sctp_input.c revision 1.12
1 /* $KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $ */ 2 /* $NetBSD: sctp_input.c,v 1.12 2019/02/12 14:40:38 rjs Exp $ */ 3 4 /* 5 * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc, 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.12 2019/02/12 14:40:38 rjs Exp $"); 35 36 #ifdef _KERNEL_OPT 37 #include "opt_ipsec.h" 38 #include "opt_inet.h" 39 #include "opt_sctp.h" 40 #endif /* _KERNEL_OPT */ 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/socket.h> 47 #include <sys/socketvar.h> 48 #include <sys/sysctl.h> 49 #include <sys/domain.h> 50 #include <sys/protosw.h> 51 #include <sys/kernel.h> 52 #include <sys/errno.h> 53 #include <sys/syslog.h> 54 55 #include <machine/limits.h> 56 #include <machine/cpu.h> 57 58 #include <net/if.h> 59 #include <net/route.h> 60 #include <net/if_types.h> 61 62 #include <netinet/in.h> 63 #include <netinet/in_systm.h> 64 #include <netinet/ip.h> 65 #include <netinet/in_pcb.h> 66 #include <netinet/in_var.h> 67 #include <netinet/ip_var.h> 68 69 #ifdef INET6 70 #include <netinet/ip6.h> 71 #include <netinet6/ip6_var.h> 72 #endif /* INET6 */ 73 74 #include <netinet/ip_icmp.h> 75 #include <netinet/icmp_var.h> 76 #include <netinet/sctp_var.h> 77 #include <netinet/sctp_pcb.h> 78 #include <netinet/sctp_header.h> 79 #include <netinet/sctputil.h> 80 #include <netinet/sctp_output.h> 81 #include <netinet/sctp_input.h> 82 #include <netinet/sctp_hashdriver.h> 83 #include <netinet/sctp_indata.h> 84 #include <netinet/sctp_asconf.h> 85 86 #ifdef IPSEC 87 #include <netipsec/ipsec.h> 88 #include <netipsec/key.h> 89 #endif /*IPSEC*/ 90 91 #ifdef SCTP_DEBUG 92 extern u_int32_t sctp_debug_on; 93 #endif 94 95 /* INIT handler */ 96 static void 97 sctp_handle_init(struct mbuf *m, int iphlen, int offset, 98 struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp, 99 struct sctp_tcb *stcb, struct sctp_nets *net) 100 { 101 struct sctp_init *init; 102 struct mbuf *op_err; 103 #ifdef SCTP_DEBUG 104 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 105 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 106 } 107 #endif 108 op_err = NULL; 109 init = &cp->init; 110 /* First are we accepting? */ 111 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 112 (inp->sctp_socket->so_qlimit == 0)) { 113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 114 return; 115 } 116 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 117 /* Invalid length */ 118 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 119 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 120 return; 121 } 122 /* validate parameters */ 123 if (init->initiate_tag == 0) { 124 /* protocol error... send abort */ 125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 126 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 127 return; 128 } 129 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 130 /* invalid parameter... send abort */ 131 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 132 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 133 return; 134 } 135 if (init->num_inbound_streams == 0) { 136 /* protocol error... send abort */ 137 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 138 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 139 return; 140 } 141 if (init->num_outbound_streams == 0) { 142 /* protocol error... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 return; 146 } 147 148 /* send an INIT-ACK w/cookie */ 149 #ifdef SCTP_DEBUG 150 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 151 printf("sctp_handle_init: sending INIT-ACK\n"); 152 } 153 #endif 154 155 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 156 } 157 158 /* 159 * process peer "INIT/INIT-ACK" chunk 160 * returns value < 0 on error 161 */ 162 163 static int 164 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 165 struct sctp_nets *net) 166 { 167 struct sctp_init *init; 168 struct sctp_association *asoc; 169 struct sctp_nets *lnet; 170 unsigned int i; 171 172 init = &cp->init; 173 asoc = &stcb->asoc; 174 /* save off parameters */ 175 asoc->peer_vtag = ntohl(init->initiate_tag); 176 asoc->peers_rwnd = ntohl(init->a_rwnd); 177 178 if (TAILQ_FIRST(&asoc->nets)) { 179 /* update any ssthresh's that may have a default */ 180 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 181 lnet->ssthresh = asoc->peers_rwnd; 182 } 183 } 184 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 185 unsigned int newcnt; 186 struct sctp_stream_out *outs; 187 struct sctp_tmit_chunk *chk; 188 189 /* cut back on number of streams */ 190 newcnt = ntohs(init->num_inbound_streams); 191 /* This if is probably not needed but I am cautious */ 192 if (asoc->strmout) { 193 /* First make sure no data chunks are trapped */ 194 for (i=newcnt; i < asoc->pre_open_streams; i++) { 195 outs = &asoc->strmout[i]; 196 chk = TAILQ_FIRST(&outs->outqueue); 197 while (chk) { 198 TAILQ_REMOVE(&outs->outqueue, chk, 199 sctp_next); 200 asoc->stream_queue_cnt--; 201 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, 202 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 203 chk); 204 if (chk->data) { 205 sctp_m_freem(chk->data); 206 chk->data = NULL; 207 } 208 sctp_free_remote_addr(chk->whoTo); 209 chk->whoTo = NULL; 210 chk->asoc = NULL; 211 /* Free the chunk */ 212 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 213 sctppcbinfo.ipi_count_chunk--; 214 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 215 panic("Chunk count is negative"); 216 } 217 sctppcbinfo.ipi_gencnt_chunk++; 218 chk = TAILQ_FIRST(&outs->outqueue); 219 } 220 } 221 } 222 /* cut back the count and abandon the upper streams */ 223 asoc->pre_open_streams = newcnt; 224 } 225 asoc->streamincnt = ntohs(init->num_outbound_streams); 226 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 227 asoc->streamincnt = MAX_SCTP_STREAMS; 228 } 229 230 asoc->streamoutcnt = asoc->pre_open_streams; 231 /* init tsn's */ 232 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 233 #ifdef SCTP_MAP_LOGGING 234 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 235 #endif 236 /* This is the next one we expect */ 237 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 238 239 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 240 asoc->cumulative_tsn = asoc->asconf_seq_in; 241 asoc->last_echo_tsn = asoc->asconf_seq_in; 242 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 243 /* open the requested streams */ 244 if (asoc->strmin != NULL) { 245 /* Free the old ones */ 246 free(asoc->strmin, M_PCB); 247 } 248 asoc->strmin = malloc(asoc->streamincnt * sizeof(struct sctp_stream_in), 249 M_PCB, M_NOWAIT); 250 if (asoc->strmin == NULL) { 251 /* we didn't get memory for the streams! */ 252 #ifdef SCTP_DEBUG 253 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 254 printf("process_init: couldn't get memory for the streams!\n"); 255 } 256 #endif 257 return (-1); 258 } 259 for (i = 0; i < asoc->streamincnt; i++) { 260 asoc->strmin[i].stream_no = i; 261 asoc->strmin[i].last_sequence_delivered = 0xffff; 262 /* 263 * U-stream ranges will be set when the cookie 264 * is unpacked. Or for the INIT sender they 265 * are un set (if pr-sctp not supported) when the 266 * INIT-ACK arrives. 267 */ 268 TAILQ_INIT(&asoc->strmin[i].inqueue); 269 /* 270 * we are not on any wheel, pr-sctp streams 271 * will go on the wheel when they have data waiting 272 * for reorder. 273 */ 274 asoc->strmin[i].next_spoke.tqe_next = 0; 275 asoc->strmin[i].next_spoke.tqe_prev = 0; 276 } 277 278 /* 279 * load_address_from_init will put the addresses into the 280 * association when the COOKIE is processed or the INIT-ACK 281 * is processed. Both types of COOKIE's existing and new 282 * call this routine. It will remove addresses that 283 * are no longer in the association (for the restarting 284 * case where addresses are removed). Up front when the 285 * INIT arrives we will discard it if it is a restart 286 * and new addresses have been added. 287 */ 288 return (0); 289 } 290 291 /* 292 * INIT-ACK message processing/consumption 293 * returns value < 0 on error 294 */ 295 static int 296 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 297 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 298 struct sctp_nets *net) 299 { 300 struct sctp_association *asoc; 301 struct mbuf *op_err; 302 int retval, abort_flag; 303 uint32_t initack_limit; 304 /* First verify that we have no illegal param's */ 305 abort_flag = 0; 306 op_err = NULL; 307 308 op_err = sctp_arethere_unrecognized_parameters(m, 309 (offset+sizeof(struct sctp_init_chunk)) , 310 &abort_flag, (struct sctp_chunkhdr *)cp); 311 if (abort_flag) { 312 /* Send an abort and notify peer */ 313 if (op_err != NULL) { 314 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 315 } else { 316 /* 317 * Just notify (abort_assoc does this if 318 * we send an abort). 319 */ 320 sctp_abort_notification(stcb, 0); 321 /* 322 * No sense in further INIT's since 323 * we will get the same param back 324 */ 325 sctp_free_assoc(stcb->sctp_ep, stcb); 326 } 327 return (-1); 328 } 329 asoc = &stcb->asoc; 330 /* process the peer's parameters in the INIT-ACK */ 331 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 332 if (retval < 0) { 333 return (retval); 334 } 335 336 initack_limit = offset + ntohs(cp->ch.chunk_length); 337 /* load all addresses */ 338 if (sctp_load_addresses_from_init(stcb, m, iphlen, 339 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 340 NULL)) { 341 /* Huh, we should abort */ 342 sctp_abort_notification(stcb, 0); 343 sctp_free_assoc(stcb->sctp_ep, stcb); 344 return (-1); 345 } 346 if (op_err) { 347 sctp_queue_op_err(stcb, op_err); 348 /* queuing will steal away the mbuf chain to the out queue */ 349 op_err = NULL; 350 } 351 /* extract the cookie and queue it to "echo" it back... */ 352 stcb->asoc.overall_error_count = 0; 353 net->error_count = 0; 354 retval = sctp_send_cookie_echo(m, offset, stcb, net); 355 if (retval < 0) { 356 /* 357 * No cookie, we probably should send a op error. 358 * But in any case if there is no cookie in the INIT-ACK, 359 * we can abandon the peer, its broke. 360 */ 361 if (retval == -3) { 362 /* We abort with an error of missing mandatory param */ 363 op_err = 364 sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM); 365 if (op_err) { 366 /* 367 * Expand beyond to include the mandatory 368 * param cookie 369 */ 370 struct sctp_inv_mandatory_param *mp; 371 op_err->m_len = 372 sizeof(struct sctp_inv_mandatory_param); 373 mp = mtod(op_err, 374 struct sctp_inv_mandatory_param *); 375 /* Subtract the reserved param */ 376 mp->length = 377 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 378 mp->num_param = htonl(1); 379 mp->param = htons(SCTP_STATE_COOKIE); 380 mp->resv = 0; 381 } 382 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 383 sh, op_err); 384 } 385 return (retval); 386 } 387 388 /* 389 * Cancel the INIT timer, We do this first before queueing 390 * the cookie. We always cancel at the primary to assue that 391 * we are canceling the timer started by the INIT which always 392 * goes to the primary. 393 */ 394 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 395 asoc->primary_destination); 396 397 /* calculate the RTO */ 398 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 399 400 return (0); 401 } 402 403 static void 404 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 405 struct sctp_tcb *stcb, struct sctp_nets *net) 406 { 407 struct sockaddr_storage store; 408 struct sockaddr_in *sin; 409 struct sockaddr_in6 *sin6; 410 struct sctp_nets *r_net; 411 struct timeval tv; 412 413 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 414 /* Invalid length */ 415 return; 416 } 417 418 sin = (struct sockaddr_in *)&store; 419 sin6 = (struct sockaddr_in6 *)&store; 420 421 memset(&store, 0, sizeof(store)); 422 if (cp->heartbeat.hb_info.addr_family == AF_INET && 423 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 424 sin->sin_family = cp->heartbeat.hb_info.addr_family; 425 sin->sin_len = cp->heartbeat.hb_info.addr_len; 426 sin->sin_port = stcb->rport; 427 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 428 sizeof(sin->sin_addr)); 429 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 430 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 431 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 432 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 433 sin6->sin6_port = stcb->rport; 434 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 435 sizeof(sin6->sin6_addr)); 436 } else { 437 #ifdef SCTP_DEBUG 438 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 439 printf("unsupported address family"); 440 } 441 #endif 442 return; 443 } 444 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 445 if (r_net == NULL) { 446 #ifdef SCTP_DEBUG 447 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 448 printf("Huh? I can't find the address I sent it to, discard\n"); 449 } 450 #endif 451 return; 452 } 453 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 454 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 455 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 456 /* 457 * If the its a HB and it's random value is correct when 458 * can confirm the destination. 459 */ 460 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 461 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 462 stcb, 0, (void *)r_net); 463 } 464 r_net->error_count = 0; 465 r_net->hb_responded = 1; 466 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 467 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 468 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 469 r_net->dest_state = SCTP_ADDR_REACHABLE; 470 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 471 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 472 473 /* now was it the primary? if so restore */ 474 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 475 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 476 } 477 } 478 /* Now lets do a RTO with this */ 479 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 480 } 481 482 static void 483 sctp_handle_abort(struct sctp_abort_chunk *cp, 484 struct sctp_tcb *stcb, struct sctp_nets *net) 485 { 486 487 #ifdef SCTP_DEBUG 488 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 489 printf("sctp_handle_abort: handling ABORT\n"); 490 } 491 #endif 492 if (stcb == NULL) 493 return; 494 /* verify that the destination addr is in the association */ 495 /* ignore abort for addresses being deleted */ 496 497 /* stop any receive timers */ 498 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); 499 /* notify user of the abort and clean up... */ 500 sctp_abort_notification(stcb, 0); 501 /* free the tcb */ 502 sctp_free_assoc(stcb->sctp_ep, stcb); 503 #ifdef SCTP_DEBUG 504 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 505 printf("sctp_handle_abort: finished\n"); 506 } 507 #endif 508 } 509 510 static void 511 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 512 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 513 { 514 struct sctp_association *asoc; 515 int some_on_streamwheel; 516 517 #ifdef SCTP_DEBUG 518 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 519 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 520 } 521 #endif 522 if (stcb == NULL) 523 return; 524 525 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || 526 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 527 return; 528 } 529 530 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 531 /* update current data status */ 532 #ifdef SCTP_DEBUG 533 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 534 printf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n", 535 ntohs(cp->ch.chunk_length), 536 (int)sizeof(struct sctp_shutdown_chunk)); 537 } 538 #endif 539 return; 540 } else { 541 sctp_update_acked(stcb, cp, net, abort_flag); 542 } 543 asoc = &stcb->asoc; 544 /* goto SHUTDOWN_RECEIVED state to block new requests */ 545 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 546 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 547 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 548 #ifdef SCTP_DEBUG 549 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 550 printf("Moving to SHUTDOWN-RECEIVED state\n"); 551 } 552 #endif 553 /* notify upper layer that peer has initiated a shutdown */ 554 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 555 556 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 557 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 558 559 /* Set the flag so we cannot send more, we 560 * would call the function but we don't want to 561 * wake up the ulp necessarily. 