1/*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
5 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
6 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
10 *
11 * a) Redistributions of source code must retain the above copyright notice,
12 *    this list of conditions and the following disclaimer.
13 *
14 * b) Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in
16 *    the documentation and/or other materials provided with the distribution.
17 *
18 * c) Neither the name of Cisco Systems, Inc. nor the names of its
19 *    contributors may be used to endorse or promote products derived
20 *    from this software without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
26 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
32 * THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35#include <netinet/sctp_os.h>
36#include <sys/proc.h>
37#include <netinet/sctp_var.h>
38#include <netinet/sctp_sysctl.h>
39#include <netinet/sctp_header.h>
40#include <netinet/sctp_pcb.h>
41#include <netinet/sctputil.h>
42#include <netinet/sctp_output.h>
43#include <netinet/sctp_uio.h>
44#include <netinet/sctputil.h>
45#include <netinet/sctp_auth.h>
46#include <netinet/sctp_timer.h>
47#include <netinet/sctp_asconf.h>
48#include <netinet/sctp_indata.h>
49#include <netinet/sctp_bsd_addr.h>
50#include <netinet/sctp_input.h>
51#include <netinet/sctp_crc32.h>
52#include <netinet/sctp_kdtrace.h>
53#if defined(INET) || defined(INET6)
54#include <netinet/udp.h>
55#endif
56#include <netinet/udp_var.h>
57#include <machine/in_cksum.h>
58
59#define SCTP_MAX_GAPS_INARRAY 4
60struct sack_track {
61	uint8_t right_edge;	/* mergable on the right edge */
62	uint8_t left_edge;	/* mergable on the left edge */
63	uint8_t num_entries;
64	uint8_t spare;
65	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
66};
67
68const struct sack_track sack_array[256] = {
69	{0, 0, 0, 0,		/* 0x00 */
70		{{0, 0},
71		{0, 0},
72		{0, 0},
73		{0, 0}
74		}
75	},
76	{1, 0, 1, 0,		/* 0x01 */
77		{{0, 0},
78		{0, 0},
79		{0, 0},
80		{0, 0}
81		}
82	},
83	{0, 0, 1, 0,		/* 0x02 */
84		{{1, 1},
85		{0, 0},
86		{0, 0},
87		{0, 0}
88		}
89	},
90	{1, 0, 1, 0,		/* 0x03 */
91		{{0, 1},
92		{0, 0},
93		{0, 0},
94		{0, 0}
95		}
96	},
97	{0, 0, 1, 0,		/* 0x04 */
98		{{2, 2},
99		{0, 0},
100		{0, 0},
101		{0, 0}
102		}
103	},
104	{1, 0, 2, 0,		/* 0x05 */
105		{{0, 0},
106		{2, 2},
107		{0, 0},
108		{0, 0}
109		}
110	},
111	{0, 0, 1, 0,		/* 0x06 */
112		{{1, 2},
113		{0, 0},
114		{0, 0},
115		{0, 0}
116		}
117	},
118	{1, 0, 1, 0,		/* 0x07 */
119		{{0, 2},
120		{0, 0},
121		{0, 0},
122		{0, 0}
123		}
124	},
125	{0, 0, 1, 0,		/* 0x08 */
126		{{3, 3},
127		{0, 0},
128		{0, 0},
129		{0, 0}
130		}
131	},
132	{1, 0, 2, 0,		/* 0x09 */
133		{{0, 0},
134		{3, 3},
135		{0, 0},
136		{0, 0}
137		}
138	},
139	{0, 0, 2, 0,		/* 0x0a */
140		{{1, 1},
141		{3, 3},
142		{0, 0},
143		{0, 0}
144		}
145	},
146	{1, 0, 2, 0,		/* 0x0b */
147		{{0, 1},
148		{3, 3},
149		{0, 0},
150		{0, 0}
151		}
152	},
153	{0, 0, 1, 0,		/* 0x0c */
154		{{2, 3},
155		{0, 0},
156		{0, 0},
157		{0, 0}
158		}
159	},
160	{1, 0, 2, 0,		/* 0x0d */
161		{{0, 0},
162		{2, 3},
163		{0, 0},
164		{0, 0}
165		}
166	},
167	{0, 0, 1, 0,		/* 0x0e */
168		{{1, 3},
169		{0, 0},
170		{0, 0},
171		{0, 0}
172		}
173	},
174	{1, 0, 1, 0,		/* 0x0f */
175		{{0, 3},
176		{0, 0},
177		{0, 0},
178		{0, 0}
179		}
180	},
181	{0, 0, 1, 0,		/* 0x10 */
182		{{4, 4},
183		{0, 0},
184		{0, 0},
185		{0, 0}
186		}
187	},
188	{1, 0, 2, 0,		/* 0x11 */
189		{{0, 0},
190		{4, 4},
191		{0, 0},
192		{0, 0}
193		}
194	},
195	{0, 0, 2, 0,		/* 0x12 */
196		{{1, 1},
197		{4, 4},
198		{0, 0},
199		{0, 0}
200		}
201	},
202	{1, 0, 2, 0,		/* 0x13 */
203		{{0, 1},
204		{4, 4},
205		{0, 0},
206		{0, 0}
207		}
208	},
209	{0, 0, 2, 0,		/* 0x14 */
210		{{2, 2},
211		{4, 4},
212		{0, 0},
213		{0, 0}
214		}
215	},
216	{1, 0, 3, 0,		/* 0x15 */
217		{{0, 0},
218		{2, 2},
219		{4, 4},
220		{0, 0}
221		}
222	},
223	{0, 0, 2, 0,		/* 0x16 */
224		{{1, 2},
225		{4, 4},
226		{0, 0},
227		{0, 0}
228		}
229	},
230	{1, 0, 2, 0,		/* 0x17 */
231		{{0, 2},
232		{4, 4},
233		{0, 0},
234		{0, 0}
235		}
236	},
237	{0, 0, 1, 0,		/* 0x18 */
238		{{3, 4},
239		{0, 0},
240		{0, 0},
241		{0, 0}
242		}
243	},
244	{1, 0, 2, 0,		/* 0x19 */
245		{{0, 0},
246		{3, 4},
247		{0, 0},
248		{0, 0}
249		}
250	},
251	{0, 0, 2, 0,		/* 0x1a */
252		{{1, 1},
253		{3, 4},
254		{0, 0},
255		{0, 0}
256		}
257	},
258	{1, 0, 2, 0,		/* 0x1b */
259		{{0, 1},
260		{3, 4},
261		{0, 0},
262		{0, 0}
263		}
264	},
265	{0, 0, 1, 0,		/* 0x1c */
266		{{2, 4},
267		{0, 0},
268		{0, 0},
269		{0, 0}
270		}
271	},
272	{1, 0, 2, 0,		/* 0x1d */
273		{{0, 0},
274		{2, 4},
275		{0, 0},
276		{0, 0}
277		}
278	},
279	{0, 0, 1, 0,		/* 0x1e */
280		{{1, 4},
281		{0, 0},
282		{0, 0},
283		{0, 0}
284		}
285	},
286	{1, 0, 1, 0,		/* 0x1f */
287		{{0, 4},
288		{0, 0},
289		{0, 0},
290		{0, 0}
291		}
292	},
293	{0, 0, 1, 0,		/* 0x20 */
294		{{5, 5},
295		{0, 0},
296		{0, 0},
297		{0, 0}
298		}
299	},
300	{1, 0, 2, 0,		/* 0x21 */
301		{{0, 0},
302		{5, 5},
303		{0, 0},
304		{0, 0}
305		}
306	},
307	{0, 0, 2, 0,		/* 0x22 */
308		{{1, 1},
309		{5, 5},
310		{0, 0},
311		{0, 0}
312		}
313	},
314	{1, 0, 2, 0,		/* 0x23 */
315		{{0, 1},
316		{5, 5},
317		{0, 0},
318		{0, 0}
319		}
320	},
321	{0, 0, 2, 0,		/* 0x24 */
322		{{2, 2},
323		{5, 5},
324		{0, 0},
325		{0, 0}
326		}
327	},
328	{1, 0, 3, 0,		/* 0x25 */
329		{{0, 0},
330		{2, 2},
331		{5, 5},
332		{0, 0}
333		}
334	},
335	{0, 0, 2, 0,		/* 0x26 */
336		{{1, 2},
337		{5, 5},
338		{0, 0},
339		{0, 0}
340		}
341	},
342	{1, 0, 2, 0,		/* 0x27 */
343		{{0, 2},
344		{5, 5},
345		{0, 0},
346		{0, 0}
347		}
348	},
349	{0, 0, 2, 0,		/* 0x28 */
350		{{3, 3},
351		{5, 5},
352		{0, 0},
353		{0, 0}
354		}
355	},
356	{1, 0, 3, 0,		/* 0x29 */
357		{{0, 0},
358		{3, 3},
359		{5, 5},
360		{0, 0}
361		}
362	},
363	{0, 0, 3, 0,		/* 0x2a */
364		{{1, 1},
365		{3, 3},
366		{5, 5},
367		{0, 0}
368		}
369	},
370	{1, 0, 3, 0,		/* 0x2b */
371		{{0, 1},
372		{3, 3},
373		{5, 5},
374		{0, 0}
375		}
376	},
377	{0, 0, 2, 0,		/* 0x2c */
378		{{2, 3},
379		{5, 5},
380		{0, 0},
381		{0, 0}
382		}
383	},
384	{1, 0, 3, 0,		/* 0x2d */
385		{{0, 0},
386		{2, 3},
387		{5, 5},
388		{0, 0}
389		}
390	},
391	{0, 0, 2, 0,		/* 0x2e */
392		{{1, 3},
393		{5, 5},
394		{0, 0},
395		{0, 0}
396		}
397	},
398	{1, 0, 2, 0,		/* 0x2f */
399		{{0, 3},
400		{5, 5},
401		{0, 0},
402		{0, 0}
403		}
404	},
405	{0, 0, 1, 0,		/* 0x30 */
406		{{4, 5},
407		{0, 0},
408		{0, 0},
409		{0, 0}
410		}
411	},
412	{1, 0, 2, 0,		/* 0x31 */
413		{{0, 0},
414		{4, 5},
415		{0, 0},
416		{0, 0}
417		}
418	},
419	{0, 0, 2, 0,		/* 0x32 */
420		{{1, 1},
421		{4, 5},
422		{0, 0},
423		{0, 0}
424		}
425	},
426	{1, 0, 2, 0,		/* 0x33 */
427		{{0, 1},
428		{4, 5},
429		{0, 0},
430		{0, 0}
431		}
432	},
433	{0, 0, 2, 0,		/* 0x34 */
434		{{2, 2},
435		{4, 5},
436		{0, 0},
437		{0, 0}
438		}
439	},
440	{1, 0, 3, 0,		/* 0x35 */
441		{{0, 0},
442		{2, 2},
443		{4, 5},
444		{0, 0}
445		}
446	},
447	{0, 0, 2, 0,		/* 0x36 */
448		{{1, 2},
449		{4, 5},
450		{0, 0},
451		{0, 0}
452		}
453	},
454	{1, 0, 2, 0,		/* 0x37 */
455		{{0, 2},
456		{4, 5},
457		{0, 0},
458		{0, 0}
459		}
460	},
461	{0, 0, 1, 0,		/* 0x38 */
462		{{3, 5},
463		{0, 0},
464		{0, 0},
465		{0, 0}
466		}
467	},
468	{1, 0, 2, 0,		/* 0x39 */
469		{{0, 0},
470		{3, 5},
471		{0, 0},
472		{0, 0}
473		}
474	},
475	{0, 0, 2, 0,		/* 0x3a */
476		{{1, 1},
477		{3, 5},
478		{0, 0},
479		{0, 0}
480		}
481	},
482	{1, 0, 2, 0,		/* 0x3b */
483		{{0, 1},
484		{3, 5},
485		{0, 0},
486		{0, 0}
487		}
488	},
489	{0, 0, 1, 0,		/* 0x3c */
490		{{2, 5},
491		{0, 0},
492		{0, 0},
493		{0, 0}
494		}
495	},
496	{1, 0, 2, 0,		/* 0x3d */
497		{{0, 0},
498		{2, 5},
499		{0, 0},
500		{0, 0}
501		}
502	},
503	{0, 0, 1, 0,		/* 0x3e */
504		{{1, 5},
505		{0, 0},
506		{0, 0},
507		{0, 0}
508		}
509	},
510	{1, 0, 1, 0,		/* 0x3f */
511		{{0, 5},
512		{0, 0},
513		{0, 0},
514		{0, 0}
515		}
516	},
517	{0, 0, 1, 0,		/* 0x40 */
518		{{6, 6},
519		{0, 0},
520		{0, 0},
521		{0, 0}
522		}
523	},
524	{1, 0, 2, 0,		/* 0x41 */
525		{{0, 0},
526		{6, 6},
527		{0, 0},
528		{0, 0}
529		}
530	},
531	{0, 0, 2, 0,		/* 0x42 */
532		{{1, 1},
533		{6, 6},
534		{0, 0},
535		{0, 0}
536		}
537	},
538	{1, 0, 2, 0,		/* 0x43 */
539		{{0, 1},
540		{6, 6},
541		{0, 0},
542		{0, 0}
543		}
544	},
545	{0, 0, 2, 0,		/* 0x44 */
546		{{2, 2},
547		{6, 6},
548		{0, 0},
549		{0, 0}
550		}
551	},
552	{1, 0, 3, 0,		/* 0x45 */
553		{{0, 0},
554		{2, 2},
555		{6, 6},
556		{0, 0}
557		}
558	},
559	{0, 0, 2, 0,		/* 0x46 */
560		{{1, 2},
561		{6, 6},
562		{0, 0},
563		{0, 0}
564		}
565	},
566	{1, 0, 2, 0,		/* 0x47 */
567		{{0, 2},
568		{6, 6},
569		{0, 0},
570		{0, 0}
571		}
572	},
573	{0, 0, 2, 0,		/* 0x48 */
574		{{3, 3},
575		{6, 6},
576		{0, 0},
577		{0, 0}
578		}
579	},
580	{1, 0, 3, 0,		/* 0x49 */
581		{{0, 0},
582		{3, 3},
583		{6, 6},
584		{0, 0}
585		}
586	},
587	{0, 0, 3, 0,		/* 0x4a */
588		{{1, 1},
589		{3, 3},
590		{6, 6},
591		{0, 0}
592		}
593	},
594	{1, 0, 3, 0,		/* 0x4b */
595		{{0, 1},
596		{3, 3},
597		{6, 6},
598		{0, 0}
599		}
600	},
601	{0, 0, 2, 0,		/* 0x4c */
602		{{2, 3},
603		{6, 6},
604		{0, 0},
605		{0, 0}
606		}
607	},
608	{1, 0, 3, 0,		/* 0x4d */
609		{{0, 0},
610		{2, 3},
611		{6, 6},
612		{0, 0}
613		}
614	},
615	{0, 0, 2, 0,		/* 0x4e */
616		{{1, 3},
617		{6, 6},
618		{0, 0},
619		{0, 0}
620		}
621	},
622	{1, 0, 2, 0,		/* 0x4f */
623		{{0, 3},
624		{6, 6},
625		{0, 0},
626		{0, 0}
627		}
628	},
629	{0, 0, 2, 0,		/* 0x50 */
630		{{4, 4},
631		{6, 6},
632		{0, 0},
633		{0, 0}
634		}
635	},
636	{1, 0, 3, 0,		/* 0x51 */
637		{{0, 0},
638		{4, 4},
639		{6, 6},
640		{0, 0}
641		}
642	},
643	{0, 0, 3, 0,		/* 0x52 */
644		{{1, 1},
645		{4, 4},
646		{6, 6},
647		{0, 0}
648		}
649	},
650	{1, 0, 3, 0,		/* 0x53 */
651		{{0, 1},
652		{4, 4},
653		{6, 6},
654		{0, 0}
655		}
656	},
657	{0, 0, 3, 0,		/* 0x54 */
658		{{2, 2},
659		{4, 4},
660		{6, 6},
661		{0, 0}
662		}
663	},
664	{1, 0, 4, 0,		/* 0x55 */
665		{{0, 0},
666		{2, 2},
667		{4, 4},
668		{6, 6}
669		}
670	},
671	{0, 0, 3, 0,		/* 0x56 */
672		{{1, 2},
673		{4, 4},
674		{6, 6},
675		{0, 0}
676		}
677	},
678	{1, 0, 3, 0,		/* 0x57 */
679		{{0, 2},
680		{4, 4},
681		{6, 6},
682		{0, 0}
683		}
684	},
685	{0, 0, 2, 0,		/* 0x58 */
686		{{3, 4},
687		{6, 6},
688		{0, 0},
689		{0, 0}
690		}
691	},
692	{1, 0, 3, 0,		/* 0x59 */
693		{{0, 0},
694		{3, 4},
695		{6, 6},
696		{0, 0}
697		}
698	},
699	{0, 0, 3, 0,		/* 0x5a */
700		{{1, 1},
701		{3, 4},
702		{6, 6},
703		{0, 0}
704		}
705	},
706	{1, 0, 3, 0,		/* 0x5b */
707		{{0, 1},
708		{3, 4},
709		{6, 6},
710		{0, 0}
711		}
712	},
713	{0, 0, 2, 0,		/* 0x5c */
714		{{2, 4},
715		{6, 6},
716		{0, 0},
717		{0, 0}
718		}
719	},
720	{1, 0, 3, 0,		/* 0x5d */
721		{{0, 0},
722		{2, 4},
723		{6, 6},
724		{0, 0}
725		}
726	},
727	{0, 0, 2, 0,		/* 0x5e */
728		{{1, 4},
729		{6, 6},
730		{0, 0},
731		{0, 0}
732		}
733	},
734	{1, 0, 2, 0,		/* 0x5f */
735		{{0, 4},
736		{6, 6},
737		{0, 0},
738		{0, 0}
739		}
740	},
741	{0, 0, 1, 0,		/* 0x60 */
742		{{5, 6},
743		{0, 0},
744		{0, 0},
745		{0, 0}
746		}
747	},
748	{1, 0, 2, 0,		/* 0x61 */
749		{{0, 0},
750		{5, 6},
751		{0, 0},
752		{0, 0}
753		}
754	},
755	{0, 0, 2, 0,		/* 0x62 */
756		{{1, 1},
757		{5, 6},
758		{0, 0},
759		{0, 0}
760		}
761	},
762	{1, 0, 2, 0,		/* 0x63 */
763		{{0, 1},
764		{5, 6},
765		{0, 0},
766		{0, 0}
767		}
768	},
769	{0, 0, 2, 0,		/* 0x64 */
770		{{2, 2},
771		{5, 6},
772		{0, 0},
773		{0, 0}
774		}
775	},
776	{1, 0, 3, 0,		/* 0x65 */
777		{{0, 0},
778		{2, 2},
779		{5, 6},
780		{0, 0}
781		}
782	},
783	{0, 0, 2, 0,		/* 0x66 */
784		{{1, 2},
785		{5, 6},
786		{0, 0},
787		{0, 0}
788		}
789	},
790	{1, 0, 2, 0,		/* 0x67 */
791		{{0, 2},
792		{5, 6},
793		{0, 0},
794		{0, 0}
795		}
796	},
797	{0, 0, 2, 0,		/* 0x68 */
798		{{3, 3},
799		{5, 6},
800		{0, 0},
801		{0, 0}
802		}
803	},
804	{1, 0, 3, 0,		/* 0x69 */
805		{{0, 0},
806		{3, 3},
807		{5, 6},
808		{0, 0}
809		}
810	},
811	{0, 0, 3, 0,		/* 0x6a */
812		{{1, 1},
813		{3, 3},
814		{5, 6},
815		{0, 0}
816		}
817	},
818	{1, 0, 3, 0,		/* 0x6b */
819		{{0, 1},
820		{3, 3},
821		{5, 6},
822		{0, 0}
823		}
824	},
825	{0, 0, 2, 0,		/* 0x6c */
826		{{2, 3},
827		{5, 6},
828		{0, 0},
829		{0, 0}
830		}
831	},
832	{1, 0, 3, 0,		/* 0x6d */
833		{{0, 0},
834		{2, 3},
835		{5, 6},
836		{0, 0}
837		}
838	},
839	{0, 0, 2, 0,		/* 0x6e */
840		{{1, 3},
841		{5, 6},
842		{0, 0},
843		{0, 0}
844		}
845	},
846	{1, 0, 2, 0,		/* 0x6f */
847		{{0, 3},
848		{5, 6},
849		{0, 0},
850		{0, 0}
851		}
852	},
853	{0, 0, 1, 0,		/* 0x70 */
854		{{4, 6},
855		{0, 0},
856		{0, 0},
857		{0, 0}
858		}
859	},
860	{1, 0, 2, 0,		/* 0x71 */
861		{{0, 0},
862		{4, 6},
863		{0, 0},
864		{0, 0}
865		}
866	},
867	{0, 0, 2, 0,		/* 0x72 */
868		{{1, 1},
869		{4, 6},
870		{0, 0},
871		{0, 0}
872		}
873	},
874	{1, 0, 2, 0,		/* 0x73 */
875		{{0, 1},
876		{4, 6},
877		{0, 0},
878		{0, 0}
879		}
880	},
881	{0, 0, 2, 0,		/* 0x74 */
882		{{2, 2},
883		{4, 6},
884		{0, 0},
885		{0, 0}
886		}
887	},
888	{1, 0, 3, 0,		/* 0x75 */
889		{{0, 0},
890		{2, 2},
891		{4, 6},
892		{0, 0}
893		}
894	},
895	{0, 0, 2, 0,		/* 0x76 */
896		{{1, 2},
897		{4, 6},
898		{0, 0},
899		{0, 0}
900		}
901	},
902	{1, 0, 2, 0,		/* 0x77 */
903		{{0, 2},
904		{4, 6},
905		{0, 0},
906		{0, 0}
907		}
908	},
909	{0, 0, 1, 0,		/* 0x78 */
910		{{3, 6},
911		{0, 0},
912		{0, 0},
913		{0, 0}
914		}
915	},
916	{1, 0, 2, 0,		/* 0x79 */
917		{{0, 0},
918		{3, 6},
919		{0, 0},
920		{0, 0}
921		}
922	},
923	{0, 0, 2, 0,		/* 0x7a */
924		{{1, 1},
925		{3, 6},
926		{0, 0},
927		{0, 0}
928		}
929	},
930	{1, 0, 2, 0,		/* 0x7b */
931		{{0, 1},
932		{3, 6},
933		{0, 0},
934		{0, 0}
935		}
936	},
937	{0, 0, 1, 0,		/* 0x7c */
938		{{2, 6},
939		{0, 0},
940		{0, 0},
941		{0, 0}
942		}
943	},
944	{1, 0, 2, 0,		/* 0x7d */
945		{{0, 0},
946		{2, 6},
947		{0, 0},
948		{0, 0}
949		}
950	},
951	{0, 0, 1, 0,		/* 0x7e */
952		{{1, 6},
953		{0, 0},
954		{0, 0},
955		{0, 0}
956		}
957	},
958	{1, 0, 1, 0,		/* 0x7f */
959		{{0, 6},
960		{0, 0},
961		{0, 0},
962		{0, 0}
963		}
964	},
965	{0, 1, 1, 0,		/* 0x80 */
966		{{7, 7},
967		{0, 0},
968		{0, 0},
969		{0, 0}
970		}
971	},
972	{1, 1, 2, 0,		/* 0x81 */
973		{{0, 0},
974		{7, 7},
975		{0, 0},
976		{0, 0}
977		}
978	},
979	{0, 1, 2, 0,		/* 0x82 */
980		{{1, 1},
981		{7, 7},
982		{0, 0},
983		{0, 0}
984		}
985	},
986	{1, 1, 2, 0,		/* 0x83 */
987		{{0, 1},
988		{7, 7},
989		{0, 0},
990		{0, 0}
991		}
992	},
993	{0, 1, 2, 0,		/* 0x84 */
994		{{2, 2},
995		{7, 7},
996		{0, 0},
997		{0, 0}
998		}
999	},
1000	{1, 1, 3, 0,		/* 0x85 */
1001		{{0, 0},
1002		{2, 2},
1003		{7, 7},
1004		{0, 0}
1005		}
1006	},
1007	{0, 1, 2, 0,		/* 0x86 */
1008		{{1, 2},
1009		{7, 7},
1010		{0, 0},
1011		{0, 0}
1012		}
1013	},
1014	{1, 1, 2, 0,		/* 0x87 */
1015		{{0, 2},
1016		{7, 7},
1017		{0, 0},
1018		{0, 0}
1019		}
1020	},
1021	{0, 1, 2, 0,		/* 0x88 */
1022		{{3, 3},
1023		{7, 7},
1024		{0, 0},
1025		{0, 0}
1026		}
1027	},
1028	{1, 1, 3, 0,		/* 0x89 */
1029		{{0, 0},
1030		{3, 3},
1031		{7, 7},
1032		{0, 0}
1033		}
1034	},
1035	{0, 1, 3, 0,		/* 0x8a */
1036		{{1, 1},
1037		{3, 3},
1038		{7, 7},
1039		{0, 0}
1040		}
1041	},
1042	{1, 1, 3, 0,		/* 0x8b */
1043		{{0, 1},
1044		{3, 3},
1045		{7, 7},
1046		{0, 0}
1047		}
1048	},
1049	{0, 1, 2, 0,		/* 0x8c */
1050		{{2, 3},
1051		{7, 7},
1052		{0, 0},
1053		{0, 0}
1054		}
1055	},
1056	{1, 1, 3, 0,		/* 0x8d */
1057		{{0, 0},
1058		{2, 3},
1059		{7, 7},
1060		{0, 0}
1061		}
1062	},
1063	{0, 1, 2, 0,		/* 0x8e */
1064		{{1, 3},
1065		{7, 7},
1066		{0, 0},
1067		{0, 0}
1068		}
1069	},
1070	{1, 1, 2, 0,		/* 0x8f */
1071		{{0, 3},
1072		{7, 7},
1073		{0, 0},
1074		{0, 0}
1075		}
1076	},
1077	{0, 1, 2, 0,		/* 0x90 */
1078		{{4, 4},
1079		{7, 7},
1080		{0, 0},
1081		{0, 0}
1082		}
1083	},
1084	{1, 1, 3, 0,		/* 0x91 */
1085		{{0, 0},
1086		{4, 4},
1087		{7, 7},
1088		{0, 0}
1089		}
1090	},
1091	{0, 1, 3, 0,		/* 0x92 */
1092		{{1, 1},
1093		{4, 4},
1094		{7, 7},
1095		{0, 0}
1096		}
1097	},
1098	{1, 1, 3, 0,		/* 0x93 */
1099		{{0, 1},
1100		{4, 4},
1101		{7, 7},
1102		{0, 0}
1103		}
1104	},
1105	{0, 1, 3, 0,		/* 0x94 */
1106		{{2, 2},
1107		{4, 4},
1108		{7, 7},
1109		{0, 0}
1110		}
1111	},
1112	{1, 1, 4, 0,		/* 0x95 */
1113		{{0, 0},
1114		{2, 2},
1115		{4, 4},
1116		{7, 7}
1117		}
1118	},
1119	{0, 1, 3, 0,		/* 0x96 */
1120		{{1, 2},
1121		{4, 4},
1122		{7, 7},
1123		{0, 0}
1124		}
1125	},
1126	{1, 1, 3, 0,		/* 0x97 */
1127		{{0, 2},
1128		{4, 4},
1129		{7, 7},
1130		{0, 0}
1131		}
1132	},
1133	{0, 1, 2, 0,		/* 0x98 */
1134		{{3, 4},
1135		{7, 7},
1136		{0, 0},
1137		{0, 0}
1138		}
1139	},
1140	{1, 1, 3, 0,		/* 0x99 */
1141		{{0, 0},
1142		{3, 4},
1143		{7, 7},
1144		{0, 0}
1145		}
1146	},
1147	{0, 1, 3, 0,		/* 0x9a */
1148		{{1, 1},
1149		{3, 4},
1150		{7, 7},
1151		{0, 0}
1152		}
1153	},
1154	{1, 1, 3, 0,		/* 0x9b */
1155		{{0, 1},
1156		{3, 4},
1157		{7, 7},
1158		{0, 0}
1159		}
1160	},
1161	{0, 1, 2, 0,		/* 0x9c */
1162		{{2, 4},
1163		{7, 7},
1164		{0, 0},
1165		{0, 0}
1166		}
1167	},
1168	{1, 1, 3, 0,		/* 0x9d */
1169		{{0, 0},
1170		{2, 4},
1171		{7, 7},
1172		{0, 0}
1173		}
1174	},
1175	{0, 1, 2, 0,		/* 0x9e */
1176		{{1, 4},
1177		{7, 7},
1178		{0, 0},
1179		{0, 0}
1180		}
1181	},
1182	{1, 1, 2, 0,		/* 0x9f */
1183		{{0, 4},
1184		{7, 7},
1185		{0, 0},
1186		{0, 0}
1187		}
1188	},
1189	{0, 1, 2, 0,		/* 0xa0 */
1190		{{5, 5},
1191		{7, 7},
1192		{0, 0},
1193		{0, 0}
1194		}
1195	},
1196	{1, 1, 3, 0,		/* 0xa1 */
1197		{{0, 0},
1198		{5, 5},
1199		{7, 7},
1200		{0, 0}
1201		}
1202	},
1203	{0, 1, 3, 0,		/* 0xa2 */
1204		{{1, 1},
1205		{5, 5},
1206		{7, 7},
1207		{0, 0}
1208		}
1209	},
1210	{1, 1, 3, 0,		/* 0xa3 */
1211		{{0, 1},
1212		{5, 5},
1213		{7, 7},
1214		{0, 0}
1215		}
1216	},
1217	{0, 1, 3, 0,		/* 0xa4 */
1218		{{2, 2},
1219		{5, 5},
1220		{7, 7},
1221		{0, 0}
1222		}
1223	},
