/*
2882 	 * If this is a SACK following a timeout, check if there are
2883 	 * still unacked chunks (sent before the timeout) that we can
2884 	 * send.
2885 	 */
2886 	if (sctp->sctp_rexmitting) {
2887 		if (SEQ_LT(sctp->sctp_lastack_rxd, sctp->sctp_rxt_maxtsn)) {
2888 			/*
2889 			 * As we are in retransmission phase, we may get a
2890 			 * SACK which indicates some new chunks are received
2891 			 * but cum_tsn does not advance.  During this
2892 			 * phase, the other side advances cum_tsn only because
2893 			 * it receives our retransmitted chunks.  Only
2894 			 * this signals that some chunks are still
2895 			 * missing.
2896 			 */
2897 			if (cumack_forward) {
2898 				fp->rxt_unacked -= acked;
2899 				sctp_ss_rexmit(sctp);
2900 			}
2901 		} else {
2902 			sctp->sctp_rexmitting = B_FALSE;
2903 			sctp->sctp_rxt_nxttsn = sctp->sctp_ltsn;
2904 			sctp->sctp_rxt_maxtsn = sctp->sctp_ltsn;
2905 			fp->rxt_unacked = 0;
2906 		}
2907 	}
2908 	return (trysend);
2909 }
2910 
2911 /*
2912  * Returns 0 if the caller should stop processing any more chunks,
2913  * 1 if the caller should skip this chunk and continue processing.
2914  */
2915 static int
2916 sctp_strange_chunk(sctp_t *sctp, sctp_chunk_hdr_t *ch, sctp_faddr_t *fp)
2917 {
2918 	mblk_t *errmp;
2919 	size_t len;
2920 
2921 	BUMP_LOCAL(sctp->sctp_ibchunks);
2922 	/* check top two bits for action required */
2923 	if (ch->sch_id & 0x40) {	/* also matches 0xc0 */
2924 		len = ntohs(ch->sch_len);
2925 		errmp = sctp_make_err(sctp, SCTP_ERR_UNREC_CHUNK, ch, len);
2926 		if (errmp != NULL)
2927 			sctp_send_err(sctp, errmp, fp);
2928 		if ((ch->sch_id & 0xc0) == 0xc0) {
2929 			/* skip and continue */
2930 			return (1);
2931 		} else {
2932 			/* stop processing */
2933 			return (0);
2934 		}
2935 	}
2936 	if (ch->sch_id & 0x80) {
2937 		/* skip and continue, no error */
2938 		return (1);
2939 	}
2940 	/* top two bits are clear; stop processing and no error */
2941 	return (0);
2942 }
2943 
2944 /*
2945  * Basic sanity checks on all input chunks and parameters: they must
2946  * be of legitimate size for their purported type, and must follow
2947  * ordering conventions as defined in rfc2960.
2948  *
2949  * Returns 1 if the chunk and all encloded params are legitimate,
2950  * 0 otherwise.
2951  */
2952 /*ARGSUSED*/
2953 static int
2954 sctp_check_input(sctp_t *sctp, sctp_chunk_hdr_t *ch, ssize_t len, int first)
2955 {
2956 	sctp_parm_hdr_t	*ph;
2957 	void		*p = NULL;
2958 	ssize_t		clen;
2959 	uint16_t	ch_len;
2960 
2961 	ch_len = ntohs(ch->sch_len);
2962 	if (ch_len > len) {
2963 		return (0);
2964 	}
2965 
2966 	switch (ch->sch_id) {
2967 	case CHUNK_DATA:
2968 		if (ch_len < sizeof (sctp_data_hdr_t)) {
2969 			return (0);
2970 		}
2971 		return (1);
2972 	case CHUNK_INIT:
2973 	case CHUNK_INIT_ACK:
2974 		{
2975 			ssize_t	remlen = len;
2976 
2977 			/*
2978 			 * INIT and INIT-ACK chunks must not be bundled with
2979 			 * any other.
2980 			 */
2981 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
2982 			    (ch_len < (sizeof (*ch) +
2983 			    sizeof (sctp_init_chunk_t)))) {
2984 				return (0);
2985 			}
2986 			/* may have params that need checking */
2987 			p = (char *)(ch + 1) + sizeof (sctp_init_chunk_t);
2988 			clen = ch_len - (sizeof (*ch) +
2989 			    sizeof (sctp_init_chunk_t));
2990 		}
2991 		break;
2992 	case CHUNK_SACK:
2993 		if (ch_len < (sizeof (*ch) + sizeof (sctp_sack_chunk_t))) {
2994 			return (0);
2995 		}
2996 		/* dup and gap reports checked by got_sack() */
2997 		return (1);
2998 	case CHUNK_SHUTDOWN:
2999 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t))) {
3000 			return (0);
3001 		}
3002 		return (1);
3003 	case CHUNK_ABORT:
3004 	case CHUNK_ERROR:
3005 		if (ch_len < sizeof (*ch)) {
3006 			return (0);
3007 		}
3008 		/* may have params that need checking */
3009 		p = ch + 1;
3010 		clen = ch_len - sizeof (*ch);
3011 		break;
3012 	case CHUNK_ECNE:
3013 	case CHUNK_CWR:
3014 	case CHUNK_HEARTBEAT:
3015 	case CHUNK_HEARTBEAT_ACK:
3016 	/* Full ASCONF chunk and parameter checks are in asconf.c */
3017 	case CHUNK_ASCONF:
3018 	case CHUNK_ASCONF_ACK:
3019 		if (ch_len < sizeof (*ch)) {
3020 			return (0);
3021 		}
3022 		/* heartbeat data checked by process_heartbeat() */
3023 		return (1);
3024 	case CHUNK_SHUTDOWN_COMPLETE:
3025 		{
3026 			ssize_t remlen = len;
3027 
3028 			/*
3029 			 * SHUTDOWN-COMPLETE chunk must not be bundled with any
3030 			 * other
3031 			 */
3032 			if (!first || sctp_next_chunk(ch, &remlen) != NULL ||
3033 			    ch_len < sizeof (*ch)) {
3034 				return (0);
3035 			}
3036 		}
3037 		return (1);
3038 	case CHUNK_COOKIE:
3039 	case CHUNK_COOKIE_ACK:
3040 	case CHUNK_SHUTDOWN_ACK:
3041 		if (ch_len < sizeof (*ch) || !first) {
3042 			return (0);
3043 		}
3044 		return (1);
3045 	case CHUNK_FORWARD_TSN:
3046 		if (ch_len < (sizeof (*ch) + sizeof (uint32_t)))
3047 			return (0);
3048 		return (1);
3049 	default:
3050 		return (1);	/* handled by strange_chunk() */
3051 	}
3052 
