1 /*        $KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $          */
2 /*        $NetBSD: sctp_input.c,v 1.18 2024/07/05 04:31:54 rin Exp $  */
3 
4 /*
5  * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc,
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the project nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.18 2024/07/05 04:31:54 rin Exp $");
35 
36 #ifdef _KERNEL_OPT
37 #include "opt_ipsec.h"
38 #include "opt_inet.h"
39 #include "opt_sctp.h"
40 #endif /* _KERNEL_OPT */
41 
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
45 #include <sys/mbuf.h>
46 #include <sys/socket.h>
47 #include <sys/socketvar.h>
48 #include <sys/sysctl.h>
49 #include <sys/domain.h>
50 #include <sys/protosw.h>
51 #include <sys/kernel.h>
52 #include <sys/errno.h>
53 #include <sys/syslog.h>
54 
55 #include <machine/limits.h>
56 #include <machine/cpu.h>
57 
58 #include <net/if.h>
59 #include <net/route.h>
60 #include <net/if_types.h>
61 
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/in_pcb.h>
66 #include <netinet/in_var.h>
67 #include <netinet/ip_var.h>
68 
69 #ifdef INET6
70 #include <netinet/ip6.h>
71 #include <netinet6/ip6_var.h>
72 #endif /* INET6 */
73 
74 #include <netinet/ip_icmp.h>
75 #include <netinet/icmp_var.h>
76 #include <netinet/sctp_var.h>
77 #include <netinet/sctp_pcb.h>
78 #include <netinet/sctp_header.h>
79 #include <netinet/sctputil.h>
80 #include <netinet/sctp_output.h>
81 #include <netinet/sctp_input.h>
82 #include <netinet/sctp_hashdriver.h>
83 #include <netinet/sctp_indata.h>
84 #include <netinet/sctp_asconf.h>
85 
86 #ifdef IPSEC
87 #include <netipsec/ipsec.h>
88 #include <netipsec/key.h>
89 #endif /*IPSEC*/
90 
91 #ifdef SCTP_DEBUG
92 extern u_int32_t sctp_debug_on;
93 #endif
94 
/*
 * INIT handler: sanity-check a peer's INIT chunk and answer it with an
 * INIT-ACK (carrying a state cookie), or abort the exchange.
 *
 * m/iphlen/offset/sh describe the packet the INIT arrived in and are
 * passed through to the abort and INIT-ACK senders.  cp is the INIT
 * chunk, inp the endpoint it was delivered to, stcb whatever association
 * the caller matched (only logged and passed through here).  net is not
 * used by this function.
 */
static void
sctp_handle_init(struct mbuf *m, int iphlen, int offset,
    struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	struct sctp_init *init = &cp->init;
	int bad_param;

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_init: handling INIT tcb:%p\n", stcb);
	}
#endif
	/*
	 * Endpoint not accepting (or a zero accept backlog): abort with
	 * no error cause attached.
	 */
	if ((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0 ||
	    inp->sctp_socket->so_qlimit == 0) {
		sctp_abort_association(inp, stcb, m, iphlen, sh, NULL);
		return;
	}
	/*
	 * Protocol-level checks, all reported with the same "invalid
	 * mandatory parameter" cause.  The chunk-length test is first and
	 * short-circuits the rest, so the fixed INIT fields are only read
	 * once the chunk is known to be large enough to contain them.
	 */
	bad_param =
	    ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk) ||
	    init->initiate_tag == 0 ||
	    ntohl(init->a_rwnd) < SCTP_MIN_RWND ||
	    init->num_inbound_streams == 0 ||
	    init->num_outbound_streams == 0;
	if (bad_param) {
		struct mbuf *op_err;

		op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
		sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
		return;
	}

	/* Everything checks out: send an INIT-ACK with a cookie. */
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
		printf("sctp_handle_init: sending INIT-ACK\n");
	}
#endif
	sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp);
}
157 
/*
 * Process the fixed part (cp->init) of a peer's INIT or INIT-ACK chunk.
 *
 * Records the peer's verification tag and receive window in stcb->asoc,
 * trims our outbound stream count to what the peer accepts (failing back
 * to the ULP any data already queued on the streams being dropped),
 * derives the inbound stream count (capped at MAX_SCTP_STREAMS), seeds
 * the TSN bookkeeping from initial_tsn and (re)allocates the inbound
 * stream table.  Addresses carried in the chunk are not handled here.
 *
 * Returns 0 on success, -1 when the inbound stream table could not be
 * allocated (asoc->strmin is NULL in that case).  net is unused.
 */
static int
sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
    struct sctp_nets *net)
{
	struct sctp_init *init = &cp->init;
	struct sctp_association *asoc = &stcb->asoc;
	struct sctp_nets *dest;
	unsigned int peer_in_streams;
	unsigned int idx;

	/* Peer's tag and advertised window. */
	asoc->peer_vtag = ntohl(init->initiate_tag);
	asoc->peers_rwnd = ntohl(init->a_rwnd);

	/* Every known destination gets the peer's rwnd as its ssthresh. */
	TAILQ_FOREACH(dest, &asoc->nets, sctp_next) {
		dest->ssthresh = asoc->peers_rwnd;
	}

	peer_in_streams = ntohs(init->num_inbound_streams);
	if (asoc->pre_open_streams > peer_in_streams) {
		/*
		 * The peer accepts fewer inbound streams than we opened.
		 * Before the count shrinks, every chunk still queued on a
		 * stream that is going away is reported to the ULP as
		 * unsent and released.
		 */
		if (asoc->strmout) {
			for (idx = peer_in_streams; idx < asoc->pre_open_streams; idx++) {
				struct sctp_stream_out *outs = &asoc->strmout[idx];
				struct sctp_tmit_chunk *chk;

				while ((chk = TAILQ_FIRST(&outs->outqueue)) != NULL) {
					TAILQ_REMOVE(&outs->outqueue, chk, sctp_next);
					asoc->stream_queue_cnt--;
					sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, stcb,
					    SCTP_NOTIFY_DATAGRAM_UNSENT, chk);
					sctp_m_freem(chk->data);
					chk->data = NULL;
					sctp_free_remote_addr(chk->whoTo);
					chk->whoTo = NULL;
					chk->asoc = NULL;
					/* Return the chunk to its zone. */
					SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
					sctppcbinfo.ipi_count_chunk--;
					if ((int)sctppcbinfo.ipi_count_chunk < 0) {
						panic("Chunk count is negative");
					}
					sctppcbinfo.ipi_gencnt_chunk++;
				}
			}
		}
		/* Abandon the upper streams. */
		asoc->pre_open_streams = peer_in_streams;
	}

	/* Inbound streams are what the peer will send on, capped locally. */
	asoc->streamincnt = ntohs(init->num_outbound_streams);
	if (asoc->streamincnt > MAX_SCTP_STREAMS) {
		asoc->streamincnt = MAX_SCTP_STREAMS;
	}
	asoc->streamoutcnt = asoc->pre_open_streams;

	/* TSN bookkeeping: everything starts one before initial_tsn. */
	asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
	asoc->highest_tsn_inside_map = asoc->asconf_seq_in;
#ifdef SCTP_MAP_LOGGING
	sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
#endif
	/* The next stream-reset sequence we expect. */
	asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
	asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
	asoc->cumulative_tsn = asoc->asconf_seq_in;
	asoc->last_echo_tsn = asoc->asconf_seq_in;
	asoc->advanced_peer_ack_point = asoc->last_acked_seq;

	/*
	 * Replace the inbound stream table.  streamincnt is bounded by
	 * MAX_SCTP_STREAMS above, so the size computation cannot overflow.
	 * NOTE(review): a zero streamincnt would request a zero-sized
	 * allocation here; sctp_handle_init() rejects an INIT with zero
	 * streams, confirm the INIT-ACK path does the same.
	 */
	if (asoc->strmin != NULL) {
		free(asoc->strmin, M_PCB);
	}
	asoc->strmin = malloc(asoc->streamincnt * sizeof(struct sctp_stream_in),
	    M_PCB, M_NOWAIT);
	if (asoc->strmin == NULL) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("process_init: couldn't get memory for the streams!\n");
		}
#endif
		return (-1);
	}
	for (idx = 0; idx < asoc->streamincnt; idx++) {
		struct sctp_stream_in *strm = &asoc->strmin[idx];

		strm->stream_no = idx;
		strm->last_sequence_delivered = 0xffff;
		/*
		 * U-stream ranges are set when the cookie is unpacked, or,
		 * for the INIT sender, when the INIT-ACK arrives (unset if
		 * PR-SCTP is not supported).
		 */
		TAILQ_INIT(&strm->inqueue);
		/*
		 * Not on any wheel yet; PR-SCTP streams join the wheel once
		 * they hold data waiting for reorder.
		 */
		strm->next_spoke.tqe_next = 0;
		strm->next_spoke.tqe_prev = 0;
	}

	/*
	 * Addresses are loaded by load_address_from_init when the COOKIE or
	 * the INIT-ACK is processed (both the existing and the new COOKIE
	 * paths call it).  It also drops addresses no longer in the
	 * association for the restart case; an INIT that is a restart with
	 * new addresses added is discarded up front.
	 */
	return (0);
}
288 
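/*
 * INIT-ACK message processing/consumption.
 *
 * Checks the INIT-ACK for unrecognized or illegal parameters, applies
 * the peer's fixed INIT parameters through sctp_process_init(), loads
 * the addresses carried in the chunk, queues any non-fatal operational
 * error report, sends the COOKIE-ECHO, stops the INIT timer and seeds
 * net's RTO from the INIT round trip.
 *
 * Returns 0 on success and a value < 0 on error.  In the abort_flag and
 * address-load cases the association is torn down here; when
 * sctp_process_init() or sctp_send_cookie_echo() fails the negative
 * value is handed back and the association is left to the caller (the
 * -3 "no cookie" case additionally sends an ABORT).
 */
static int
sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
    struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
    struct sctp_nets *net)
{
	struct sctp_association *asoc;
	struct mbuf *op_err;
	int retval, abort_flag;
	uint32_t initack_limit;

	/*
	 * First verify that we have no illegal param's.  A non-NULL op_err
	 * is an mbuf chain this function owns until it is handed to
	 * sctp_send_operr_to() or sctp_queue_op_err(); every other exit
	 * must free it or the chain leaks.
	 */
	abort_flag = 0;
	op_err = sctp_arethere_unrecognized_parameters(m,
	    (offset+sizeof(struct sctp_init_chunk)) ,
	    &abort_flag, (struct sctp_chunkhdr *)cp);
	if (abort_flag) {
		/* Send an abort and notify peer */
		if (op_err != NULL) {
			sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag);
		} else {
			/*
			 * Just notify (abort_assoc does this if
			 * we send an abort).
			 */
			sctp_abort_notification(stcb, 0);
			/*
			 * No sense in further INIT's since
			 * we will get the same param back
			 */
			sctp_free_assoc(stcb->sctp_ep, stcb);
		}
		return (-1);
	}
	asoc = &stcb->asoc;
	/* process the peer's parameters in the INIT-ACK */
	retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
	if (retval < 0) {
		/* Nothing downstream will consume the pending error report. */
		if (op_err != NULL) {
			sctp_m_freem(op_err);
		}
		return (retval);
	}

	initack_limit = offset + ntohs(cp->ch.chunk_length);
	/* load all addresses */
	if (sctp_load_addresses_from_init(stcb, m, iphlen,
	    (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
	    NULL)) {
		/* Huh, we should abort */
		if (op_err != NULL) {
			sctp_m_freem(op_err);
		}
		sctp_abort_notification(stcb, 0);
		sctp_free_assoc(stcb->sctp_ep, stcb);
		return (-1);
	}
	if (op_err) {
		sctp_queue_op_err(stcb, op_err);
		/* queuing will steal away the mbuf chain to the out queue */
		op_err = NULL;
	}
	/* extract the cookie and queue it to "echo" it back... */
	stcb->asoc.overall_error_count = 0;
	net->error_count = 0;
	retval = sctp_send_cookie_echo(m, offset, stcb, net);
	if (retval < 0) {
		/*
		 * No cookie, we probably should send a op error.
		 * But in any case if there is no cookie in the INIT-ACK,
		 * we can abandon the peer, its broke.
		 */
		if (retval == -3) {
			/* We abort with an error of missing mandatory param */
			op_err =
			    sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM);
			if (op_err) {
				/*
				 * Expand beyond to include the mandatory
				 * param cookie
				 */
				struct sctp_inv_mandatory_param *mp;
				op_err->m_len =
				    sizeof(struct sctp_inv_mandatory_param);
				mp = mtod(op_err,
				    struct sctp_inv_mandatory_param *);
				/* Subtract the reserved param */
				mp->length =
				    htons(sizeof(struct sctp_inv_mandatory_param) - 2);
				mp->num_param = htonl(1);
				mp->param = htons(SCTP_STATE_COOKIE);
				mp->resv = 0;
			}
			/* sctp_abort_association() takes ownership of op_err. */
			sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
			    sh, op_err);
		}
		return (retval);
	}

	/*
	 * Cancel the INIT timer, We do this first before queueing
	 * the cookie. We always cancel at the primary to assume that
	 * we are cancelling the timer started by the INIT which always
	 * goes to the primary.
	 */
	sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
	    asoc->primary_destination);

	/* calculate the RTO */
	net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered);

	return (0);
}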
400 
/*
 * HEARTBEAT-ACK handler.
 *
 * Rebuilds the destination address echoed in the chunk, looks it up in
 * the association and, if found, clears the destination's error count,
 * marks it as having responded, confirms it when the echoed nonces match
 * the ones we sent, brings it back to REACHABLE if it was marked
 * unreachable, and recomputes its RTO from the echoed send time.
 * Chunks of the wrong length, with an unsupported address family or for
 * an unknown destination are dropped silently (logged under SCTP_DEBUG).
 * net is unused.
 */
static void
sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	struct sockaddr_storage addr;
	struct sockaddr_in *a4 = (struct sockaddr_in *)&addr;
	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&addr;
	struct sctp_nets *dst;
	struct timeval sent_at;

	/* Only the fixed-size heartbeat layout is accepted. */
	if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
		return;
	}

	memset(&addr, 0, sizeof(addr));
	/*
	 * The family and length from the wire are accepted only as the
	 * exact pair we know; the address bytes are copied at the fixed
	 * size of the matching sockaddr, never at the peer-supplied length.
	 */
	if (cp->heartbeat.hb_info.addr_family == AF_INET &&
	    cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
		a4->sin_family = cp->heartbeat.hb_info.addr_family;
		a4->sin_len = cp->heartbeat.hb_info.addr_len;
		a4->sin_port = stcb->rport;
		memcpy(&a4->sin_addr, cp->heartbeat.hb_info.address,
		    sizeof(a4->sin_addr));
	} else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
	    cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
		a6->sin6_family = cp->heartbeat.hb_info.addr_family;
		a6->sin6_len = cp->heartbeat.hb_info.addr_len;
		a6->sin6_port = stcb->rport;
		memcpy(&a6->sin6_addr, cp->heartbeat.hb_info.address,
		    sizeof(a6->sin6_addr));
	} else {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("unsupported address family");
		}
#endif
		return;
	}

	dst = sctp_findnet(stcb, (struct sockaddr *)a4);
	if (dst == NULL) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("Huh? I can't find the address I sent it to, discard\n");
		}
#endif
		return;
	}
	/*
	 * An unconfirmed destination is confirmed only when both echoed
	 * random values match what we placed in the HEARTBEAT.
	 */
	if ((dst->dest_state & SCTP_ADDR_UNCONFIRMED) &&
	    dst->heartbeat_random1 == cp->heartbeat.hb_info.random_value1 &&
	    dst->heartbeat_random2 == cp->heartbeat.hb_info.random_value2) {
		dst->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
		sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
		    stcb, 0, (void *)dst);
	}
	dst->error_count = 0;
	dst->hb_responded = 1;
	/* The send time we put in the HEARTBEAT, echoed back by the peer. */
	sent_at.tv_sec = cp->heartbeat.hb_info.time_value_1;
	sent_at.tv_usec = cp->heartbeat.hb_info.time_value_2;
	if (dst->dest_state & SCTP_ADDR_NOT_REACHABLE) {
		/*
		 * NOTE(review): this assignment replaces dest_state wholesale,
		 * so the SCTP_ADDR_WAS_PRIMARY test just below can only be
		 * true if SCTP_ADDR_REACHABLE carries that bit; confirm
		 * against the flag definitions.
		 */
		dst->dest_state = SCTP_ADDR_REACHABLE;
		sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
		    SCTP_HEARTBEAT_SUCCESS, (void *)dst);

		/* Was it the primary?  If so, restore it. */
		if (dst->dest_state & SCTP_ADDR_WAS_PRIMARY) {
			sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, dst);
		}
	}
	/* Fold this round trip into the destination's RTO. */
	dst->RTO = sctp_calculate_rto(stcb, &stcb->asoc, dst, &sent_at);
}
479 
/*
 * ABORT handler: stop the receive timer on net, notify the ULP and free
 * the association.  cp itself is not inspected.  Nothing is done when
 * stcb is NULL.
 *
 * The original comments list two checks this function does not perform:
 * verifying that the destination address is in the association, and
 * ignoring aborts for addresses being deleted.
 * NOTE(review): verification-tag checking of the ABORT is not done here
 * either; confirm it happens in the caller before this is reached.
 */
static void
sctp_handle_abort(struct sctp_abort_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_abort: handling ABORT\n");
	}
#endif
	if (stcb == NULL) {
		return;
	}

	/* Receive timers first, then the ULP, then the TCB itself. */
	sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net);
	sctp_abort_notification(stcb, 0);
	sctp_free_assoc(stcb->sctp_ep, stcb);

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_abort: finished\n");
	}
#endif
}
507 
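/*
 * SHUTDOWN handler.
 *
 * Hands the chunk's acknowledgement to sctp_update_acked(), moves the
 * association to SHUTDOWN-RECEIVED (telling the ULP and, for TCP-style
 * sockets, marking the socket as unable to send more) and, once no
 * outbound data remains queued anywhere, answers with SHUTDOWN-ACK and
 * moves to SHUTDOWN-ACK-SENT.  Nothing is done for a NULL stcb, for an
 * association still in COOKIE-WAIT/COOKIE-ECHOED, or for a chunk whose
 * length is not exactly sizeof(struct sctp_shutdown_chunk).
 *
 * abort_flag is the out-parameter passed to sctp_update_acked().  When
 * it comes back set, the ack processing may already have aborted and
 * freed the association, so this function returns without touching
 * stcb again.
 */
static void
sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
{
	struct sctp_association *asoc;
	struct sctp_stream_out *outs;
	int some_on_streamwheel;

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_shutdown: handling SHUTDOWN\n");
	}
#endif
	if (stcb == NULL) {
		return;
	}

	/* A SHUTDOWN before the association is up is ignored. */
	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) ||
	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
		return;
	}

	if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n",
			    ntohs(cp->ch.chunk_length),
			    (int)sizeof(struct sctp_shutdown_chunk));
		}
#endif
		return;
	}
	/* update current data status */
	sctp_update_acked(stcb, cp, net, abort_flag);
	if (*abort_flag) {
		/*
		 * The ack processing raised the abort flag; the association
		 * may have been torn down, so stcb must not be used further.
		 */
		return;
	}
	asoc = &stcb->asoc;
	/* goto SHUTDOWN_RECEIVED state to block new requests */
	if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
	    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
		asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED;
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("Moving to SHUTDOWN-RECEIVED state\n");
		}
#endif
		/* notify upper layer that peer has initiated a shutdown */
		sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL);

		if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
		    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
			/*
			 * Set the flag so we cannot send more; we would call
			 * the function but we don't want to wake up the ulp
			 * necessarily.
			 */
#if defined(__FreeBSD__) && __FreeBSD_version >= 502115
			stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE;
#else
			stcb->sctp_ep->sctp_socket->so_state |= SS_CANTSENDMORE;
#endif
		}
		/* reset time */
		SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
	}
	if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
		/*
		 * stop the shutdown timer, since we WILL move
		 * to SHUTDOWN-ACK-SENT.
		 */
		sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
	}
	/* Now are we there yet?  Any stream still holding data blocks the ack. */
	some_on_streamwheel = 0;
	TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) {
		if (!TAILQ_EMPTY(&outs->outqueue)) {
			some_on_streamwheel = 1;
			break;
		}
	}
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		/* Values match the labels: 1 when the queue is empty. */
		printf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n",
		    some_on_streamwheel,
		    TAILQ_EMPTY(&asoc->send_queue),
		    TAILQ_EMPTY(&asoc->sent_queue));
	}
#endif
	if (!TAILQ_EMPTY(&asoc->send_queue) ||
	    !TAILQ_EMPTY(&asoc->sent_queue) ||
	    some_on_streamwheel) {
		/* By returning we will push more data out */
		return;
	}
	/* no outstanding data to send, so move on: send SHUTDOWN-ACK */
	sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
	/* move to SHUTDOWN-ACK-SENT state */
	asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT;
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		printf("moving to SHUTDOWN_ACK state\n");
	}
#endif
	/* start SHUTDOWN timer */
	sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
	    stcb, net);
}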
618 
/*
 * SHUTDOWN-ACK handler.  Only acted on in SHUTDOWN-SENT or
 * SHUTDOWN-ACK-SENT; anything else is ignored.  Reports any data still
 * queued as undelivered, stops the SHUTDOWN timer, sends
 * SHUTDOWN-COMPLETE to net, tells the ULP the association is down,
 * disconnects a TCP-style socket and frees the TCB.  cp is not
 * inspected.  Nothing is done when stcb is NULL.
 */
static void
sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	struct sctp_association *asoc;
	struct sctp_inpcb *ep;

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
	}
#endif
	if (stcb == NULL) {
		return;
	}

	asoc = &stcb->asoc;
	/* unexpected SHUTDOWN-ACK for this state... so ignore... */
	if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT &&
	    SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
		return;
	}
	/* Anything still queued will never be delivered: report it. */
	if (!TAILQ_EMPTY(&asoc->send_queue) ||
	    !TAILQ_EMPTY(&asoc->sent_queue) ||
	    !TAILQ_EMPTY(&asoc->out_wheel)) {
		sctp_report_all_outbound(stcb);
	}
	sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
	sctp_send_shutdown_complete(stcb, net);
	sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);

	ep = stcb->sctp_ep;
	if (ep->sctp_flags & (SCTP_PCB_FLAGS_TCPTYPE | SCTP_PCB_FLAGS_IN_TCPPOOL)) {
		/* TCP-style socket: mark it disconnected, drop send accounting. */
		ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
		ep->sctp_socket->so_snd.sb_cc = 0;
		ep->sctp_socket->so_snd.sb_mbcnt = 0;
		soisdisconnected(ep->sctp_socket);
	}
	/* Free the TCB; ep was read above since stcb is gone afterwards. */
	sctp_free_assoc(ep, stcb);
}
663 
/*
 * Handle an "unrecognized chunk" error cause from the peer.  The
 * rejected chunk's header sits right after the cause's parameter
 * header.  The two possibilities we care about are ASCONF/ASCONF-ACK
 * and FWD-TSN, which switch the corresponding feature off; any other
 * type means the peer is broken and is only logged.
 *
 * NOTE(review): reading the chunk header through `phdr + 1` relies on
 * the caller having checked that the cause is long enough to hold one
 * after the parameter header; confirm at the call site.
 */
static void
sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
    struct sctp_nets *net)
{
	struct sctp_chunkhdr *rejected = (struct sctp_chunkhdr *)(phdr + 1);

	switch (rejected->chunk_type) {
	case SCTP_FORWARD_CUM_TSN:
		/* Peer rejected FWD-TSN: stop treating it as PR-SCTP capable. */
		stcb->asoc.peer_supports_prsctp = 0;
		break;
	case SCTP_ASCONF_ACK:
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("Strange peer, snds ASCONF but does not recongnize asconf-ack?\n");
		}
#endif
		/* FALLTHROUGH */
	case SCTP_ASCONF:
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("Peer does not support ASCONF/ASCONF-ACK chunks\n");
		}
#endif /* SCTP_DEBUG */
		/* Drop any pending ASCONF state for this peer. */
		sctp_asconf_cleanup(stcb, net);
		break;
	default:
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("Peer does not support chunk type %d(%x)??\n",
			    rejected->chunk_type, (u_int)rejected->chunk_type);
		}
#endif
		break;
	}
}
705 
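/*
 * Handle an "Unrecognized Parameter" error cause.  The parameter the peer
 * rejected sits right after the cause header phdr.  Each parameter we send
 * optionally (PR-SCTP, ECN nonce, the ADD-IP address parameters) has its
 * peer_supports_* flag in the association cleared so we stop using that
 * feature; anything else is only logged under SCTP_DEBUG.
 *
 * Nothing is length-checked here: the caller must guarantee that a full
 * parameter header follows phdr inside the received chunk.
 */
static void
sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
{
	struct sctp_paramhdr *pbad;
	uint16_t ptype;

	pbad = phdr + 1;
	ptype = ntohs(pbad->param_type);
	switch (ptype) {
	case SCTP_PRSCTP_SUPPORTED:
		/* pr-sctp draft */
		stcb->asoc.peer_supports_prsctp = 0;
		break;
	case SCTP_SUPPORTED_CHUNK_EXT:
		/* nothing to switch off */
		break;
	case SCTP_ECN_NONCE_SUPPORTED:
		stcb->asoc.peer_supports_ecn_nonce = 0;
		stcb->asoc.ecn_nonce_allowed = 0;
		stcb->asoc.ecn_allowed = 0;
		break;
	/* draft-ietf-tsvwg-addip-sctp */
	case SCTP_ADD_IP_ADDRESS:
	case SCTP_DEL_IP_ADDRESS:
		stcb->asoc.peer_supports_asconf = 0;
		break;
	case SCTP_SET_PRIM_ADDR:
		stcb->asoc.peer_supports_asconf_setprim = 0;
		break;
	case SCTP_SUCCESS_REPORT:
	case SCTP_ERROR_CAUSE_IND:
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("Huh, the peer does not support success? or error cause?\n");
			printf("Turning off ASCONF to this strange peer\n");
		}
#endif
		stcb->asoc.peer_supports_asconf = 0;
		stcb->asoc.peer_supports_asconf_setprim = 0;
		break;
	default:
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			/* print the host-order type, not the raw wire bytes */
			printf("Peer does not support base param type %d(%x)??\n",
			    ptype, (u_int)ptype);
		}
#endif
		break;
	}
}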
758 
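/*
 * Handle an OPERATION-ERROR chunk from the peer.
 *
 * ch:   the chunk header; the error causes follow it as TLV parameters,
 *       all in network byte order
 * stcb: the association the chunk belongs to
 * net:  the destination the chunk arrived on
 *
 * Walks the causes in order and reacts to the ones that matter to us:
 * STALE-COOKIE restarts the handshake (or aborts once max_init_times is
 * exceeded), UNRECOG-CHUNK / UNRECOG-PARAM switch off optional features
 * through the helpers above.  Everything else is only logged under
 * SCTP_DEBUG.
 *
 * Returns 0, including when a malformed cause length stops the walk early.
 * Returns -1 only after a STALE-COOKIE abort: the association has been
 * freed with sctp_free_assoc(), so the caller must not touch stcb again.
 */
static int
sctp_handle_error(struct sctp_chunkhdr *ch,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	int chklen;
	struct sctp_paramhdr *phdr;
	uint16_t error_type;
	uint16_t error_len;
	struct sctp_association *asoc;
	int adjust;

	/* parse through all of the errors and process */
	asoc = &stcb->asoc;
	phdr = (struct sctp_paramhdr *)((vaddr_t)ch +
	    sizeof(struct sctp_chunkhdr));
	/*
	 * Bytes of error causes left in the chunk.  Computed and compared as
	 * signed int: a chunk_length shorter than the chunk header, or a last
	 * cause whose 32-bit padding is missing, makes chklen negative and
	 * ends the loop, instead of being cast to a huge size_t and walking
	 * phdr off the end of the chunk.
	 */
	chklen = (int)ntohs(ch->chunk_length) -
	    (int)sizeof(struct sctp_chunkhdr);
	while (chklen >= (int)sizeof(struct sctp_paramhdr)) {
		/* Process an Error Cause */
		error_type = ntohs(phdr->param_type);
		error_len = ntohs(phdr->param_length);
		/*
		 * A cause must at least hold its own header and must fit in
		 * what is left of the chunk; otherwise the peer is broken
		 * and we stop parsing rather than read past the chunk.
		 */
		if (error_len < (int)sizeof(struct sctp_paramhdr) ||
		    error_len > chklen) {
			/* invalid param length for this param */
#ifdef SCTP_DEBUG
			if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
				printf("Bogus length in error param- chunk left:%d errorlen:%d\n",
				       chklen, error_len);
			}
#endif /* SCTP_DEBUG */
			return (0);
		}
		switch (error_type) {
		case SCTP_CAUSE_INV_STRM:
		case SCTP_CAUSE_MISS_PARAM:
		case SCTP_CAUSE_INVALID_PARAM:
		case SCTP_CAUSE_NOUSER_DATA:
			/* these point at a bug in one of the two ends */
#ifdef SCTP_DEBUG
			if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
				printf("Software error we got a %d back? We have a bug :/ (or do they?)\n",
				       error_type);
			}
#endif
			break;
		case SCTP_CAUSE_STALE_COOKIE:
			/*
			 * We only act if we have echoed a cookie and are
			 * waiting, and only if the cause really carries the
			 * 32-bit staleness value that follows its header.
			 */
			if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED &&
			    error_len >= (int)(sizeof(struct sctp_paramhdr) +
			    sizeof(uint32_t))) {
				uint32_t *p;
				p = (uint32_t *)((vaddr_t)phdr + sizeof(*phdr));
				/* Save the time doubled */
				asoc->cookie_preserve_req = ntohl(*p) << 1;
				asoc->stale_cookie_count++;
				if (asoc->stale_cookie_count >
				    asoc->max_init_times) {
					/* give up: abort, free and tell the caller */
					sctp_abort_notification(stcb, 0);
					/* now free the asoc */
					sctp_free_assoc(stcb->sctp_ep, stcb);
					return (-1);
				}
				/* blast back to INIT state */
				asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
				asoc->state |= SCTP_STATE_COOKIE_WAIT;
				sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
				    stcb->sctp_ep, stcb, net);
				sctp_send_initiate(stcb->sctp_ep, stcb);
			}
			break;
		case SCTP_CAUSE_UNRESOLV_ADDR:
			/*
			 * Nothing we can do here, we don't do hostname
			 * addresses so if the peer does not like my IPv6 (or
			 * IPv4 for that matter) it does not matter. If they
			 * don't support that type of address, they can NOT
			 * possibly get that packet type... i.e. with no IPv6
			 * you can't receive a IPv6 packet. so we can safely
			 * ignore this one. If we ever added support for
			 * HOSTNAME Addresses, then we would need to do
			 * something here.
			 */
			break;
		case SCTP_CAUSE_UNRECOG_CHUNK:
			/*
			 * the helper reads the rejected chunk's header right
			 * after the cause header, so the cause must be long
			 * enough to contain it
			 */
			if (error_len >= (int)(sizeof(struct sctp_paramhdr) +
			    sizeof(struct sctp_chunkhdr))) {
				sctp_process_unrecog_chunk(stcb, phdr, net);
			}
			break;
		case SCTP_CAUSE_UNRECOG_PARAM:
			/* likewise: a full parameter header must follow */
			if (error_len >= (int)(2 * sizeof(struct sctp_paramhdr))) {
				sctp_process_unrecog_param(stcb, phdr);
			}
			break;
		case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
			/*
			 * We ignore this since the timer will drive out a new
			 * cookie anyway and there timer will drive us to send
			 * a SHUTDOWN_COMPLETE. We can't send one here since
			 * we don't have their tag.
			 */
			break;
		case SCTP_CAUSE_DELETEING_LAST_ADDR:
		case SCTP_CAUSE_OPERATION_REFUSED:
		case SCTP_CAUSE_DELETING_SRC_ADDR:
			/* We should NOT get these here, but in a ASCONF-ACK. */
#ifdef SCTP_DEBUG
			if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
				printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n",
				       error_type);
			}
#endif
			break;
		case SCTP_CAUSE_OUT_OF_RESC:
			/*
			 * And what, pray tell do we do with the fact
			 * that the peer is out of resources? Not
			 * really sure we could do anything but abort.
			 * I suspect this should have came WITH an
			 * abort instead of in a OP-ERROR.
			 */
			break;
		default:
#ifdef SCTP_DEBUG
			if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
				/* don't know what this error cause is... */
				printf("sctp_handle_error: unknown error type = 0x%xh\n",
				       error_type);
			}
#endif /* SCTP_DEBUG */
			break;
		}
		/*
		 * step to the next cause; SCTP_SIZE32() is expected to
		 * account for the cause's 32-bit padding, so a short final
		 * pad leaves chklen negative and ends the loop
		 */
		adjust = SCTP_SIZE32(error_len);
		chklen -= adjust;
		phdr = (struct sctp_paramhdr *)((vaddr_t)phdr + adjust);
	}
	return (0);
}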
887 
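/*
 * Handle an INIT-ACK chunk for an association we initiated.
 *
 * m, iphlen, offset, sh: the packet the chunk arrived in, needed to build
 *                        a possible ABORT and by sctp_process_init_ack()
 * cp:                    the INIT-ACK chunk, fields in network byte order
 * stcb:                  the association; NULL is rejected with -1
 * net:                   the destination the chunk arrived on
 *
 * The mandatory fields are sanity checked first; any protocol violation
 * (short chunk, zero initiate tag, a_rwnd below SCTP_MIN_RWND, a zero
 * stream count) sends an ABORT with an INVALID_PARAM cause and returns -1.
 * The chunk is then acted upon only in COOKIE-WAIT: the INIT-ACK
 * parameters are processed and the association moves to COOKIE-ECHOED
 * (keeping SHUTDOWN_PENDING if it was set).  In SHUTDOWN-SENT,
 * COOKIE-ECHOED and OPEN the chunk is discarded with 0; in EMPTY, INUSE or
 * any other state it is discarded with -1.
 */
static int
sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
    struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
    struct sctp_nets *net)
{
	struct sctp_init_ack *init_ack;
	int *state;
	struct mbuf *op_err;

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_init_ack: handling INIT-ACK\n");
	}
#endif
	if (stcb == NULL) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("sctp_handle_init_ack: TCB is null\n");
		}
#endif
		return (-1);
	}
	/* the length is checked before any field of the INIT-ACK is read */
	if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
		/* Invalid length */
		goto abort_invparam;
	}
	init_ack = &cp->init;
	/*
	 * validate parameters; the tag and the stream counts are compared
	 * against zero without byte swapping, which is byte-order neutral
	 */
	if (init_ack->initiate_tag == 0 ||
	    ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND ||
	    init_ack->num_inbound_streams == 0 ||
	    init_ack->num_outbound_streams == 0) {
		/* protocol error... send an abort */
		goto abort_invparam;
	}

	/* process according to association state... */
	state = &stcb->asoc.state;
	switch (*state & SCTP_STATE_MASK) {
	case SCTP_STATE_COOKIE_WAIT:
		/* this is the expected state for this chunk */
		/* process the INIT-ACK parameters */
		if (stcb->asoc.primary_destination->dest_state &
		    SCTP_ADDR_UNCONFIRMED) {
			/*
			 * The primary is where we sent the INIT, we can
			 * always consider it confirmed when the INIT-ACK
			 * is returned. Do this before we load addresses
			 * though.
			 */
			stcb->asoc.primary_destination->dest_state &=
			    ~SCTP_ADDR_UNCONFIRMED;
			sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
			    stcb, 0, (void *)stcb->asoc.primary_destination);
		}
		if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb,
		    net) < 0) {
			/* error in parsing parameters */
#ifdef SCTP_DEBUG
			if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
				printf("sctp_process_init_ack: error in msg, discarding\n");
			}
#endif
			return (-1);
		}
		/* update our state */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("moving to COOKIE-ECHOED state\n");
		}
#endif
		if (*state & SCTP_STATE_SHUTDOWN_PENDING) {
			*state = SCTP_STATE_COOKIE_ECHOED |
			    SCTP_STATE_SHUTDOWN_PENDING;
		} else {
			*state = SCTP_STATE_COOKIE_ECHOED;
		}

		/* reset the RTO calc */
		stcb->asoc.overall_error_count = 0;
		SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
		/*
		 * collapse the init timer back in case of a exponential backoff
		 */
		sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
		    stcb, net);
		/*
		 * the send at the end of the inbound data processing will
		 * cause the cookie to be sent
		 */
		break;
	case SCTP_STATE_SHUTDOWN_SENT:
	case SCTP_STATE_COOKIE_ECHOED:
	case SCTP_STATE_OPEN:
		/* incorrect state... discard */
		break;
	case SCTP_STATE_EMPTY:
	case SCTP_STATE_INUSE:
	default:
		/* incorrect state... discard */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("Leaving handle-init-ack default\n");
		}
#endif
		return (-1);
	} /* end switch asoc state */
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		printf("Leaving handle-init-ack end\n");
	}
#endif
	return (0);

abort_invparam:
	/*
	 * Every validation failure above ends here: report an invalid
	 * mandatory parameter to the peer, abort the association and tell
	 * the caller the chunk was rejected.
	 */
	op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
	sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, op_err);
	return (-1);
}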
1031 
1032 
1033 /*
1034  * handle a state cookie for an existing association
1035  * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk
1036  *    note: this is a "split" mbuf and the cookie signature does not exist
1037  * offset: offset into mbuf to the cookie-echo chunk
1038  */
1039 static struct sctp_tcb *
sctp_process_cookie_existing(struct mbuf * m,int iphlen,int offset,struct sctphdr * sh,struct sctp_state_cookie * cookie,int cookie_len,struct sctp_inpcb * inp,struct sctp_tcb * stcb,struct sctp_nets * net,struct sockaddr * init_src,int * notification)1040 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1041     struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1042     struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
1043     struct sockaddr *init_src, int *notification)
1044 {
1045           struct sctp_association *asoc;
1046           struct sctp_init_chunk *init_cp, init_buf;
1047           struct sctp_init_ack_chunk *initack_cp, initack_buf;
1048           int chk_length;
1049           int init_offset, initack_offset;
1050           int retval;
1051 
1052           /* I know that the TCB is non-NULL from the caller */
1053           asoc = &stcb->asoc;
1054 
1055           if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1056                     /* SHUTDOWN came in after sending INIT-ACK */
1057                     struct mbuf *op_err;
1058                     struct sctp_paramhdr *ph;
1059 
1060                     sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1061 #ifdef SCTP_DEBUG
1062                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1063                               printf("sctp_handle_cookie: got a cookie, while shutting down!\n");
1064                     }
1065 #endif
1066                     MGETHDR(op_err, M_DONTWAIT, MT_HEADER);
1067                     if (op_err == NULL) {
1068                               /* FOOBAR */
1069                               return (NULL);
1070                     }
1071                     /* pre-reserve some space */
1072                     op_err->m_data += sizeof(struct ip6_hdr);
1073                     op_err->m_data += sizeof(struct sctphdr);
1074                     op_err->m_data += sizeof(struct sctp_chunkhdr);
1075                     /* Set the len */
1076                     op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr);
1077                     ph = mtod(op_err, struct sctp_paramhdr *);
1078                     ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
1079                     ph->param_length = htons(sizeof(struct sctp_paramhdr));
1080                     sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1081                     return (NULL);
1082           }
1083           /*
1084            * find and validate the INIT chunk in the cookie (peer's info)
1085            * the INIT should start after the cookie-echo header struct
1086            * (chunk header, state cookie header struct)
1087            */
1088           init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1089 
1090           init_cp = (struct sctp_init_chunk *)
1091               sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1092               (u_int8_t *)&init_buf);
1093           if (init_cp == NULL) {
1094                     /* could not pull a INIT chunk in cookie */
1095 #ifdef SCTP_DEBUG
1096                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1097                               printf("process_cookie_existing: could not pull INIT chunk hdr\n");
1098                     }
1099 #endif /* SCTP_DEBUG */
1100                     return (NULL);
1101           }
1102           chk_length = ntohs(init_cp->ch.chunk_length);
1103           if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1104 #ifdef SCTP_DEBUG
1105                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1106                               printf("process_cookie_existing: could not find INIT chunk!\n");
1107                     }
1108 #endif /* SCTP_DEBUG */
1109                     return (NULL);
1110           }
1111 
1112           /*
1113            * find and validate the INIT-ACK chunk in the cookie (my info)
1114            * the INIT-ACK follows the INIT chunk
1115            */
1116           initack_offset = init_offset + SCTP_SIZE32(chk_length);
1117           initack_cp = (struct sctp_init_ack_chunk *)
1118               sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1119               (u_int8_t *)&initack_buf);
1120           if (initack_cp == NULL) {
1121                     /* could not pull INIT-ACK chunk in cookie */
1122 #ifdef SCTP_DEBUG
1123                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1124                               printf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n");
1125                     }
1126 #endif /* SCTP_DEBUG */
1127                     return (NULL);
1128           }
1129           chk_length = ntohs(initack_cp->ch.chunk_length);
1130           if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1131 #ifdef SCTP_DEBUG
1132                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1133                               printf("process_cookie_existing: could not find INIT-ACK chunk!\n");
1134                     }
1135 #endif /* SCTP_DEBUG */
1136                     return (NULL);
1137           }
1138           if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1139               (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1140                     /*
1141                      * case D in Section 5.2.4 Table 2: MMAA
1142                      * process accordingly to get into the OPEN state
1143                      */
1144                     switch SCTP_GET_STATE(asoc) {
1145                     case SCTP_STATE_COOKIE_WAIT:
1146                               /*
1147                                * INIT was sent, but got got a COOKIE_ECHO with
1148                                * the correct tags... just accept it...
1149                                */
1150                               /* First we must process the INIT !! */
1151                               retval = sctp_process_init(init_cp, stcb, net);
1152                               if (retval < 0) {
1153 #ifdef SCTP_DEBUG
1154                                         printf("process_cookie_existing: INIT processing failed\n");
1155 #endif
1156                                         return (NULL);
1157                               }
1158                               /* FALLTHROUGH */
1159                               /* intentional fall through to below... */
1160 
1161                     case SCTP_STATE_COOKIE_ECHOED:
1162                               /* Duplicate INIT case */
1163                               /* we have already processed the INIT so no problem */
1164                               sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1165                                   net);
1166                               sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1167                               sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb,
1168                                   net);
1169                               /* update current state */
1170                               if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1171                                         asoc->state = SCTP_STATE_OPEN |
1172                                             SCTP_STATE_SHUTDOWN_PENDING;
1173                               } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) {
1174                                         /* if ok, move to OPEN state */
1175                                         asoc->state = SCTP_STATE_OPEN;
1176                               }
1177                               if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1178                                   (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1179                                   (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) {
1180                                         /*
1181                                          * Here is where collision would go if we did a
1182                                          * connect() and instead got a
1183                                          * init/init-ack/cookie done before the
1184                                          * init-ack came back..
1185                                          */
1186                                         stcb->sctp_ep->sctp_flags |=
1187                                             SCTP_PCB_FLAGS_CONNECTED;
1188                                         soisconnected(stcb->sctp_ep->sctp_socket);
1189                               }
1190                               /* notify upper layer */
1191                               *notification = SCTP_NOTIFY_ASSOC_UP;
1192                               sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1193                                   net);
1194                               /*
1195                                * since we did not send a HB make sure we don't double
1196                                * things
1197                                */
1198                               net->hb_responded = 1;
1199 
1200                               if (stcb->asoc.sctp_autoclose_ticks &&
1201                                   (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1202                                         sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1203                                             inp, stcb, NULL);
1204                               }
1205                               break;
1206                     default:
1207                               /*
1208                                * we're in the OPEN state (or beyond), so peer
1209                                * must have simply lost the COOKIE-ACK
1210                                */
1211                               break;
1212                     } /* end switch */
1213 
1214                     /*
1215                      * We ignore the return code here.. not sure if we should
1216                      * somehow abort.. but we do have an existing asoc. This
1217                      * really should not fail.
1218                      */
1219                     if (sctp_load_addresses_from_init(stcb, m, iphlen,
1220                         init_offset + sizeof(struct sctp_init_chunk),
1221                         initack_offset, sh, init_src)) {
1222 #ifdef SCTP_DEBUG
1223                               if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1224                                         printf("Weird cookie load_address failure on cookie existing - 1\n");
1225                               }
1226 #endif
1227                               return (NULL);
1228                     }
1229 
1230                     /* respond with a COOKIE-ACK */
1231                     sctp_send_cookie_ack(stcb);
1232                     return (stcb);
1233           } /* end if */
1234           if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1235               ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1236               cookie->tie_tag_my_vtag == 0 &&
1237               cookie->tie_tag_peer_vtag == 0) {
1238                     /*
1239                      * case C in Section 5.2.4 Table 2: XMOO
1240                      * silently discard
1241                      */
1242                     return (NULL);
1243           }
1244           if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag &&
1245               (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag ||
1246                init_cp->init.initiate_tag == 0)) {
1247                     /*
1248                      * case B in Section 5.2.4 Table 2: MXAA or MOAA
1249                      * my info should be ok, re-accept peer info
1250                      */
1251                     sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1252                     sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1253                     sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
1254                     sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1255                     /*
1256                      * since we did not send a HB make sure we don't double things
1257                      */
1258                     net->hb_responded = 1;
1259                     if (stcb->asoc.sctp_autoclose_ticks &&
1260                         (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1261                               sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1262                                   NULL);
1263                     }
1264                     asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1265                     asoc->pre_open_streams =
1266                         ntohs(initack_cp->init.num_outbound_streams);
1267                     asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1268                     asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out =
1269                         asoc->init_seq_number;
1270                     asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1271                     asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1272                     asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1273                     asoc->str_reset_seq_in = asoc->init_seq_number;
1274                     asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1275 
1276                     /* process the INIT info (peer's info) */
1277                     retval = sctp_process_init(init_cp, stcb, net);
1278                     if (retval < 0) {
1279 #ifdef SCTP_DEBUG
1280                               if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1281                                         printf("process_cookie_existing: INIT processing failed\n");
1282                               }
1283 #endif
1284                               return (NULL);
1285                     }
1286                     if (sctp_load_addresses_from_init(stcb, m, iphlen,
1287                         init_offset + sizeof(struct sctp_init_chunk),
1288                         initack_offset, sh, init_src)) {
1289 #ifdef SCTP_DEBUG
1290                               if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1291                                         printf("Weird cookie load_address failure on cookie existing - 2\n");
1292                               }
1293 #endif
1294                               return (NULL);
1295                     }
1296 
1297                     if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1298                         (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1299                               *notification = SCTP_NOTIFY_ASSOC_UP;
1300 
1301                               if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1302                                    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1303                                   !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
1304                                         stcb->sctp_ep->sctp_flags |=
1305                                             SCTP_PCB_FLAGS_CONNECTED;
1306                                         soisconnected(stcb->sctp_ep->sctp_socket);
1307                               }
1308                     }
1309                     if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1310                               asoc->state = SCTP_STATE_OPEN |
1311                                   SCTP_STATE_SHUTDOWN_PENDING;
1312                     } else {
1313                               asoc->state = SCTP_STATE_OPEN;
1314                     }
1315                     sctp_send_cookie_ack(stcb);
1316                     return (stcb);
1317           }
1318 
1319           if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1320                ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1321               cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1322               cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1323               cookie->tie_tag_peer_vtag != 0) {
1324                     /*
1325                      * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1326                      */
1327                     sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1328                     sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
1329                     sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1330 
1331                     /* notify upper layer */
1332                     *notification = SCTP_NOTIFY_ASSOC_RESTART;
1333 
1334                     /* send up all the data */
1335                     sctp_report_all_outbound(stcb);
1336 
1337                     /* process the INIT-ACK info (my info) */
1338                     asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1339                     asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1340                     asoc->pre_open_streams =
1341                         ntohs(initack_cp->init.num_outbound_streams);
1342                     asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1343                     asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out =
1344                         asoc->init_seq_number;
1345                     asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1346                     asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1347                     asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1348                     asoc->str_reset_seq_in = asoc->init_seq_number;
1349 
1350                     asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1351                     if (asoc->mapping_array)
1352                               memset(asoc->mapping_array, 0,
1353                                   asoc->mapping_array_size);
1354                     /* process the INIT info (peer's info) */
1355                     retval = sctp_process_init(init_cp, stcb, net);
1356                     if (retval < 0) {
1357 #ifdef SCTP_DEBUG
1358                               if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1359                                         printf("process_cookie_existing: INIT processing failed\n");
1360                               }
1361 #endif
1362                               return (NULL);
1363                     }
1364 
1365                     sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1366                     /*
1367                      * since we did not send a HB make sure we don't double things
1368                      */
1369                     net->hb_responded = 1;
1370 
1371                     if (sctp_load_addresses_from_init(stcb, m, iphlen,
1372                         init_offset + sizeof(struct sctp_init_chunk),
1373                         initack_offset, sh, init_src)) {
1374 #ifdef SCTP_DEBUG
1375                               if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1376                                         printf("Weird cookie load_address failure on cookie existing - 3\n");
1377                               }
1378 #endif
1379                               return (NULL);
1380                     }
1381 
1382                     if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1383                               asoc->state = SCTP_STATE_OPEN |
1384                                   SCTP_STATE_SHUTDOWN_PENDING;
1385                     } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1386                               /* move to OPEN state, if not in SHUTDOWN_SENT */
1387                               asoc->state = SCTP_STATE_OPEN;
1388                     }
1389                     /* respond with a COOKIE-ACK */
1390                     sctp_send_cookie_ack(stcb);
1391 
1392                     return (stcb);
1393           }
1394           /* all other cases... */
1395           return (NULL);
1396 }
1397 
/*
 * handle a state cookie for a new association
 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk
 *    note: this is a "split" mbuf and the cookie signature does not exist
 * offset: offset into mbuf to the cookie-echo chunk
 * cookie_len: length of the cookie chunk
 * init_src: where the INIT came from (the peer's source address)
 * returns the new TCB, or NULL if the cookie could not be processed
 */
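static struct sctp_tcb *
sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
    struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
    struct sctp_inpcb *inp, struct sctp_nets **netp,
    struct sockaddr *init_src, int *notification)
{
	struct sctp_tcb *stcb;
	struct sctp_init_chunk *init_cp, init_buf;
	struct sctp_init_ack_chunk *initack_cp, initack_buf;
	struct sockaddr_storage sa_store;
	struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
	struct sctp_association *asoc;
	struct mbuf *op_err;
	int chk_length;
	int init_offset, initack_offset, initack_limit;
	int error = 0;

	/*
	 * Locate and validate the INIT chunk carried in the cookie (the
	 * peer's info).  It starts right after the cookie-echo header
	 * (chunk header plus state cookie header struct).  The chunk
	 * copies inside the cookie are only as trustworthy as the cookie
	 * signature check presumably performed by the caller.
	 */
	init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
	init_cp = (struct sctp_init_chunk *)
	    sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
	    (u_int8_t *)&init_buf);
	if (init_cp == NULL) {
		/* could not pull a INIT chunk in cookie */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("process_cookie_new: could not pull INIT chunk hdr\n");
		}
#endif /* SCTP_DEBUG */
		return (NULL);
	}
	if (init_cp->ch.chunk_type != SCTP_INITIATION) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("HUH? process_cookie_new: could not find INIT chunk!\n");
		}
#endif /* SCTP_DEBUG */
		return (NULL);
	}
	chk_length = ntohs(init_cp->ch.chunk_length);

	/*
	 * Locate and validate the INIT-ACK chunk in the cookie (my info);
	 * it follows the INIT chunk at the next 32-bit boundary.
	 */
	initack_offset = init_offset + SCTP_SIZE32(chk_length);
	initack_cp = (struct sctp_init_ack_chunk *)
	    sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
	    (u_int8_t *)&initack_buf);
	if (initack_cp == NULL) {
		/* could not pull INIT-ACK chunk in cookie */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n");
		}
#endif /* SCTP_DEBUG */
		return (NULL);
	}
	if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			u_int8_t *pp;
			pp = (u_int8_t *)initack_cp;
			printf("process_cookie_new: could not find INIT-ACK chunk!\n");
			printf("Found bytes %x %x %x %x at position %d\n",
			    (u_int)pp[0], (u_int)pp[1], (u_int)pp[2],
			    (u_int)pp[3], initack_offset);
		}
#endif /* SCTP_DEBUG */
		return (NULL);
	}
	chk_length = ntohs(initack_cp->ch.chunk_length);
	/* end of the INIT-ACK; bounds the address list scanned further down */
	initack_limit = initack_offset + SCTP_SIZE32(chk_length);

	/*
	 * Now that we know the INIT/INIT-ACK are in place, create a new
	 * TCB and populate it.  From here on every failure path must go
	 * through fail_free so the association is unregistered again;
	 * returning early would leave a half-initialised TCB attached to
	 * the endpoint.
	 */
	stcb = sctp_aloc_assoc(inp, init_src, 0, &error,
	    ntohl(initack_cp->init.initiate_tag));
	if (stcb == NULL) {
		/* memory problem? */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("process_cookie_new: no room for another TCB!\n");
		}
#endif /* SCTP_DEBUG */
		op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
		sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
		    sh, op_err);
		return (NULL);
	}

	/* get the correct sctp_nets */
	*netp = sctp_findnet(stcb, init_src);
	if (*netp == NULL) {
		/*
		 * init_src is presumably registered as a destination by
		 * sctp_aloc_assoc(); if it is missing we cannot continue,
		 * since *netp is dereferenced unconditionally below.
		 */
		goto fail_free;
	}
	asoc = &stcb->asoc;

	/* get scope variables out of cookie */
	asoc->ipv4_local_scope = cookie->ipv4_scope;
	asoc->site_scope = cookie->site_scope;
	asoc->local_scope = cookie->local_scope;
	asoc->loopback_scope = cookie->loopback_scope;

	if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
	    (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
		/*
		 * Houston we have a problem. The EP changed while the cookie
		 * was in flight. Only recourse is to abort the association.
		 * The TCB allocated above is already registered on the
		 * endpoint, so it has to be released as well.
		 */
		op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
		sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
		    sh, op_err);
		goto fail_free;
	}

	/* process the INIT-ACK info (my info) */
	asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
	asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
	asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
	asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
	/* every outbound sequence space starts at our initial TSN */
	asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out =
	    asoc->init_seq_number;
	asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
	/* nothing acked yet: the "last" markers sit one before the start */
	asoc->last_cwr_tsn = asoc->init_seq_number - 1;
	asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
	asoc->str_reset_seq_in = asoc->init_seq_number;
	asoc->advanced_peer_ack_point = asoc->last_acked_seq;

	/* process the INIT info (peer's info) */
	if (sctp_process_init(init_cp, stcb, *netp) < 0) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("process_cookie_new: INIT processing failed\n");
		}
#endif
		goto fail_free;
	}
	/* load all addresses */
	if (sctp_load_addresses_from_init(stcb, m, iphlen,
	    init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
	    init_src)) {
		goto fail_free;
	}

	/* update current state */
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		printf("moving to OPEN state\n");
	}
#endif
	if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
		asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
	} else {
		asoc->state = SCTP_STATE_OPEN;
	}
	/* seed the RTO from the time the cookie took to make the round trip */
	(*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
	    &cookie->time_entered);

	/*
	 * if we're doing ASCONFs, check to see if we have any new
	 * local addresses that need to get added to the peer (eg.
	 * addresses changed while cookie echo in flight).  This needs
	 * to be done after we go to the OPEN state to do the correct
	 * asconf processing.
	 * else, make sure we have the correct addresses in our lists
	 */

	/* pull in local_address (our "from" address) from the cookie */
	if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
		/* source addr is IPv4 */
		struct sockaddr_in *sin = (struct sockaddr_in *)initack_src;

		memset(sin, 0, sizeof(*sin));
		sin->sin_family = AF_INET;
		sin->sin_len = sizeof(struct sockaddr_in);
		sin->sin_addr.s_addr = cookie->laddress[0];
	} else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
		/* source addr is IPv6 */
		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)initack_src;

		memset(sin6, 0, sizeof(*sin6));
		sin6->sin6_family = AF_INET6;
		sin6->sin6_len = sizeof(struct sockaddr_in6);
		sin6->sin6_scope_id = cookie->scope_id;
		memcpy(&sin6->sin6_addr, cookie->laddress,
		    sizeof(sin6->sin6_addr));
	} else {
		/* unknown address family recorded in the cookie */
		goto fail_free;
	}

	sctp_check_address_list(stcb, m, initack_offset +
	    sizeof(struct sctp_init_ack_chunk), initack_limit,
	    initack_src, cookie->local_scope, cookie->site_scope,
	    cookie->ipv4_scope, cookie->loopback_scope);

	/* set up to notify upper layer */
	*notification = SCTP_NOTIFY_ASSOC_UP;
	if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
	     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
	    !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
		/*
		 * This is an endpoint that called connect()
		 * how it got a cookie that is NEW is a bit of
		 * a mystery. It must be that the INIT was sent, but
		 * before it got there.. a complete INIT/INIT-ACK/COOKIE
		 * arrived. But of course then it should have went to
		 * the other code.. not here.. oh well.. a bit of protection
		 * is worth having..
		 */
		stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
		soisconnected(stcb->sctp_ep->sctp_socket);
		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp);
	} else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
		   (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
		/*
		 * Listening endpoint: leave it alone, the heartbeat timer
		 * is started for accepted connections by the caller.
		 */
	} else {
		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp);
	}
	/* since we did not send a HB make sure we don't double things */
	(*netp)->hb_responded = 1;

	if (stcb->asoc.sctp_autoclose_ticks &&
	    (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
		sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
	}

	/* respond with a COOKIE-ACK */
	sctp_send_cookie_ack(stcb);

	return (stcb);

fail_free:
	/*
	 * Undo sctp_aloc_assoc(): drop the association again and make
	 * sure the caller is not left holding a pointer into freed memory.
	 */
	sctp_free_assoc(inp, stcb);
	*netp = NULL;
	return (NULL);
}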
1653 
1654 
/*
 * handles a COOKIE-ECHO message
 * stcb: set to the newly created TCB, or left pointing at the existing
 *       (non-NULL) TCB
 */
1659 static struct mbuf *
sctp_handle_cookie_echo(struct mbuf * m,int iphlen,int offset,struct sctphdr * sh,struct sctp_cookie_echo_chunk * cp,struct sctp_inpcb ** inp_p,struct sctp_tcb ** stcb,struct sctp_nets ** netp)1660 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
1661     struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
1662     struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp)
1663 {
1664           struct sctp_state_cookie *cookie;
1665           struct sockaddr_in6 sin6;
1666           struct sockaddr_in sin;
1667           struct sctp_tcb *l_stcb=*stcb;
1668           struct sctp_inpcb *l_inp;
1669           struct sockaddr *to;
1670           struct sctp_pcb *ep;
1671           struct mbuf *m_sig;
1672           uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
1673           uint8_t *sig;
1674           uint8_t cookie_ok = 0;
1675           unsigned int size_of_pkt, sig_offset, cookie_offset;
1676           unsigned int cookie_len;
1677           struct timeval now;
1678           struct timeval time_expires;
1679           struct sockaddr_storage dest_store;
1680           struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
1681           struct ip *iph;
1682           int notification = 0;
1683           struct sctp_nets *netl;
1684           int had_a_existing_tcb = 0;
1685 
1686 #ifdef SCTP_DEBUG
1687           if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1688                     printf("sctp_handle_cookie: handling COOKIE-ECHO\n");
1689           }
1690 #endif
1691 
1692           if (inp_p == NULL) {
1693 #ifdef SCTP_DEBUG
1694                     if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1695                               printf("sctp_handle_cookie: null inp_p!\n");
1696                     }
1697 #endif
1698                     return (NULL);
1699           }
1700           /* First get the destination address setup too. */
1701           iph = mtod(m, struct ip *);
1702           if (iph->ip_v == IPVERSION) {
1703                     /* its IPv4 */
1704                     struct sockaddr_in *sin_d;
1705                     sin_d = (struct sockaddr_in *)(localep_sa);
1706                     memset(sin_d, 0, sizeof(*sin_d));
1707                     sin_d->sin_family = AF_INET;
1708                     sin_d->sin_len = sizeof(*sin_d);
1709                     sin_d->sin_port = sh->dest_port;
1710                     sin_d->sin_addr.s_addr = iph->ip_dst.s_addr ;
1711           } else if (iph->ip_v == (IPV6_VERSION >> 4)) {
1712                     /* its IPv6 */
1713                     struct ip6_hdr *ip6;
1714                     struct sockaddr_in6 *sin6_d;
1715                     sin6_d = (struct sockaddr_in6 *)(localep_sa);
1716                     memset(sin6_d, 0, sizeof(*sin6_d));
1717                     sin6_d->sin6_family = AF_INET6;
1718                     sin6_d->sin6_len = sizeof(struct sockaddr_in6);
1719                     ip6 = mtod(m, struct ip6_hdr *);
1720                     sin6_d->sin6_port = sh->dest_port;
1721                     sin6_d->sin6_addr = ip6->ip6_dst;
1722           } else {
1723                     return (NULL);
1724           }
1725 
1726           cookie = &cp->cookie;
1727           cookie_offset = offset + sizeof(struct sctp_chunkhdr);
1728           cookie_len = ntohs(cp->ch.chunk_length);
1729 
1730           /* compute size of packet */
1731           if (m->m_flags & M_PKTHDR) {
1732                     size_of_pkt = m->m_pkthdr.len;
1733           } else {
1734                     /* Should have a pkt hdr really */
1735                     struct mbuf *mat;
1736                     mat = m;
1737                     size_of_pkt = 0;
1738                     while (mat != NULL) {
1739                               size_of_pkt += mat->m_len;
1740                               mat = mat->m_next;
1741                     }
1742           }
1743           if (cookie_len > size_of_pkt ||
1744               cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
1745               sizeof(struct sctp_init_chunk) +
1746               sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
1747                     /* cookie too long!  or too small */
1748 #ifdef SCTP_DEBUG
1749                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1750                               printf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt);
1751                     }
1752 #endif /* SCTP_DEBUG */
1753                     return (NULL);
1754           }
1755 
1756           if ((cookie->peerport != sh->src_port) &&
1757               (cookie->myport != sh->dest_port) &&
1758               (cookie->my_vtag != sh->v_tag)) {
1759                     /*
1760                      * invalid ports or bad tag.  Note that we always leave
1761                      * the v_tag in the header in network order and when we
1762                      * stored it in the my_vtag slot we also left it in network
1763                      * order. This maintians the match even though it may be in
1764                      * the opposite byte order of the machine :->
1765                      */
1766                     return (NULL);
1767           }
1768 
1769           /*
1770            * split off the signature into its own mbuf (since it
1771            * should not be calculated in the sctp_hash_digest_m() call).
1772            */
1773           sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
1774           if (sig_offset > size_of_pkt) {
1775                     /* packet not correct size! */
1776                     /* XXX this may already be accounted for earlier... */
1777 #ifdef SCTP_DEBUG
1778                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1779                               printf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt);
1780                     }
1781 #endif
1782                     return (NULL);
1783           }
1784 
1785           m_sig = m_split(m, sig_offset, M_DONTWAIT);
1786           if (m_sig == NULL) {
1787                     /* out of memory or ?? */
1788 #ifdef SCTP_DEBUG
1789                     if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1790                               printf("sctp_handle_cookie: couldn't m_split the signature\n");
1791                     }
1792 #endif
1793                     return (NULL);
1794           }
1795           /*
1796            * compute the signature/digest for the cookie
1797            */
1798           ep = &(*inp_p)->sctp_ep;
1799           l_inp = *inp_p;
1800           if (l_stcb) {
1801                     SCTP_TCB_UNLOCK(l_stcb);
1802           }
1803           SCTP_INP_RLOCK(l_inp);
1804           if (l_stcb) {
1805                     SCTP_TCB_LOCK(l_stcb);
1806           }
1807           /* which cookie is it? */
1808           if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
1809               (ep->current_secret_number != ep->last_secret_number)) {
1810                     /* it's the old cookie */
1811 #ifdef SCTP_DEBUG
1812                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1813                               printf("sctp_handle_cookie: old cookie sig\n");
1814                     }
1815 #endif
1816                     sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number],
1817                         SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1818           } else {
1819                     /* it's the current cookie */
1820 #ifdef SCTP_DEBUG
1821                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1822                               printf("sctp_handle_cookie: current cookie sig\n");
1823                     }
1824 #endif
1825                     sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number],
1826                         SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1827           }
1828           /* get the signature */
1829           SCTP_INP_RUNLOCK(l_inp);
1830           sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig);
1831           if (sig == NULL) {
1832                     /* couldn't find signature */
1833 #ifdef SCTP_DEBUG
1834                     if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1835                               printf("sctp_handle_cookie: couldn't pull the signature\n");
1836                     }
1837 #endif
1838                     return (NULL);
1839           }
1840           /* compare the received digest with the computed digest */
1841           if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
1842                     /* try the old cookie? */
1843                     if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
1844                         (ep->current_secret_number != ep->last_secret_number)) {
1845                               /* compute digest with old */
1846 #ifdef SCTP_DEBUG
1847                               if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1848                                         printf("sctp_handle_cookie: old cookie sig\n");
1849                               }
1850 #endif
1851                               sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number],
1852                                   SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1853                               /* compare */
1854                               if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
1855                                         cookie_ok = 1;
1856                     }
1857           } else {
1858                     cookie_ok = 1;
1859           }
1860 
1861           /*
1862            * Now before we continue we must reconstruct our mbuf so
1863            * that normal processing of any other chunks will work.
1864            */
1865           {
1866                     struct mbuf *m_at;
1867                     m_at = m;
1868                     while (m_at->m_next != NULL) {
1869                               m_at = m_at->m_next;
1870                     }
1871                     m_at->m_next = m_sig;
1872                     if (m->m_flags & M_PKTHDR) {
1873                               /*
1874                                * We should only do this if and only if the front
1875                                * mbuf has a m_pkthdr... it should in theory.
1876                                */
1877                               if (m_sig->m_flags & M_PKTHDR) {
1878                                         /* Add back to the pkt hdr of main m chain */
1879                                         m->m_pkthdr.len += m_sig->m_len;
1880                               } else {
1881                                         /*
1882                                          * Got a problem, no pkthdr in split chain.
1883                                          * TSNH but we will handle it just in case
1884                                          */
1885                                         int mmlen = 0;
1886                                         struct mbuf *lat;
1887                                         printf("Warning: Hitting m_split join TSNH code - fixed\n");
1888                                         lat = m_sig;
1889                                         while (lat) {
1890                                                   mmlen += lat->m_len;
1891                                                   lat = lat->m_next;
1892                                         }
1893                                         m->m_pkthdr.len += mmlen;
1894                               }
1895                     }
1896           }
1897 
1898           if (cookie_ok == 0) {
1899 #ifdef SCTP_DEBUG
1900                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1901                               printf("handle_cookie_echo: cookie signature validation failed!\n");
1902                               printf("offset = %u, cookie_offset = %u, sig_offset = %u\n",
1903                                   (u_int32_t)offset, cookie_offset, sig_offset);
1904                     }
1905 #endif
1906                     return (NULL);
1907           }
1908 #ifdef SCTP_DEBUG
1909           if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1910                     printf("handle_cookie_echo: cookie signature validation passed\n");
1911           }
1912 #endif
1913 
1914           /*
1915            * check the cookie timestamps to be sure it's not stale
1916            */
1917           SCTP_GETTIME_TIMEVAL(&now);
1918           /* Expire time is in Ticks, so we convert to seconds */
1919           time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life;
1920           time_expires.tv_usec = cookie->time_entered.tv_usec;
1921 #ifndef __FreeBSD__
1922           if (timercmp(&now, &time_expires, >))
1923 #else
1924           if (timevalcmp(&now, &time_expires, >))
1925 #endif
1926           {
1927                     /* cookie is stale! */
1928                     struct mbuf *op_err;
1929                     struct sctp_stale_cookie_msg *scm;
1930                     u_int32_t tim;
1931 #ifdef SCTP_DEBUG
1932                     if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
1933                               printf("sctp_handle_cookie: got a STALE cookie!\n");
1934                     }
1935 #endif
1936                     MGETHDR(op_err, M_DONTWAIT, MT_HEADER);
1937                     if (op_err == NULL) {
1938                               /* FOOBAR */
1939                               return (NULL);
1940                     }
1941                     /* pre-reserve some space */
1942                     op_err->m_data += sizeof(struct ip6_hdr);
1943                     op_err->m_data += sizeof(struct sctphdr);
1944                     op_err->m_data += sizeof(struct sctp_chunkhdr);
1945 
1946                     /* Set the len */
1947                     op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg);
1948                     scm = mtod(op_err, struct sctp_stale_cookie_msg *);
1949                     scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
1950                     scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
1951                         (sizeof(u_int32_t))));
1952                     /* seconds to usec */
1953                     tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
1954                     /* add in usec */
1955                     if (tim == 0)
1956                               tim = now.tv_usec - cookie->time_entered.tv_usec;
1957                     scm->time_usec = htonl(tim);
1958                     sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1959                     return (NULL);
1960           }
1961           /*
1962            * Now we must see with the lookup address if we have an existing
1963            * asoc. This will only happen if we were in the COOKIE-WAIT state
1964            * and a INIT collided with us and somewhere the peer sent the
1965            * cookie on another address besides the single address our assoc
1966            * had for him. In this case we will have one of the tie-tags set
1967            * at least AND the address field in the cookie can be used to
1968            * look it up.
1969            */
1970           to = NULL;
1971           if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
1972                     memset(&sin6, 0, sizeof(sin6));
1973                     sin6.sin6_family = AF_INET6;
1974                     sin6.sin6_len = sizeof(sin6);
1975                     sin6.sin6_port = sh->src_port;
1976                     sin6.sin6_scope_id = cookie->scope_id;
1977                     memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
1978                            sizeof(sin6.sin6_addr.s6_addr));
1979                     to = (struct sockaddr *)&sin6;
1980           } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
1981                     memset(&sin, 0, sizeof(sin));
1982                     sin.sin_family = AF_INET;
1983                     sin.sin_len = sizeof(sin);
1984                     sin.sin_port = sh->src_port;
1985                     sin.sin_addr.s_addr = cookie->address[0];
1986                     to = (struct sockaddr *)&sin;
1987           }
1988 
1989           if ((*stcb == NULL) && to) {
1990                     /* Yep, lets check */
1991                     *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
1992                     if (*stcb == NULL) {
1993                               /* We should have only got back the same inp. If we
1994                                * got back a different ep we have a problem. The original
1995                                * findep got back l_inp and now
1996                                */
1997                               if (l_inp != *inp_p) {
1998                                         printf("Bad problem find_ep got a diff inp then special_locate?\n");
1999                               }
2000                     }
2001           }
2002 
2003           cookie_len -= SCTP_SIGNATURE_SIZE;
2004           if (*stcb == NULL) {
2005                     /* this is the "normal" case... get a new TCB */
2006 #ifdef SCTP_DEBUG
2007                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2008                               printf("sctp_handle_cookie: processing NEW cookie\n");
2009                     }
2010 #endif
2011                     *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
2012                         cookie_len, *inp_p, netp, to, &notification);
2013                     /* now always decrement, since this is the normal
2014                      * case.. we had no tcb when we entered.
2015                      */
2016           } else {
2017                     /* this is abnormal... cookie-echo on existing TCB */
2018 #ifdef SCTP_DEBUG
2019                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2020                               printf("sctp_handle_cookie: processing EXISTING cookie\n");
2021                     }
2022 #endif
2023                     had_a_existing_tcb = 1;
2024                     *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
2025                         cookie, cookie_len, *inp_p, *stcb, *netp, to, &notification);
2026           }
2027 
2028           if (*stcb == NULL) {
2029                     /* still no TCB... must be bad cookie-echo */
2030 #ifdef SCTP_DEBUG
2031                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2032                               printf("handle_cookie_echo: ACK! don't have a TCB!\n");
2033                     }
2034 #endif /* SCTP_DEBUG */
2035                     return (NULL);
2036           }
2037 
2038           /*
2039            * Ok, we built an association so confirm the address
2040            * we sent the INIT-ACK to.
2041            */
2042           netl = sctp_findnet(*stcb, to);
2043         /* This code should in theory NOT run but
2044            */
2045           if (netl == NULL) {
2046 #ifdef SCTP_DEBUG
2047                     printf("TSNH! Huh, why do I need to add this address here?\n");
2048 #endif
2049                     sctp_add_remote_addr(*stcb, to, 0, 100);
2050                     netl = sctp_findnet(*stcb, to);
2051           }
2052           if (netl) {
2053                     if (netl->dest_state &  SCTP_ADDR_UNCONFIRMED) {
2054                               netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2055                               sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2056                                                         netl);
2057                               sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2058                                                   (*stcb), 0, (void *)netl);
2059                     }
2060           }
2061 #ifdef SCTP_DEBUG
2062           else {
2063                     printf("Could not add source address for some reason\n");
2064           }
2065 #endif
2066 
2067           if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2068                     if (!had_a_existing_tcb ||
2069                         (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2070                               /*
2071                                * If we have a NEW cookie or the connect never reached
2072                                * the connected state during collision we must do the
2073                                * TCP accept thing.
2074                                */
2075                               struct socket *so, *oso;
2076                               struct sctp_inpcb *inp;
2077                               if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2078                                         /*
2079                                          * For a restart we will keep the same socket,
2080                                          * no need to do anything. I THINK!!
2081                                          */
2082                                         sctp_ulp_notify(notification, *stcb, 0, NULL);
2083                                         return (m);
2084                               }
2085                               oso = (*inp_p)->sctp_socket;
2086                               SCTP_TCB_UNLOCK((*stcb));
2087                               so = sonewconn(oso, SS_ISCONNECTED);
2088                               SCTP_INP_WLOCK((*stcb)->sctp_ep);
2089                               SCTP_TCB_LOCK((*stcb));
2090                               SCTP_INP_WUNLOCK((*stcb)->sctp_ep);
2091                               if (so == NULL) {
2092                                         struct mbuf *op_err;
2093                                         /* Too many sockets */
2094 #ifdef SCTP_DEBUG
2095                                         if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
2096                                                   printf("process_cookie_new: no room for another socket!\n");
2097                                         }
2098 #endif /* SCTP_DEBUG */
2099                                         op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2100                                         sctp_abort_association(*inp_p, NULL, m, iphlen,
2101                                             sh, op_err);
2102                                         sctp_free_assoc(*inp_p, *stcb);
2103                                         return (NULL);
2104                               }
2105                               inp = (struct sctp_inpcb *)so->so_pcb;
2106                               inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2107                                   SCTP_PCB_FLAGS_CONNECTED |
2108                                   SCTP_PCB_FLAGS_IN_TCPPOOL |
2109                                   (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2110                                   SCTP_PCB_FLAGS_DONT_WAKE);
2111                               inp->sctp_socket = so;
2112 
2113                               /*
2114                                * Now we must move it from one hash table to another
2115                                * and get the tcb in the right place.
2116                                */
2117                               sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2118 
2119                               /* Switch over to the new guy */
2120                               *inp_p = inp;
2121 
2122                               sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp,
2123                                   *stcb, *netp);
2124 
2125                               sctp_ulp_notify(notification, *stcb, 0, NULL);
2126                               return (m);
2127                     }
2128           }
2129           if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
2130                     sctp_ulp_notify(notification, *stcb, 0, NULL);
2131           }
2132           return (m);
2133 }
2134 
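static void
sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	/*
	 * Handle a COOKIE-ACK for stcb, received on path net.
	 *
	 * Stops the COOKIE timer. If the association is still in
	 * COOKIE-ECHOED it is moved to OPEN (a pending SHUTDOWN is kept),
	 * the RTO of net is refreshed when no errors have been counted,
	 * the ULP is told the association is up, a TCP-style socket is
	 * marked connected, and the heartbeat, autoclose and ASCONF timers
	 * are started as applicable. In every state the old cookies are
	 * tossed and the send timer is restarted if data is outstanding.
	 *
	 * cp   - must not be read: some callers invoke this without an
	 *        actual COOKIE-ACK chunk.
	 * stcb - the association; NULL is ignored.
	 * net  - the path the ack arrived on; NULL is ignored. net is
	 *        dereferenced below (RTO update, hb_responded), so it needs
	 *        the same guard stcb already had.
	 */
	struct sctp_association *asoc;

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n");
	}
#endif
	if (stcb == NULL || net == NULL)
		return;

	asoc = &stcb->asoc;

	sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net);

	/* process according to association state */
	if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
		/* state change only needed when I am in right state */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
			printf("moving to OPEN state\n");
		}
#endif
		/* keep a SHUTDOWN requested while the handshake was in flight */
		if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
			asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
		} else {
			asoc->state = SCTP_STATE_OPEN;
		}

		/* update RTO from the handshake, but only if it went cleanly */
		if (asoc->overall_error_count == 0) {
			net->RTO = sctp_calculate_rto(stcb, asoc, net,
			    &asoc->time_entered);
		}
		SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
		sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL);
		if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
		    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
			stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
			soisconnected(stcb->sctp_ep->sctp_socket);
		}
		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
		    stcb, net);
		/* since we did not send a HB make sure we don't double things */
		net->hb_responded = 1;

		if (asoc->sctp_autoclose_ticks &&
		    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
			sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
			    stcb->sctp_ep, stcb, NULL);
		}

		/*
		 * set ASCONF timer if ASCONFs are pending and allowed
		 * (eg. addresses changed when init/cookie echo in flight)
		 */
		if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) &&
		    asoc->peer_supports_asconf &&
		    !TAILQ_EMPTY(&asoc->asconf_queue)) {
			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
			    stcb->sctp_ep, stcb,
			    asoc->primary_destination);
		}
	}
	/* Toss the cookie if I can */
	sctp_toss_old_cookies(asoc);
	if (!TAILQ_EMPTY(&asoc->sent_queue)) {
		/* Restart the timer if we have pending data */
		struct sctp_tmit_chunk *chk;

		chk = TAILQ_FIRST(&asoc->sent_queue);
		if (chk) {
			sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
			    stcb, chk->whoTo);
		}
	}
}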
2217 
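static void
sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
    struct sctp_tcb *stcb)
{
	/*
	 * Handle an inbound ECNE (ECN-Echo) chunk.
	 *
	 * Only a chunk of exactly sizeof(struct sctp_ecne_chunk) is accepted;
	 * anything else is dropped before cp->tsn is read. The ECN-nonce
	 * bookkeeping is reset (a resync is forced and the nonce sum check
	 * disabled), the path the echoed TSN was sent on is located (falling
	 * back to the primary destination), that path's cwnd is cut at most
	 * once per RTT (tracked through last_cwr_tsn), and a CWR is always
	 * sent back so a lost CWR is repeated.
	 *
	 * cp   - the ECNE chunk, fields in network byte order.
	 * stcb - the association the chunk belongs to; must be non-NULL.
	 */
	struct sctp_nets *net;
	struct sctp_tmit_chunk *lchk;
	u_int32_t tsn;

	if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
		return;
	}
	sctp_pegs[SCTP_ECNE_RCVD]++;
	tsn = ntohl(cp->tsn);

	/* ECN Nonce stuff: need a resync and disable the nonce sum check */
	/* Also we make sure we disable the nonce_wait */
	lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
	if (lchk == NULL) {
		stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
	} else {
		stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
	}
	stcb->asoc.nonce_wait_for_ecne = 0;
	stcb->asoc.nonce_sum_check = 0;

	/*
	 * Find where it was sent, if possible. The sent queue is walked in
	 * order and the scan stops once a TSN beyond the echoed one is seen.
	 * TSNs are 32-bit, so the wrap test must use MAX_TSN: the 16-bit
	 * MAX_SEQ that was used here misjudges the order whenever the two
	 * TSNs are more than ~32K apart, so the scan could end early or run
	 * past the match and the CWR/cwnd cut would land on the primary path
	 * instead of the one the TSN went out on (same constant as the
	 * last_cwr_tsn test below).
	 */
	net = NULL;
	TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) {
		if (lchk->rec.data.TSN_seq == tsn) {
			net = lchk->whoTo;
			break;
		}
		if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_TSN))
			break;
	}
	if (net == NULL) {
		/* default is we use the primary */
		net = stcb->asoc.primary_destination;
	}

	if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
#ifdef SCTP_CWND_LOGGING
		int old_cwnd = net->cwnd;
#endif
		sctp_pegs[SCTP_CWR_PERFO]++;
		net->ssthresh = net->cwnd / 2;
		if (net->ssthresh < net->mtu) {
			net->ssthresh = net->mtu;
			/*
			 * here back off the timer as well, to slow us down
			 * NOTE(review): no upper clamp is applied to RTO at
			 * this point; presumably bounded elsewhere - confirm.
			 */
			net->RTO <<= 2;
		}
		net->cwnd = net->ssthresh;
#ifdef SCTP_CWND_LOGGING
		sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT);
#endif
		/* we reduce once every RTT. So we will only lower
		 * cwnd at the next sending seq i.e. the resync_tsn.
		 */
		stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
	}
	/*
	 * We always send a CWR this way if our previous one was lost
	 * our peer will get an update, or if it is not time again
	 * to reduce we still get the cwr to the peer.
	 */
	sctp_send_cwr(stcb, net, tsn);
}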
2287 
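static void
sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
{
	/*
	 * Handle a CWR from the peer.
	 *
	 * The peer has reacted to an ECNE of ours, so look in the control
	 * send queue for the ECNE it covers (an ECNE whose TSN is at or
	 * before the CWR's TSN) and remove it so it is not retransmitted.
	 * Only ONE ECNE is ever on the control queue at any one time, so the
	 * first match is the only one and the scan stops there.
	 *
	 * cp   - the CWR chunk, fields in network byte order.
	 * stcb - the association the chunk belongs to; must be non-NULL.
	 */
	struct sctp_tmit_chunk *chk;
	struct sctp_ecne_chunk *ecne;
	u_int32_t cwr_tsn;

	/*
	 * A CWR is a fixed-size chunk. Refuse anything else before reading
	 * cp->tsn, mirroring the check sctp_handle_ecn_echo applies to an
	 * ECNE; the dispatcher may already enforce this, in which case the
	 * test is simply redundant.
	 */
	if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_cwr_chunk)) {
		return;
	}
	cwr_tsn = ntohl(cp->tsn);

	TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
		if (chk->rec.chunk_id != SCTP_ECN_ECHO) {
			continue;
		}
		ecne = mtod(chk->data, struct sctp_ecne_chunk *);
		/* covered when the ECNE TSN is <= the CWR TSN (with wrap) */
		if (compare_with_wrap(cwr_tsn, ntohl(ecne->tsn), MAX_TSN) ||
		    (cp->tsn == ecne->tsn)) {
			/* this covers this ECNE, we can remove it */
			TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
			    sctp_next);
			sctp_m_freem(chk->data);
			chk->data = NULL;
			stcb->asoc.ctrl_queue_cnt--;
			sctp_free_remote_addr(chk->whoTo);
			SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
			sctppcbinfo.ipi_count_chunk--;
			if ((int)sctppcbinfo.ipi_count_chunk < 0) {
				panic("Chunk count is negative");
			}
			sctppcbinfo.ipi_gencnt_chunk++;
			break;
		}
	}
}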
2327 
static void
sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	/*
	 * Handle an inbound SHUTDOWN-COMPLETE.
	 *
	 * Only meaningful while we sit in SHUTDOWN-ACK-SENT; in any other
	 * state the chunk is ignored. Otherwise the ULP is told the
	 * association is down, a TCP-style socket is disconnected with its
	 * send buffer accounting cleared, anything still queued outbound is
	 * reported, the shutdown timer is stopped and the TCB is freed.
	 *
	 * cp   - never read.
	 * stcb - the association; NULL is ignored.
	 * net  - the path the chunk arrived on; only handed to the timer stop.
	 */
	struct sctp_association *asoc;
	struct sctp_inpcb *inp;

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
		printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
	}
#endif
	if (stcb == NULL)
		return;

	asoc = &stcb->asoc;

	/* unexpected SHUTDOWN-COMPLETE... so ignore... */
	if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)
		return;

	/* notify upper layer protocol */
	sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);

	inp = stcb->sctp_ep;
	if (inp->sctp_flags &
	    (SCTP_PCB_FLAGS_TCPTYPE | SCTP_PCB_FLAGS_IN_TCPPOOL)) {
		/* TCP-style endpoint: drop the connected state on the socket */
		struct socket *so = inp->sctp_socket;

		inp->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
		so->so_snd.sb_cc = 0;
		so->so_snd.sb_mbcnt = 0;
		soisdisconnected(so);
	}

	/* are the queues empty? they should be */
	if (!TAILQ_EMPTY(&asoc->send_queue) ||
	    !TAILQ_EMPTY(&asoc->sent_queue) ||
	    !TAILQ_EMPTY(&asoc->out_wheel))
		sctp_report_all_outbound(stcb);

	/* stop the timer */
	sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, inp, stcb, net);
	/* free the TCB; stcb is gone after this call */
	sctp_free_assoc(inp, stcb);
}
2369 
2370 static int
process_chunk_drop(struct sctp_tcb * stcb,struct sctp_chunk_desc * desc,struct sctp_nets * net,u_int8_t flg)2371 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
2372     struct sctp_nets *net, u_int8_t flg)
2373 {
2374           switch (desc->chunk_type) {
2375           case SCTP_DATA:
2376                     /* find the tsn to resend (possibly */
2377           {
2378                     u_int32_t tsn;
2379                     struct sctp_tmit_chunk *tp1;
2380                     tsn = ntohl(desc->tsn_ifany);
2381                     tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2382                     while (tp1) {
2383                               if (tp1->rec.data.TSN_seq == tsn) {
2384                                         /* found it */
2385                                         break;
2386                               }
2387                               if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
2388                                                         MAX_TSN)) {
2389                                         /* not found */
2390                                         tp1 = NULL;
2391                                         break;
2392                               }
2393                               tp1 = TAILQ_NEXT(tp1, sctp_next);
2394                     }
2395                     if (tp1 == NULL) {
2396                               /* Do it the other way */
2397                               sctp_pegs[SCTP_PDRP_DNFND]++;
2398                               tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2399                               while (tp1) {
2400                                         if (tp1->rec.data.TSN_seq == tsn) {
2401                                                   /* found it */
2402                                                   break;
2403                                         }
2404                                         tp1 = TAILQ_NEXT(tp1, sctp_next);
2405                               }
2406                     }
2407                     if (tp1 == NULL) {
2408                               sctp_pegs[SCTP_PDRP_TSNNF]++;
2409                     }
2410                     if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
2411                               u_int8_t *ddp;
2412                               if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) &&
2413                                   ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
2414                                         sctp_pegs[SCTP_PDRP_DIWNP]++;
2415                                         return (0);
2416                               }
2417                               if (stcb->asoc.peers_rwnd == 0 &&
2418                                   (flg & SCTP_FROM_MIDDLE_BOX)) {
2419                                         sctp_pegs[SCTP_PDRP_DIZRW]++;
2420                                         return (0);
2421                               }
2422                               ddp = (u_int8_t *)(mtod(tp1->data, vaddr_t) +
2423                                   sizeof(struct sctp_data_chunk));
2424                               {
2425                                         unsigned int iii;
2426                                         for (iii = 0; iii < sizeof(desc->data_bytes);
2427                                             iii++) {
2428                                                   if (ddp[iii] != desc->data_bytes[iii]) {
2429                                                             sctp_pegs[SCTP_PDRP_BADD]++;
2430                                                             return (-1);
2431                                                   }
2432                                         }
2433                               }
2434                               if (tp1->sent != SCTP_DATAGRAM_RESEND) {
2435                                         stcb->asoc.sent_queue_retran_cnt++;
2436                               }
2437                               /* We zero out the nonce so resync not needed */
2438                               tp1->rec.data.ect_nonce = 0;
2439 
2440                               if (tp1->do_rtt) {
2441                                         /*
2442                                          * this guy had a RTO calculation pending on it,
2443                                          * cancel it
2444                                          */
2445                                         tp1->whoTo->rto_pending = 0;
2446                                         tp1->do_rtt = 0;
2447                               }
2448                               sctp_pegs[SCTP_PDRP_MARK]++;
2449                               tp1->sent = SCTP_DATAGRAM_RESEND;
2450                               /*
2451                                * mark it as if we were doing a FR, since we
2452                                * will be getting gap ack reports behind the
2453                                * info from the router.
2454                                */
2455                               tp1->rec.data.doing_fast_retransmit = 1;
2456                               /*
2457                                * mark the tsn with what sequences can cause a new FR.
2458                                */
2459                               if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) {
2460                                         tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
2461                               } else {
2462                                         tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
2463                               }
2464 
2465                               /* restart the timer */
2466                               sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2467                                   stcb, tp1->whoTo);
2468                               sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2469                                   stcb, tp1->whoTo);
2470 
2471                               /* fix counts and things */
2472                               sctp_flight_size_decrease(tp1);
2473                               sctp_total_flight_decrease(stcb, tp1);
2474                               tp1->snd_count--;
2475                     }
2476                     {
2477                               /* audit code */
2478                               unsigned int audit;
2479                               audit = 0;
2480                               TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
2481                                         if (tp1->sent == SCTP_DATAGRAM_RESEND)
2482                                                   audit++;
2483                               }
2484                               TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
2485                                   sctp_next) {
2486                                         if (tp1->sent == SCTP_DATAGRAM_RESEND)
2487                                                   audit++;
2488                               }
2489                               if (audit != stcb->asoc.sent_queue_retran_cnt) {
2490                                         printf("**Local Audit finds cnt:%d asoc cnt:%d\n",
2491                                             audit, stcb->asoc.sent_queue_retran_cnt);
2492 #ifndef SCTP_AUDITING_ENABLED
2493                                         stcb->asoc.sent_queue_retran_cnt = audit;
2494 #endif
2495                               }
2496                     }
2497           }
2498           break;
2499           case SCTP_ASCONF:
2500           {
2501                     struct sctp_tmit_chunk *asconf;
2502                     TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
2503                         sctp_next) {
2504                               if (asconf->rec.chunk_id == SCTP_ASCONF) {
2505                                         break;
2506                               }
2507                     }
2508                     if (asconf) {
2509                               if (asconf->sent != SCTP_DATAGRAM_RESEND)
2510                                         stcb->asoc.sent_queue_retran_cnt++;
2511                               asconf->sent = SCTP_DATAGRAM_RESEND;
2512                               asconf->snd_count--;
2513                     }
2514           }
2515           break;
2516           case SCTP_INITIATION:
2517                     /* resend the INIT */
2518                     stcb->asoc.dropped_special_cnt++;
2519                     if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
2520                               /*
2521                                * If we can get it in, in a few attempts we do this,
2522                                * otherwise we let the timer fire.
2523                                */
2524                               sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
2525                                   stcb, net);
2526                               sctp_send_initiate(stcb->sctp_ep, stcb);
2527                     }
2528                     break;
2529           case SCTP_SELECTIVE_ACK:
2530                     /* resend the sack */
2531                     sctp_send_sack(stcb);
2532                     break;
2533           case SCTP_HEARTBEAT_REQUEST:
2534                     /* resend a demand HB */
2535                     sctp_send_hb(stcb, 1, net);
2536                     break;
2537           case SCTP_SHUTDOWN:
2538 #ifdef SCTP_DEBUG
2539                     if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) {
2540                               printf("%s:%d sends a shutdown\n",
2541                                      __FILE__,
2542                                      __LINE__
2543                                         );
2544                     }
2545 #endif
2546                     sctp_send_shutdown(stcb, net);
2547                     break;
2548           case SCTP_SHUTDOWN_ACK:
2549                     sctp_send_shutdown_ack(stcb, net);
2550                     break;
2551           case SCTP_COOKIE_ECHO:
2552           {
2553                     struct sctp_tmit_chunk *cookie;
2554                     cookie = NULL;
2555                     TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
2556                         sctp_next) {
2557                               if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) {
2558                                         break;
2559                               }
2560                     }
2561                     if (cookie) {
2562                               if (cookie->sent != SCTP_DATAGRAM_RESEND)
2563                                         stcb->asoc.sent_queue_retran_cnt++;
2564                               cookie->sent = SCTP_DATAGRAM_RESEND;
2565                               sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net);
2566                     }
2567           }
2568           break;
2569           case SCTP_COOKIE_ACK:
2570                     sctp_send_cookie_ack(stcb);
2571                     break;
2572           case SCTP_ASCONF_ACK:
2573                     /* resend last asconf ack */
2574                     sctp_send_asconf_ack(stcb, 1);
2575                     break;
2576           case SCTP_FORWARD_CUM_TSN:
2577                     send_forward_tsn(stcb, &stcb->asoc);
2578                     break;
2579                     /* can't do anything with these */
2580           case SCTP_PACKET_DROPPED:
2581           case SCTP_INITIATION_ACK:     /* this should not happen */
2582           case SCTP_HEARTBEAT_ACK:
2583           case SCTP_ABORT_ASSOCIATION:
2584           case SCTP_OPERATION_ERROR:
2585           case SCTP_SHUTDOWN_COMPLETE:
2586           case SCTP_ECN_ECHO:
2587           case SCTP_ECN_CWR:
2588           default:
2589                     break;
2590           }
2591           return (0);
2592 }
2593 
/*
 * Reset our inbound side of the streams named by a STREAM_RESET
 * response, once the peer confirms the reset was performed.
 *
 * stcb           - association the response belongs to
 * resp           - the response parameter, still in network byte order
 * number_entries - entries in resp->list_of_streams; 0 means all streams
 *
 * The stream list is converted to host order in place and handed to the
 * ULP with the notification.
 */
static void
sctp_reset_in_stream(struct sctp_tcb *stcb,
    struct sctp_stream_reset_response *resp, int number_entries)
{
	struct sctp_association *asoc = &stcb->asoc;
	uint16_t *list = NULL;
	int i;

	/* Only a confirmed reset touches our state. */
	if ((resp->reset_flags & SCTP_RESET_PERFORMED) == 0)
		return;

	/*
	 * 0xffff marks "last delivered": the peer restarts at sequence 0
	 * after the reset, so 0 must be accepted as the next in order.
	 */
	if (number_entries == 0) {
		/* No explicit list: every inbound stream is reset. */
		for (i = 0; i < asoc->streamincnt; i++)
			asoc->strmin[i].last_sequence_delivered = 0xffff;
	} else {
		list = resp->list_of_streams;
		for (i = 0; i < number_entries; i++) {
			uint16_t strm = ntohs(list[i]);

			/* Convert in place: the ULP gets the host-order list. */
			list[i] = strm;
			if (strm >= asoc->streamincnt) {
				/* peer-supplied stream id out of range: skip it */
				printf("Invalid stream in-stream reset %d\n", list[i]);
				continue;
			}
			asoc->strmin[strm].last_sequence_delivered = 0xffff;
		}
	}
	sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list);
}
2626 
/*
 * Tell whether a queued STREAM_RESET chunk carries the outstanding
 * request, as opposed to a response we are sending.  Returns 1 for the
 * request, 0 otherwise; a parameter type that should never be on the
 * queue is logged and treated as "not the request".
 */
static int
sctp_strreset_queued_is_request(struct sctp_tmit_chunk *chk)
{
	struct sctp_stream_reset_req *strreq;

	strreq = mtod(chk->data, struct sctp_stream_reset_req *);
	if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) {
		/* we only clean up the request */
		return 0;
	}
	if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) {
		printf("TSNH, an unknown stream reset request is in queue %x\n",
		       (u_int)ntohs(strreq->sr_req.ph.param_type));
		return 0;
	}
	return 1;
}

/*
 * Remove the outstanding STREAM_RESET request from the control send
 * queue: stop its retransmit timer, drop the chunk and return it to the
 * chunk zone.  At most one request can be outstanding, so the walk ends
 * at the first match.
 */
static void
sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
{
	struct sctp_association *asoc = &stcb->asoc;
	struct sctp_tmit_chunk *chk, *next;

	for (chk = TAILQ_FIRST(&asoc->control_send_queue); chk != NULL; chk = next) {
		/* fetch the successor first: chk is freed below */
		next = TAILQ_NEXT(chk, sctp_next);
		if (chk->rec.chunk_id != SCTP_STREAM_RESET ||
		    !sctp_strreset_queued_is_request(chk))
			continue;

		sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
		TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
		sctp_m_freem(chk->data);
		chk->data = NULL;
		asoc->ctrl_queue_cnt--;
		sctp_free_remote_addr(chk->whoTo);
		SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
		sctppcbinfo.ipi_count_chunk--;
		if ((int)sctppcbinfo.ipi_count_chunk < 0)
			panic("Chunk count is negative");
		sctppcbinfo.ipi_gencnt_chunk++;
		/* only one request can be queued, so we are done */
		break;
	}
}
2668 
2669 
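/*
 * Process a STREAM_RESET response parameter received from the peer.
 *
 * stcb - association the response belongs to
 * resp - the response parameter, in network byte order; its length
 *        field is peer-supplied and is validated here before use
 *
 * A response whose sequence number matches our outstanding request
 * clears that request.  If everything up to reset_at_tsn has already
 * been delivered the inbound streams are reset now; otherwise a copy of
 * the response is parked in asoc.pending_reply until the data drains.
 * A malformed or stale response is ignored.
 */
void
sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
	struct sctp_stream_reset_response *resp)
{
	struct sctp_association *asoc = &stcb->asoc;
	uint32_t seq, tsn;
	int number_entries, param_length;

	param_length = ntohs(resp->ph.param_length);
	seq = ntohl(resp->reset_req_seq_resp);
	if (seq != asoc->str_reset_seq_out) {
		/* duplicate */
#ifdef SCTP_DEBUG
		printf("Duplicate old stream reset resp next:%x this one:%x\n",
		       asoc->str_reset_seq_out, seq);
#endif
		return;
	}
	/*
	 * The parameter length comes off the wire.  Anything shorter than
	 * the fixed response header cannot carry a stream list, and the
	 * unsigned subtraction below would otherwise wrap to a huge entry
	 * count that sctp_reset_in_stream() would then walk.
	 */
	if ((size_t)param_length < sizeof(struct sctp_stream_reset_response)) {
		return;
	}

	sctp_clean_up_stream_reset(stcb);
	asoc->str_reset_seq_out++;
	asoc->stream_reset_outstanding = 0;
	number_entries = (param_length - sizeof(struct sctp_stream_reset_response)) / sizeof(uint16_t);
	/* the reset applies to the TSN just before reset_at_tsn */
	tsn = ntohl(resp->reset_at_tsn) - 1;
	if ((tsn == asoc->cumulative_tsn) ||
	    (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) {
		/* no problem we are good to go */
		sctp_reset_in_stream(stcb, resp, number_entries);
		return;
	}

	/*
	 * So, we have a stream reset but there is pending data.  We need
	 * to copy out the stream_reset and then queue any data = or >
	 * resp->reset_at_tsn.
	 */
	if (asoc->pending_reply != NULL) {
		/*
		 * FIX ME FIX ME
		 * This IS WRONG.  We need to queue each of these up and
		 * only release the chunks for each reset that the cum-ack
		 * goes by.  This is a short cut.
		 */
		free(asoc->pending_reply, M_PCB);
		asoc->pending_reply = NULL;
	}
	asoc->pending_reply = malloc(param_length, M_PCB, M_NOWAIT);
	if (asoc->pending_reply == NULL) {
		/*
		 * M_NOWAIT may fail; drop this reply rather than copy
		 * through a NULL pointer.  The request has already been
		 * acknowledged above, so nothing is left outstanding.
		 */
		return;
	}
	memcpy(asoc->pending_reply, resp, param_length);
}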
2719 
2720 
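/*
 * Walk the parameters of a STREAM_RESET chunk and dispatch each one:
 * requests are answered by sctp_send_str_reset_ack(), responses go to
 * sctp_handle_stream_reset_response().  Unknown parameter types are
 * skipped.
 *
 * stcb   - association the chunk arrived on
 * sr_req - the chunk, in network byte order
 *
 * Every length used to advance through the chunk is peer-supplied and
 * is checked before it is trusted; the walk stops at the first
 * malformed parameter.
 */
static void
sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req)
{
	int chk_length, param_len;
	struct sctp_paramhdr *ph;
	/* now it may be a reset or a reset-response */
	struct sctp_stream_reset_request *req;
	struct sctp_stream_reset_response *resp;

	/*
	 * NOTE(review): chunk_length counts the chunk header as well (the
	 * header-size check in sctp_process_control relies on that), so
	 * chk_length overstates the parameter bytes by sizeof(sr_req->ch).
	 * The accounting is kept as is; the bound below is loose by that
	 * much, never past the mbuf data the caller validated.
	 */
	chk_length = ntohs(sr_req->ch.chunk_length);

	ph = (struct sctp_paramhdr *)&sr_req->sr_req;
	while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) {
		param_len = ntohs(ph->param_length);
		/*
		 * A parameter shorter than its own header would never
		 * advance this loop (SCTP_SIZE32(0) == 0), and one that
		 * claims to extend beyond the chunk would walk past it.
		 */
		if ((size_t)param_len < sizeof(struct sctp_paramhdr) ||
		    (size_t)SCTP_SIZE32(param_len) > (size_t)chk_length) {
			break;
		}
		if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) {
			/* this will send the ACK and do the reset if needed */
			req = (struct sctp_stream_reset_request *)ph;
			sctp_send_str_reset_ack(stcb, req);
		} else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) {
			/*
			 * Now here is a tricky one.  We reset our receive side
			 * of the streams.  But what happens if the peer's next
			 * sending TSN is NOT equal to 1 minus our cumack?  And
			 * if his cumack is not equal to our next one out - 1 we
			 * have another problem if this is reciprocal.
			 */
			resp = (struct sctp_stream_reset_response *)ph;
			sctp_handle_stream_reset_response(stcb, resp);
		}
		/* parameters are padded to a 4-byte boundary */
		ph = (struct sctp_paramhdr *)((vaddr_t)ph + SCTP_SIZE32(param_len));
		chk_length -= SCTP_SIZE32(param_len);
	}
}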
2752 
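/*
 * Apply the receiver-window report carried by a peer-originated
 * PACKET-DROPPED chunk.  Middle-box reports carry no rwnd and are only
 * counted.
 *
 * cp   - the PACKET-DROPPED chunk, in network byte order
 * stcb - association to update
 */
static void
sctp_pktdrop_update_rwnd(struct sctp_pktdrop_chunk *cp, struct sctp_tcb *stcb)
{
	u_int32_t bottle_bw, on_queue, a_rwnd;

	if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) {
		sctp_pegs[SCTP_PDRP_FMBOX]++;
		return;
	}
	/* From a peer, we get a rwnd report */
	sctp_pegs[SCTP_PDRP_FEHOS]++;

	bottle_bw = ntohl(cp->bottle_bw);
	on_queue = ntohl(cp->current_onq);
	if (bottle_bw == 0 || on_queue == 0)
		return;

	/* a rwnd report is in here */
	a_rwnd = (bottle_bw > on_queue) ? bottle_bw - on_queue : 0;
	if (a_rwnd == 0) {
		stcb->asoc.peers_rwnd = 0;
		return;
	}
	/* what the peer advertises, less what we already have in flight */
	if (a_rwnd > stcb->asoc.total_flight)
		stcb->asoc.peers_rwnd = a_rwnd - stcb->asoc.total_flight;
	else
		stcb->asoc.peers_rwnd = 0;
	if (stcb->asoc.peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
		/* SWS sender side engages */
		stcb->asoc.peers_rwnd = 0;
	}
}

/*
 * Walk the chunks of the dropped packet that were echoed back to us and
 * report each to process_chunk_drop().
 *
 * cp    - the PACKET-DROPPED chunk (flags and trunc_len are read)
 * stcb  - association the report is for
 * net   - destination the dropped packet was sent to
 * ch    - first echoed chunk header
 * chlen - bytes available from ch to the end of the echoed data
 *
 * Every length used here is peer-supplied and is checked against chlen
 * before it is trusted; the walk stops at the first short or corrupt
 * chunk.
 */
static void
sctp_pktdrop_walk_chunks(struct sctp_pktdrop_chunk *cp, struct sctp_tcb *stcb,
    struct sctp_nets *net, struct sctp_chunkhdr *ch, unsigned int chlen)
{
	struct sctp_chunk_desc desc;
	struct sctp_data_chunk *dcp;
	u_int16_t trunc_len;
	unsigned int at;

	memset(&desc, 0, sizeof(desc));
	trunc_len = (u_int16_t)ntohs(cp->trunc_len);
	while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
		desc.chunk_type = ch->chunk_type;
		/* get amount we need to move */
		at = ntohs(ch->chunk_length);
		if (at < sizeof(struct sctp_chunkhdr)) {
			/* corrupt chunk, maybe at the end? */
			sctp_pegs[SCTP_PDRP_CRUPT]++;
			break;
		}
		if (trunc_len == 0) {
			/* we are supposed to have all of it */
			if (at > chlen) {
				/* corrupt skip it */
				sctp_pegs[SCTP_PDRP_CRUPT]++;
				break;
			}
		} else if (desc.chunk_type == SCTP_DATA) {
			/* truncated: is there enough of it left? */
			if (chlen < (sizeof(struct sctp_data_chunk) +
			    sizeof(desc.data_bytes))) {
				break;
			}
		} else if (chlen < sizeof(struct sctp_chunkhdr)) {
			break;
		}
		if (desc.chunk_type == SCTP_DATA) {
			if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
				sctp_pegs[SCTP_PDRP_MB_DA]++;
			/*
			 * The copy below reads sizeof(desc.data_bytes) bytes
			 * past the DATA header, so that is the amount that
			 * must be present.
			 */
			if (chlen < (sizeof(struct sctp_data_chunk) +
			    sizeof(desc.data_bytes))) {
				/* nope we are done. */
				sctp_pegs[SCTP_PDRP_NEDAT]++;
				break;
			}
			dcp = (struct sctp_data_chunk *)ch;
			memcpy(desc.data_bytes, (u_int8_t *)(dcp + 1),
			    sizeof(desc.data_bytes));
			desc.tsn_ifany = dcp->dp.tsn;
		} else if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) {
			sctp_pegs[SCTP_PDRP_MB_CT]++;
		}

		if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
			sctp_pegs[SCTP_PDRP_PDBRK]++;
			break;
		}
		/* advance by the padded chunk length, if it fits */
		if (SCTP_SIZE32(at) > chlen) {
			break;
		}
		chlen -= SCTP_SIZE32(at);
		if (chlen < sizeof(struct sctp_chunkhdr)) {
			/* done, none left */
			break;
		}
		ch = (struct sctp_chunkhdr *)((vaddr_t)ch + SCTP_SIZE32(at));
	}
}

/*
 * Middle-box reports on satellite networks also carry a bandwidth
 * estimate; move cwnd toward the reported pipe size.  The caller skips
 * this while in T3 loss recovery, which owns cwnd until it exits.
 *
 * cp   - the PACKET-DROPPED chunk (bottle_bw and current_onq are read)
 * stcb - association being adjusted
 * net  - destination whose cwnd is adjusted
 */
static void
sctp_pktdrop_sat_cwnd(struct sctp_pktdrop_chunk *cp, struct sctp_tcb *stcb,
    struct sctp_nets *net)
{
	u_int32_t bottle_bw, on_queue, bw_avail;
	uint64_t bw_delay;
	int rtt, incr;
#ifdef SCTP_CWND_LOGGING
	int old_cwnd = net->cwnd;
#endif

	/* need real RTT for this calc */
	rtt = ((net->lastsa >> 2) + net->lastsv) >> 1;
	/* get bottle neck bw */
	bottle_bw = ntohl(cp->bottle_bw);
	/* and whats on queue */
	on_queue = ntohl(cp->current_onq);
	/*
	 * adjust the on-queue if our flight is more: it could be that the
	 * router has not yet gotten data "in-flight" to it
	 */
	if (on_queue < net->flight_size)
		on_queue = net->flight_size;

	/*
	 * calculate the available space (bandwidth * delay).  Both
	 * factors are 32-bit and bottle_bw is peer-supplied, so the
	 * product is formed in 64 bits and capped before it is narrowed.
	 */
	bw_delay = ((uint64_t)bottle_bw * (u_int32_t)rtt) / 1000;
	if (bw_delay > bottle_bw) {
		/*
		 * Cap the growth to no more than the bottle neck.  This can
		 * happen as RTT slides up due to queues.  It also means if
		 * you have more than a 1 second RTT with an empty queue you
		 * will be limited to the bottle_bw per second no matter if
		 * other points have 1/2 the RTT and you could get more out...
		 */
		bw_avail = bottle_bw;
	} else {
		bw_avail = (u_int32_t)bw_delay;
	}

	if (on_queue > bw_avail) {
		/*
		 * No room for anything else: don't allow anything else to
		 * be "added to the fire".
		 */
		int seg_inflight, seg_onqueue, my_portion;

		net->partial_bytes_acked = 0;

		/* how much are we over queue size? */
		incr = on_queue - bw_avail;
		if (stcb->asoc.seen_a_sack_this_pkt) {
			/* undo any cwnd adjustment the sack might have made */
			net->cwnd = net->prev_cwnd;
		}

		/* Now how much of that is mine? */
		seg_inflight = net->flight_size / net->mtu;
		seg_onqueue = on_queue / net->mtu;
		/*
		 * on_queue was raised to at least flight_size above, so
		 * seg_onqueue == 0 implies seg_inflight == 0 as well: none
		 * of the overage is ours.  The guard keeps a report smaller
		 * than one MTU from dividing by zero.
		 */
		my_portion = (seg_onqueue != 0) ?
		    (incr * seg_inflight) / seg_onqueue : 0;

		/* Have I made an adjustment already? */
		if (net->cwnd > net->flight_size) {
			/*
			 * for this flight I made an adjustment; decrease the
			 * portion by the share of our previous adjustment.
			 */
			int diff_adj;
			diff_adj = net->cwnd - net->flight_size;
			if (diff_adj > my_portion)
				my_portion = 0;
			else
				my_portion -= diff_adj;
		}

		/*
		 * back down to the previous cwnd (assume we have had a sack
		 * before this packet) minus whatever portion of the overage
		 * is my fault.
		 */
		net->cwnd -= my_portion;

		/* we will NOT back down more than 1 MTU */
		if (net->cwnd <= net->mtu) {
			net->cwnd = net->mtu;
		}
		/* force into CA */
		net->ssthresh = net->cwnd - 1;
	} else {
		/*
		 * Take 1/4 of the space left or max burst up .. whichever
		 * is less.
		 */
		incr = uimin((bw_avail - on_queue) >> 2,
		    (int)stcb->asoc.max_burst * (int)net->mtu);
		net->cwnd += incr;
	}
	if (net->cwnd > bw_avail) {
		/* We can't exceed the pipe size */
		net->cwnd = bw_avail;
	}
	if (net->cwnd < net->mtu) {
		/* We always have 1 MTU */
		net->cwnd = net->mtu;
	}
#ifdef SCTP_CWND_LOGGING
	if (net->cwnd - old_cwnd != 0) {
		/* log only changes */
		sctp_log_cwnd(net, (net->cwnd - old_cwnd),
		    SCTP_CWND_LOG_FROM_SAT);
	}
#endif
}

/*
 * Handle a router's or endpoint's report of a packet loss.  There are
 * two ways to handle this: either we get the whole packet and must
 * dissect it ourselves (possibly with truncation and/or corruption), or
 * it is a summary from a middle box that did the dissecting for us.
 *
 * cp   - the PACKET-DROPPED chunk, in network byte order
 * stcb - association the chunk arrived on
 * net  - destination the dropped packet was sent to
 *
 * The chunk's own length is validated before any field past the chunk
 * header is read; a chunk too short for its fixed part is counted as
 * corrupt and ignored.
 */
static void
sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	unsigned int chlen;
	struct sctp_chunkhdr *ch;

	chlen = ntohs(cp->ch.chunk_length);
	if (chlen < sizeof(struct sctp_pktdrop_chunk)) {
		/*
		 * Shorter than its own fixed header: bottle_bw, current_onq
		 * and trunc_len would lie outside the chunk.  Unsigned
		 * subtraction below would also wrap.
		 */
		sctp_pegs[SCTP_PDRP_CRUPT]++;
		return;
	}
	chlen -= sizeof(struct sctp_pktdrop_chunk);
	if (chlen == 0) {
		/* bandwidth report only, no echoed packet */
		ch = NULL;
		if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
			sctp_pegs[SCTP_PDRP_BWRPT]++;
	} else if (chlen < sizeof(struct sctphdr)) {
		/* trailing bytes too short to hold the dropped packet's SCTP header */
		sctp_pegs[SCTP_PDRP_CRUPT]++;
		ch = NULL;
	} else {
		ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
		chlen -= sizeof(struct sctphdr);
	}

	/* first update a rwnd possibly */
	sctp_pktdrop_update_rwnd(cp, stcb);

	/* now the chunks themselves */
	if (ch != NULL)
		sctp_pktdrop_walk_chunks(cp, stcb, net, ch, chlen);

	/*
	 * now middle boxes in sat networks get a cwnd bump.  This is
	 * debatable but for sat networks it makes sense.  Note if a T3
	 * timer has gone off, we prohibit any changes to cwnd until we
	 * exit the t3 loss recovery.
	 */
	if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
	    (stcb->asoc.sat_t3_loss_recovery == 0) &&
	    (stcb->asoc.sat_network)) {
		sctp_pktdrop_sat_cwnd(cp, stcb, net);
	}
}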
3008 
/*
 * Tunable defined in another file; presumably consulted by the
 * INIT handling further down in this file, though its use is not
 * visible in this excerpt.
 */
extern int sctp_strict_init;
3010 
3011 /*
3012  * handles all control chunks in a packet
3013  * inputs:
3014  * - m: mbuf chain, assumed to still contain IP/SCTP header
3015  * - stcb: is the tcb found for this packet
3016  * - offset: offset into the mbuf chain to first chunkhdr
3017  * - length: is the length of the complete packet
3018  * outputs:
3019  * - length: modified to remaining length after control processing
3020  * - netp: modified to new sctp_nets after cookie-echo processing
3021  * - return NULL to discard the packet (i.e. no asoc, bad packet, ...)
3022  *   otherwise return the tcb for this packet
3023  */
3024 static struct sctp_tcb *
sctp_process_control(struct mbuf * m,int iphlen,int * offset,int length,struct sctphdr * sh,struct sctp_chunkhdr * ch,struct sctp_inpcb * inp,struct sctp_tcb * stcb,struct sctp_nets ** netp,int * fwd_tsn_seen)3025 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
3026     struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
3027     struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen)
3028 {
3029           struct sctp_association *asoc;
3030           u_int32_t vtag_in;
3031           int num_chunks = 0; /* number of control chunks processed */
3032           int chk_length;
3033           int ret;
3034 
3035           /*
3036            * How big should this be, and should it be alloc'd?
3037            * Lets try the d-mtu-ceiling for now (2k) and that should
3038            * hopefully work ... until we get into jumbo grams and such..
3039            */
3040           u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER];
3041           struct sctp_tcb *locked_tcb = stcb;
3042 
3043 #ifdef SCTP_DEBUG
3044           if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3045                     printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
3046                            iphlen, *offset, length, stcb);
3047           }
3048 #endif /* SCTP_DEBUG */
3049 
3050           /* validate chunk header length... */
3051           if (ntohs(ch->chunk_length) < sizeof(*ch)) {
3052                     return (NULL);
3053           }
3054 
3055           /*
3056            * validate the verification tag
3057            */
3058 #ifdef SCTP_DEBUG
3059           if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3060                     printf("sctp_process_control: validating vtags\n");
3061           }
3062 #endif /* SCTP_DEBUG */
3063           vtag_in = ntohl(sh->v_tag);
3064           if (ch->chunk_type == SCTP_INITIATION) {
3065                     if (vtag_in != 0) {
3066                               /* protocol error- silently discard... */
3067 #ifdef SCTP_DEBUG
3068                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3069                                         printf("sctp_process_control: INIT with vtag != 0\n");
3070                               }
3071 #endif /* SCTP_DEBUG */
3072                               sctp_pegs[SCTP_BAD_VTAGS]++;
3073                               if (locked_tcb) {
3074                                         SCTP_TCB_UNLOCK(locked_tcb);
3075                               }
3076                               return (NULL);
3077                     }
3078           } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
3079                     /*
3080                      * first check if it's an ASCONF with an unknown src addr
3081                      * we need to look inside to find the association
3082                      */
3083                     if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
3084                               stcb = sctp_findassociation_ep_asconf(m, iphlen,
3085                                   *offset, sh, &inp, netp);
3086                     }
3087                     if (stcb == NULL) {
3088                               /* no association, so it's out of the blue... */
3089                               sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL);
3090 #ifdef SCTP_DEBUG
3091                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3092                                         printf("sctp_process_control: handling OOTB packet, chunk type=%xh\n",
3093                                                ch->chunk_type);
3094                               }
3095 #endif /* SCTP_DEBUG */
3096                               *offset = length;
3097                               if (locked_tcb) {
3098                                         SCTP_TCB_UNLOCK(locked_tcb);
3099                               }
3100                               return (NULL);
3101                     }
3102                     asoc = &stcb->asoc;
3103                     /* ABORT and SHUTDOWN can use either v_tag... */
3104                     if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
3105                         (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
3106                         (ch->chunk_type == SCTP_PACKET_DROPPED)) {
3107                               if ((vtag_in == asoc->my_vtag) ||
3108                                   ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
3109                                    (vtag_in == asoc->peer_vtag))) {
3110                                         /* this is valid */
3111                               } else {
3112                                         /* drop this packet... */
3113                                         sctp_pegs[SCTP_BAD_VTAGS]++;
3114                                         if (locked_tcb) {
3115                                                   SCTP_TCB_UNLOCK(locked_tcb);
3116                                         }
3117                                         return (NULL);
3118                               }
3119                     } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
3120                               if (vtag_in != asoc->my_vtag) {
3121                                         /*
3122                                          * this could be a stale SHUTDOWN-ACK or the
3123                                          * peer never got the SHUTDOWN-COMPLETE and
3124                                          * is still hung; we have started a new asoc
3125                                          * but it won't complete until the shutdown is
3126                                          * completed
3127                                          */
3128                                         if (locked_tcb) {
3129                                                   SCTP_TCB_UNLOCK(locked_tcb);
3130                                         }
3131                                         sctp_handle_ootb(m, iphlen, *offset, sh, inp,
3132                                             NULL);
3133                                         return (NULL);
3134                               }
3135                     } else {
3136                               /* for all other chunks, vtag must match */
3137 
3138                               if (vtag_in != asoc->my_vtag) {
3139                                         /* invalid vtag... */
3140 #ifdef SCTP_DEBUG
3141                                         if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3142                                                   printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag);
3143                                         }
3144 #endif /* SCTP_DEBUG */
3145                                         sctp_pegs[SCTP_BAD_VTAGS]++;
3146                                         if (locked_tcb) {
3147                                                   SCTP_TCB_UNLOCK(locked_tcb);
3148                                         }
3149                                         *offset = length;
3150                                         return (NULL);
3151                               }
3152                     }
3153           }  /* end if !SCTP_COOKIE_ECHO */
3154 
3155 #ifdef SCTP_DEBUG
3156           if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3157                     printf("sctp_process_control: vtags ok, processing ctrl chunks\n");
3158           }
3159 #endif /* SCTP_DEBUG */
3160 
3161           /*
3162            * process all control chunks...
3163            */
3164           if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
3165               (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
3166               (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
3167               /* implied cookie-ack.. we must have lost the ack */
3168               stcb->asoc.overall_error_count = 0;
3169               sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
3170           }
3171 
3172           while (IS_SCTP_CONTROL(ch)) {
3173                     /* validate chunk length */
3174                     chk_length = ntohs(ch->chunk_length);
3175 #ifdef SCTP_DEBUG
3176                     if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
3177                               printf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length);
3178                     }
3179 #endif /* SCTP_DEBUG */
3180                     if ((size_t)chk_length < sizeof(*ch) ||
3181                         (*offset + chk_length) > length) {
3182 #ifdef SCTP_DEBUG
3183                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3184                                         printf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n",
3185                                             *offset, chk_length, length);
3186                               }
3187 #endif /* SCTP_DEBUG */
3188                               *offset = length;
3189                               if (locked_tcb) {
3190                                         SCTP_TCB_UNLOCK(locked_tcb);
3191                               }
3192                               return (NULL);
3193                     }
3194 
3195                     /*
3196                      * INIT-ACK only gets the init ack "header" portion only
3197                      * because we don't have to process the peer's COOKIE.
3198                      * All others get a complete chunk.
3199                      */
3200                     if (ch->chunk_type == SCTP_INITIATION_ACK) {
3201                               /* get an init-ack chunk */
3202                               ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3203                                   sizeof(struct sctp_init_ack), chunk_buf);
3204                               if (ch == NULL) {
3205                                         *offset = length;
3206                                         if (locked_tcb) {
3207                                                   SCTP_TCB_UNLOCK(locked_tcb);
3208                                         }
3209                                         return (NULL);
3210                               }
3211                     } else {
3212                               /* get a complete chunk... */
3213                               if ((size_t)chk_length > sizeof(chunk_buf)) {
3214                                         struct mbuf *oper;
3215                                         struct sctp_paramhdr *phdr;
3216                                         oper = NULL;
3217                                         MGETHDR(oper, M_DONTWAIT, MT_HEADER);
3218                                         if (oper) {
3219                                                   /* pre-reserve some space */
3220                                                   oper->m_data +=
3221                                                       sizeof(struct sctp_chunkhdr);
3222                                                   phdr =
3223                                                       mtod(oper, struct sctp_paramhdr *);
3224                                                   phdr->param_type =
3225                                                       htons(SCTP_CAUSE_OUT_OF_RESC);
3226                                                   phdr->param_length =
3227                                                       htons(sizeof(struct sctp_paramhdr));
3228                                                   sctp_queue_op_err(stcb, oper);
3229                                         }
3230                                         if (locked_tcb) {
3231                                                   SCTP_TCB_UNLOCK(locked_tcb);
3232                                         }
3233                                         return (NULL);
3234                               }
3235                               ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3236                                   chk_length, chunk_buf);
3237                               if (ch == NULL) {
3238                                         printf("sctp_process_control: Can't get the all data....\n");
3239                                         *offset = length;
3240                                         if (locked_tcb) {
3241                                                   SCTP_TCB_UNLOCK(locked_tcb);
3242                                         }
3243                                         return (NULL);
3244                               }
3245 
3246                     }
3247                     num_chunks++;
3248                     /* Save off the last place we got a control from */
3249                     if ((*netp) && stcb) {
3250                               stcb->asoc.last_control_chunk_from = *netp;
3251                     }
3252 #ifdef SCTP_AUDITING_ENABLED
3253                     sctp_audit_log(0xB0, ch->chunk_type);
3254 #endif
3255                     switch (ch->chunk_type) {
3256                     case SCTP_INITIATION:
3257                               /* must be first and only chunk */
3258 #ifdef SCTP_DEBUG
3259                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3260                                         printf("SCTP_INIT\n");
3261                               }
3262 #endif /* SCTP_DEBUG */
3263                               if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3264                                         /* We are not interested anymore */
3265                                         if (locked_tcb) {
3266                                                   SCTP_TCB_UNLOCK(locked_tcb);
3267                                         }
3268                                         if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3269                                                   /* finish the job now */
3270                                                   sctp_inpcb_free(inp, 1);
3271                                         }
3272                                         *offset = length;
3273                                         return (NULL);
3274                               }
3275                               if ((num_chunks > 1) ||
3276                                   (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3277                                         *offset = length;
3278                                         if (locked_tcb) {
3279                                                   SCTP_TCB_UNLOCK(locked_tcb);
3280                                         }
3281                                         return (NULL);
3282                               }
3283                               if ((stcb != NULL) &&
3284                                   (SCTP_GET_STATE(&stcb->asoc) ==
3285                                   SCTP_STATE_SHUTDOWN_ACK_SENT)) {
3286                                         sctp_send_shutdown_ack(stcb,
3287                                             stcb->asoc.primary_destination);
3288                                         *offset = length;
3289                                         if (locked_tcb) {
3290                                                   SCTP_TCB_UNLOCK(locked_tcb);
3291                                         }
3292                                         return (NULL);
3293                               }
3294                               sctp_handle_init(m, iphlen, *offset, sh,
3295                                   (struct sctp_init_chunk *)ch, inp, stcb, *netp);
3296                               *offset = length;
3297                               if (locked_tcb) {
3298                                         SCTP_TCB_UNLOCK(locked_tcb);
3299                               }
3300                               return (NULL);
3301                               break;
3302                     case SCTP_INITIATION_ACK:
3303                               /* must be first and only chunk */
3304 #ifdef SCTP_DEBUG
3305                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3306                                         printf("SCTP_INIT-ACK\n");
3307                               }
3308 #endif /* SCTP_DEBUG */
3309                               if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3310                                         /* We are not interested anymore */
3311                                         if (locked_tcb) {
3312                                                   SCTP_TCB_UNLOCK(locked_tcb);
3313                                         }
3314                                         *offset = length;
3315                                         if (stcb) {
3316                                                   sctp_free_assoc(inp, stcb);
3317                                         } else {
3318                                                   if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3319                                                             /* finish the job now */
3320                                                             sctp_inpcb_free(inp, 1);
3321                                                   }
3322                                         }
3323                                         return (NULL);
3324                               }
3325                               if ((num_chunks > 1) ||
3326                                   (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3327 #ifdef SCTP_DEBUG
3328                                         if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3329                                                   printf("Length is %d rounded chk_length:%d .. dropping\n",
3330                                                       length - *offset,
3331                                                       SCTP_SIZE32(chk_length));
3332                                         }
3333 #endif
3334                                         *offset = length;
3335                                         if (locked_tcb) {
3336                                                   SCTP_TCB_UNLOCK(locked_tcb);
3337                                         }
3338                                         return (NULL);
3339                               }
3340                               ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
3341                                   (struct sctp_init_ack_chunk *)ch, stcb, *netp);
3342                               /*
3343                                * Special case, I must call the output routine
3344                                * to get the cookie echoed
3345                                */
3346                               if ((stcb) && ret == 0)
3347                                         sctp_chunk_output(stcb->sctp_ep, stcb, 2);
3348                               *offset = length;
3349 #ifdef SCTP_DEBUG
3350                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3351                                         printf("All done INIT-ACK processing\n");
3352                               }
3353 #endif
3354                               if (locked_tcb) {
3355                                         SCTP_TCB_UNLOCK(locked_tcb);
3356                               }
3357                               return (NULL);
3358                               break;
3359                     case SCTP_SELECTIVE_ACK:
3360 #ifdef SCTP_DEBUG
3361                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3362                                         printf("SCTP_SACK\n");
3363                               }
3364 #endif /* SCTP_DEBUG */
3365                               sctp_pegs[SCTP_PEG_SACKS_SEEN]++;
3366                               {
3367                                         int abort_now = 0;
3368                                         stcb->asoc.seen_a_sack_this_pkt = 1;
3369                                         sctp_handle_sack((struct sctp_sack_chunk *)ch,
3370                                             stcb, *netp, &abort_now);
3371                                         if (abort_now) {
3372                                                   /* ABORT signal from sack processing */
3373                                                   *offset = length;
3374                                                   return (NULL);
3375                                         }
3376                               }
3377                               break;
3378                     case SCTP_HEARTBEAT_REQUEST:
3379 #ifdef SCTP_DEBUG
3380                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3381                                         printf("SCTP_HEARTBEAT\n");
3382                               }
3383 #endif /* SCTP_DEBUG */
3384                               sctp_pegs[SCTP_HB_RECV]++;
3385                               sctp_send_heartbeat_ack(stcb, m, *offset, chk_length,
3386                                   *netp);
3387 
3388                               /* He's alive so give him credit */
3389                               stcb->asoc.overall_error_count = 0;
3390                               break;
3391                     case SCTP_HEARTBEAT_ACK:
3392 #ifdef SCTP_DEBUG
3393                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3394                                         printf("SCTP_HEARTBEAT-ACK\n");
3395                               }
3396 #endif /* SCTP_DEBUG */
3397 
3398                               /* He's alive so give him credit */
3399                               stcb->asoc.overall_error_count = 0;
3400 
3401                               sctp_pegs[SCTP_HB_ACK_RECV]++;
3402                               sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
3403                                   stcb, *netp);
3404                               break;
3405                     case SCTP_ABORT_ASSOCIATION:
3406 #ifdef SCTP_DEBUG
3407                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3408                                         printf("SCTP_ABORT\n");
3409                               }
3410 #endif /* SCTP_DEBUG */
3411                               sctp_handle_abort((struct sctp_abort_chunk *)ch,
3412                                   stcb, *netp);
3413                               *offset = length;
3414                               return (NULL);
3415                               break;
3416                     case SCTP_SHUTDOWN:
3417 #ifdef SCTP_DEBUG
3418                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3419                                         printf("SCTP_SHUTDOWN\n");
3420                               }
3421 #endif /* SCTP_DEBUG */
3422                        {
3423                                      int abort_flag = 0;
3424                                      sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
3425                                            stcb, *netp, &abort_flag);
3426                                      if (abort_flag) {
3427                                                *offset = length;
3428                                                return (NULL);
3429                                      }
3430                            }
3431                               break;
3432                     case SCTP_SHUTDOWN_ACK:
3433 #ifdef SCTP_DEBUG
3434                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3435                                         printf("SCTP_SHUTDOWN-ACK\n");
3436                               }
3437 #endif /* SCTP_DEBUG */
3438                               sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
3439                               *offset = length;
3440                               return (NULL);
3441                               break;
3442                     case SCTP_OPERATION_ERROR:
3443 #ifdef SCTP_DEBUG
3444                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3445                                         printf("SCTP_OP-ERR\n");
3446                               }
3447 #endif /* SCTP_DEBUG */
3448                               if (sctp_handle_error(ch, stcb, *netp) < 0) {
3449                                         *offset = length;
3450                                         return (NULL);
3451                               }
3452                               break;
3453                     case SCTP_COOKIE_ECHO:
3454 #ifdef SCTP_DEBUG
3455                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3456                                         printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb);
3457                               }
3458 #endif /* SCTP_DEBUG */
3459                               if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3460                                         /* We are not interested anymore */
3461                                         *offset = length;
3462                                         if (stcb) {
3463                                                   sctp_free_assoc(inp, stcb);
3464                                         } else {
3465                                                   if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3466                                                             /* finish the job now */
3467                                                             sctp_inpcb_free(inp, 1);
3468                                                   }
3469                                         }
3470                                         return (NULL);
3471                               }
3472                               /*
3473                                * First are we accepting?
3474                                * We do this again here since it is possible
3475                                * that a previous endpoint WAS listening responded to
3476                                * a INIT-ACK and then closed. We opened and bound..
3477                                * and are now no longer listening.
3478                                */
3479                               if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) ||
3480                                   (inp->sctp_socket->so_qlimit == 0)) {
3481                                         sctp_abort_association(inp, stcb, m, iphlen, sh,
3482                                             NULL);
3483                                         *offset = length;
3484                                         return (NULL);
3485                               } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) {
3486                                         /* we are accepting so check limits like TCP */
3487                                         if (inp->sctp_socket->so_qlen >
3488                                             inp->sctp_socket->so_qlimit) {
3489                                                   /* no space */
3490                                                   struct mbuf *oper;
3491                                                   struct sctp_paramhdr *phdr;
3492                                                   oper = NULL;
3493                                                   MGETHDR(oper, M_DONTWAIT, MT_HEADER);
3494                                                   if (oper) {
3495                                                             oper->m_len =
3496                                                                 oper->m_pkthdr.len =
3497                                                                 sizeof(struct sctp_paramhdr);
3498                                                             phdr = mtod(oper,
3499                                                                 struct sctp_paramhdr *);
3500                                                             phdr->param_type =
3501                                                                 htons(SCTP_CAUSE_OUT_OF_RESC);
3502                                                             phdr->param_length =
3503                                                                 htons(sizeof(struct sctp_paramhdr));
3504                                                   }
3505                                                   sctp_abort_association(inp, stcb, m,
3506                                                       iphlen, sh, oper);
3507                                                   *offset = length;
3508                                                   return (NULL);
3509                                         }
3510                               }
3511                               {
3512                                         struct mbuf *ret_buf;
3513                                         ret_buf = sctp_handle_cookie_echo(m, iphlen,
3514                                             *offset, sh,
3515                                             (struct sctp_cookie_echo_chunk *)ch, &inp,
3516                                             &stcb, netp);
3517 #ifdef SCTP_DEBUG
3518                                         if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3519                                                   printf("ret_buf:%p length:%d off:%d\n",
3520                                                       ret_buf, length, *offset);
3521                                         }
3522 #endif /* SCTP_DEBUG */
3523 
3524                                         if (ret_buf == NULL) {
3525                                                   if (locked_tcb) {
3526                                                             SCTP_TCB_UNLOCK(locked_tcb);
3527                                                   }
3528 #ifdef SCTP_DEBUG
3529                                                   if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3530                                                             printf("GAK, null buffer\n");
3531                                                   }
3532 #endif /* SCTP_DEBUG */
3533                                                   *offset = length;
3534                                                   return (NULL);
3535                                         }
3536                                         if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
3537                                                   /*
3538                                                    * Restart the timer if we have pending
3539                                                    * data
3540                                                    */
3541                                                   struct sctp_tmit_chunk *chk;
3542                                                   chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
3543                                                   if (chk) {
3544                                                             sctp_timer_start(SCTP_TIMER_TYPE_SEND,
3545                                                                 stcb->sctp_ep, stcb,
3546                                                                 chk->whoTo);
3547                                                   }
3548                                         }
3549                               }
3550                               break;
3551                     case SCTP_COOKIE_ACK:
3552 #ifdef SCTP_DEBUG
3553                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3554                                         printf("SCTP_COOKIE-ACK\n");
3555                               }
3556 #endif /* SCTP_DEBUG */
3557 
3558                               if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3559                                         /* We are not interested anymore */
3560                                         sctp_free_assoc(inp, stcb);
3561                                         *offset = length;
3562                                         return (NULL);
3563                               }
3564                               /* He's alive so give him credit */
3565                               stcb->asoc.overall_error_count = 0;
3566                               sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch,
3567                                   stcb, *netp);
3568                               break;
3569                     case SCTP_ECN_ECHO:
3570 #ifdef SCTP_DEBUG
3571                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3572                                         printf("SCTP_ECN-ECHO\n");
3573                               }
3574 #endif /* SCTP_DEBUG */
3575                               /* He's alive so give him credit */
3576                               stcb->asoc.overall_error_count = 0;
3577                               sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
3578                                   stcb);
3579                               break;
3580                     case SCTP_ECN_CWR:
3581 #ifdef SCTP_DEBUG
3582                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3583                                         printf("SCTP_ECN-CWR\n");
3584                               }
3585 #endif /* SCTP_DEBUG */
3586                               /* He's alive so give him credit */
3587                               stcb->asoc.overall_error_count = 0;
3588 
3589                               sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
3590                               break;
3591                     case SCTP_SHUTDOWN_COMPLETE:
3592 #ifdef SCTP_DEBUG
3593                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3594                                         printf("SCTP_SHUTDOWN-COMPLETE\n");
3595                               }
3596 #endif /* SCTP_DEBUG */
3597                               /* must be first and only chunk */
3598                               if ((num_chunks > 1) ||
3599                                   (length - *offset > SCTP_SIZE32(chk_length))) {
3600                                         *offset = length;
3601                                         if (locked_tcb) {
3602                                                   SCTP_TCB_UNLOCK(locked_tcb);
3603                                         }
3604                                         return (NULL);
3605                               }
3606                               sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
3607                                   stcb, *netp);
3608                               *offset = length;
3609                               return (NULL);
3610                               break;
3611                     case SCTP_ASCONF:
3612 #ifdef SCTP_DEBUG
3613                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3614                                         printf("SCTP_ASCONF\n");
3615                               }
3616 #endif /* SCTP_DEBUG */
3617                               /* He's alive so give him credit */
3618                               stcb->asoc.overall_error_count = 0;
3619 
3620                               sctp_handle_asconf(m, *offset,
3621                                   (struct sctp_asconf_chunk *)ch, stcb, *netp);
3622                               break;
3623                     case SCTP_ASCONF_ACK:
3624 #ifdef SCTP_DEBUG
3625                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3626                                         printf("SCTP_ASCONF-ACK\n");
3627                               }
3628 #endif /* SCTP_DEBUG */
3629                               /* He's alive so give him credit */
3630                               stcb->asoc.overall_error_count = 0;
3631 
3632                               sctp_handle_asconf_ack(m, *offset,
3633                                   (struct sctp_asconf_ack_chunk *)ch, stcb, *netp);
3634                               break;
3635                     case SCTP_FORWARD_CUM_TSN:
3636 #ifdef SCTP_DEBUG
3637                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3638                                         printf("SCTP_FWD-TSN\n");
3639                               }
3640 #endif /* SCTP_DEBUG */
3641                               /* He's alive so give him credit */
3642                         {
3643                                         int abort_flag = 0;
3644                                         stcb->asoc.overall_error_count = 0;
3645                                         *fwd_tsn_seen = 1;
3646                                         sctp_handle_forward_tsn(stcb,
3647                                             (struct sctp_forward_tsn_chunk *)ch, &abort_flag);
3648                                         if (abort_flag) {
3649                                                   *offset = length;
3650                                                   return (NULL);
3651                                         } else {
3652                                                   stcb->asoc.overall_error_count = 0;
3653                                         }
3654 
3655                         }
3656                               break;
3657                     case SCTP_STREAM_RESET:
3658 #ifdef SCTP_DEBUG
3659                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3660                                         printf("SCTP_STREAM_RESET\n");
3661                               }
3662 #endif /* SCTP_DEBUG */
3663                               ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3664                                   chk_length, chunk_buf);
3665                               if (stcb->asoc.peer_supports_strreset == 0) {
3666                                         /* hmm, peer should have annonced this, but
3667                                          * we will turn it on since he is sending us
3668                                          * a stream reset.
3669                                          */
3670                                         stcb->asoc.peer_supports_strreset = 1;
3671                               }
3672                               sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch);
3673                               break;
3674                     case SCTP_PACKET_DROPPED:
3675 #ifdef SCTP_DEBUG
3676                               if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3677                                         printf("SCTP_PACKET_DROPPED\n");
3678                               }
3679 #endif /* SCTP_DEBUG */
3680                               /* re-get it all please */
3681                               ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3682                                   chk_length, chunk_buf);
3683 
3684                               sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
3685                                   stcb, *netp);
3686 
3687 
3688                               break;
3689                     default:
3690                               /* it's an unknown chunk! */
3691                               if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
3692                                         struct mbuf *mm;
3693                                         struct sctp_paramhdr *phd;
3694                                         MGETHDR(mm, M_DONTWAIT, MT_HEADER);
3695                                         if (mm) {
3696                                                   phd = mtod(mm, struct sctp_paramhdr *);
3697                                                   /* We cheat and use param type since we
3698                                                    * did not bother to define a error
3699                                                    * cause struct.
3700                                                    * They are the same basic format with
3701                                                    * different names.
3702                                                    */
3703                                                   phd->param_type =
3704                                                       htons(SCTP_CAUSE_UNRECOG_CHUNK);
3705                                                   phd->param_length =
3706                                                       htons(chk_length + sizeof(*phd));
3707                                                   mm->m_len = sizeof(*phd);
3708                                                   mm->m_next = sctp_m_copym(m, *offset,
3709                                                       SCTP_SIZE32(chk_length),
3710                                                       M_DONTWAIT);
3711                                                   if (mm->m_next) {
3712                                                             mm->m_pkthdr.len =
3713                                                                 SCTP_SIZE32(chk_length) +
3714                                                                 sizeof(*phd);
3715                                                             sctp_queue_op_err(stcb, mm);
3716                                                   } else {
3717                                                             sctp_m_freem(mm);
3718 #ifdef SCTP_DEBUG
3719                                                             if (sctp_debug_on &
3720                                                                 SCTP_DEBUG_INPUT1) {
3721                                                                       printf("Gak can't copy the chunk into operr %d bytes\n",
3722                                                                           chk_length);
3723                                                             }
3724 #endif
3725                                                   }
3726                                         }
3727 #ifdef SCTP_DEBUG
3728                                         else {
3729                                                   if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3730                                                             printf("Gak can't mgethdr for op-err of unrec chunk\n");
3731                                                   }
3732                                         }
3733 #endif
3734                               }
3735                               if ((ch->chunk_type & 0x80) == 0) {
3736                                         /* discard this packet */
3737                                         *offset = length;
3738                                         return (stcb);
3739                               } /* else skip this bad chunk and continue... */
3740                               break;
3741                     } /* switch (ch->chunk_type) */
3742                     /* get the next chunk */
3743                     *offset += SCTP_SIZE32(chk_length);
3744                     if (*offset >= length) {
3745                               /* no more data left in the mbuf chain */
3746                               break;
3747                     }
3748                     ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3749                         sizeof(struct sctp_chunkhdr), chunk_buf);
3750                     if (ch == NULL) {
3751                               if (locked_tcb) {
3752                                         SCTP_TCB_UNLOCK(locked_tcb);
3753                               }
3754                               *offset = length;
3755                               return (NULL);
3756                     }
3757           } /* while */
3758           return (stcb);
3759 }
3760 
3761 
/*
 * Receive-side ECN bookkeeping, part 1 (before the DATA chunks are
 * processed).  Only the ECT0/ECT1/CE codepoints in ecn_bits matter here;
 * the caller already made sure ECN is enabled for the association and
 * that at least one ECT bit is set.
 *
 * CE:   nothing to account for at this point (part 2 reacts to it).
 * ECT1: bump the receiver nonce sum (masked to SCTP_SACK_NONCE_SUM),
 *       then drag last_echo_tsn forward.
 * ECT0: only drag last_echo_tsn forward; ECT0 does not feed the nonce.
 *
 * net is accepted for signature parity with part 2 and is not used.
 */
static void
sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
    u_int8_t ecn_bits)
{
	int ect1, ect0;

	/* CE (both bits set) is deliberately ignored here. */
	if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)
		return;

	ect1 = ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT);
	ect0 = ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT);
	if (!ect1 && !ect0)
		return;

	if (ect1) {
		/*
		 * ECN nonce: only ECT1 contributes to the receiver's nonce
		 * sum (we have no way to send ECT0-marked packets yet).
		 */
		stcb->asoc.receiver_nonce_sum++;
		stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
	}

	/*
	 * Common to ECT1 and ECT0: keep last_echo_tsn from falling more
	 * than 2^31 behind the cumulative TSN, which would break the
	 * wrap-aware comparison later on.
	 */
	if (compare_with_wrap(stcb->asoc.cumulative_tsn,
	    stcb->asoc.last_echo_tsn, MAX_TSN)) {
		stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
	}
}
3804 
/*
 * Receive-side ECN bookkeeping, part 2 (after the DATA chunks were
 * processed successfully).  If the packet carried the CE codepoint and
 * its highest TSN lies beyond the last one we echoed, queue an ECNE
 * chunk toward the peer and remember high_tsn as the new echo point.
 * The peer's CWR removes the queued ECNE again.
 */
static void
sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
    u_int32_t high_tsn, u_int8_t ecn_bits)
{
	/* Only a CE mark asks for a congestion notification. */
	if ((ecn_bits & SCTP_CE_BITS) != SCTP_CE_BITS)
		return;

	/* Already echoed up to (or past) this TSN: nothing to do. */
	if (!compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, MAX_TSN))
		return;

	sctp_send_ecn_echo(stcb, net, high_tsn);
	stcb->asoc.last_echo_tsn = high_tsn;
}
3824 
/*
 * common input chunk processing (v4 and v6)
 *
 * Entry point for one received SCTP packet once the caller has located
 * (or failed to locate) the endpoint and association.  Control chunks
 * are handed to sctp_process_control(), DATA chunks to
 * sctp_process_data(), and finally any queued output is triggered.
 *
 * Parameters:
 *   mm        in/out pointer to the packet mbuf chain; it is passed on
 *             to sctp_process_data() as a pointer, so the chain may be
 *             replaced there.
 *   iphlen    length of the IP header in front of the SCTP header.
 *   offset    byte offset of the first chunk header in the chain.
 *   length    end offset of the packet, measured the same way as offset.
 *   sh        common SCTP header (its v_tag is checked below).
 *   ch        first chunk header.
 *   inp       endpoint the packet was matched to.
 *   stcb      association, or NULL if none was found.  Arrives locked
 *             when non-NULL.
 *   net       peer address the packet came from.
 *   ecn_bits  the IP TOS byte as supplied by the caller; only the ECN
 *             bits are examined.
 *
 * Returns 1 when the packet was dropped (OOTB, v_tag mismatch, invalid
 * association state, or no association left after control processing)
 * and 0 otherwise, including the case where the association was aborted
 * and destroyed.  The visible caller, sctp_input(), ignores the value.
 *
 * Locking: every return path either unlocks stcb or leaves it untouched
 * because the association was destroyed by an abort.  When
 * sctp_process_control() returns NULL the stcb is taken to have been
 * unlocked by it already.
 *
 * NOTE(review): nothing in this function touches inp's ref-count; the
 * caller's comment that the ref-count is "reduced" by this call looks
 * stale - confirm before relying on it.
 */
int
sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
    int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
    struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
    u_int8_t ecn_bits)
{
	/*
	 * Control chunk processing
	 */
	u_int32_t high_tsn;	/* highest TSN reported by sctp_process_data() */
	int fwd_tsn_seen = 0, data_processed = 0;
	struct mbuf *m = *mm;
	int abort_flag = 0;

	sctp_pegs[SCTP_DATAGRAMS_RCVD]++;
#ifdef SCTP_AUDITING_ENABLED
	sctp_audit_log(0xE0, 1);
	sctp_auditing(0, inp, stcb, net);
#endif

#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d\n",
		       m, iphlen, offset, length);
	}
#endif /* SCTP_DEBUG */
	if (IS_SCTP_CONTROL(ch)) {
		/* process the control portion of the SCTP packet */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("Processing control\n");
		}
#endif /* SCTP_DEBUG */

		/*
		 * Returns the association to continue with (NULL means
		 * drop the packet), updates offset and net, and sets
		 * fwd_tsn_seen when a FORWARD-TSN chunk was handled.
		 */
		stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
		    inp, stcb, &net, &fwd_tsn_seen);
	} else {
		/*
		 * no control chunks, so pre-process DATA chunks
		 * (these checks are taken care of by control processing)
		 */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("No control present\n");
		}
#endif /* SCTP_DEBUG */

		if (stcb == NULL) {
			/* out of the blue DATA chunk */
			sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
			return (1);
		}
		/*
		 * The verification tag is the only check a bare DATA
		 * packet gets in this function before its chunks are
		 * processed, so a mismatch is dropped unconditionally.
		 */
		if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
			/* v_tag mismatch! */
			sctp_pegs[SCTP_BAD_VTAGS]++;
			SCTP_TCB_UNLOCK(stcb);
			return (1);
		}
	}
	if (stcb == NULL) {
		/*
		 * no valid TCB for this packet,
		 * or we found it's a bad packet while processing control,
		 * or we're done with this packet (done or skip rest of data),
		 * so we drop it...
		 */
		return (1);
	}
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		printf("Ok, control finished time to look for data (%d) offset:%d\n",
		       length, offset);
	}
#endif /* SCTP_DEBUG */
	/*
	 * DATA chunk processing
	 */
	/* plow through the data chunks while length > offset */
	stcb->asoc.seen_a_sack_this_pkt = 0;

	if (length > offset) {
		int retval;
		/*
		 * First check to make sure our state is correct.
		 * We would not get here unless we really did have a
		 * tag, so we don't abort if this happens, just
		 * dump the chunk silently.
		 */
		switch (SCTP_GET_STATE(&stcb->asoc)) {
		case SCTP_STATE_COOKIE_ECHOED:
			/*
			 * we consider data with valid tags in
			 * this state shows us the cookie-ack was lost.
			 * Imply it was there.
			 *
			 * NOTE(review): ch is whatever chunk header the
			 * caller passed in (a DATA chunk on this path),
			 * merely cast to a cookie-ack; presumably the
			 * handler only needs stcb/net - confirm.
			 */
			stcb->asoc.overall_error_count = 0;
			sctp_handle_cookie_ack(
			    (struct sctp_cookie_ack_chunk *)ch, stcb, net);
			break;
		case SCTP_STATE_COOKIE_WAIT:
			/*
			 * We consider OOTB any data sent during asoc setup.
			 */
			sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
			SCTP_TCB_UNLOCK(stcb);
			return (1);
			break;	/* unreachable, kept for symmetry */
		case SCTP_STATE_EMPTY:	/* should not happen */
		case SCTP_STATE_INUSE:	/* should not happen */
		case SCTP_STATE_SHUTDOWN_RECEIVED:  /* This is a peer error */
		case SCTP_STATE_SHUTDOWN_ACK_SENT:
		default:
#ifdef SCTP_DEBUG
			if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
				printf("Got data in invalid state %d.. dropping\n", stcb->asoc.state);
			}
#endif
			SCTP_TCB_UNLOCK(stcb);
			return (1);
			break;	/* unreachable, kept for symmetry */
		case SCTP_STATE_OPEN:
		case SCTP_STATE_SHUTDOWN_SENT:
			break;
		}
		/* take care of ECN, part 1. */
		if (stcb->asoc.ecn_allowed &&
		    (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) {
			sctp_process_ecn_marked_a(stcb, net, ecn_bits);
		}
		/* plow through the data chunks while length > offset */
		retval = sctp_process_data(mm, iphlen, &offset, length, sh,
		    inp, stcb, net, &high_tsn);
		if (retval == 2) {
			/* The association aborted, NO UNLOCK needed
			 * since the association is destroyed.
			 */
			return (0);
		}

		data_processed = 1;
		if (retval == 0) {
			/*
			 * take care of ecn part 2: only on a clean run of
			 * sctp_process_data(), since high_tsn is only
			 * meaningful then.
			 */
			if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) {
				sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits);

			}
		}

		/*
		 * Anything important needs to have been m_copy'ed in
		 * process_data
		 */
	}
	/*
	 * A FORWARD-TSN without accompanying DATA still moves the
	 * cumulative ack point, so a SACK check is forced here.
	 */
	if ((data_processed == 0) && (fwd_tsn_seen)) {
		int was_a_gap = 0;
		if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
					stcb->asoc.cumulative_tsn, MAX_TSN)) {
			/* there was a gap before this data was processed */
			was_a_gap = 1;
		}
		sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
		if (abort_flag) {
			/* Again, we aborted so NO UNLOCK needed */
			return (0);
		}
	}
	/* trigger send of any chunks in queue... */
#ifdef SCTP_AUDITING_ENABLED
	sctp_audit_log(0xE0, 2);
	sctp_auditing(1, inp, stcb, net);
#endif
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		printf("Check for chunk output prw:%d tqe:%d tf=%d\n",
		       stcb->asoc.peers_rwnd,
		       TAILQ_EMPTY(&stcb->asoc.control_send_queue),
		       stcb->asoc.total_flight);
	}
#endif
	/*
	 * Output is attempted when the peer has window, when control
	 * chunks are queued, or when there is nothing in flight at all
	 * (zero-window probing).
	 */
	if (stcb->asoc.peers_rwnd > 0 ||
	    !TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
	    (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) {
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
			printf("Calling chunk OUTPUT\n");
		}
#endif
		sctp_chunk_output(inp, stcb, 3);
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
			printf("chunk OUTPUT returns\n");
		}
#endif
	}

#ifdef SCTP_AUDITING_ENABLED
	sctp_audit_log(0xE0, 3);
	sctp_auditing(2, inp, stcb, net);
#endif
	SCTP_TCB_UNLOCK(stcb);
	return (0);
}
4030 
#if defined(__OpenBSD__)
/*
 * OpenBSD-only helper: when the endpoint asked for IP_RECVDSTADDR,
 * build the matching control mbuf carrying the packet's destination
 * address and store it in *mp (NULL on allocation failure).
 * The m parameter is unused.
 */
static void
sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip,
    struct mbuf *m)
{
	if ((inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) == 0)
		return;

	*mp = sbcreatecontrol((vaddr_t) &ip->ip_dst,
	    sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
	/*
	 * Advance the local cursor as the ip_savecontrol idiom does; with
	 * a single option this has no further effect.
	 */
	if (*mp != NULL)
		mp = &(*mp)->m_next;
}
#endif
4044 
/*
 * Sysctl knob consulted by sctp_input(): when non-zero, packets that
 * arrive over an IFT_LOOP interface skip SCTP checksum validation, and
 * so does a packet with a zero wire checksum whose source address equals
 * its destination address.  Defined elsewhere.
 */
extern int sctp_no_csum_on_loopback;
4046 
/*
 * IPv4 protocol input routine for SCTP.
 *
 * m      received packet, IP header first.  Consumed on every path,
 *        including the error exit, via sctp_m_freem().
 * off    IP header length as handed up by the IP layer; used as iphlen.
 * proto  protocol number; unused here.
 *
 * Validation order: IP options, header pull-up, multicast/broadcast
 * destination, zero destination port, SCTP checksum, mbuf length versus
 * ip_len, then the endpoint/association lookup.  A packet for a port
 * with no endpoint is answered with an ABORT (rate limited when
 * ICMP_BANDLIM is configured).
 */
void
sctp_input(struct mbuf *m, int off, int proto)
{
	int iphlen;
	u_int8_t ecn_bits;
	struct ip *ip;
	struct sctphdr *sh;
	struct sctp_inpcb *inp = NULL;
	struct mbuf *opts = 0;	/* control data built by ip_savecontrol() */
/*#ifdef INET6*/
/* Don't think this is needed */
/*	struct ip6_recvpktopts opts6;*/
/*#endif INET6 */

	u_int32_t check, calc_check;
	struct sctp_nets *net;
	struct sctp_tcb *stcb = NULL;
	struct sctp_chunkhdr *ch;
	int refcount_up = 0;	/* set when we hold an inp ref that we must drop */
	int length, mlen, offset;

	iphlen = off;

	net = NULL;
	sctp_pegs[SCTP_INPKTS]++;
#ifdef SCTP_DEBUG
	/* Note: the usual debug-level test is commented out, so this
	 * prints for every packet in a SCTP_DEBUG kernel. */
	/*if (sctp_debug_on & SCTP_DEBUG_INPUT1) {*/
		printf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len);
	/*}*/
#endif
/*#ifdef INET6*/
/* Don't think this is needed */
/*	bzero(&opts6, sizeof(opts6));*/
/*#endif INET6 */

	/*
	 * Strip IP options, we don't allow any in or out.
	 *
	 * NOTE(review): the actual strip (ip_stripoptions) is compiled
	 * out below, yet iphlen is still reset to sizeof(struct ip).  If
	 * options are still present at this point, sh and ch are then
	 * taken from inside the option bytes rather than from the real
	 * SCTP header - confirm whether the IP layer already removed
	 * them before this routine runs.
	 */
	if ((size_t)iphlen > sizeof(struct ip)) {
		printf("sctp_input: got options\n");
#if 0				/* XXX */
		ip_stripoptions(m, (struct mbuf *)0);
#endif
		iphlen = sizeof(struct ip);
	}

	/*
	 * Get IP, SCTP, and first chunk header together in first mbuf.
	 */
	ip = mtod(m, struct ip *);
	/* offset temporarily points just past the first chunk header */
	offset = iphlen + sizeof(*sh) + sizeof(*ch);
	if (m->m_len < offset) {
		/* m_pullup frees the chain on failure */
		if ((m = m_pullup(m, offset)) == 0) {
			sctp_pegs[SCTP_HDR_DROPS]++;
			return;
		}
		ip = mtod(m, struct ip *);
	}
	sh = (struct sctphdr *)((vaddr_t)ip + iphlen);
	ch = (struct sctp_chunkhdr *)((vaddr_t)sh + sizeof(*sh));

	/* SCTP does not allow broadcasts or multicasts */
	if (IN_MULTICAST(ip->ip_dst.s_addr))
	{
		sctp_pegs[SCTP_IN_MCAST]++;
		goto bad;
	}
	/* broadcasts are counted under the same peg as multicasts */
	if (in_broadcast(ip->ip_dst, m_get_rcvif_NOMPSAFE(m))) {
		sctp_pegs[SCTP_IN_MCAST]++;
		goto bad;
	}

	/* destination port of 0 is illegal, based on RFC2960. */
	if (sh->dest_port == 0) {
		sctp_pegs[SCTP_HDR_DROPS]++;
		goto bad;
	}

	/* validate SCTP checksum */
	if ((sctp_no_csum_on_loopback == 0) ||
	    (m_get_rcvif_NOMPSAFE(m) == NULL) ||
	    (m_get_rcvif_NOMPSAFE(m)->if_type != IFT_LOOP)) {
		/* we do NOT validate things from the loopback if the
		 * sysctl is set to 1.
		 */
		check = sh->checksum;		/* save incoming checksum */
		if ((check == 0) && (sctp_no_csum_on_loopback)) {
			/* special hook for where we got a local address
			 * somehow routed across a non IFT_LOOP type interface
			 */
			if (ip->ip_src.s_addr == ip->ip_dst.s_addr)
				goto sctp_skip_csum_4;
		}
		sh->checksum = 0;		/* prepare for calc */
		/* also yields mlen, the SCTP payload length it summed over */
		calc_check = sctp_calculate_sum(m, &mlen, iphlen);
		if (calc_check != check) {
#ifdef SCTP_DEBUG
			if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
				printf("Bad CSUM on SCTP packet calc_check:%x check:%x  m:%p mlen:%d iphlen:%d\n",
				       calc_check, check, m, mlen, iphlen);
			}
#endif

			/*
			 * Look the association up anyway so a PACKET-
			 * DROPPED report can be sent back to a known peer.
			 * refcount_up follows the same rule as the main
			 * lookup below: only when inp was found but no
			 * stcb.
			 */
			stcb = sctp_findassociation_addr(m, iphlen,
							 offset - sizeof(*ch),
							 sh, ch, &inp, &net);
			if ((inp) && (stcb)) {
				sctp_send_packet_dropped(stcb, net, m, iphlen,
							 1);
				sctp_chunk_output(inp, stcb, 2);
			} else if ((inp != NULL) && (stcb == NULL)) {
				refcount_up = 1;
			}
			sctp_pegs[SCTP_BAD_CSUM]++;
			goto bad;
		}
		/* restore the (now verified) checksum in the header */
		sh->checksum = calc_check;
	} else {
	sctp_skip_csum_4:
		mlen = m->m_pkthdr.len;
	}
	/* validate mbuf chain length with IP payload length */
#if defined(__NetBSD__) || defined(__OpenBSD__)
	/* Open BSD gives us the len in network order, fix it */
	/* in-place: ip->ip_len is in host order from here on */
	NTOHS(ip->ip_len);
#endif
	if (mlen < (ip->ip_len - iphlen)) {
		sctp_pegs[SCTP_HDR_DROPS]++;
		goto bad;
	}

	/*
	 * Locate pcb and tcb for datagram
	 * sctp_findassociation_addr() wants IP/SCTP/first chunk header...
	 */
#ifdef SCTP_DEBUG
	if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
		printf("V4 find association\n");
	}
#endif

	stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
	    sh, ch, &inp, &net);
	/* inp's ref-count increased && stcb locked */
	if (inp == NULL) {
		struct sctp_init_chunk *init_chk, chunk_buf;

		sctp_pegs[SCTP_NOPORTS]++;
#ifdef ICMP_BANDLIM
		/*
		 * we use the bandwidth limiting to protect against
		 * sending too many ABORTS all at once. In this case
		 * these count the same as an ICMP message.
		 */
		if (badport_bandlim(0) < 0)
			goto bad;
#endif /* ICMP_BANDLIM */
#ifdef SCTP_DEBUG
		if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
			printf("Sending a ABORT from packet entry!\n");
		}
#endif
		if (ch->chunk_type == SCTP_INITIATION) {
			/* we do a trick here to get the INIT tag,
			 * dig in and get the tag from the INIT and
			 * put it in the common header.
			 * (OOTB response to an INIT must carry the
			 * initiate tag as its verification tag.)
			 */
			init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
			    iphlen + sizeof(*sh), sizeof(*init_chk),
			    (u_int8_t *)&chunk_buf);
			if (init_chk != NULL)
				sh->v_tag = init_chk->init.initiate_tag;
		}
		sctp_send_abort(m, iphlen, sh, 0, NULL);
		goto bad;
	} else if (stcb == NULL) {
		refcount_up = 1;
	}
#ifdef IPSEC
	/*
	 * I very much doubt any of the IPSEC stuff will work but I have
	 * no idea, so I will leave it in place.
	 */
	if (ipsec_used && ipsec_in_reject(m, (struct inpcb *)inp)) {
#if 0
		ipsecstat.in_polvio++;
#endif
		sctp_pegs[SCTP_HDR_DROPS]++;
		goto bad;
	}
#endif /* IPSEC */

	/*
	 * Construct sockaddr format source address.
	 * Stuff source address and datagram in user buffer.
	 */
	if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS)
	    || (inp->sctp_socket->so_options & SO_TIMESTAMP)
		) {
		ip_savecontrol((struct inpcb *)inp, &opts, ip, m);
	}

	/*
	 * common chunk processing
	 *
	 * length is an end offset measured from the start of the IP
	 * header: the SCTP bytes (ip_len minus the real header length
	 * from ip_hl) plus iphlen, matching how offset is measured.
	 */
	length = ip->ip_len - (ip->ip_hl << 2) + iphlen;
	/* back up to the first chunk header */
	offset -= sizeof(struct sctp_chunkhdr);

	/* whole TOS byte; the ECN helpers mask out the bits they need */
	ecn_bits = ip->ip_tos;
	sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
	    inp, stcb, net, ecn_bits);
	/* inp's ref-count reduced && stcb unlocked */
	sctp_m_freem(m);
	sctp_m_freem(opts);

	if ((inp) && (refcount_up)) {
		/* reduce ref-count */
		SCTP_INP_WLOCK(inp);
		SCTP_INP_DECR_REF(inp);
		SCTP_INP_WUNLOCK(inp);
	}

	return;
bad:
	/*
	 * Error exit: release whatever the lookups handed us (stcb lock,
	 * inp reference) and free the packet plus any control data.
	 */
	if (stcb) {
		SCTP_TCB_UNLOCK(stcb);
	}

	if ((inp) && (refcount_up)) {
		/* reduce ref-count */
		SCTP_INP_WLOCK(inp);
		SCTP_INP_DECR_REF(inp);
		SCTP_INP_WUNLOCK(inp);
	}

	sctp_m_freem(m);
	sctp_m_freem(opts);
	return;
}
4286