1224	{1, 1, 4, 0,		/* 0xa5 */
1225		{{0, 0},
1226		{2, 2},
1227		{5, 5},
1228		{7, 7}
1229		}
1230	},
1231	{0, 1, 3, 0,		/* 0xa6 */
1232		{{1, 2},
1233		{5, 5},
1234		{7, 7},
1235		{0, 0}
1236		}
1237	},
1238	{1, 1, 3, 0,		/* 0xa7 */
1239		{{0, 2},
1240		{5, 5},
1241		{7, 7},
1242		{0, 0}
1243		}
1244	},
1245	{0, 1, 3, 0,		/* 0xa8 */
1246		{{3, 3},
1247		{5, 5},
1248		{7, 7},
1249		{0, 0}
1250		}
1251	},
1252	{1, 1, 4, 0,		/* 0xa9 */
1253		{{0, 0},
1254		{3, 3},
1255		{5, 5},
1256		{7, 7}
1257		}
1258	},
1259	{0, 1, 4, 0,		/* 0xaa */
1260		{{1, 1},
1261		{3, 3},
1262		{5, 5},
1263		{7, 7}
1264		}
1265	},
1266	{1, 1, 4, 0,		/* 0xab */
1267		{{0, 1},
1268		{3, 3},
1269		{5, 5},
1270		{7, 7}
1271		}
1272	},
1273	{0, 1, 3, 0,		/* 0xac */
1274		{{2, 3},
1275		{5, 5},
1276		{7, 7},
1277		{0, 0}
1278		}
1279	},
1280	{1, 1, 4, 0,		/* 0xad */
1281		{{0, 0},
1282		{2, 3},
1283		{5, 5},
1284		{7, 7}
1285		}
1286	},
1287	{0, 1, 3, 0,		/* 0xae */
1288		{{1, 3},
1289		{5, 5},
1290		{7, 7},
1291		{0, 0}
1292		}
1293	},
1294	{1, 1, 3, 0,		/* 0xaf */
1295		{{0, 3},
1296		{5, 5},
1297		{7, 7},
1298		{0, 0}
1299		}
1300	},
1301	{0, 1, 2, 0,		/* 0xb0 */
1302		{{4, 5},
1303		{7, 7},
1304		{0, 0},
1305		{0, 0}
1306		}
1307	},
1308	{1, 1, 3, 0,		/* 0xb1 */
1309		{{0, 0},
1310		{4, 5},
1311		{7, 7},
1312		{0, 0}
1313		}
1314	},
1315	{0, 1, 3, 0,		/* 0xb2 */
1316		{{1, 1},
1317		{4, 5},
1318		{7, 7},
1319		{0, 0}
1320		}
1321	},
1322	{1, 1, 3, 0,		/* 0xb3 */
1323		{{0, 1},
1324		{4, 5},
1325		{7, 7},
1326		{0, 0}
1327		}
1328	},
1329	{0, 1, 3, 0,		/* 0xb4 */
1330		{{2, 2},
1331		{4, 5},
1332		{7, 7},
1333		{0, 0}
1334		}
1335	},
1336	{1, 1, 4, 0,		/* 0xb5 */
1337		{{0, 0},
1338		{2, 2},
1339		{4, 5},
1340		{7, 7}
1341		}
1342	},
1343	{0, 1, 3, 0,		/* 0xb6 */
1344		{{1, 2},
1345		{4, 5},
1346		{7, 7},
1347		{0, 0}
1348		}
1349	},
1350	{1, 1, 3, 0,		/* 0xb7 */
1351		{{0, 2},
1352		{4, 5},
1353		{7, 7},
1354		{0, 0}
1355		}
1356	},
1357	{0, 1, 2, 0,		/* 0xb8 */
1358		{{3, 5},
1359		{7, 7},
1360		{0, 0},
1361		{0, 0}
1362		}
1363	},
1364	{1, 1, 3, 0,		/* 0xb9 */
1365		{{0, 0},
1366		{3, 5},
1367		{7, 7},
1368		{0, 0}
1369		}
1370	},
1371	{0, 1, 3, 0,		/* 0xba */
1372		{{1, 1},
1373		{3, 5},
1374		{7, 7},
1375		{0, 0}
1376		}
1377	},
1378	{1, 1, 3, 0,		/* 0xbb */
1379		{{0, 1},
1380		{3, 5},
1381		{7, 7},
1382		{0, 0}
1383		}
1384	},
1385	{0, 1, 2, 0,		/* 0xbc */
1386		{{2, 5},
1387		{7, 7},
1388		{0, 0},
1389		{0, 0}
1390		}
1391	},
1392	{1, 1, 3, 0,		/* 0xbd */
1393		{{0, 0},
1394		{2, 5},
1395		{7, 7},
1396		{0, 0}
1397		}
1398	},
1399	{0, 1, 2, 0,		/* 0xbe */
1400		{{1, 5},
1401		{7, 7},
1402		{0, 0},
1403		{0, 0}
1404		}
1405	},
1406	{1, 1, 2, 0,		/* 0xbf */
1407		{{0, 5},
1408		{7, 7},
1409		{0, 0},
1410		{0, 0}
1411		}
1412	},
1413	{0, 1, 1, 0,		/* 0xc0 */
1414		{{6, 7},
1415		{0, 0},
1416		{0, 0},
1417		{0, 0}
1418		}
1419	},
1420	{1, 1, 2, 0,		/* 0xc1 */
1421		{{0, 0},
1422		{6, 7},
1423		{0, 0},
1424		{0, 0}
1425		}
1426	},
1427	{0, 1, 2, 0,		/* 0xc2 */
1428		{{1, 1},
1429		{6, 7},
1430		{0, 0},
1431		{0, 0}
1432		}
1433	},
1434	{1, 1, 2, 0,		/* 0xc3 */
1435		{{0, 1},
1436		{6, 7},
1437		{0, 0},
1438		{0, 0}
1439		}
1440	},
1441	{0, 1, 2, 0,		/* 0xc4 */
1442		{{2, 2},
1443		{6, 7},
1444		{0, 0},
1445		{0, 0}
1446		}
1447	},
1448	{1, 1, 3, 0,		/* 0xc5 */
1449		{{0, 0},
1450		{2, 2},
1451		{6, 7},
1452		{0, 0}
1453		}
1454	},
1455	{0, 1, 2, 0,		/* 0xc6 */
1456		{{1, 2},
1457		{6, 7},
1458		{0, 0},
1459		{0, 0}
1460		}
1461	},
1462	{1, 1, 2, 0,		/* 0xc7 */
1463		{{0, 2},
1464		{6, 7},
1465		{0, 0},
1466		{0, 0}
1467		}
1468	},
1469	{0, 1, 2, 0,		/* 0xc8 */
1470		{{3, 3},
1471		{6, 7},
1472		{0, 0},
1473		{0, 0}
1474		}
1475	},
1476	{1, 1, 3, 0,		/* 0xc9 */
1477		{{0, 0},
1478		{3, 3},
1479		{6, 7},
1480		{0, 0}
1481		}
1482	},
1483	{0, 1, 3, 0,		/* 0xca */
1484		{{1, 1},
1485		{3, 3},
1486		{6, 7},
1487		{0, 0}
1488		}
1489	},
1490	{1, 1, 3, 0,		/* 0xcb */
1491		{{0, 1},
1492		{3, 3},
1493		{6, 7},
1494		{0, 0}
1495		}
1496	},
1497	{0, 1, 2, 0,		/* 0xcc */
1498		{{2, 3},
1499		{6, 7},
1500		{0, 0},
1501		{0, 0}
1502		}
1503	},
1504	{1, 1, 3, 0,		/* 0xcd */
1505		{{0, 0},
1506		{2, 3},
1507		{6, 7},
1508		{0, 0}
1509		}
1510	},
1511	{0, 1, 2, 0,		/* 0xce */
1512		{{1, 3},
1513		{6, 7},
1514		{0, 0},
1515		{0, 0}
1516		}
1517	},
1518	{1, 1, 2, 0,		/* 0xcf */
1519		{{0, 3},
1520		{6, 7},
1521		{0, 0},
1522		{0, 0}
1523		}
1524	},
1525	{0, 1, 2, 0,		/* 0xd0 */
1526		{{4, 4},
1527		{6, 7},
1528		{0, 0},
1529		{0, 0}
1530		}
1531	},
1532	{1, 1, 3, 0,		/* 0xd1 */
1533		{{0, 0},
1534		{4, 4},
1535		{6, 7},
1536		{0, 0}
1537		}
1538	},
1539	{0, 1, 3, 0,		/* 0xd2 */
1540		{{1, 1},
1541		{4, 4},
1542		{6, 7},
1543		{0, 0}
1544		}
1545	},
1546	{1, 1, 3, 0,		/* 0xd3 */
1547		{{0, 1},
1548		{4, 4},
1549		{6, 7},
1550		{0, 0}
1551		}
1552	},
1553	{0, 1, 3, 0,		/* 0xd4 */
1554		{{2, 2},
1555		{4, 4},
1556		{6, 7},
1557		{0, 0}
1558		}
1559	},
1560	{1, 1, 4, 0,		/* 0xd5 */
1561		{{0, 0},
1562		{2, 2},
1563		{4, 4},
1564		{6, 7}
1565		}
1566	},
1567	{0, 1, 3, 0,		/* 0xd6 */
1568		{{1, 2},
1569		{4, 4},
1570		{6, 7},
1571		{0, 0}
1572		}
1573	},
1574	{1, 1, 3, 0,		/* 0xd7 */
1575		{{0, 2},
1576		{4, 4},
1577		{6, 7},
1578		{0, 0}
1579		}
1580	},
1581	{0, 1, 2, 0,		/* 0xd8 */
1582		{{3, 4},
1583		{6, 7},
1584		{0, 0},
1585		{0, 0}
1586		}
1587	},
1588	{1, 1, 3, 0,		/* 0xd9 */
1589		{{0, 0},
1590		{3, 4},
1591		{6, 7},
1592		{0, 0}
1593		}
1594	},
1595	{0, 1, 3, 0,		/* 0xda */
1596		{{1, 1},
1597		{3, 4},
1598		{6, 7},
1599		{0, 0}
1600		}
1601	},
1602	{1, 1, 3, 0,		/* 0xdb */
1603		{{0, 1},
1604		{3, 4},
1605		{6, 7},
1606		{0, 0}
1607		}
1608	},
1609	{0, 1, 2, 0,		/* 0xdc */
1610		{{2, 4},
1611		{6, 7},
1612		{0, 0},
1613		{0, 0}
1614		}
1615	},
1616	{1, 1, 3, 0,		/* 0xdd */
1617		{{0, 0},
1618		{2, 4},
1619		{6, 7},
1620		{0, 0}
1621		}
1622	},
1623	{0, 1, 2, 0,		/* 0xde */
1624		{{1, 4},
1625		{6, 7},
1626		{0, 0},
1627		{0, 0}
1628		}
1629	},
1630	{1, 1, 2, 0,		/* 0xdf */
1631		{{0, 4},
1632		{6, 7},
1633		{0, 0},
1634		{0, 0}
1635		}
1636	},
1637	{0, 1, 1, 0,		/* 0xe0 */
1638		{{5, 7},
1639		{0, 0},
1640		{0, 0},
1641		{0, 0}
1642		}
1643	},
1644	{1, 1, 2, 0,		/* 0xe1 */
1645		{{0, 0},
1646		{5, 7},
1647		{0, 0},
1648		{0, 0}
1649		}
1650	},
1651	{0, 1, 2, 0,		/* 0xe2 */
1652		{{1, 1},
1653		{5, 7},
1654		{0, 0},
1655		{0, 0}
1656		}
1657	},
1658	{1, 1, 2, 0,		/* 0xe3 */
1659		{{0, 1},
1660		{5, 7},
1661		{0, 0},
1662		{0, 0}
1663		}
1664	},
1665	{0, 1, 2, 0,		/* 0xe4 */
1666		{{2, 2},
1667		{5, 7},
1668		{0, 0},
1669		{0, 0}
1670		}
1671	},
1672	{1, 1, 3, 0,		/* 0xe5 */
1673		{{0, 0},
1674		{2, 2},
1675		{5, 7},
1676		{0, 0}
1677		}
1678	},
1679	{0, 1, 2, 0,		/* 0xe6 */
1680		{{1, 2},
1681		{5, 7},
1682		{0, 0},
1683		{0, 0}
1684		}
1685	},
1686	{1, 1, 2, 0,		/* 0xe7 */
1687		{{0, 2},
1688		{5, 7},
1689		{0, 0},
1690		{0, 0}
1691		}
1692	},
1693	{0, 1, 2, 0,		/* 0xe8 */
1694		{{3, 3},
1695		{5, 7},
1696		{0, 0},
1697		{0, 0}
1698		}
1699	},
1700	{1, 1, 3, 0,		/* 0xe9 */
1701		{{0, 0},
1702		{3, 3},
1703		{5, 7},
1704		{0, 0}
1705		}
1706	},
1707	{0, 1, 3, 0,		/* 0xea */
1708		{{1, 1},
1709		{3, 3},
1710		{5, 7},
1711		{0, 0}
1712		}
1713	},
1714	{1, 1, 3, 0,		/* 0xeb */
1715		{{0, 1},
1716		{3, 3},
1717		{5, 7},
1718		{0, 0}
1719		}
1720	},
1721	{0, 1, 2, 0,		/* 0xec */
1722		{{2, 3},
1723		{5, 7},
1724		{0, 0},
1725		{0, 0}
1726		}
1727	},
1728	{1, 1, 3, 0,		/* 0xed */
1729		{{0, 0},
1730		{2, 3},
1731		{5, 7},
1732		{0, 0}
1733		}
1734	},
1735	{0, 1, 2, 0,		/* 0xee */
1736		{{1, 3},
1737		{5, 7},
1738		{0, 0},
1739		{0, 0}
1740		}
1741	},
1742	{1, 1, 2, 0,		/* 0xef */
1743		{{0, 3},
1744		{5, 7},
1745		{0, 0},
1746		{0, 0}
1747		}
1748	},
1749	{0, 1, 1, 0,		/* 0xf0 */
1750		{{4, 7},
1751		{0, 0},
1752		{0, 0},
1753		{0, 0}
1754		}
1755	},
1756	{1, 1, 2, 0,		/* 0xf1 */
1757		{{0, 0},
1758		{4, 7},
1759		{0, 0},
1760		{0, 0}
1761		}
1762	},
1763	{0, 1, 2, 0,		/* 0xf2 */
1764		{{1, 1},
1765		{4, 7},
1766		{0, 0},
1767		{0, 0}
1768		}
1769	},
1770	{1, 1, 2, 0,		/* 0xf3 */
1771		{{0, 1},
1772		{4, 7},
1773		{0, 0},
1774		{0, 0}
1775		}
1776	},
1777	{0, 1, 2, 0,		/* 0xf4 */
1778		{{2, 2},
1779		{4, 7},
1780		{0, 0},
1781		{0, 0}
1782		}
1783	},
1784	{1, 1, 3, 0,		/* 0xf5 */
1785		{{0, 0},
1786		{2, 2},
1787		{4, 7},
1788		{0, 0}
1789		}
1790	},
1791	{0, 1, 2, 0,		/* 0xf6 */
1792		{{1, 2},
1793		{4, 7},
1794		{0, 0},
1795		{0, 0}
1796		}
1797	},
1798	{1, 1, 2, 0,		/* 0xf7 */
1799		{{0, 2},
1800		{4, 7},
1801		{0, 0},
1802		{0, 0}
1803		}
1804	},
1805	{0, 1, 1, 0,		/* 0xf8 */
1806		{{3, 7},
1807		{0, 0},
1808		{0, 0},
1809		{0, 0}
1810		}
1811	},
1812	{1, 1, 2, 0,		/* 0xf9 */
1813		{{0, 0},
1814		{3, 7},
1815		{0, 0},
1816		{0, 0}
1817		}
1818	},
1819	{0, 1, 2, 0,		/* 0xfa */
1820		{{1, 1},
1821		{3, 7},
1822		{0, 0},
1823		{0, 0}
1824		}
1825	},
1826	{1, 1, 2, 0,		/* 0xfb */
1827		{{0, 1},
1828		{3, 7},
1829		{0, 0},
1830		{0, 0}
1831		}
1832	},
1833	{0, 1, 1, 0,		/* 0xfc */
1834		{{2, 7},
1835		{0, 0},
1836		{0, 0},
1837		{0, 0}
1838		}
1839	},
1840	{1, 1, 2, 0,		/* 0xfd */
1841		{{0, 0},
1842		{2, 7},
1843		{0, 0},
1844		{0, 0}
1845		}
1846	},
1847	{0, 1, 1, 0,		/* 0xfe */
1848		{{1, 7},
1849		{0, 0},
1850		{0, 0},
1851		{0, 0}
1852		}
1853	},
1854	{1, 1, 1, 0,		/* 0xff */
1855		{{0, 7},
1856		{0, 0},
1857		{0, 0},
1858		{0, 0}
1859		}
1860	}
1861};
1862
1863int
1864sctp_is_address_in_scope(struct sctp_ifa *ifa,
1865    struct sctp_scoping *scope,
1866    int do_update)
1867{
1868	if ((scope->loopback_scope == 0) &&
1869	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
1870		/*
1871		 * skip loopback if not in scope *
1872		 */
1873		return (0);
1874	}
1875	switch (ifa->address.sa.sa_family) {
1876#ifdef INET
1877	case AF_INET:
1878		if (scope->ipv4_addr_legal) {
1879			struct sockaddr_in *sin;
1880
1881			sin = &ifa->address.sin;
1882			if (sin->sin_addr.s_addr == 0) {
1883				/* not in scope , unspecified */
1884				return (0);
1885			}
1886			if ((scope->ipv4_local_scope == 0) &&
1887			    (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
1888				/* private address not in scope */
1889				return (0);
1890			}
1891		} else {
1892			return (0);
1893		}
1894		break;
1895#endif
1896#ifdef INET6
1897	case AF_INET6:
1898		if (scope->ipv6_addr_legal) {
1899			struct sockaddr_in6 *sin6;
1900
1901			/*
1902			 * Must update the flags,  bummer, which means any
1903			 * IFA locks must now be applied HERE <->
1904			 */
1905			if (do_update) {
1906				sctp_gather_internal_ifa_flags(ifa);
1907			}
1908			if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
1909				return (0);
1910			}
1911			/* ok to use deprecated addresses? */
1912			sin6 = &ifa->address.sin6;
1913			if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1914				/* skip unspecified addresses */
1915				return (0);
1916			}
1917			if (	/* (local_scope == 0) && */
1918			    (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))) {
1919				return (0);
1920			}
1921			if ((scope->site_scope == 0) &&
1922			    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1923				return (0);
1924			}
1925		} else {
1926			return (0);
1927		}
1928		break;
1929#endif
1930	default:
1931		return (0);
1932	}
1933	return (1);
1934}
1935
1936static struct mbuf *
1937sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len)
1938{
1939#if defined(INET) || defined(INET6)
1940	struct sctp_paramhdr *paramh;
1941	struct mbuf *mret;
1942	uint16_t plen;
1943#endif
1944
1945	switch (ifa->address.sa.sa_family) {
1946#ifdef INET
1947	case AF_INET:
1948		plen = (uint16_t)sizeof(struct sctp_ipv4addr_param);
1949		break;
1950#endif
1951#ifdef INET6
1952	case AF_INET6:
1953		plen = (uint16_t)sizeof(struct sctp_ipv6addr_param);
1954		break;
1955#endif
1956	default:
1957		return (m);
1958	}
1959#if defined(INET) || defined(INET6)
1960	if (M_TRAILINGSPACE(m) >= plen) {
1961		/* easy side we just drop it on the end */
1962		paramh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
1963		mret = m;
1964	} else {
1965		/* Need more space */
1966		mret = m;
1967		while (SCTP_BUF_NEXT(mret) != NULL) {
1968			mret = SCTP_BUF_NEXT(mret);
1969		}
1970		SCTP_BUF_NEXT(mret) = sctp_get_mbuf_for_msg(plen, 0, M_NOWAIT, 1, MT_DATA);
1971		if (SCTP_BUF_NEXT(mret) == NULL) {
1972			/* We are hosed, can't add more addresses */
1973			return (m);
1974		}
1975		mret = SCTP_BUF_NEXT(mret);
1976		paramh = mtod(mret, struct sctp_paramhdr *);
1977	}
1978	/* now add the parameter */
1979	switch (ifa->address.sa.sa_family) {
1980#ifdef INET
1981	case AF_INET:
1982		{
1983			struct sctp_ipv4addr_param *ipv4p;
1984			struct sockaddr_in *sin;
1985
1986			sin = &ifa->address.sin;
1987			ipv4p = (struct sctp_ipv4addr_param *)paramh;
1988			paramh->param_type = htons(SCTP_IPV4_ADDRESS);
1989			paramh->param_length = htons(plen);
1990			ipv4p->addr = sin->sin_addr.s_addr;
1991			SCTP_BUF_LEN(mret) += plen;
1992			break;
1993		}
1994#endif
1995#ifdef INET6
1996	case AF_INET6:
1997		{
1998			struct sctp_ipv6addr_param *ipv6p;
1999			struct sockaddr_in6 *sin6;
2000
2001			sin6 = &ifa->address.sin6;
2002			ipv6p = (struct sctp_ipv6addr_param *)paramh;
2003			paramh->param_type = htons(SCTP_IPV6_ADDRESS);
2004			paramh->param_length = htons(plen);
2005			memcpy(ipv6p->addr, &sin6->sin6_addr,
2006			    sizeof(ipv6p->addr));
2007			/* clear embedded scope in the address */
2008			in6_clearscope((struct in6_addr *)ipv6p->addr);
2009			SCTP_BUF_LEN(mret) += plen;
2010			break;
2011		}
2012#endif
2013	default:
2014		return (m);
2015	}
2016	if (len != NULL) {
2017		*len += plen;
2018	}
2019	return (mret);
2020#endif
2021}
2022
2023struct mbuf *
2024sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2025    struct sctp_scoping *scope,
2026    struct mbuf *m_at, int cnt_inits_to,
2027    uint16_t *padding_len, uint16_t *chunk_len)
2028{
2029	struct sctp_vrf *vrf = NULL;
2030	int cnt, limit_out = 0, total_count;
2031	uint32_t vrf_id;
2032
2033	vrf_id = inp->def_vrf_id;
2034	SCTP_IPI_ADDR_RLOCK();
2035	vrf = sctp_find_vrf(vrf_id);
2036	if (vrf == NULL) {
2037		SCTP_IPI_ADDR_RUNLOCK();
2038		return (m_at);
2039	}
2040	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
2041		struct sctp_ifa *sctp_ifap;
2042		struct sctp_ifn *sctp_ifnp;
2043
2044		cnt = cnt_inits_to;
2045		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
2046			limit_out = 1;
2047			cnt = SCTP_ADDRESS_LIMIT;
2048			goto skip_count;
2049		}
2050		LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2051			if ((scope->loopback_scope == 0) &&
2052			    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2053				/*
2054				 * Skip loopback devices if loopback_scope
2055				 * not set
2056				 */
2057				continue;
2058			}
2059			LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2060#ifdef INET
2061				if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2062				    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2063				    &sctp_ifap->address.sin.sin_addr) != 0)) {
2064					continue;
2065				}
2066#endif
2067#ifdef INET6
2068				if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2069				    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2070				    &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2071					continue;
2072				}
2073#endif
2074				if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2075					continue;
2076				}
2077				if (sctp_is_address_in_scope(sctp_ifap, scope, 1) == 0) {
2078					continue;
2079				}
2080				cnt++;
2081				if (cnt > SCTP_ADDRESS_LIMIT) {
2082					break;
2083				}
2084			}
2085			if (cnt > SCTP_ADDRESS_LIMIT) {
2086				break;
2087			}
2088		}
2089skip_count:
2090		if (cnt > 1) {
2091			total_count = 0;
2092			LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2093				cnt = 0;
2094				if ((scope->loopback_scope == 0) &&
2095				    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2096					/*
2097					 * Skip loopback devices if
2098					 * loopback_scope not set
2099					 */
2100					continue;
2101				}
2102				LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2103#ifdef INET
2104					if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2105					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2106					    &sctp_ifap->address.sin.sin_addr) != 0)) {
2107						continue;
2108					}
2109#endif
2110#ifdef INET6
2111					if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2112					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2113					    &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2114						continue;
2115					}
2116#endif
2117					if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2118						continue;
2119					}
2120					if (sctp_is_address_in_scope(sctp_ifap,
2121					    scope, 0) == 0) {
2122						continue;
2123					}
2124					if ((chunk_len != NULL) &&
2125					    (padding_len != NULL) &&
2126					    (*padding_len > 0)) {
2127						memset(mtod(m_at, caddr_t)+*chunk_len, 0, *padding_len);
2128						SCTP_BUF_LEN(m_at) += *padding_len;
2129						*chunk_len += *padding_len;
2130						*padding_len = 0;
2131					}
2132					m_at = sctp_add_addr_to_mbuf(m_at, sctp_ifap, chunk_len);
2133					if (limit_out) {
2134						cnt++;
2135						total_count++;
2136						if (cnt >= 2) {
2137							/*
2138							 * two from each
2139							 * address
2140							 */
2141							break;
2142						}
2143						if (total_count > SCTP_ADDRESS_LIMIT) {
2144							/* No more addresses */
2145							break;
2146						}
2147					}
2148				}
2149			}
2150		}
2151	} else {
2152		struct sctp_laddr *laddr;
2153
2154		cnt = cnt_inits_to;
2155		/* First, how many ? */
2156		LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2157			if (laddr->ifa == NULL) {
2158				continue;
2159			}
2160			if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2161				/*
2162				 * Address being deleted by the system, dont
2163				 * list.