3053 	/* check and byteorder parameters */
3054 	if (clen <= 0) {
3055 		return (1);
3056 	}
3057 	ASSERT(p != NULL);
3058 
3059 	ph = p;
3060 	while (ph != NULL && clen > 0) {
3061 		ch_len = ntohs(ph->sph_len);
3062 		if (ch_len > len || ch_len < sizeof (*ph)) {
3063 			return (0);
3064 		}
3065 		ph = sctp_next_parm(ph, &clen);
3066 	}
3067 
3068 	/* All OK */
3069 	return (1);
3070 }
3071 
3072 /* ARGSUSED */
3073 static sctp_hdr_t *
3074 find_sctp_hdrs(mblk_t *mp, in6_addr_t *src, in6_addr_t *dst,
3075     uint_t *ifindex, uint_t *ip_hdr_len, ip6_pkt_t *ipp, ip_pktinfo_t *pinfo)
3076 {
3077 	uchar_t	*rptr;
3078 	ipha_t	*ip4h;
3079 	ip6_t	*ip6h;
3080 	mblk_t	*mp1;
3081 
3082 	rptr = mp->b_rptr;
3083 	if (IPH_HDR_VERSION(rptr) == IPV4_VERSION) {
3084 		*ip_hdr_len = IPH_HDR_LENGTH(rptr);
3085 		ip4h = (ipha_t *)rptr;
3086 		IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_src, src);
3087 		IN6_IPADDR_TO_V4MAPPED(ip4h->ipha_dst, dst);
3088 
3089 		ipp->ipp_fields |= IPPF_HOPLIMIT;
3090 		ipp->ipp_hoplimit = ((ipha_t *)rptr)->ipha_ttl;
3091 		if (pinfo != NULL && (pinfo->ip_pkt_flags & IPF_RECVIF)) {
3092 			ipp->ipp_fields |= IPPF_IFINDEX;
3093 			ipp->ipp_ifindex = pinfo->ip_pkt_ifindex;
3094 		}
3095 	} else {
3096 		ASSERT(IPH_HDR_VERSION(rptr) == IPV6_VERSION);
3097 		ip6h = (ip6_t *)rptr;
3098 		ipp->ipp_fields = IPPF_HOPLIMIT;
3099 		ipp->ipp_hoplimit = ip6h->ip6_hops;
3100 
3101 		if (ip6h->ip6_nxt != IPPROTO_SCTP) {
3102 			/* Look for ifindex information */
3103 			if (ip6h->ip6_nxt == IPPROTO_RAW) {
3104 				ip6i_t *ip6i = (ip6i_t *)ip6h;
3105 
3106 				if (ip6i->ip6i_flags & IP6I_IFINDEX) {
3107 					ASSERT(ip6i->ip6i_ifindex != 0);
3108 					ipp->ipp_fields |= IPPF_IFINDEX;
3109 					ipp->ipp_ifindex = ip6i->ip6i_ifindex;
3110 				}
3111 				rptr = (uchar_t *)&ip6i[1];
3112 				mp->b_rptr = rptr;
3113 				if (rptr == mp->b_wptr) {
3114 					mp1 = mp->b_cont;
3115 					freeb(mp);
3116 					mp = mp1;
3117 					rptr = mp->b_rptr;
3118 				}
3119 				ASSERT(mp->b_wptr - rptr >=
3120 				    IPV6_HDR_LEN + sizeof (sctp_hdr_t));
3121 				ip6h = (ip6_t *)rptr;
3122 			}
3123 			/*
3124 			 * Find any potentially interesting extension headers
3125 			 * as well as the length of the IPv6 + extension
3126 			 * headers.
3127 			 */
3128 			*ip_hdr_len = ip_find_hdr_v6(mp, ip6h, ipp, NULL);
3129 		} else {
3130 			*ip_hdr_len = IPV6_HDR_LEN;
3131 		}
3132 		*src = ip6h->ip6_src;
3133 		*dst = ip6h->ip6_dst;
3134 	}
3135 	ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
3136 	return ((sctp_hdr_t *)&rptr[*ip_hdr_len]);
3137 #undef IPVER
3138 }
3139 
3140 static mblk_t *
3141 sctp_check_in_policy(mblk_t *mp, mblk_t *ipsec_mp)
3142 {
3143 	ipsec_in_t *ii;
3144 	boolean_t check = B_TRUE;
3145 	boolean_t policy_present;
3146 	ipha_t *ipha;
3147 	ip6_t *ip6h;
3148 	netstack_t	*ns;
3149 	ipsec_stack_t	*ipss;
3150 
3151 	ii = (ipsec_in_t *)ipsec_mp->b_rptr;
3152 	ASSERT(ii->ipsec_in_type == IPSEC_IN);
3153 	ns = ii->ipsec_in_ns;
3154 	ipss = ns->netstack_ipsec;
3155 
3156 	if (ii->ipsec_in_dont_check) {
3157 		check = B_FALSE;
3158 		if (!ii->ipsec_in_secure) {
3159 			freeb(ipsec_mp);
3160 			ipsec_mp = NULL;
3161 		}
3162 	}
3163 	if (IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION) {
3164 		policy_present = ipss->ipsec_inbound_v4_policy_present;
3165 		ipha = (ipha_t *)mp->b_rptr;
3166 		ip6h = NULL;
3167 	} else {
3168 		policy_present = ipss->ipsec_inbound_v6_policy_present;
3169 		ipha = NULL;
3170 		ip6h = (ip6_t *)mp->b_rptr;
3171 	}
3172 
3173 	if (check && policy_present) {
3174 		/*
3175 		 * The conn_t parameter is NULL because we already know
3176 		 * nobody's home.
3177 		 */
3178 		ipsec_mp = ipsec_check_global_policy(ipsec_mp, (conn_t *)NULL,
3179 		    ipha, ip6h, B_TRUE, ns);
3180 		if (ipsec_mp == NULL)
3181 			return (NULL);
3182 	}
3183 	if (ipsec_mp != NULL)
3184 		freeb(ipsec_mp);
3185 	return (mp);
3186 }
3187 
3188 /* Handle out-of-the-blue packets */
3189 void
3190 sctp_ootb_input(mblk_t *mp, ill_t *recv_ill, zoneid_t zoneid,
3191     boolean_t mctl_present)
3192 {
3193 	sctp_t			*sctp;
3194 	sctp_chunk_hdr_t	*ch;
3195 	sctp_hdr_t		*sctph;
3196 	in6_addr_t		src, dst;
3197 	uint_t			ip_hdr_len;
3198 	uint_t			ifindex;
3199 	ip6_pkt_t		ipp;
3200 	ssize_t			mlen;
3201 	ip_pktinfo_t		*pinfo = NULL;
3202 	mblk_t			*first_mp;
3203 	sctp_stack_t		*sctps;
3204 	ip_stack_t		*ipst;
3205 
3206 	ASSERT(recv_ill != NULL);
3207 	ipst = recv_ill->ill_ipst;
3208 	sctps = ipst->ips_netstack->netstack_sctp;
3209 
3210 	BUMP_MIB(&sctps->sctps_mib, sctpOutOfBlue);
3211 	BUMP_MIB(&sctps->sctps_mib, sctpInSCTPPkts);
3212 
3213 	if (sctps->sctps_gsctp == NULL) {
3214 		/*
3215 		 * For non-zero stackids the default queue isn't created
3216 		 * until the first open, thus there can be a need to send
3217 		 * an error before then. But we can't do that, hence we just
3218 		 * drop the packet. Later during boot, when the default queue
3219 		 * has been setup, a retransmitted packet from the peer
3220 		 * will result in a error.