562 */ 563 #if defined(__FreeBSD__) && __FreeBSD_version >= 502115 564 stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE; 565 #else 566 stcb->sctp_ep->sctp_socket->so_state |= SS_CANTSENDMORE; 567 #endif 568 } 569 /* reset time */ 570 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 571 } 572 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 573 /* 574 * stop the shutdown timer, since we WILL move 575 * to SHUTDOWN-ACK-SENT. 576 */ 577 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 578 } 579 /* Now are we there yet? */ 580 some_on_streamwheel = 0; 581 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 582 /* Check to see if some data queued */ 583 struct sctp_stream_out *outs; 584 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 585 if (!TAILQ_EMPTY(&outs->outqueue)) { 586 some_on_streamwheel = 1; 587 break; 588 } 589 } 590 } 591 #ifdef SCTP_DEBUG 592 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 593 printf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n", 594 some_on_streamwheel, 595 !TAILQ_EMPTY(&asoc->send_queue), 596 !TAILQ_EMPTY(&asoc->sent_queue)); 597 } 598 #endif 599 if (!TAILQ_EMPTY(&asoc->send_queue) || 600 !TAILQ_EMPTY(&asoc->sent_queue) || 601 some_on_streamwheel) { 602 /* By returning we will push more data out */ 603 return; 604 } else { 605 /* no outstanding data to send, so move on... */ 606 /* send SHUTDOWN-ACK */ 607 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 608 /* move to SHUTDOWN-ACK-SENT state */ 609 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 610 #ifdef SCTP_DEBUG 611 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 612 printf("moving to SHUTDOWN_ACK state\n"); 613 } 614 #endif 615 /* start SHUTDOWN timer */ 616 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 617 stcb, net); 618 } 619 } 620 621 static void 622 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 623 struct sctp_tcb *stcb, struct sctp_nets *net) 624 { 625 struct sctp_association *asoc; 626 627 #ifdef SCTP_DEBUG 628 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 629 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 630 } 631 #endif 632 if (stcb == NULL) 633 return; 634 635 asoc = &stcb->asoc; 636 /* process according to association state */ 637 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 638 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 639 /* unexpected SHUTDOWN-ACK... so ignore... */ 640 return; 641 } 642 /* are the queues empty? */ 643 if (!TAILQ_EMPTY(&asoc->send_queue) || 644 !TAILQ_EMPTY(&asoc->sent_queue) || 645 !TAILQ_EMPTY(&asoc->out_wheel)) { 646 sctp_report_all_outbound(stcb); 647 } 648 /* stop the timer */ 649 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 650 /* send SHUTDOWN-COMPLETE */ 651 sctp_send_shutdown_complete(stcb, net); 652 /* notify upper layer protocol */ 653 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 654 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 655 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 656 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 657 /* Set the connected flag to disconnected */ 658 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 659 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 660 soisdisconnected(stcb->sctp_ep->sctp_socket); 661 } 662 /* free the TCB but first save off the ep */ 663 sctp_free_assoc(stcb->sctp_ep, stcb); 664 } 665 666 /* 667 * Skip past the param header and then we will find the chunk that 668 * caused the problem. There are two possiblities ASCONF or FWD-TSN 669 * other than that and our peer must be broken. 670 */ 671 static void 672 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 673 struct sctp_nets *net) 674 { 675 struct sctp_chunkhdr *chk; 676 677 chk = (struct sctp_chunkhdr *)((vaddr_t)phdr + sizeof(*phdr)); 678 switch (chk->chunk_type) { 679 case SCTP_ASCONF_ACK: 680 #ifdef SCTP_DEBUG 681 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 682 printf("Strange peer, snds ASCONF but does not recongnize asconf-ack?\n"); 683 } 684 #endif 685 case SCTP_ASCONF: 686 #ifdef SCTP_DEBUG 687 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 688 printf("Peer does not support ASCONF/ASCONF-ACK chunks\n"); 689 } 690 #endif /* SCTP_DEBUG */ 691 sctp_asconf_cleanup(stcb, net); 692 break; 693 case SCTP_FORWARD_CUM_TSN: 694 stcb->asoc.peer_supports_prsctp = 0; 695 break; 696 default: 697 #ifdef SCTP_DEBUG 698 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 699 printf("Peer does not support chunk type %d(%x)??\n", 700 chk->chunk_type, (u_int)chk->chunk_type); 701 } 702 #endif 703 break; 704 } 705 } 706 707 /* 708 * Skip past the param header and then we will find the param that 709 * caused the problem. There are a number of param's in a ASCONF 710 * OR the prsctp param these will turn of specific features. 711 */ 712 static void 713 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 714 { 715 struct sctp_paramhdr *pbad; 716 717 pbad = phdr + 1; 718 switch (ntohs(pbad->param_type)) { 719 /* pr-sctp draft */ 720 case SCTP_PRSCTP_SUPPORTED: 721 stcb->asoc.peer_supports_prsctp = 0; 722 break; 723 case SCTP_SUPPORTED_CHUNK_EXT: 724 break; 725 /* draft-ietf-tsvwg-addip-sctp */ 726 case SCTP_ECN_NONCE_SUPPORTED: 727 stcb->asoc.peer_supports_ecn_nonce = 0; 728 stcb->asoc.ecn_nonce_allowed = 0; 729 stcb->asoc.ecn_allowed = 0; 730 break; 731 case SCTP_ADD_IP_ADDRESS: 732 case SCTP_DEL_IP_ADDRESS: 733 stcb->asoc.peer_supports_asconf = 0; 734 break; 735 case SCTP_SET_PRIM_ADDR: 736 stcb->asoc.peer_supports_asconf_setprim = 0; 737 break; 738 case SCTP_SUCCESS_REPORT: 739 case SCTP_ERROR_CAUSE_IND: 740 #ifdef SCTP_DEBUG 741 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 742 printf("Huh, the peer does not support success? or error cause?\n"); 743 printf("Turning off ASCONF to this strange peer\n"); 744 } 745 #endif 746 stcb->asoc.peer_supports_asconf = 0; 747 stcb->asoc.peer_supports_asconf_setprim = 0; 748 break; 749 default: 750 #ifdef SCTP_DEBUG 751 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 752 printf("Peer does not support base param type %d(%x)??\n", 753 pbad->param_type, (u_int)pbad->param_type); 754 } 755 #endif 756 break; 757 } 758 } 759 760 static int 761 sctp_handle_error(struct sctp_chunkhdr *ch, 762 struct sctp_tcb *stcb, struct sctp_nets *net) 763 { 764 int chklen; 765 struct sctp_paramhdr *phdr; 766 uint16_t error_type; 767 uint16_t error_len; 768 struct sctp_association *asoc; 769 770 int adjust; 771 /* parse through all of the errors and process */ 772 asoc = &stcb->asoc; 773 phdr = (struct sctp_paramhdr *)((vaddr_t)ch + 774 sizeof(struct sctp_chunkhdr)); 775 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 776 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 777 /* Process an Error Cause */ 778 error_type = ntohs(phdr->param_type); 779 error_len = ntohs(phdr->param_length); 780 if ((error_len > chklen) || (error_len == 0)) { 781 /* invalid param length for this param */ 782 #ifdef SCTP_DEBUG 783 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 784 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 785 chklen, error_len); 786 } 787 #endif /* SCTP_DEBUG */ 788 return (0); 789 } 790 switch (error_type) { 791 case SCTP_CAUSE_INV_STRM: 792 case SCTP_CAUSE_MISS_PARAM: 793 case SCTP_CAUSE_INVALID_PARAM: 794 case SCTP_CAUSE_NOUSER_DATA: 795 #ifdef SCTP_DEBUG 796 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 797 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 798 error_type); 799 } 800 #endif 801 break; 802 case SCTP_CAUSE_STALE_COOKIE: 803 /* We only act if we have echoed a cookie and are waiting. */ 804 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 805 int *p; 806 p = (int *)((vaddr_t)phdr + sizeof(*phdr)); 807 /* Save the time doubled */ 808 asoc->cookie_preserve_req = ntohl(*p) << 1; 809 asoc->stale_cookie_count++; 810 if (asoc->stale_cookie_count > 811 asoc->max_init_times) { 812 sctp_abort_notification(stcb, 0); 813 /* now free the asoc */ 814 sctp_free_assoc(stcb->sctp_ep, stcb); 815 return (-1); 816 } 817 /* blast back to INIT state */ 818 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 819 asoc->state |= SCTP_STATE_COOKIE_WAIT; 820 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 821 stcb->sctp_ep, stcb, net); 822 sctp_send_initiate(stcb->sctp_ep, stcb); 823 } 824 break; 825 case SCTP_CAUSE_UNRESOLV_ADDR: 826 /* 827 * Nothing we can do here, we don't do hostname 828 * addresses so if the peer does not like my IPv6 (or 829 * IPv4 for that matter) it does not matter. If they 830 * don't support that type of address, they can NOT 831 * possibly get that packet type... i.e. with no IPv6 832 * you can't recieve a IPv6 packet. so we can safely 833 * ignore this one. If we ever added support for 834 * HOSTNAME Addresses, then we would need to do 835 * something here. 836 */ 837 break; 838 case SCTP_CAUSE_UNRECOG_CHUNK: 839 sctp_process_unrecog_chunk(stcb, phdr, net); 840 break; 841 case SCTP_CAUSE_UNRECOG_PARAM: 842 sctp_process_unrecog_param(stcb, phdr); 843 break; 844 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 845 /* 846 * We ignore this since the timer will drive out a new 847 * cookie anyway and there timer will drive us to send 848 * a SHUTDOWN_COMPLETE. We can't send one here since 849 * we don't have their tag. 850 */ 851 break; 852 case SCTP_CAUSE_DELETEING_LAST_ADDR: 853 case SCTP_CAUSE_OPERATION_REFUSED: 854 case SCTP_CAUSE_DELETING_SRC_ADDR: 855 /* We should NOT get these here, but in a ASCONF-ACK. */ 856 #ifdef SCTP_DEBUG 857 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 858 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 859 error_type); 860 } 861 #endif 862 break; 863 case SCTP_CAUSE_OUT_OF_RESC: 864 /* 865 * And what, pray tell do we do with the fact 866 * that the peer is out of resources? Not 867 * really sure we could do anything but abort. 868 * I suspect this should have came WITH an 869 * abort instead of in a OP-ERROR. 870 */ 871 break; 872 default: 873 #ifdef SCTP_DEBUG 874 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 875 /* don't know what this error cause is... */ 876 printf("sctp_handle_error: unknown error type = 0x%xh\n", 877 error_type); 878 } 879 #endif /* SCTP_DEBUG */ 880 break; 881 } 882 adjust = SCTP_SIZE32(error_len); 883 chklen -= adjust; 884 phdr = (struct sctp_paramhdr *)((vaddr_t)phdr + adjust); 885 } 886 return (0); 887 } 888 889 static int 890 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 891 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 892 struct sctp_nets *net) 893 { 894 struct sctp_init_ack *init_ack; 895 int *state; 896 struct mbuf *op_err; 897 898 #ifdef SCTP_DEBUG 899 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 900 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 901 } 902 #endif 903 if (stcb == NULL) { 904 #ifdef SCTP_DEBUG 905 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 906 printf("sctp_handle_init_ack: TCB is null\n"); 907 } 908 #endif 909 return (-1); 910 } 911 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 912 /* Invalid length */ 913 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 914 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 915 op_err); 916 return (-1); 917 } 918 init_ack = &cp->init; 919 /* validate parameters */ 920 if (init_ack->initiate_tag == 0) { 921 /* protocol error... send an abort */ 922 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 923 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 924 op_err); 925 return (-1); 926 } 927 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 928 /* protocol error... send an abort */ 929 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 930 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 931 op_err); 932 return (-1); 933 } 934 if (init_ack->num_inbound_streams == 0) { 935 /* protocol error... send an abort */ 936 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 937 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 938 op_err); 939 return (-1); 940 } 941 if (init_ack->num_outbound_streams == 0) { 942 /* protocol error... send an abort */ 943 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 944 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 945 op_err); 946 return (-1); 947 } 948 949 /* process according to association state... */ 950 state = &stcb->asoc.state; 951 switch (*state & SCTP_STATE_MASK) { 952 case SCTP_STATE_COOKIE_WAIT: 953 /* this is the expected state for this chunk */ 954 /* process the INIT-ACK parameters */ 955 if (stcb->asoc.primary_destination->dest_state & 956 SCTP_ADDR_UNCONFIRMED) { 957 /* 958 * The primary is where we sent the INIT, we can 959 * always consider it confirmed when the INIT-ACK 960 * is returned. Do this before we load addresses 961 * though. 962 */ 963 stcb->asoc.primary_destination->dest_state &= 964 ~SCTP_ADDR_UNCONFIRMED; 965 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 966 stcb, 0, (void *)stcb->asoc.primary_destination); 967 } 968 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 969 ) < 0) { 970 /* error in parsing parameters */ 971 #ifdef SCTP_DEBUG 972 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 973 printf("sctp_process_init_ack: error in msg, discarding\n"); 974 } 975 #endif 976 return (-1); 977 } 978 /* update our state */ 979 #ifdef SCTP_DEBUG 980 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 981 printf("moving to COOKIE-ECHOED state\n"); 982 } 983 #endif 984 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 985 *state = SCTP_STATE_COOKIE_ECHOED | 986 SCTP_STATE_SHUTDOWN_PENDING; 987 } else { 988 *state = SCTP_STATE_COOKIE_ECHOED; 989 } 990 991 /* reset the RTO calc */ 992 stcb->asoc.overall_error_count = 0; 993 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 994 /* 995 * collapse the init timer back in case of a exponential backoff 996 */ 997 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 998 stcb, net); 999 /* 1000 * the send at the end of the inbound data processing will 1001 * cause the cookie to be sent 1002 */ 1003 break; 1004 case SCTP_STATE_SHUTDOWN_SENT: 1005 /* incorrect state... discard */ 1006 break; 1007 case SCTP_STATE_COOKIE_ECHOED: 1008 /* incorrect state... discard */ 1009 break; 1010 case SCTP_STATE_OPEN: 1011 /* incorrect state... discard */ 1012 break; 1013 case SCTP_STATE_EMPTY: 1014 case SCTP_STATE_INUSE: 1015 default: 1016 /* incorrect state... discard */ 1017 #ifdef SCTP_DEBUG 1018 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1019 printf("Leaving handle-init-ack default\n"); 1020 } 1021 #endif 1022 return (-1); 1023 break; 1024 } /* end switch asoc state */ 1025 #ifdef SCTP_DEBUG 1026 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1027 printf("Leaving handle-init-ack end\n"); 1028 } 1029 #endif 1030 return (0); 1031 } 1032 1033 1034 /* 1035 * handle a state cookie for an existing association 1036 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1037 * note: this is a "split" mbuf and the cookie signature does not exist 1038 * offset: offset into mbuf to the cookie-echo chunk 1039 */ 1040 static struct sctp_tcb * 1041 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1042 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1043 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1044 struct sockaddr *init_src, int *notification) 1045 { 1046 struct sctp_association *asoc; 1047 struct sctp_init_chunk *init_cp, init_buf; 1048 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1049 int chk_length; 1050 int init_offset, initack_offset; 1051 int retval; 1052 1053 /* I know that the TCB is non-NULL from the caller */ 1054 asoc = &stcb->asoc; 1055 1056 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1057 /* SHUTDOWN came in after sending INIT-ACK */ 1058 struct mbuf *op_err; 1059 struct sctp_paramhdr *ph; 1060 1061 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1062 #ifdef SCTP_DEBUG 1063 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1064 printf("sctp_handle_cookie: got a cookie, while shutting down!