2164				 */
2165				continue;
2166			if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2167				/*
2168				 * Address being deleted on this ep don't
2169				 * list.
2170				 */
2171				continue;
2172			}
2173			if (sctp_is_address_in_scope(laddr->ifa,
2174			    scope, 1) == 0) {
2175				continue;
2176			}
2177			cnt++;
2178		}
2179		/*
2180		 * To get through a NAT we only list addresses if we have
2181		 * more than one. That way if you just bind a single address
2182		 * we let the source of the init dictate our address.
2183		 */
2184		if (cnt > 1) {
2185			cnt = cnt_inits_to;
2186			LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2187				if (laddr->ifa == NULL) {
2188					continue;
2189				}
2190				if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
2191					continue;
2192				}
2193				if (sctp_is_address_in_scope(laddr->ifa,
2194				    scope, 0) == 0) {
2195					continue;
2196				}
2197				if ((chunk_len != NULL) &&
2198				    (padding_len != NULL) &&
2199				    (*padding_len > 0)) {
2200					memset(mtod(m_at, caddr_t)+*chunk_len, 0, *padding_len);
2201					SCTP_BUF_LEN(m_at) += *padding_len;
2202					*chunk_len += *padding_len;
2203					*padding_len = 0;
2204				}
2205				m_at = sctp_add_addr_to_mbuf(m_at, laddr->ifa, chunk_len);
2206				cnt++;
2207				if (cnt >= SCTP_ADDRESS_LIMIT) {
2208					break;
2209				}
2210			}
2211		}
2212	}
2213	SCTP_IPI_ADDR_RUNLOCK();
2214	return (m_at);
2215}
2216
2217static struct sctp_ifa *
2218sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
2219    uint8_t dest_is_loop,
2220    uint8_t dest_is_priv,
2221    sa_family_t fam)
2222{
2223	uint8_t dest_is_global = 0;
2224
2225	/* dest_is_priv is true if destination is a private address */
2226	/* dest_is_loop is true if destination is a loopback addresses */
2227
2228	/**
2229	 * Here we determine if its a preferred address. A preferred address
2230	 * means it is the same scope or higher scope then the destination.
2231	 * L = loopback, P = private, G = global
2232	 * -----------------------------------------
2233	 *    src    |  dest | result
2234	 *  ----------------------------------------
2235	 *     L     |    L  |    yes
2236	 *  -----------------------------------------
2237	 *     P     |    L  |    yes-v4 no-v6
2238	 *  -----------------------------------------
2239	 *     G     |    L  |    yes-v4 no-v6
2240	 *  -----------------------------------------
2241	 *     L     |    P  |    no
2242	 *  -----------------------------------------
2243	 *     P     |    P  |    yes
2244	 *  -----------------------------------------
2245	 *     G     |    P  |    no
2246	 *   -----------------------------------------
2247	 *     L     |    G  |    no
2248	 *   -----------------------------------------
2249	 *     P     |    G  |    no
2250	 *    -----------------------------------------
2251	 *     G     |    G  |    yes
2252	 *    -----------------------------------------
2253	 */
2254
2255	if (ifa->address.sa.sa_family != fam) {
2256		/* forget mis-matched family */
2257		return (NULL);
2258	}
2259	if ((dest_is_priv == 0) && (dest_is_loop == 0)) {
2260		dest_is_global = 1;
2261	}
2262	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
2263	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
2264	/* Ok the address may be ok */
2265#ifdef INET6
2266	if (fam == AF_INET6) {
2267		/* ok to use deprecated addresses? no lets not! */
2268		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2269			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
2270			return (NULL);
2271		}
2272		if (ifa->src_is_priv && !ifa->src_is_loop) {
2273			if (dest_is_loop) {
2274				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
2275				return (NULL);
2276			}
2277		}
2278		if (ifa->src_is_glob) {
2279			if (dest_is_loop) {
2280				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
2281				return (NULL);
2282			}
2283		}
2284	}
2285#endif
2286	/*
2287	 * Now that we know what is what, implement or table this could in
2288	 * theory be done slicker (it used to be), but this is
2289	 * straightforward and easier to validate :-)
2290	 */
2291	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
2292	    ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
2293	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
2294	    dest_is_loop, dest_is_priv, dest_is_global);
2295
2296	if ((ifa->src_is_loop) && (dest_is_priv)) {
2297		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
2298		return (NULL);
2299	}
2300	if ((ifa->src_is_glob) && (dest_is_priv)) {
2301		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
2302		return (NULL);
2303	}
2304	if ((ifa->src_is_loop) && (dest_is_global)) {
2305		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
2306		return (NULL);
2307	}
2308	if ((ifa->src_is_priv) && (dest_is_global)) {
2309		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
2310		return (NULL);
2311	}
2312	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
2313	/* its a preferred address */
2314	return (ifa);
2315}
2316
2317static struct sctp_ifa *
2318sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
2319    uint8_t dest_is_loop,
2320    uint8_t dest_is_priv,
2321    sa_family_t fam)
2322{
2323	uint8_t dest_is_global = 0;
2324
2325	/**
2326	 * Here we determine if its a acceptable address. A acceptable
2327	 * address means it is the same scope or higher scope but we can
2328	 * allow for NAT which means its ok to have a global dest and a
2329	 * private src.
2330	 *
2331	 * L = loopback, P = private, G = global
2332	 * -----------------------------------------
2333	 *  src    |  dest | result
2334	 * -----------------------------------------
2335	 *   L     |   L   |    yes
2336	 *  -----------------------------------------
2337	 *   P     |   L   |    yes-v4 no-v6
2338	 *  -----------------------------------------
2339	 *   G     |   L   |    yes
2340	 * -----------------------------------------
2341	 *   L     |   P   |    no
2342	 * -----------------------------------------
2343	 *   P     |   P   |    yes
2344	 * -----------------------------------------
2345	 *   G     |   P   |    yes - May not work
2346	 * -----------------------------------------
2347	 *   L     |   G   |    no
2348	 * -----------------------------------------
2349	 *   P     |   G   |    yes - May not work
2350	 * -----------------------------------------
2351	 *   G     |   G   |    yes
2352	 * -----------------------------------------
2353	 */
2354
2355	if (ifa->address.sa.sa_family != fam) {
2356		/* forget non matching family */
2357		SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa_fam:%d fam:%d\n",
2358		    ifa->address.sa.sa_family, fam);
2359		return (NULL);
2360	}
2361	/* Ok the address may be ok */
2362	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, &ifa->address.sa);
2363	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst_is_loop:%d dest_is_priv:%d\n",
2364	    dest_is_loop, dest_is_priv);
2365	if ((dest_is_loop == 0) && (dest_is_priv == 0)) {
2366		dest_is_global = 1;
2367	}
2368#ifdef INET6
2369	if (fam == AF_INET6) {
2370		/* ok to use deprecated addresses? */
2371		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2372			return (NULL);
2373		}
2374		if (ifa->src_is_priv) {
2375			/* Special case, linklocal to loop */
2376			if (dest_is_loop)
2377				return (NULL);
2378		}
2379	}
2380#endif
2381	/*
2382	 * Now that we know what is what, implement our table. This could in
2383	 * theory be done slicker (it used to be), but this is
2384	 * straightforward and easier to validate :-)
2385	 */
2386	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_priv:%d\n",
2387	    ifa->src_is_loop,
2388	    dest_is_priv);
2389	if ((ifa->src_is_loop == 1) && (dest_is_priv)) {
2390		return (NULL);
2391	}
2392	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_glob:%d\n",
2393	    ifa->src_is_loop,
2394	    dest_is_global);
2395	if ((ifa->src_is_loop == 1) && (dest_is_global)) {
2396		return (NULL);
2397	}
2398	SCTPDBG(SCTP_DEBUG_OUTPUT3, "address is acceptable\n");
2399	/* its an acceptable address */
2400	return (ifa);
2401}
2402
2403int
2404sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
2405{
2406	struct sctp_laddr *laddr;
2407
2408	if (stcb == NULL) {
2409		/* There are no restrictions, no TCB :-) */
2410		return (0);
2411	}
2412	LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
2413		if (laddr->ifa == NULL) {
2414			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2415			    __func__);
2416			continue;
2417		}
2418		if (laddr->ifa == ifa) {
2419			/* Yes it is on the list */
2420			return (1);
2421		}
2422	}
2423	return (0);
2424}
2425
2426int
2427sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
2428{
2429	struct sctp_laddr *laddr;
2430
2431	if (ifa == NULL)
2432		return (0);
2433	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2434		if (laddr->ifa == NULL) {
2435			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2436			    __func__);
2437			continue;
2438		}
2439		if ((laddr->ifa == ifa) && laddr->action == 0)
2440			/* same pointer */
2441			return (1);
2442	}
2443	return (0);
2444}
2445
2446static struct sctp_ifa *
2447sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
2448    sctp_route_t *ro,
2449    uint32_t vrf_id,
2450    int non_asoc_addr_ok,
2451    uint8_t dest_is_priv,
2452    uint8_t dest_is_loop,
2453    sa_family_t fam)
2454{
2455	struct sctp_laddr *laddr, *starting_point;
2456	void *ifn;
2457	int resettotop = 0;
2458	struct sctp_ifn *sctp_ifn;
2459	struct sctp_ifa *sctp_ifa, *sifa;
2460	struct sctp_vrf *vrf;
2461	uint32_t ifn_index;
2462
2463	vrf = sctp_find_vrf(vrf_id);
2464	if (vrf == NULL)
2465		return (NULL);
2466
2467	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2468	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2469	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2470	/*
2471	 * first question, is the ifn we will emit on in our list, if so, we
2472	 * want such an address. Note that we first looked for a preferred
2473	 * address.
2474	 */
2475	if (sctp_ifn) {
2476		/* is a preferred one on the interface we route out? */
2477		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2478#ifdef INET
2479			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2480			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2481			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2482				continue;
2483			}
2484#endif
2485#ifdef INET6
2486			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2487			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2488			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2489				continue;
2490			}
2491#endif
2492			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2493			    (non_asoc_addr_ok == 0))
2494				continue;
2495			sifa = sctp_is_ifa_addr_preferred(sctp_ifa,
2496			    dest_is_loop,
2497			    dest_is_priv, fam);
2498			if (sifa == NULL)
2499				continue;
2500			if (sctp_is_addr_in_ep(inp, sifa)) {
2501				atomic_add_int(&sifa->refcount, 1);
2502				return (sifa);
2503			}
2504		}
2505	}
2506	/*
2507	 * ok, now we now need to find one on the list of the addresses. We
2508	 * can't get one on the emitting interface so let's find first a
2509	 * preferred one. If not that an acceptable one otherwise... we
2510	 * return NULL.
2511	 */
2512	starting_point = inp->next_addr_touse;
2513once_again:
2514	if (inp->next_addr_touse == NULL) {
2515		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2516		resettotop = 1;
2517	}
2518	for (laddr = inp->next_addr_touse; laddr;
2519	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2520		if (laddr->ifa == NULL) {
2521			/* address has been removed */
2522			continue;
2523		}
2524		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2525			/* address is being deleted */
2526			continue;
2527		}
2528		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop,
2529		    dest_is_priv, fam);
2530		if (sifa == NULL)
2531			continue;
2532		atomic_add_int(&sifa->refcount, 1);
2533		return (sifa);
2534	}
2535	if (resettotop == 0) {
2536		inp->next_addr_touse = NULL;
2537		goto once_again;
2538	}
2539
2540	inp->next_addr_touse = starting_point;
2541	resettotop = 0;
2542once_again_too:
2543	if (inp->next_addr_touse == NULL) {
2544		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2545		resettotop = 1;
2546	}
2547
2548	/* ok, what about an acceptable address in the inp */
2549	for (laddr = inp->next_addr_touse; laddr;
2550	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2551		if (laddr->ifa == NULL) {
2552			/* address has been removed */
2553			continue;
2554		}
2555		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2556			/* address is being deleted */
2557			continue;
2558		}
2559		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2560		    dest_is_priv, fam);
2561		if (sifa == NULL)
2562			continue;
2563		atomic_add_int(&sifa->refcount, 1);
2564		return (sifa);
2565	}
2566	if (resettotop == 0) {
2567		inp->next_addr_touse = NULL;
2568		goto once_again_too;
2569	}
2570
2571	/*
2572	 * no address bound can be a source for the destination we are in
2573	 * trouble
2574	 */
2575	return (NULL);
2576}
2577
2578static struct sctp_ifa *
2579sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
2580    struct sctp_tcb *stcb,
2581    sctp_route_t *ro,
2582    uint32_t vrf_id,
2583    uint8_t dest_is_priv,
2584    uint8_t dest_is_loop,
2585    int non_asoc_addr_ok,
2586    sa_family_t fam)
2587{
2588	struct sctp_laddr *laddr, *starting_point;
2589	void *ifn;
2590	struct sctp_ifn *sctp_ifn;
2591	struct sctp_ifa *sctp_ifa, *sifa;
2592	uint8_t start_at_beginning = 0;
2593	struct sctp_vrf *vrf;
2594	uint32_t ifn_index;
2595
2596	/*
2597	 * first question, is the ifn we will emit on in our list, if so, we
2598	 * want that one.
2599	 */
2600	vrf = sctp_find_vrf(vrf_id);
2601	if (vrf == NULL)
2602		return (NULL);
2603
2604	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2605	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2606	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2607
2608	/*
2609	 * first question, is the ifn we will emit on in our list?  If so,
2610	 * we want that one. First we look for a preferred. Second, we go
2611	 * for an acceptable.
2612	 */
2613	if (sctp_ifn) {
2614		/* first try for a preferred address on the ep */
2615		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2616#ifdef INET
2617			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2618			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2619			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2620				continue;
2621			}
2622#endif
2623#ifdef INET6
2624			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2625			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2626			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2627				continue;
2628			}
2629#endif
2630			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2631				continue;
2632			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2633				sifa = sctp_is_ifa_addr_preferred(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2634				if (sifa == NULL)
2635					continue;
2636				if (((non_asoc_addr_ok == 0) &&
2637				    (sctp_is_addr_restricted(stcb, sifa))) ||
2638				    (non_asoc_addr_ok &&
2639				    (sctp_is_addr_restricted(stcb, sifa)) &&
2640				    (!sctp_is_addr_pending(stcb, sifa)))) {
2641					/* on the no-no list */
2642					continue;
2643				}
2644				atomic_add_int(&sifa->refcount, 1);
2645				return (sifa);
2646			}
2647		}
2648		/* next try for an acceptable address on the ep */
2649		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2650#ifdef INET
2651			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2652			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2653			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2654				continue;
2655			}
2656#endif
2657#ifdef INET6
2658			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2659			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2660			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2661				continue;
2662			}
2663#endif
2664			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2665				continue;
2666			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2667				sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2668				if (sifa == NULL)
2669					continue;
2670				if (((non_asoc_addr_ok == 0) &&
2671				    (sctp_is_addr_restricted(stcb, sifa))) ||
2672				    (non_asoc_addr_ok &&
2673				    (sctp_is_addr_restricted(stcb, sifa)) &&
2674				    (!sctp_is_addr_pending(stcb, sifa)))) {
2675					/* on the no-no list */
2676					continue;
2677				}
2678				atomic_add_int(&sifa->refcount, 1);
2679				return (sifa);
2680			}
2681		}
2682	}
2683	/*
2684	 * if we can't find one like that then we must look at all addresses
2685	 * bound to pick one at first preferable then secondly acceptable.
2686	 */
2687	starting_point = stcb->asoc.last_used_address;
2688sctp_from_the_top:
2689	if (stcb->asoc.last_used_address == NULL) {
2690		start_at_beginning = 1;
2691		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2692	}
2693	/* search beginning with the last used address */
2694	for (laddr = stcb->asoc.last_used_address; laddr;
2695	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2696		if (laddr->ifa == NULL) {
2697			/* address has been removed */
2698			continue;
2699		}
2700		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2701			/* address is being deleted */
2702			continue;
2703		}
2704		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop, dest_is_priv, fam);
2705		if (sifa == NULL)
2706			continue;
2707		if (((non_asoc_addr_ok == 0) &&
2708		    (sctp_is_addr_restricted(stcb, sifa))) ||
2709		    (non_asoc_addr_ok &&
2710		    (sctp_is_addr_restricted(stcb, sifa)) &&
2711		    (!sctp_is_addr_pending(stcb, sifa)))) {
2712			/* on the no-no list */
2713			continue;
2714		}
2715		stcb->asoc.last_used_address = laddr;
2716		atomic_add_int(&sifa->refcount, 1);
2717		return (sifa);
2718	}
2719	if (start_at_beginning == 0) {
2720		stcb->asoc.last_used_address = NULL;
2721		goto sctp_from_the_top;
2722	}
2723	/* now try for any higher scope than the destination */
2724	stcb->asoc.last_used_address = starting_point;
2725	start_at_beginning = 0;
2726sctp_from_the_top2:
2727	if (stcb->asoc.last_used_address == NULL) {
2728		start_at_beginning = 1;
2729		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2730	}
2731	/* search beginning with the last used address */
2732	for (laddr = stcb->asoc.last_used_address; laddr;
2733	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2734		if (laddr->ifa == NULL) {
2735			/* address has been removed */
2736			continue;
2737		}
2738		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2739			/* address is being deleted */
2740			continue;
2741		}
2742		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2743		    dest_is_priv, fam);
2744		if (sifa == NULL)
2745			continue;
2746		if (((non_asoc_addr_ok == 0) &&
2747		    (sctp_is_addr_restricted(stcb, sifa))) ||
2748		    (non_asoc_addr_ok &&
2749		    (sctp_is_addr_restricted(stcb, sifa)) &&
2750		    (!sctp_is_addr_pending(stcb, sifa)))) {
2751			/* on the no-no list */
2752			continue;
2753		}
2754		stcb->asoc.last_used_address = laddr;
2755		atomic_add_int(&sifa->refcount, 1);
2756		return (sifa);
2757	}
2758	if (start_at_beginning == 0) {
2759		stcb->asoc.last_used_address = NULL;
2760		goto sctp_from_the_top2;
2761	}
2762	return (NULL);
2763}
2764
2765static struct sctp_ifa *
2766sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
2767    struct sctp_inpcb *inp,
2768    struct sctp_tcb *stcb,
2769    int non_asoc_addr_ok,
2770    uint8_t dest_is_loop,
2771    uint8_t dest_is_priv,
2772    int addr_wanted,
2773    sa_family_t fam,
2774    sctp_route_t *ro)
2775{
2776	struct sctp_ifa *ifa, *sifa;
2777	int num_eligible_addr = 0;
2778#ifdef INET6
2779	struct sockaddr_in6 sin6, lsa6;
2780
2781	if (fam == AF_INET6) {
2782		memcpy(&sin6, &ro->ro_dst, sizeof(struct sockaddr_in6));
2783		(void)sa6_recoverscope(&sin6);
2784	}
2785#endif				/* INET6 */
2786	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2787#ifdef INET
2788		if ((ifa->address.sa.sa_family == AF_INET) &&
2789		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2790		    &ifa->address.sin.sin_addr) != 0)) {
2791			continue;
2792		}
2793#endif
2794#ifdef INET6
2795		if ((ifa->address.sa.sa_family == AF_INET6) &&
2796		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2797		    &ifa->address.sin6.sin6_addr) != 0)) {
2798			continue;
2799		}
2800#endif
2801		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2802		    (non_asoc_addr_ok == 0))
2803			continue;
2804		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2805		    dest_is_priv, fam);
2806		if (sifa == NULL)
2807			continue;
2808#ifdef INET6
2809		if (fam == AF_INET6 &&
2810		    dest_is_loop &&
2811		    sifa->src_is_loop && sifa->src_is_priv) {
2812			/*
2813			 * don't allow fe80::1 to be a src on loop ::1, we
2814			 * don't list it to the peer so we will get an
2815			 * abort.
2816			 */
2817			continue;
2818		}
2819		if (fam == AF_INET6 &&
2820		    IN6_IS_ADDR_LINKLOCAL(&sifa->address.sin6.sin6_addr) &&
2821		    IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
2822			/*
2823			 * link-local <-> link-local must belong to the same
2824			 * scope.
2825			 */
2826			memcpy(&lsa6, &sifa->address.sin6, sizeof(struct sockaddr_in6));
2827			(void)sa6_recoverscope(&lsa6);
2828			if (sin6.sin6_scope_id != lsa6.sin6_scope_id) {
2829				continue;
2830			}
2831		}
2832#endif				/* INET6 */
2833
2834		/*
2835		 * Check if the IPv6 address matches to next-hop. In the
2836		 * mobile case, old IPv6 address may be not deleted from the
2837		 * interface. Then, the interface has previous and new
2838		 * addresses.  We should use one corresponding to the
2839		 * next-hop.  (by micchie)
2840		 */
2841#ifdef INET6
2842		if (stcb && fam == AF_INET6 &&
2843		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2844			if (sctp_v6src_match_nexthop(&sifa->address.sin6, ro) == 0) {
2845				continue;
2846			}
2847		}
2848#endif
2849#ifdef INET
2850		/* Avoid topologically incorrect IPv4 address */
2851		if (stcb && fam == AF_INET &&
2852		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2853			if (sctp_v4src_match_nexthop(sifa, ro) == 0) {
2854				continue;
2855			}
2856		}
2857#endif
2858		if (stcb) {
2859			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2860				continue;
2861			}
2862			if (((non_asoc_addr_ok == 0) &&
2863			    (sctp_is_addr_restricted(stcb, sifa))) ||
2864			    (non_asoc_addr_ok &&
2865			    (sctp_is_addr_restricted(stcb, sifa)) &&
2866			    (!sctp_is_addr_pending(stcb, sifa)))) {
2867				/*
2868				 * It is restricted for some reason..