3221 		 */
3222 		ASSERT(sctps->sctps_netstack->netstack_stackid !=
3223 		    GLOBAL_NETSTACKID);
3224 		freemsg(mp);
3225 		return;
3226 	}
3227 
3228 	first_mp = mp;
3229 	if (mctl_present)
3230 		mp = mp->b_cont;
3231 
3232 	/* Initiate IPPf processing, if needed. */
3233 	if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
3234 		ip_process(IPP_LOCAL_IN, &mp,
3235 		    recv_ill->ill_phyint->phyint_ifindex);
3236 		if (mp == NULL) {
3237 			if (mctl_present)
3238 				freeb(first_mp);
3239 			return;
3240 		}
3241 	}
3242 
3243 	if (mp->b_cont != NULL) {
3244 		/*
3245 		 * All subsequent code is vastly simplified if it can
3246 		 * assume a single contiguous chunk of data.
3247 		 */
3248 		if (pullupmsg(mp, -1) == 0) {
3249 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3250 			freemsg(first_mp);
3251 			return;
3252 		}
3253 	}
3254 
3255 	/*
3256 	 * We don't really need to call this function...  Need to
3257 	 * optimize later.
3258 	 */
3259 	sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
3260 	    &ipp, pinfo);
3261 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3262 	if ((ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen)) == NULL) {
3263 		dprint(3, ("sctp_ootb_input: invalid packet\n"));
3264 		BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3265 		freemsg(first_mp);
3266 		return;
3267 	}
3268 
3269 	switch (ch->sch_id) {
3270 	case CHUNK_INIT:
3271 		/* no listener; send abort  */
3272 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3273 			return;
3274 		sctp_send_abort(sctps->sctps_gsctp, sctp_init2vtag(ch), 0,
3275 		    NULL, 0, mp, 0, B_TRUE);
3276 		break;
3277 	case CHUNK_INIT_ACK:
3278 		/* check for changed src addr */
3279 		sctp = sctp_addrlist2sctp(mp, sctph, ch, zoneid, sctps);
3280 		if (sctp != NULL) {
3281 			/* success; proceed to normal path */
3282 			mutex_enter(&sctp->sctp_lock);
3283 			if (sctp->sctp_running) {
3284 				if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
3285 					BUMP_MIB(recv_ill->ill_ip_mib,
3286 					    ipIfStatsInDiscards);
3287 					freemsg(mp);
3288 				}
3289 				mutex_exit(&sctp->sctp_lock);
3290 			} else {
3291 				/*
3292 				 * If the source address is changed, we
3293 				 * don't need to worry too much about
3294 				 * out of order processing.  So we don't
3295 				 * check if the recvq is empty or not here.
3296 				 */
3297 				sctp->sctp_running = B_TRUE;
3298 				mutex_exit(&sctp->sctp_lock);
3299 				sctp_input_data(sctp, mp, NULL);
3300 				WAKE_SCTP(sctp);
3301 				sctp_process_sendq(sctp);
3302 			}
3303 			SCTP_REFRELE(sctp);
3304 			return;
3305 		}
3306 		if (mctl_present)
3307 			freeb(first_mp);
3308 		/* else bogus init ack; drop it */
3309 		break;
3310 	case CHUNK_SHUTDOWN_ACK:
3311 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3312 			return;
3313 		sctp_ootb_shutdown_ack(sctps->sctps_gsctp, mp, ip_hdr_len);
3314 		sctp_process_sendq(sctps->sctps_gsctp);
3315 		return;
3316 	case CHUNK_ERROR:
3317 	case CHUNK_ABORT:
3318 	case CHUNK_COOKIE_ACK:
3319 	case CHUNK_SHUTDOWN_COMPLETE:
3320 		if (mctl_present)
3321 			freeb(first_mp);
3322 		break;
3323 	default:
3324 		if (mctl_present && sctp_check_in_policy(mp, first_mp) == NULL)
3325 			return;
3326 		sctp_send_abort(sctps->sctps_gsctp, sctph->sh_verf, 0,
3327 		    NULL, 0, mp, 0, B_TRUE);
3328 		break;
3329 	}
3330 	sctp_process_sendq(sctps->sctps_gsctp);
3331 	freemsg(mp);
3332 }
3333 
3334 void
3335 sctp_input(conn_t *connp, ipha_t *ipha, mblk_t *mp, mblk_t *first_mp,
3336     ill_t *recv_ill, boolean_t isv4, boolean_t mctl_present)
3337 {
3338 	sctp_t *sctp = CONN2SCTP(connp);
3339 	ip_stack_t	*ipst = recv_ill->ill_ipst;
3340 	ipsec_stack_t	*ipss = ipst->ips_netstack->netstack_ipsec;
3341 
3342 	/*
3343 	 * We check some fields in conn_t without holding a lock.
3344 	 * This should be fine.
3345 	 */
3346 	if (CONN_INBOUND_POLICY_PRESENT(connp, ipss) || mctl_present) {
3347 		first_mp = ipsec_check_inbound_policy(first_mp, connp,
3348 		    ipha, NULL, mctl_present);
3349 		if (first_mp == NULL) {
3350 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3351 			SCTP_REFRELE(sctp);
3352 			return;
3353 		}
3354 	}
3355 
3356 	/* Initiate IPPF processing for fastpath */
3357 	if (IPP_ENABLED(IPP_LOCAL_IN, ipst)) {
3358 		ip_process(IPP_LOCAL_IN, &mp,
3359 		    recv_ill->ill_phyint->phyint_ifindex);
3360 		if (mp == NULL) {
3361 			SCTP_REFRELE(sctp);
3362 			if (mctl_present)
3363 				freeb(first_mp);
3364 			return;
3365 		} else if (mctl_present) {
3366 			/*
3367 			 * ip_process might return a new mp.
3368 			 */
3369 			ASSERT(first_mp != mp);
3370 			first_mp->b_cont = mp;
3371 		} else {
3372 			first_mp = mp;
3373 		}
3374 	}
3375 
3376 	if (connp->conn_recvif || connp->conn_recvslla ||
3377 	    connp->conn_ip_recvpktinfo) {
3378 		int in_flags = 0;
3379 
3380 		if (connp->conn_recvif || connp->conn_ip_recvpktinfo) {
3381 			in_flags = IPF_RECVIF;
3382 		}
3383 		if (connp->conn_recvslla) {
3384 			in_flags |= IPF_RECVSLLA;
3385 		}
3386 		if (isv4) {
3387 			mp = ip_add_info(mp, recv_ill, in_flags,
3388 			    IPCL_ZONEID(connp), ipst);
3389 		} else {
3390 			mp = ip_add_info_v6(mp, recv_ill,
3391 			    &(((ip6_t *)ipha)->ip6_dst));
3392 		}
3393 		if (mp == NULL) {
3394 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3395 			SCTP_REFRELE(sctp);
3396 			if (mctl_present)
3397 				freeb(first_mp);
3398 			return;
3399 		} else if (mctl_present) {
3400 			/*
3401 			 * ip_add_info might return a new mp.