\n"); 1065 } 1066 #endif 1067 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1068 if (op_err == NULL) { 1069 /* FOOBAR */ 1070 return (NULL); 1071 } 1072 /* pre-reserve some space */ 1073 op_err->m_data += sizeof(struct ip6_hdr); 1074 op_err->m_data += sizeof(struct sctphdr); 1075 op_err->m_data += sizeof(struct sctp_chunkhdr); 1076 /* Set the len */ 1077 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1078 ph = mtod(op_err, struct sctp_paramhdr *); 1079 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1080 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1081 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1082 return (NULL); 1083 } 1084 /* 1085 * find and validate the INIT chunk in the cookie (peer's info) 1086 * the INIT should start after the cookie-echo header struct 1087 * (chunk header, state cookie header struct) 1088 */ 1089 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1090 1091 init_cp = (struct sctp_init_chunk *) 1092 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1093 (u_int8_t *)&init_buf); 1094 if (init_cp == NULL) { 1095 /* could not pull a INIT chunk in cookie */ 1096 #ifdef SCTP_DEBUG 1097 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1098 printf("process_cookie_existing: could not pull INIT chunk hdr\n"); 1099 } 1100 #endif /* SCTP_DEBUG */ 1101 return (NULL); 1102 } 1103 chk_length = ntohs(init_cp->ch.chunk_length); 1104 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1105 #ifdef SCTP_DEBUG 1106 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1107 printf("process_cookie_existing: could not find INIT chunk!\n"); 1108 } 1109 #endif /* SCTP_DEBUG */ 1110 return (NULL); 1111 } 1112 1113 /* 1114 * find and validate the INIT-ACK chunk in the cookie (my info) 1115 * the INIT-ACK follows the INIT chunk 1116 */ 1117 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1118 initack_cp = (struct sctp_init_ack_chunk *) 1119 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1120 (u_int8_t *)&initack_buf); 1121 if (initack_cp == NULL) { 1122 /* could not pull INIT-ACK chunk in cookie */ 1123 #ifdef SCTP_DEBUG 1124 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1125 printf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n"); 1126 } 1127 #endif /* SCTP_DEBUG */ 1128 return (NULL); 1129 } 1130 chk_length = ntohs(initack_cp->ch.chunk_length); 1131 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1132 #ifdef SCTP_DEBUG 1133 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1134 printf("process_cookie_existing: could not find INIT-ACK chunk!\n"); 1135 } 1136 #endif /* SCTP_DEBUG */ 1137 return (NULL); 1138 } 1139 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1140 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1141 /* 1142 * case D in Section 5.2.4 Table 2: MMAA 1143 * process accordingly to get into the OPEN state 1144 */ 1145 switch SCTP_GET_STATE(asoc) { 1146 case SCTP_STATE_COOKIE_WAIT: 1147 /* 1148 * INIT was sent, but got got a COOKIE_ECHO with 1149 * the correct tags... just accept it... 1150 */ 1151 /* First we must process the INIT !! */ 1152 retval = sctp_process_init(init_cp, stcb, net); 1153 if (retval < 0) { 1154 #ifdef SCTP_DEBUG 1155 printf("process_cookie_existing: INIT processing failed\n"); 1156 #endif 1157 return (NULL); 1158 } 1159 /* FALLTHROUGH */ 1160 /* intentional fall through to below... */ 1161 1162 case SCTP_STATE_COOKIE_ECHOED: 1163 /* Duplicate INIT case */ 1164 /* we have already processed the INIT so no problem */ 1165 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1166 net); 1167 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1168 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, 1169 net); 1170 /* update current state */ 1171 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1172 asoc->state = SCTP_STATE_OPEN | 1173 SCTP_STATE_SHUTDOWN_PENDING; 1174 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1175 /* if ok, move to OPEN state */ 1176 asoc->state = SCTP_STATE_OPEN; 1177 } 1178 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1179 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1180 (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) { 1181 /* 1182 * Here is where collision would go if we did a 1183 * connect() and instead got a 1184 * init/init-ack/cookie done before the 1185 * init-ack came back.. 1186 */ 1187 stcb->sctp_ep->sctp_flags |= 1188 SCTP_PCB_FLAGS_CONNECTED; 1189 soisconnected(stcb->sctp_ep->sctp_socket); 1190 } 1191 /* notify upper layer */ 1192 *notification = SCTP_NOTIFY_ASSOC_UP; 1193 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1194 net); 1195 /* 1196 * since we did not send a HB make sure we don't double 1197 * things 1198 */ 1199 net->hb_responded = 1; 1200 1201 if (stcb->asoc.sctp_autoclose_ticks && 1202 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1203 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1204 inp, stcb, NULL); 1205 } 1206 break; 1207 default: 1208 /* 1209 * we're in the OPEN state (or beyond), so peer 1210 * must have simply lost the COOKIE-ACK 1211 */ 1212 break; 1213 } /* end switch */ 1214 1215 /* 1216 * We ignore the return code here.. not sure if we should 1217 * somehow abort.. but we do have an existing asoc. This 1218 * really should not fail. 1219 */ 1220 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1221 init_offset + sizeof(struct sctp_init_chunk), 1222 initack_offset, sh, init_src)) { 1223 #ifdef SCTP_DEBUG 1224 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1225 printf("Weird cookie load_address failure on cookie existing - 1\n"); 1226 } 1227 #endif 1228 return (NULL); 1229 } 1230 1231 /* respond with a COOKIE-ACK */ 1232 sctp_send_cookie_ack(stcb); 1233 return (stcb); 1234 } /* end if */ 1235 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1236 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1237 cookie->tie_tag_my_vtag == 0 && 1238 cookie->tie_tag_peer_vtag == 0) { 1239 /* 1240 * case C in Section 5.2.4 Table 2: XMOO 1241 * silently discard 1242 */ 1243 return (NULL); 1244 } 1245 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1246 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1247 init_cp->init.initiate_tag == 0)) { 1248 /* 1249 * case B in Section 5.2.4 Table 2: MXAA or MOAA 1250 * my info should be ok, re-accept peer info 1251 */ 1252 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1253 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1254 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1255 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1256 /* 1257 * since we did not send a HB make sure we don't double things 1258 */ 1259 net->hb_responded = 1; 1260 if (stcb->asoc.sctp_autoclose_ticks && 1261 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1262 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1263 NULL); 1264 } 1265 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1266 asoc->pre_open_streams = 1267 ntohs(initack_cp->init.num_outbound_streams); 1268 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1269 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1270 asoc->init_seq_number; 1271 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1272 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1273 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1274 asoc->str_reset_seq_in = asoc->init_seq_number; 1275 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1276 1277 /* process the INIT info (peer's info) */ 1278 retval = sctp_process_init(init_cp, stcb, net); 1279 if (retval < 0) { 1280 #ifdef SCTP_DEBUG 1281 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1282 printf("process_cookie_existing: INIT processing failed\n"); 1283 } 1284 #endif 1285 return (NULL); 1286 } 1287 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1288 init_offset + sizeof(struct sctp_init_chunk), 1289 initack_offset, sh, init_src)) { 1290 #ifdef SCTP_DEBUG 1291 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1292 printf("Weird cookie load_address failure on cookie existing - 2\n"); 1293 } 1294 #endif 1295 return (NULL); 1296 } 1297 1298 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1299 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1300 *notification = SCTP_NOTIFY_ASSOC_UP; 1301 1302 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1303 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1304 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1305 stcb->sctp_ep->sctp_flags |= 1306 SCTP_PCB_FLAGS_CONNECTED; 1307 soisconnected(stcb->sctp_ep->sctp_socket); 1308 } 1309 } 1310 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1311 asoc->state = SCTP_STATE_OPEN | 1312 SCTP_STATE_SHUTDOWN_PENDING; 1313 } else { 1314 asoc->state = SCTP_STATE_OPEN; 1315 } 1316 sctp_send_cookie_ack(stcb); 1317 return (stcb); 1318 } 1319 1320 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1321 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1322 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1323 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1324 cookie->tie_tag_peer_vtag != 0) { 1325 /* 1326 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1327 */ 1328 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1329 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1330 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1331 1332 /* notify upper layer */ 1333 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1334 1335 /* send up all the data */ 1336 sctp_report_all_outbound(stcb); 1337 1338 /* process the INIT-ACK info (my info) */ 1339 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1340 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1341 asoc->pre_open_streams = 1342 ntohs(initack_cp->init.num_outbound_streams); 1343 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1344 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1345 asoc->init_seq_number; 1346 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1347 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1348 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1349 asoc->str_reset_seq_in = asoc->init_seq_number; 1350 1351 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1352 if (asoc->mapping_array) 1353 memset(asoc->mapping_array, 0, 1354 asoc->mapping_array_size); 1355 /* process the INIT info (peer's info) */ 1356 retval = sctp_process_init(init_cp, stcb, net); 1357 if (retval < 0) { 1358 #ifdef SCTP_DEBUG 1359 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1360 printf("process_cookie_existing: INIT processing failed\n"); 1361 } 1362 #endif 1363 return (NULL); 1364 } 1365 1366 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1367 /* 1368 * since we did not send a HB make sure we don't double things 1369 */ 1370 net->hb_responded = 1; 1371 1372 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1373 init_offset + sizeof(struct sctp_init_chunk), 1374 initack_offset, sh, init_src)) { 1375 #ifdef SCTP_DEBUG 1376 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1377 printf("Weird cookie load_address failure on cookie existing - 3\n"); 1378 } 1379 #endif 1380 return (NULL); 1381 } 1382 1383 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1384 asoc->state = SCTP_STATE_OPEN | 1385 SCTP_STATE_SHUTDOWN_PENDING; 1386 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1387 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1388 asoc->state = SCTP_STATE_OPEN; 1389 } 1390 /* respond with a COOKIE-ACK */ 1391 sctp_send_cookie_ack(stcb); 1392 1393 return (stcb); 1394 } 1395 /* all other cases... */ 1396 return (NULL); 1397 } 1398 1399 /* 1400 * handle a state cookie for a new association 1401 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1402 * note: this is a "split" mbuf and the cookie signature does not exist 1403 * offset: offset into mbuf to the cookie-echo chunk 1404 * length: length of the cookie chunk 1405 * to: where the init was from 1406 * returns a new TCB 1407 */ 1408 static struct sctp_tcb * 1409 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1410 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1411 struct sctp_inpcb *inp, struct sctp_nets **netp, 1412 struct sockaddr *init_src, int *notification) 1413 { 1414 struct sctp_tcb *stcb; 1415 struct sctp_init_chunk *init_cp, init_buf; 1416 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1417 struct sockaddr_storage sa_store; 1418 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1419 struct sockaddr_in *sin; 1420 struct sockaddr_in6 *sin6; 1421 struct sctp_association *asoc; 1422 int chk_length; 1423 int init_offset, initack_offset, initack_limit; 1424 int retval; 1425 int error = 0; 1426 /* 1427 * find and validate the INIT chunk in the cookie (peer's info) 1428 * the INIT should start after the cookie-echo header struct 1429 * (chunk header, state cookie header struct) 1430 */ 1431 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1432 init_cp = (struct sctp_init_chunk *) 1433 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1434 (u_int8_t *)&init_buf); 1435 if (init_cp == NULL) { 1436 /* could not pull a INIT chunk in cookie */ 1437 #ifdef SCTP_DEBUG 1438 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1439 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1440 } 1441 #endif /* SCTP_DEBUG */ 1442 return (NULL); 1443 } 1444 chk_length = ntohs(init_cp->ch.chunk_length); 1445 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1446 #ifdef SCTP_DEBUG 1447 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1448 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1449 } 1450 #endif /* SCTP_DEBUG */ 1451 return (NULL); 1452 } 1453 1454 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1455 /* 1456 * find and validate the INIT-ACK chunk in the cookie (my info) 1457 * the INIT-ACK follows the INIT chunk 1458 */ 1459 initack_cp = (struct sctp_init_ack_chunk *) 1460 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1461 (u_int8_t *)&initack_buf); 1462 if (initack_cp == NULL) { 1463 /* could not pull INIT-ACK chunk in cookie */ 1464 #ifdef SCTP_DEBUG 1465 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1466 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1467 } 1468 #endif /* SCTP_DEBUG */ 1469 return (NULL); 1470 } 1471 chk_length = ntohs(initack_cp->ch.chunk_length); 1472 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1473 #ifdef SCTP_DEBUG 1474 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1475 u_int8_t *pp; 1476 pp = (u_int8_t *)initack_cp; 1477 printf("process_cookie_new: could not find INIT-ACK chunk!\n"); 1478 printf("Found bytes %x %x %x %x at postion %d\n", 1479 (u_int)pp[0], (u_int)pp[1], (u_int)pp[2], 1480 (u_int)pp[3], initack_offset); 1481 } 1482 #endif /* SCTP_DEBUG */ 1483 return (NULL); 1484 } 1485 initack_limit = initack_offset + SCTP_SIZE32(chk_length); 1486 1487 /* 1488 * now that we know the INIT/INIT-ACK are in place, 1489 * create a new TCB and popluate 1490 */ 1491 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, ntohl(initack_cp->init.initiate_tag)); 1492 if (stcb == NULL) { 1493 struct mbuf *op_err; 1494 /* memory problem? */ 1495 #ifdef SCTP_DEBUG 1496 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1497 printf("process_cookie_new: no room for another TCB!\n"); 1498 } 1499 #endif /* SCTP_DEBUG */ 1500 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1501 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1502 sh, op_err); 1503 return (NULL); 1504 } 1505 1506 /* get the correct sctp_nets */ 1507 *netp = sctp_findnet(stcb, init_src); 1508 asoc = &stcb->asoc; 1509 /* get scope variables out of cookie */ 1510 asoc->ipv4_local_scope = cookie->ipv4_scope; 1511 asoc->site_scope = cookie->site_scope; 1512 asoc->local_scope = cookie->local_scope; 1513 asoc->loopback_scope = cookie->loopback_scope; 1514 1515 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1516 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1517 struct mbuf *op_err; 1518 /* 1519 * Houston we have a problem. The EP changed while the cookie 1520 * was in flight. Only recourse is to abort the association. 1521 */ 1522 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1523 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1524 sh, op_err); 1525 return (NULL); 1526 } 1527 1528 /* process the INIT-ACK info (my info) */ 1529 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1530 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1531 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1532 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1533 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1534 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1535 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1536 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1537 asoc->str_reset_seq_in = asoc->init_seq_number; 1538 1539 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1540 1541 /* process the INIT info (peer's info) */ 1542 retval = sctp_process_init(init_cp, stcb, *netp); 1543 if (retval < 0) { 1544 #ifdef SCTP_DEBUG 1545 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1546 printf("process_cookie_new: INIT processing failed\n"); 1547 } 1548 #endif 1549 sctp_free_assoc(inp, stcb); 1550 return (NULL); 1551 } 1552 /* load all addresses */ 1553 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1554 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1555 init_src)) { 1556 sctp_free_assoc(inp, stcb); 1557 return (NULL); 1558 } 1559 1560 /* update current state */ 1561 #ifdef SCTP_DEBUG 1562 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1563 printf("moving to OPEN state\n"); 1564 } 1565 #endif 1566 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1567 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1568 } else { 1569 asoc->state = SCTP_STATE_OPEN; 1570 } 1571 /* calculate the RTT */ 1572 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1573 &cookie->time_entered); 1574 1575 /* 1576 * if we're doing ASCONFs, check to see if we have any new 1577 * local addresses that need to get added to the peer (eg. 1578 * addresses changed while cookie echo in flight). This needs 1579 * to be done after we go to the OPEN state to do the correct 1580 * asconf processing. 