diff options
| author | rrs <rrs@FreeBSD.org> | 2006-11-03 15:23:16 +0000 |
|---|---|---|
| committer | rrs <rrs@FreeBSD.org> | 2006-11-03 15:23:16 +0000 |
| commit | 3d3e3f2242423b47549f89486754bc40030fbe9f (patch) | |
| tree | 0ec895f64207afbb268edd872d01288ffc058501 /sys/netinet/sctp_input.c | |
| parent | d23275fe7d190eab56c82bf462ecb67346e58ab3 (diff) | |
| download | FreeBSD-src-3d3e3f2242423b47549f89486754bc40030fbe9f.zip FreeBSD-src-3d3e3f2242423b47549f89486754bc40030fbe9f.tar.gz | |
Ok, here it is, we finally add SCTP to current. Note that this
work is not just mine, but it is also the works of Peter Lei
and Michael Tuexen. They both are my two key other developers
working on the project.. and they need ata-boy's too:
****
peterlei@cisco.com
tuexen@fh-muenster.de
****
I did do a make sysent which updated the
syscall's and sysproto.. I hope that is correct... without
it you don't build since we have new syscalls for SCTP :-0
So go out and look at the NOTES, add
option SCTP (make sure inet and inet6 are present too)
and play with SCTP.
I will see about comitting some test tools I have after I
figure out where I should place them. I also have a
lib (libsctp.a) that adds some of the missing socketapi
functions that I need to put into lib's.. I will talk
to George about this :-)
There may still be some 64 bit issues in here, none of
us have a 64 bit processor to test with yet.. Michael
may have a MAC but thats another beast too..
If you have a mac and want to use SCTP contact Michael
he maintains a web site with a loadable module with
this code :-)
Reviewed by: gnn
Approved by: gnn
Diffstat (limited to 'sys/netinet/sctp_input.c')
| -rw-r--r-- | sys/netinet/sctp_input.c | 4749 |
1 files changed, 4749 insertions, 0 deletions
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c new file mode 100644 index 0000000..e417f29 --- /dev/null +++ b/sys/netinet/sctp_input.c @@ -0,0 +1,4749 @@ +/*- + * Copyright (c) 2001-2006, Cisco Systems, Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * a) Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * b) Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the distribution. + * + * c) Neither the name of Cisco Systems, Inc. nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include "opt_ipsec.h" +#include "opt_compat.h" +#include "opt_inet6.h" +#include "opt_inet.h" +#include "opt_sctp.h" + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/malloc.h> +#include <sys/mbuf.h> +#include <sys/socket.h> +#include <sys/socketvar.h> +#include <sys/sysctl.h> +#include <sys/domain.h> +#include <sys/protosw.h> +#include <sys/kernel.h> +#include <sys/errno.h> +#include <sys/syslog.h> + +#include <sys/limits.h> +#include <machine/cpu.h> + +#include <net/if.h> +#include <net/route.h> +#include <net/if_types.h> + +#include <netinet/in.h> +#include <netinet/in_systm.h> +#include <netinet/ip.h> +#include <netinet/in_pcb.h> +#include <netinet/in_var.h> +#include <netinet/ip_var.h> + +#ifdef INET6 +#include <netinet/ip6.h> +#include <netinet6/ip6_var.h> +#endif /* INET6 */ + +#include <netinet/ip_icmp.h> +#include <netinet/icmp_var.h> + +#include <netinet/sctp_os.h> +#include <netinet/sctp_var.h> +#include <netinet/sctp_pcb.h> +#include <netinet/sctp_header.h> +#include <netinet/sctputil.h> +#include <netinet/sctp_output.h> +#include <netinet/sctp_input.h> +#include <netinet/sctp_auth.h> +#include <netinet/sctp_indata.h> +#include <netinet/sctp_asconf.h> + +#include <netinet/ip_options.h> + + +#ifdef IPSEC +#include <netinet6/ipsec.h> +#include <netkey/key.h> +#endif /* IPSEC */ + + +#ifdef SCTP_DEBUG +extern uint32_t sctp_debug_on; + +#endif + + +static void +sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) +{ + struct sctp_nets *net; + + SCTP_TCB_LOCK_ASSERT(stcb); + TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { + if ((callout_pending(&net->rxt_timer.timer)) && + (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE)) { + sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, + stcb->sctp_ep, + stcb, + net); + } + } +} + +/* INIT handler */ +static void +sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, + struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, + struct sctp_nets *net) +{ + struct sctp_init *init; + struct mbuf *op_err; + uint32_t init_limit; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); + } +#endif + op_err = NULL; + init = &cp->init; + /* First are we accepting? */ + if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); + } +#endif + /* + * FIX ME ?? What about TCP model and we have a + * match/restart case? + */ + sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); + return; + } + if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { + /* Invalid length */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); + return; + } + /* validate parameters */ + if (init->initiate_tag == 0) { + /* protocol error... send abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); + return; + } + if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { + /* invalid parameter... send abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); + return; + } + if (init->num_inbound_streams == 0) { + /* protocol error... send abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); + return; + } + if (init->num_outbound_streams == 0) { + /* protocol error... send abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); + return; + } + init_limit = offset + ntohs(cp->ch.chunk_length); + if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), + init_limit)) { + /* auth parameter(s) error... send abort */ + sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); + return; + } + /* send an INIT-ACK w/cookie */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("sctp_handle_init: sending INIT-ACK\n"); + } +#endif + sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); +} + +/* + * process peer "INIT/INIT-ACK" chunk returns value < 0 on error + */ +static int +sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, + struct sctp_nets *net) +{ + struct sctp_init *init; + struct sctp_association *asoc; + struct sctp_nets *lnet; + unsigned int i; + + init = &cp->init; + asoc = &stcb->asoc; + /* save off parameters */ + asoc->peer_vtag = ntohl(init->initiate_tag); + asoc->peers_rwnd = ntohl(init->a_rwnd); + if (TAILQ_FIRST(&asoc->nets)) { + /* update any ssthresh's that may have a default */ + TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { + lnet->ssthresh = asoc->peers_rwnd; + +#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) + sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); +#endif + + } + } + if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { + unsigned int newcnt; + struct sctp_stream_out *outs; + struct sctp_stream_queue_pending *sp; + + /* cut back on number of streams */ + newcnt = ntohs(init->num_inbound_streams); + /* This if is probably not needed but I am cautious */ + if (asoc->strmout) { + /* First make sure no data chunks are trapped */ + for (i = newcnt; i < asoc->pre_open_streams; i++) { + outs = &asoc->strmout[i]; + sp = TAILQ_FIRST(&outs->outqueue); + while (sp) { + TAILQ_REMOVE(&outs->outqueue, sp, + next); + asoc->stream_queue_cnt--; + sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, + stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, + sp); + if (sp->data) { + sctp_m_freem(sp->data); + sp->data = NULL; + } + sctp_free_remote_addr(sp->net); + sp->net = NULL; + /* Free the chunk */ + printf("sp:%x tcb:%x weird free case\n", + (u_int)sp, (u_int)stcb); + + sctp_free_a_strmoq(stcb, sp); + sp = TAILQ_FIRST(&outs->outqueue); + } + } + } + /* cut back the count and abandon the upper streams */ + asoc->pre_open_streams = newcnt; + } + asoc->streamincnt = ntohs(init->num_outbound_streams); + if (asoc->streamincnt > MAX_SCTP_STREAMS) { + asoc->streamincnt = MAX_SCTP_STREAMS; + } + asoc->streamoutcnt = asoc->pre_open_streams; + /* init tsn's */ + asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; +#ifdef SCTP_MAP_LOGGING + sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); +#endif + /* This is the next one we expect */ + asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; + + asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); + asoc->cumulative_tsn = asoc->asconf_seq_in; + asoc->last_echo_tsn = asoc->asconf_seq_in; + asoc->advanced_peer_ack_point = asoc->last_acked_seq; + /* open the requested streams */ + if (asoc->strmin != NULL) { + /* Free the old ones */ + SCTP_FREE(asoc->strmin); + } + SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * + sizeof(struct sctp_stream_in), "StreamsIn"); + if (asoc->strmin == NULL) { + /* we didn't get memory for the streams! */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("process_init: couldn't get memory for the streams!\n"); + } +#endif + return (-1); + } + for (i = 0; i < asoc->streamincnt; i++) { + asoc->strmin[i].stream_no = i; + asoc->strmin[i].last_sequence_delivered = 0xffff; + /* + * U-stream ranges will be set when the cookie is unpacked. + * Or for the INIT sender they are un set (if pr-sctp not + * supported) when the INIT-ACK arrives. + */ + TAILQ_INIT(&asoc->strmin[i].inqueue); + /* + * we are not on any wheel, pr-sctp streams will go on the + * wheel when they have data waiting for reorder. + */ + asoc->strmin[i].next_spoke.tqe_next = 0; + asoc->strmin[i].next_spoke.tqe_prev = 0; + } + + /* + * load_address_from_init will put the addresses into the + * association when the COOKIE is processed or the INIT-ACK is + * processed. Both types of COOKIE's existing and new call this + * routine. It will remove addresses that are no longer in the + * association (for the restarting case where addresses are + * removed). Up front when the INIT arrives we will discard it if it + * is a restart and new addresses have been added. + */ + return (0); +} + +/* + * INIT-ACK message processing/consumption returns value < 0 on error + */ +static int +sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, + struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, + struct sctp_nets *net) +{ + struct sctp_association *asoc; + struct mbuf *op_err; + int retval, abort_flag; + uint32_t initack_limit; + + /* First verify that we have no illegal param's */ + abort_flag = 0; + op_err = NULL; + + op_err = sctp_arethere_unrecognized_parameters(m, + (offset + sizeof(struct sctp_init_chunk)), + &abort_flag, (struct sctp_chunkhdr *)cp); + if (abort_flag) { + /* Send an abort and notify peer */ + if (op_err != NULL) { + sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); + } else { + /* + * Just notify (abort_assoc does this if we send an + * abort). + */ + sctp_abort_notification(stcb, 0); + /* + * No sense in further INIT's since we will get the + * same param back + */ + sctp_free_assoc(stcb->sctp_ep, stcb, 0); + } + return (-1); + } + asoc = &stcb->asoc; + /* process the peer's parameters in the INIT-ACK */ + retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); + if (retval < 0) { + return (retval); + } + initack_limit = offset + ntohs(cp->ch.chunk_length); + /* load all addresses */ + if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, + (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, + NULL))) { + /* Huh, we should abort */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Load addresses from INIT causes an abort %d\n", retval); + } +#endif + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, + NULL); + return (-1); + } + stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, + stcb->asoc.local_hmacs); + if (op_err) { + sctp_queue_op_err(stcb, op_err); + /* queuing will steal away the mbuf chain to the out queue */ + op_err = NULL; + } + /* extract the cookie and queue it to "echo" it back... */ + stcb->asoc.overall_error_count = 0; + net->error_count = 0; + + /* + * Cancel the INIT timer, We do this first before queueing the + * cookie. We always cancel at the primary to assue that we are + * canceling the timer started by the INIT which always goes to the + * primary. + */ + sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, + asoc->primary_destination); + + retval = sctp_send_cookie_echo(m, offset, stcb, net); + if (retval < 0) { + /* + * No cookie, we probably should send a op error. But in any + * case if there is no cookie in the INIT-ACK, we can + * abandon the peer, its broke. + */ + if (retval == -3) { + /* We abort with an error of missing mandatory param */ + struct mbuf *op_err; + + op_err = + sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); + if (op_err) { + /* + * Expand beyond to include the mandatory + * param cookie + */ + struct sctp_inv_mandatory_param *mp; + + op_err->m_len = + sizeof(struct sctp_inv_mandatory_param); + mp = mtod(op_err, + struct sctp_inv_mandatory_param *); + /* Subtract the reserved param */ + mp->length = + htons(sizeof(struct sctp_inv_mandatory_param) - 2); + mp->num_param = htonl(1); + mp->param = htons(SCTP_STATE_COOKIE); + mp->resv = 0; + } + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, + sh, op_err); + } + return (retval); + } + /* calculate the RTO */ + net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); + + return (0); +} + +static void +sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, + struct sctp_tcb *stcb, struct sctp_nets *net) +{ + struct sockaddr_storage store; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + struct sctp_nets *r_net; + struct timeval tv; + + if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { + /* Invalid length */ + return; + } + sin = (struct sockaddr_in *)&store; + sin6 = (struct sockaddr_in6 *)&store; + + memset(&store, 0, sizeof(store)); + if (cp->heartbeat.hb_info.addr_family == AF_INET && + cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { + sin->sin_family = cp->heartbeat.hb_info.addr_family; + sin->sin_len = cp->heartbeat.hb_info.addr_len; + sin->sin_port = stcb->rport; + memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, + sizeof(sin->sin_addr)); + } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && + cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { + sin6->sin6_family = cp->heartbeat.hb_info.addr_family; + sin6->sin6_len = cp->heartbeat.hb_info.addr_len; + sin6->sin6_port = stcb->rport; + memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, + sizeof(sin6->sin6_addr)); + } else { + return; + } + r_net = sctp_findnet(stcb, (struct sockaddr *)sin); + if (r_net == NULL) { +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Huh? I can't find the address I sent it to, discard\n"); + } +#endif + return; + } + if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && + (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && + (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { + /* + * If the its a HB and it's random value is correct when can + * confirm the destination. + */ + r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; + sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, + stcb, 0, (void *)r_net); + } + r_net->error_count = 0; + r_net->hb_responded = 1; + tv.tv_sec = cp->heartbeat.hb_info.time_value_1; + tv.tv_usec = cp->heartbeat.hb_info.time_value_2; + if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { + r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; + r_net->dest_state |= SCTP_ADDR_REACHABLE; + sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, + SCTP_HEARTBEAT_SUCCESS, (void *)r_net); + /* now was it the primary? if so restore */ + if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { + sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); + } + } + /* Now lets do a RTO with this */ + r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); +} + +static void +sctp_handle_abort(struct sctp_abort_chunk *cp, + struct sctp_tcb *stcb, struct sctp_nets *net) +{ + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_abort: handling ABORT\n"); + } +#endif + if (stcb == NULL) + return; + /* verify that the destination addr is in the association */ + /* ignore abort for addresses being deleted */ + + /* stop any receive timers */ + sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); + /* notify user of the abort and clean up... */ + sctp_abort_notification(stcb, 0); + /* free the tcb */ + SCTP_STAT_INCR_COUNTER32(sctps_aborted); + if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || + (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { + SCTP_STAT_DECR_GAUGE32(sctps_currestab); + } + sctp_free_assoc(stcb->sctp_ep, stcb, 0); +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_abort: finished\n"); + } +#endif +} + +static void +sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, + struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) +{ + struct sctp_association *asoc; + int some_on_streamwheel; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_shutdown: handling SHUTDOWN\n"); + } +#endif + if (stcb == NULL) + return; + + if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || + (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { + return; + } + if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { + /* Shutdown NOT the expected size */ + return; + } else { + sctp_update_acked(stcb, cp, net, abort_flag); + } + asoc = &stcb->asoc; + if (stcb->asoc.control_pdapi) { + /* + * With a normal shutdown we assume the end of last record. + */ + SCTP_INP_READ_LOCK(stcb->sctp_ep); + stcb->asoc.control_pdapi->end_added = 1; + if (stcb->asoc.control_pdapi->tail_mbuf) { + stcb->asoc.control_pdapi->tail_mbuf->m_flags |= M_EOR; + } + stcb->asoc.control_pdapi = NULL; + SCTP_INP_READ_UNLOCK(stcb->sctp_ep); + } + /* goto SHUTDOWN_RECEIVED state to block new requests */ + if (stcb->sctp_socket) { + if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && + (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { + asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; + /* + * notify upper layer that peer has initiated a + * shutdown + */ + sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); + + /* reset time */ + SCTP_GETTIME_TIMEVAL(&asoc->time_entered); + } + } + if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { + /* + * stop the shutdown timer, since we WILL move to + * SHUTDOWN-ACK-SENT. + */ + sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); + } + /* Now are we there yet? */ + some_on_streamwheel = 0; + if (!TAILQ_EMPTY(&asoc->out_wheel)) { + /* Check to see if some data queued */ + struct sctp_stream_out *outs; + + TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { + if (!TAILQ_EMPTY(&outs->outqueue)) { + some_on_streamwheel = 1; + break; + } + } + } + if (!TAILQ_EMPTY(&asoc->send_queue) || + !TAILQ_EMPTY(&asoc->sent_queue) || + some_on_streamwheel) { + /* By returning we will push more data out */ + return; + } else { + /* no outstanding data to send, so move on... */ + /* send SHUTDOWN-ACK */ + sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); + /* move to SHUTDOWN-ACK-SENT state */ + if (asoc->state == SCTP_STATE_SHUTDOWN_RECEIVED) { + SCTP_STAT_DECR_GAUGE32(sctps_currestab); + } + asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; + + /* start SHUTDOWN timer */ + sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, + stcb, net); + } +} + +static void +sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, + struct sctp_tcb *stcb, struct sctp_nets *net) +{ + struct sctp_association *asoc; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); + } +#endif + if (stcb == NULL) + return; + + asoc = &stcb->asoc; + /* process according to association state */ + if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && + (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { + /* unexpected SHUTDOWN-ACK... so ignore... */ + SCTP_TCB_UNLOCK(stcb); + return; + } + if (stcb->asoc.control_pdapi) { + /* + * With a normal shutdown we assume the end of last record. + */ + SCTP_INP_READ_LOCK(stcb->sctp_ep); + stcb->asoc.control_pdapi->end_added = 1; + if (stcb->asoc.control_pdapi->tail_mbuf) { + stcb->asoc.control_pdapi->tail_mbuf->m_flags |= M_EOR; + } + stcb->asoc.control_pdapi = NULL; + SCTP_INP_READ_UNLOCK(stcb->sctp_ep); + } + /* are the queues empty? */ + if (!TAILQ_EMPTY(&asoc->send_queue) || + !TAILQ_EMPTY(&asoc->sent_queue) || + !TAILQ_EMPTY(&asoc->out_wheel)) { + sctp_report_all_outbound(stcb); + } + /* stop the timer */ + sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); + /* send SHUTDOWN-COMPLETE */ + sctp_send_shutdown_complete(stcb, net); + /* notify upper layer protocol */ + if (stcb->sctp_socket) { + sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); + if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { + /* Set the connected flag to disconnected */ + stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; + } + } + SCTP_STAT_INCR_COUNTER32(sctps_shutdown); + /* free the TCB but first save off the ep */ + sctp_free_assoc(stcb->sctp_ep, stcb, 0); +} + +/* + * Skip past the param header and then we will find the chunk that caused the + * problem. There are two possiblities ASCONF or FWD-TSN other than that and + * our peer must be broken. + */ +static void +sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, + struct sctp_nets *net) +{ + struct sctp_chunkhdr *chk; + + chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); + switch (chk->chunk_type) { + case SCTP_ASCONF_ACK: + case SCTP_ASCONF: + sctp_asconf_cleanup(stcb, net); + break; + case SCTP_FORWARD_CUM_TSN: + stcb->asoc.peer_supports_prsctp = 0; + break; + default: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("Peer does not support chunk type %d(%x)??\n", + chk->chunk_type, (uint32_t) chk->chunk_type); + } +#endif + break; + } +} + +/* + * Skip past the param header and then we will find the param that caused the + * problem. There are a number of param's in a ASCONF OR the prsctp param + * these will turn of specific features. + */ +static void +sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) +{ + struct sctp_paramhdr *pbad; + + pbad = phdr + 1; + switch (ntohs(pbad->param_type)) { + /* pr-sctp draft */ + case SCTP_PRSCTP_SUPPORTED: + stcb->asoc.peer_supports_prsctp = 0; + break; + case SCTP_SUPPORTED_CHUNK_EXT: + break; + /* draft-ietf-tsvwg-addip-sctp */ + case SCTP_ECN_NONCE_SUPPORTED: + stcb->asoc.peer_supports_ecn_nonce = 0; + stcb->asoc.ecn_nonce_allowed = 0; + stcb->asoc.ecn_allowed = 0; + break; + case SCTP_ADD_IP_ADDRESS: + case SCTP_DEL_IP_ADDRESS: + case SCTP_SET_PRIM_ADDR: + stcb->asoc.peer_supports_asconf = 0; + break; + case SCTP_SUCCESS_REPORT: + case SCTP_ERROR_CAUSE_IND: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("Huh, the peer does not support success? or error cause?\n"); + printf("Turning off ASCONF to this strange peer\n"); + } +#endif + stcb->asoc.peer_supports_asconf = 0; + break; + default: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("Peer does not support param type %d(%x)??\n", + pbad->param_type, (uint32_t) pbad->param_type); + } +#endif + break; + } +} + +static int +sctp_handle_error(struct sctp_chunkhdr *ch, + struct sctp_tcb *stcb, struct sctp_nets *net) +{ + int chklen; + struct sctp_paramhdr *phdr; + uint16_t error_type; + uint16_t error_len; + struct sctp_association *asoc; + + int adjust; + + /* parse through all of the errors and process */ + asoc = &stcb->asoc; + phdr = (struct sctp_paramhdr *)((caddr_t)ch + + sizeof(struct sctp_chunkhdr)); + chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); + while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { + /* Process an Error Cause */ + error_type = ntohs(phdr->param_type); + error_len = ntohs(phdr->param_length); + if ((error_len > chklen) || (error_len == 0)) { + /* invalid param length for this param */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Bogus length in error param- chunk left:%d errorlen:%d\n", + chklen, error_len); + } +#endif /* SCTP_DEBUG */ + return (0); + } + switch (error_type) { + case SCTP_CAUSE_INVALID_STREAM: + case SCTP_CAUSE_MISSING_PARAM: + case SCTP_CAUSE_INVALID_PARAM: + case SCTP_CAUSE_NO_USER_DATA: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", + error_type); + } +#endif + break; + case SCTP_CAUSE_STALE_COOKIE: + /* + * We only act if we have echoed a cookie and are + * waiting. + */ + if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { + int *p; + + p = (int *)((caddr_t)phdr + sizeof(*phdr)); + /* Save the time doubled */ + asoc->cookie_preserve_req = ntohl(*p) << 1; + asoc->stale_cookie_count++; + if (asoc->stale_cookie_count > + asoc->max_init_times) { + sctp_abort_notification(stcb, 0); + /* now free the asoc */ + sctp_free_assoc(stcb->sctp_ep, stcb, 0); + return (-1); + } + /* blast back to INIT state */ + asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; + asoc->state |= SCTP_STATE_COOKIE_WAIT; + + sctp_stop_all_cookie_timers(stcb); + sctp_send_initiate(stcb->sctp_ep, stcb); + } + break; + case SCTP_CAUSE_UNRESOLVABLE_ADDR: + /* + * Nothing we can do here, we don't do hostname + * addresses so if the peer does not like my IPv6 + * (or IPv4 for that matter) it does not matter. If + * they don't support that type of address, they can + * NOT possibly get that packet type... i.e. with no + * IPv6 you can't recieve a IPv6 packet. so we can + * safely ignore this one. If we ever added support + * for HOSTNAME Addresses, then we would need to do + * something here. + */ + break; + case SCTP_CAUSE_UNRECOG_CHUNK: + sctp_process_unrecog_chunk(stcb, phdr, net); + break; + case SCTP_CAUSE_UNRECOG_PARAM: + sctp_process_unrecog_param(stcb, phdr); + break; + case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: + /* + * We ignore this since the timer will drive out a + * new cookie anyway and there timer will drive us + * to send a SHUTDOWN_COMPLETE. We can't send one + * here since we don't have their tag. + */ + break; + case SCTP_CAUSE_DELETING_LAST_ADDR: + case SCTP_CAUSE_RESOURCE_SHORTAGE: + case SCTP_CAUSE_DELETING_SRC_ADDR: + /* + * We should NOT get these here, but in a + * ASCONF-ACK. n + */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", + error_type); + } +#endif + break; + case SCTP_CAUSE_OUT_OF_RESC: + /* + * And what, pray tell do we do with the fact that + * the peer is out of resources? Not really sure we + * could do anything but abort. I suspect this n * + * should have came WITH an abort instead of in a + * OP-ERROR. + */ + break; + default: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + /* don't know what this error cause is... */ + printf("sctp_handle_error: unknown error type = 0x%xh\n", + error_type); + } +#endif /* SCTP_DEBUG */ + break; + } + adjust = SCTP_SIZE32(error_len); + chklen -= adjust; + phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); + } + return (0); +} + +static int +sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, + struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, + struct sctp_nets *net) +{ + struct sctp_init_ack *init_ack; + int *state; + struct mbuf *op_err; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_init_ack: handling INIT-ACK\n"); + } +#endif + if (stcb == NULL) { +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_init_ack: TCB is null\n"); + } +#endif + return (-1); + } + if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { + /* Invalid length */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, + op_err); + return (-1); + } + init_ack = &cp->init; + /* validate parameters */ + if (init_ack->initiate_tag == 0) { + /* protocol error... send an abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, + op_err); + return (-1); + } + if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { + /* protocol error... send an abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, + op_err); + return (-1); + } + if (init_ack->num_inbound_streams == 0) { + /* protocol error... send an abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, + op_err); + return (-1); + } + if (init_ack->num_outbound_streams == 0) { + /* protocol error... send an abort */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); + sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, + op_err); + return (-1); + } + /* process according to association state... */ + state = &stcb->asoc.state; + switch (*state & SCTP_STATE_MASK) { + case SCTP_STATE_COOKIE_WAIT: + /* this is the expected state for this chunk */ + /* process the INIT-ACK parameters */ + if (stcb->asoc.primary_destination->dest_state & + SCTP_ADDR_UNCONFIRMED) { + /* + * The primary is where we sent the INIT, we can + * always consider it confirmed when the INIT-ACK is + * returned. Do this before we load addresses + * though. + */ + stcb->asoc.primary_destination->dest_state &= + ~SCTP_ADDR_UNCONFIRMED; + sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, + stcb, 0, (void *)stcb->asoc.primary_destination); + } + if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net + ) < 0) { + /* error in parsing parameters */ + return (-1); + } + /* update our state */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("moving to COOKIE-ECHOED state\n"); + } +#endif + if (*state & SCTP_STATE_SHUTDOWN_PENDING) { + *state = SCTP_STATE_COOKIE_ECHOED | + SCTP_STATE_SHUTDOWN_PENDING; + } else { + *state = SCTP_STATE_COOKIE_ECHOED; + } + + /* reset the RTO calc */ + stcb->asoc.overall_error_count = 0; + SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); + /* + * collapse the init timer back in case of a exponential + * backoff n + */ + sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, + stcb, net); + /* + * the send at the end of the inbound data processing will + * cause the cookie to be sent + */ + break; + case SCTP_STATE_SHUTDOWN_SENT: + /* incorrect state... discard */ + break; + case SCTP_STATE_COOKIE_ECHOED: + /* incorrect state... discard */ + break; + case SCTP_STATE_OPEN: + /* incorrect state... discard */ + break; + case SCTP_STATE_EMPTY: + case SCTP_STATE_INUSE: + default: + /* incorrect state... discard */ + return (-1); + break; + } /* end switch asoc state */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Leaving handle-init-ack end\n"); + } +#endif + return (0); +} + + +/* + * handle a state cookie for an existing association m: input packet mbuf + * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a + * "split" mbuf and the cookie signature does not exist offset: offset into + * mbuf to the cookie-echo chunk + */ +static struct sctp_tcb * +sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, + struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, + struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, + struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) +{ + struct sctp_association *asoc; + struct sctp_init_chunk *init_cp, init_buf; + struct sctp_init_ack_chunk *initack_cp, initack_buf; + int chk_length; + int init_offset, initack_offset; + int retval; + + /* I know that the TCB is non-NULL from the caller */ + asoc = &stcb->asoc; + + if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { + /* SHUTDOWN came in after sending INIT-ACK */ + struct mbuf *op_err; + struct sctp_paramhdr *ph; + + sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); + op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), + 1, M_DONTWAIT, 1, MT_DATA); + if (op_err == NULL) { + /* FOOBAR */ + return (NULL); + } + /* pre-reserve some space */ + op_err->m_data += sizeof(struct ip6_hdr); + op_err->m_data += sizeof(struct sctphdr); + op_err->m_data += sizeof(struct sctp_chunkhdr); + /* Set the len */ + op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); + ph = mtod(op_err, struct sctp_paramhdr *); + ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); + ph->param_length = htons(sizeof(struct sctp_paramhdr)); + sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); + return (NULL); + } + /* + * find and validate the INIT chunk in the cookie (peer's info) the + * INIT should start after the cookie-echo header struct (chunk + * header, state cookie header struct) + */ + init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); + + init_cp = (struct sctp_init_chunk *) + sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), + (uint8_t *) & init_buf); + if (init_cp == NULL) { + /* could not pull a INIT chunk in cookie */ + return (NULL); + } + chk_length = ntohs(init_cp->ch.chunk_length); + if (init_cp->ch.chunk_type != SCTP_INITIATION) { + return (NULL); + } + /* + * find and validate the INIT-ACK chunk in the cookie (my info) the + * INIT-ACK follows the INIT chunk + */ + initack_offset = init_offset + SCTP_SIZE32(chk_length); + initack_cp = (struct sctp_init_ack_chunk *) + sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), + (uint8_t *) & initack_buf); + if (initack_cp == NULL) { + /* could not pull INIT-ACK chunk in cookie */ + return (NULL); + } + chk_length = ntohs(initack_cp->ch.chunk_length); + if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { + return (NULL); + } + if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && + (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { + /* + * case D in Section 5.2.4 Table 2: MMAA process accordingly + * to get into the OPEN state + */ + switch SCTP_GET_STATE + (asoc) { + case SCTP_STATE_COOKIE_WAIT: + /* + * INIT was sent, but got got a COOKIE_ECHO with