3402 			 */
3403 			ASSERT(first_mp != mp);
3404 			first_mp->b_cont = mp;
3405 		} else {
3406 			first_mp = mp;
3407 		}
3408 	}
3409 
3410 	mutex_enter(&sctp->sctp_lock);
3411 	if (sctp->sctp_running) {
3412 		if (mctl_present)
3413 			mp->b_prev = first_mp;
3414 		if (!sctp_add_recvq(sctp, mp, B_FALSE)) {
3415 			BUMP_MIB(recv_ill->ill_ip_mib, ipIfStatsInDiscards);
3416 			freemsg(first_mp);
3417 		}
3418 		mutex_exit(&sctp->sctp_lock);
3419 		SCTP_REFRELE(sctp);
3420 		return;
3421 	} else {
3422 		sctp->sctp_running = B_TRUE;
3423 		mutex_exit(&sctp->sctp_lock);
3424 
3425 		mutex_enter(&sctp->sctp_recvq_lock);
3426 		if (sctp->sctp_recvq != NULL) {
3427 			if (mctl_present)
3428 				mp->b_prev = first_mp;
3429 			if (!sctp_add_recvq(sctp, mp, B_TRUE)) {
3430 				BUMP_MIB(recv_ill->ill_ip_mib,
3431 				    ipIfStatsInDiscards);
3432 				freemsg(first_mp);
3433 			}
3434 			mutex_exit(&sctp->sctp_recvq_lock);
3435 			WAKE_SCTP(sctp);
3436 			SCTP_REFRELE(sctp);
3437 			return;
3438 		}
3439 	}
3440 	mutex_exit(&sctp->sctp_recvq_lock);
3441 	sctp_input_data(sctp, mp, (mctl_present ? first_mp : NULL));
3442 	WAKE_SCTP(sctp);
3443 	sctp_process_sendq(sctp);
3444 	SCTP_REFRELE(sctp);
3445 }
3446 
3447 static void
3448 sctp_process_abort(sctp_t *sctp, sctp_chunk_hdr_t *ch, int err)
3449 {
3450 	sctp_stack_t	*sctps = sctp->sctp_sctps;
3451 
3452 	BUMP_MIB(&sctps->sctps_mib, sctpAborted);
3453 	BUMP_LOCAL(sctp->sctp_ibchunks);
3454 
3455 	sctp_assoc_event(sctp, SCTP_COMM_LOST,
3456 	    ntohs(((sctp_parm_hdr_t *)(ch + 1))->sph_type), ch);
3457 	sctp_clean_death(sctp, err);
3458 }
3459 
3460 void
3461 sctp_input_data(sctp_t *sctp, mblk_t *mp, mblk_t *ipsec_mp)
3462 {
3463 	sctp_chunk_hdr_t	*ch;
3464 	ssize_t			mlen;
3465 	int			gotdata;
3466 	int			trysend;
3467 	sctp_faddr_t		*fp;
3468 	sctp_init_chunk_t	*iack;
3469 	uint32_t		tsn;
3470 	sctp_data_hdr_t		*sdc;
3471 	ip6_pkt_t		ipp;
3472 	in6_addr_t		src;
3473 	in6_addr_t		dst;
3474 	uint_t			ifindex;
3475 	sctp_hdr_t		*sctph;
3476 	uint_t			ip_hdr_len;
3477 	mblk_t			*dups = NULL;
3478 	int			recv_adaption;
3479 	boolean_t		wake_eager = B_FALSE;
3480 	mblk_t			*pinfo_mp;
3481 	ip_pktinfo_t		*pinfo = NULL;
3482 	in6_addr_t		peer_src;
3483 	int64_t			now;
3484 	sctp_stack_t		*sctps = sctp->sctp_sctps;
3485 	ip_stack_t		*ipst = sctps->sctps_netstack->netstack_ip;
3486 
3487 	if (DB_TYPE(mp) != M_DATA) {
3488 		ASSERT(DB_TYPE(mp) == M_CTL);
3489 		if (MBLKL(mp) == sizeof (ip_pktinfo_t) &&
3490 		    ((ip_pktinfo_t *)mp->b_rptr)->ip_pkt_ulp_type ==
3491 		    IN_PKTINFO) {
3492 			pinfo = (ip_pktinfo_t *)mp->b_rptr;
3493 			pinfo_mp = mp;
3494 			mp = mp->b_cont;
3495 		} else {
3496 			if (ipsec_mp != NULL)
3497 				freeb(ipsec_mp);
3498 			sctp_icmp_error(sctp, mp);
3499 			return;
3500 		}
3501 	}
3502 	ASSERT(DB_TYPE(mp) == M_DATA);
3503 
3504 	if (mp->b_cont != NULL) {
3505 		/*
3506 		 * All subsequent code is vastly simplified if it can
3507 		 * assume a single contiguous chunk of data.
3508 		 */
3509 		if (pullupmsg(mp, -1) == 0) {
3510 			BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3511 			if (ipsec_mp != NULL)
3512 				freeb(ipsec_mp);
3513 			if (pinfo != NULL)
3514 				freeb(pinfo_mp);
3515 			freemsg(mp);
3516 			return;
3517 		}
3518 	}
3519 
3520 	BUMP_LOCAL(sctp->sctp_ipkts);
3521 	sctph = find_sctp_hdrs(mp, &src, &dst, &ifindex, &ip_hdr_len,
3522 	    &ipp, pinfo);
3523 	if (pinfo != NULL)
3524 		freeb(pinfo_mp);
3525 	mlen = mp->b_wptr - (uchar_t *)(sctph + 1);
3526 	ch = sctp_first_chunk((uchar_t *)(sctph + 1), mlen);
3527 	if (ch == NULL) {
3528 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3529 		if (ipsec_mp != NULL)
3530 			freeb(ipsec_mp);
3531 		freemsg(mp);
3532 		return;
3533 	}
3534 
3535 	if (!sctp_check_input(sctp, ch, mlen, 1)) {
3536 		BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
3537 		goto done;
3538 	}
3539 	/*
3540 	 * Check verfication tag (special handling for INIT,
3541 	 * COOKIE, SHUTDOWN_COMPLETE and SHUTDOWN_ACK chunks).
3542 	 * ABORTs are handled in the chunk processing loop, since
3543 	 * may not appear first. All other checked chunks must
3544 	 * appear first, or will have been dropped by check_input().