2869				 * probably not yet added.
2870				 */
2871				continue;
2872			}
2873		}
2874		if (num_eligible_addr >= addr_wanted) {
2875			return (sifa);
2876		}
2877		num_eligible_addr++;
2878	}
2879	return (NULL);
2880}
2881
2882static int
2883sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
2884    struct sctp_inpcb *inp,
2885    struct sctp_tcb *stcb,
2886    int non_asoc_addr_ok,
2887    uint8_t dest_is_loop,
2888    uint8_t dest_is_priv,
2889    sa_family_t fam)
2890{
2891	struct sctp_ifa *ifa, *sifa;
2892	int num_eligible_addr = 0;
2893
2894	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2895#ifdef INET
2896		if ((ifa->address.sa.sa_family == AF_INET) &&
2897		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2898		    &ifa->address.sin.sin_addr) != 0)) {
2899			continue;
2900		}
2901#endif
2902#ifdef INET6
2903		if ((ifa->address.sa.sa_family == AF_INET6) &&
2904		    (stcb != NULL) &&
2905		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2906		    &ifa->address.sin6.sin6_addr) != 0)) {
2907			continue;
2908		}
2909#endif
2910		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2911		    (non_asoc_addr_ok == 0)) {
2912			continue;
2913		}
2914		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2915		    dest_is_priv, fam);
2916		if (sifa == NULL) {
2917			continue;
2918		}
2919		if (stcb) {
2920			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2921				continue;
2922			}
2923			if (((non_asoc_addr_ok == 0) &&
2924			    (sctp_is_addr_restricted(stcb, sifa))) ||
2925			    (non_asoc_addr_ok &&
2926			    (sctp_is_addr_restricted(stcb, sifa)) &&
2927			    (!sctp_is_addr_pending(stcb, sifa)))) {
2928				/*
2929				 * It is restricted for some reason..
2930				 * probably not yet added.
2931				 */
2932				continue;
2933			}
2934		}
2935		num_eligible_addr++;
2936	}
2937	return (num_eligible_addr);
2938}
2939
2940static struct sctp_ifa *
2941sctp_choose_boundall(struct sctp_inpcb *inp,
2942    struct sctp_tcb *stcb,
2943    struct sctp_nets *net,
2944    sctp_route_t *ro,
2945    uint32_t vrf_id,
2946    uint8_t dest_is_priv,
2947    uint8_t dest_is_loop,
2948    int non_asoc_addr_ok,
2949    sa_family_t fam)
2950{
2951	int cur_addr_num = 0, num_preferred = 0;
2952	void *ifn;
2953	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
2954	struct sctp_ifa *sctp_ifa, *sifa;
2955	uint32_t ifn_index;
2956	struct sctp_vrf *vrf;
2957#ifdef INET
2958	int retried = 0;
2959#endif
2960
2961	/*-
2962	 * For boundall we can use any address in the association.
2963	 * If non_asoc_addr_ok is set we can use any address (at least in
2964	 * theory). So we look for preferred addresses first. If we find one,
2965	 * we use it. Otherwise we next try to get an address on the
2966	 * interface, which we should be able to do (unless non_asoc_addr_ok
2967	 * is false and we are routed out that way). In these cases where we
2968	 * can't use the address of the interface we go through all the
2969	 * ifn's looking for an address we can use and fill that in. Punting
2970	 * means we send back address 0, which will probably cause problems
2971	 * actually since then IP will fill in the address of the route ifn,
2972	 * which means we probably already rejected it.. i.e. here comes an
2973	 * abort :-<.
2974	 */
2975	vrf = sctp_find_vrf(vrf_id);
2976	if (vrf == NULL)
2977		return (NULL);
2978
2979	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2980	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2981	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn from route:%p ifn_index:%d\n", ifn, ifn_index);
2982	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2983	if (sctp_ifn == NULL) {
2984		/* ?? We don't have this guy ?? */
2985		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No ifn emit interface?\n");
2986		goto bound_all_plan_b;
2987	}
2988	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn_index:%d name:%s is emit interface\n",
2989	    ifn_index, sctp_ifn->ifn_name);
2990
2991	if (net) {
2992		cur_addr_num = net->indx_of_eligible_next_to_use;
2993	}
2994	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
2995	    inp, stcb,
2996	    non_asoc_addr_ok,
2997	    dest_is_loop,
2998	    dest_is_priv, fam);
2999	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
3000	    num_preferred, sctp_ifn->ifn_name);
3001	if (num_preferred == 0) {
3002		/*
3003		 * no eligible addresses, we must use some other interface
3004		 * address if we can find one.
3005		 */
3006		goto bound_all_plan_b;
3007	}
3008	/*
3009	 * Ok we have num_eligible_addr set with how many we can use, this
3010	 * may vary from call to call due to addresses being deprecated
3011	 * etc..
3012	 */
3013	if (cur_addr_num >= num_preferred) {
3014		cur_addr_num = 0;
3015	}
3016	/*
3017	 * select the nth address from the list (where cur_addr_num is the
3018	 * nth) and 0 is the first one, 1 is the second one etc...
3019	 */
3020	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);
3021
3022	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3023	    dest_is_priv, cur_addr_num, fam, ro);
3024
3025	/* if sctp_ifa is NULL something changed??, fall to plan b. */
3026	if (sctp_ifa) {
3027		atomic_add_int(&sctp_ifa->refcount, 1);
3028		if (net) {
3029			/* save off where the next one we will want */
3030			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3031		}
3032		return (sctp_ifa);
3033	}
3034	/*
3035	 * plan_b: Look at all interfaces and find a preferred address. If
3036	 * no preferred fall through to plan_c.
3037	 */
3038bound_all_plan_b:
3039	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
3040	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3041		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
3042		    sctp_ifn->ifn_name);
3043		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3044			/* wrong base scope */
3045			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
3046			continue;
3047		}
3048		if ((sctp_ifn == looked_at) && looked_at) {
3049			/* already looked at this guy */
3050			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
3051			continue;
3052		}
3053		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok,
3054		    dest_is_loop, dest_is_priv, fam);
3055		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3056		    "Found ifn:%p %d preferred source addresses\n",
3057		    ifn, num_preferred);
3058		if (num_preferred == 0) {
3059			/* None on this interface. */
3060			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No preferred -- skipping to next\n");
3061			continue;
3062		}
3063		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3064		    "num preferred:%d on interface:%p cur_addr_num:%d\n",
3065		    num_preferred, (void *)sctp_ifn, cur_addr_num);
3066
3067		/*
3068		 * Ok we have num_eligible_addr set with how many we can
3069		 * use, this may vary from call to call due to addresses
3070		 * being deprecated etc..
3071		 */
3072		if (cur_addr_num >= num_preferred) {
3073			cur_addr_num = 0;
3074		}
3075		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3076		    dest_is_priv, cur_addr_num, fam, ro);
3077		if (sifa == NULL)
3078			continue;
3079		if (net) {
3080			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3081			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
3082			    cur_addr_num);
3083			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
3084			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
3085			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
3086			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
3087		}
3088		atomic_add_int(&sifa->refcount, 1);
3089		return (sifa);
3090	}
3091#ifdef INET
3092again_with_private_addresses_allowed:
3093#endif
3094	/* plan_c: do we have an acceptable address on the emit interface */
3095	sifa = NULL;
3096	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan C: find acceptable on interface\n");
3097	if (emit_ifn == NULL) {
3098		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jump to Plan D - no emit_ifn\n");
3099		goto plan_d;
3100	}
3101	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
3102		SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifa:%p\n", (void *)sctp_ifa);
3103#ifdef INET
3104		if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3105		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3106		    &sctp_ifa->address.sin.sin_addr) != 0)) {
3107			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jailed\n");
3108			continue;
3109		}
3110#endif
3111#ifdef INET6
3112		if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3113		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3114		    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3115			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jailed\n");
3116			continue;
3117		}
3118#endif
3119		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3120		    (non_asoc_addr_ok == 0)) {
3121			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Defer\n");
3122			continue;
3123		}
3124		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
3125		    dest_is_priv, fam);
3126		if (sifa == NULL) {
3127			SCTPDBG(SCTP_DEBUG_OUTPUT2, "IFA not acceptable\n");
3128			continue;
3129		}
3130		if (stcb) {
3131			if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3132				SCTPDBG(SCTP_DEBUG_OUTPUT2, "NOT in scope\n");
3133				sifa = NULL;
3134				continue;
3135			}
3136			if (((non_asoc_addr_ok == 0) &&
3137			    (sctp_is_addr_restricted(stcb, sifa))) ||
3138			    (non_asoc_addr_ok &&
3139			    (sctp_is_addr_restricted(stcb, sifa)) &&
3140			    (!sctp_is_addr_pending(stcb, sifa)))) {
3141				/*
3142				 * It is restricted for some reason..
3143				 * probably not yet added.
3144				 */
3145				SCTPDBG(SCTP_DEBUG_OUTPUT2, "Its restricted\n");
3146				sifa = NULL;
3147				continue;
3148			}
3149		}
3150		atomic_add_int(&sifa->refcount, 1);
3151		goto out;
3152	}
3153plan_d:
3154	/*
3155	 * plan_d: We are in trouble. No preferred address on the emit
3156	 * interface. And not even a preferred address on all interfaces. Go
3157	 * out and see if we can find an acceptable address somewhere
3158	 * amongst all interfaces.
3159	 */
3160	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D looked_at is %p\n", (void *)looked_at);
3161	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3162		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3163			/* wrong base scope */
3164			continue;
3165		}
3166		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3167#ifdef INET
3168			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3169			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3170			    &sctp_ifa->address.sin.sin_addr) != 0)) {
3171				continue;
3172			}
3173#endif
3174#ifdef INET6
3175			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3176			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3177			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3178				continue;
3179			}
3180#endif
3181			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3182			    (non_asoc_addr_ok == 0))
3183				continue;
3184			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3185			    dest_is_loop,
3186			    dest_is_priv, fam);
3187			if (sifa == NULL)
3188				continue;
3189			if (stcb) {
3190				if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3191					sifa = NULL;
3192					continue;
3193				}
3194				if (((non_asoc_addr_ok == 0) &&
3195				    (sctp_is_addr_restricted(stcb, sifa))) ||
3196				    (non_asoc_addr_ok &&
3197				    (sctp_is_addr_restricted(stcb, sifa)) &&
3198				    (!sctp_is_addr_pending(stcb, sifa)))) {
3199					/*
3200					 * It is restricted for some
3201					 * reason.. probably not yet added.
3202					 */
3203					sifa = NULL;
3204					continue;
3205				}
3206			}
3207			goto out;
3208		}
3209	}
3210#ifdef INET
3211	if (stcb) {
3212		if ((retried == 0) && (stcb->asoc.scope.ipv4_local_scope == 0)) {
3213			stcb->asoc.scope.ipv4_local_scope = 1;
3214			retried = 1;
3215			goto again_with_private_addresses_allowed;
3216		} else if (retried == 1) {
3217			stcb->asoc.scope.ipv4_local_scope = 0;
3218		}
3219	}
3220#endif
3221out:
3222#ifdef INET
3223	if (sifa) {
3224		if (retried == 1) {
3225			LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3226				if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3227					/* wrong base scope */
3228					continue;
3229				}
3230				LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3231					struct sctp_ifa *tmp_sifa;
3232
3233#ifdef INET
3234					if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3235					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3236					    &sctp_ifa->address.sin.sin_addr) != 0)) {
3237						continue;
3238					}
3239#endif
3240#ifdef INET6
3241					if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3242					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3243					    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3244						continue;
3245					}
3246#endif
3247					if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3248					    (non_asoc_addr_ok == 0))
3249						continue;
3250					tmp_sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3251					    dest_is_loop,
3252					    dest_is_priv, fam);
3253					if (tmp_sifa == NULL) {
3254						continue;
3255					}
3256					if (tmp_sifa == sifa) {
3257						continue;
3258					}
3259					if (stcb) {
3260						if (sctp_is_address_in_scope(tmp_sifa,
3261						    &stcb->asoc.scope, 0) == 0) {
3262							continue;
3263						}
3264						if (((non_asoc_addr_ok == 0) &&
3265						    (sctp_is_addr_restricted(stcb, tmp_sifa))) ||
3266						    (non_asoc_addr_ok &&
3267						    (sctp_is_addr_restricted(stcb, tmp_sifa)) &&
3268						    (!sctp_is_addr_pending(stcb, tmp_sifa)))) {
3269							/*
3270							 * It is restricted
3271							 * for some reason..
3272							 * probably not yet
3273							 * added.
3274							 */
3275							continue;
3276						}
3277					}
3278					if ((tmp_sifa->address.sin.sin_family == AF_INET) &&
3279					    (IN4_ISPRIVATE_ADDRESS(&(tmp_sifa->address.sin.sin_addr)))) {
3280						sctp_add_local_addr_restricted(stcb, tmp_sifa);
3281					}
3282				}
3283			}
3284		}
3285		atomic_add_int(&sifa->refcount, 1);
3286	}
3287#endif
3288	return (sifa);
3289}
3290
3291/* tcb may be NULL */
3292struct sctp_ifa *
3293sctp_source_address_selection(struct sctp_inpcb *inp,
3294    struct sctp_tcb *stcb,
3295    sctp_route_t *ro,
3296    struct sctp_nets *net,
3297    int non_asoc_addr_ok, uint32_t vrf_id)
3298{
3299	struct sctp_ifa *answer;
3300	uint8_t dest_is_priv, dest_is_loop;
3301	sa_family_t fam;
3302#ifdef INET
3303	struct sockaddr_in *to = (struct sockaddr_in *)&ro->ro_dst;
3304#endif
3305#ifdef INET6
3306	struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&ro->ro_dst;
3307#endif
3308
3309	/**
3310	 * Rules:
3311	 * - Find the route if needed, cache if I can.
3312	 * - Look at interface address in route, Is it in the bound list. If so we
3313	 *   have the best source.
3314	 * - If not we must rotate amongst the addresses.
3315	 *
3316	 * Caveats and issues
3317	 *
3318	 * Do we need to pay attention to scope. We can have a private address
3319	 * or a global address we are sourcing or sending to. So if we draw
3320	 * it out
3321	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3322	 * For V4
3323	 * ------------------------------------------
3324	 *      source     *      dest  *  result
3325	 * -----------------------------------------
3326	 * <a>  Private    *    Global  *  NAT
3327	 * -----------------------------------------
3328	 * <b>  Private    *    Private *  No problem
3329	 * -----------------------------------------
3330	 * <c>  Global     *    Private *  Huh, How will this work?
3331	 * -----------------------------------------
3332	 * <d>  Global     *    Global  *  No Problem
3333	 *------------------------------------------
3334	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3335	 * For V6
3336	 *------------------------------------------
3337	 *      source     *      dest  *  result
3338	 * -----------------------------------------
3339	 * <a>  Linklocal  *    Global  *
3340	 * -----------------------------------------
3341	 * <b>  Linklocal  * Linklocal  *  No problem
3342	 * -----------------------------------------
3343	 * <c>  Global     * Linklocal  *  Huh, How will this work?
3344	 * -----------------------------------------
3345	 * <d>  Global     *    Global  *  No Problem
3346	 *------------------------------------------
3347	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3348	 *
3349	 * And then we add to that what happens if there are multiple addresses
3350	 * assigned to an interface. Remember the ifa on a ifn is a linked
3351	 * list of addresses. So one interface can have more than one IP
3352	 * address. What happens if we have both a private and a global
3353	 * address? Do we then use context of destination to sort out which
3354	 * one is best? And what about NAT's sending P->G may get you a NAT
3355	 * translation, or should you select the G thats on the interface in
3356	 * preference.
3357	 *
3358	 * Decisions:
3359	 *
3360	 * - count the number of addresses on the interface.
3361	 * - if it is one, no problem except case <c>.
3362	 *   For <a> we will assume a NAT out there.
3363	 * - if there are more than one, then we need to worry about scope P
3364	 *   or G. We should prefer G -> G and P -> P if possible.
3365	 *   Then as a secondary fall back to mixed types G->P being a last
3366	 *   ditch one.
3367	 * - The above all works for bound all, but bound specific we need to
3368	 *   use the same concept but instead only consider the bound
3369	 *   addresses. If the bound set is NOT assigned to the interface then
3370	 *   we must use rotation amongst the bound addresses..
3371	 */
3372	if (ro->ro_nh == NULL) {
3373		/*
3374		 * Need a route to cache.
3375		 */
3376		SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
3377	}
3378	if (ro->ro_nh == NULL) {
3379		return (NULL);
3380	}
3381	fam = ro->ro_dst.sa_family;
3382	dest_is_priv = dest_is_loop = 0;
3383	/* Setup our scopes for the destination */
3384	switch (fam) {
3385#ifdef INET
3386	case AF_INET:
3387		/* Scope based on outbound address */
3388		if (IN4_ISLOOPBACK_ADDRESS(&to->sin_addr)) {
3389			dest_is_loop = 1;
3390			if (net != NULL) {
3391				/* mark it as local */
3392				net->addr_is_local = 1;
3393			}
3394		} else if ((IN4_ISPRIVATE_ADDRESS(&to->sin_addr))) {
3395			dest_is_priv = 1;
3396		}
3397		break;
3398#endif
3399#ifdef INET6
3400	case AF_INET6:
3401		/* Scope based on outbound address */
3402		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr) ||
3403		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
3404			/*
3405			 * If the address is a loopback address, which
3406			 * consists of "::1" OR "fe80::1%lo0", we are
3407			 * loopback scope. But we don't use dest_is_priv
3408			 * (link local addresses).
3409			 */
3410			dest_is_loop = 1;
3411			if (net != NULL) {
3412				/* mark it as local */
3413				net->addr_is_local = 1;
3414			}
3415		} else if (IN6_IS_ADDR_LINKLOCAL(&to6->sin6_addr)) {
3416			dest_is_priv = 1;
3417		}
3418		break;
3419#endif
3420	}
3421	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
3422	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&ro->ro_dst);
3423	SCTP_IPI_ADDR_RLOCK();
3424	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
3425		/*
3426		 * Bound all case
3427		 */
3428		answer = sctp_choose_boundall(inp, stcb, net, ro, vrf_id,
3429		    dest_is_priv, dest_is_loop,
3430		    non_asoc_addr_ok, fam);
3431		SCTP_IPI_ADDR_RUNLOCK();
3432		return (answer);
3433	}
3434	/*
3435	 * Subset bound case
3436	 */
3437	if (stcb) {
3438		answer = sctp_choose_boundspecific_stcb(inp, stcb, ro,
3439		    vrf_id, dest_is_priv,
3440		    dest_is_loop,
3441		    non_asoc_addr_ok, fam);
3442	} else {
3443		answer = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
3444		    non_asoc_addr_ok,
3445		    dest_is_priv,
3446		    dest_is_loop, fam);
3447	}
3448	SCTP_IPI_ADDR_RUNLOCK();
3449	return (answer);
3450}
3451
3452static bool
3453sctp_find_cmsg(int c_type, void *data, struct mbuf *control, size_t cpsize)
3454{
3455	struct cmsghdr cmh;
3456	struct sctp_sndinfo sndinfo;
3457	struct sctp_prinfo prinfo;
3458	struct sctp_authinfo authinfo;
3459	int tot_len, rem_len, cmsg_data_len, cmsg_data_off, off;
3460	bool found;
3461
3462	/*
3463	 * Independent of how many mbufs, find the c_type inside the control
3464	 * structure and copy out the data.