the + * correct tags... just accept it... + */ + /* First we must process the INIT !! */ + retval = sctp_process_init(init_cp, stcb, net); + if (retval < 0) { + return (NULL); + } + /* intentional fall through to below... */ + + case SCTP_STATE_COOKIE_ECHOED: + /* Duplicate INIT case */ + /* we have already processed the INIT so no problem */ + sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, + net); + sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); + sctp_stop_all_cookie_timers(stcb); + /* update current state */ + if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { + asoc->state = SCTP_STATE_OPEN | + SCTP_STATE_SHUTDOWN_PENDING; + sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, + stcb->sctp_ep, stcb, asoc->primary_destination); + + } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { + /* if ok, move to OPEN state */ + asoc->state = SCTP_STATE_OPEN; + } + if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && + (inp->sctp_socket->so_qlimit == 0) + ) { + /* + * Here is where collision would go if we + * did a connect() and instead got a + * init/init-ack/cookie done before the + * init-ack came back.. + */ + stcb->sctp_ep->sctp_flags |= + SCTP_PCB_FLAGS_CONNECTED; + soisconnected(stcb->sctp_ep->sctp_socket); + } + /* notify upper layer */ + *notification = SCTP_NOTIFY_ASSOC_UP; + /* + * since we did not send a HB make sure we don't + * double things + */ + net->hb_responded = 1; + + if (stcb->asoc.sctp_autoclose_ticks && + (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { + sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, + inp, stcb, NULL); + } + break; + default: + /* + * we're in the OPEN state (or beyond), so peer must + * have simply lost the COOKIE-ACK + */ + break; + } /* end switch */ + + /* + * We ignore the return code here.. not sure if we should + * somehow abort.. but we do have an existing asoc. This + * really should not fail. + */ + if (sctp_load_addresses_from_init(stcb, m, iphlen, + init_offset + sizeof(struct sctp_init_chunk), + initack_offset, sh, init_src)) { + return (NULL); + } + /* respond with a COOKIE-ACK */ + sctp_send_cookie_ack(stcb); + return (stcb); + } /* end if */ + if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && + ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && + cookie->tie_tag_my_vtag == 0 && + cookie->tie_tag_peer_vtag == 0) { + /* + * case C in Section 5.2.4 Table 2: XMOO silently discard + */ + return (NULL); + } + if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && + (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || + init_cp->init.initiate_tag == 0)) { + /* + * case B in Section 5.2.4 Table 2: MXAA or MOAA my info + * should be ok, re-accept peer info + */ + sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); + sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); + sctp_stop_all_cookie_timers(stcb); + /* + * since we did not send a HB make sure we don't double + * things + */ + net->hb_responded = 1; + if (stcb->asoc.sctp_autoclose_ticks && + sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { + sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, + NULL); + } + asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); + asoc->pre_open_streams = + ntohs(initack_cp->init.num_outbound_streams); + asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); + asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = + asoc->init_seq_number; + asoc->last_cwr_tsn = asoc->init_seq_number - 1; + asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; + asoc->str_reset_seq_in = asoc->init_seq_number; + asoc->advanced_peer_ack_point = asoc->last_acked_seq; + + /* process the INIT info (peer's info) */ + retval = sctp_process_init(init_cp, stcb, net); + if (retval < 0) { + return (NULL); + } + if (sctp_load_addresses_from_init(stcb, m, iphlen, + init_offset + sizeof(struct sctp_init_chunk), + initack_offset, sh, init_src)) { + return (NULL); + } + if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || + (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { + *notification = SCTP_NOTIFY_ASSOC_UP; + + if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && + (inp->sctp_socket->so_qlimit == 0)) { + stcb->sctp_ep->sctp_flags |= + SCTP_PCB_FLAGS_CONNECTED; + soisconnected(stcb->sctp_ep->sctp_socket); + } + } + if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { + asoc->state = SCTP_STATE_OPEN | + SCTP_STATE_SHUTDOWN_PENDING; + sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, + stcb->sctp_ep, stcb, asoc->primary_destination); + + } else { + asoc->state = SCTP_STATE_OPEN; + } + sctp_stop_all_cookie_timers(stcb); + sctp_send_cookie_ack(stcb); + return (stcb); + } + if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && + ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && + cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && + cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && + cookie->tie_tag_peer_vtag != 0) { + struct sctpasochead *head; + + /* + * case A in Section 5.2.4 Table 2: XXMM (peer restarted) + */ + sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); + sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); + *sac_assoc_id = sctp_get_associd(stcb); + /* notify upper layer */ + *notification = SCTP_NOTIFY_ASSOC_RESTART; + + + /* send up all the data */ + sctp_report_all_outbound(stcb); + + /* process the INIT-ACK info (my info) */ + asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); + asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); + + /* pull from vtag hash */ + LIST_REMOVE(stcb, sctp_asocs); + /* re-insert to new vtag position */ + head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, + sctppcbinfo.hashasocmark)]; + /* + * put it in the bucket in the vtag hash of assoc's for the + * system + */ + LIST_INSERT_HEAD(head, stcb, sctp_asocs); + + /* Is this the first restart? */ + if (stcb->asoc.in_restart_hash == 0) { + /* Ok add it to assoc_id vtag hash */ + head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, + sctppcbinfo.hashrestartmark)]; + LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); + stcb->asoc.in_restart_hash = 1; + } + asoc->pre_open_streams = + ntohs(initack_cp->init.num_outbound_streams); + asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); + asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; + + asoc->last_cwr_tsn = asoc->init_seq_number - 1; + asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; + + asoc->str_reset_seq_in = asoc->init_seq_number; + + asoc->advanced_peer_ack_point = asoc->last_acked_seq; + if (asoc->mapping_array) + memset(asoc->mapping_array, 0, + asoc->mapping_array_size); + /* process the INIT info (peer's info) */ + retval = sctp_process_init(init_cp, stcb, net); + if (retval < 0) { + return (NULL); + } + /* + * since we did not send a HB make sure we don't double + * things + */ + net->hb_responded = 1; + + if (sctp_load_addresses_from_init(stcb, m, iphlen, + init_offset + sizeof(struct sctp_init_chunk), + initack_offset, sh, init_src)) { + return (NULL); + } + if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { + asoc->state = SCTP_STATE_OPEN | + SCTP_STATE_SHUTDOWN_PENDING; + sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, + stcb->sctp_ep, stcb, asoc->primary_destination); + + } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { + /* move to OPEN state, if not in SHUTDOWN_SENT */ + asoc->state = SCTP_STATE_OPEN; + } + /* respond with a COOKIE-ACK */ + sctp_stop_all_cookie_timers(stcb); + sctp_send_cookie_ack(stcb); + + return (stcb); + } + /* if we are not a restart we need the assoc_id field pop'd */ + asoc->assoc_id = ntohl(initack_cp->init.initiate_tag); + + /* all other cases... */ + return (NULL); +} + +/* + * handle a state cookie for a new association m: input packet mbuf chain-- + * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf + * and the cookie signature does not exist offset: offset into mbuf to the + * cookie-echo chunk length: length of the cookie chunk to: where the init + * was from returns a new TCB + */ +static struct sctp_tcb * +sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, + struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, + struct sctp_inpcb *inp, struct sctp_nets **netp, + struct sockaddr *init_src, int *notification, + int auth_skipped, uint32_t auth_offset, uint32_t auth_len) +{ + struct sctp_tcb *stcb; + struct sctp_init_chunk *init_cp, init_buf; + struct sctp_init_ack_chunk *initack_cp, initack_buf; + struct sockaddr_storage sa_store; + struct sockaddr *initack_src = (struct sockaddr *)&sa_store; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + struct sctp_association *asoc; + int chk_length; + int init_offset, initack_offset, initack_limit; + int retval; + int error = 0; + uint32_t old_tag; + uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; + + /* + * find and validate the INIT chunk in the cookie (peer's info) the + * INIT should start after the cookie-echo header struct (chunk + * header, state cookie header struct) + */ + init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); + init_cp = (struct sctp_init_chunk *) + sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), + (uint8_t *) & init_buf); + if (init_cp == NULL) { + /* could not pull a INIT chunk in cookie */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("process_cookie_new: could not pull INIT chunk hdr\n"); + } +#endif /* SCTP_DEBUG */ + return (NULL); + } + chk_length = ntohs(init_cp->ch.chunk_length); + if (init_cp->ch.chunk_type != SCTP_INITIATION) { +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("HUH? process_cookie_new: could not find INIT chunk!\n"); + } +#endif /* SCTP_DEBUG */ + return (NULL); + } + initack_offset = init_offset + SCTP_SIZE32(chk_length); + /* + * find and validate the INIT-ACK chunk in the cookie (my info) the + * INIT-ACK follows the INIT chunk + */ + initack_cp = (struct sctp_init_ack_chunk *) + sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), + (uint8_t *) & initack_buf); + if (initack_cp == NULL) { + /* could not pull INIT-ACK chunk in cookie */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); + } +#endif /* SCTP_DEBUG */ + return (NULL); + } + chk_length = ntohs(initack_cp->ch.chunk_length); + if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { + return (NULL); + } + /* + * NOTE: We can't use the INIT_ACK's chk_length to determine the + * "initack_limit" value. This is because the chk_length field + * includes the length of the cookie, but the cookie is omitted when + * the INIT and INIT_ACK are tacked onto the cookie... + */ + initack_limit = offset + cookie_len; + + /* + * now that we know the INIT/INIT-ACK are in place, create a new TCB + * and popluate + */ + stcb = sctp_aloc_assoc(inp, init_src, 0, &error, + ntohl(initack_cp->init.initiate_tag)); + if (stcb == NULL) { + struct mbuf *op_err; + + /* memory problem? */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("process_cookie_new: no room for another TCB!\n"); + } +#endif /* SCTP_DEBUG */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); + sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, + sh, op_err); + return (NULL); + } + /* get the correct sctp_nets */ + *netp = sctp_findnet(stcb, init_src); + asoc = &stcb->asoc; + /* get scope variables out of cookie */ + asoc->ipv4_local_scope = cookie->ipv4_scope; + asoc->site_scope = cookie->site_scope; + asoc->local_scope = cookie->local_scope; + asoc->loopback_scope = cookie->loopback_scope; + + if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || + (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { + struct mbuf *op_err; + + /* + * Houston we have a problem. The EP changed while the + * cookie was in flight. Only recourse is to abort the + * association. + */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); + sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, + sh, op_err); + return (NULL); + } + /* process the INIT-ACK info (my info) */ + old_tag = asoc->my_vtag; + asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); + asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); + asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); + asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); + asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; + asoc->last_cwr_tsn = asoc->init_seq_number - 1; + asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; + asoc->str_reset_seq_in = asoc->init_seq_number; + + asoc->advanced_peer_ack_point = asoc->last_acked_seq; + + /* process the INIT info (peer's info) */ + retval = sctp_process_init(init_cp, stcb, *netp); + if (retval < 0) { + sctp_free_assoc(inp, stcb, 0); + return (NULL); + } + /* load all addresses */ + if (sctp_load_addresses_from_init(stcb, m, iphlen, + init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, + init_src)) { + sctp_free_assoc(inp, stcb, 0); + return (NULL); + } + /* + * verify any preceding AUTH chunk that was skipped + */ + /* pull the local authentication parameters from the cookie/init-ack */ + sctp_auth_get_cookie_params(stcb, m, + initack_offset + sizeof(struct sctp_init_ack_chunk), + initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); + if (auth_skipped) { + struct sctp_auth_chunk *auth; + + auth = (struct sctp_auth_chunk *) + sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); + if (sctp_handle_auth(stcb, auth, m, auth_offset)) { + /* auth HMAC failed, dump the assoc and packet */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_AUTH1) + printf("COOKIE-ECHO: AUTH failed\n"); +#endif /* SCTP_DEBUG */ + sctp_free_assoc(inp, stcb, 0); + return (NULL); + } else { + /* remaining chunks checked... good to go */ + stcb->asoc.authenticated = 1; + } + } + /* update current state */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("moving to OPEN state\n"); + } +#endif + if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { + asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; + sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, + stcb->sctp_ep, stcb, asoc->primary_destination); + } else { + asoc->state = SCTP_STATE_OPEN; + } + SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); + SCTP_STAT_INCR_GAUGE32(sctps_currestab); + sctp_stop_all_cookie_timers(stcb); + /* calculate the RTT */ + (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, + &cookie->time_entered); + + /* + * if we're doing ASCONFs, check to see if we have any new local + * addresses that need to get added to the peer (eg. addresses + * changed while cookie echo in flight). This needs to be done + * after we go to the OPEN state to do the correct asconf + * processing. else, make sure we have the correct addresses in our + * lists + */ + + /* warning, we re-use sin, sin6, sa_store here! */ + /* pull in local_address (our "from" address) */ + if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { + /* source addr is IPv4 */ + sin = (struct sockaddr_in *)initack_src; + memset(sin, 0, sizeof(*sin)); + sin->sin_family = AF_INET; + sin->sin_len = sizeof(struct sockaddr_in); + sin->sin_addr.s_addr = cookie->laddress[0]; + } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { + /* source addr is IPv6 */ + sin6 = (struct sockaddr_in6 *)initack_src; + memset(sin6, 0, sizeof(*sin6)); + sin6->sin6_family = AF_INET6; + sin6->sin6_len = sizeof(struct sockaddr_in6); + sin6->sin6_scope_id = cookie->scope_id; + memcpy(&sin6->sin6_addr, cookie->laddress, + sizeof(sin6->sin6_addr)); + } else { + sctp_free_assoc(inp, stcb, 0); + return (NULL); + } + + sctp_check_address_list(stcb, m, + initack_offset + sizeof(struct sctp_init_ack_chunk), + initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), + initack_src, cookie->local_scope, cookie->site_scope, + cookie->ipv4_scope, cookie->loopback_scope); + + + /* set up to notify upper layer */ + *notification = SCTP_NOTIFY_ASSOC_UP; + if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && + (inp->sctp_socket->so_qlimit == 0)) { + /* + * This is an endpoint that called connect() how it got a + * cookie that is NEW is a bit of a mystery. It must be that + * the INIT was sent, but before it got there.. a complete + * INIT/INIT-ACK/COOKIE arrived. But of course then it + * should have went to the other code.. not here.. oh well.. + * a bit of protection is worth having.. + */ + stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; + soisconnected(stcb->sctp_ep->sctp_socket); + } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && + (inp->sctp_socket->so_qlimit)) { + /* + * We don't want to do anything with this one. Since it is + * the listening