3545 	 */
3546 	switch (ch->sch_id) {
3547 	case CHUNK_INIT:
3548 		if (sctph->sh_verf != 0) {
3549 			/* drop it */
3550 			goto done;
3551 		}
3552 		break;
3553 	case CHUNK_SHUTDOWN_COMPLETE:
3554 		if (sctph->sh_verf == sctp->sctp_lvtag)
3555 			break;
3556 		if (sctph->sh_verf == sctp->sctp_fvtag &&
3557 		    SCTP_GET_TBIT(ch)) {
3558 			break;
3559 		}
3560 		/* else drop it */
3561 		goto done;
3562 	case CHUNK_ABORT:
3563 	case CHUNK_COOKIE:
3564 		/* handled below */
3565 		break;
3566 	case CHUNK_SHUTDOWN_ACK:
3567 		if (sctp->sctp_state > SCTPS_BOUND &&
3568 		    sctp->sctp_state < SCTPS_ESTABLISHED) {
3569 			/* treat as OOTB */
3570 			sctp_ootb_shutdown_ack(sctp, mp, ip_hdr_len);
3571 			if (ipsec_mp != NULL)
3572 				freeb(ipsec_mp);
3573 			return;
3574 		}
3575 		/* else fallthru */
3576 	default:
3577 		/*
3578 		 * All other packets must have a valid
3579 		 * verification tag, however if this is a
3580 		 * listener, we use a refined version of
3581 		 * out-of-the-blue logic.
3582 		 */
3583 		if (sctph->sh_verf != sctp->sctp_lvtag &&
3584 		    sctp->sctp_state != SCTPS_LISTEN) {
3585 			/* drop it */
3586 			goto done;
3587 		}
3588 		break;
3589 	}
3590 
3591 	/* Have a valid sctp for this packet */
3592 	fp = sctp_lookup_faddr(sctp, &src);
3593 	dprint(2, ("sctp_dispatch_rput: mp=%p fp=%p sctp=%p\n", (void *)mp,
3594 	    (void *)fp, (void *)sctp));
3595 
3596 	gotdata = 0;
3597 	trysend = 0;
3598 
3599 	now = lbolt64;
3600 	/* Process the chunks */
3601 	do {
3602 		dprint(3, ("sctp_dispatch_rput: state=%d, chunk id=%d\n",
3603 		    sctp->sctp_state, (int)(ch->sch_id)));
3604 
3605 		if (ch->sch_id == CHUNK_ABORT) {
3606 			if (sctph->sh_verf != sctp->sctp_lvtag &&
3607 			    sctph->sh_verf != sctp->sctp_fvtag) {
3608 				/* drop it */
3609 				goto done;
3610 			}
3611 		}
3612 
3613 		switch (sctp->sctp_state) {
3614 
3615 		case SCTPS_ESTABLISHED:
3616 		case SCTPS_SHUTDOWN_PENDING:
3617 		case SCTPS_SHUTDOWN_SENT:
3618 			switch (ch->sch_id) {
3619 			case CHUNK_DATA:
3620 				/* 0-length data chunks are not allowed */
3621 				if (ntohs(ch->sch_len) == sizeof (*sdc)) {
3622 					sdc = (sctp_data_hdr_t *)ch;
3623 					tsn = sdc->sdh_tsn;
3624 					sctp_send_abort(sctp, sctp->sctp_fvtag,
3625 					    SCTP_ERR_NO_USR_DATA, (char *)&tsn,
3626 					    sizeof (tsn), mp, 0, B_FALSE);
3627 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3628 					    0, NULL);
3629 					sctp_clean_death(sctp, ECONNABORTED);
3630 					goto done;
3631 				}
3632 
3633 				ASSERT(fp != NULL);
3634 				sctp->sctp_lastdata = fp;
3635 				sctp_data_chunk(sctp, ch, mp, &dups, fp, &ipp);
3636 				gotdata = 1;
3637 				/* Restart shutdown timer if shutting down */
3638 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3639 					/*
3640 					 * If we have exceeded our max
3641 					 * wait bound for waiting for a
3642 					 * shutdown ack from the peer,
3643 					 * abort the association.
3644 					 */
3645 					if (sctps->sctps_shutack_wait_bound !=
3646 					    0 &&
3647 					    TICK_TO_MSEC(now -
3648 					    sctp->sctp_out_time) >
3649 					    sctps->sctps_shutack_wait_bound) {
3650 						sctp_send_abort(sctp,
3651 						    sctp->sctp_fvtag, 0, NULL,
3652 						    0, mp, 0, B_FALSE);
3653 						sctp_assoc_event(sctp,
3654 						    SCTP_COMM_LOST, 0, NULL);
3655 						sctp_clean_death(sctp,
3656 						    ECONNABORTED);
3657 						goto done;
3658 					}
3659 					SCTP_FADDR_TIMER_RESTART(sctp, fp,
3660 					    fp->rto);
3661 				}
3662 				break;
3663 			case CHUNK_SACK:
3664 				ASSERT(fp != NULL);
3665 				/*
3666 				 * Peer is real and alive if it can ack our
3667 				 * data.
3668 				 */
3669 				sctp_faddr_alive(sctp, fp);
3670 				trysend = sctp_got_sack(sctp, ch);
3671 				if (trysend < 0) {
3672 					sctp_send_abort(sctp, sctph->sh_verf,
3673 					    0, NULL, 0, mp, 0, B_FALSE);
3674 					sctp_assoc_event(sctp,
3675 					    SCTP_COMM_LOST, 0, NULL);
3676 					sctp_clean_death(sctp,
3677 					    ECONNABORTED);
3678 					goto done;
3679 				}
3680 				break;
3681 			case CHUNK_HEARTBEAT:
3682 				sctp_return_heartbeat(sctp, ch, mp);
3683 				break;
3684 			case CHUNK_HEARTBEAT_ACK:
3685 				sctp_process_heartbeat(sctp, ch);
3686 				break;
3687 			case CHUNK_SHUTDOWN:
3688 				sctp_shutdown_event(sctp);
3689 				trysend = sctp_shutdown_received(sctp, ch,
3690 				    B_FALSE, B_FALSE, fp);
3691 				BUMP_LOCAL(sctp->sctp_ibchunks);
3692 				break;
3693 			case CHUNK_SHUTDOWN_ACK:
3694 				BUMP_LOCAL(sctp->sctp_ibchunks);
3695 				if (sctp->sctp_state == SCTPS_SHUTDOWN_SENT) {
3696 					sctp_shutdown_complete(sctp);
3697 					BUMP_MIB(&sctps->sctps_mib,
3698 					    sctpShutdowns);
3699 					sctp_assoc_event(sctp,
3700 					    SCTP_SHUTDOWN_COMP, 0, NULL);
3701 					sctp_clean_death(sctp, 0);
3702 					goto done;
3703 				}
3704 				break;
3705 			case CHUNK_ABORT: {
3706 				sctp_saddr_ipif_t *sp;
3707 
3708 				/* Ignore if delete pending */