1581 * else, make sure we have the correct addresses in our lists 1582 */ 1583 1584 /* warning, we re-use sin, sin6, sa_store here! */ 1585 /* pull in local_address (our "from" address) */ 1586 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1587 /* source addr is IPv4 */ 1588 sin = (struct sockaddr_in *)initack_src; 1589 memset(sin, 0, sizeof(*sin)); 1590 sin->sin_family = AF_INET; 1591 sin->sin_len = sizeof(struct sockaddr_in); 1592 sin->sin_addr.s_addr = cookie->laddress[0]; 1593 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1594 /* source addr is IPv6 */ 1595 sin6 = (struct sockaddr_in6 *)initack_src; 1596 memset(sin6, 0, sizeof(*sin6)); 1597 sin6->sin6_family = AF_INET6; 1598 sin6->sin6_len = sizeof(struct sockaddr_in6); 1599 sin6->sin6_scope_id = cookie->scope_id; 1600 memcpy(&sin6->sin6_addr, cookie->laddress, 1601 sizeof(sin6->sin6_addr)); 1602 } else { 1603 sctp_free_assoc(inp, stcb); 1604 return (NULL); 1605 } 1606 1607 sctp_check_address_list(stcb, m, initack_offset + 1608 sizeof(struct sctp_init_ack_chunk), initack_limit, 1609 initack_src, cookie->local_scope, cookie->site_scope, 1610 cookie->ipv4_scope, cookie->loopback_scope); 1611 1612 1613 /* set up to notify upper layer */ 1614 *notification = SCTP_NOTIFY_ASSOC_UP; 1615 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1616 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1617 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1618 /* 1619 * This is an endpoint that called connect() 1620 * how it got a cookie that is NEW is a bit of 1621 * a mystery. It must be that the INIT was sent, but 1622 * before it got there.. a complete INIT/INIT-ACK/COOKIE 1623 * arrived. But of course then it should have went to 1624 * the other code.. not here.. oh well.. a bit of protection 1625 * is worth having.. 1626 */ 1627 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1628 soisconnected(stcb->sctp_ep->sctp_socket); 1629 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1630 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1631 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1632 /* 1633 * We don't want to do anything with this 1634 * one. Since it is the listening guy. The timer will 1635 * get started for accepted connections in the caller. 1636 */ 1637 ; 1638 } else { 1639 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1640 } 1641 /* since we did not send a HB make sure we don't double things */ 1642 (*netp)->hb_responded = 1; 1643 1644 if (stcb->asoc.sctp_autoclose_ticks && 1645 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1646 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1647 } 1648 1649 /* respond with a COOKIE-ACK */ 1650 sctp_send_cookie_ack(stcb); 1651 1652 return (stcb); 1653 } 1654 1655 1656 /* 1657 * handles a COOKIE-ECHO message 1658 * stcb: modified to either a new or left as existing (non-NULL) TCB 1659 */ 1660 static struct mbuf * 1661 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1662 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1663 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp) 1664 { 1665 struct sctp_state_cookie *cookie; 1666 struct sockaddr_in6 sin6; 1667 struct sockaddr_in sin; 1668 struct sctp_tcb *l_stcb=*stcb; 1669 struct sctp_inpcb *l_inp; 1670 struct sockaddr *to; 1671 struct sctp_pcb *ep; 1672 struct mbuf *m_sig; 1673 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1674 uint8_t *sig; 1675 uint8_t cookie_ok = 0; 1676 unsigned int size_of_pkt, sig_offset, cookie_offset; 1677 unsigned int cookie_len; 1678 struct timeval now; 1679 struct timeval time_expires; 1680 struct sockaddr_storage dest_store; 1681 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1682 struct ip *iph; 1683 int notification = 0; 1684 struct sctp_nets *netl; 1685 int had_a_existing_tcb = 0; 1686 1687 #ifdef SCTP_DEBUG 1688 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1689 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1690 } 1691 #endif 1692 1693 if (inp_p == NULL) { 1694 #ifdef SCTP_DEBUG 1695 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1696 printf("sctp_handle_cookie: null inp_p!\n"); 1697 } 1698 #endif 1699 return (NULL); 1700 } 1701 /* First get the destination address setup too. */ 1702 iph = mtod(m, struct ip *); 1703 if (iph->ip_v == IPVERSION) { 1704 /* its IPv4 */ 1705 struct sockaddr_in *sin_d; 1706 sin_d = (struct sockaddr_in *)(localep_sa); 1707 memset(sin_d, 0, sizeof(*sin_d)); 1708 sin_d->sin_family = AF_INET; 1709 sin_d->sin_len = sizeof(*sin_d); 1710 sin_d->sin_port = sh->dest_port; 1711 sin_d->sin_addr.s_addr = iph->ip_dst.s_addr ; 1712 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1713 /* its IPv6 */ 1714 struct ip6_hdr *ip6; 1715 struct sockaddr_in6 *sin6_d; 1716 sin6_d = (struct sockaddr_in6 *)(localep_sa); 1717 memset(sin6_d, 0, sizeof(*sin6_d)); 1718 sin6_d->sin6_family = AF_INET6; 1719 sin6_d->sin6_len = sizeof(struct sockaddr_in6); 1720 ip6 = mtod(m, struct ip6_hdr *); 1721 sin6_d->sin6_port = sh->dest_port; 1722 sin6_d->sin6_addr = ip6->ip6_dst; 1723 } else { 1724 return (NULL); 1725 } 1726 1727 cookie = &cp->cookie; 1728 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1729 cookie_len = ntohs(cp->ch.chunk_length); 1730 1731 /* compute size of packet */ 1732 if (m->m_flags & M_PKTHDR) { 1733 size_of_pkt = m->m_pkthdr.len; 1734 } else { 1735 /* Should have a pkt hdr really */ 1736 struct mbuf *mat; 1737 mat = m; 1738 size_of_pkt = 0; 1739 while (mat != NULL) { 1740 size_of_pkt += mat->m_len; 1741 mat = mat->m_next; 1742 } 1743 } 1744 if (cookie_len > size_of_pkt || 1745 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1746 sizeof(struct sctp_init_chunk) + 1747 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1748 /* cookie too long! or too small */ 1749 #ifdef SCTP_DEBUG 1750 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1751 printf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt); 1752 } 1753 #endif /* SCTP_DEBUG */ 1754 return (NULL); 1755 } 1756 1757 if ((cookie->peerport != sh->src_port) && 1758 (cookie->myport != sh->dest_port) && 1759 (cookie->my_vtag != sh->v_tag)) { 1760 /* 1761 * invalid ports or bad tag. Note that we always leave 1762 * the v_tag in the header in network order and when we 1763 * stored it in the my_vtag slot we also left it in network 1764 * order. This maintians the match even though it may be in 1765 * the opposite byte order of the machine :-> 1766 */ 1767 return (NULL); 1768 } 1769 1770 /* 1771 * split off the signature into its own mbuf (since it 1772 * should not be calculated in the sctp_hash_digest_m() call). 1773 */ 1774 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1775 if (sig_offset > size_of_pkt) { 1776 /* packet not correct size! */ 1777 /* XXX this may already be accounted for earlier... */ 1778 #ifdef SCTP_DEBUG 1779 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1780 printf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt); 1781 } 1782 #endif 1783 return (NULL); 1784 } 1785 1786 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1787 if (m_sig == NULL) { 1788 /* out of memory or ?? */ 1789 #ifdef SCTP_DEBUG 1790 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1791 printf("sctp_handle_cookie: couldn't m_split the signature\n"); 1792 } 1793 #endif 1794 return (NULL); 1795 } 1796 /* 1797 * compute the signature/digest for the cookie 1798 */ 1799 ep = &(*inp_p)->sctp_ep; 1800 l_inp = *inp_p; 1801 if (l_stcb) { 1802 SCTP_TCB_UNLOCK(l_stcb); 1803 } 1804 SCTP_INP_RLOCK(l_inp); 1805 if (l_stcb) { 1806 SCTP_TCB_LOCK(l_stcb); 1807 } 1808 /* which cookie is it? */ 1809 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1810 (ep->current_secret_number != ep->last_secret_number)) { 1811 /* it's the old cookie */ 1812 #ifdef SCTP_DEBUG 1813 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1814 printf("sctp_handle_cookie: old cookie sig\n"); 1815 } 1816 #endif 1817 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1818 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1819 } else { 1820 /* it's the current cookie */ 1821 #ifdef SCTP_DEBUG 1822 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1823 printf("sctp_handle_cookie: current cookie sig\n"); 1824 } 1825 #endif 1826 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number], 1827 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1828 } 1829 /* get the signature */ 1830 SCTP_INP_RUNLOCK(l_inp); 1831 sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig); 1832 if (sig == NULL) { 1833 /* couldn't find signature */ 1834 #ifdef SCTP_DEBUG 1835 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1836 printf("sctp_handle_cookie: couldn't pull the signature\n"); 1837 } 1838 #endif 1839 return (NULL); 1840 } 1841 /* compare the received digest with the computed digest */ 1842 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1843 /* try the old cookie? */ 1844 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1845 (ep->current_secret_number != ep->last_secret_number)) { 1846 /* compute digest with old */ 1847 #ifdef SCTP_DEBUG 1848 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1849 printf("sctp_handle_cookie: old cookie sig\n"); 1850 } 1851 #endif 1852 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1853 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1854 /* compare */ 1855 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1856 cookie_ok = 1; 1857 } 1858 } else { 1859 cookie_ok = 1; 1860 } 1861 1862 /* 1863 * Now before we continue we must reconstruct our mbuf so 1864 * that normal processing of any other chunks will work. 1865 */ 1866 { 1867 struct mbuf *m_at; 1868 m_at = m; 1869 while (m_at->m_next != NULL) { 1870 m_at = m_at->m_next; 1871 } 1872 m_at->m_next = m_sig; 1873 if (m->m_flags & M_PKTHDR) { 1874 /* 1875 * We should only do this if and only if the front 1876 * mbuf has a m_pkthdr... it should in theory. 1877 */ 1878 if (m_sig->m_flags & M_PKTHDR) { 1879 /* Add back to the pkt hdr of main m chain */ 1880 m->m_pkthdr.len += m_sig->m_len; 1881 } else { 1882 /* 1883 * Got a problem, no pkthdr in split chain. 1884 * TSNH but we will handle it just in case 1885 */ 1886 int mmlen = 0; 1887 struct mbuf *lat; 1888 printf("Warning: Hitting m_split join TSNH code - fixed\n"); 1889 lat = m_sig; 1890 while (lat) { 1891 mmlen += lat->m_len; 1892 lat = lat->m_next; 1893 } 1894 m->m_pkthdr.len += mmlen; 1895 } 1896 } 1897 } 1898 1899 if (cookie_ok == 0) { 1900 #ifdef SCTP_DEBUG 1901 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1902 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1903 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1904 (u_int32_t)offset, cookie_offset, sig_offset); 1905 } 1906 #endif 1907 return (NULL); 1908 } 1909 #ifdef SCTP_DEBUG 1910 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1911 printf("handle_cookie_echo: cookie signature validation passed\n"); 1912 } 1913 #endif 1914 1915 /* 1916 * check the cookie timestamps to be sure it's not stale 1917 */ 1918 SCTP_GETTIME_TIMEVAL(&now); 1919 /* Expire time is in Ticks, so we convert to seconds */ 1920 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1921 time_expires.tv_usec = cookie->time_entered.tv_usec; 1922 #ifndef __FreeBSD__ 1923 if (timercmp(&now, &time_expires, >)) 1924 #else 1925 if (timevalcmp(&now, &time_expires, >)) 1926 #endif 1927 { 1928 /* cookie is stale! */ 1929 struct mbuf *op_err; 1930 struct sctp_stale_cookie_msg *scm; 1931 u_int32_t tim; 1932 #ifdef SCTP_DEBUG 1933 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 1934 printf("sctp_handle_cookie: got a STALE cookie!\n"); 1935 } 1936 #endif 1937 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1938 if (op_err == NULL) { 1939 /* FOOBAR */ 1940 return (NULL); 1941 } 1942 /* pre-reserve some space */ 1943 op_err->m_data += sizeof(struct ip6_hdr); 1944 op_err->m_data += sizeof(struct sctphdr); 1945 op_err->m_data += sizeof(struct sctp_chunkhdr); 1946 1947 /* Set the len */ 1948 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1949 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1950 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1951 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1952 (sizeof(u_int32_t)))); 1953 /* seconds to usec */ 1954 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1955 /* add in usec */ 1956 if (tim == 0) 1957 tim = now.tv_usec - cookie->time_entered.tv_usec; 1958 scm->time_usec = htonl(tim); 1959 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1960 return (NULL); 1961 } 1962 /* 1963 * Now we must see with the lookup address if we have an existing 1964 * asoc. This will only happen if we were in the COOKIE-WAIT state 1965 * and a INIT collided with us and somewhere the peer sent the 1966 * cookie on another address besides the single address our assoc 1967 * had for him. In this case we will have one of the tie-tags set 1968 * at least AND the address field in the cookie can be used to 1969 * look it up. 1970 */ 1971 to = NULL; 1972 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1973 memset(&sin6, 0, sizeof(sin6)); 1974 sin6.sin6_family = AF_INET6; 1975 sin6.sin6_len = sizeof(sin6); 1976 sin6.sin6_port = sh->src_port; 1977 sin6.sin6_scope_id = cookie->scope_id; 1978 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1979 sizeof(sin6.sin6_addr.s6_addr)); 1980 to = (struct sockaddr *)&sin6; 1981 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1982 memset(&sin, 0, sizeof(sin)); 1983 sin.sin_family = AF_INET; 1984 sin.sin_len = sizeof(sin); 1985 sin.sin_port = sh->src_port; 1986 sin.sin_addr.s_addr = cookie->address[0]; 1987 to = (struct sockaddr *)&sin; 1988 } 1989 1990 if ((*stcb == NULL) && to) { 1991 /* Yep, lets check */ 1992 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1993 if (*stcb == NULL) { 1994 /* We should have only got back the same inp. If we 1995 * got back a different ep we have a problem. The original 1996 * findep got back l_inp and now 1997 */ 1998 if (l_inp != *inp_p) { 1999 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2000 } 2001 } 2002 } 2003 2004 cookie_len -= SCTP_SIGNATURE_SIZE; 2005 if (*stcb == NULL) { 2006 /* this is the "normal" case... get a new TCB */ 2007 #ifdef SCTP_DEBUG 2008 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2009 printf("sctp_handle_cookie: processing NEW cookie\n"); 2010 } 2011 #endif 2012 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2013 cookie_len, *inp_p, netp, to, ¬ification); 2014 /* now always decrement, since this is the normal 2015 * case.. we had no tcb when we entered. 2016 */ 2017 } else { 2018 /* this is abnormal... cookie-echo on existing TCB */ 2019 #ifdef SCTP_DEBUG 2020 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2021 printf("sctp_handle_cookie: processing EXISTING cookie\n"); 2022 } 2023 #endif 2024 had_a_existing_tcb = 1; 2025 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2026 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification); 2027 } 2028 2029 if (*stcb == NULL) { 2030 /* still no TCB... must be bad cookie-echo */ 2031 #ifdef SCTP_DEBUG 2032 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2033 printf("handle_cookie_echo: ACK! don't have a TCB!\n"); 2034 } 2035 #endif /* SCTP_DEBUG */ 2036 return (NULL); 2037 } 2038 2039 /* 2040 * Ok, we built an association so confirm the address 2041 * we sent the INIT-ACK to. 2042 */ 2043 netl = sctp_findnet(*stcb, to); 2044 /* This code should in theory NOT run but 2045 */ 2046 if (netl == NULL) { 2047 #ifdef SCTP_DEBUG 2048 printf("TSNH! Huh, why do I need to add this address here?\n"); 2049 #endif 2050 sctp_add_remote_addr(*stcb, to, 0, 100); 2051 netl = sctp_findnet(*stcb, to); 2052 } 2053 if (netl) { 2054 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2055 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2056 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2057 netl); 2058 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2059 (*stcb), 0, (void *)netl); 2060 } 2061 } 2062 #ifdef SCTP_DEBUG 2063 else { 2064 printf("Could not add source address for some reason\n"); 2065 } 2066 #endif 2067 2068 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2069 if (!had_a_existing_tcb || 2070 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2071 /* 2072 * If we have a NEW cookie or the connect never reached 2073 * the connected state during collision we must do the 2074 * TCP accept thing. 