3465	 */
3466	found = false;
3467	tot_len = SCTP_BUF_LEN(control);
3468	for (off = 0; off < tot_len; off += CMSG_ALIGN(cmh.cmsg_len)) {
3469		rem_len = tot_len - off;
3470		if (rem_len < (int)CMSG_ALIGN(sizeof(cmh))) {
3471			/* There is not enough room for one more. */
3472			return (found);
3473		}
3474		m_copydata(control, off, sizeof(cmh), (caddr_t)&cmh);
3475		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3476			/* We dont't have a complete CMSG header. */
3477			return (found);
3478		}
3479		if ((cmh.cmsg_len > INT_MAX) || ((int)cmh.cmsg_len > rem_len)) {
3480			/* We don't have the complete CMSG. */
3481			return (found);
3482		}
3483		cmsg_data_len = (int)cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh));
3484		cmsg_data_off = off + CMSG_ALIGN(sizeof(cmh));
3485		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
3486		    ((c_type == cmh.cmsg_type) ||
3487		    ((c_type == SCTP_SNDRCV) &&
3488		    ((cmh.cmsg_type == SCTP_SNDINFO) ||
3489		    (cmh.cmsg_type == SCTP_PRINFO) ||
3490		    (cmh.cmsg_type == SCTP_AUTHINFO))))) {
3491			if (c_type == cmh.cmsg_type) {
3492				if (cpsize > INT_MAX) {
3493					return (found);
3494				}
3495				if (cmsg_data_len < (int)cpsize) {
3496					return (found);
3497				}
3498				/* It is exactly what we want. Copy it out. */
3499				m_copydata(control, cmsg_data_off, (int)cpsize, (caddr_t)data);
3500				return (1);
3501			} else {
3502				struct sctp_sndrcvinfo *sndrcvinfo;
3503
3504				sndrcvinfo = (struct sctp_sndrcvinfo *)data;
3505				if (!found) {
3506					if (cpsize < sizeof(struct sctp_sndrcvinfo)) {
3507						return (found);
3508					}
3509					memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
3510				}
3511				switch (cmh.cmsg_type) {
3512				case SCTP_SNDINFO:
3513					if (cmsg_data_len < (int)sizeof(struct sctp_sndinfo)) {
3514						return (found);
3515					}
3516					m_copydata(control, cmsg_data_off, sizeof(struct sctp_sndinfo), (caddr_t)&sndinfo);
3517					sndrcvinfo->sinfo_stream = sndinfo.snd_sid;
3518					sndrcvinfo->sinfo_flags = sndinfo.snd_flags;
3519					sndrcvinfo->sinfo_ppid = sndinfo.snd_ppid;
3520					sndrcvinfo->sinfo_context = sndinfo.snd_context;
3521					sndrcvinfo->sinfo_assoc_id = sndinfo.snd_assoc_id;
3522					break;
3523				case SCTP_PRINFO:
3524					if (cmsg_data_len < (int)sizeof(struct sctp_prinfo)) {
3525						return (found);
3526					}
3527					m_copydata(control, cmsg_data_off, sizeof(struct sctp_prinfo), (caddr_t)&prinfo);
3528					if (prinfo.pr_policy != SCTP_PR_SCTP_NONE) {
3529						sndrcvinfo->sinfo_timetolive = prinfo.pr_value;
3530					} else {
3531						sndrcvinfo->sinfo_timetolive = 0;
3532					}
3533					sndrcvinfo->sinfo_flags |= prinfo.pr_policy;
3534					break;
3535				case SCTP_AUTHINFO:
3536					if (cmsg_data_len < (int)sizeof(struct sctp_authinfo)) {
3537						return (found);
3538					}
3539					m_copydata(control, cmsg_data_off, sizeof(struct sctp_authinfo), (caddr_t)&authinfo);
3540					sndrcvinfo->sinfo_keynumber_valid = 1;
3541					sndrcvinfo->sinfo_keynumber = authinfo.auth_keynumber;
3542					break;
3543				default:
3544					return (found);
3545				}
3546				found = true;
3547			}
3548		}
3549	}
3550	return (found);
3551}
3552
3553static int
3554sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *error)
3555{
3556	struct cmsghdr cmh;
3557	struct sctp_initmsg initmsg;
3558#ifdef INET
3559	struct sockaddr_in sin;
3560#endif
3561#ifdef INET6
3562	struct sockaddr_in6 sin6;
3563#endif
3564	int tot_len, rem_len, cmsg_data_len, cmsg_data_off, off;
3565
3566	tot_len = SCTP_BUF_LEN(control);
3567	for (off = 0; off < tot_len; off += CMSG_ALIGN(cmh.cmsg_len)) {
3568		rem_len = tot_len - off;
3569		if (rem_len < (int)CMSG_ALIGN(sizeof(cmh))) {
3570			/* There is not enough room for one more. */
3571			*error = EINVAL;
3572			return (1);
3573		}
3574		m_copydata(control, off, sizeof(cmh), (caddr_t)&cmh);
3575		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3576			/* We dont't have a complete CMSG header. */
3577			*error = EINVAL;
3578			return (1);
3579		}
3580		if ((cmh.cmsg_len > INT_MAX) || ((int)cmh.cmsg_len > rem_len)) {
3581			/* We don't have the complete CMSG. */
3582			*error = EINVAL;
3583			return (1);
3584		}
3585		cmsg_data_len = (int)cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh));
3586		cmsg_data_off = off + CMSG_ALIGN(sizeof(cmh));
3587		if (cmh.cmsg_level == IPPROTO_SCTP) {
3588			switch (cmh.cmsg_type) {
3589			case SCTP_INIT:
3590				if (cmsg_data_len < (int)sizeof(struct sctp_initmsg)) {
3591					*error = EINVAL;
3592					return (1);
3593				}
3594				m_copydata(control, cmsg_data_off, sizeof(struct sctp_initmsg), (caddr_t)&initmsg);
3595				if (initmsg.sinit_max_attempts)
3596					stcb->asoc.max_init_times = initmsg.sinit_max_attempts;
3597				if (initmsg.sinit_num_ostreams)
3598					stcb->asoc.pre_open_streams = initmsg.sinit_num_ostreams;
3599				if (initmsg.sinit_max_instreams)
3600					stcb->asoc.max_inbound_streams = initmsg.sinit_max_instreams;
3601				if (initmsg.sinit_max_init_timeo)
3602					stcb->asoc.initial_init_rto_max = initmsg.sinit_max_init_timeo;
3603				if (stcb->asoc.streamoutcnt < stcb->asoc.pre_open_streams) {
3604					struct sctp_stream_out *tmp_str;
3605					unsigned int i;
3606#if defined(SCTP_DETAILED_STR_STATS)
3607					int j;
3608#endif
3609
3610					/* Default is NOT correct */
3611					SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, default:%d pre_open:%d\n",
3612					    stcb->asoc.streamoutcnt, stcb->asoc.pre_open_streams);
3613					SCTP_TCB_UNLOCK(stcb);
3614					SCTP_MALLOC(tmp_str,
3615					    struct sctp_stream_out *,
3616					    (stcb->asoc.pre_open_streams * sizeof(struct sctp_stream_out)),
3617					    SCTP_M_STRMO);
3618					SCTP_TCB_LOCK(stcb);
3619					if (tmp_str != NULL) {
3620						SCTP_FREE(stcb->asoc.strmout, SCTP_M_STRMO);
3621						stcb->asoc.strmout = tmp_str;
3622						stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt = stcb->asoc.pre_open_streams;
3623					} else {
3624						stcb->asoc.pre_open_streams = stcb->asoc.streamoutcnt;
3625					}
3626					for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3627						TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
3628						stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], NULL);
3629						stcb->asoc.strmout[i].chunks_on_queues = 0;
3630#if defined(SCTP_DETAILED_STR_STATS)
3631						for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
3632							stcb->asoc.strmout[i].abandoned_sent[j] = 0;
3633							stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
3634						}
3635#else
3636						stcb->asoc.strmout[i].abandoned_sent[0] = 0;
3637						stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
3638#endif
3639						stcb->asoc.strmout[i].next_mid_ordered = 0;
3640						stcb->asoc.strmout[i].next_mid_unordered = 0;
3641						stcb->asoc.strmout[i].sid = i;
3642						stcb->asoc.strmout[i].last_msg_incomplete = 0;
3643						stcb->asoc.strmout[i].state = SCTP_STREAM_OPENING;
3644					}
3645				}
3646				break;
3647#ifdef INET
3648			case SCTP_DSTADDRV4:
3649				if (cmsg_data_len < (int)sizeof(struct in_addr)) {
3650					*error = EINVAL;
3651					return (1);
3652				}
3653				memset(&sin, 0, sizeof(struct sockaddr_in));
3654				sin.sin_family = AF_INET;
3655				sin.sin_len = sizeof(struct sockaddr_in);
3656				sin.sin_port = stcb->rport;
3657				m_copydata(control, cmsg_data_off, sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3658				if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3659				    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3660				    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3661					*error = EINVAL;
3662					return (1);
3663				}
3664				if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL, stcb->asoc.port,
3665				    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3666					*error = ENOBUFS;
3667					return (1);
3668				}
3669				break;
3670#endif
3671#ifdef INET6
3672			case SCTP_DSTADDRV6:
3673				if (cmsg_data_len < (int)sizeof(struct in6_addr)) {
3674					*error = EINVAL;
3675					return (1);
3676				}
3677				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3678				sin6.sin6_family = AF_INET6;
3679				sin6.sin6_len = sizeof(struct sockaddr_in6);
3680				sin6.sin6_port = stcb->rport;
3681				m_copydata(control, cmsg_data_off, sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3682				if (IN6_IS_ADDR_UNSPECIFIED(&sin6.sin6_addr) ||
3683				    IN6_IS_ADDR_MULTICAST(&sin6.sin6_addr)) {
3684					*error = EINVAL;
3685					return (1);
3686				}
3687#ifdef INET
3688				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3689					in6_sin6_2_sin(&sin, &sin6);
3690					if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3691					    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3692					    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3693						*error = EINVAL;
3694						return (1);
3695					}
3696					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL, stcb->asoc.port,
3697					    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3698						*error = ENOBUFS;
3699						return (1);
3700					}
3701				} else
3702#endif
3703					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin6, NULL, stcb->asoc.port,
3704				    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3705					*error = ENOBUFS;
3706					return (1);
3707				}
3708				break;
3709#endif
3710			default:
3711				break;
3712			}
3713		}
3714	}
3715	return (0);
3716}
3717
3718#if defined(INET) || defined(INET6)
3719static struct sctp_tcb *
3720sctp_findassociation_cmsgs(struct sctp_inpcb **inp_p,
3721    uint16_t port,
3722    struct mbuf *control,
3723    struct sctp_nets **net_p,
3724    int *error)
3725{
3726	struct cmsghdr cmh;
3727	struct sctp_tcb *stcb;
3728	struct sockaddr *addr;
3729#ifdef INET
3730	struct sockaddr_in sin;
3731#endif
3732#ifdef INET6
3733	struct sockaddr_in6 sin6;
3734#endif
3735	int tot_len, rem_len, cmsg_data_len, cmsg_data_off, off;
3736
3737	tot_len = SCTP_BUF_LEN(control);
3738	for (off = 0; off < tot_len; off += CMSG_ALIGN(cmh.cmsg_len)) {
3739		rem_len = tot_len - off;
3740		if (rem_len < (int)CMSG_ALIGN(sizeof(cmh))) {
3741			/* There is not enough room for one more. */
3742			*error = EINVAL;
3743			return (NULL);
3744		}
3745		m_copydata(control, off, sizeof(cmh), (caddr_t)&cmh);
3746		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3747			/* We dont't have a complete CMSG header. */
3748			*error = EINVAL;
3749			return (NULL);
3750		}
3751		if ((cmh.cmsg_len > INT_MAX) || ((int)cmh.cmsg_len > rem_len)) {
3752			/* We don't have the complete CMSG. */
3753			*error = EINVAL;
3754			return (NULL);
3755		}
3756		cmsg_data_len = (int)cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh));
3757		cmsg_data_off = off + CMSG_ALIGN(sizeof(cmh));
3758		if (cmh.cmsg_level == IPPROTO_SCTP) {
3759			switch (cmh.cmsg_type) {
3760#ifdef INET
3761			case SCTP_DSTADDRV4:
3762				if (cmsg_data_len < (int)sizeof(struct in_addr)) {
3763					*error = EINVAL;
3764					return (NULL);
3765				}
3766				memset(&sin, 0, sizeof(struct sockaddr_in));
3767				sin.sin_family = AF_INET;
3768				sin.sin_len = sizeof(struct sockaddr_in);
3769				sin.sin_port = port;
3770				m_copydata(control, cmsg_data_off, sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3771				addr = (struct sockaddr *)&sin;
3772				break;
3773#endif
3774#ifdef INET6
3775			case SCTP_DSTADDRV6:
3776				if (cmsg_data_len < (int)sizeof(struct in6_addr)) {
3777					*error = EINVAL;
3778					return (NULL);
3779				}
3780				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3781				sin6.sin6_family = AF_INET6;
3782				sin6.sin6_len = sizeof(struct sockaddr_in6);
3783				sin6.sin6_port = port;
3784				m_copydata(control, cmsg_data_off, sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3785#ifdef INET
3786				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3787					in6_sin6_2_sin(&sin, &sin6);
3788					addr = (struct sockaddr *)&sin;
3789				} else
3790#endif
3791					addr = (struct sockaddr *)&sin6;
3792				break;
3793#endif
3794			default:
3795				addr = NULL;
3796				break;
3797			}
3798			if (addr) {
3799				stcb = sctp_findassociation_ep_addr(inp_p, addr, net_p, NULL, NULL);
3800				if (stcb != NULL) {
3801					return (stcb);
3802				}
3803			}
3804		}
3805	}
3806	return (NULL);
3807}
3808#endif
3809
3810static struct mbuf *
3811sctp_add_cookie(struct mbuf *init, int init_offset,
3812    struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t **signature)
3813{
3814	struct mbuf *copy_init, *copy_initack, *m_at, *sig, *mret;
3815	struct sctp_state_cookie *stc;
3816	struct sctp_paramhdr *ph;
3817	uint16_t cookie_sz;
3818
3819	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
3820	    sizeof(struct sctp_paramhdr)), 0,
3821	    M_NOWAIT, 1, MT_DATA);
3822	if (mret == NULL) {
3823		return (NULL);
3824	}
3825	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_NOWAIT);
3826	if (copy_init == NULL) {
3827		sctp_m_freem(mret);
3828		return (NULL);
3829	}
3830#ifdef SCTP_MBUF_LOGGING
3831	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3832		sctp_log_mbc(copy_init, SCTP_MBUF_ICOPY);
3833	}
3834#endif
3835	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
3836	    M_NOWAIT);
3837	if (copy_initack == NULL) {
3838		sctp_m_freem(mret);
3839		sctp_m_freem(copy_init);
3840		return (NULL);
3841	}
3842#ifdef SCTP_MBUF_LOGGING
3843	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3844		sctp_log_mbc(copy_initack, SCTP_MBUF_ICOPY);
3845	}
3846#endif
3847	/* easy side we just drop it on the end */
3848	ph = mtod(mret, struct sctp_paramhdr *);
3849	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
3850	    sizeof(struct sctp_paramhdr);
3851	stc = (struct sctp_state_cookie *)((caddr_t)ph +
3852	    sizeof(struct sctp_paramhdr));
3853	ph->param_type = htons(SCTP_STATE_COOKIE);
3854	ph->param_length = 0;	/* fill in at the end */
3855	/* Fill in the stc cookie data */
3856	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));
3857
3858	/* tack the INIT and then the INIT-ACK onto the chain */
3859	cookie_sz = 0;
3860	for (m_at = mret; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3861		cookie_sz += SCTP_BUF_LEN(m_at);
3862		if (SCTP_BUF_NEXT(m_at) == NULL) {
3863			SCTP_BUF_NEXT(m_at) = copy_init;
3864			break;
3865		}
3866	}
3867	for (m_at = copy_init; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3868		cookie_sz += SCTP_BUF_LEN(m_at);
3869		if (SCTP_BUF_NEXT(m_at) == NULL) {
3870			SCTP_BUF_NEXT(m_at) = copy_initack;
3871			break;
3872		}
3873	}
3874	for (m_at = copy_initack; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3875		cookie_sz += SCTP_BUF_LEN(m_at);
3876		if (SCTP_BUF_NEXT(m_at) == NULL) {
3877			break;
3878		}
3879	}
3880	sig = sctp_get_mbuf_for_msg(SCTP_SIGNATURE_SIZE, 0, M_NOWAIT, 1, MT_DATA);
3881	if (sig == NULL) {
3882		/* no space, so free the entire chain */
3883		sctp_m_freem(mret);
3884		return (NULL);
3885	}
3886	SCTP_BUF_NEXT(m_at) = sig;
3887	SCTP_BUF_LEN(sig) = SCTP_SIGNATURE_SIZE;
3888	cookie_sz += SCTP_SIGNATURE_SIZE;
3889	ph->param_length = htons(cookie_sz);
3890	*signature = (uint8_t *)mtod(sig, caddr_t);
3891	memset(*signature, 0, SCTP_SIGNATURE_SIZE);
3892	return (mret);
3893}
3894
3895static uint8_t
3896sctp_get_ect(struct sctp_tcb *stcb)
3897{
3898	if ((stcb != NULL) && (stcb->asoc.ecn_supported == 1)) {
3899		return (SCTP_ECT0_BIT);
3900	} else {
3901		return (0);
3902	}
3903}
3904
3905#if defined(INET) || defined(INET6)
3906static void
3907sctp_handle_no_route(struct sctp_tcb *stcb,
3908    struct sctp_nets *net,
3909    int so_locked)
3910{
3911	SCTPDBG(SCTP_DEBUG_OUTPUT1, "dropped packet - no valid source addr\n");
3912
3913	if (net) {
3914		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination was ");
3915		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1, &net->ro._l_addr.sa);
3916		if (net->dest_state & SCTP_ADDR_CONFIRMED) {
3917			if ((net->dest_state & SCTP_ADDR_REACHABLE) && stcb) {
3918				SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", (void *)net);
3919				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
3920				    stcb, 0,
3921				    (void *)net,
3922				    so_locked);
3923				net->dest_state &= ~SCTP_ADDR_REACHABLE;
3924				net->dest_state &= ~SCTP_ADDR_PF;
3925			}
3926		}
3927		if (stcb) {
3928			if (net == stcb->asoc.primary_destination) {
3929				/* need a new primary */
3930				struct sctp_nets *alt;
3931
3932				alt = sctp_find_alternate_net(stcb, net, 0);
3933				if (alt != net) {
3934					if (stcb->asoc.alternate) {
3935						sctp_free_remote_addr(stcb->asoc.alternate);
3936					}
3937					stcb->asoc.alternate = alt;
3938					atomic_add_int(&stcb->asoc.alternate->ref_count, 1);
3939					if (net->ro._s_addr) {
3940						sctp_free_ifa(net->ro._s_addr);
3941						net->ro._s_addr = NULL;
3942					}
3943					net->src_addr_selected = 0;
3944				}
3945			}
3946		}
3947	}
3948}
3949#endif
3950
3951static int
3952sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
3953    struct sctp_tcb *stcb,	/* may be NULL */
3954    struct sctp_nets *net,
3955    struct sockaddr *to,
3956    struct mbuf *m,
3957    uint32_t auth_offset,
3958    struct sctp_auth_chunk *auth,
3959    uint16_t auth_keyid,
3960    int nofragment_flag,
3961    int ecn_ok,
3962    int out_of_asoc_ok,
3963    uint16_t src_port,
3964    uint16_t dest_port,
3965    uint32_t v_tag,
3966    uint16_t port,
3967    union sctp_sockstore *over_addr,
3968    uint8_t mflowtype, uint32_t mflowid,
3969    bool use_zero_crc,
3970    int so_locked)
3971{
3972/* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
3973	/**
3974	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet header
3975	 * WITH an SCTPHDR but no IP header, endpoint inp and sa structure:
3976	 * - fill in the HMAC digest of any AUTH chunk in the packet.
3977	 * - calculate and fill in the SCTP checksum.
3978	 * - prepend an IP address header.
3979	 * - if boundall use INADDR_ANY.
3980	 * - if boundspecific do source address selection.
3981	 * - set fragmentation option for ipV4.
3982	 * - On return from IP output, check/adjust mtu size of output
3983	 *   interface and smallest_mtu size as well.
3984	 */
3985	/* Will need ifdefs around this */
3986	struct mbuf *newm;
3987	struct sctphdr *sctphdr;
3988	int packet_length;
3989	int ret;
3990#if defined(INET) || defined(INET6)
3991	uint32_t vrf_id;
3992#endif
3993#if defined(INET) || defined(INET6)
3994	struct mbuf *o_pak;
3995	sctp_route_t *ro = NULL;
3996	struct udphdr *udp = NULL;
3997#endif
3998	uint8_t tos_value;
3999
4000	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
4001		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4002		sctp_m_freem(m);
4003		return (EFAULT);
4004	}
4005#if defined(INET) || defined(INET6)
4006	if (stcb) {
4007		vrf_id = stcb->asoc.vrf_id;
4008	} else {
4009		vrf_id = inp->def_vrf_id;
4010	}
4011#endif
4012	/* fill in the HMAC digest for any AUTH chunk in the packet */
4013	if ((auth != NULL) && (stcb != NULL)) {
4014		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
4015	}
4016
4017	if (net) {
4018		tos_value = net->dscp;
4019	} else if (stcb) {
4020		tos_value = stcb->asoc.default_dscp;
4021	} else {
4022		tos_value = inp->sctp_ep.default_dscp;
4023	}
4024
4025	switch (to->sa_family) {
4026#ifdef INET
4027	case AF_INET:
4028		{
4029			struct ip *ip = NULL;
4030			sctp_route_t iproute;
4031			int len;
4032
4033			len = SCTP_MIN_V4_OVERHEAD;
4034			if (port) {
4035				len += sizeof(struct udphdr);
4036			}
4037			newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4038			if (newm == NULL) {
4039				sctp_m_freem(m);
4040				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4041				return (ENOMEM);
4042			}
4043			SCTP_ALIGN_TO_END(newm, len);
4044			SCTP_BUF_LEN(newm) = len;
4045			SCTP_BUF_NEXT(newm) = m;
4046			m = newm;
4047			if (net != NULL) {
4048				m->m_pkthdr.flowid = net->flowid;
4049				M_HASHTYPE_SET(m, net->flowtype);
4050			} else {
4051				m->m_pkthdr.flowid = mflowid;
4052				M_HASHTYPE_SET(m, mflowtype);
4053			}
4054			packet_length = sctp_calculate_len(m);
4055			ip = mtod(m, struct ip *);
4056			ip->ip_v = IPVERSION;
4057			ip->ip_hl = (sizeof(struct ip) >> 2);
4058			if (tos_value == 0) {
4059				/*
4060				 * This means especially, that it is not set
4061				 * at the SCTP layer. So use the value from
4062				 * the IP layer.
4063				 */
4064				tos_value = inp->ip_inp.inp.inp_ip_tos;
4065			}
4066			tos_value &= 0xfc;
4067			if (ecn_ok) {
4068				tos_value |= sctp_get_ect(stcb);
4069			}
4070			if ((nofragment_flag) && (port == 0)) {
4071				ip->ip_off = htons(IP_DF);
4072			} else {
4073				ip->ip_off = htons(0);
4074			}
4075			/* FreeBSD has a function for ip_id's */
4076			ip_fillid(ip);
4077
4078			ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
4079			ip->ip_len = htons(packet_length);
4080			ip->ip_tos = tos_value;
4081			if (port) {
4082				ip->ip_p = IPPROTO_UDP;
4083			} else {
4084				ip->ip_p = IPPROTO_SCTP;
4085			}
4086			ip->ip_sum = 0;
4087			if (net == NULL) {
4088				ro = &iproute;
4089				memset(&iproute, 0, sizeof(iproute));
4090				memcpy(&ro->ro_dst, to, to->sa_len);
4091			} else {
4092				ro = (sctp_route_t *)&net->ro;
4093			}
4094			/* Now the address selection part */
4095			ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
4096
4097			/* call the routine to select the src address */
4098			if (net && out_of_asoc_ok == 0) {
4099				if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
4100					sctp_free_ifa(net->ro._s_addr);
4101					net->ro._s_addr = NULL;
4102					net->src_addr_selected = 0;
4103					RO_NHFREE(ro);
4104				}
4105				if (net->src_addr_selected == 0) {
4106					/* Cache the source address */
4107					net->ro._s_addr = sctp_source_address_selection(inp, stcb,
4108					    ro, net, 0,
4109					    vrf_id);
4110					net->src_addr_selected = 1;
4111				}
4112				if (net->ro._s_addr == NULL) {
4113					/* No route to host */
4114					net->src_addr_selected = 0;
4115					sctp_handle_no_route(stcb, net, so_locked);
4116					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4117					sctp_m_freem(m);
4118					return (EHOSTUNREACH);
4119				}
4120				ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
4121			} else {
4122				if (over_addr == NULL) {
4123					struct sctp_ifa *_lsrc;
4124
4125					_lsrc = sctp_source_address_selection(inp, stcb, ro,
4126					    net,
4127					    out_of_asoc_ok,
4128					    vrf_id);
4129					if (_lsrc == NULL) {
4130						sctp_handle_no_route(stcb, net, so_locked);
4131						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4132						sctp_m_freem(m);
4133						return (EHOSTUNREACH);
4134					}
4135					ip->ip_src = _lsrc->address.sin.sin_addr;
4136					sctp_free_ifa(_lsrc);
4137				} else {
4138					ip->ip_src = over_addr->sin.sin_addr;
4139					SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
4140				}
4141			}
4142			if (port) {
4143				if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4144					sctp_handle_no_route(stcb, net, so_locked);
4145					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4146					sctp_m_freem(m);
4147					return (EHOSTUNREACH);
4148				}
4149				udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
4150				udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4151				udp->uh_dport = port;
4152				udp->uh_ulen = htons((uint16_t)(packet_length - sizeof(struct ip)));
4153				if (V_udp_cksum) {
4154					udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4155				} else {
4156					udp->uh_sum = 0;
4157				}
4158				sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4159			} else {
4160				sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
4161			}
4162
4163			sctphdr->src_port = src_port;
4164			sctphdr->dest_port = dest_port;
4165			sctphdr->v_tag = v_tag;
4166			sctphdr->checksum = 0;
4167
4168			/*
4169			 * If source address selection fails and we find no
4170			 * route then the ip_output should fail as well with
4171			 * a NO_ROUTE_TO_HOST type error. We probably should
4172			 * catch that somewhere and abort the association
4173			 * right away (assuming this is an INIT being sent).
4174			 */
4175			if (ro->ro_nh == NULL) {
4176				/*
4177				 * src addr selection failed to find a route
4178				 * (or valid source addr), so we can't get
4179				 * there from here (yet)!
4180				 */
4181				sctp_handle_no_route(stcb, net, so_locked);
4182				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4183				sctp_m_freem(m);
4184				return (EHOSTUNREACH);
4185			}
4186			if (ro != &iproute) {
4187				memcpy(&iproute, ro, sizeof(*ro));
4188			}
4189			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
4190			    (uint32_t)(ntohl(ip->ip_src.s_addr)));
4191			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
4192			    (uint32_t)(ntohl(ip->ip_dst.s_addr)));
4193			SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
4194			    (void *)ro->ro_nh);
4195
4196			if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4197				/* failed to prepend data, give up */
4198				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4199				sctp_m_freem(m);
4200				return (ENOMEM);
4201			}
4202			SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4203			if (port) {
4204				if (use_zero_crc) {
4205					SCTP_STAT_INCR(sctps_sendzerocrc);
4206				} else {
4207					sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
4208					SCTP_STAT_INCR(sctps_sendswcrc);
4209				}
4210				if (V_udp_cksum) {
4211					SCTP_ENABLE_UDP_CSUM(o_pak);
4212				}
4213			} else {
4214				if (use_zero_crc) {
4215					SCTP_STAT_INCR(sctps_sendzerocrc);
4216				} else {
4217					m->m_pkthdr.csum_flags = CSUM_SCTP;
4218					m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4219					SCTP_STAT_INCR(sctps_sendhwcrc);
4220				}
4221			}
4222#ifdef SCTP_PACKET_LOGGING
4223			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4224				sctp_packet_log(o_pak);
4225#endif
4226			/* send it out.  table id is taken from stcb */
4227			SCTP_PROBE5(send, NULL, stcb, ip, stcb, sctphdr);
4228			SCTP_IP_OUTPUT(ret, o_pak, ro, inp, vrf_id);
4229			if (port) {
4230				UDPSTAT_INC(udps_opackets);
4231			}
4232			SCTP_STAT_INCR(sctps_sendpackets);
4233			SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4234			if (ret)
4235				SCTP_STAT_INCR(sctps_senderrors);
4236
4237			SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
4238			if (net == NULL) {
4239				/* free tempy routes */
4240				RO_NHFREE(ro);
4241			} else {
4242				if ((ro->ro_nh != NULL) && (net->ro._s_addr) &&
4243				    ((net->dest_state & SCTP_ADDR_NO_PMTUD) == 0)) {
4244					uint32_t mtu;
4245
4246					mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_nh);
4247					if (mtu > 0) {
4248						if (net->port) {
4249							mtu -= sizeof(struct udphdr);
4250						}
4251						if (mtu < net->mtu) {
4252							net->mtu = mtu;
4253							if ((stcb != NULL) && (stcb->asoc.smallest_mtu > mtu)) {
4254								sctp_pathmtu_adjustment(stcb, mtu, true);
4255							}
4256						}
4257					}
4258				} else if (ro->ro_nh == NULL) {
4259					/* route was freed */
4260					if (net->ro._s_addr &&
4261					    net->src_addr_selected) {
4262						sctp_free_ifa(net->ro._s_addr);
4263						net->ro._s_addr = NULL;
4264					}
4265					net->src_addr_selected = 0;
4266				}
4267			}
4268			return (ret);
4269		}
4270#endif
4271#ifdef INET6
4272	case AF_INET6:
4273		{
4274			uint32_t flowlabel, flowinfo;
4275			struct ip6_hdr *ip6h;
4276			struct route_in6 ip6route;
4277			struct ifnet *ifp;
4278			struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
4279			int prev_scope = 0;
4280			struct sockaddr_in6 lsa6_storage;
4281			int error;
4282			u_short prev_port = 0;
4283			int len;
4284
4285			if (net) {
4286				flowlabel = net->flowlabel;
4287			} else if (stcb) {
4288				flowlabel = stcb->asoc.default_flowlabel;
4289			} else {
4290				flowlabel = inp->sctp_ep.default_flowlabel;
4291			}
4292			if (flowlabel == 0) {
4293				/*
4294				 * This means especially, that it is not set
4295				 * at the SCTP layer. So use the value from
4296				 * the IP layer.