3709 				sp = sctp_saddr_lookup(sctp, &dst, 0);
3710 				ASSERT(sp != NULL);
3711 				if (sp->saddr_ipif_delete_pending) {
3712 					BUMP_LOCAL(sctp->sctp_ibchunks);
3713 					break;
3714 				}
3715 
3716 				sctp_process_abort(sctp, ch, ECONNRESET);
3717 				goto done;
3718 			}
3719 			case CHUNK_INIT:
3720 				sctp_send_initack(sctp, sctph, ch, mp);
3721 				break;
3722 			case CHUNK_COOKIE:
3723 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3724 				    sctph, &recv_adaption, NULL) != -1) {
3725 					sctp_send_cookie_ack(sctp);
3726 					sctp_assoc_event(sctp, SCTP_RESTART,
3727 					    0, NULL);
3728 					if (recv_adaption) {
3729 						sctp->sctp_recv_adaption = 1;
3730 						sctp_adaption_event(sctp);
3731 					}
3732 				} else {
3733 					BUMP_MIB(&sctps->sctps_mib,
3734 					    sctpInInvalidCookie);
3735 				}
3736 				break;
3737 			case CHUNK_ERROR: {
3738 				int error;
3739 
3740 				BUMP_LOCAL(sctp->sctp_ibchunks);
3741 				error = sctp_handle_error(sctp, sctph, ch, mp);
3742 				if (error != 0) {
3743 					sctp_assoc_event(sctp, SCTP_COMM_LOST,
3744 					    0, NULL);
3745 					sctp_clean_death(sctp, error);
3746 					goto done;
3747 				}
3748 				break;
3749 			}
3750 			case CHUNK_ASCONF:
3751 				ASSERT(fp != NULL);
3752 				sctp_input_asconf(sctp, ch, fp);
3753 				BUMP_LOCAL(sctp->sctp_ibchunks);
3754 				break;
3755 			case CHUNK_ASCONF_ACK:
3756 				ASSERT(fp != NULL);
3757 				sctp_faddr_alive(sctp, fp);
3758 				sctp_input_asconf_ack(sctp, ch, fp);
3759 				BUMP_LOCAL(sctp->sctp_ibchunks);
3760 				break;
3761 			case CHUNK_FORWARD_TSN:
3762 				ASSERT(fp != NULL);
3763 				sctp->sctp_lastdata = fp;
3764 				sctp_process_forward_tsn(sctp, ch, fp, &ipp);
3765 				gotdata = 1;
3766 				BUMP_LOCAL(sctp->sctp_ibchunks);
3767 				break;
3768 			default:
3769 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3770 					goto nomorechunks;
3771 				} /* else skip and continue processing */
3772 				break;
3773 			}
3774 			break;
3775 
3776 		case SCTPS_LISTEN:
3777 			switch (ch->sch_id) {
3778 			case CHUNK_INIT:
3779 				sctp_send_initack(sctp, sctph, ch, mp);
3780 				break;
3781 			case CHUNK_COOKIE: {
3782 				sctp_t *eager;
3783 
3784 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3785 				    sctph, &recv_adaption, &peer_src) == -1) {
3786 					BUMP_MIB(&sctps->sctps_mib,
3787 					    sctpInInvalidCookie);
3788 					goto done;
3789 				}
3790 
3791 				/*
3792 				 * The cookie is good; ensure that
3793 				 * the peer used the verification
3794 				 * tag from the init ack in the header.
3795 				 */
3796 				if (iack->sic_inittag != sctph->sh_verf)
3797 					goto done;
3798 
3799 				eager = sctp_conn_request(sctp, mp, ifindex,
3800 				    ip_hdr_len, iack, ipsec_mp);
3801 				if (eager == NULL) {
3802 					sctp_send_abort(sctp, sctph->sh_verf,
3803 					    SCTP_ERR_NO_RESOURCES, NULL, 0, mp,
3804 					    0, B_FALSE);
3805 					goto done;
3806 				}
3807 
3808 				/*
3809 				 * If there were extra chunks
3810 				 * bundled with the cookie,
3811 				 * they must be processed
3812 				 * on the eager's queue. We
3813 				 * accomplish this by refeeding
3814 				 * the whole packet into the
3815 				 * state machine on the right
3816 				 * q. The packet (mp) gets
3817 				 * there via the eager's
3818 				 * cookie_mp field (overloaded
3819 				 * with the active open role).
3820 				 * This is picked up when
3821 				 * processing the null bind
3822 				 * request put on the eager's
3823 				 * q by sctp_accept(). We must
3824 				 * first revert the cookie
3825 				 * chunk's length field to network
3826 				 * byteorder so it can be
3827 				 * properly reprocessed on the
3828 				 * eager's queue.
3829 				 */
3830 				BUMP_MIB(&sctps->sctps_mib, sctpPassiveEstab);
3831 				if (mlen > ntohs(ch->sch_len)) {
3832 					eager->sctp_cookie_mp = dupb(mp);
3833 					mblk_setcred(eager->sctp_cookie_mp,
3834 					    CONN_CRED(eager->sctp_connp));
3835 					/*
3836 					 * If no mem, just let
3837 					 * the peer retransmit.
3838 					 */
3839 				}
3840 				sctp_assoc_event(eager, SCTP_COMM_UP, 0, NULL);
3841 				if (recv_adaption) {
3842 					eager->sctp_recv_adaption = 1;
3843 					eager->sctp_rx_adaption_code =
3844 					    sctp->sctp_rx_adaption_code;
3845 					sctp_adaption_event(eager);
3846 				}
3847 
3848 				eager->sctp_active = now;
3849 				sctp_send_cookie_ack(eager);
3850 
3851 				wake_eager = B_TRUE;
3852 
3853 				/*
3854 				 * Process rest of the chunks with eager.
3855 				 */
3856 				sctp = eager;
3857 				fp = sctp_lookup_faddr(sctp, &peer_src);
3858 				/*
3859 				 * Confirm peer's original source.  fp can
3860 				 * only be NULL if peer does not use the
3861 				 * original source as one of its addresses...
3862 				 */
3863 				if (fp == NULL)
3864 					fp = sctp_lookup_faddr(sctp, &src);
3865 				else
3866 					sctp_faddr_alive(sctp, fp);
3867 
3868 				/*
3869 				 * Validate the peer addresses.  It also starts
3870 				 * the heartbeat timer.