2075 */ 2076 struct socket *so, *oso; 2077 struct sctp_inpcb *inp; 2078 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2079 /* 2080 * For a restart we will keep the same socket, 2081 * no need to do anything. I THINK!! 2082 */ 2083 sctp_ulp_notify(notification, *stcb, 0, NULL); 2084 return (m); 2085 } 2086 oso = (*inp_p)->sctp_socket; 2087 SCTP_TCB_UNLOCK((*stcb)); 2088 so = sonewconn(oso, SS_ISCONNECTED); 2089 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2090 SCTP_TCB_LOCK((*stcb)); 2091 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2092 if (so == NULL) { 2093 struct mbuf *op_err; 2094 /* Too many sockets */ 2095 #ifdef SCTP_DEBUG 2096 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2097 printf("process_cookie_new: no room for another socket!\n"); 2098 } 2099 #endif /* SCTP_DEBUG */ 2100 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2101 sctp_abort_association(*inp_p, NULL, m, iphlen, 2102 sh, op_err); 2103 sctp_free_assoc(*inp_p, *stcb); 2104 return (NULL); 2105 } 2106 inp = (struct sctp_inpcb *)so->so_pcb; 2107 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2108 SCTP_PCB_FLAGS_CONNECTED | 2109 SCTP_PCB_FLAGS_IN_TCPPOOL | 2110 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2111 SCTP_PCB_FLAGS_DONT_WAKE); 2112 inp->sctp_socket = so; 2113 2114 /* 2115 * Now we must move it from one hash table to another 2116 * and get the tcb in the right place. 2117 */ 2118 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2119 2120 /* Switch over to the new guy */ 2121 *inp_p = inp; 2122 2123 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, 2124 *stcb, *netp); 2125 2126 sctp_ulp_notify(notification, *stcb, 0, NULL); 2127 return (m); 2128 } 2129 } 2130 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2131 sctp_ulp_notify(notification, *stcb, 0, NULL); 2132 } 2133 return (m); 2134 } 2135 2136 static void 2137 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2138 struct sctp_tcb *stcb, struct sctp_nets *net) 2139 { 2140 /* cp must not be used, others call this without a c-ack :-) */ 2141 struct sctp_association *asoc; 2142 2143 #ifdef SCTP_DEBUG 2144 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2145 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2146 } 2147 #endif 2148 if (stcb == NULL) 2149 return; 2150 2151 asoc = &stcb->asoc; 2152 2153 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2154 2155 /* process according to association state */ 2156 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2157 /* state change only needed when I am in right state */ 2158 #ifdef SCTP_DEBUG 2159 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2160 printf("moving to OPEN state\n"); 2161 } 2162 #endif 2163 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2164 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2165 } else { 2166 asoc->state = SCTP_STATE_OPEN; 2167 } 2168 2169 /* update RTO */ 2170 if (asoc->overall_error_count == 0) { 2171 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2172 &asoc->time_entered); 2173 } 2174 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2175 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2176 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2177 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2178 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2179 soisconnected(stcb->sctp_ep->sctp_socket); 2180 } 2181 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2182 stcb, net); 2183 /* since we did not send a HB make sure we don't double things */ 2184 net->hb_responded = 1; 2185 2186 if (stcb->asoc.sctp_autoclose_ticks && 2187 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 2188 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2189 stcb->sctp_ep, stcb, NULL); 2190 } 2191 2192 /* 2193 * set ASCONF timer if ASCONFs are pending and allowed 2194 * (eg. addresses changed when init/cookie echo in flight) 2195 */ 2196 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) && 2197 (stcb->asoc.peer_supports_asconf) && 2198 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2199 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2200 stcb->sctp_ep, stcb, 2201 stcb->asoc.primary_destination); 2202 } 2203 2204 } 2205 /* Toss the cookie if I can */ 2206 sctp_toss_old_cookies(asoc); 2207 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2208 /* Restart the timer if we have pending data */ 2209 struct sctp_tmit_chunk *chk; 2210 chk = TAILQ_FIRST(&asoc->sent_queue); 2211 if (chk) { 2212 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2213 stcb, chk->whoTo); 2214 } 2215 } 2216 2217 } 2218 2219 static void 2220 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2221 struct sctp_tcb *stcb) 2222 { 2223 struct sctp_nets *net; 2224 struct sctp_tmit_chunk *lchk; 2225 u_int32_t tsn; 2226 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2227 return; 2228 } 2229 sctp_pegs[SCTP_ECNE_RCVD]++; 2230 tsn = ntohl(cp->tsn); 2231 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2232 /* Also we make sure we disable the nonce_wait */ 2233 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2234 if (lchk == NULL) { 2235 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2236 } else { 2237 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2238 } 2239 stcb->asoc.nonce_wait_for_ecne = 0; 2240 stcb->asoc.nonce_sum_check = 0; 2241 2242 /* Find where it was sent, if possible */ 2243 net = NULL; 2244 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2245 while (lchk) { 2246 if (lchk->rec.data.TSN_seq == tsn) { 2247 net = lchk->whoTo; 2248 break; 2249 } 2250 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2251 break; 2252 lchk = TAILQ_NEXT(lchk, sctp_next); 2253 } 2254 if (net == NULL) 2255 /* default is we use the primary */ 2256 net = stcb->asoc.primary_destination; 2257 2258 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2259 #ifdef SCTP_CWND_LOGGING 2260 int old_cwnd; 2261 #endif 2262 #ifdef SCTP_CWND_LOGGING 2263 old_cwnd = net->cwnd; 2264 #endif 2265 sctp_pegs[SCTP_CWR_PERFO]++; 2266 net->ssthresh = net->cwnd / 2; 2267 if (net->ssthresh < net->mtu) { 2268 net->ssthresh = net->mtu; 2269 /* here back off the timer as well, to slow us down */ 2270 net->RTO <<= 2; 2271 } 2272 net->cwnd = net->ssthresh; 2273 #ifdef SCTP_CWND_LOGGING 2274 sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2275 #endif 2276 /* we reduce once every RTT. So we will only lower 2277 * cwnd at the next sending seq i.e. the resync_tsn. 2278 */ 2279 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2280 } 2281 /* 2282 * We always send a CWR this way if our previous one was lost 2283 * our peer will get an update, or if it is not time again 2284 * to reduce we still get the cwr to the peer. 2285 */ 2286 sctp_send_cwr(stcb, net, tsn); 2287 } 2288 2289 static void 2290 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2291 { 2292 /* Here we get a CWR from the peer. We must look in 2293 * the outqueue and make sure that we have a covered 2294 * ECNE in teh control chunk part. If so remove it. 2295 */ 2296 struct sctp_tmit_chunk *chk; 2297 struct sctp_ecne_chunk *ecne; 2298 2299 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2300 if (chk->rec.chunk_id != SCTP_ECN_ECHO) { 2301 continue; 2302 } 2303 /* Look for and remove if it is the right TSN. Since 2304 * there is only ONE ECNE on the control queue at 2305 * any one time we don't need to worry about more than 2306 * one! 2307 */ 2308 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2309 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2310 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2311 /* this covers this ECNE, we can remove it */ 2312 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2313 sctp_next); 2314 if (chk->data) { 2315 sctp_m_freem(chk->data); 2316 chk->data = NULL; 2317 } 2318 stcb->asoc.ctrl_queue_cnt--; 2319 sctp_free_remote_addr(chk->whoTo); 2320 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2321 sctppcbinfo.ipi_count_chunk--; 2322 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2323 panic("Chunk count is negative"); 2324 } 2325 sctppcbinfo.ipi_gencnt_chunk++; 2326 break; 2327 } 2328 } 2329 } 2330 2331 static void 2332 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2333 struct sctp_tcb *stcb, struct sctp_nets *net) 2334 { 2335 struct sctp_association *asoc; 2336 2337 #ifdef SCTP_DEBUG 2338 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2339 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2340 } 2341 #endif 2342 if (stcb == NULL) 2343 return; 2344 2345 asoc = &stcb->asoc; 2346 /* process according to association state */ 2347 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2348 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2349 return; 2350 } 2351 /* notify upper layer protocol */ 2352 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2353 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2354 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2355 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 2356 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 2357 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 2358 soisdisconnected(stcb->sctp_ep->sctp_socket); 2359 } 2360 /* are the queues empty? they should be */ 2361 if (!TAILQ_EMPTY(&asoc->send_queue) || 2362 !TAILQ_EMPTY(&asoc->sent_queue) || 2363 !TAILQ_EMPTY(&asoc->out_wheel)) { 2364 sctp_report_all_outbound(stcb); 2365 } 2366 /* stop the timer */ 2367 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 2368 /* free the TCB */ 2369 sctp_free_assoc(stcb->sctp_ep, stcb); 2370 return; 2371 } 2372 2373 static int 2374 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2375 struct sctp_nets *net, u_int8_t flg) 2376 { 2377 switch (desc->chunk_type) { 2378 case SCTP_DATA: 2379 /* find the tsn to resend (possibly */ 2380 { 2381 u_int32_t tsn; 2382 struct sctp_tmit_chunk *tp1; 2383 tsn = ntohl(desc->tsn_ifany); 2384 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2385 while (tp1) { 2386 if (tp1->rec.data.TSN_seq == tsn) { 2387 /* found it */ 2388 break; 2389 } 2390 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2391 MAX_TSN)) { 2392 /* not found */ 2393 tp1 = NULL; 2394 break; 2395 } 2396 tp1 = TAILQ_NEXT(tp1, sctp_next); 2397 } 2398 if (tp1 == NULL) { 2399 /* Do it the other way */ 2400 sctp_pegs[SCTP_PDRP_DNFND]++; 2401 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2402 while (tp1) { 2403 if (tp1->rec.data.TSN_seq == tsn) { 2404 /* found it */ 2405 break; 2406 } 2407 tp1 = TAILQ_NEXT(tp1, sctp_next); 2408 } 2409 } 2410 if (tp1 == NULL) { 2411 sctp_pegs[SCTP_PDRP_TSNNF]++; 2412 } 2413 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2414 u_int8_t *ddp; 2415 if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) && 2416 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2417 sctp_pegs[SCTP_PDRP_DIWNP]++; 2418 return (0); 2419 } 2420 if (stcb->asoc.peers_rwnd == 0 && 2421 (flg & SCTP_FROM_MIDDLE_BOX)) { 2422 sctp_pegs[SCTP_PDRP_DIZRW]++; 2423 return (0); 2424 } 2425 ddp = (u_int8_t *)(mtod(tp1->data, vaddr_t) + 2426 sizeof(struct sctp_data_chunk)); 2427 { 2428 unsigned int iii; 2429 for (iii = 0; iii < sizeof(desc->data_bytes); 2430 iii++) { 2431 if (ddp[iii] != desc->data_bytes[iii]) { 2432 sctp_pegs[SCTP_PDRP_BADD]++; 2433 return (-1); 2434 } 2435 } 2436 } 2437 if (tp1->sent != SCTP_DATAGRAM_RESEND) { 2438 stcb->asoc.sent_queue_retran_cnt++; 2439 } 2440 /* We zero out the nonce so resync not needed */ 2441 tp1->rec.data.ect_nonce = 0; 2442 2443 if (tp1->do_rtt) { 2444 /* 2445 * this guy had a RTO calculation pending on it, 2446 * cancel it 2447 */ 2448 tp1->whoTo->rto_pending = 0; 2449 tp1->do_rtt = 0; 2450 } 2451 sctp_pegs[SCTP_PDRP_MARK]++; 2452 tp1->sent = SCTP_DATAGRAM_RESEND; 2453 /* 2454 * mark it as if we were doing a FR, since we 2455 * will be getting gap ack reports behind the 2456 * info from the router. 2457 */ 2458 tp1->rec.data.doing_fast_retransmit = 1; 2459 /* 2460 * mark the tsn with what sequences can cause a new FR. 2461 */ 2462 if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) { 2463 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2464 } else { 2465 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2466 } 2467 2468 /* restart the timer */ 2469 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2470 stcb, tp1->whoTo); 2471 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2472 stcb, tp1->whoTo); 2473 2474 /* fix counts and things */ 2475 sctp_flight_size_decrease(tp1); 2476 sctp_total_flight_decrease(stcb, tp1); 2477 tp1->snd_count--; 2478 } 2479 { 2480 /* audit code */ 2481 unsigned int audit; 2482 audit = 0; 2483 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2484 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2485 audit++; 2486 } 2487 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2488 sctp_next) { 2489 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2490 audit++; 2491 } 2492 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2493 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2494 audit, stcb->asoc.sent_queue_retran_cnt); 2495 #ifndef SCTP_AUDITING_ENABLED 2496 stcb->asoc.sent_queue_retran_cnt = audit; 2497 #endif 2498 } 2499 } 2500 } 2501 break; 2502 case SCTP_ASCONF: 2503 { 2504 struct sctp_tmit_chunk *asconf; 2505 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2506 sctp_next) { 2507 if (asconf->rec.chunk_id == SCTP_ASCONF) { 2508 break; 2509 } 2510 } 2511 if (asconf) { 2512 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2513 stcb->asoc.sent_queue_retran_cnt++; 2514 asconf->sent = SCTP_DATAGRAM_RESEND; 2515 asconf->snd_count--; 2516 } 2517 } 2518 break; 2519 case SCTP_INITIATION: 2520 /* resend the INIT */ 2521 stcb->asoc.dropped_special_cnt++; 2522 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2523 /* 2524 * If we can get it in, in a few attempts we do this, 2525 * otherwise we let the timer fire. 2526 */ 2527 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2528 stcb, net); 2529 sctp_send_initiate(stcb->sctp_ep, stcb); 2530 } 2531 break; 2532 case SCTP_SELECTIVE_ACK: 2533 /* resend the sack */ 2534 sctp_send_sack(stcb); 2535 break; 2536 case SCTP_HEARTBEAT_REQUEST: 2537 /* resend a demand HB */ 2538 sctp_send_hb(stcb, 1, net); 2539 break; 2540 case SCTP_SHUTDOWN: 2541 #ifdef SCTP_DEBUG 2542 if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) { 2543 printf("%s:%d sends a shutdown\n", 2544 __FILE__, 2545 __LINE__ 2546 ); 2547 } 2548 #endif 2549 sctp_send_shutdown(stcb, net); 2550 break; 2551 case SCTP_SHUTDOWN_ACK: 2552 sctp_send_shutdown_ack(stcb, net); 2553 break; 2554 case SCTP_COOKIE_ECHO: 2555 { 2556 struct sctp_tmit_chunk *cookie; 2557 cookie = NULL; 2558 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2559 sctp_next) { 2560 if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) { 2561 break; 2562 } 2563 } 2564 if (cookie) { 2565 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2566 stcb->asoc.sent_queue_retran_cnt++; 2567 cookie->sent = SCTP_DATAGRAM_RESEND; 2568 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2569 } 2570 } 2571 break; 2572 case SCTP_COOKIE_ACK: 2573 sctp_send_cookie_ack(stcb); 2574 break; 2575 case SCTP_ASCONF_ACK: 2576 /* resend last asconf ack */ 2577 sctp_send_asconf_ack(stcb, 1); 2578 break; 2579 case SCTP_FORWARD_CUM_TSN: 2580 send_forward_tsn(stcb, &stcb->asoc); 2581 break; 2582 /* can't do anything with these */ 2583 case SCTP_PACKET_DROPPED: 2584 case SCTP_INITIATION_ACK: /* this should not happen */ 2585 case SCTP_HEARTBEAT_ACK: 2586 case SCTP_ABORT_ASSOCIATION: 2587 case SCTP_OPERATION_ERROR: 2588 case SCTP_SHUTDOWN_COMPLETE: 2589 case SCTP_ECN_ECHO: 2590 case SCTP_ECN_CWR: 2591 default: 2592 break; 2593 } 2594 return (0); 2595 } 2596 2597 static void 2598 sctp_reset_in_stream(struct sctp_tcb *stcb, 2599 struct sctp_stream_reset_response *resp, int number_entries) 2600 { 2601 int i; 2602 uint16_t *list, temp; 2603 2604 /* We set things to 0xffff since this is the last delivered 2605 * sequence and we will be sending in 0 after the reset. 