guy. The timer will get started for + * accepted connections in the caller. + */ + ; + } + /* since we did not send a HB make sure we don't double things */ + (*netp)->hb_responded = 1; + + if (stcb->asoc.sctp_autoclose_ticks && + sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { + sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); + } + /* respond with a COOKIE-ACK */ + sctp_send_cookie_ack(stcb); + return (stcb); +} + + +/* + * handles a COOKIE-ECHO message stcb: modified to either a new or left as + * existing (non-NULL) TCB + */ +static struct mbuf * +sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, + struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, + struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, + int auth_skipped, uint32_t auth_offset, uint32_t auth_len) +{ + struct sctp_state_cookie *cookie; + struct sockaddr_in6 sin6; + struct sockaddr_in sin; + struct sctp_tcb *l_stcb = *stcb; + struct sctp_inpcb *l_inp; + struct sockaddr *to; + sctp_assoc_t sac_restart_id; + struct sctp_pcb *ep; + struct mbuf *m_sig; + uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; + uint8_t *sig; + uint8_t cookie_ok = 0; + unsigned int size_of_pkt, sig_offset, cookie_offset; + unsigned int cookie_len; + struct timeval now; + struct timeval time_expires; + struct sockaddr_storage dest_store; + struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; + struct ip *iph; + int notification = 0; + struct sctp_nets *netl; + int had_a_existing_tcb = 0; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); + } +#endif + + if (inp_p == NULL) { + return (NULL); + } + /* First get the destination address setup too. */ + iph = mtod(m, struct ip *); + if (iph->ip_v == IPVERSION) { + /* its IPv4 */ + struct sockaddr_in *sin; + + sin = (struct sockaddr_in *)(localep_sa); + memset(sin, 0, sizeof(*sin)); + sin->sin_family = AF_INET; + sin->sin_len = sizeof(*sin); + sin->sin_port = sh->dest_port; + sin->sin_addr.s_addr = iph->ip_dst.s_addr; + } else if (iph->ip_v == (IPV6_VERSION >> 4)) { + /* its IPv6 */ + struct ip6_hdr *ip6; + struct sockaddr_in6 *sin6; + + sin6 = (struct sockaddr_in6 *)(localep_sa); + memset(sin6, 0, sizeof(*sin6)); + sin6->sin6_family = AF_INET6; + sin6->sin6_len = sizeof(struct sockaddr_in6); + ip6 = mtod(m, struct ip6_hdr *); + sin6->sin6_port = sh->dest_port; + sin6->sin6_addr = ip6->ip6_dst; + } else { + return (NULL); + } + + cookie = &cp->cookie; + cookie_offset = offset + sizeof(struct sctp_chunkhdr); + cookie_len = ntohs(cp->ch.chunk_length); + + if ((cookie->peerport != sh->src_port) && + (cookie->myport != sh->dest_port) && + (cookie->my_vtag != sh->v_tag)) { + /* + * invalid ports or bad tag. Note that we always leave the + * v_tag in the header in network order and when we stored + * it in the my_vtag slot we also left it in network order. + * This maintians the match even though it may be in the + * opposite byte order of the machine :-> + */ + return (NULL); + } + /* compute size of packet */ + if (m->m_flags & M_PKTHDR) { + size_of_pkt = m->m_pkthdr.len; + } else { + /* Should have a pkt hdr really */ + struct mbuf *mat; + + mat = m; + size_of_pkt = 0; + while (mat != NULL) { + size_of_pkt += mat->m_len; + mat = mat->m_next; + } + } + if (cookie_len > size_of_pkt || + cookie_len < sizeof(struct sctp_cookie_echo_chunk) + + sizeof(struct sctp_init_chunk) + + sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { + /* cookie too long! or too small */ + return (NULL); + } + /* + * split off the signature into its own mbuf (since it should not be + * calculated in the sctp_hmac_m() call). + */ + sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; + if (sig_offset > size_of_pkt) { + /* packet not correct size! */ + /* XXX this may already be accounted for earlier... */ + return (NULL); + } + m_sig = m_split(m, sig_offset, M_DONTWAIT); + if (m_sig == NULL) { + /* out of memory or ?? */ + return (NULL); + } + /* + * compute the signature/digest for the cookie + */ + ep = &(*inp_p)->sctp_ep; + l_inp = *inp_p; + if (l_stcb) { + SCTP_TCB_UNLOCK(l_stcb); + } + SCTP_INP_RLOCK(l_inp); + if (l_stcb) { + SCTP_TCB_LOCK(l_stcb); + } + /* which cookie is it? */ + if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && + (ep->current_secret_number != ep->last_secret_number)) { + /* it's the old cookie */ + sctp_hmac_m(SCTP_HMAC, + (uint8_t *) ep->secret_key[(int)ep->last_secret_number], + SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); + } else { + /* it's the current cookie */ + sctp_hmac_m(SCTP_HMAC, + (uint8_t *) ep->secret_key[(int)ep->current_secret_number], + SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); + } + /* get the signature */ + SCTP_INP_RUNLOCK(l_inp); + sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); + if (sig == NULL) { + /* couldn't find signature */ + return (NULL); + } + /* compare the received digest with the computed digest */ + if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { + /* try the old cookie? */ + if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && + (ep->current_secret_number != ep->last_secret_number)) { + /* compute digest with old */ + sctp_hmac_m(SCTP_HMAC, + (uint8_t *) ep->secret_key[(int)ep->last_secret_number], + SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); + /* compare */ + if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) + cookie_ok = 1; + } + } else { + cookie_ok = 1; + } + + /* + * Now before we continue we must reconstruct our mbuf so that + * normal processing of any other chunks will work. + */ + { + struct mbuf *m_at; + + m_at = m; + while (m_at->m_next != NULL) { + m_at = m_at->m_next; + } + m_at->m_next = m_sig; + if (m->m_flags & M_PKTHDR) { + /* + * We should only do this if and only if the front + * mbuf has a m_pkthdr... it should in theory. + */ + if (m_sig->m_flags & M_PKTHDR) { + /* Add back to the pkt hdr of main m chain */ + m->m_pkthdr.len += m_sig->m_pkthdr.len; + } else { + /* + * Got a problem, no pkthdr in split chain. + * TSNH but we will handle it just in case + */ + int mmlen = 0; + struct mbuf *lat; + + printf("Warning: Hitting m_split join TSNH code - fixed\n"); + lat = m_sig; + while (lat) { + mmlen += lat->m_len; + lat = lat->m_next; + } + m->m_pkthdr.len += mmlen; + } + } + } + + if (cookie_ok == 0) { +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("handle_cookie_echo: cookie signature validation failed!\n"); + printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", + (uint32_t) offset, cookie_offset, sig_offset); + } +#endif + return (NULL); + } + /* + * check the cookie timestamps to be sure it's not stale + */ + SCTP_GETTIME_TIMEVAL(&now); + /* Expire time is in Ticks, so we convert to seconds */ + time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; + time_expires.tv_usec = cookie->time_entered.tv_usec; + if (timevalcmp(&now, &time_expires, >)) { + /* cookie is stale! */ + struct mbuf *op_err; + struct sctp_stale_cookie_msg *scm; + uint32_t tim; + + op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), + 1, M_DONTWAIT, 1, MT_DATA); + if (op_err == NULL) { + /* FOOBAR */ + return (NULL); + } + /* pre-reserve some space */ + op_err->m_data += sizeof(struct ip6_hdr); + op_err->m_data += sizeof(struct sctphdr); + op_err->m_data += sizeof(struct sctp_chunkhdr); + + /* Set the len */ + op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); + scm = mtod(op_err, struct sctp_stale_cookie_msg *); + scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); + scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + + (sizeof(uint32_t)))); + /* seconds to usec */ + tim = (now.tv_sec - time_expires.tv_sec) * 1000000; + /* add in usec */ + if (tim == 0) + tim = now.tv_usec - cookie->time_entered.tv_usec; + scm->time_usec = htonl(tim); + sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); + return (NULL); + } + /* + * Now we must see with the lookup address if we have an existing + * asoc. This will only happen if we were in the COOKIE-WAIT state + * and a INIT collided with us and somewhere the peer sent the + * cookie on another address besides the single address our assoc + * had for him. In this case we will have one of the tie-tags set at + * least AND the address field in the cookie can be used to look it + * up. + */ + to = NULL; + if (cookie->addr_type == SCTP_IPV6_ADDRESS) { + memset(&sin6, 0, sizeof(sin6)); + sin6.sin6_family = AF_INET6; + sin6.sin6_len = sizeof(sin6); + sin6.sin6_port = sh->src_port; + sin6.sin6_scope_id = cookie->scope_id; + memcpy(&sin6.sin6_addr.s6_addr, cookie->address, + sizeof(sin6.sin6_addr.s6_addr)); + to = (struct sockaddr *)&sin6; + } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { + memset(&sin, 0, sizeof(sin)); + sin.sin_family = AF_INET; + sin.sin_len = sizeof(sin); + sin.sin_port = sh->src_port; + sin.sin_addr.s_addr = cookie->address[0]; + to = (struct sockaddr *)&sin; + } + if ((*stcb == NULL) && to) { + /* Yep, lets check */ + *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); + if (*stcb == NULL) { + /* + * We should have only got back the same inp. If we + * got back a different ep we have a problem. The + * original findep got back l_inp and now + */ + if (l_inp != *inp_p) { + printf("Bad problem find_ep got a diff inp then special_locate?\n"); + } + } + } + cookie_len -= SCTP_SIGNATURE_SIZE; + if (*stcb == NULL) { + /* this is the "normal" case... get a new TCB */ + *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, + cookie_len, *inp_p, netp, to, ¬ification, + auth_skipped, auth_offset, auth_len); + } else { + /* this is abnormal... cookie-echo on existing TCB */ + had_a_existing_tcb = 1; + *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, + cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, + &sac_restart_id); + } + + if (*stcb == NULL) { + /* still no TCB... must be bad cookie-echo */ + return (NULL); + } + /* + * Ok, we built an association so confirm the address we sent the + * INIT-ACK to. + */ + netl = sctp_findnet(*stcb, to); + /* + * This code should in theory NOT run but + */ + if (netl == NULL) { + /* TSNH! Huh, why do I need to add this address here? */ + int ret; + + ret = sctp_add_remote_addr(*stcb, to, 0, 100); + netl = sctp_findnet(*stcb, to); + } + if (netl) { + if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { + netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; + sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, + netl); + sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, + (*stcb), 0, (void *)netl); + } + } + if (*stcb) { + sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, + *stcb, NULL); + } + if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { + if (!had_a_existing_tcb || + (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { + /* + * If we have a NEW cookie or the connect never + * reached the connected state during collision we + * must do the TCP accept thing. + */ + struct socket *so, *oso; + struct sctp_inpcb *inp; + + if (notification == SCTP_NOTIFY_ASSOC_RESTART) { + /* + * For a restart we will keep the same + * socket, no need to do anything. I THINK!! + */ + sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); + return (m); + } + oso = (*inp_p)->sctp_socket; + /* + * We do this to keep the sockets side happy durin + * the sonewcon ONLY. + */ + NET_LOCK_GIANT(); + SCTP_TCB_UNLOCK((*stcb)); + so = sonewconn(oso, SS_ISCONNECTED + ); + NET_UNLOCK_GIANT(); + SCTP_INP_WLOCK((*stcb)->sctp_ep); + SCTP_TCB_LOCK((*stcb)); + SCTP_INP_WUNLOCK((*stcb)->sctp_ep); + if (so == NULL) { + struct mbuf *op_err; + + /* Too many sockets */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("process_cookie_new: no room for another socket!\n"); + } +#endif /* SCTP_DEBUG */ + op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); + sctp_abort_association(*inp_p, NULL, m, iphlen, + sh, op_err); + sctp_free_assoc(*inp_p, *stcb, 0); + return (NULL); + } + inp = (struct sctp_inpcb *)so->so_pcb; + inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | + SCTP_PCB_FLAGS_CONNECTED | + SCTP_PCB_FLAGS_IN_TCPPOOL | + (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | + SCTP_PCB_FLAGS_DONT_WAKE); + inp->sctp_features = (*inp_p)->sctp_features; + inp->sctp_socket = so; + inp->sctp_frag_point = (*inp_p)->sctp_frag_point; + inp->partial_delivery_point = (*inp_p)->partial_delivery_point; + inp->sctp_context = (*inp_p)->sctp_context; + inp->inp_starting_point_for_iterator = NULL; + /* + * copy in the authentication parameters from the + * original endpoint + */ + if (inp->sctp_ep.local_hmacs) + sctp_free_hmaclist(inp->sctp_ep.local_hmacs); + inp->sctp_ep.local_hmacs = + sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); + if (inp->sctp_ep.local_auth_chunks) + sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); + inp->sctp_ep.local_auth_chunks = + sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); + (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, + &inp->sctp_ep.shared_keys); + + /* + * Now we must move it from one hash table to + * another and get the tcb in the right place. + */ + sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); + + sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); + + /* Switch over to the new guy */ + *inp_p = inp; + + sctp_ulp_notify(notification, *stcb, 0, NULL); + return (m); + } + } + if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { + sctp_ulp_notify(notification, *stcb, 0, NULL); + } + return (m); +} + +static void +sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, + struct sctp_tcb *stcb, struct sctp_nets *net) +{ + /* cp must not be used, others call this without a c-ack :-) */ + struct sctp_association *asoc; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); + } +#endif + if (stcb == NULL) + return; + + asoc = &stcb->asoc; + + sctp_stop_all_cookie_timers(stcb); + /* process according to association state */ + if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { + /* state change only needed when I am in right state */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("moving to OPEN state\n"); + } +#endif + if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { + asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; + sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, + stcb->sctp_ep, stcb, asoc->primary_destination); + + } else { + asoc->state = SCTP_STATE_OPEN; + } + /* update RTO */ + SCTP_STAT_INCR_COUNTER32(sctps_activeestab); + SCTP_STAT_INCR_GAUGE32(sctps_currestab); + if (asoc->overall_error_count == 0) { + net->RTO = sctp_calculate_rto(stcb, asoc, net, + &asoc->time_entered); + } + SCTP_GETTIME_TIMEVAL(&asoc->time_entered); + sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); + if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || + (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { + stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; + soisconnected(stcb->sctp_ep->sctp_socket); + } + sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, + stcb, net); + /* + * since we did not send a HB make sure we don't double + * things + */ + net->hb_responded = 1; + + if (stcb->asoc.sctp_autoclose_ticks && + sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { + sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, + stcb->sctp_ep, stcb, NULL); + } + /* + * set ASCONF timer if ASCONFs are pending and allowed (eg. + * addresses changed when init/cookie echo in flight) + */ + if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && + (stcb->asoc.peer_supports_asconf) && + (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { + sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, + stcb->sctp_ep, stcb, + stcb->asoc.primary_destination); + } + } + /* Toss the cookie if I can */ + sctp_toss_old_cookies(stcb, asoc); + if (!TAILQ_EMPTY(&asoc->sent_queue)) { + /* Restart the timer if we have pending data */ + struct sctp_tmit_chunk *chk; + + chk = TAILQ_FIRST(&asoc->sent_queue); + if (chk) { + sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, + stcb, chk->whoTo); + } + } +} + +static void +sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, + struct sctp_tcb *stcb) +{ + struct sctp_nets *net; + struct sctp_tmit_chunk *lchk; + uint32_t tsn; + + if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { + return; + } + SCTP_STAT_INCR(sctps_recvecne); + tsn = ntohl(cp->tsn); + /* ECN Nonce stuff: need a resync and disable the nonce sum check */ + /* Also we make sure we disable the nonce_wait */ + lchk = TAILQ_FIRST(&stcb->asoc.send_queue); + if (lchk == NULL) { + stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; + } else { + stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; + } + stcb->asoc.nonce_wait_for_ecne = 0; + stcb->asoc.nonce_sum_check = 0; + + /* Find where it was sent, if possible */ + net = NULL; + lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); + while (lchk) { + if (lchk->rec.data.TSN_seq == tsn) { + net = lchk->whoTo; + break; + } + if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) + break; + lchk = TAILQ_NEXT(lchk, sctp_next); + } + if (net == NULL) + /* default is we use the primary */ + net = stcb->asoc.primary_destination; + + if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { +#ifdef SCTP_CWND_MONITOR + int old_cwnd; + + old_cwnd = net->cwnd; +#endif + SCTP_STAT_INCR(sctps_ecnereducedcwnd); + net->ssthresh = net->cwnd / 2; + if (net->ssthresh < net->mtu) { + net->ssthresh = net->mtu; + /* here back off the timer as well, to slow us down */ + net->RTO <<= 2; + } + net->cwnd = net->ssthresh; +#ifdef SCTP_CWND_MONITOR + sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); +#endif + /* + * we reduce once every RTT. So we will only lower cwnd at + * the next sending seq i.e. the resync_tsn. + */ + stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; + } + /* + * We always send a CWR this way if our previous one was lost our + * peer will get an update, or if it is not time again to reduce we + * still get the cwr to the peer. + */ + sctp_send_cwr(stcb, net, tsn); +} + +static void +sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) +{ + /* + * Here we get a CWR from the peer. We must look in the outqueue and + * make sure that we have a covered ECNE in teh control chunk part. + * If so remove it. + */ + struct sctp_tmit_chunk *chk; + struct sctp_ecne_chunk *ecne; + + TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { + if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { + continue; + } + /* + * Look for and remove if it is the right TSN. Since there + * is only ONE ECNE on the control queue at any one time we + * don't need to worry about more than one! + */ + ecne = mtod(chk->data, struct sctp_ecne_chunk *); + if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), + MAX_TSN) || (cp->tsn == ecne->tsn)) { + /* this covers this ECNE, we can remove it */ + stcb->asoc.ecn_echo_cnt_onq--; + TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, + sctp_next); + if (chk->data) { + sctp_m_freem(chk->data); + chk->data = NULL; + } + stcb->asoc.ctrl_queue_cnt--; + sctp_free_remote_addr(chk->whoTo); + sctp_free_a_chunk(stcb, chk); + break; + } + } +} + +static void +sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, + struct sctp_tcb *stcb, struct sctp_nets *net) +{ + struct sctp_association *asoc; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); + } +#endif + if (stcb == NULL) + return; + + asoc = &stcb->asoc; + /* process according to association state */ + if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { + /* unexpected SHUTDOWN-COMPLETE... so ignore... */ + SCTP_TCB_UNLOCK(stcb); + return; + } + /* notify upper layer protocol */ + if (stcb->sctp_socket) { + sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); + /* are the queues empty? they should be */ + if (!TAILQ_EMPTY(&asoc->send_queue) || + !TAILQ_EMPTY(&asoc->sent_queue) || + !TAILQ_EMPTY(&asoc->out_wheel)) { + sctp_report_all_outbound(stcb); + } + } + /* stop the timer */ + sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); + SCTP_STAT_INCR_COUNTER32(sctps_shutdown); + /* free the TCB */ + sctp_free_assoc(stcb->sctp_ep, stcb, 0); + return; +} + +static int +process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, + struct sctp_nets *net, uint8_t flg) +{ + switch (desc->chunk_type) { + case SCTP_DATA: + /* find the tsn to resend (possibly */ + { + uint32_t tsn; + struct sctp_tmit_chunk *tp1; + + tsn = ntohl(desc->tsn_ifany); + tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); + while (tp1) { + if (tp1->rec.data.TSN_seq == tsn) { + /* found it */ + break; + } + if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, + MAX_TSN)) { + /* not found */ + tp1 = NULL; + break; + } + tp1 = TAILQ_NEXT(tp1, sctp_next); + } + if (tp1 == NULL) { + /* + * Do it the other way , aka without paying + * attention to queue seq order. + */ + SCTP_STAT_INCR(sctps_pdrpdnfnd); + tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); + while (tp1) { + if (tp1->rec.data.TSN_seq == tsn) { + /* found it */ + break; + } + tp1 = TAILQ_NEXT(tp1, sctp_next); + } + } + if (tp1 == NULL) { + SCTP_STAT_INCR(sctps_pdrptsnnf); + } + if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { + uint8_t *ddp; + + if ((stcb->asoc.peers_rwnd == 0) && + ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { + SCTP_STAT_INCR(sctps_pdrpdiwnp); + return (0); + } + if (stcb->asoc.peers_rwnd == 0 && + (flg & SCTP_FROM_MIDDLE_BOX)) { + SCTP_STAT_INCR(sctps_pdrpdizrw); + return (0); + } + ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ + sizeof(struct sctp_data_chunk)); + { + unsigned int iii; + + for (iii = 0; iii < sizeof(desc->data_bytes); + iii++) { + if (ddp[iii] != desc->data_bytes[iii]) { + SCTP_STAT_INCR(sctps_pdrpbadd); + return (-1); + } + } + } + /* + * We zero out the nonce so resync not + * needed + */ + tp1->rec.data.ect_nonce = 0; + + if (tp1->do_rtt) { + /* + * this guy had a RTO calculation + * pending on it, cancel it + */ + tp1->whoTo->rto_pending = 0; + tp1->do_rtt = 0; + } + SCTP_STAT_INCR(sctps_pdrpmark); + if (tp1->sent != SCTP_DATAGRAM_RESEND) + sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); + tp1->sent = SCTP_DATAGRAM_RESEND; + /* + * mark it as if we were doing a FR, since + * we will be getting gap ack reports behind + * the info from the router. + */ + tp1->rec.data.doing_fast_retransmit = 1; + /* + * mark the tsn with what sequences can + * cause a new FR. + */ + if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { + tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; + } else { + tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; + } + + /* restart the timer */ + sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, + stcb, tp1->whoTo); + sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, + stcb, tp1->whoTo); + + /* fix counts and things */ + if (tp1->whoTo->flight_size >= tp1->book_size) + tp1->whoTo->flight_size -= tp1->book_size; + else + tp1->whoTo->flight_size = 0; + + if (stcb->asoc.total_flight >= tp1->book_size) { + stcb->asoc.total_flight -= tp1->book_size; + if (stcb->asoc.total_flight_count > 0) + stcb->asoc.total_flight_count--; + } else { + stcb->asoc.total_flight = 0; + stcb->asoc.total_flight_count = 0; + } + tp1->snd_count--; + } { + /* audit code */ + unsigned int audit; + + audit = 0; + TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { + if (tp1->sent == SCTP_DATAGRAM_RESEND) + audit++; + } + TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, + sctp_next) { + if (tp1->sent == SCTP_DATAGRAM_RESEND) + audit++; + } + if (audit != stcb->asoc.sent_queue_retran_cnt) { + printf("**Local Audit finds cnt:%d asoc cnt:%d\n", + audit, stcb->asoc.sent_queue_retran_cnt); +#ifndef SCTP_AUDITING_ENABLED + stcb->asoc.sent_queue_retran_cnt = audit; +#endif + } + } + } + break; + case SCTP_ASCONF: + { + struct sctp_tmit_chunk *asconf; + + TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, + sctp_next) { + if (asconf->rec.chunk_id.id == SCTP_ASCONF) { + break; + } + } + if (asconf) { + if (asconf->sent != SCTP_DATAGRAM_RESEND) + sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); + asconf->sent = SCTP_DATAGRAM_RESEND; + asconf->snd_count--; + } + } + break; + case SCTP_INITIATION: + /* resend the INIT */ + stcb->asoc.dropped_special_cnt++; + if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { + /* + * If we can get it in, in a few attempts we do + * this, otherwise we let the timer fire. + */ + sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, + stcb, net); + sctp_send_initiate(stcb->sctp_ep, stcb); + } + break; + case SCTP_SELECTIVE_ACK: + /* resend the sack */ + sctp_send_sack(stcb); + break; + case SCTP_HEARTBEAT_REQUEST: + /* resend a demand HB */ + sctp_send_hb(stcb, 1, net); + break; + case SCTP_SHUTDOWN: + sctp_send_shutdown(stcb, net); + break; + case SCTP_SHUTDOWN_ACK: + sctp_send_shutdown_ack(stcb, net); + break; + case SCTP_COOKIE_ECHO: + { + struct sctp_tmit_chunk *cookie; + + cookie = NULL; + TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, + sctp_next) { + if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { + break; + } + } + if (cookie) { + if (cookie->sent != SCTP_DATAGRAM_RESEND) + sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); + cookie->sent = SCTP_DATAGRAM_RESEND; + sctp_stop_all_cookie_timers(stcb); + } + } + break; + case SCTP_COOKIE_ACK: + sctp_send_cookie_ack(stcb); + break; + case SCTP_ASCONF_ACK: + /* resend last asconf ack */ + sctp_send_asconf_ack(stcb, 1); + break; + case SCTP_FORWARD_CUM_TSN: + send_forward_tsn(stcb, &stcb->asoc); + break; + /* can't do anything with these */ + case SCTP_PACKET_DROPPED: + case SCTP_INITIATION_ACK: /* this should not happen */ + case SCTP_HEARTBEAT_ACK: + case SCTP_ABORT_ASSOCIATION: + case SCTP_OPERATION_ERROR: + case SCTP_SHUTDOWN_COMPLETE: + case SCTP_ECN_ECHO: + case SCTP_ECN_CWR: + default: + break; + } + return (0); +} + +void +sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) +{ + int i; + uint16_t temp; + + /* + * We set things to 0xffff since this is the last delivered sequence + * and we will be sending in 0 after the reset. + */ + + if (number_entries) { + for (i = 0; i < number_entries; i++) { + temp = ntohs(list[i]); + if (temp >= stcb->asoc.streamincnt) { + continue; + } + stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; + } + } else { + list = NULL; + for (i = 0; i < stcb->asoc.streamincnt; i++) { + stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; + } + } + sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); +} + +static void +sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) +{ + int i; + + if (number_entries == 0) { + for (i = 0; i < stcb->asoc.streamoutcnt; i++) { + stcb->asoc.strmout[i].next_sequence_sent = 0; + } + } else if (number_entries) { + for (i = 0; i < number_entries; i++) { + uint16_t temp; + + temp = ntohs(list[i]); + if (temp >= stcb->asoc.streamoutcnt) { + /* no such stream */ + continue; + } + stcb->asoc.strmout[temp].next_sequence_sent = 0; + } + } + sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); +} + + +struct sctp_stream_reset_out_request * +sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) +{ + struct sctp_association *asoc; + struct sctp_stream_reset_out_req *req; + struct sctp_stream_reset_out_request *r; + struct sctp_tmit_chunk *chk; + int len, clen; + + asoc = &stcb->asoc; + if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { + return (NULL); + } + if (stcb->asoc.str_reset == NULL) { + return (NULL); + } + chk = stcb->asoc.str_reset; + if (chk->data == NULL) { + return (NULL); + } + if (bchk) { + /* he wants a copy of the chk pointer */ + *bchk = chk; + } + clen = chk->send_size; + req = mtod(chk->data, struct sctp_stream_reset_out_req *); + r = &req->sr_req; + if (ntohl(r->request_seq) == seq) { + /* found it */ + return (r); + } + len = SCTP_SIZE32(ntohs(r->ph.param_length)); + if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { + /* move to the next one, there can only be a max of two */ + r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); + if (ntohl(r->request_seq) == seq) { + return (r); + } + } + /* that seq is not here */ + return (NULL); +} + +static void +sctp_clean_up_stream_reset(struct sctp_tcb *stcb) +{ + struct sctp_association *asoc; + + asoc = &stcb->asoc; + struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; + + if (stcb->asoc.str_reset == NULL) { + return; + } + sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); + TAILQ_REMOVE(&asoc->control_send_queue, + chk, + sctp_next); + if (chk->data) { + sctp_m_freem(chk->data); + chk->data = NULL; + } + asoc->ctrl_queue_cnt--; + sctp_free_remote_addr(chk->whoTo); + + sctp_free_a_chunk(stcb, chk); + stcb->asoc.str_reset = NULL; +} + + +static int +sctp_handle_stream_reset_response(struct sctp_tcb *stcb, + uint32_t seq, uint32_t action, + struct sctp_stream_reset_response *respin +) +{ + uint16_t type; + int lparm_len; + struct sctp_association *asoc = &stcb->asoc; + struct sctp_tmit_chunk *chk; + struct sctp_stream_reset_out_request *srparam; + int number_entries; + + if (asoc->stream_reset_outstanding == 0) { + /* duplicate */ + return (0); + } + if (seq == stcb->asoc.str_reset_seq_out) { + srparam = sctp_find_stream_reset(stcb, seq, &chk); + if (srparam) { + stcb->asoc.str_reset_seq_out++; + type = ntohs(srparam->ph.param_type); + lparm_len = ntohs(srparam->ph.param_length); + number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); + if (type == SCTP_STR_RESET_OUT_REQUEST) { + asoc->stream_reset_out_is_outstanding = 0; + if (asoc->stream_reset_outstanding) + asoc->stream_reset_outstanding--; + if (action == SCTP_STREAM_RESET_PERFORMED) { + /* do it */ + sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); + } else { + sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); + } + } else if (type == SCTP_STR_RESET_IN_REQUEST) { + /* Answered my request */ + if (asoc->stream_reset_outstanding) + asoc->stream_reset_outstanding--; + if (action != SCTP_STREAM_RESET_PERFORMED) { + sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); + } + } else if (type == SCTP_STR_RESET_TSN_REQUEST) { + /** + * a) Adopt the new in tsn. + * b) reset the map + * c) Adopt the new out-tsn + */ + struct sctp_stream_reset_response_tsn *resp; + struct sctp_forward_tsn_chunk fwdtsn; + int abort_flag = 0; + + if (respin == NULL) { + /* huh ? */ + return (0); + } + if (action == SCTP_STREAM_RESET_PERFORMED) { + resp = (struct sctp_stream_reset_response_tsn *)respin; + asoc->stream_reset_outstanding--; + fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); + fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; + fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); + sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); + if (abort_flag) { + return (1); + } + stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); + stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; + stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); + memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); + stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); + stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; + + sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); + sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); + + } + } + /* get rid of the request and get the request flags */ + if (asoc->stream_reset_outstanding == 0) { + sctp_clean_up_stream_reset(stcb); + } + } + } + return (0); +} + +static void +sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, + struct sctp_tmit_chunk *chk, + struct sctp_stream_reset_in_request *req) +{ + uint32_t seq; + int len, i; + int number_entries; + uint16_t temp; + + /* + * peer wants me to send a str-reset to him for my outgoing seq's if + * seq_in is right. + */ + struct sctp_association *asoc = &stcb->asoc; + + seq = ntohl(req->request_seq); + if (asoc->str_reset_seq_in == seq) { + if (stcb->asoc.stream_reset_out_is_outstanding == 0) { + len = ntohs(req->ph.param_length); + number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); + for (i = 0; i < number_entries; i++) { + temp = ntohs(req->list_of_streams[i]); + req->list_of_streams[i] = temp; + } + /* move the reset action back one */ + asoc->last_reset_action[1] = asoc->last_reset_action[0]; + asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; + sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, + asoc->str_reset_seq_out, + seq, (asoc->sending_seq - 1)); + asoc->stream_reset_out_is_outstanding = 1; + asoc->str_reset = chk; + sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); + stcb->asoc.stream_reset_outstanding++; + } else { + /* Can't do it, since we have sent one out */ + asoc->last_reset_action[1] = asoc->last_reset_action[0]; + asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; + sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); + } + asoc->str_reset_seq_in++; + } else if (asoc->str_reset_seq_in - 1 == seq) { + sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); + } else if (asoc->str_reset_seq_in - 2 == seq) { + sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); + } else { + sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); + } +} + +static int +sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, + struct sctp_tmit_chunk *chk, + struct sctp_stream_reset_tsn_request *req) +{ + /* reset all in and out and update the tsn */ + /* + * A) reset my str-seq's on in and out. B) Select a receive next, + * and set cum-ack to it. Also process this selected number as a + * fwd-tsn as well. C) set in the response my next sending seq. + */ + struct sctp_forward_tsn_chunk fwdtsn; + struct sctp_association *asoc = &stcb->asoc; + int abort_flag = 0; + uint32_t seq; + + seq = ntohl(req->request_seq); + if (asoc->str_reset_seq_in == seq) { + fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); + fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; + fwdtsn.ch.chunk_flags = 0; + fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); + sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); + if (abort_flag) { + return (1); + } + stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; + stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; + stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; + memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); + atomic_add_int(&stcb->asoc.sending_seq, 1); + /* save off historical data for retrans */ + stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; + stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; + stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; + stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; + + sctp_add_stream_reset_result_tsn(chk, + ntohl(req->request_seq), + SCTP_STREAM_RESET_PERFORMED, + stcb->asoc.sending_seq, + stcb->asoc.mapping_array_base_tsn); + sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); + sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); + stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; + stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; + + asoc->str_reset_seq_in++; + } else if (asoc->str_reset_seq_in - 1 == seq) { + sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], + stcb->asoc.last_sending_seq[0], + stcb->asoc.last_base_tsnsent[0] + ); + } else if (asoc->str_reset_seq_in - 2 == seq) { + sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], + stcb->asoc.last_sending_seq[1], + stcb->asoc.last_base_tsnsent[1] + ); + } else { + sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); + } + return (0); +} + +static void +sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, + struct sctp_tmit_chunk *chk, + struct sctp_stream_reset_out_request *req) +{ + uint32_t seq, tsn; + int number_entries, len; + struct sctp_association *asoc = &stcb->asoc; + + seq = ntohl(req->request_seq); + + /* now if its not a duplicate we process it */ + if (asoc->str_reset_seq_in == seq) { + len = ntohs(req->ph.param_length); + number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); + /* + * the sender is resetting, handle the list issue.. we must + * a) verify if we can do the reset, if so no problem b) If + * we can't do the reset we must copy the request. c) queue + * it, and setup the data in processor to trigger it off + * when needed and dequeue all the queued data. + */ + tsn = ntohl(req->send_reset_at_tsn); + + /* move the reset action back one */ + asoc->last_reset_action[1] = asoc->last_reset_action[0]; + if ((tsn == asoc->cumulative_tsn) || + (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { + /* we can do it now */ + sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); + sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); + asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; + } else { + /* + * we must queue it up and thus wait for the TSN's + * to arrive that are at or before tsn + */ + struct sctp_stream_reset_list *liste; + int siz; + + siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); + SCTP_MALLOC(liste, struct sctp_stream_reset_list *, + siz, "StrRstList"); + if (liste == NULL) { + /* gak out of memory */ + sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); + asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; + return; + } + liste->tsn = tsn; + liste->number_entries = number_entries; + memcpy(&liste->req, req, + (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); + TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); + sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); + asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; + } + asoc->str_reset_seq_in++; + } else if ((asoc->str_reset_seq_in - 1) == seq) { + /* + * one seq back, just echo back last action since my + * response was lost. + */ + sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); + } else if ((asoc->str_reset_seq_in - 2) == seq) { + /* + * two seq back, just echo back last action since my + * response was lost. + */ + sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); + } else { + sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); + } +} + +static int +sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) +{ + int chk_length, param_len, ptype; + uint32_t seq; + int num_req = 0; + struct sctp_tmit_chunk *chk; + struct sctp_chunkhdr *ch; + struct sctp_paramhdr *ph; + + /* now it may be a reset or a reset-response */ + chk_length = ntohs(sr_req->ch.chunk_length); + int ret_code = 0; + int num_param = 0; + + /* setup for adding the response */ + sctp_alloc_a_chunk(stcb, chk); + if (chk == NULL) { + return (ret_code); + } + chk->rec.chunk_id.id = SCTP_STREAM_RESET; + chk->asoc = &stcb->asoc; + chk->no_fr_allowed = 0; + chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); + chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_DONTWAIT, 1, MT_DATA); + if (chk->data == NULL) { +strres_nochunk: + if (chk->data) { + sctp_m_freem(chk->data); + chk->data = NULL; + } + sctp_free_a_chunk(stcb, chk); + return (ret_code); + } + chk->data->m_data += SCTP_MIN_OVERHEAD; + + /* setup chunk parameters */ + chk->sent = SCTP_DATAGRAM_UNSENT; + chk->snd_count = 0; + chk->whoTo = stcb->asoc.primary_destination; + atomic_add_int(&chk->whoTo->ref_count, 1); + + ch = mtod(chk->data, struct sctp_chunkhdr *); + ch->chunk_type = SCTP_STREAM_RESET; + ch->chunk_flags = 0; + ch->chunk_length = htons(chk->send_size); + chk->data->m_pkthdr.len = chk->data->m_len = SCTP_SIZE32(chk->send_size); + + + ph = (struct sctp_paramhdr *)&sr_req->sr_req; + while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { + param_len = ntohs(ph->param_length); + if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { + /* bad param */ + break; + } + ptype = ntohs(ph->param_type); + num_param++; + if (num_param > SCTP_MAX_RESET_PARAMS) { + /* hit the max of parameters already sorry.. */ + break; + } + if (ptype == SCTP_STR_RESET_OUT_REQUEST) { + struct sctp_stream_reset_out_request *req_out; + + req_out = (struct sctp_stream_reset_out_request *)ph; + num_req++; + if (stcb->asoc.stream_reset_outstanding) { + seq = ntohl(req_out->response_seq); + if (seq == stcb->asoc.str_reset_seq_out) { + /* implicit ack */ + sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); + } + } + sctp_handle_str_reset_request_out(stcb, chk, req_out); + } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { + struct sctp_stream_reset_in_request *req_in; + + num_req++; + req_in = (struct sctp_stream_reset_in_request *)ph; + sctp_handle_str_reset_request_in(stcb, chk, req_in); + } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { + struct sctp_stream_reset_tsn_request *req_tsn; + + num_req++; + req_tsn = (struct sctp_stream_reset_tsn_request *)ph; + if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { + ret_code = 1; + goto strres_nochunk; + } + /* no more */ + break; + } else if (ptype == SCTP_STR_RESET_RESPONSE) { + struct sctp_stream_reset_response *resp; + uint32_t result; + + resp = (struct sctp_stream_reset_response *)ph; + seq = ntohl(resp->response_seq); + result = ntohl(resp->result); + if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { + ret_code = 1; + goto strres_nochunk; + } + } else { + break; + } + + ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); + chk_length -= SCTP_SIZE32(param_len); + } + if (num_req == 0) { + /* we have no response free the stuff */ + goto strres_nochunk; + } + /* ok we have a chunk to link in */ + TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, + chk, + sctp_next); + stcb->asoc.ctrl_queue_cnt++; + return (ret_code); +} + +/* + * Handle a router or endpoints report of a packet loss, there are two ways + * to handle this, either we get the whole packet and must disect it + * ourselves (possibly with truncation and or corruption) or it is a summary + * from a middle box that did the disectting for us. + */ +static void +sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, + struct sctp_tcb *stcb, struct sctp_nets *net) +{ + uint32_t bottle_bw, on_queue; + uint16_t trunc_len; + unsigned int chlen; + unsigned int at; + struct sctp_chunk_desc desc; + struct sctp_chunkhdr *ch; + + chlen = ntohs(cp->ch.chunk_length); + chlen -= sizeof(struct sctp_pktdrop_chunk); + /* XXX possible chlen underflow */ + if (chlen == 0) { + ch = NULL; + if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) + SCTP_STAT_INCR(sctps_pdrpbwrpt); + } else { + ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); + chlen -= sizeof(struct sctphdr); + /* XXX possible chlen underflow */ + memset(&desc, 0, sizeof(desc)); + } + trunc_len = (uint16_t) ntohs(cp->trunc_len); + /* now the chunks themselves */ + while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { + desc.chunk_type = ch->chunk_type; + /* get amount we need to move */ + at = ntohs(ch->chunk_length); + if (at < sizeof(struct sctp_chunkhdr)) { + /* corrupt chunk, maybe at the end? */ + SCTP_STAT_INCR(sctps_pdrpcrupt); + break; + } + if (trunc_len == 0) { + /* we are supposed to have all of it */ + if (at > chlen) { + /* corrupt skip it */ + SCTP_STAT_INCR(sctps_pdrpcrupt); + break; + } + } else { + /* is there enough of it left ? */ + if (desc.chunk_type == SCTP_DATA) { + if (chlen < (sizeof(struct sctp_data_chunk) + + sizeof(desc.data_bytes))) { + break; + } + } else { + if (chlen < sizeof(struct sctp_chunkhdr)) { + break; + } + } + } + if (desc.chunk_type == SCTP_DATA) { + /* can we get out the tsn? */ + if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) + SCTP_STAT_INCR(sctps_pdrpmbda); + + if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { + /* yep */ + struct sctp_data_chunk *dcp; + uint8_t *ddp; + unsigned int iii; + + dcp = (struct sctp_data_chunk *)ch; + ddp = (uint8_t *) (dcp + 1); + for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { + desc.data_bytes[iii] = ddp[iii]; + } + desc.tsn_ifany = dcp->dp.tsn; + } else { + /* nope we are done. */ + SCTP_STAT_INCR(sctps_pdrpnedat); + break; + } + } else { + if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) + SCTP_STAT_INCR(sctps_pdrpmbct); + } + + if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { + SCTP_STAT_INCR(sctps_pdrppdbrk); + break; + } + if (SCTP_SIZE32(at) > chlen) { + break; + } + chlen -= SCTP_SIZE32(at); + if (chlen < sizeof(struct sctp_chunkhdr)) { + /* done, none left */ + break; + } + ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); + } + /* Now update any rwnd --- possibly */ + if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { + /* From a peer, we get a rwnd report */ + uint32_t a_rwnd; + + SCTP_STAT_INCR(sctps_pdrpfehos); + + bottle_bw = ntohl(cp->bottle_bw); + on_queue = ntohl(cp->current_onq); + if (bottle_bw && on_queue) { + /* a rwnd report is in here */ + if (bottle_bw > on_queue) + a_rwnd = bottle_bw - on_queue; + else + a_rwnd = 0; + + if (a_rwnd == 0) + stcb->asoc.peers_rwnd = 0; + else { + if (a_rwnd > stcb->asoc.total_flight) { + stcb->asoc.peers_rwnd = + a_rwnd - stcb->asoc.total_flight; + } else { + stcb->asoc.peers_rwnd = 0; + } + if (stcb->asoc.peers_rwnd < + stcb->sctp_ep->sctp_ep.sctp_sws_sender) { + /* SWS sender side engages */ + stcb->asoc.peers_rwnd = 0; + } + } + } + } else { + SCTP_STAT_INCR(sctps_pdrpfmbox); + } + + /* now middle boxes in sat networks get a cwnd bump */ + if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && + (stcb->asoc.sat_t3_loss_recovery == 0) && + (stcb->asoc.sat_network)) { + /* + * This is debateable but for sat networks it makes sense + * Note if a T3 timer has went off, we will prohibit any + * changes to cwnd until we exit the t3 loss recovery. + */ + uint32_t bw_avail; + int rtt, incr; + +#ifdef SCTP_CWND_MONITOR + int old_cwnd = net->cwnd; + +#endif + /* need real RTT for this calc */ + rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; + /* get bottle neck bw */ + bottle_bw = ntohl(cp->bottle_bw); + /* and whats on queue */ + on_queue = ntohl(cp->current_onq); + /* + * adjust the on-queue if our flight is more it could be + * that the router has not yet gotten data "in-flight" to it + */ + if (on_queue < net->flight_size) + on_queue = net->flight_size; + + /* calculate the available space */ + bw_avail = (bottle_bw * rtt) / 1000; + if (bw_avail > bottle_bw) { + /* + * Cap the growth to no more than the bottle neck. + * This can happen as RTT slides up due to queues. + * It also means if you have more than a 1 second + * RTT with a empty queue you will be limited to the + * bottle_bw per second no matter if other points + * have 1/2 the RTT and you could get more out... + */ + bw_avail = bottle_bw; + } + if (on_queue > bw_avail) { + /* + * No room for anything else don't allow anything + * else to be "added to the fire". + */ + int seg_inflight, seg_onqueue, my_portion; + + net->partial_bytes_acked = 0; + + /* how much are we over queue size? */ + incr = on_queue - bw_avail; + if (stcb->asoc.seen_a_sack_this_pkt) { + /* + * undo any cwnd adjustment that the sack + * might have made + */ + net->cwnd = net->prev_cwnd; + } + /* Now how much of that is mine? */ + seg_inflight = net->flight_size / net->mtu; + seg_onqueue = on_queue / net->mtu; + my_portion = (incr * seg_inflight) / seg_onqueue; + + /* Have I made an adjustment already */ + if (net->cwnd > net->flight_size) { + /* + * for this flight I made an adjustment we + * need to decrease the portion by a share + * our previous adjustment. + */ + int diff_adj; + + diff_adj = net->cwnd - net->flight_size; + if (diff_adj > my_portion) + my_portion = 0; + else + my_portion -= diff_adj; + } + /* + * back down to the previous cwnd (assume we have + * had a sack before this packet). minus what ever + * portion of the overage is my fault. + */ + net->cwnd -= my_portion; + + /* we will NOT back down more than 1 MTU */ + if (net->cwnd <= net->mtu) { + net->cwnd = net->mtu; + } + /* force into CA */ + net->ssthresh = net->cwnd - 1; + } else { + /* + * Take 1/4 of the space left or max burst up .. + * whichever is less. + */ + incr = min((bw_avail - on_queue) >> 2, + (int)stcb->asoc.max_burst * (int)net->mtu); + net->cwnd += incr; + } + if (net->cwnd > bw_avail) { + /* We can't exceed the pipe size */ + net->cwnd = bw_avail; + } + if (net->cwnd < net->mtu) { + /* We always have 1 MTU */ + net->cwnd = net->mtu; + } +#ifdef SCTP_CWND_MONITOR + if (net->cwnd - old_cwnd != 0) { + /* log only changes */ + sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), + SCTP_CWND_LOG_FROM_SAT); + } +#endif + } +} + +extern int sctp_strict_init; +extern int sctp_abort_if_one_2_one_hits_limit; + +/* + * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to + * still contain IP/SCTP header - stcb: is the tcb found for this packet - + * offset: offset into the mbuf chain to first chunkhdr - length: is the + * length of the complete packet outputs: - length: modified to remaining + * length after control processing - netp: modified to new sctp_nets after + * cookie-echo processing - return NULL to discard the packet (ie. no asoc, + * bad packet,...) otherwise return the tcb for this packet + */ +static struct sctp_tcb * +sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, + struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, + struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) +{ + struct sctp_association *asoc; + uint32_t vtag_in; + int num_chunks = 0; /* number of control chunks processed */ + int chk_length; + int ret; + + /* + * How big should this be, and should it be alloc'd? Lets try the + * d-mtu-ceiling for now (2k) and that should hopefully work ... + * until we get into jumbo grams and such.. + */ + uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; + struct sctp_tcb *locked_tcb = stcb; + int got_auth = 0; + uint32_t auth_offset = 0, auth_len = 0; + int auth_skipped = 0; + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", + iphlen, *offset, length, stcb); + } +#endif /* SCTP_DEBUG */ + + /* validate