4297				 */
4298				flowlabel = ntohl(((struct inpcb *)inp)->inp_flow);
4299			}
4300			flowlabel &= 0x000fffff;
4301			len = SCTP_MIN_OVERHEAD;
4302			if (port) {
4303				len += sizeof(struct udphdr);
4304			}
4305			newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4306			if (newm == NULL) {
4307				sctp_m_freem(m);
4308				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4309				return (ENOMEM);
4310			}
4311			SCTP_ALIGN_TO_END(newm, len);
4312			SCTP_BUF_LEN(newm) = len;
4313			SCTP_BUF_NEXT(newm) = m;
4314			m = newm;
4315			if (net != NULL) {
4316				m->m_pkthdr.flowid = net->flowid;
4317				M_HASHTYPE_SET(m, net->flowtype);
4318			} else {
4319				m->m_pkthdr.flowid = mflowid;
4320				M_HASHTYPE_SET(m, mflowtype);
4321			}
4322			packet_length = sctp_calculate_len(m);
4323
4324			ip6h = mtod(m, struct ip6_hdr *);
4325			/* protect *sin6 from overwrite */
4326			sin6 = (struct sockaddr_in6 *)to;
4327			tmp = *sin6;
4328			sin6 = &tmp;
4329
4330			/* KAME hack: embed scopeid */
4331			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4332				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4333				sctp_m_freem(m);
4334				return (EINVAL);
4335			}
4336			if (net == NULL) {
4337				memset(&ip6route, 0, sizeof(ip6route));
4338				ro = (sctp_route_t *)&ip6route;
4339				memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
4340			} else {
4341				ro = (sctp_route_t *)&net->ro;
4342			}
4343			/*
4344			 * We assume here that inp_flow is in host byte
4345			 * order within the TCB!
4346			 */
4347			if (tos_value == 0) {
4348				/*
4349				 * This means especially, that it is not set
4350				 * at the SCTP layer. So use the value from
4351				 * the IP layer.
4352				 */
4353				tos_value = (ntohl(((struct inpcb *)inp)->inp_flow) >> 20) & 0xff;
4354			}
4355			tos_value &= 0xfc;
4356			if (ecn_ok) {
4357				tos_value |= sctp_get_ect(stcb);
4358			}
4359			flowinfo = 0x06;
4360			flowinfo <<= 8;
4361			flowinfo |= tos_value;
4362			flowinfo <<= 20;
4363			flowinfo |= flowlabel;
4364			ip6h->ip6_flow = htonl(flowinfo);
4365			if (port) {
4366				ip6h->ip6_nxt = IPPROTO_UDP;
4367			} else {
4368				ip6h->ip6_nxt = IPPROTO_SCTP;
4369			}
4370			ip6h->ip6_plen = htons((uint16_t)(packet_length - sizeof(struct ip6_hdr)));
4371			ip6h->ip6_dst = sin6->sin6_addr;
4372
4373			/*
4374			 * Add SRC address selection here: we can only reuse
4375			 * to a limited degree the kame src-addr-sel, since
4376			 * we can try their selection but it may not be
4377			 * bound.
4378			 */
4379			memset(&lsa6_tmp, 0, sizeof(lsa6_tmp));
4380			lsa6_tmp.sin6_family = AF_INET6;
4381			lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
4382			lsa6 = &lsa6_tmp;
4383			if (net && out_of_asoc_ok == 0) {
4384				if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
4385					sctp_free_ifa(net->ro._s_addr);
4386					net->ro._s_addr = NULL;
4387					net->src_addr_selected = 0;
4388					RO_NHFREE(ro);
4389				}
4390				if (net->src_addr_selected == 0) {
4391					sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4392					/* KAME hack: embed scopeid */
4393					if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4394						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4395						sctp_m_freem(m);
4396						return (EINVAL);
4397					}
4398					/* Cache the source address */
4399					net->ro._s_addr = sctp_source_address_selection(inp,
4400					    stcb,
4401					    ro,
4402					    net,
4403					    0,
4404					    vrf_id);
4405					(void)sa6_recoverscope(sin6);
4406					net->src_addr_selected = 1;
4407				}
4408				if (net->ro._s_addr == NULL) {
4409					SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
4410					net->src_addr_selected = 0;
4411					sctp_handle_no_route(stcb, net, so_locked);
4412					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4413					sctp_m_freem(m);
4414					return (EHOSTUNREACH);
4415				}
4416				lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
4417			} else {
4418				sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
4419				/* KAME hack: embed scopeid */
4420				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4421					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4422					sctp_m_freem(m);
4423					return (EINVAL);
4424				}
4425				if (over_addr == NULL) {
4426					struct sctp_ifa *_lsrc;
4427
4428					_lsrc = sctp_source_address_selection(inp, stcb, ro,
4429					    net,
4430					    out_of_asoc_ok,
4431					    vrf_id);
4432					if (_lsrc == NULL) {
4433						sctp_handle_no_route(stcb, net, so_locked);
4434						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4435						sctp_m_freem(m);
4436						return (EHOSTUNREACH);
4437					}
4438					lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
4439					sctp_free_ifa(_lsrc);
4440				} else {
4441					lsa6->sin6_addr = over_addr->sin6.sin6_addr;
4442					SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
4443				}
4444				(void)sa6_recoverscope(sin6);
4445			}
4446			lsa6->sin6_port = inp->sctp_lport;
4447
4448			if (ro->ro_nh == NULL) {
4449				/*
4450				 * src addr selection failed to find a route
4451				 * (or valid source addr), so we can't get
4452				 * there from here!
4453				 */
4454				sctp_handle_no_route(stcb, net, so_locked);
4455				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4456				sctp_m_freem(m);
4457				return (EHOSTUNREACH);
4458			}
4459			/*
4460			 * XXX: sa6 may not have a valid sin6_scope_id in
4461			 * the non-SCOPEDROUTING case.
4462			 */
4463			memset(&lsa6_storage, 0, sizeof(lsa6_storage));
4464			lsa6_storage.sin6_family = AF_INET6;
4465			lsa6_storage.sin6_len = sizeof(lsa6_storage);
4466			lsa6_storage.sin6_addr = lsa6->sin6_addr;
4467			if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
4468				SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
4469				sctp_m_freem(m);
4470				return (error);
4471			}
4472			/* XXX */
4473			lsa6_storage.sin6_addr = lsa6->sin6_addr;
4474			lsa6_storage.sin6_port = inp->sctp_lport;
4475			lsa6 = &lsa6_storage;
4476			ip6h->ip6_src = lsa6->sin6_addr;
4477
4478			if (port) {
4479				if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4480					sctp_handle_no_route(stcb, net, so_locked);
4481					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4482					sctp_m_freem(m);
4483					return (EHOSTUNREACH);
4484				}
4485				udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4486				udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4487				udp->uh_dport = port;
4488				udp->uh_ulen = htons((uint16_t)(packet_length - sizeof(struct ip6_hdr)));
4489				udp->uh_sum = 0;
4490				sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4491			} else {
4492				sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4493			}
4494
4495			sctphdr->src_port = src_port;
4496			sctphdr->dest_port = dest_port;
4497			sctphdr->v_tag = v_tag;
4498			sctphdr->checksum = 0;
4499
4500			/*
4501			 * We set the hop limit now since there is a good
4502			 * chance that our ro pointer is now filled
4503			 */
4504			ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
4505			ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
4506
4507#ifdef SCTP_DEBUG
4508			/* Copy to be sure something bad is not happening */
4509			sin6->sin6_addr = ip6h->ip6_dst;
4510			lsa6->sin6_addr = ip6h->ip6_src;
4511#endif
4512
4513			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4514			SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4515			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4516			SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4517			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4518			if (net) {
4519				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4520				/*
4521				 * preserve the port and scope for link
4522				 * local send
4523				 */
4524				prev_scope = sin6->sin6_scope_id;
4525				prev_port = sin6->sin6_port;
4526			}
4527
4528			if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4529				/* failed to prepend data, give up */
4530				sctp_m_freem(m);
4531				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4532				return (ENOMEM);
4533			}
4534			SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4535			if (port) {
4536				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4537				SCTP_STAT_INCR(sctps_sendswcrc);
4538				if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4539					udp->uh_sum = 0xffff;
4540				}
4541			} else {
4542				m->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
4543				m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4544				SCTP_STAT_INCR(sctps_sendhwcrc);
4545			}
4546			/* send it out. table id is taken from stcb */
4547#ifdef SCTP_PACKET_LOGGING
4548			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4549				sctp_packet_log(o_pak);
4550#endif
4551			SCTP_PROBE5(send, NULL, stcb, ip6h, stcb, sctphdr);
4552			SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, inp, vrf_id);
4553			if (net) {
4554				/* for link local this must be done */
4555				sin6->sin6_scope_id = prev_scope;
4556				sin6->sin6_port = prev_port;
4557			}
4558			SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4559			if (port) {
4560				UDPSTAT_INC(udps_opackets);
4561			}
4562			SCTP_STAT_INCR(sctps_sendpackets);
4563			SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4564			if (ret) {
4565				SCTP_STAT_INCR(sctps_senderrors);
4566			}
4567			if (net == NULL) {
4568				/* Now if we had a temp route free it */
4569				RO_NHFREE(ro);
4570			} else {
4571				/*
4572				 * PMTU check versus smallest asoc MTU goes
4573				 * here
4574				 */
4575				if (ro->ro_nh == NULL) {
4576					/* Route was freed */
4577					if (net->ro._s_addr &&
4578					    net->src_addr_selected) {
4579						sctp_free_ifa(net->ro._s_addr);
4580						net->ro._s_addr = NULL;
4581					}
4582					net->src_addr_selected = 0;
4583				}
4584				if ((ro->ro_nh != NULL) && (net->ro._s_addr) &&
4585				    ((net->dest_state & SCTP_ADDR_NO_PMTUD) == 0)) {
4586					uint32_t mtu;
4587
4588					mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_nh);
4589					if (mtu > 0) {
4590						if (net->port) {
4591							mtu -= sizeof(struct udphdr);
4592						}
4593						if (mtu < net->mtu) {
4594							net->mtu = mtu;
4595							if ((stcb != NULL) && (stcb->asoc.smallest_mtu > mtu)) {
4596								sctp_pathmtu_adjustment(stcb, mtu, false);
4597							}
4598						}
4599					}
4600				} else if (ifp != NULL) {
4601					if ((ND_IFINFO(ifp)->linkmtu > 0) &&
4602					    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4603						sctp_pathmtu_adjustment(stcb, ND_IFINFO(ifp)->linkmtu, false);
4604					}
4605				}
4606			}
4607			return (ret);
4608		}
4609#endif
4610	default:
4611		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
4612		    ((struct sockaddr *)to)->sa_family);
4613		sctp_m_freem(m);
4614		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4615		return (EFAULT);
4616	}
4617}
4618
4619void
4620sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked)
4621{
4622	struct mbuf *m, *m_last;
4623	struct sctp_nets *net;
4624	struct sctp_init_chunk *init;
4625	struct sctp_supported_addr_param *sup_addr;
4626	struct sctp_adaptation_layer_indication *ali;
4627	struct sctp_zero_checksum_acceptable *zero_chksum;
4628	struct sctp_supported_chunk_types_param *pr_supported;
4629	struct sctp_paramhdr *ph;
4630	int cnt_inits_to = 0;
4631	int error;
4632	uint16_t num_ext, chunk_len, padding_len, parameter_len;
4633
4634	/* INIT's always go to the primary (and usually ONLY address) */
4635	net = stcb->asoc.primary_destination;
4636	if (net == NULL) {
4637		net = TAILQ_FIRST(&stcb->asoc.nets);
4638		if (net == NULL) {
4639			/* TSNH */
4640			return;
4641		}
4642		/* we confirm any address we send an INIT to */
4643		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4644		(void)sctp_set_primary_addr(stcb, NULL, net);
4645	} else {
4646		/* we confirm any address we send an INIT to */
4647		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4648	}
4649	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
4650#ifdef INET6
4651	if (net->ro._l_addr.sa.sa_family == AF_INET6) {
4652		/*
4653		 * special hook, if we are sending to link local it will not
4654		 * show up in our private address count.
4655		 */
4656		if (IN6_IS_ADDR_LINKLOCAL(&net->ro._l_addr.sin6.sin6_addr))
4657			cnt_inits_to = 1;
4658	}
4659#endif
4660	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4661		/* This case should not happen */
4662		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
4663		return;
4664	}
4665	/* start the INIT timer */
4666	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
4667
4668	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_NOWAIT, 1, MT_DATA);
4669	if (m == NULL) {
4670		/* No memory, INIT timer will re-attempt. */
4671		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
4672		return;
4673	}
4674	chunk_len = (uint16_t)sizeof(struct sctp_init_chunk);
4675	padding_len = 0;
4676	/* Now lets put the chunk header in place */
4677	init = mtod(m, struct sctp_init_chunk *);
4678	/* now the chunk header */
4679	init->ch.chunk_type = SCTP_INITIATION;
4680	init->ch.chunk_flags = 0;
4681	/* fill in later from mbuf we build */
4682	init->ch.chunk_length = 0;
4683	/* place in my tag */
4684	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
4685	/* set up some of the credits. */
4686	init->init.a_rwnd = htonl(max(inp->sctp_socket ? SCTP_SB_LIMIT_RCV(inp->sctp_socket) : 0,
4687	    SCTP_MINIMAL_RWND));
4688	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
4689	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
4690	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);
4691
4692	/* Adaptation layer indication parameter */
4693	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
4694		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
4695		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t)+chunk_len);
4696		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
4697		ali->ph.param_length = htons(parameter_len);
4698		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
4699		chunk_len += parameter_len;
4700	}
4701
4702	/* ECN parameter */
4703	if (stcb->asoc.ecn_supported == 1) {
4704		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4705		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4706		ph->param_type = htons(SCTP_ECN_CAPABLE);
4707		ph->param_length = htons(parameter_len);
4708		chunk_len += parameter_len;
4709	}
4710
4711	/* PR-SCTP supported parameter */
4712	if (stcb->asoc.prsctp_supported == 1) {
4713		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4714		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4715		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
4716		ph->param_length = htons(parameter_len);
4717		chunk_len += parameter_len;
4718	}
4719
4720	/* Zero checksum acceptable parameter */
4721	if (stcb->asoc.rcv_edmid != SCTP_EDMID_NONE) {
4722		parameter_len = (uint16_t)sizeof(struct sctp_zero_checksum_acceptable);
4723		zero_chksum = (struct sctp_zero_checksum_acceptable *)(mtod(m, caddr_t)+chunk_len);
4724		zero_chksum->ph.param_type = htons(SCTP_ZERO_CHECKSUM_ACCEPTABLE);
4725		zero_chksum->ph.param_length = htons(parameter_len);
4726		zero_chksum->edmid = htonl(stcb->asoc.rcv_edmid);
4727		chunk_len += parameter_len;
4728	}
4729
4730	/* Add NAT friendly parameter. */
4731	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
4732		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4733		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4734		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
4735		ph->param_length = htons(parameter_len);
4736		chunk_len += parameter_len;
4737	}
4738
4739	/* And now tell the peer which extensions we support */
4740	num_ext = 0;
4741	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+chunk_len);
4742	if (stcb->asoc.prsctp_supported == 1) {
4743		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
4744		if (stcb->asoc.idata_supported) {
4745			pr_supported->chunk_types[num_ext++] = SCTP_IFORWARD_CUM_TSN;
4746		}
4747	}
4748	if (stcb->asoc.auth_supported == 1) {
4749		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
4750	}
4751	if (stcb->asoc.asconf_supported == 1) {
4752		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
4753		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
4754	}
4755	if (stcb->asoc.reconfig_supported == 1) {
4756		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
4757	}
4758	if (stcb->asoc.idata_supported) {
4759		pr_supported->chunk_types[num_ext++] = SCTP_IDATA;
4760	}
4761	if (stcb->asoc.nrsack_supported == 1) {
4762		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
4763	}
4764	if (stcb->asoc.pktdrop_supported == 1) {
4765		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
4766	}
4767	if (num_ext > 0) {
4768		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
4769		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
4770		pr_supported->ph.param_length = htons(parameter_len);
4771		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4772		chunk_len += parameter_len;
4773	}
4774	/* add authentication parameters */
4775	if (stcb->asoc.auth_supported) {
4776		/* attach RANDOM parameter, if available */
4777		if (stcb->asoc.authinfo.random != NULL) {
4778			struct sctp_auth_random *randp;
4779
4780			if (padding_len > 0) {
4781				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4782				chunk_len += padding_len;
4783				padding_len = 0;
4784			}
4785			randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+chunk_len);
4786			parameter_len = (uint16_t)sizeof(struct sctp_auth_random) + stcb->asoc.authinfo.random_len;
4787			/* random key already contains the header */
4788			memcpy(randp, stcb->asoc.authinfo.random->key, parameter_len);
4789			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4790			chunk_len += parameter_len;
4791		}
4792		/* add HMAC_ALGO parameter */
4793		if (stcb->asoc.local_hmacs != NULL) {
4794			struct sctp_auth_hmac_algo *hmacs;
4795
4796			if (padding_len > 0) {
4797				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4798				chunk_len += padding_len;
4799				padding_len = 0;
4800			}
4801			hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+chunk_len);
4802			parameter_len = (uint16_t)(sizeof(struct sctp_auth_hmac_algo) +
4803			    stcb->asoc.local_hmacs->num_algo * sizeof(uint16_t));
4804			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
4805			hmacs->ph.param_length = htons(parameter_len);
4806			sctp_serialize_hmaclist(stcb->asoc.local_hmacs, (uint8_t *)hmacs->hmac_ids);
4807			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4808			chunk_len += parameter_len;
4809		}
4810		/* add CHUNKS parameter */
4811		if (stcb->asoc.local_auth_chunks != NULL) {
4812			struct sctp_auth_chunk_list *chunks;
4813
4814			if (padding_len > 0) {
4815				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4816				chunk_len += padding_len;
4817				padding_len = 0;
4818			}
4819			chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+chunk_len);
4820			parameter_len = (uint16_t)(sizeof(struct sctp_auth_chunk_list) +
4821			    sctp_auth_get_chklist_size(stcb->asoc.local_auth_chunks));
4822			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
4823			chunks->ph.param_length = htons(parameter_len);
4824			sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks, chunks->chunk_types);
4825			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4826			chunk_len += parameter_len;
4827		}
4828	}
4829
4830	/* now any cookie time extensions */
4831	if (stcb->asoc.cookie_preserve_req > 0) {
4832		struct sctp_cookie_perserve_param *cookie_preserve;
4833
4834		if (padding_len > 0) {
4835			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4836			chunk_len += padding_len;
4837			padding_len = 0;
4838		}
4839		parameter_len = (uint16_t)sizeof(struct sctp_cookie_perserve_param);
4840		cookie_preserve = (struct sctp_cookie_perserve_param *)(mtod(m, caddr_t)+chunk_len);
4841		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
4842		cookie_preserve->ph.param_length = htons(parameter_len);
4843		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
4844		stcb->asoc.cookie_preserve_req = 0;
4845		chunk_len += parameter_len;
4846	}
4847
4848	if (stcb->asoc.scope.ipv4_addr_legal || stcb->asoc.scope.ipv6_addr_legal) {
4849		uint8_t i;
4850
4851		if (padding_len > 0) {
4852			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4853			chunk_len += padding_len;
4854			padding_len = 0;
4855		}
4856		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
4857		if (stcb->asoc.scope.ipv4_addr_legal) {
4858			parameter_len += (uint16_t)sizeof(uint16_t);
4859		}
4860		if (stcb->asoc.scope.ipv6_addr_legal) {
4861			parameter_len += (uint16_t)sizeof(uint16_t);
4862		}
4863		sup_addr = (struct sctp_supported_addr_param *)(mtod(m, caddr_t)+chunk_len);
4864		sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
4865		sup_addr->ph.param_length = htons(parameter_len);
4866		i = 0;
4867		if (stcb->asoc.scope.ipv4_addr_legal) {
4868			sup_addr->addr_type[i++] = htons(SCTP_IPV4_ADDRESS);
4869		}
4870		if (stcb->asoc.scope.ipv6_addr_legal) {
4871			sup_addr->addr_type[i++] = htons(SCTP_IPV6_ADDRESS);
4872		}
4873		padding_len = 4 - 2 * i;
4874		chunk_len += parameter_len;
4875	}
4876
4877	SCTP_BUF_LEN(m) = chunk_len;
4878	/* now the addresses */
4879	/*
4880	 * To optimize this we could put the scoping stuff into a structure
4881	 * and remove the individual uint8's from the assoc structure. Then
4882	 * we could just sifa in the address within the stcb. But for now
4883	 * this is a quick hack to get the address stuff teased apart.
4884	 */
4885	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &stcb->asoc.scope,
4886	    m, cnt_inits_to,
4887	    &padding_len, &chunk_len);
4888
4889	init->ch.chunk_length = htons(chunk_len);
4890	if (padding_len > 0) {
4891		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
4892			sctp_m_freem(m);
4893			return;
4894		}
4895	}
4896	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
4897	if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
4898	    (struct sockaddr *)&net->ro._l_addr,
4899	    m, 0, NULL, 0, 0, 0, 0,
4900	    inp->sctp_lport, stcb->rport, htonl(0),
4901	    net->port, NULL,
4902	    0, 0,
4903	    false, so_locked))) {
4904		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak send error %d\n", error);
4905		if (error == ENOBUFS) {
4906			stcb->asoc.ifp_had_enobuf = 1;
4907			SCTP_STAT_INCR(sctps_lowlevelerr);
4908		}
4909	} else {
4910		stcb->asoc.ifp_had_enobuf = 0;
4911	}
4912	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
4913	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
4914}
4915
4916struct mbuf *
4917sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
4918    int param_offset, int *abort_processing,
4919    struct sctp_chunkhdr *cp,
4920    int *nat_friendly,
4921    int *cookie_found,
4922    uint32_t *edmid)
4923{
4924	/*
4925	 * Given a mbuf containing an INIT or INIT-ACK with the param_offset
4926	 * being equal to the beginning of the params i.e. (iphlen +
4927	 * sizeof(struct sctp_init_msg) parse through the parameters to the
4928	 * end of the mbuf verifying that all parameters are known.
4929	 *
4930	 * For unknown parameters build and return a mbuf with
4931	 * UNRECOGNIZED_PARAMETER errors. If the flags indicate to stop
4932	 * processing this chunk stop, and set *abort_processing to 1.
4933	 *
4934	 * By having param_offset be pre-set to where parameters begin it is
4935	 * hoped that this routine may be reused in the future by new
4936	 * features.
4937	 */
4938	struct sctp_zero_checksum_acceptable zero_chksum, *zero_chksum_p;
4939	struct sctp_paramhdr *phdr, params;
4940	struct mbuf *mat, *m_tmp, *op_err, *op_err_last;
4941	int at, limit, pad_needed;
4942	uint16_t ptype, plen, padded_size;
4943
4944	*abort_processing = 0;
4945	if (cookie_found != NULL) {
4946		*cookie_found = 0;
4947	}
4948	if (edmid != NULL) {
4949		*edmid = SCTP_EDMID_NONE;
4950	}
4951	mat = in_initpkt;
4952	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
4953	at = param_offset;
4954	op_err = NULL;
4955	op_err_last = NULL;
4956	pad_needed = 0;
4957	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
4958	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
4959	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
4960		ptype = ntohs(phdr->param_type);
4961		plen = ntohs(phdr->param_length);
4962		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
4963			/* wacked parameter */
4964			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
4965			goto invalid_size;
4966		}
4967		limit -= SCTP_SIZE32(plen);
4968		/*-
4969		 * All parameters for all chunks that we know/understand are
4970		 * listed here. We process them other places and make
4971		 * appropriate stop actions per the upper bits. However this
4972		 * is the generic routine processor's can call to get back
4973		 * an operr.. to either incorporate (init-ack) or send.
4974		 */
4975		padded_size = SCTP_SIZE32(plen);
4976		switch (ptype) {
4977			/* Param's with variable size */
4978		case SCTP_HEARTBEAT_INFO:
4979		case SCTP_UNRECOG_PARAM:
4980		case SCTP_ERROR_CAUSE_IND:
4981			/* ok skip fwd */
4982			at += padded_size;
4983			break;
4984		case SCTP_STATE_COOKIE:
4985			if (cookie_found != NULL) {
4986				*cookie_found = 1;
4987			}
4988			at += padded_size;
4989			break;
4990			/* Param's with variable size within a range */
4991		case SCTP_CHUNK_LIST:
4992		case SCTP_SUPPORTED_CHUNK_EXT:
4993			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
4994				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
4995				goto invalid_size;
4996			}
4997			at += padded_size;
4998			break;
4999		case SCTP_SUPPORTED_ADDRTYPE:
5000			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
5001				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
5002				goto invalid_size;
5003			}
5004			at += padded_size;
5005			break;
5006		case SCTP_ZERO_CHECKSUM_ACCEPTABLE:
5007			if (padded_size != sizeof(struct sctp_zero_checksum_acceptable)) {
5008				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error checksum acceptable %d\n", plen);
5009				goto invalid_size;
5010			}
5011			if (edmid != NULL) {
5012				phdr = sctp_get_next_param(mat, at,
5013				    (struct sctp_paramhdr *)&zero_chksum,
5014				    sizeof(struct sctp_zero_checksum_acceptable));
5015				if (phdr != NULL) {
5016					zero_chksum_p = (struct sctp_zero_checksum_acceptable *)phdr;
5017					*edmid = ntohl(zero_chksum_p->edmid);
5018				}
5019			}
5020			at += padded_size;
5021			break;
5022		case SCTP_RANDOM:
5023			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
5024				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
5025				goto invalid_size;
5026			}
5027			at += padded_size;
5028			break;
5029		case SCTP_SET_PRIM_ADDR:
5030		case SCTP_DEL_IP_ADDRESS:
5031		case SCTP_ADD_IP_ADDRESS:
5032			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
5033			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
5034				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
5035				goto invalid_size;
5036			}
5037			at += padded_size;
5038			break;
5039			/* Param's with a fixed size */
5040		case SCTP_IPV4_ADDRESS:
5041			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
5042				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
5043				goto invalid_size;
5044			}
5045			at += padded_size;
5046			break;
5047		case SCTP_IPV6_ADDRESS:
5048			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
5049				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
5050				goto invalid_size;
5051			}
5052			at += padded_size;
5053			break;
5054		case SCTP_COOKIE_PRESERVE:
5055			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
5056				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
5057				goto invalid_size;
5058			}
5059			at += padded_size;
5060			break;
5061		case SCTP_HAS_NAT_SUPPORT:
5062			if (padded_size != sizeof(struct sctp_paramhdr)) {
5063				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error nat support %d\n", plen);
5064				goto invalid_size;
5065			}
5066			*nat_friendly = 1;
5067			at += padded_size;
5068			break;
5069		case SCTP_PRSCTP_SUPPORTED:
5070			if (padded_size != sizeof(struct sctp_paramhdr)) {
5071				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error prsctp %d\n", plen);
5072				goto invalid_size;
5073			}
5074			at += padded_size;
5075			break;
5076		case SCTP_ECN_CAPABLE:
5077			if (padded_size != sizeof(struct sctp_paramhdr)) {
5078				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
5079				goto invalid_size;
5080			}
5081			at += padded_size;
5082			break;
5083		case SCTP_ULP_ADAPTATION:
5084			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
5085				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
5086				goto invalid_size;
5087			}
5088			at += padded_size;
5089			break;
5090		case SCTP_SUCCESS_REPORT:
5091			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
5092				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
5093				goto invalid_size;
5094			}
5095			at += padded_size;
5096			break;
5097		case SCTP_HOSTNAME_ADDRESS:
5098			{
5099				/* Hostname parameters are deprecated. */
5100				struct sctp_gen_error_cause *cause;
5101				int l_len;
5102
5103				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
5104				*abort_processing = 1;
5105				sctp_m_freem(op_err);
5106				op_err = NULL;
5107				op_err_last = NULL;
5108#ifdef INET6
5109				l_len = SCTP_MIN_OVERHEAD;
5110#else
5111				l_len = SCTP_MIN_V4_OVERHEAD;
5112#endif
5113				l_len += sizeof(struct sctp_chunkhdr);
5114				l_len += sizeof(struct sctp_gen_error_cause);
5115				op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5116				if (op_err != NULL) {
5117					/*
5118					 * Pre-reserve space for IP, SCTP,
5119					 * and chunk header.