2606 */ 2607 2608 if (resp->reset_flags & SCTP_RESET_PERFORMED) { 2609 if (number_entries) { 2610 list = resp->list_of_streams; 2611 for (i = 0; i < number_entries; i++) { 2612 temp = ntohs(list[i]); 2613 list[i] = temp; 2614 if (list[i] >= stcb->asoc.streamincnt) { 2615 printf("Invalid stream in-stream reset %d\n", list[i]); 2616 continue; 2617 } 2618 stcb->asoc.strmin[(list[i])].last_sequence_delivered = 0xffff; 2619 } 2620 } else { 2621 list = NULL; 2622 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2623 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2624 } 2625 } 2626 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2627 } 2628 } 2629 2630 static void 2631 sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2632 { 2633 struct sctp_tmit_chunk *chk, *nchk; 2634 struct sctp_association *asoc; 2635 2636 asoc = &stcb->asoc; 2637 2638 for (chk = TAILQ_FIRST(&asoc->control_send_queue); 2639 chk; chk = nchk) { 2640 nchk = TAILQ_NEXT(chk, sctp_next); 2641 if (chk->rec.chunk_id == SCTP_STREAM_RESET) { 2642 struct sctp_stream_reset_req *strreq; 2643 strreq = mtod(chk->data, struct sctp_stream_reset_req *); 2644 if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) { 2645 /* we only clean up the request */ 2646 continue; 2647 } else if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) { 2648 printf("TSNH, an unknown stream reset request is in queue %x\n", 2649 (u_int)ntohs(strreq->sr_req.ph.param_type)); 2650 continue; 2651 } 2652 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2653 TAILQ_REMOVE(&asoc->control_send_queue, 2654 chk, 2655 sctp_next); 2656 if (chk->data) { 2657 sctp_m_freem(chk->data); 2658 chk->data = NULL; 2659 } 2660 asoc->ctrl_queue_cnt--; 2661 sctp_free_remote_addr(chk->whoTo); 2662 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2663 sctppcbinfo.ipi_count_chunk--; 2664 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2665 panic("Chunk count is negative"); 2666 } 2667 sctppcbinfo.ipi_gencnt_chunk++; 2668 /* we can only have one of these so we break */ 2669 break; 2670 } 2671 } 2672 } 2673 2674 2675 void 2676 sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2677 struct sctp_stream_reset_response *resp) 2678 { 2679 uint32_t seq, tsn; 2680 int number_entries, param_length; 2681 2682 param_length = ntohs(resp->ph.param_length); 2683 seq = ntohl(resp->reset_req_seq_resp); 2684 if (seq == stcb->asoc.str_reset_seq_out) { 2685 sctp_clean_up_stream_reset(stcb); 2686 stcb->asoc.str_reset_seq_out++; 2687 stcb->asoc.stream_reset_outstanding = 0; 2688 tsn = ntohl(resp->reset_at_tsn); 2689 number_entries = (param_length - sizeof(struct sctp_stream_reset_response))/sizeof(uint16_t); 2690 tsn--; 2691 if ((tsn == stcb->asoc.cumulative_tsn) || 2692 (compare_with_wrap(stcb->asoc.cumulative_tsn, tsn, MAX_TSN))) { 2693 /* no problem we are good to go */ 2694 sctp_reset_in_stream(stcb, resp, number_entries); 2695 } else { 2696 /* So, we have a stream reset but there 2697 * is pending data. We need to copy 2698 * out the stream_reset and then queue 2699 * any data = or > resp->reset_at_tsn 2700 */ 2701 if (stcb->asoc.pending_reply != NULL) { 2702 /* FIX ME FIX ME 2703 * This IS WRONG. We need 2704 * to queue each of these up 2705 * and only release the chunks 2706 * for each reset that the cum-ack 2707 * goes by. This is a short cut. 2708 */ 2709 free(stcb->asoc.pending_reply, M_PCB); 2710 } 2711 stcb->asoc.pending_reply = malloc(param_length, 2712 M_PCB, M_NOWAIT); 2713 memcpy(stcb->asoc.pending_reply, resp, param_length); 2714 } 2715 2716 } else { 2717 /* duplicate */ 2718 #ifdef SCTP_DEBUG 2719 printf("Duplicate old stream reset resp next:%x this one:%x\n", 2720 stcb->asoc.str_reset_seq_out, seq); 2721 #endif 2722 } 2723 } 2724 2725 2726 static void 2727 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req) 2728 { 2729 int chk_length, param_len; 2730 struct sctp_paramhdr *ph; 2731 /* now it may be a reset or a reset-response */ 2732 struct sctp_stream_reset_request *req; 2733 struct sctp_stream_reset_response *resp; 2734 chk_length = ntohs(sr_req->ch.chunk_length); 2735 2736 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 2737 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) { 2738 param_len = ntohs(ph->param_length); 2739 if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) { 2740 /* this will send the ACK and do the reset if needed */ 2741 req = (struct sctp_stream_reset_request *)ph; 2742 sctp_send_str_reset_ack(stcb, req); 2743 } else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) { 2744 /* Now here is a tricky one. We reset our receive side 2745 * of the streams. But what happens if the peers 2746 * next sending TSN is NOT equal to 1 minus our cumack? 2747 * And if his cumack is not equal to our next one out - 1 2748 * we have another problem if this is receprical. 2749 */ 2750 resp = (struct sctp_stream_reset_response *)ph; 2751 sctp_handle_stream_reset_response(stcb, resp); 2752 } 2753 ph = (struct sctp_paramhdr *)((vaddr_t)ph + SCTP_SIZE32(param_len)); 2754 chk_length -= SCTP_SIZE32(param_len); 2755 } 2756 } 2757 2758 /* 2759 * Handle a router or endpoints report of a packet loss, there 2760 * are two ways to handle this, either we get the whole packet 2761 * and must disect it ourselves (possibly with truncation and 2762 * or corruption) or it is a summary from a middle box that did 2763 * the disectting for us. 2764 */ 2765 static void 2766 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 2767 struct sctp_tcb *stcb, struct sctp_nets *net) 2768 { 2769 u_int32_t bottle_bw, on_queue; 2770 u_int16_t trunc_len; 2771 unsigned int chlen; 2772 unsigned int at; 2773 struct sctp_chunk_desc desc; 2774 struct sctp_chunkhdr *ch; 2775 2776 chlen = ntohs(cp->ch.chunk_length); 2777 chlen -= sizeof(struct sctp_pktdrop_chunk); 2778 /* XXX possible chlen underflow */ 2779 if (chlen == 0) { 2780 ch = NULL; 2781 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 2782 sctp_pegs[SCTP_PDRP_BWRPT]++; 2783 } else { 2784 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 2785 chlen -= sizeof(struct sctphdr); 2786 /* XXX possible chlen underflow */ 2787 memset(&desc, 0, sizeof(desc)); 2788 } 2789 2790 /* first update a rwnd possibly */ 2791 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 2792 /* From a peer, we get a rwnd report */ 2793 u_int32_t a_rwnd; 2794 2795 sctp_pegs[SCTP_PDRP_FEHOS]++; 2796 2797 bottle_bw = ntohl(cp->bottle_bw); 2798 on_queue = ntohl(cp->current_onq); 2799 if (bottle_bw && on_queue) { 2800 /* a rwnd report is in here */ 2801 if (bottle_bw > on_queue) 2802 a_rwnd = bottle_bw - on_queue; 2803 else 2804 a_rwnd = 0; 2805 2806 if (a_rwnd <= 0) 2807 stcb->asoc.peers_rwnd = 0; 2808 else { 2809 if (a_rwnd > stcb->asoc.total_flight) { 2810 stcb->asoc.peers_rwnd = 2811 a_rwnd - stcb->asoc.total_flight; 2812 } else { 2813 stcb->asoc.peers_rwnd = 0; 2814 } 2815 if (stcb->asoc.peers_rwnd < 2816 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 2817 /* SWS sender side engages */ 2818 stcb->asoc.peers_rwnd = 0; 2819 } 2820 } 2821 } 2822 } else { 2823 sctp_pegs[SCTP_PDRP_FMBOX]++; 2824 } 2825 trunc_len = (u_int16_t)ntohs(cp->trunc_len); 2826 /* now the chunks themselves */ 2827 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 2828 desc.chunk_type = ch->chunk_type; 2829 /* get amount we need to move */ 2830 at = ntohs(ch->chunk_length); 2831 if (at < sizeof(struct sctp_chunkhdr)) { 2832 /* corrupt chunk, maybe at the end? */ 2833 sctp_pegs[SCTP_PDRP_CRUPT]++; 2834 break; 2835 } 2836 if (trunc_len == 0) { 2837 /* we are supposed to have all of it */ 2838 if (at > chlen) { 2839 /* corrupt skip it */ 2840 sctp_pegs[SCTP_PDRP_CRUPT]++; 2841 break; 2842 } 2843 } else { 2844 /* is there enough of it left ? */ 2845 if (desc.chunk_type == SCTP_DATA) { 2846 if (chlen < (sizeof(struct sctp_data_chunk) + 2847 sizeof(desc.data_bytes))) { 2848 break; 2849 } 2850 } else { 2851 if (chlen < sizeof(struct sctp_chunkhdr)) { 2852 break; 2853 } 2854 } 2855 } 2856 if (desc.chunk_type == SCTP_DATA) { 2857 /* can we get out the tsn? */ 2858 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2859 sctp_pegs[SCTP_PDRP_MB_DA]++; 2860 2861 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(u_int32_t)) ) { 2862 /* yep */ 2863 struct sctp_data_chunk *dcp; 2864 u_int8_t *ddp; 2865 unsigned int iii; 2866 dcp = (struct sctp_data_chunk *)ch; 2867 ddp = (u_int8_t *)(dcp + 1); 2868 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 2869 desc.data_bytes[iii] = ddp[iii]; 2870 } 2871 desc.tsn_ifany = dcp->dp.tsn; 2872 } else { 2873 /* nope we are done. */ 2874 sctp_pegs[SCTP_PDRP_NEDAT]++; 2875 break; 2876 } 2877 } else { 2878 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2879 sctp_pegs[SCTP_PDRP_MB_CT]++; 2880 } 2881 2882 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 2883 sctp_pegs[SCTP_PDRP_PDBRK]++; 2884 break; 2885 } 2886 if (SCTP_SIZE32(at) > chlen) { 2887 break; 2888 } 2889 chlen -= SCTP_SIZE32(at); 2890 if (chlen < sizeof(struct sctp_chunkhdr)) { 2891 /* done, none left */ 2892 break; 2893 } 2894 ch = (struct sctp_chunkhdr *)((vaddr_t)ch + SCTP_SIZE32(at)); 2895 } 2896 2897 /* now middle boxes in sat networks get a cwnd bump */ 2898 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 2899 (stcb->asoc.sat_t3_loss_recovery == 0) && 2900 (stcb->asoc.sat_network)) { 2901 /* 2902 * This is debateable but for sat networks it makes sense 2903 * Note if a T3 timer has went off, we will prohibit any 2904 * changes to cwnd until we exit the t3 loss recovery. 2905 */ 2906 u_int32_t bw_avail; 2907 int rtt, incr; 2908 #ifdef SCTP_CWND_LOGGING 2909 int old_cwnd=net->cwnd; 2910 #endif 2911 /* need real RTT for this calc */ 2912 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 2913 /* get bottle neck bw */ 2914 bottle_bw = ntohl(cp->bottle_bw); 2915 /* and whats on queue */ 2916 on_queue = ntohl(cp->current_onq); 2917 /* 2918 * adjust the on-queue if our flight is more it could be 2919 * that the router has not yet gotten data "in-flight" to it 2920 */ 2921 if (on_queue < net->flight_size) 2922 on_queue = net->flight_size; 2923 2924 /* calculate the available space */ 2925 bw_avail = (bottle_bw*rtt)/1000; 2926 if (bw_avail > bottle_bw) { 2927 /* 2928 * Cap the growth to no more than the bottle neck. 2929 * This can happen as RTT slides up due to queues. 2930 * It also means if you have more than a 1 second 2931 * RTT with a empty queue you will be limited to 2932 * the bottle_bw per second no matter if 2933 * other points have 1/2 the RTT and you could 2934 * get more out... 2935 */ 2936 bw_avail = bottle_bw; 2937 } 2938 2939 if (on_queue > bw_avail) { 2940 /* 2941 * No room for anything else don't allow anything 2942 * else to be "added to the fire". 2943 */ 2944 int seg_inflight, seg_onqueue, my_portion; 2945 net->partial_bytes_acked = 0; 2946 2947 /* how much are we over queue size? */ 2948 incr = on_queue - bw_avail; 2949 if (stcb->asoc.seen_a_sack_this_pkt) { 2950 /* undo any cwnd adjustment that 2951 * the sack might have made 2952 */ 2953 net->cwnd = net->prev_cwnd; 2954 } 2955 2956 /* Now how much of that is mine? */ 2957 seg_inflight = net->flight_size / net->mtu; 2958 seg_onqueue = on_queue / net->mtu; 2959 my_portion = (incr * seg_inflight)/seg_onqueue; 2960 2961 /* Have I made an adjustment already */ 2962 if (net->cwnd > net->flight_size) { 2963 /* for this flight I made an adjustment 2964 * we need to decrease the portion by a share 2965 * our previous adjustment. 2966 */ 2967 int diff_adj; 2968 diff_adj = net->cwnd - net->flight_size; 2969 if (diff_adj > my_portion) 2970 my_portion = 0; 2971 else 2972 my_portion -= diff_adj; 2973 } 2974 2975 /* back down to the previous cwnd (assume 2976 * we have had a sack before this packet). minus 2977 * what ever portion of the overage is my fault. 2978 */ 2979 net->cwnd -= my_portion; 2980 2981 /* we will NOT back down more than 1 MTU */ 2982 if (net->cwnd <= net->mtu) { 2983 net->cwnd = net->mtu; 2984 } 2985 /* force into CA */ 2986 net->ssthresh = net->cwnd - 1; 2987 } else { 2988 /* 2989 * Take 1/4 of the space left or 2990 * max burst up .. whichever is less. 2991 */ 2992 incr = uimin((bw_avail - on_queue) >> 2, 2993 (int)stcb->asoc.max_burst * (int)net->mtu); 2994 net->cwnd += incr; 2995 } 2996 if (net->cwnd > bw_avail) { 2997 /* We can't exceed the pipe size */ 2998 net->cwnd = bw_avail; 2999 } 3000 if (net->cwnd < net->mtu) { 3001 /* We always have 1 MTU */ 3002 net->cwnd = net->mtu; 3003 } 3004 #ifdef SCTP_CWND_LOGGING 3005 if (net->cwnd - old_cwnd != 0) { 3006 /* log only changes */ 3007 sctp_log_cwnd(net, (net->cwnd - old_cwnd), 3008 SCTP_CWND_LOG_FROM_SAT); 3009 } 3010 #endif 3011 } 3012 } 3013 3014 extern int sctp_strict_init; 3015 3016 /* 3017 * handles all control chunks in a packet 3018 * inputs: 3019 * - m: mbuf chain, assumed to still contain IP/SCTP header 3020 * - stcb: is the tcb found for this packet 3021 * - offset: offset into the mbuf chain to first chunkhdr 3022 * - length: is the length of the complete packet 3023 * outputs: 3024 * - length: modified to remaining length after control processing 3025 * - netp: modified to new sctp_nets after cookie-echo processing 3026 * - return NULL to discard the packet (ie. no asoc, bad packet,...) 3027 * otherwise return the tcb for this packet 3028 */ 3029 static struct sctp_tcb * 3030 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3031 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3032 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3033 { 3034 struct sctp_association *asoc; 3035 u_int32_t vtag_in; 3036 int num_chunks = 0; /* number of control chunks processed */ 3037 int chk_length; 3038 int ret; 3039 3040 /* 3041 * How big should this be, and should it be alloc'd? 3042 * Lets try the d-mtu-ceiling for now (2k) and that should 3043 * hopefully work ... until we get into jumbo grams and such.. 3044 */ 3045 u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3046 struct sctp_tcb *locked_tcb = stcb; 3047 3048 #ifdef SCTP_DEBUG 3049 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3050 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3051 iphlen, *offset, length, stcb); 3052 } 3053 #endif /* SCTP_DEBUG */ 3054 3055 /* validate chunk header length... */ 3056 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3057 return (NULL); 3058 } 3059 3060 /* 3061 * validate the verification tag 3062 */ 3063 #ifdef SCTP_DEBUG 3064 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3065 printf("sctp_process_control: validating vtags\n"); 3066 } 3067 #endif /* SCTP_DEBUG */ 3068 vtag_in = ntohl(sh->v_tag); 3069 if (ch->chunk_type == SCTP_INITIATION) { 3070 if (vtag_in != 0) { 3071 /* protocol error- silently discard... */ 3072 #ifdef SCTP_DEBUG 3073 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3074 printf("sctp_process_control: INIT with vtag != 0\n"); 3075 } 3076 #endif /* SCTP_DEBUG */ 3077 sctp_pegs[SCTP_BAD_VTAGS]++; 3078 if (locked_tcb) { 3079 SCTP_TCB_UNLOCK(locked_tcb); 3080 } 3081 return (NULL); 3082 } 3083 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3084 /* 3085 * first check if it's an ASCONF with an unknown src addr 3086 * we need to look inside to find the association 3087 */ 3088 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3089 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3090 *offset, sh, &inp, netp); 3091 } 3092 if (stcb == NULL) { 3093 /* no association, so it's out of the blue... */ 3094 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3095 #ifdef SCTP_DEBUG 3096 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3097 printf("sctp_process_control: handling OOTB packet, chunk type=%xh\n", 3098 ch->chunk_type); 3099 } 3100 #endif /* SCTP_DEBUG */ 3101 *offset = length; 3102 if (locked_tcb) { 3103 SCTP_TCB_UNLOCK(locked_tcb); 3104 } 3105 return (NULL); 3106 } 3107 asoc = &stcb->asoc; 3108 /* ABORT and SHUTDOWN can use either v_tag... */ 3109 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3110 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3111 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3112 if ((vtag_in == asoc->my_vtag) || 3113 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3114 (vtag_in == asoc->peer_vtag))) { 3115 /* this is valid */ 3116 } else { 3117 /* drop this packet... */ 3118 sctp_pegs[SCTP_BAD_VTAGS]++; 3119 if (locked_tcb) { 3120 SCTP_TCB_UNLOCK(locked_tcb); 3121 } 3122 return (NULL); 3123 } 3124 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3125 if (vtag_in != asoc->my_vtag) { 3126 /* 3127 * this could be a stale SHUTDOWN-ACK or the 3128 * peer never got the SHUTDOWN-COMPLETE and 3129 * is still hung; we have started a new asoc 3130 * but it won't complete until the shutdown is 3131 * completed 3132 */ 3133 if (locked_tcb) { 3134 SCTP_TCB_UNLOCK(locked_tcb); 3135 } 3136 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3137 NULL); 3138 return (NULL); 3139 } 3140 } else { 3141 /* for all other chunks, vtag must match */ 3142 3143 if (vtag_in != asoc->my_vtag) { 3144 /* invalid vtag... */ 3145 #ifdef SCTP_DEBUG 3146 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3147 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3148 } 3149 #endif /* SCTP_DEBUG */ 3150 sctp_pegs[SCTP_BAD_VTAGS]++; 3151 if (locked_tcb) { 3152 SCTP_TCB_UNLOCK(locked_tcb); 3153 } 3154 *offset = length; 3155 return (NULL); 3156 } 3157 } 3158 } /* end if !SCTP_COOKIE_ECHO */ 3159 3160 #ifdef SCTP_DEBUG 3161 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3162 printf("sctp_process_control: vtags ok, processing ctrl chunks\n"); 3163 } 3164 #endif /* SCTP_DEBUG */ 3165 3166 /* 3167 * process all control chunks... 