chunk header length... */ + if (ntohs(ch->chunk_length) < sizeof(*ch)) { + return (NULL); + } + /* + * validate the verification tag + */ + vtag_in = ntohl(sh->v_tag); + + if (ch->chunk_type == SCTP_INITIATION) { + if (vtag_in != 0) { + /* protocol error- silently discard... */ + SCTP_STAT_INCR(sctps_badvtag); + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { + /* + * If there is no stcb, skip the AUTH chunk and process + * later after a stcb is found (to validate the lookup was + * valid. + */ + if ((ch->chunk_type == SCTP_AUTHENTICATION) && + (stcb == NULL) && !sctp_auth_disable) { + /* save this chunk for later processing */ + auth_skipped = 1; + auth_offset = *offset; + auth_len = ntohs(ch->chunk_length); + + /* (temporarily) move past this chunk */ + *offset += SCTP_SIZE32(auth_len); + if (*offset >= length) { + /* no more data left in the mbuf chain */ + *offset = length; + return (NULL); + } + ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, + sizeof(struct sctp_chunkhdr), chunk_buf); + } + if (ch->chunk_type == SCTP_COOKIE_ECHO) { + goto process_control_chunks; + } + /* + * first check if it's an ASCONF with an unknown src addr we + * need to look inside to find the association + */ + if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { + /* inp's refcount may be reduced */ + SCTP_INP_INCR_REF(inp); + + stcb = sctp_findassociation_ep_asconf(m, iphlen, + *offset, sh, &inp, netp); + if (stcb == NULL) { + /* + * reduce inp's refcount if not reduced in + * sctp_findassociation_ep_asconf(). + */ + SCTP_INP_DECR_REF(inp); + } + /* now go back and verify any auth chunk to be sure */ + if (auth_skipped && (stcb != NULL)) { + struct sctp_auth_chunk *auth; + + auth = (struct sctp_auth_chunk *) + sctp_m_getptr(m, auth_offset, + auth_len, chunk_buf); + got_auth = 1; + auth_skipped = 0; + if (sctp_handle_auth(stcb, auth, m, + auth_offset)) { + /* auth HMAC failed so dump it */ + *offset = length; + return (NULL); + } else { + /* remaining chunks are HMAC checked */ + stcb->asoc.authenticated = 1; + } + } + } + if (stcb == NULL) { + /* no association, so it's out of the blue... */ + sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + asoc = &stcb->asoc; + /* ABORT and SHUTDOWN can use either v_tag... */ + if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || + (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || + (ch->chunk_type == SCTP_PACKET_DROPPED)) { + if ((vtag_in == asoc->my_vtag) || + ((ch->chunk_flags & SCTP_HAD_NO_TCB) && + (vtag_in == asoc->peer_vtag))) { + /* this is valid */ + } else { + /* drop this packet... */ + SCTP_STAT_INCR(sctps_badvtag); + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { + if (vtag_in != asoc->my_vtag) { + /* + * this could be a stale SHUTDOWN-ACK or the + * peer never got the SHUTDOWN-COMPLETE and + * is still hung; we have started a new asoc + * but it won't complete until the shutdown + * is completed + */ + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + sctp_handle_ootb(m, iphlen, *offset, sh, inp, + NULL); + return (NULL); + } + } else { + /* for all other chunks, vtag must match */ + if (vtag_in != asoc->my_vtag) { + /* invalid vtag... */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); + } +#endif /* SCTP_DEBUG */ + SCTP_STAT_INCR(sctps_badvtag); + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + *offset = length; + return (NULL); + } + } + } /* end if !SCTP_COOKIE_ECHO */ + /* + * process all control chunks... + */ + if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || + (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && + (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { + /* implied cookie-ack.. we must have lost the ack */ + stcb->asoc.overall_error_count = 0; + sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, + *netp); + } +process_control_chunks: + + while (IS_SCTP_CONTROL(ch)) { + /* validate chunk length */ + chk_length = ntohs(ch->chunk_length); +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT2) { + printf("sctp_process_control: processing a chunk type=%u, len=%u\n", + ch->chunk_type, chk_length); + } +#endif /* SCTP_DEBUG */ + if ((size_t)chk_length < sizeof(*ch) || + (*offset + chk_length) > length) { + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); + /* + * INIT-ACK only gets the init ack "header" portion only + * because we don't have to process the peer's COOKIE. All + * others get a complete chunk. + */ + if (ch->chunk_type == SCTP_INITIATION_ACK) { + /* get an init-ack chunk */ + ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, + sizeof(struct sctp_init_ack_chunk), chunk_buf); + if (ch == NULL) { + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + } else { + /* get a complete chunk... */ + if ((size_t)chk_length > sizeof(chunk_buf)) { + struct mbuf *oper; + struct sctp_paramhdr *phdr; + + oper = NULL; + oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), + 1, M_DONTWAIT, 1, MT_DATA); + if (oper) { + /* pre-reserve some space */ + oper->m_data += sizeof(struct sctp_chunkhdr); + oper->m_len = sizeof(struct sctp_paramhdr); + oper->m_pkthdr.len = oper->m_len; + phdr = mtod(oper, struct sctp_paramhdr *); + phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); + phdr->param_length = htons(sizeof(struct sctp_paramhdr)); + sctp_queue_op_err(stcb, oper); + } + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, + chk_length, chunk_buf); + if (ch == NULL) { + printf("sctp_process_control: Can't get the all data....\n"); + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + } + num_chunks++; + /* Save off the last place we got a control from */ + if (stcb != NULL) { + if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { + /* + * allow last_control to be NULL if + * ASCONF... ASCONF processing will find the + * right net later + */ + stcb->asoc.last_control_chunk_from = *netp; + } + } +#ifdef SCTP_AUDITING_ENABLED + sctp_audit_log(0xB0, ch->chunk_type); +#endif + + /* check to see if this chunk required auth, but isn't */ + if ((stcb != NULL) && !sctp_auth_disable && + sctp_auth_is_required_chunk(ch->chunk_type, + stcb->asoc.local_auth_chunks) && + !stcb->asoc.authenticated) { + /* "silently" ignore */ + SCTP_STAT_INCR(sctps_recvauthmissing); + goto next_chunk; + } + switch (ch->chunk_type) { + case SCTP_INITIATION: + /* must be first and only chunk */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_INIT\n"); + } +#endif /* SCTP_DEBUG */ + if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { + /* We are not interested anymore? */ + if ((stcb) && (stcb->asoc.total_output_queue_size)) { + /* + * collision case where we are + * sending to them too + */ + ; + } else { + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + *offset = length; + return (NULL); + } + } + if ((num_chunks > 1) || + (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + if ((stcb != NULL) && + (SCTP_GET_STATE(&stcb->asoc) == + SCTP_STATE_SHUTDOWN_ACK_SENT)) { + sctp_send_shutdown_ack(stcb, + stcb->asoc.primary_destination); + *offset = length; + sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + sctp_handle_init(m, iphlen, *offset, sh, + (struct sctp_init_chunk *)ch, inp, stcb, *netp); + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + break; + case SCTP_INITIATION_ACK: + /* must be first and only chunk */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_INIT-ACK\n"); + } +#endif /* SCTP_DEBUG */ + if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { + /* We are not interested anymore */ + if ((stcb) && (stcb->asoc.total_output_queue_size)) { + ; + } else { + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + *offset = length; + if (stcb) { + sctp_free_assoc(inp, stcb, 0); + } + return (NULL); + } + } + if ((num_chunks > 1) || + (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + } + ret = sctp_handle_init_ack(m, iphlen, *offset, sh, + (struct sctp_init_ack_chunk *)ch, stcb, *netp); + /* + * Special case, I must call the output routine to + * get the cookie echoed + */ + if ((stcb) && ret == 0) + sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + return (NULL); + break; + case SCTP_SELECTIVE_ACK: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_SACK\n"); + } +#endif /* SCTP_DEBUG */ + SCTP_STAT_INCR(sctps_recvsacks); + { + struct sctp_sack_chunk *sack; + int abort_now = 0; + uint32_t a_rwnd, cum_ack; + uint16_t num_seg; + int nonce_sum_flag; + + sack = (struct sctp_sack_chunk *)ch; + + nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; + cum_ack = ntohl(sack->sack.cum_tsn_ack); + num_seg = ntohs(sack->sack.num_gap_ack_blks); + a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); + stcb->asoc.seen_a_sack_this_pkt = 1; + if ((stcb->asoc.pr_sctp_cnt == 0) && + (num_seg == 0) && + ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || + (cum_ack == stcb->asoc.last_acked_seq)) && + (stcb->asoc.saw_sack_with_frags == 0) && + (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) + ) { + /* + * We have a SIMPLE sack having no + * prior segments and data on sent + * queue to be acked.. Use the + * faster path sack processing. We + * also allow window update sacks + * with no missing segments to go + * this way too. + */ + sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); + } else { + sctp_handle_sack(sack, stcb, *netp, &abort_now); + } + if (abort_now) { + /* ABORT signal from sack processing */ + *offset = length; + return (NULL); + } + } + break; + case SCTP_HEARTBEAT_REQUEST: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_HEARTBEAT\n"); + } +#endif /* SCTP_DEBUG */ + SCTP_STAT_INCR(sctps_recvheartbeat); + sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, + *netp); + + /* He's alive so give him credit */ + stcb->asoc.overall_error_count = 0; + break; + case SCTP_HEARTBEAT_ACK: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_HEARTBEAT-ACK\n"); + } +#endif /* SCTP_DEBUG */ + + /* He's alive so give him credit */ + stcb->asoc.overall_error_count = 0; + SCTP_STAT_INCR(sctps_recvheartbeatack); + sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, + stcb, *netp); + break; + case SCTP_ABORT_ASSOCIATION: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_ABORT\n"); + } +#endif /* SCTP_DEBUG */ + sctp_handle_abort((struct sctp_abort_chunk *)ch, + stcb, *netp); + *offset = length; + return (NULL); + break; + case SCTP_SHUTDOWN: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_SHUTDOWN\n"); + } +#endif /* SCTP_DEBUG */ + { + int abort_flag = 0; + + sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, + stcb, *netp, &abort_flag); + if (abort_flag) { + *offset = length; + return (NULL); + } + } + break; + case SCTP_SHUTDOWN_ACK: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_SHUTDOWN-ACK\n"); + } +#endif /* SCTP_DEBUG */ + sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); + *offset = length; + return (NULL); + break; + case SCTP_OPERATION_ERROR: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_OP-ERR\n"); + } +#endif /* SCTP_DEBUG */ + if (sctp_handle_error(ch, stcb, *netp) < 0) { + *offset = length; + return (NULL); + } + break; + case SCTP_COOKIE_ECHO: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); + } +#endif /* SCTP_DEBUG */ + if ((stcb) && (stcb->asoc.total_output_queue_size)) { + ; + } else { + if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && + (stcb == NULL)) { + /* We are not interested anymore */ + *offset = length; + return (NULL); + } + } + /* + * First are we accepting? We do this again here + * since it is possible that a previous endpoint WAS + * listening responded to a INIT-ACK and then + * closed. We opened and bound.. and are now no + * longer listening. + */ + if (inp->sctp_socket->so_qlimit == 0) { + if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { + /* + * special case, is this a retran'd + * COOKIE-ECHO or a restarting assoc + * that is a peeled off or + * one-to-one style socket. + */ + goto process_cookie_anyway; + } + sctp_abort_association(inp, stcb, m, iphlen, sh, + NULL); + *offset = length; + return (NULL); + } else if (inp->sctp_socket->so_qlimit) { + /* we are accepting so check limits like TCP */ + if (inp->sctp_socket->so_qlen > + inp->sctp_socket->so_qlimit) { + /* no space */ + struct mbuf *oper; + struct sctp_paramhdr *phdr; + + if (sctp_abort_if_one_2_one_hits_limit) { + oper = NULL; + oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), + 1, M_DONTWAIT, 1, MT_DATA); + if (oper) { + oper->m_len = + oper->m_pkthdr.len = + sizeof(struct sctp_paramhdr); + phdr = mtod(oper, + struct sctp_paramhdr *); + phdr->param_type = + htons(SCTP_CAUSE_OUT_OF_RESC); + phdr->param_length = + htons(sizeof(struct sctp_paramhdr)); + } + sctp_abort_association(inp, stcb, m, + iphlen, sh, oper); + } + *offset = length; + return (NULL); + } + } + process_cookie_anyway: + { + struct mbuf *ret_buf; + + ret_buf = + sctp_handle_cookie_echo(m, iphlen, + *offset, sh, + (struct sctp_cookie_echo_chunk *)ch, + &inp, &stcb, netp, + auth_skipped, + auth_offset, + auth_len); + + if (ret_buf == NULL) { + if (locked_tcb) { + SCTP_TCB_UNLOCK(locked_tcb); + } +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("GAK, null buffer\n"); + } +#endif /* SCTP_DEBUG */ + auth_skipped = 0; + *offset = length; + return (NULL); + } + /* if AUTH skipped, see if it verified... */ + if (auth_skipped) { + got_auth = 1; + auth_skipped = 0; + } + if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { + /* + * Restart the timer if we have + * pending data + */ + struct sctp_tmit_chunk *chk; + + chk = TAILQ_FIRST(&stcb->asoc.sent_queue); + if (chk) { + sctp_timer_start(SCTP_TIMER_TYPE_SEND, + stcb->sctp_ep, stcb, + chk->whoTo); + } + } + } + break; + case SCTP_COOKIE_ACK: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_COOKIE-ACK\n"); + } +#endif /* SCTP_DEBUG */ + + if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { + /* We are not interested anymore */ + if ((stcb) && (stcb->asoc.total_output_queue_size)) { + ; + } else { + sctp_free_assoc(inp, stcb, 0); + *offset = length; + return (NULL); + } + } + /* He's alive so give him credit */ + stcb->asoc.overall_error_count = 0; + sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); + break; + case SCTP_ECN_ECHO: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_ECN-ECHO\n"); + } +#endif /* SCTP_DEBUG */ + /* He's alive so give him credit */ + stcb->asoc.overall_error_count = 0; + sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, + stcb); + break; + case SCTP_ECN_CWR: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_ECN-CWR\n"); + } +#endif /* SCTP_DEBUG */ + /* He's alive so give him credit */ + stcb->asoc.overall_error_count = 0; + + sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); + break; + case SCTP_SHUTDOWN_COMPLETE: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_SHUTDOWN-COMPLETE\n"); + } +#endif /* SCTP_DEBUG */ + /* must be first and only chunk */ + if ((num_chunks > 1) || + (length - *offset > SCTP_SIZE32(chk_length))) { + *offset = length; + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + + return (NULL); + } + sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, + stcb, *netp); + *offset = length; + return (NULL); + break; + case SCTP_ASCONF: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_ASCONF\n"); + } +#endif /* SCTP_DEBUG */ + /* He's alive so give him credit */ + stcb->asoc.overall_error_count = 0; + + sctp_handle_asconf(m, *offset, + (struct sctp_asconf_chunk *)ch, stcb); + break; + case SCTP_ASCONF_ACK: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_ASCONF-ACK\n"); + } +#endif /* SCTP_DEBUG */ + /* He's alive so give him credit */ + stcb->asoc.overall_error_count = 0; + + sctp_handle_asconf_ack(m, *offset, + (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); + break; + case SCTP_FORWARD_CUM_TSN: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_FWD-TSN\n"); + } +#endif /* SCTP_DEBUG */ + /* He's alive so give him credit */ + { + int abort_flag = 0; + + stcb->asoc.overall_error_count = 0; + *fwd_tsn_seen = 1; + if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { + /* We are not interested anymore */ + sctp_free_assoc(inp, stcb, 0); + *offset = length; + return (NULL); + } + sctp_handle_forward_tsn(stcb, + (struct sctp_forward_tsn_chunk *)ch, &abort_flag); + if (abort_flag) { + *offset = length; + return (NULL); + } else { + stcb->asoc.overall_error_count = 0; + } + + } + break; + case SCTP_STREAM_RESET: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_STREAM_RESET\n"); + } +#endif /* SCTP_DEBUG */ + ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, + chk_length, chunk_buf); + if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { + /* We are not interested anymore */ + sctp_free_assoc(inp, stcb, 0); + *offset = length; + return (NULL); + } + if (stcb->asoc.peer_supports_strreset == 0) { + /* + * hmm, peer should have announced this, but + * we will turn it on since he is sending us + * a stream reset. + */ + stcb->asoc.peer_supports_strreset = 1; + } + if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { + /* stop processing */ + *offset = length; + return (NULL); + } + break; + case SCTP_PACKET_DROPPED: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_PACKET_DROPPED\n"); + } +#endif /* SCTP_DEBUG */ + /* re-get it all please */ + ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, + chk_length, chunk_buf); + + sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, + stcb, *netp); + + break; + + case SCTP_AUTHENTICATION: +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("SCTP_AUTHENTICATION\n"); + } +#endif /* SCTP_DEBUG */ + if (sctp_auth_disable) + goto unknown_chunk; + + if (stcb == NULL) { + /* save the first AUTH for later processing */ + if (auth_skipped == 0) { + auth_offset = *offset; + auth_len = chk_length; + auth_skipped = 1; + } + /* skip this chunk (temporarily) */ + goto next_chunk; + } + if (got_auth == 1) { + /* skip this chunk... it's already auth'd */ + goto next_chunk; + } + ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, + chk_length, chunk_buf); + got_auth = 1; + if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, + m, *offset)) { + /* auth HMAC failed so dump the packet */ + *offset = length; + return (stcb); + } else { + /* remaining chunks are HMAC checked */ + stcb->asoc.authenticated = 1; + } + break; + + default: + unknown_chunk: + /* it's an unknown chunk! */ + if ((ch->chunk_type & 0x40) && (stcb != NULL)) { + struct mbuf *mm; + struct sctp_paramhdr *phd; + + mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), + 1, M_DONTWAIT, 1, MT_DATA); + if (mm) { + phd = mtod(mm, struct sctp_paramhdr *); + /* + * We cheat and use param type since + * we did not bother to define a + * error cause struct. They are the + * same basic format with different + * names. + */ + phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); + phd->param_length = htons(chk_length + sizeof(*phd)); + mm->m_len = sizeof(*phd); + mm->m_next = sctp_m_copym(m, *offset, SCTP_SIZE32(chk_length), + M_DONTWAIT); + if (mm->m_next) { + mm->m_pkthdr.len = SCTP_SIZE32(chk_length) + sizeof(*phd); + sctp_queue_op_err(stcb, mm); + } else { + sctp_m_freem(mm); + } + } + } + if ((ch->chunk_type & 0x80) == 0) { + /* discard this packet */ + *offset = length; + return (stcb); + } /* else skip this bad chunk and continue... */ + break; + } /* switch (ch->chunk_type) */ + + +next_chunk: + /* get the next chunk */ + *offset += SCTP_SIZE32(chk_length); + if (*offset >= length) { + /* no more data left in the mbuf chain */ + break; + } + ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, + sizeof(struct sctp_chunkhdr), chunk_buf); + if (ch == NULL) { + if (locked_tcb) + SCTP_TCB_UNLOCK(locked_tcb); + *offset = length; + return (NULL); + } + } /* while */ + return (stcb); +} + + +/* + * Process the ECN bits we have something set so we must look to see if it is + * ECN(0) or ECN(1) or CE + */ +static __inline void +sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, + uint8_t ecn_bits) +{ + if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { + ; + } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { + /* + * we only add to the nonce sum for ECT1, ECT0 does not + * change the NS bit (that we have yet to find a way to send + * it yet). + */ + + /* ECN Nonce stuff */ + stcb->asoc.receiver_nonce_sum++; + stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; + + /* + * Drag up the last_echo point if cumack is larger since we + * don't want the point falling way behind by more than + * 2^^31 and then having it be incorrect. + */ + if (compare_with_wrap(stcb->asoc.cumulative_tsn, + stcb->asoc.last_echo_tsn, MAX_TSN)) { + stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; + } + } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { + /* + * Drag up the last_echo point if cumack is larger since we + * don't want the point falling way behind by more than + * 2^^31 and then having it be incorrect. + */ + if (compare_with_wrap(stcb->asoc.cumulative_tsn, + stcb->asoc.last_echo_tsn, MAX_TSN)) { + stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; + } + } +} + +static __inline void +sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, + uint32_t high_tsn, uint8_t ecn_bits) +{ + if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { + /* + * we possibly must notify the sender that a congestion + * window reduction is in order. We do this by adding a ECNE + * chunk to the output chunk queue. The incoming CWR will + * remove this chunk. + */ + if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, + MAX_TSN)) { + /* Yep, we need to add a ECNE */ + sctp_send_ecn_echo(stcb, net, high_tsn); + stcb->asoc.last_echo_tsn = high_tsn; + } + } +} + +/* + * common input chunk processing (v4 and v6) + */ +int +sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, + int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, + struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, + uint8_t ecn_bits) +{ + /* + * Control chunk processing + */ + uint32_t high_tsn; + int fwd_tsn_seen = 0, data_processed = 0; + struct mbuf *m = *mm; + int abort_flag = 0; + int un_sent; + + SCTP_STAT_INCR(sctps_recvdatagrams); +#ifdef SCTP_AUDITING_ENABLED + sctp_audit_log(0xE0, 1); + sctp_auditing(0, inp, stcb, net); +#endif + +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Ok, Common input processing called, m:%x iphlen:%d offset:%d\n", + (uint32_t) m, iphlen, offset); + } +#endif /* SCTP_DEBUG */ + + if (stcb) { + /* always clear this before beginning a packet */ + stcb->asoc.authenticated = 0; + stcb->asoc.seen_a_sack_this_pkt = 0; + } + if (IS_SCTP_CONTROL(ch)) { + /* process the control portion of the SCTP packet */ + stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, + inp, stcb, &net, &fwd_tsn_seen); + if (stcb) { + /* + * This covers us if the cookie-echo was there and + * it changes our INP. + */ + inp = stcb->sctp_ep; + } + } else { + /* + * no control chunks, so pre-process DATA chunks (these + * checks are taken care of by control processing) + */ + + /* + * if DATA only packet, and auth is required, then punt... + * can't have authenticated without any AUTH (control) + * chunks + */ + if ((stcb != NULL) && !sctp_auth_disable && + sctp_auth_is_required_chunk(SCTP_DATA, + stcb->asoc.local_auth_chunks)) { + /* "silently" ignore */ + SCTP_STAT_INCR(sctps_recvauthmissing); + SCTP_TCB_UNLOCK(stcb); + return (1); + } + if (stcb == NULL) { + /* out of the blue DATA chunk */ + sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); + return (1); + } + if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { + /* v_tag mismatch! */ + SCTP_STAT_INCR(sctps_badvtag); + SCTP_TCB_UNLOCK(stcb); + return (1); + } + } + + if (stcb == NULL) { + /* + * no valid TCB for this packet, or we found it's a bad + * packet while processing control, or we're done with this + * packet (done or skip rest of data), so we drop it... + */ + return (1); + } + /* + * DATA chunk processing + */ + /* plow through the data chunks while length > offset */ + + /* + * Rest should be DATA only. Check authentication state if AUTH for + * DATA is required. + */ + if ((stcb != NULL) && !sctp_auth_disable && + sctp_auth_is_required_chunk(SCTP_DATA, + stcb->asoc.local_auth_chunks) && + !stcb->asoc.authenticated) { + /* "silently" ignore */ + SCTP_STAT_INCR(sctps_recvauthmissing); +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_AUTH1) + printf("Data chunk requires AUTH, skipped\n"); +#endif + SCTP_TCB_UNLOCK(stcb); + return (1); + } + if (length > offset) { + int retval; + + /* + * First check to make sure our state is correct. We would + * not get here unless we really did have a tag, so we don't + * abort if this happens, just dump the chunk silently. + */ + switch (SCTP_GET_STATE(&stcb->asoc)) { + case SCTP_STATE_COOKIE_ECHOED: + /* + * we consider data with valid tags in this state + * shows us the cookie-ack was lost. Imply it was + * there. + */ + stcb->asoc.overall_error_count = 0; + sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); + break; + case SCTP_STATE_COOKIE_WAIT: + /* + * We consider OOTB any data sent during asoc setup. + */ + sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); + SCTP_TCB_UNLOCK(stcb); + return (1); + break; + case SCTP_STATE_EMPTY: /* should not happen */ + case SCTP_STATE_INUSE: /* should not happen */ + case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ + case SCTP_STATE_SHUTDOWN_ACK_SENT: + default: + SCTP_TCB_UNLOCK(stcb); + return (1); + break; + case SCTP_STATE_OPEN: + case SCTP_STATE_SHUTDOWN_SENT: + break; + } + /* take care of ECN, part 1. */ + if (stcb->asoc.ecn_allowed && + (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { + sctp_process_ecn_marked_a(stcb, net, ecn_bits); + } + /* plow through the data chunks while length > offset */ + retval = sctp_process_data(mm, iphlen, &offset, length, sh, + inp, stcb, net, &high_tsn); + if (retval == 2) { + /* + * The association aborted, NO UNLOCK needed since + * the association is destroyed. + */ + return (0); + } + data_processed = 1; + if (retval == 0) { + /* take care of ecn part 2. */ + if (stcb->asoc.ecn_allowed && + (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { + sctp_process_ecn_marked_b(stcb, net, high_tsn, + ecn_bits); + } + } + /* + * Anything important needs to have been m_copy'ed in + * process_data + */ + } + if ((data_processed == 0) && (fwd_tsn_seen)) { + int was_a_gap = 0; + + if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, + stcb->asoc.cumulative_tsn, MAX_TSN)) { + /* there was a gap before this data was processed */ + was_a_gap = 1; + } + sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); + if (abort_flag) { + /* Again, we aborted so NO UNLOCK needed */ + return (0); + } + } + /* trigger send of any chunks in queue... */ +#ifdef SCTP_AUDITING_ENABLED + sctp_audit_log(0xE0, 2); + sctp_auditing(1, inp, stcb, net); +#endif +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Check for chunk output prw:%d tqe:%d tf=%d\n", + stcb->asoc.peers_rwnd, + TAILQ_EMPTY(&stcb->asoc.control_send_queue), + stcb->asoc.total_flight); + } +#endif + un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); + + if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || + ((un_sent) && + (stcb->asoc.peers_rwnd > 0 || + (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("Calling chunk OUTPUT\n"); + } +#endif + sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT3) { + printf("chunk OUTPUT returns\n"); + } +#endif + } +#ifdef SCTP_AUDITING_ENABLED + sctp_audit_log(0xE0, 3); + sctp_auditing(2, inp, stcb, net); +#endif + SCTP_TCB_UNLOCK(stcb); + return (0); +} + +extern int sctp_no_csum_on_loopback; + + +void +sctp_input(m, off) + struct mbuf *m; + int off; + +{ +#ifdef SCTP_MBUF_LOGGING + struct mbuf *mat; + +#endif + int iphlen; + int s; + uint8_t ecn_bits; + struct ip *ip; + struct sctphdr *sh; + struct sctp_inpcb *inp = NULL; + + uint32_t check, calc_check; + struct sctp_nets *net; + struct sctp_tcb *stcb = NULL; + struct sctp_chunkhdr *ch; + int refcount_up = 0; + int length, mlen, offset; + + + iphlen = off; + net = NULL; + SCTP_STAT_INCR(sctps_recvpackets); + SCTP_STAT_INCR_COUNTER64(sctps_inpackets); + + /* + * Strip IP options, we don't allow any in or out. + */ +#ifdef SCTP_MBUF_LOGGING + /* Log in any input mbufs */ + mat = m; + while (mat) { + if (mat->m_flags & M_EXT) { + sctp_log_mb(mat, SCTP_MBUF_INPUT); + } + mat = mat->m_next; + } +#endif + if ((size_t)iphlen > sizeof(struct ip)) { + ip_stripoptions(m, (struct mbuf *)0); + iphlen = sizeof(struct ip); + } + /* + * Get IP, SCTP, and first chunk header together in first mbuf. + */ + ip = mtod(m, struct ip *); + offset = iphlen + sizeof(*sh) + sizeof(*ch); + if (m->m_len < offset) { + if ((m = m_pullup(m, offset)) == 0) { + SCTP_STAT_INCR(sctps_hdrops); + return; + } + ip = mtod(m, struct ip *); + } + sh = (struct sctphdr *)((caddr_t)ip + iphlen); + ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); + + /* SCTP does not allow broadcasts or multicasts */ + if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { + goto bad; + } + if (((ch->chunk_type == SCTP_INITIATION) || + (ch->chunk_type == SCTP_INITIATION_ACK) || + (ch->chunk_type == SCTP_COOKIE_ECHO)) && + (in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))) { + /* + * We only look at broadcast if its a front state, All + * others we will not have a tcb for anyway. + */ + goto bad; + } + /* destination port of 0 is illegal, based on RFC2960. */ + if (sh->dest_port == 0) { + SCTP_STAT_INCR(sctps_hdrops); + goto bad; + } + /* validate SCTP checksum */ + if ((sctp_no_csum_on_loopback == 0) || + (m->m_pkthdr.rcvif == NULL) || + (m->m_pkthdr.rcvif->if_type != IFT_LOOP)) { + /* + * we do NOT validate things from the loopback if the sysctl + * is set to 1. + */ + check = sh->checksum; /* save incoming checksum */ + if ((check == 0) && (sctp_no_csum_on_loopback)) { + /* + * special hook for where we got a local address + * somehow routed across a non IFT_LOOP type + * interface + */ + if (ip->ip_src.s_addr == ip->ip_dst.s_addr) + goto sctp_skip_csum_4; + } + sh->checksum = 0; /* prepare for calc */ + calc_check = sctp_calculate_sum(m, &mlen, iphlen); + if (calc_check != check) { +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%x mlen:%d iphlen:%d\n", + calc_check, check, (uint32_t) m, mlen, iphlen); + } +#endif + + stcb = sctp_findassociation_addr(m, iphlen, + offset - sizeof(*ch), + sh, ch, &inp, &net); + if ((inp) && (stcb)) { + sctp_send_packet_dropped(stcb, net, m, iphlen, 1); + sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); + } else if ((inp != NULL) && (stcb == NULL)) { + refcount_up = 1; + } + SCTP_STAT_INCR(sctps_badsum); + SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); + goto bad; + } + sh->checksum = calc_check; + } else { +sctp_skip_csum_4: + mlen = m->m_pkthdr.len; + } + /* validate mbuf chain length with IP payload length */ + if (mlen < (ip->ip_len - iphlen)) { + SCTP_STAT_INCR(sctps_hdrops); + goto bad; + } + /* + * Locate pcb and tcb for datagram sctp_findassociation_addr() wants + * IP/SCTP/first chunk header... + */ + stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), + sh, ch, &inp, &net); + /* inp's ref-count increased && stcb locked */ + if (inp == NULL) { + struct sctp_init_chunk *init_chk, chunk_buf; + + SCTP_STAT_INCR(sctps_noport); +#ifdef ICMP_BANDLIM + /* + * we use the bandwidth limiting to protect against sending + * too many ABORTS all at once. In this case these count the + * same as an ICMP message. + */ + if (badport_bandlim(0) < 0) + goto bad; +#endif /* ICMP_BANDLIM */ +#ifdef SCTP_DEBUG + if (sctp_debug_on & SCTP_DEBUG_INPUT1) { + printf("Sending a ABORT from packet entry!\n"); + } +#endif + if (ch->chunk_type == SCTP_INITIATION) { + /* + * we do a trick here to get the INIT tag, dig in + * and get the tag from the INIT and put it in the + * common header. + */ + init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, + iphlen + sizeof(*sh), sizeof(*init_chk), + (uint8_t *) & chunk_buf); + if (init_chk != NULL) + sh->v_tag = init_chk->init.initiate_tag; + } + sctp_send_abort(m, iphlen, sh, 0, NULL); + goto bad; + } else if (stcb == NULL) { + refcount_up = 1; + } +#ifdef IPSEC + /* + * I very much doubt any of the IPSEC stuff will work but I have no + * idea, so I will leave it in place. + */ + + if (ipsec4_in_reject_so(m, inp->ip_inp.inp.inp_socket)) { + ipsecstat.in_polvio++; + SCTP_STAT_INCR(sctps_hdrops); + goto bad; + } +#endif /* IPSEC */ + + + + /* + * common chunk processing + */ + length = ip->ip_len + iphlen; + offset -= sizeof(struct sctp_chunkhdr); + + ecn_bits = ip->ip_tos; + s = splnet(); + + sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, + inp, stcb, net, ecn_bits); + /* inp's ref-count reduced && stcb unlocked */ + splx(s); + if (m) { + sctp_m_freem(m); + } + if ((inp) && (refcount_up)) { + /* reduce ref-count */ + SCTP_INP_WLOCK(inp); + SCTP_INP_DECR_REF(inp); + SCTP_INP_WUNLOCK(inp); + } + return; +bad: + if (stcb) + SCTP_TCB_UNLOCK(stcb); + + if ((inp) && (refcount_up)) { + /* reduce ref-count */ + SCTP_INP_WLOCK(inp); + SCTP_INP_DECR_REF(inp); + SCTP_INP_WUNLOCK(inp); + } + if (m) { + sctp_m_freem(m); + } + return; +} |