5120					 */
5121#ifdef INET6
5122					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5123#else
5124					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5125#endif
5126					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5127					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5128					SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
5129					cause = mtod(op_err, struct sctp_gen_error_cause *);
5130					cause->code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
5131					cause->length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen));
5132					SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
5133					if (SCTP_BUF_NEXT(op_err) == NULL) {
5134						sctp_m_freem(op_err);
5135						op_err = NULL;
5136						op_err_last = NULL;
5137					}
5138				}
5139				return (op_err);
5140			}
5141		default:
5142			/*
5143			 * we do not recognize the parameter figure out what
5144			 * we do.
5145			 */
5146			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
5147			if ((ptype & 0x4000) == 0x4000) {
5148				/* Report bit is set?? */
5149				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
5150				if (op_err == NULL) {
5151					int l_len;
5152
5153					/* Ok need to try to get an mbuf */
5154#ifdef INET6
5155					l_len = SCTP_MIN_OVERHEAD;
5156#else
5157					l_len = SCTP_MIN_V4_OVERHEAD;
5158#endif
5159					l_len += sizeof(struct sctp_chunkhdr);
5160					l_len += sizeof(struct sctp_paramhdr);
5161					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5162					if (op_err) {
5163						SCTP_BUF_LEN(op_err) = 0;
5164#ifdef INET6
5165						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5166#else
5167						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5168#endif
5169						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5170						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5171						op_err_last = op_err;
5172					}
5173				}
5174				if (op_err != NULL) {
5175					/* If we have space */
5176					struct sctp_paramhdr *param;
5177
5178					if (pad_needed > 0) {
5179						op_err_last = sctp_add_pad_tombuf(op_err_last, pad_needed);
5180					}
5181					if (op_err_last == NULL) {
5182						sctp_m_freem(op_err);
5183						op_err = NULL;
5184						op_err_last = NULL;
5185						goto more_processing;
5186					}
5187					if (M_TRAILINGSPACE(op_err_last) < (int)sizeof(struct sctp_paramhdr)) {
5188						m_tmp = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_NOWAIT, 1, MT_DATA);
5189						if (m_tmp == NULL) {
5190							sctp_m_freem(op_err);
5191							op_err = NULL;
5192							op_err_last = NULL;
5193							goto more_processing;
5194						}
5195						SCTP_BUF_LEN(m_tmp) = 0;
5196						SCTP_BUF_NEXT(m_tmp) = NULL;
5197						SCTP_BUF_NEXT(op_err_last) = m_tmp;
5198						op_err_last = m_tmp;
5199					}
5200					param = (struct sctp_paramhdr *)(mtod(op_err_last, caddr_t)+SCTP_BUF_LEN(op_err_last));
5201					param->param_type = htons(SCTP_UNRECOG_PARAM);
5202					param->param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen);
5203					SCTP_BUF_LEN(op_err_last) += sizeof(struct sctp_paramhdr);
5204					SCTP_BUF_NEXT(op_err_last) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
5205					if (SCTP_BUF_NEXT(op_err_last) == NULL) {
5206						sctp_m_freem(op_err);
5207						op_err = NULL;
5208						op_err_last = NULL;
5209						goto more_processing;
5210					} else {
5211						while (SCTP_BUF_NEXT(op_err_last) != NULL) {
5212							op_err_last = SCTP_BUF_NEXT(op_err_last);
5213						}
5214					}
5215					if (plen % 4 != 0) {
5216						pad_needed = 4 - (plen % 4);
5217					} else {
5218						pad_needed = 0;
5219					}
5220				}
5221			}
5222	more_processing:
5223			if ((ptype & 0x8000) == 0x0000) {
5224				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
5225				return (op_err);
5226			} else {
5227				/* skip this chunk and continue processing */
5228				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
5229				at += SCTP_SIZE32(plen);
5230			}
5231			break;
5232		}
5233		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
5234	}
5235	return (op_err);
5236invalid_size:
5237	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
5238	*abort_processing = 1;
5239	sctp_m_freem(op_err);
5240	op_err = NULL;
5241	op_err_last = NULL;
5242	if (phdr != NULL) {
5243		struct sctp_paramhdr *param;
5244		int l_len;
5245#ifdef INET6
5246		l_len = SCTP_MIN_OVERHEAD;
5247#else
5248		l_len = SCTP_MIN_V4_OVERHEAD;
5249#endif
5250		l_len += sizeof(struct sctp_chunkhdr);
5251		l_len += (2 * sizeof(struct sctp_paramhdr));
5252		op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5253		if (op_err) {
5254			SCTP_BUF_LEN(op_err) = 0;
5255#ifdef INET6
5256			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5257#else
5258			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5259#endif
5260			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5261			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5262			SCTP_BUF_LEN(op_err) = 2 * sizeof(struct sctp_paramhdr);
5263			param = mtod(op_err, struct sctp_paramhdr *);
5264			param->param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
5265			param->param_length = htons(2 * sizeof(struct sctp_paramhdr));
5266			param++;
5267			param->param_type = htons(ptype);
5268			param->param_length = htons(plen);
5269		}
5270	}
5271	return (op_err);
5272}
5273
5274/*
5275 * Given a INIT chunk, look through the parameters to verify that there
5276 * are no new addresses.
5277 * Return true, if there is a new address or there is a problem parsing
5278   the parameters. Provide an optional error cause used when sending an ABORT.
5279 * Return false, if there are no new addresses and there is no problem in
5280   parameter processing.
5281 */
5282static bool
5283sctp_are_there_new_addresses(struct sctp_association *asoc,
5284    struct mbuf *in_initpkt, int offset, int limit, struct sockaddr *src,
5285    struct mbuf **op_err)
5286{
5287	struct sockaddr *sa_touse;
5288	struct sockaddr *sa;
5289	struct sctp_paramhdr *phdr, params;
5290	struct sctp_nets *net;
5291#ifdef INET
5292	struct sockaddr_in sin4, *sa4;
5293#endif
5294#ifdef INET6
5295	struct sockaddr_in6 sin6, *sa6;
5296#endif
5297	uint16_t ptype, plen;
5298	bool fnd, check_src;
5299
5300	*op_err = NULL;
5301#ifdef INET
5302	memset(&sin4, 0, sizeof(sin4));
5303	sin4.sin_family = AF_INET;
5304	sin4.sin_len = sizeof(sin4);
5305#endif
5306#ifdef INET6
5307	memset(&sin6, 0, sizeof(sin6));
5308	sin6.sin6_family = AF_INET6;
5309	sin6.sin6_len = sizeof(sin6);
5310#endif
5311	/* First what about the src address of the pkt ? */
5312	check_src = false;
5313	switch (src->sa_family) {
5314#ifdef INET
5315	case AF_INET:
5316		if (asoc->scope.ipv4_addr_legal) {
5317			check_src = true;
5318		}
5319		break;
5320#endif
5321#ifdef INET6
5322	case AF_INET6:
5323		if (asoc->scope.ipv6_addr_legal) {
5324			check_src = true;
5325		}
5326		break;
5327#endif
5328	default:
5329		/* TSNH */
5330		break;
5331	}
5332	if (check_src) {
5333		fnd = false;
5334		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5335			sa = (struct sockaddr *)&net->ro._l_addr;
5336			if (sa->sa_family == src->sa_family) {
5337#ifdef INET
5338				if (sa->sa_family == AF_INET) {
5339					struct sockaddr_in *src4;
5340
5341					sa4 = (struct sockaddr_in *)sa;
5342					src4 = (struct sockaddr_in *)src;
5343					if (sa4->sin_addr.s_addr == src4->sin_addr.s_addr) {
5344						fnd = true;
5345						break;
5346					}
5347				}
5348#endif
5349#ifdef INET6
5350				if (sa->sa_family == AF_INET6) {
5351					struct sockaddr_in6 *src6;
5352
5353					sa6 = (struct sockaddr_in6 *)sa;
5354					src6 = (struct sockaddr_in6 *)src;
5355					if (SCTP6_ARE_ADDR_EQUAL(sa6, src6)) {
5356						fnd = true;
5357						break;
5358					}
5359				}
5360#endif
5361			}
5362		}
5363		if (!fnd) {
5364			/*
5365			 * If sending an ABORT in case of an additional
5366			 * address, don't use the new address error cause.
5367			 * This looks no different than if no listener was
5368			 * present.
5369			 */
5370			*op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), "Address added");
5371			return (true);
5372		}
5373	}
5374	/* Ok so far lets munge through the rest of the packet */
5375	offset += sizeof(struct sctp_init_chunk);
5376	phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5377	while (phdr) {
5378		sa_touse = NULL;
5379		ptype = ntohs(phdr->param_type);
5380		plen = ntohs(phdr->param_length);
5381		if (offset + plen > limit) {
5382			*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Partial parameter");
5383			return (true);
5384		}
5385		if (plen < sizeof(struct sctp_paramhdr)) {
5386			*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length too small");
5387			return (true);
5388		}
5389		switch (ptype) {
5390#ifdef INET
5391		case SCTP_IPV4_ADDRESS:
5392			{
5393				struct sctp_ipv4addr_param *p4, p4_buf;
5394
5395				if (plen != sizeof(struct sctp_ipv4addr_param)) {
5396					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length illegal");
5397					return (true);
5398				}
5399				phdr = sctp_get_next_param(in_initpkt, offset,
5400				    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
5401				if (phdr == NULL) {
5402					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "");
5403					return (true);
5404				}
5405				if (asoc->scope.ipv4_addr_legal) {
5406					p4 = (struct sctp_ipv4addr_param *)phdr;
5407					sin4.sin_addr.s_addr = p4->addr;
5408					sa_touse = (struct sockaddr *)&sin4;
5409				}
5410				break;
5411			}
5412#endif
5413#ifdef INET6
5414		case SCTP_IPV6_ADDRESS:
5415			{
5416				struct sctp_ipv6addr_param *p6, p6_buf;
5417
5418				if (plen != sizeof(struct sctp_ipv6addr_param)) {
5419					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "Parameter length illegal");
5420					return (true);
5421				}
5422				phdr = sctp_get_next_param(in_initpkt, offset,
5423				    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
5424				if (phdr == NULL) {
5425					*op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "");
5426					return (true);
5427				}
5428				if (asoc->scope.ipv6_addr_legal) {
5429					p6 = (struct sctp_ipv6addr_param *)phdr;
5430					memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
5431					    sizeof(p6->addr));
5432					sa_touse = (struct sockaddr *)&sin6;
5433				}
5434				break;
5435			}
5436#endif
5437		default:
5438			sa_touse = NULL;
5439			break;
5440		}
5441		if (sa_touse) {
5442			/* ok, sa_touse points to one to check */
5443			fnd = false;
5444			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5445				sa = (struct sockaddr *)&net->ro._l_addr;
5446				if (sa->sa_family != sa_touse->sa_family) {
5447					continue;
5448				}
5449#ifdef INET
5450				if (sa->sa_family == AF_INET) {
5451					sa4 = (struct sockaddr_in *)sa;
5452					if (sa4->sin_addr.s_addr ==
5453					    sin4.sin_addr.s_addr) {
5454						fnd = true;
5455						break;
5456					}
5457				}
5458#endif
5459#ifdef INET6
5460				if (sa->sa_family == AF_INET6) {
5461					sa6 = (struct sockaddr_in6 *)sa;
5462					if (SCTP6_ARE_ADDR_EQUAL(
5463					    sa6, &sin6)) {
5464						fnd = true;
5465						break;
5466					}
5467				}
5468#endif
5469			}
5470			if (!fnd) {
5471				/*
5472				 * If sending an ABORT in case of an
5473				 * additional address, don't use the new
5474				 * address error cause. This looks no
5475				 * different than if no listener was
5476				 * present.
5477				 */
5478				*op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), "Address added");
5479				return (true);
5480			}
5481		}
5482		offset += SCTP_SIZE32(plen);
5483		if (offset >= limit) {
5484			break;
5485		}
5486		phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5487	}
5488	return (false);
5489}
5490
5491/*
5492 * Given a MBUF chain that was sent into us containing an INIT. Build a
5493 * INIT-ACK with COOKIE and send back. We assume that the in_initpkt has done
5494 * a pullup to include IPv6/4header, SCTP header and initial part of INIT
5495 * message (i.e. the struct sctp_init_msg).
5496 */
5497void
5498sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
5499    struct sctp_nets *src_net, struct mbuf *init_pkt,
5500    int iphlen, int offset,
5501    struct sockaddr *src, struct sockaddr *dst,
5502    struct sctphdr *sh, struct sctp_init_chunk *init_chk,
5503    uint8_t mflowtype, uint32_t mflowid,
5504    uint32_t vrf_id, uint16_t port)
5505{
5506	struct sctp_association *asoc;
5507	struct mbuf *m, *m_tmp, *m_last, *m_cookie, *op_err;
5508	struct sctp_init_ack_chunk *initack;
5509	struct sctp_adaptation_layer_indication *ali;
5510	struct sctp_zero_checksum_acceptable *zero_chksum;
5511	struct sctp_supported_chunk_types_param *pr_supported;
5512	struct sctp_paramhdr *ph;
5513	union sctp_sockstore *over_addr;
5514	struct sctp_scoping scp;
5515	struct timeval now;
5516#ifdef INET
5517	struct sockaddr_in *dst4 = (struct sockaddr_in *)dst;
5518	struct sockaddr_in *src4 = (struct sockaddr_in *)src;
5519	struct sockaddr_in *sin;
5520#endif
5521#ifdef INET6
5522	struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)dst;
5523	struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)src;
5524	struct sockaddr_in6 *sin6;
5525#endif
5526	struct sockaddr *to;
5527	struct sctp_state_cookie stc;
5528	struct sctp_nets *net = NULL;
5529	uint8_t *signature = NULL;
5530	int cnt_inits_to = 0;
5531	uint16_t his_limit, i_want;
5532	int abort_flag;
5533	int nat_friendly = 0;
5534	int error;
5535	struct socket *so;
5536	uint32_t edmid;
5537	uint16_t num_ext, chunk_len, padding_len, parameter_len;
5538	bool use_zero_crc;
5539
5540	if (stcb) {
5541		asoc = &stcb->asoc;
5542	} else {
5543		asoc = NULL;
5544	}
5545	if ((asoc != NULL) &&
5546	    (SCTP_GET_STATE(stcb) != SCTP_STATE_COOKIE_WAIT)) {
5547		if (sctp_are_there_new_addresses(asoc, init_pkt, offset, offset + ntohs(init_chk->ch.chunk_length), src, &op_err)) {
5548			/*
5549			 * new addresses, out of here in non-cookie-wait
5550			 * states
5551			 */
5552			sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
5553			    mflowtype, mflowid, inp->fibnum,
5554			    vrf_id, port);
5555			return;
5556		}
5557		if (src_net != NULL && (src_net->port != port)) {
5558			/*
5559			 * change of remote encapsulation port, out of here
5560			 * in non-cookie-wait states
5561			 *
5562			 * Send an ABORT, without an specific error cause.
5563			 * This looks no different than if no listener was
5564			 * present.
5565			 */
5566			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5567			    "Remote encapsulation port changed");
5568			sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
5569			    mflowtype, mflowid, inp->fibnum,
5570			    vrf_id, port);
5571			return;
5572		}
5573	}
5574	abort_flag = 0;
5575	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
5576	    (offset + sizeof(struct sctp_init_chunk)),
5577	    &abort_flag,
5578	    (struct sctp_chunkhdr *)init_chk,
5579	    &nat_friendly, NULL, &edmid);
5580	if (abort_flag) {
5581do_a_abort:
5582		if (op_err == NULL) {
5583			char msg[SCTP_DIAG_INFO_LEN];
5584
5585			SCTP_SNPRINTF(msg, sizeof(msg), "%s:%d at %s", __FILE__, __LINE__, __func__);
5586			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5587			    msg);
5588		}
5589		sctp_send_abort(init_pkt, iphlen, src, dst, sh,
5590		    init_chk->init.initiate_tag, op_err,
5591		    mflowtype, mflowid, inp->fibnum,
5592		    vrf_id, port);
5593		return;
5594	}
5595	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
5596	if (m == NULL) {
5597		/* No memory, INIT timer will re-attempt. */
5598		sctp_m_freem(op_err);
5599		return;
5600	}
5601	chunk_len = (uint16_t)sizeof(struct sctp_init_ack_chunk);
5602	padding_len = 0;
5603
5604	/*
5605	 * We might not overwrite the identification[] completely and on
5606	 * some platforms time_entered will contain some padding. Therefore
5607	 * zero out the cookie to avoid putting uninitialized memory on the
5608	 * wire.
5609	 */
5610	memset(&stc, 0, sizeof(struct sctp_state_cookie));
5611
5612	/* the time I built cookie */
5613	(void)SCTP_GETTIME_TIMEVAL(&now);
5614	stc.time_entered.tv_sec = now.tv_sec;
5615	stc.time_entered.tv_usec = now.tv_usec;
5616
5617	/* populate any tie tags */
5618	if (asoc != NULL) {
5619		/* unlock before tag selections */
5620		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
5621		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
5622		stc.cookie_life = asoc->cookie_life;
5623		net = asoc->primary_destination;
5624	} else {
5625		stc.tie_tag_my_vtag = 0;
5626		stc.tie_tag_peer_vtag = 0;
5627		/* life I will award this cookie */
5628		stc.cookie_life = inp->sctp_ep.def_cookie_life;
5629	}
5630
5631	/* copy in the ports for later check */
5632	stc.myport = sh->dest_port;
5633	stc.peerport = sh->src_port;
5634
5635	/*
5636	 * If we wanted to honor cookie life extensions, we would add to
5637	 * stc.cookie_life. For now we should NOT honor any extension
5638	 */
5639	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
5640	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5641		stc.ipv6_addr_legal = 1;
5642		if (SCTP_IPV6_V6ONLY(inp)) {
5643			stc.ipv4_addr_legal = 0;
5644		} else {
5645			stc.ipv4_addr_legal = 1;
5646		}
5647	} else {
5648		stc.ipv6_addr_legal = 0;
5649		stc.ipv4_addr_legal = 1;
5650	}
5651	stc.ipv4_scope = 0;
5652	if (net == NULL) {
5653		to = src;
5654		switch (dst->sa_family) {
5655#ifdef INET
5656		case AF_INET:
5657			{
5658				/* lookup address */
5659				stc.address[0] = src4->sin_addr.s_addr;
5660				stc.address[1] = 0;
5661				stc.address[2] = 0;
5662				stc.address[3] = 0;
5663				stc.addr_type = SCTP_IPV4_ADDRESS;
5664				/* local from address */
5665				stc.laddress[0] = dst4->sin_addr.s_addr;
5666				stc.laddress[1] = 0;
5667				stc.laddress[2] = 0;
5668				stc.laddress[3] = 0;
5669				stc.laddr_type = SCTP_IPV4_ADDRESS;
5670				/* scope_id is only for v6 */
5671				stc.scope_id = 0;
5672				if ((IN4_ISPRIVATE_ADDRESS(&src4->sin_addr)) ||
5673				    (IN4_ISPRIVATE_ADDRESS(&dst4->sin_addr))) {
5674					stc.ipv4_scope = 1;
5675				}
5676				/* Must use the address in this case */
5677				if (sctp_is_address_on_local_host(src, vrf_id)) {
5678					stc.loopback_scope = 1;
5679					stc.ipv4_scope = 1;
5680					stc.site_scope = 1;
5681					stc.local_scope = 0;
5682				}
5683				break;
5684			}
5685#endif
5686#ifdef INET6
5687		case AF_INET6:
5688			{
5689				stc.addr_type = SCTP_IPV6_ADDRESS;
5690				memcpy(&stc.address, &src6->sin6_addr, sizeof(struct in6_addr));
5691				stc.scope_id = ntohs(in6_getscope(&src6->sin6_addr));
5692				if (sctp_is_address_on_local_host(src, vrf_id)) {
5693					stc.loopback_scope = 1;
5694					stc.local_scope = 0;
5695					stc.site_scope = 1;
5696					stc.ipv4_scope = 1;
5697				} else if (IN6_IS_ADDR_LINKLOCAL(&src6->sin6_addr) ||
5698				    IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr)) {
5699					/*
5700					 * If the new destination or source
5701					 * is a LINK_LOCAL we must have
5702					 * common both site and local scope.
5703					 * Don't set local scope though
5704					 * since we must depend on the
5705					 * source to be added implicitly. We
5706					 * cannot assure just because we
5707					 * share one link that all links are
5708					 * common.
5709					 */
5710					stc.local_scope = 0;
5711					stc.site_scope = 1;
5712					stc.ipv4_scope = 1;
5713					/*
5714					 * we start counting for the private
5715					 * address stuff at 1. since the
5716					 * link local we source from won't
5717					 * show up in our scoped count.
5718					 */
5719					cnt_inits_to = 1;
5720					/*
5721					 * pull out the scope_id from
5722					 * incoming pkt
5723					 */
5724				} else if (IN6_IS_ADDR_SITELOCAL(&src6->sin6_addr) ||
5725				    IN6_IS_ADDR_SITELOCAL(&dst6->sin6_addr)) {
5726					/*
5727					 * If the new destination or source
5728					 * is SITE_LOCAL then we must have
5729					 * site scope in common.
5730					 */
5731					stc.site_scope = 1;
5732				}
5733				memcpy(&stc.laddress, &dst6->sin6_addr, sizeof(struct in6_addr));
5734				stc.laddr_type = SCTP_IPV6_ADDRESS;
5735				break;
5736			}
5737#endif
5738		default:
5739			/* TSNH */
5740			goto do_a_abort;
5741			break;
5742		}
5743	} else {
5744		/* set the scope per the existing tcb */
5745
5746#ifdef INET6
5747		struct sctp_nets *lnet;
5748#endif
5749
5750		stc.loopback_scope = asoc->scope.loopback_scope;
5751		stc.ipv4_scope = asoc->scope.ipv4_local_scope;
5752		stc.site_scope = asoc->scope.site_scope;
5753		stc.local_scope = asoc->scope.local_scope;
5754#ifdef INET6
5755		/* Why do we not consider IPv4 LL addresses? */
5756		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
5757			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
5758				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
5759					/*
5760					 * if we have a LL address, start
5761					 * counting at 1.
5762					 */
5763					cnt_inits_to = 1;
5764				}
5765			}
5766		}
5767#endif
5768		/* use the net pointer */
5769		to = (struct sockaddr *)&net->ro._l_addr;
5770		switch (to->sa_family) {
5771#ifdef INET
5772		case AF_INET:
5773			sin = (struct sockaddr_in *)to;
5774			stc.address[0] = sin->sin_addr.s_addr;
5775			stc.address[1] = 0;
5776			stc.address[2] = 0;
5777			stc.address[3] = 0;
5778			stc.addr_type = SCTP_IPV4_ADDRESS;
5779			if (net->src_addr_selected == 0) {
5780				/*
5781				 * strange case here, the INIT should have
5782				 * did the selection.
5783				 */
5784				net->ro._s_addr = sctp_source_address_selection(inp,
5785				    stcb, (sctp_route_t *)&net->ro,
5786				    net, 0, vrf_id);
5787				if (net->ro._s_addr == NULL) {
5788					sctp_m_freem(op_err);
5789					sctp_m_freem(m);
5790					return;
5791				}
5792
5793				net->src_addr_selected = 1;
5794			}
5795			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
5796			stc.laddress[1] = 0;
5797			stc.laddress[2] = 0;
5798			stc.laddress[3] = 0;
5799			stc.laddr_type = SCTP_IPV4_ADDRESS;
5800			/* scope_id is only for v6 */
5801			stc.scope_id = 0;
5802			break;
5803#endif
5804#ifdef INET6
5805		case AF_INET6:
5806			sin6 = (struct sockaddr_in6 *)to;
5807			memcpy(&stc.address, &sin6->sin6_addr,
5808			    sizeof(struct in6_addr));
5809			stc.addr_type = SCTP_IPV6_ADDRESS;
5810			stc.scope_id = sin6->sin6_scope_id;
5811			if (net->src_addr_selected == 0) {
5812				/*
5813				 * strange case here, the INIT should have
5814				 * done the selection.