3168 */ 3169 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3170 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3171 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3172 /* implied cookie-ack.. we must have lost the ack */ 3173 stcb->asoc.overall_error_count = 0; 3174 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 3175 } 3176 3177 while (IS_SCTP_CONTROL(ch)) { 3178 /* validate chunk length */ 3179 chk_length = ntohs(ch->chunk_length); 3180 #ifdef SCTP_DEBUG 3181 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3182 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length); 3183 } 3184 #endif /* SCTP_DEBUG */ 3185 if ((size_t)chk_length < sizeof(*ch) || 3186 (*offset + chk_length) > length) { 3187 #ifdef SCTP_DEBUG 3188 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3189 printf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n", 3190 *offset, chk_length, length); 3191 } 3192 #endif /* SCTP_DEBUG */ 3193 *offset = length; 3194 if (locked_tcb) { 3195 SCTP_TCB_UNLOCK(locked_tcb); 3196 } 3197 return (NULL); 3198 } 3199 3200 /* 3201 * INIT-ACK only gets the init ack "header" portion only 3202 * because we don't have to process the peer's COOKIE. 3203 * All others get a complete chunk. 3204 */ 3205 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3206 /* get an init-ack chunk */ 3207 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3208 sizeof(struct sctp_init_ack), chunk_buf); 3209 if (ch == NULL) { 3210 *offset = length; 3211 if (locked_tcb) { 3212 SCTP_TCB_UNLOCK(locked_tcb); 3213 } 3214 return (NULL); 3215 } 3216 } else { 3217 /* get a complete chunk... */ 3218 if ((size_t)chk_length > sizeof(chunk_buf)) { 3219 struct mbuf *oper; 3220 struct sctp_paramhdr *phdr; 3221 oper = NULL; 3222 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3223 if (oper) { 3224 /* pre-reserve some space */ 3225 oper->m_data += 3226 sizeof(struct sctp_chunkhdr); 3227 phdr = 3228 mtod(oper, struct sctp_paramhdr *); 3229 phdr->param_type = 3230 htons(SCTP_CAUSE_OUT_OF_RESC); 3231 phdr->param_length = 3232 htons(sizeof(struct sctp_paramhdr)); 3233 sctp_queue_op_err(stcb, oper); 3234 } 3235 if (locked_tcb) { 3236 SCTP_TCB_UNLOCK(locked_tcb); 3237 } 3238 return (NULL); 3239 } 3240 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3241 chk_length, chunk_buf); 3242 if (ch == NULL) { 3243 printf("sctp_process_control: Can't get the all data....\n"); 3244 *offset = length; 3245 if (locked_tcb) { 3246 SCTP_TCB_UNLOCK(locked_tcb); 3247 } 3248 return (NULL); 3249 } 3250 3251 } 3252 num_chunks++; 3253 /* Save off the last place we got a control from */ 3254 if ((*netp) && stcb) { 3255 stcb->asoc.last_control_chunk_from = *netp; 3256 } 3257 #ifdef SCTP_AUDITING_ENABLED 3258 sctp_audit_log(0xB0, ch->chunk_type); 3259 #endif 3260 switch (ch->chunk_type) { 3261 case SCTP_INITIATION: 3262 /* must be first and only chunk */ 3263 #ifdef SCTP_DEBUG 3264 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3265 printf("SCTP_INIT\n"); 3266 } 3267 #endif /* SCTP_DEBUG */ 3268 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3269 /* We are not interested anymore */ 3270 if (locked_tcb) { 3271 SCTP_TCB_UNLOCK(locked_tcb); 3272 } 3273 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3274 /* finish the job now */ 3275 sctp_inpcb_free(inp, 1); 3276 } 3277 *offset = length; 3278 return (NULL); 3279 } 3280 if ((num_chunks > 1) || 3281 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3282 *offset = length; 3283 if (locked_tcb) { 3284 SCTP_TCB_UNLOCK(locked_tcb); 3285 } 3286 return (NULL); 3287 } 3288 if ((stcb != NULL) && 3289 (SCTP_GET_STATE(&stcb->asoc) == 3290 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3291 sctp_send_shutdown_ack(stcb, 3292 stcb->asoc.primary_destination); 3293 *offset = length; 3294 if (locked_tcb) { 3295 SCTP_TCB_UNLOCK(locked_tcb); 3296 } 3297 return (NULL); 3298 } 3299 sctp_handle_init(m, iphlen, *offset, sh, 3300 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3301 *offset = length; 3302 if (locked_tcb) { 3303 SCTP_TCB_UNLOCK(locked_tcb); 3304 } 3305 return (NULL); 3306 break; 3307 case SCTP_INITIATION_ACK: 3308 /* must be first and only chunk */ 3309 #ifdef SCTP_DEBUG 3310 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3311 printf("SCTP_INIT-ACK\n"); 3312 } 3313 #endif /* SCTP_DEBUG */ 3314 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3315 /* We are not interested anymore */ 3316 if (locked_tcb) { 3317 SCTP_TCB_UNLOCK(locked_tcb); 3318 } 3319 *offset = length; 3320 if (stcb) { 3321 sctp_free_assoc(inp, stcb); 3322 } else { 3323 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3324 /* finish the job now */ 3325 sctp_inpcb_free(inp, 1); 3326 } 3327 } 3328 return (NULL); 3329 } 3330 if ((num_chunks > 1) || 3331 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3332 #ifdef SCTP_DEBUG 3333 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3334 printf("Length is %d rounded chk_length:%d .. dropping\n", 3335 length - *offset, 3336 SCTP_SIZE32(chk_length)); 3337 } 3338 #endif 3339 *offset = length; 3340 if (locked_tcb) { 3341 SCTP_TCB_UNLOCK(locked_tcb); 3342 } 3343 return (NULL); 3344 } 3345 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3346 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3347 /* 3348 * Special case, I must call the output routine 3349 * to get the cookie echoed 3350 */ 3351 if ((stcb) && ret == 0) 3352 sctp_chunk_output(stcb->sctp_ep, stcb, 2); 3353 *offset = length; 3354 #ifdef SCTP_DEBUG 3355 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3356 printf("All done INIT-ACK processing\n"); 3357 } 3358 #endif 3359 if (locked_tcb) { 3360 SCTP_TCB_UNLOCK(locked_tcb); 3361 } 3362 return (NULL); 3363 break; 3364 case SCTP_SELECTIVE_ACK: 3365 #ifdef SCTP_DEBUG 3366 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3367 printf("SCTP_SACK\n"); 3368 } 3369 #endif /* SCTP_DEBUG */ 3370 sctp_pegs[SCTP_PEG_SACKS_SEEN]++; 3371 { 3372 int abort_now = 0; 3373 stcb->asoc.seen_a_sack_this_pkt = 1; 3374 sctp_handle_sack((struct sctp_sack_chunk *)ch, 3375 stcb, *netp, &abort_now); 3376 if (abort_now) { 3377 /* ABORT signal from sack processing */ 3378 *offset = length; 3379 return (NULL); 3380 } 3381 } 3382 break; 3383 case SCTP_HEARTBEAT_REQUEST: 3384 #ifdef SCTP_DEBUG 3385 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3386 printf("SCTP_HEARTBEAT\n"); 3387 } 3388 #endif /* SCTP_DEBUG */ 3389 sctp_pegs[SCTP_HB_RECV]++; 3390 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3391 *netp); 3392 3393 /* He's alive so give him credit */ 3394 stcb->asoc.overall_error_count = 0; 3395 break; 3396 case SCTP_HEARTBEAT_ACK: 3397 #ifdef SCTP_DEBUG 3398 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3399 printf("SCTP_HEARTBEAT-ACK\n"); 3400 } 3401 #endif /* SCTP_DEBUG */ 3402 3403 /* He's alive so give him credit */ 3404 stcb->asoc.overall_error_count = 0; 3405 3406 sctp_pegs[SCTP_HB_ACK_RECV]++; 3407 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3408 stcb, *netp); 3409 break; 3410 case SCTP_ABORT_ASSOCIATION: 3411 #ifdef SCTP_DEBUG 3412 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3413 printf("SCTP_ABORT\n"); 3414 } 3415 #endif /* SCTP_DEBUG */ 3416 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3417 stcb, *netp); 3418 *offset = length; 3419 return (NULL); 3420 break; 3421 case SCTP_SHUTDOWN: 3422 #ifdef SCTP_DEBUG 3423 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3424 printf("SCTP_SHUTDOWN\n"); 3425 } 3426 #endif /* SCTP_DEBUG */ 3427 { 3428 int abort_flag = 0; 3429 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3430 stcb, *netp, &abort_flag); 3431 if (abort_flag) { 3432 *offset = length; 3433 return (NULL); 3434 } 3435 } 3436 break; 3437 case SCTP_SHUTDOWN_ACK: 3438 #ifdef SCTP_DEBUG 3439 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3440 printf("SCTP_SHUTDOWN-ACK\n"); 3441 } 3442 #endif /* SCTP_DEBUG */ 3443 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3444 *offset = length; 3445 return (NULL); 3446 break; 3447 case SCTP_OPERATION_ERROR: 3448 #ifdef SCTP_DEBUG 3449 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3450 printf("SCTP_OP-ERR\n"); 3451 } 3452 #endif /* SCTP_DEBUG */ 3453 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3454 *offset = length; 3455 return (NULL); 3456 } 3457 break; 3458 case SCTP_COOKIE_ECHO: 3459 #ifdef SCTP_DEBUG 3460 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3461 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3462 } 3463 #endif /* SCTP_DEBUG */ 3464 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3465 /* We are not interested anymore */ 3466 *offset = length; 3467 if (stcb) { 3468 sctp_free_assoc(inp, stcb); 3469 } else { 3470 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3471 /* finish the job now */ 3472 sctp_inpcb_free(inp, 1); 3473 } 3474 } 3475 return (NULL); 3476 } 3477 /* 3478 * First are we accepting? 3479 * We do this again here since it is possible 3480 * that a previous endpoint WAS listening responded to 3481 * a INIT-ACK and then closed. We opened and bound.. 3482 * and are now no longer listening. 3483 */ 3484 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 3485 (inp->sctp_socket->so_qlimit == 0)) { 3486 sctp_abort_association(inp, stcb, m, iphlen, sh, 3487 NULL); 3488 *offset = length; 3489 return (NULL); 3490 } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) { 3491 /* we are accepting so check limits like TCP */ 3492 if (inp->sctp_socket->so_qlen > 3493 inp->sctp_socket->so_qlimit) { 3494 /* no space */ 3495 struct mbuf *oper; 3496 struct sctp_paramhdr *phdr; 3497 oper = NULL; 3498 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3499 if (oper) { 3500 oper->m_len = 3501 oper->m_pkthdr.len = 3502 sizeof(struct sctp_paramhdr); 3503 phdr = mtod(oper, 3504 struct sctp_paramhdr *); 3505 phdr->param_type = 3506 htons(SCTP_CAUSE_OUT_OF_RESC); 3507 phdr->param_length = 3508 htons(sizeof(struct sctp_paramhdr)); 3509 } 3510 sctp_abort_association(inp, stcb, m, 3511 iphlen, sh, oper); 3512 *offset = length; 3513 return (NULL); 3514 } 3515 } 3516 { 3517 struct mbuf *ret_buf; 3518 ret_buf = sctp_handle_cookie_echo(m, iphlen, 3519 *offset, sh, 3520 (struct sctp_cookie_echo_chunk *)ch, &inp, 3521 &stcb, netp); 3522 #ifdef SCTP_DEBUG 3523 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3524 printf("ret_buf:%p length:%d off:%d\n", 3525 ret_buf, length, *offset); 3526 } 3527 #endif /* SCTP_DEBUG */ 3528 3529 if (ret_buf == NULL) { 3530 if (locked_tcb) { 3531 SCTP_TCB_UNLOCK(locked_tcb); 3532 } 3533 #ifdef SCTP_DEBUG 3534 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3535 printf("GAK, null buffer\n"); 3536 } 3537 #endif /* SCTP_DEBUG */ 3538 *offset = length; 3539 return (NULL); 3540 } 3541 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 3542 /* 3543 * Restart the timer if we have pending 3544 * data 3545 */ 3546 struct sctp_tmit_chunk *chk; 3547 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 3548 if (chk) { 3549 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 3550 stcb->sctp_ep, stcb, 3551 chk->whoTo); 3552 } 3553 } 3554 } 3555 break; 3556 case SCTP_COOKIE_ACK: 3557 #ifdef SCTP_DEBUG 3558 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3559 printf("SCTP_COOKIE-ACK\n"); 3560 } 3561 #endif /* SCTP_DEBUG */ 3562 3563 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3564 /* We are not interested anymore */ 3565 sctp_free_assoc(inp, stcb); 3566 *offset = length; 3567 return (NULL); 3568 } 3569 /* He's alive so give him credit */ 3570 stcb->asoc.overall_error_count = 0; 3571 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, 3572 stcb, *netp); 3573 break; 3574 case SCTP_ECN_ECHO: 3575 #ifdef SCTP_DEBUG 3576 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3577 printf("SCTP_ECN-ECHO\n"); 3578 } 3579 #endif /* SCTP_DEBUG */ 3580 /* He's alive so give him credit */ 3581 stcb->asoc.overall_error_count = 0; 3582 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 3583 stcb); 3584 break; 3585 case SCTP_ECN_CWR: 3586 #ifdef SCTP_DEBUG 3587 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3588 printf("SCTP_ECN-CWR\n"); 3589 } 3590 #endif /* SCTP_DEBUG */ 3591 /* He's alive so give him credit */ 3592 stcb->asoc.overall_error_count = 0; 3593 3594 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 3595 break; 3596 case SCTP_SHUTDOWN_COMPLETE: 3597 #ifdef SCTP_DEBUG 3598 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3599 printf("SCTP_SHUTDOWN-COMPLETE\n"); 3600 } 3601 #endif /* SCTP_DEBUG */ 3602 /* must be first and only chunk */ 3603 if ((num_chunks > 1) || 3604 (length - *offset > SCTP_SIZE32(chk_length))) { 3605 *offset = length; 3606 if (locked_tcb) { 3607 SCTP_TCB_UNLOCK(locked_tcb); 3608 } 3609 return (NULL); 3610 } 3611 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 3612 stcb, *netp); 3613 *offset = length; 3614 return (NULL); 3615 break; 3616 case SCTP_ASCONF: 3617 #ifdef SCTP_DEBUG 3618 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3619 printf("SCTP_ASCONF\n"); 3620 } 3621 #endif /* SCTP_DEBUG */ 3622 /* He's alive so give him credit */ 3623 stcb->asoc.overall_error_count = 0; 3624 3625 sctp_handle_asconf(m, *offset, 3626 (struct sctp_asconf_chunk *)ch, stcb, *netp); 3627 break; 3628 case SCTP_ASCONF_ACK: 3629 #ifdef SCTP_DEBUG 3630 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3631 printf("SCTP_ASCONF-ACK\n"); 3632 } 3633 #endif /* SCTP_DEBUG */ 3634 /* He's alive so give him credit */ 3635 stcb->asoc.overall_error_count = 0; 3636 3637 sctp_handle_asconf_ack(m, *offset, 3638 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 3639 break; 3640 case SCTP_FORWARD_CUM_TSN: 3641 #ifdef SCTP_DEBUG 3642 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3643 printf("SCTP_FWD-TSN\n"); 3644 } 3645 #endif /* SCTP_DEBUG */ 3646 /* He's alive so give him credit */ 3647 { 3648 int abort_flag = 0; 3649 stcb->asoc.overall_error_count = 0; 3650 *fwd_tsn_seen = 1; 3651 sctp_handle_forward_tsn(stcb, 3652 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 3653 if (abort_flag) { 3654 *offset = length; 3655 return (NULL); 3656 } else { 3657 stcb->asoc.overall_error_count = 0; 3658 } 3659 3660 } 3661 break; 3662 case SCTP_STREAM_RESET: 3663 #ifdef SCTP_DEBUG 3664 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3665 printf("SCTP_STREAM_RESET\n"); 3666 } 3667 #endif /* SCTP_DEBUG */ 3668 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3669 chk_length, chunk_buf); 3670 if (stcb->asoc.peer_supports_strreset == 0) { 3671 /* hmm, peer should have annonced this, but 3672 * we will turn it on since he is sending us 3673 * a stream reset. 3674 */ 3675 stcb->asoc.peer_supports_strreset = 1; 3676 } 3677 sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch); 3678 break; 3679 case SCTP_PACKET_DROPPED: 3680 #ifdef SCTP_DEBUG 3681 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3682 printf("SCTP_PACKET_DROPPED\n"); 3683 } 3684 #endif /* SCTP_DEBUG */ 3685 /* re-get it all please */ 3686 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3687 chk_length, chunk_buf); 3688 3689 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 3690 stcb, *netp); 3691 3692 3693 break; 3694 default: 3695 /* it's an unknown chunk! */ 3696 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 3697 struct mbuf *mm; 3698 struct sctp_paramhdr *phd; 3699 MGETHDR(mm, M_DONTWAIT, MT_HEADER); 3700 if (mm) { 3701 phd = mtod(mm, struct sctp_paramhdr *); 3702 /* We cheat and use param type since we 3703 * did not bother to define a error 3704 * cause struct. 3705 * They are the same basic format with 3706 * different names. 