3871 				 */
3872 				sctp_validate_peer(sctp);
3873 				break;
3874 			}
3875 			/* Anything else is considered out-of-the-blue */
3876 			case CHUNK_ERROR:
3877 			case CHUNK_ABORT:
3878 			case CHUNK_COOKIE_ACK:
3879 			case CHUNK_SHUTDOWN_COMPLETE:
3880 				BUMP_LOCAL(sctp->sctp_ibchunks);
3881 				goto done;
3882 			default:
3883 				BUMP_LOCAL(sctp->sctp_ibchunks);
3884 				sctp_send_abort(sctp, sctph->sh_verf, 0, NULL,
3885 				    0, mp, 0, B_TRUE);
3886 				goto done;
3887 			}
3888 			break;
3889 
3890 		case SCTPS_COOKIE_WAIT:
3891 			switch (ch->sch_id) {
3892 			case CHUNK_INIT_ACK:
3893 				sctp_stop_faddr_timers(sctp);
3894 				sctp_faddr_alive(sctp, sctp->sctp_current);
3895 				sctp_send_cookie_echo(sctp, ch, mp);
3896 				BUMP_LOCAL(sctp->sctp_ibchunks);
3897 				break;
3898 			case CHUNK_ABORT:
3899 				sctp_process_abort(sctp, ch, ECONNREFUSED);
3900 				goto done;
3901 			case CHUNK_INIT:
3902 				sctp_send_initack(sctp, sctph, ch, mp);
3903 				break;
3904 			case CHUNK_COOKIE:
3905 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3906 				    sctph, &recv_adaption, NULL) == -1) {
3907 					BUMP_MIB(&sctps->sctps_mib,
3908 					    sctpInInvalidCookie);
3909 					break;
3910 				}
3911 				sctp_send_cookie_ack(sctp);
3912 				sctp_stop_faddr_timers(sctp);
3913 				if (!SCTP_IS_DETACHED(sctp)) {
3914 				    sctp->sctp_ulp_connected(sctp->sctp_ulpd);
3915 				    sctp_set_ulp_prop(sctp);
3916 				}
3917 				sctp->sctp_state = SCTPS_ESTABLISHED;
3918 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3919 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
3920 				if (sctp->sctp_cookie_mp) {
3921 					freemsg(sctp->sctp_cookie_mp);
3922 					sctp->sctp_cookie_mp = NULL;
3923 				}
3924 
3925 				/* Validate the peer addresses. */
3926 				sctp->sctp_active = now;
3927 				sctp_validate_peer(sctp);
3928 
3929 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
3930 				if (recv_adaption) {
3931 					sctp->sctp_recv_adaption = 1;
3932 					sctp_adaption_event(sctp);
3933 				}
3934 				/* Try sending queued data, or ASCONFs */
3935 				trysend = 1;
3936 				break;
3937 			default:
3938 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
3939 					goto nomorechunks;
3940 				} /* else skip and continue processing */
3941 				break;
3942 			}
3943 			break;
3944 
3945 		case SCTPS_COOKIE_ECHOED:
3946 			switch (ch->sch_id) {
3947 			case CHUNK_COOKIE_ACK:
3948 				if (!SCTP_IS_DETACHED(sctp)) {
3949 				    sctp->sctp_ulp_connected(sctp->sctp_ulpd);
3950 				    sctp_set_ulp_prop(sctp);
3951 				}
3952 				if (sctp->sctp_unacked == 0)
3953 					sctp_stop_faddr_timers(sctp);
3954 				sctp->sctp_state = SCTPS_ESTABLISHED;
3955 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3956 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
3957 				BUMP_LOCAL(sctp->sctp_ibchunks);
3958 				if (sctp->sctp_cookie_mp) {
3959 					freemsg(sctp->sctp_cookie_mp);
3960 					sctp->sctp_cookie_mp = NULL;
3961 				}
3962 				sctp_faddr_alive(sctp, fp);
3963 				/* Validate the peer addresses. */
3964 				sctp->sctp_active = now;
3965 				sctp_validate_peer(sctp);
3966 
3967 				/* Try sending queued data, or ASCONFs */
3968 				trysend = 1;
3969 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
3970 				sctp_adaption_event(sctp);
3971 				break;
3972 			case CHUNK_ABORT:
3973 				sctp_process_abort(sctp, ch, ECONNREFUSED);
3974 				goto done;
3975 			case CHUNK_COOKIE:
3976 				if (sctp_process_cookie(sctp, ch, mp, &iack,
3977 				    sctph, &recv_adaption, NULL) == -1) {
3978 					BUMP_MIB(&sctps->sctps_mib,
3979 					    sctpInInvalidCookie);
3980 					break;
3981 				}
3982 				sctp_send_cookie_ack(sctp);
3983 
3984 				if (!SCTP_IS_DETACHED(sctp)) {
3985 				    sctp->sctp_ulp_connected(sctp->sctp_ulpd);
3986 				    sctp_set_ulp_prop(sctp);
3987 				}
3988 				if (sctp->sctp_unacked == 0)
3989 					sctp_stop_faddr_timers(sctp);
3990 				sctp->sctp_state = SCTPS_ESTABLISHED;
3991 				sctp->sctp_assoc_start_time = (uint32_t)lbolt;
3992 				BUMP_MIB(&sctps->sctps_mib, sctpActiveEstab);
3993 				if (sctp->sctp_cookie_mp) {
3994 					freemsg(sctp->sctp_cookie_mp);
3995 					sctp->sctp_cookie_mp = NULL;
3996 				}
3997 				/* Validate the peer addresses. */
3998 				sctp->sctp_active = now;
3999 				sctp_validate_peer(sctp);
4000 
4001 				sctp_assoc_event(sctp, SCTP_COMM_UP, 0, NULL);
4002 				if (recv_adaption) {
4003 					sctp->sctp_recv_adaption = 1;
4004 					sctp_adaption_event(sctp);
4005 				}
4006 				/* Try sending queued data, or ASCONFs */
4007 				trysend = 1;
4008 				break;
4009 			case CHUNK_INIT:
4010 				sctp_send_initack(sctp, sctph, ch, mp);
4011 				break;
4012 			case CHUNK_ERROR: {
4013 				sctp_parm_hdr_t *p;
4014 
4015 				BUMP_LOCAL(sctp->sctp_ibchunks);
4016 				/* check for a stale cookie */
4017 				if (ntohs(ch->sch_len) >=
4018 				    (sizeof (*p) + sizeof (*ch)) +
4019 				    sizeof (uint32_t)) {
4020 
4021 					p = (sctp_parm_hdr_t *)(ch + 1);
4022 					if (p->sph_type ==
4023 					    htons(SCTP_ERR_STALE_COOKIE)) {
4024 						BUMP_MIB(&sctps->sctps_mib,
4025 						    sctpAborted);
4026 						sctp_error_event(sctp, ch);
4027 						sctp_assoc_event(sctp,
4028 						    SCTP_COMM_LOST, 0, NULL);
4029 						sctp_clean_death(sctp,
4030 						    ECONNREFUSED);
4031 						goto done;
4032 					}
4033 				}
4034 				break;
4035 			}
4036 			case CHUNK_HEARTBEAT:
4037 				sctp_return_heartbeat(sctp, ch, mp);
4038 				break;
4039 			default:
4040 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4041 					goto nomorechunks;
4042 				} /* else skip and continue processing */
4043 			} /* switch (ch->sch_id) */
4044 			break;
4045 
4046 		case SCTPS_SHUTDOWN_ACK_SENT:
4047 			switch (ch->sch_id) {
4048 			case CHUNK_ABORT:
4049 				/* Pass gathered wisdom to IP for keeping */
4050 				sctp_update_ire(sctp);
4051 				sctp_process_abort(sctp, ch, 0);
4052 				goto done;
4053 			case CHUNK_SHUTDOWN_COMPLETE:
4054 				BUMP_LOCAL(sctp->sctp_ibchunks);
4055 				BUMP_MIB(&sctps->sctps_mib, sctpShutdowns);
4056 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4057 				    NULL);
4058 
4059 				/* Pass gathered wisdom to IP for keeping */
4060 				sctp_update_ire(sctp);
4061 				sctp_clean_death(sctp, 0);
4062 				goto done;
4063 			case CHUNK_SHUTDOWN_ACK:
4064 				sctp_shutdown_complete(sctp);
4065 				BUMP_LOCAL(sctp->sctp_ibchunks);
4066 				BUMP_MIB(&sctps->sctps_mib, sctpShutdowns);
4067 				sctp_assoc_event(sctp, SCTP_SHUTDOWN_COMP, 0,
4068 				    NULL);
4069 				sctp_clean_death(sctp, 0);
4070 				goto done;
4071 			case CHUNK_COOKIE:
4072 				(void) sctp_shutdown_received(sctp, NULL,
4073 				    B_TRUE, B_FALSE, fp);
4074 				BUMP_LOCAL(sctp->sctp_ibchunks);
4075 				break;
4076 			case CHUNK_HEARTBEAT:
4077 				sctp_return_heartbeat(sctp, ch, mp);
4078 				break;
4079 			default:
4080 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4081 					goto nomorechunks;
4082 				} /* else skip and continue processing */
4083 				break;
4084 			}
4085 			break;
4086 
4087 		case SCTPS_SHUTDOWN_RECEIVED:
4088 			switch (ch->sch_id) {
4089 			case CHUNK_SHUTDOWN:
4090 				trysend = sctp_shutdown_received(sctp, ch,
4091 				    B_FALSE, B_FALSE, fp);
4092 				break;
4093 			case CHUNK_SACK:
4094 				trysend = sctp_got_sack(sctp, ch);
4095 				if (trysend < 0) {
4096 					sctp_send_abort(sctp, sctph->sh_verf,
4097 					    0, NULL, 0, mp, 0, B_FALSE);
4098 					sctp_assoc_event(sctp,
4099 					    SCTP_COMM_LOST, 0, NULL);
4100 					sctp_clean_death(sctp,
4101 					    ECONNABORTED);
4102 					goto done;
4103 				}
4104 				break;
4105 			case CHUNK_ABORT:
4106 				sctp_process_abort(sctp, ch, ECONNRESET);
4107 				goto done;
4108 			case CHUNK_HEARTBEAT:
4109 				sctp_return_heartbeat(sctp, ch, mp);
4110 				break;
4111 			default:
4112 				if (sctp_strange_chunk(sctp, ch, fp) == 0) {
4113 					goto nomorechunks;
4114 				} /* else skip and continue processing */
4115 				break;
4116 			}
4117 			break;
4118 
4119 		default:
4120 			/*
4121 			 * The only remaining states are SCTPS_IDLE and
4122 			 * SCTPS_BOUND, and we should not be getting here
4123 			 * for these.
4124 			 */
4125 			ASSERT(0);
4126 		} /* switch (sctp->sctp_state) */
4127 
4128 		ch = sctp_next_chunk(ch, &mlen);
4129 		if (ch != NULL && !sctp_check_input(sctp, ch, mlen, 0))
4130 			goto done;
4131 	} while (ch != NULL);
4132 
4133 	/* Finished processing all chunks in packet */
4134 
4135 nomorechunks:
4136 	/* SACK if necessary */
4137 	if (gotdata) {
4138 		(sctp->sctp_sack_toggle)++;
4139 		sctp_sack(sctp, dups);
4140 		dups = NULL;
4141 
4142 		if (!sctp->sctp_ack_timer_running) {
4143 			sctp->sctp_ack_timer_running = B_TRUE;
4144 			sctp_timer(sctp, sctp->sctp_ack_mp,
4145 			    MSEC_TO_TICK(sctps->sctps_deferred_ack_interval));
4146 		}
4147 	}
4148 
4149 	if (trysend) {
4150 		sctp_output(sctp, UINT_MAX);
4151 		if (sctp->sctp_cxmit_list != NULL)
4152 			sctp_wput_asconf(sctp, NULL);
4153 	}
4154 	/* If there is unsent data, make sure a timer is running */
4155 	if (sctp->sctp_unsent > 0 && !sctp->sctp_current->timer_running) {
4156 		SCTP_FADDR_TIMER_RESTART(sctp, sctp->sctp_current,
4157 		    sctp->sctp_current->rto);
4158 	}
4159 
4160 done:
4161 	if (dups != NULL)
4162 		freeb(dups);
4163 	if (ipsec_mp != NULL)
4164 		freeb(ipsec_mp);
4165 	freemsg(mp);
4166 
4167 	if (wake_eager) {
4168 		/*
4169 		 * sctp points to newly created control block, need to
4170 		 * release it before exiting.  Before releasing it and
4171 		 * processing the sendq, need to grab a hold on it.
4172 		 * Otherwise, another thread can close it while processing
4173 		 * the sendq.
4174 		 */
4175 		SCTP_REFHOLD(sctp);
4176 		WAKE_SCTP(sctp);
4177 		sctp_process_sendq(sctp);
4178 		SCTP_REFRELE(sctp);
4179 	}
4180 }
4181 
4182 /*
4183  * Some amount of data got removed from rx q.
4184  * Check if we should send a window update.
4185  *
4186  * Due to way sctp_rwnd updates are made, ULP can give reports out-of-order.
4187  * To keep from dropping incoming data due to this, we only update
4188  * sctp_rwnd when if it's larger than what we've reported to peer earlier.
4189  */
4190 void
4191 sctp_recvd(sctp_t *sctp, int len)
4192 {
4193 	int32_t old, new;
4194 	sctp_stack_t	*sctps = sctp->sctp_sctps;
4195 
4196 	ASSERT(sctp != NULL);
4197 	RUN_SCTP(sctp);
4198 
4199 	if (len < sctp->sctp_rwnd) {
4200 		WAKE_SCTP(sctp);
4201 		return;
4202 	}
4203 	ASSERT(sctp->sctp_rwnd >= sctp->sctp_rxqueued);
4204 	old = sctp->sctp_rwnd - sctp->sctp_rxqueued;
4205 	new = len - sctp->sctp_rxqueued;
4206 	sctp->sctp_rwnd = len;
4207 
4208 	if (sctp->sctp_state >= SCTPS_ESTABLISHED &&
4209 	    ((old <= new >> 1) || (old < sctp->sctp_mss))) {
4210 		sctp->sctp_force_sack = 1;
4211 		BUMP_MIB(&sctps->sctps_mib, sctpOutWinUpdate);
4212 		sctp_sack(sctp, NULL);
4213 		old = 1;
4214 	} else {
4215 		old = 0;
4216 	}
4217 	WAKE_SCTP(sctp);
4218 	if (old > 0) {
4219 		sctp_process_sendq(sctp);
4220 	}
4221 }
4222