3707 */ 3708 phd->param_type = 3709 htons(SCTP_CAUSE_UNRECOG_CHUNK); 3710 phd->param_length = 3711 htons(chk_length + sizeof(*phd)); 3712 mm->m_len = sizeof(*phd); 3713 mm->m_next = sctp_m_copym(m, *offset, 3714 SCTP_SIZE32(chk_length), 3715 M_DONTWAIT); 3716 if (mm->m_next) { 3717 mm->m_pkthdr.len = 3718 SCTP_SIZE32(chk_length) + 3719 sizeof(*phd); 3720 sctp_queue_op_err(stcb, mm); 3721 } else { 3722 sctp_m_freem(mm); 3723 #ifdef SCTP_DEBUG 3724 if (sctp_debug_on & 3725 SCTP_DEBUG_INPUT1) { 3726 printf("Gak can't copy the chunk into operr %d bytes\n", 3727 chk_length); 3728 } 3729 #endif 3730 } 3731 } 3732 #ifdef SCTP_DEBUG 3733 else { 3734 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3735 printf("Gak can't mgethdr for op-err of unrec chunk\n"); 3736 } 3737 } 3738 #endif 3739 } 3740 if ((ch->chunk_type & 0x80) == 0) { 3741 /* discard this packet */ 3742 *offset = length; 3743 return (stcb); 3744 } /* else skip this bad chunk and continue... */ 3745 break; 3746 } /* switch (ch->chunk_type) */ 3747 /* get the next chunk */ 3748 *offset += SCTP_SIZE32(chk_length); 3749 if (*offset >= length) { 3750 /* no more data left in the mbuf chain */ 3751 break; 3752 } 3753 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3754 sizeof(struct sctp_chunkhdr), chunk_buf); 3755 if (ch == NULL) { 3756 if (locked_tcb) { 3757 SCTP_TCB_UNLOCK(locked_tcb); 3758 } 3759 *offset = length; 3760 return (NULL); 3761 } 3762 } /* while */ 3763 return (stcb); 3764 } 3765 3766 3767 /* 3768 * Process the ECN bits we have something set so 3769 * we must look to see if it is ECN(0) or ECN(1) or CE 3770 */ 3771 static void 3772 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 3773 u_int8_t ecn_bits) 3774 { 3775 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3776 ; 3777 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 3778 /* 3779 * we only add to the nonce sum for ECT1, ECT0 3780 * does not change the NS bit (that we have 3781 * yet to find a way to send it yet). 3782 */ 3783 3784 /* ECN Nonce stuff */ 3785 stcb->asoc.receiver_nonce_sum++; 3786 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 3787 3788 /* 3789 * Drag up the last_echo point if cumack is larger since we 3790 * don't want the point falling way behind by more than 2^^31 3791 * and then having it be incorrect. 3792 */ 3793 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3794 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3795 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3796 } 3797 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 3798 /* 3799 * Drag up the last_echo point if cumack is larger since we 3800 * don't want the point falling way behind by more than 2^^31 3801 * and then having it be incorrect. 3802 */ 3803 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3804 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3805 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3806 } 3807 } 3808 } 3809 3810 static void 3811 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 3812 u_int32_t high_tsn, u_int8_t ecn_bits) 3813 { 3814 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3815 /* 3816 * we possibly must notify the sender that a congestion 3817 * window reduction is in order. We do this 3818 * by adding a ECNE chunk to the output chunk 3819 * queue. The incoming CWR will remove this chunk. 3820 */ 3821 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 3822 MAX_TSN)) { 3823 /* Yep, we need to add a ECNE */ 3824 sctp_send_ecn_echo(stcb, net, high_tsn); 3825 stcb->asoc.last_echo_tsn = high_tsn; 3826 } 3827 } 3828 } 3829 3830 /* 3831 * common input chunk processing (v4 and v6) 3832 */ 3833 int 3834 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 3835 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 3836 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 3837 u_int8_t ecn_bits) 3838 { 3839 /* 3840 * Control chunk processing 3841 */ 3842 u_int32_t high_tsn; 3843 int fwd_tsn_seen = 0, data_processed = 0; 3844 struct mbuf *m = *mm; 3845 int abort_flag = 0; 3846 3847 sctp_pegs[SCTP_DATAGRAMS_RCVD]++; 3848 #ifdef SCTP_AUDITING_ENABLED 3849 sctp_audit_log(0xE0, 1); 3850 sctp_auditing(0, inp, stcb, net); 3851 #endif 3852 3853 #ifdef SCTP_DEBUG 3854 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3855 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d\n", 3856 m, iphlen, offset, length); 3857 } 3858 #endif /* SCTP_DEBUG */ 3859 if (IS_SCTP_CONTROL(ch)) { 3860 /* process the control portion of the SCTP packet */ 3861 #ifdef SCTP_DEBUG 3862 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3863 printf("Processing control\n"); 3864 } 3865 #endif /* SCTP_DEBUG */ 3866 3867 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 3868 inp, stcb, &net, &fwd_tsn_seen); 3869 } else { 3870 /* 3871 * no control chunks, so pre-process DATA chunks 3872 * (these checks are taken care of by control processing) 3873 */ 3874 #ifdef SCTP_DEBUG 3875 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3876 printf("No control present\n"); 3877 } 3878 #endif /* SCTP_DEBUG */ 3879 3880 if (stcb == NULL) { 3881 /* out of the blue DATA chunk */ 3882 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3883 return (1); 3884 } 3885 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 3886 /* v_tag mismatch! */ 3887 sctp_pegs[SCTP_BAD_VTAGS]++; 3888 SCTP_TCB_UNLOCK(stcb); 3889 return (1); 3890 } 3891 } 3892 if (stcb == NULL) { 3893 /* 3894 * no valid TCB for this packet, 3895 * or we found it's a bad packet while processing control, 3896 * or we're done with this packet (done or skip rest of data), 3897 * so we drop it... 3898 */ 3899 return (1); 3900 } 3901 #ifdef SCTP_DEBUG 3902 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3903 printf("Ok, control finished time to look for data (%d) offset:%d\n", 3904 length, offset); 3905 } 3906 #endif /* SCTP_DEBUG */ 3907 /* 3908 * DATA chunk processing 3909 */ 3910 /* plow through the data chunks while length > offset */ 3911 stcb->asoc.seen_a_sack_this_pkt = 0; 3912 3913 if (length > offset) { 3914 int retval; 3915 /* 3916 * First check to make sure our state is correct. 3917 * We would not get here unless we really did have a 3918 * tag, so we don't abort if this happens, just 3919 * dump the chunk silently. 3920 */ 3921 switch (SCTP_GET_STATE(&stcb->asoc)) { 3922 case SCTP_STATE_COOKIE_ECHOED: 3923 /* 3924 * we consider data with valid tags in 3925 * this state shows us the cookie-ack was lost. 3926 * Imply it was there. 3927 */ 3928 stcb->asoc.overall_error_count = 0; 3929 sctp_handle_cookie_ack( 3930 (struct sctp_cookie_ack_chunk *)ch, stcb, net); 3931 break; 3932 case SCTP_STATE_COOKIE_WAIT: 3933 /* 3934 * We consider OOTB any data sent during asoc setup. 3935 */ 3936 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3937 SCTP_TCB_UNLOCK(stcb); 3938 return (1); 3939 break; 3940 case SCTP_STATE_EMPTY: /* should not happen */ 3941 case SCTP_STATE_INUSE: /* should not happen */ 3942 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 3943 case SCTP_STATE_SHUTDOWN_ACK_SENT: 3944 default: 3945 #ifdef SCTP_DEBUG 3946 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3947 printf("Got data in invalid state %d.. dropping\n", stcb->asoc.state); 3948 } 3949 #endif 3950 SCTP_TCB_UNLOCK(stcb); 3951 return (1); 3952 break; 3953 case SCTP_STATE_OPEN: 3954 case SCTP_STATE_SHUTDOWN_SENT: 3955 break; 3956 } 3957 /* take care of ECN, part 1. */ 3958 if (stcb->asoc.ecn_allowed && 3959 (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3960 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 3961 } 3962 /* plow through the data chunks while length > offset */ 3963 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 3964 inp, stcb, net, &high_tsn); 3965 if (retval == 2) { 3966 /* The association aborted, NO UNLOCK needed 3967 * since the association is destroyed. 3968 */ 3969 return (0); 3970 } 3971 3972 data_processed = 1; 3973 if (retval == 0) { 3974 /* take care of ecn part 2. */ 3975 if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3976 sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits); 3977 3978 } 3979 } 3980 3981 /* 3982 * Anything important needs to have been m_copy'ed in 3983 * process_data 3984 */ 3985 } 3986 if ((data_processed == 0) && (fwd_tsn_seen)) { 3987 int was_a_gap = 0; 3988 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 3989 stcb->asoc.cumulative_tsn, MAX_TSN)) { 3990 /* there was a gap before this data was processed */ 3991 was_a_gap = 1; 3992 } 3993 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 3994 if (abort_flag) { 3995 /* Again, we aborted so NO UNLOCK needed */ 3996 return (0); 3997 } 3998 } 3999 /* trigger send of any chunks in queue... */ 4000 #ifdef SCTP_AUDITING_ENABLED 4001 sctp_audit_log(0xE0, 2); 4002 sctp_auditing(1, inp, stcb, net); 4003 #endif 4004 #ifdef SCTP_DEBUG 4005 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4006 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4007 stcb->asoc.peers_rwnd, 4008 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4009 stcb->asoc.total_flight); 4010 } 4011 #endif 4012 if (stcb->asoc.peers_rwnd > 0 || 4013 !TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4014 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) { 4015 #ifdef SCTP_DEBUG 4016 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4017 printf("Calling chunk OUTPUT\n"); 4018 } 4019 #endif 4020 sctp_chunk_output(inp, stcb, 3); 4021 #ifdef SCTP_DEBUG 4022 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4023 printf("chunk OUTPUT returns\n"); 4024 } 4025 #endif 4026 } 4027 4028 #ifdef SCTP_AUDITING_ENABLED 4029 sctp_audit_log(0xE0, 3); 4030 sctp_auditing(2, inp, stcb, net); 4031 #endif 4032 SCTP_TCB_UNLOCK(stcb); 4033 return (0); 4034 } 4035 4036 #if defined(__OpenBSD__) 4037 static void 4038 sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip, 4039 struct mbuf *m) 4040 { 4041 if (inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) { 4042 *mp = sbcreatecontrol((vaddr_t) &ip->ip_dst, 4043 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP); 4044 if (*mp) 4045 mp = &(*mp)->m_next; 4046 } 4047 } 4048 #endif 4049 4050 extern int sctp_no_csum_on_loopback; 4051 4052 void 4053 sctp_input(struct mbuf *m, int off, int proto) 4054 { 4055 int iphlen; 4056 u_int8_t ecn_bits; 4057 struct ip *ip; 4058 struct sctphdr *sh; 4059 struct sctp_inpcb *inp = NULL; 4060 struct mbuf *opts = 0; 4061 /*#ifdef INET6*/ 4062 /* Don't think this is needed */ 4063 /* struct ip6_recvpktopts opts6;*/ 4064 /*#endif INET6 */ 4065 4066 u_int32_t check, calc_check; 4067 struct sctp_nets *net; 4068 struct sctp_tcb *stcb = NULL; 4069 struct sctp_chunkhdr *ch; 4070 int refcount_up = 0; 4071 int length, mlen, offset; 4072 4073 iphlen = off; 4074 4075 net = NULL; 4076 sctp_pegs[SCTP_INPKTS]++; 4077 #ifdef SCTP_DEBUG 4078 /*if (sctp_debug_on & SCTP_DEBUG_INPUT1) {*/ 4079 printf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len); 4080 /*}*/ 4081 #endif 4082 /*#ifdef INET6*/ 4083 /* Don't think this is needed */ 4084 /* bzero(&opts6, sizeof(opts6));*/ 4085 /*#endif INET6 */ 4086 4087 /* 4088 * Strip IP options, we don't allow any in or out. 4089 */ 4090 if ((size_t)iphlen > sizeof(struct ip)) { 4091 printf("sctp_input: got options\n"); 4092 #if 0 /* XXX */ 4093 ip_stripoptions(m, (struct mbuf *)0); 4094 #endif 4095 iphlen = sizeof(struct ip); 4096 } 4097 4098 /* 4099 * Get IP, SCTP, and first chunk header together in first mbuf. 4100 */ 4101 ip = mtod(m, struct ip *); 4102 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4103 if (m->m_len < offset) { 4104 if ((m = m_pullup(m, offset)) == 0) { 4105 sctp_pegs[SCTP_HDR_DROPS]++; 4106 return; 4107 } 4108 ip = mtod(m, struct ip *); 4109 } 4110 sh = (struct sctphdr *)((vaddr_t)ip + iphlen); 4111 ch = (struct sctp_chunkhdr *)((vaddr_t)sh + sizeof(*sh)); 4112 4113 /* SCTP does not allow broadcasts or multicasts */ 4114 if (IN_MULTICAST(ip->ip_dst.s_addr)) 4115 { 4116 sctp_pegs[SCTP_IN_MCAST]++; 4117 goto bad; 4118 } 4119 if (in_broadcast(ip->ip_dst, m_get_rcvif_NOMPSAFE(m))) { 4120 sctp_pegs[SCTP_IN_MCAST]++; 4121 goto bad; 4122 } 4123 4124 /* destination port of 0 is illegal, based on RFC2960. */ 4125 if (sh->dest_port == 0) { 4126 sctp_pegs[SCTP_HDR_DROPS]++; 4127 goto bad; 4128 } 4129 4130 /* validate SCTP checksum */ 4131 if ((sctp_no_csum_on_loopback == 0) || 4132 (m_get_rcvif_NOMPSAFE(m) == NULL) || 4133 (m_get_rcvif_NOMPSAFE(m)->if_type != IFT_LOOP)) { 4134 /* we do NOT validate things from the loopback if the 4135 * sysctl is set to 1. 4136 */ 4137 check = sh->checksum; /* save incoming checksum */ 4138 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4139 /* special hook for where we got a local address 4140 * somehow routed across a non IFT_LOOP type interface 4141 */ 4142 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4143 goto sctp_skip_csum_4; 4144 } 4145 sh->checksum = 0; /* prepare for calc */ 4146 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4147 if (calc_check != check) { 4148 #ifdef SCTP_DEBUG 4149 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4150 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4151 calc_check, check, m, mlen, iphlen); 4152 } 4153 #endif 4154 4155 stcb = sctp_findassociation_addr(m, iphlen, 4156 offset - sizeof(*ch), 4157 sh, ch, &inp, &net); 4158 if ((inp) && (stcb)) { 4159 sctp_send_packet_dropped(stcb, net, m, iphlen, 4160 1); 4161 sctp_chunk_output(inp, stcb, 2); 4162 } else if ((inp != NULL) && (stcb == NULL)) { 4163 refcount_up = 1; 4164 } 4165 sctp_pegs[SCTP_BAD_CSUM]++; 4166 goto bad; 4167 } 4168 sh->checksum = calc_check; 4169 } else { 4170 sctp_skip_csum_4: 4171 mlen = m->m_pkthdr.len; 4172 } 4173 /* validate mbuf chain length with IP payload length */ 4174 #if defined(__NetBSD__) || defined(__OpenBSD__) 4175 /* Open BSD gives us the len in network order, fix it */ 4176 NTOHS(ip->ip_len); 4177 #endif 4178 if (mlen < (ip->ip_len - iphlen)) { 4179 sctp_pegs[SCTP_HDR_DROPS]++; 4180 goto bad; 4181 } 4182 4183 /* 4184 * Locate pcb and tcb for datagram 4185 * sctp_findassociation_addr() wants IP/SCTP/first chunk header... 4186 */ 4187 #ifdef SCTP_DEBUG 4188 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4189 printf("V4 find association\n"); 4190 } 4191 #endif 4192 4193 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4194 sh, ch, &inp, &net); 4195 /* inp's ref-count increased && stcb locked */ 4196 if (inp == NULL) { 4197 struct sctp_init_chunk *init_chk, chunk_buf; 4198 4199 sctp_pegs[SCTP_NOPORTS]++; 4200 #ifdef ICMP_BANDLIM 4201 /* 4202 * we use the bandwidth limiting to protect against 4203 * sending too many ABORTS all at once. In this case 4204 * these count the same as an ICMP message. 4205 */ 4206 if (badport_bandlim(0) < 0) 4207 goto bad; 4208 #endif /* ICMP_BANDLIM */ 4209 #ifdef SCTP_DEBUG 4210 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4211 printf("Sending a ABORT from packet entry!\n"); 4212 } 4213 #endif 4214 if (ch->chunk_type == SCTP_INITIATION) { 4215 /* we do a trick here to get the INIT tag, 4216 * dig in and get the tag from the INIT and 4217 * put it in the common header. 4218 */ 4219 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4220 iphlen + sizeof(*sh), sizeof(*init_chk), 4221 (u_int8_t *)&chunk_buf); 4222 if (init_chk != NULL) 4223 sh->v_tag = init_chk->init.initiate_tag; 4224 } 4225 sctp_send_abort(m, iphlen, sh, 0, NULL); 4226 goto bad; 4227 } else if (stcb == NULL) { 4228 refcount_up = 1; 4229 } 4230 #ifdef IPSEC 4231 /* 4232 * I very much doubt any of the IPSEC stuff will work but I have 4233 * no idea, so I will leave it in place. 4234 */ 4235 if (ipsec_used && ipsec_in_reject(m, (struct inpcb *)inp)) { 4236 #if 0 4237 ipsecstat.in_polvio++; 4238 #endif 4239 sctp_pegs[SCTP_HDR_DROPS]++; 4240 goto bad; 4241 } 4242 #endif /* IPSEC */ 4243 4244 /* 4245 * Construct sockaddr format source address. 4246 * Stuff source address and datagram in user buffer. 4247 */ 4248 if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS) 4249 || (inp->sctp_socket->so_options & SO_TIMESTAMP) 4250 ) { 4251 ip_savecontrol((struct inpcb *)inp, &opts, ip, m); 4252 } 4253 4254 /* 4255 * common chunk processing 4256 */ 4257 length = ip->ip_len - (ip->ip_hl << 2) + iphlen; 4258 offset -= sizeof(struct sctp_chunkhdr); 4259 4260 ecn_bits = ip->ip_tos; 4261 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4262 inp, stcb, net, ecn_bits); 4263 /* inp's ref-count reduced && stcb unlocked */ 4264 if (m) { 4265 sctp_m_freem(m); 4266 } 4267 if (opts) 4268 sctp_m_freem(opts); 4269 4270 if ((inp) && (refcount_up)) { 4271 /* reduce ref-count */ 4272 SCTP_INP_WLOCK(inp); 4273 SCTP_INP_DECR_REF(inp); 4274 SCTP_INP_WUNLOCK(inp); 4275 } 4276 4277 return; 4278 bad: 4279 if (stcb) { 4280 SCTP_TCB_UNLOCK(stcb); 4281 } 4282 4283 if ((inp) && (refcount_up)) { 4284 /* reduce ref-count */ 4285 SCTP_INP_WLOCK(inp); 4286 SCTP_INP_DECR_REF(inp); 4287 SCTP_INP_WUNLOCK(inp); 4288 } 4289 4290 if (m) { 4291 sctp_m_freem(m); 4292 } 4293 if (opts) 4294 sctp_m_freem(opts); 4295 return; 4296 } 4297
Indexes created Fri Sep 26 08:10:20 GMT 2025