5815				 */
5816				net->ro._s_addr = sctp_source_address_selection(inp,
5817				    stcb, (sctp_route_t *)&net->ro,
5818				    net, 0, vrf_id);
5819				if (net->ro._s_addr == NULL) {
5820					sctp_m_freem(op_err);
5821					sctp_m_freem(m);
5822					return;
5823				}
5824
5825				net->src_addr_selected = 1;
5826			}
5827			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
5828			    sizeof(struct in6_addr));
5829			stc.laddr_type = SCTP_IPV6_ADDRESS;
5830			break;
5831#endif
5832		}
5833	}
5834	if (asoc != NULL) {
5835		stc.rcv_edmid = asoc->rcv_edmid;
5836	} else {
5837		stc.rcv_edmid = inp->rcv_edmid;
5838	}
5839	/* Now lets put the SCTP header in place */
5840	initack = mtod(m, struct sctp_init_ack_chunk *);
5841	/* Save it off for quick ref */
5842	stc.peers_vtag = ntohl(init_chk->init.initiate_tag);
5843	/* who are we */
5844	memcpy(stc.identification, SCTP_VERSION_STRING,
5845	    min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
5846	memset(stc.reserved, 0, SCTP_RESERVE_SPACE);
5847	/* now the chunk header */
5848	initack->ch.chunk_type = SCTP_INITIATION_ACK;
5849	initack->ch.chunk_flags = 0;
5850	/* fill in later from mbuf we build */
5851	initack->ch.chunk_length = 0;
5852	/* place in my tag */
5853	if ((asoc != NULL) &&
5854	    ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
5855	    (SCTP_GET_STATE(stcb) == SCTP_STATE_INUSE) ||
5856	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED))) {
5857		/* re-use the v-tags and init-seq here */
5858		initack->init.initiate_tag = htonl(asoc->my_vtag);
5859		initack->init.initial_tsn = htonl(asoc->init_seq_number);
5860	} else {
5861		uint32_t vtag, itsn;
5862
5863		if (asoc) {
5864			atomic_add_int(&asoc->refcnt, 1);
5865			SCTP_TCB_UNLOCK(stcb);
5866	new_tag:
5867			SCTP_INP_INFO_RLOCK();
5868			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5869			SCTP_INP_INFO_RUNLOCK();
5870			if ((asoc->peer_supports_nat) && (vtag == asoc->my_vtag)) {
5871				/*
5872				 * Got a duplicate vtag on some guy behind a
5873				 * nat make sure we don't use it.
5874				 */
5875				goto new_tag;
5876			}
5877			initack->init.initiate_tag = htonl(vtag);
5878			/* get a TSN to use too */
5879			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
5880			initack->init.initial_tsn = htonl(itsn);
5881			SCTP_TCB_LOCK(stcb);
5882			atomic_subtract_int(&asoc->refcnt, 1);
5883		} else {
5884			SCTP_INP_INCR_REF(inp);
5885			SCTP_INP_RUNLOCK(inp);
5886			SCTP_INP_INFO_RLOCK();
5887			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5888			SCTP_INP_INFO_RUNLOCK();
5889			initack->init.initiate_tag = htonl(vtag);
5890			/* get a TSN to use too */
5891			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
5892			SCTP_INP_RLOCK(inp);
5893			SCTP_INP_DECR_REF(inp);
5894		}
5895	}
5896	/* save away my tag to */
5897	stc.my_vtag = initack->init.initiate_tag;
5898
5899	/* set up some of the credits. */
5900	so = inp->sctp_socket;
5901	if (so == NULL) {
5902		/* memory problem */
5903		sctp_m_freem(op_err);
5904		sctp_m_freem(m);
5905		return;
5906	} else {
5907		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
5908	}
5909	/* set what I want */
5910	his_limit = ntohs(init_chk->init.num_inbound_streams);
5911	/* choose what I want */
5912	if (asoc != NULL) {
5913		if (asoc->streamoutcnt > asoc->pre_open_streams) {
5914			i_want = asoc->streamoutcnt;
5915		} else {
5916			i_want = asoc->pre_open_streams;
5917		}
5918	} else {
5919		i_want = inp->sctp_ep.pre_open_stream_count;
5920	}
5921	if (his_limit < i_want) {
5922		/* I Want more :< */
5923		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
5924	} else {
5925		/* I can have what I want :> */
5926		initack->init.num_outbound_streams = htons(i_want);
5927	}
5928	/* tell him his limit. */
5929	initack->init.num_inbound_streams =
5930	    htons(inp->sctp_ep.max_open_streams_intome);
5931
5932	/* adaptation layer indication parameter */
5933	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
5934		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
5935		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t)+chunk_len);
5936		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
5937		ali->ph.param_length = htons(parameter_len);
5938		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
5939		chunk_len += parameter_len;
5940	}
5941
5942	/* ECN parameter */
5943	if (((asoc != NULL) && (asoc->ecn_supported == 1)) ||
5944	    ((asoc == NULL) && (inp->ecn_supported == 1))) {
5945		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5946		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5947		ph->param_type = htons(SCTP_ECN_CAPABLE);
5948		ph->param_length = htons(parameter_len);
5949		chunk_len += parameter_len;
5950	}
5951
5952	/* PR-SCTP supported parameter */
5953	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
5954	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
5955		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5956		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5957		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
5958		ph->param_length = htons(parameter_len);
5959		chunk_len += parameter_len;
5960	}
5961
5962	/* Zero checksum acceptable parameter */
5963	if (((asoc != NULL) && (asoc->rcv_edmid != SCTP_EDMID_NONE)) ||
5964	    ((asoc == NULL) && (inp->rcv_edmid != SCTP_EDMID_NONE))) {
5965		parameter_len = (uint16_t)sizeof(struct sctp_zero_checksum_acceptable);
5966		zero_chksum = (struct sctp_zero_checksum_acceptable *)(mtod(m, caddr_t)+chunk_len);
5967		zero_chksum->ph.param_type = htons(SCTP_ZERO_CHECKSUM_ACCEPTABLE);
5968		zero_chksum->ph.param_length = htons(parameter_len);
5969		if (asoc != NULL) {
5970			zero_chksum->edmid = htonl(asoc->rcv_edmid);
5971		} else {
5972			zero_chksum->edmid = htonl(inp->rcv_edmid);
5973		}
5974		chunk_len += parameter_len;
5975	}
5976
5977	/* Add NAT friendly parameter */
5978	if (nat_friendly) {
5979		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5980		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5981		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
5982		ph->param_length = htons(parameter_len);
5983		chunk_len += parameter_len;
5984	}
5985
5986	/* And now tell the peer which extensions we support */
5987	num_ext = 0;
5988	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+chunk_len);
5989	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
5990	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
5991		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
5992		if (((asoc != NULL) && (asoc->idata_supported == 1)) ||
5993		    ((asoc == NULL) && (inp->idata_supported == 1))) {
5994			pr_supported->chunk_types[num_ext++] = SCTP_IFORWARD_CUM_TSN;
5995		}
5996	}
5997	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
5998	    ((asoc == NULL) && (inp->auth_supported == 1))) {
5999		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
6000	}
6001	if (((asoc != NULL) && (asoc->asconf_supported == 1)) ||
6002	    ((asoc == NULL) && (inp->asconf_supported == 1))) {
6003		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
6004		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
6005	}
6006	if (((asoc != NULL) && (asoc->reconfig_supported == 1)) ||
6007	    ((asoc == NULL) && (inp->reconfig_supported == 1))) {
6008		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
6009	}
6010	if (((asoc != NULL) && (asoc->idata_supported == 1)) ||
6011	    ((asoc == NULL) && (inp->idata_supported == 1))) {
6012		pr_supported->chunk_types[num_ext++] = SCTP_IDATA;
6013	}
6014	if (((asoc != NULL) && (asoc->nrsack_supported == 1)) ||
6015	    ((asoc == NULL) && (inp->nrsack_supported == 1))) {
6016		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
6017	}
6018	if (((asoc != NULL) && (asoc->pktdrop_supported == 1)) ||
6019	    ((asoc == NULL) && (inp->pktdrop_supported == 1))) {
6020		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
6021	}
6022	if (num_ext > 0) {
6023		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
6024		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
6025		pr_supported->ph.param_length = htons(parameter_len);
6026		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6027		chunk_len += parameter_len;
6028	}
6029
6030	/* add authentication parameters */
6031	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
6032	    ((asoc == NULL) && (inp->auth_supported == 1))) {
6033		struct sctp_auth_random *randp;
6034		struct sctp_auth_hmac_algo *hmacs;
6035		struct sctp_auth_chunk_list *chunks;
6036
6037		if (padding_len > 0) {
6038			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6039			chunk_len += padding_len;
6040			padding_len = 0;
6041		}
6042		/* generate and add RANDOM parameter */
6043		randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+chunk_len);
6044		parameter_len = (uint16_t)sizeof(struct sctp_auth_random) +
6045		    SCTP_AUTH_RANDOM_SIZE_DEFAULT;
6046		randp->ph.param_type = htons(SCTP_RANDOM);
6047		randp->ph.param_length = htons(parameter_len);
6048		SCTP_READ_RANDOM(randp->random_data, SCTP_AUTH_RANDOM_SIZE_DEFAULT);
6049		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6050		chunk_len += parameter_len;
6051
6052		if (padding_len > 0) {
6053			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6054			chunk_len += padding_len;
6055			padding_len = 0;
6056		}
6057		/* add HMAC_ALGO parameter */
6058		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+chunk_len);
6059		parameter_len = (uint16_t)sizeof(struct sctp_auth_hmac_algo) +
6060		    sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
6061		    (uint8_t *)hmacs->hmac_ids);
6062		hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
6063		hmacs->ph.param_length = htons(parameter_len);
6064		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6065		chunk_len += parameter_len;
6066
6067		if (padding_len > 0) {
6068			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6069			chunk_len += padding_len;
6070			padding_len = 0;
6071		}
6072		/* add CHUNKS parameter */
6073		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+chunk_len);
6074		parameter_len = (uint16_t)sizeof(struct sctp_auth_chunk_list) +
6075		    sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
6076		    chunks->chunk_types);
6077		chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
6078		chunks->ph.param_length = htons(parameter_len);
6079		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6080		chunk_len += parameter_len;
6081	}
6082	SCTP_BUF_LEN(m) = chunk_len;
6083	m_last = m;
6084	/* now the addresses */
6085	/*
6086	 * To optimize this we could put the scoping stuff into a structure
6087	 * and remove the individual uint8's from the stc structure. Then we
6088	 * could just sifa in the address within the stc.. but for now this
6089	 * is a quick hack to get the address stuff teased apart.
6090	 */
6091	scp.ipv4_addr_legal = stc.ipv4_addr_legal;
6092	scp.ipv6_addr_legal = stc.ipv6_addr_legal;
6093	scp.loopback_scope = stc.loopback_scope;
6094	scp.ipv4_local_scope = stc.ipv4_scope;
6095	scp.local_scope = stc.local_scope;
6096	scp.site_scope = stc.site_scope;
6097	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &scp, m_last,
6098	    cnt_inits_to,
6099	    &padding_len, &chunk_len);
6100	/* padding_len can only be positive, if no addresses have been added */
6101	if (padding_len > 0) {
6102		memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6103		chunk_len += padding_len;
6104		SCTP_BUF_LEN(m) += padding_len;
6105		padding_len = 0;
6106	}
6107
6108	/* tack on the operational error if present */
6109	if (op_err) {
6110		parameter_len = 0;
6111		for (m_tmp = op_err; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6112			parameter_len += SCTP_BUF_LEN(m_tmp);
6113		}
6114		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6115		SCTP_BUF_NEXT(m_last) = op_err;
6116		while (SCTP_BUF_NEXT(m_last) != NULL) {
6117			m_last = SCTP_BUF_NEXT(m_last);
6118		}
6119		chunk_len += parameter_len;
6120	}
6121	if (padding_len > 0) {
6122		m_last = sctp_add_pad_tombuf(m_last, padding_len);
6123		if (m_last == NULL) {
6124			/* Houston we have a problem, no space */
6125			sctp_m_freem(m);
6126			return;
6127		}
6128		chunk_len += padding_len;
6129		padding_len = 0;
6130	}
6131	/* Now we must build a cookie */
6132	m_cookie = sctp_add_cookie(init_pkt, offset, m, 0, &stc, &signature);
6133	if (m_cookie == NULL) {
6134		/* memory problem */
6135		sctp_m_freem(m);
6136		return;
6137	}
6138	/* Now append the cookie to the end and update the space/size */
6139	SCTP_BUF_NEXT(m_last) = m_cookie;
6140	parameter_len = 0;
6141	for (m_tmp = m_cookie; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6142		parameter_len += SCTP_BUF_LEN(m_tmp);
6143		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
6144			m_last = m_tmp;
6145		}
6146	}
6147	padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6148	chunk_len += parameter_len;
6149
6150	/*
6151	 * Place in the size, but we don't include the last pad (if any) in
6152	 * the INIT-ACK.
6153	 */
6154	initack->ch.chunk_length = htons(chunk_len);
6155
6156	/*
6157	 * Time to sign the cookie, we don't sign over the cookie signature
6158	 * though thus we set trailer.
6159	 */
6160	(void)sctp_hmac_m(SCTP_HMAC,
6161	    (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
6162	    SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
6163	    (uint8_t *)signature, SCTP_SIGNATURE_SIZE);
6164	/*
6165	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
6166	 * here since the timer will drive a retranmission.
6167	 */
6168	if (padding_len > 0) {
6169		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
6170			sctp_m_freem(m);
6171			return;
6172		}
6173	}
6174	if (stc.loopback_scope) {
6175		over_addr = (union sctp_sockstore *)dst;
6176	} else {
6177		over_addr = NULL;
6178	}
6179
6180	if (asoc != NULL) {
6181		use_zero_crc = (asoc->rcv_edmid != SCTP_EDMID_NONE) && (asoc->rcv_edmid == edmid);
6182	} else {
6183		use_zero_crc = (inp->rcv_edmid != SCTP_EDMID_NONE) && (inp->rcv_edmid == edmid);
6184	}
6185
6186	if ((error = sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
6187	    0, 0,
6188	    inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
6189	    port, over_addr,
6190	    mflowtype, mflowid,
6191	    use_zero_crc,
6192	    SCTP_SO_NOT_LOCKED))) {
6193		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak send error %d\n", error);
6194		if (error == ENOBUFS) {
6195			if (asoc != NULL) {
6196				asoc->ifp_had_enobuf = 1;
6197			}
6198			SCTP_STAT_INCR(sctps_lowlevelerr);
6199		}
6200	} else {
6201		if (asoc != NULL) {
6202			asoc->ifp_had_enobuf = 0;
6203		}
6204	}
6205	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
6206}
6207
6208static void
6209sctp_prune_prsctp(struct sctp_tcb *stcb,
6210    struct sctp_association *asoc,
6211    struct sctp_nonpad_sndrcvinfo *srcv,
6212    int dataout)
6213{
6214	int freed_spc = 0;
6215	struct sctp_tmit_chunk *chk, *nchk;
6216
6217	SCTP_TCB_LOCK_ASSERT(stcb);
6218	if ((asoc->prsctp_supported) &&
6219	    (asoc->sent_queue_cnt_removeable > 0)) {
6220		TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
6221			/*
6222			 * Look for chunks marked with the PR_SCTP flag AND
6223			 * the buffer space flag. If the one being sent is
6224			 * equal or greater priority then purge the old one
6225			 * and free some space.
6226			 */
6227			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6228				/*
6229				 * This one is PR-SCTP AND buffer space
6230				 * limited type
6231				 */
6232				if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) {
6233					/*
6234					 * Lower numbers equates to higher
6235					 * priority. So if the one we are
6236					 * looking at has a larger priority,
6237					 * we want to drop the data and NOT
6238					 * retransmit it.
6239					 */
6240					if (chk->data) {
6241						/*
6242						 * We release the book_size
6243						 * if the mbuf is here
6244						 */
6245						int ret_spc;
6246						uint8_t sent;
6247
6248						if (chk->sent > SCTP_DATAGRAM_UNSENT)
6249							sent = 1;
6250						else
6251							sent = 0;
6252						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6253						    sent,
6254						    SCTP_SO_LOCKED);
6255						freed_spc += ret_spc;
6256						if (freed_spc >= dataout) {
6257							return;
6258						}
6259					}	/* if chunk was present */
6260				}	/* if of sufficient priority */
6261			}	/* if chunk has enabled */
6262		}		/* tailqforeach */
6263
6264		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
6265			/* Here we must move to the sent queue and mark */
6266			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6267				if (chk->rec.data.timetodrop.tv_sec > (long)srcv->sinfo_timetolive) {
6268					if (chk->data) {
6269						/*
6270						 * We release the book_size
6271						 * if the mbuf is here
6272						 */
6273						int ret_spc;
6274
6275						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6276						    0, SCTP_SO_LOCKED);
6277
6278						freed_spc += ret_spc;
6279						if (freed_spc >= dataout) {
6280							return;
6281						}
6282					}	/* end if chk->data */
6283				}	/* end if right class */
6284			}	/* end if chk pr-sctp */
6285		}		/* tailqforeachsafe (chk) */
6286	}			/* if enabled in asoc */
6287}
6288
6289uint32_t
6290sctp_get_frag_point(struct sctp_tcb *stcb)
6291{
6292	struct sctp_association *asoc;
6293	uint32_t frag_point, overhead;
6294
6295	asoc = &stcb->asoc;
6296	/* Consider IP header and SCTP common header. */
6297	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
6298		overhead = SCTP_MIN_OVERHEAD;
6299	} else {
6300		overhead = SCTP_MIN_V4_OVERHEAD;
6301	}
6302	/* Consider DATA/IDATA chunk header and AUTH header, if needed. */
6303	if (asoc->idata_supported) {
6304		overhead += sizeof(struct sctp_idata_chunk);
6305		if (sctp_auth_is_required_chunk(SCTP_IDATA, asoc->peer_auth_chunks)) {
6306			overhead += sctp_get_auth_chunk_len(asoc->peer_hmac_id);
6307		}
6308	} else {
6309		overhead += sizeof(struct sctp_data_chunk);
6310		if (sctp_auth_is_required_chunk(SCTP_DATA, asoc->peer_auth_chunks)) {
6311			overhead += sctp_get_auth_chunk_len(asoc->peer_hmac_id);
6312		}
6313	}
6314	KASSERT(overhead % 4 == 0,
6315	    ("overhead (%u) not a multiple of 4", overhead));
6316	/* Consider padding. */
6317	if (asoc->smallest_mtu % 4 > 0) {
6318		overhead += (asoc->smallest_mtu % 4);
6319	}
6320	KASSERT(asoc->smallest_mtu > overhead,
6321	    ("Association MTU (%u) too small for overhead (%u)",
6322	    asoc->smallest_mtu, overhead));
6323	frag_point = asoc->smallest_mtu - overhead;
6324	KASSERT(frag_point % 4 == 0,
6325	    ("frag_point (%u) not a multiple of 4", frag_point));
6326	/* Honor MAXSEG socket option. */
6327	if ((asoc->sctp_frag_point > 0) &&
6328	    (asoc->sctp_frag_point < frag_point)) {
6329		frag_point = asoc->sctp_frag_point;
6330	}
6331	return (frag_point);
6332}
6333
6334static void
6335sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
6336{
6337	/*
6338	 * We assume that the user wants PR_SCTP_TTL if the user provides a
6339	 * positive lifetime but does not specify any PR_SCTP policy.
6340	 */
6341	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
6342		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6343	} else if (sp->timetolive > 0) {
6344		sp->sinfo_flags |= SCTP_PR_SCTP_TTL;
6345		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6346	} else {
6347		return;
6348	}
6349	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
6350	case CHUNK_FLAGS_PR_SCTP_BUF:
6351		/*
6352		 * Time to live is a priority stored in tv_sec when doing
6353		 * the buffer drop thing.
6354		 */
6355		sp->ts.tv_sec = sp->timetolive;
6356		sp->ts.tv_usec = 0;
6357		break;
6358	case CHUNK_FLAGS_PR_SCTP_TTL:
6359		{
6360			struct timeval tv;
6361
6362			(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6363			tv.tv_sec = sp->timetolive / 1000;
6364			tv.tv_usec = (sp->timetolive * 1000) % 1000000;
6365			/*
6366			 * TODO sctp_constants.h needs alternative time
6367			 * macros when _KERNEL is undefined.
6368			 */
6369			timevaladd(&sp->ts, &tv);
6370		}
6371		break;
6372	case CHUNK_FLAGS_PR_SCTP_RTX:
6373		/*
6374		 * Time to live is a the number or retransmissions stored in
6375		 * tv_sec.
6376		 */
6377		sp->ts.tv_sec = sp->timetolive;
6378		sp->ts.tv_usec = 0;
6379		break;
6380	default:
6381		SCTPDBG(SCTP_DEBUG_USRREQ1,
6382		    "Unknown PR_SCTP policy %u.\n",
6383		    PR_SCTP_POLICY(sp->sinfo_flags));
6384		break;
6385	}
6386}
6387
6388static int
6389sctp_msg_append(struct sctp_tcb *stcb,
6390    struct sctp_nets *net,
6391    struct mbuf *m,
6392    struct sctp_nonpad_sndrcvinfo *srcv)
6393{
6394	int error = 0;
6395	struct mbuf *at;
6396	struct sctp_stream_queue_pending *sp = NULL;
6397	struct sctp_stream_out *strm;
6398
6399	SCTP_TCB_LOCK_ASSERT(stcb);
6400
6401	/*
6402	 * Given an mbuf chain, put it into the association send queue and
6403	 * place it on the wheel
6404	 */
6405	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
6406		/* Invalid stream number */
6407		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6408		error = EINVAL;
6409		goto out_now;
6410	}
6411	if ((stcb->asoc.stream_locked) &&
6412	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
6413		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6414		error = EINVAL;
6415		goto out_now;
6416	}
6417	if ((stcb->asoc.strmout[srcv->sinfo_stream].state != SCTP_STREAM_OPEN) &&
6418	    (stcb->asoc.strmout[srcv->sinfo_stream].state != SCTP_STREAM_OPENING)) {
6419		/*
6420		 * Can't queue any data while stream reset is underway.
6421		 */
6422		if (stcb->asoc.strmout[srcv->sinfo_stream].state > SCTP_STREAM_OPEN) {
6423			error = EAGAIN;
6424		} else {
6425			error = EINVAL;
6426		}
6427		goto out_now;
6428	}
6429	/* Now can we send this? */
6430	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) ||
6431	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
6432	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
6433	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
6434		/* got data while shutting down */
6435		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EPIPE);
6436		error = EPIPE;
6437		goto out_now;
6438	}
6439	sctp_alloc_a_strmoq(stcb, sp);
6440	if (sp == NULL) {
6441		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6442		error = ENOMEM;
6443		goto out_now;
6444	}
6445	sp->sinfo_flags = srcv->sinfo_flags;
6446	sp->timetolive = srcv->sinfo_timetolive;
6447	sp->ppid = srcv->sinfo_ppid;
6448	sp->context = srcv->sinfo_context;
6449	sp->fsn = 0;
6450	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
6451		sp->net = net;
6452		atomic_add_int(&sp->net->ref_count, 1);
6453	} else {
6454		sp->net = NULL;
6455	}
6456	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6457	sp->sid = srcv->sinfo_stream;
6458	sp->msg_is_complete = 1;
6459	sp->sender_all_done = 1;
6460	sp->some_taken = 0;
6461	sp->data = m;
6462	sp->tail_mbuf = NULL;
6463	sctp_set_prsctp_policy(sp);
6464	/*
6465	 * We could in theory (for sendall) sifa the length in, but we would
6466	 * still have to hunt through the chain since we need to setup the
6467	 * tail_mbuf
6468	 */
6469	sp->length = 0;
6470	for (at = m; at; at = SCTP_BUF_NEXT(at)) {
6471		if (SCTP_BUF_NEXT(at) == NULL)
6472			sp->tail_mbuf = at;
6473		sp->length += SCTP_BUF_LEN(at);
6474	}
6475	if (srcv->sinfo_keynumber_valid) {
6476		sp->auth_keyid = srcv->sinfo_keynumber;
6477	} else {
6478		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
6479	}
6480	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
6481		sctp_auth_key_acquire(stcb, sp->auth_keyid);
6482		sp->holds_key_ref = 1;
6483	}
6484	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
6485	sctp_snd_sb_alloc(stcb, sp->length);
6486	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
6487	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
6488	stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, &stcb->asoc, strm, sp);
6489	m = NULL;
6490out_now:
6491	if (m) {
6492		sctp_m_freem(m);
6493	}
6494	return (error);
6495}
6496
6497static struct mbuf *
6498sctp_copy_mbufchain(struct mbuf *clonechain,
6499    struct mbuf *outchain,
6500    struct mbuf **endofchain,
6501    int can_take_mbuf,
6502    int sizeofcpy,
6503    uint8_t copy_by_ref)
6504{
6505	struct mbuf *m;
6506	struct mbuf *appendchain;
6507	caddr_t cp;
6508	int len;
6509
6510	if (endofchain == NULL) {
6511		/* error */
6512error_out:
6513		if (outchain)
6514			sctp_m_freem(outchain);
6515		return (NULL);
6516	}
6517	if (can_take_mbuf) {
6518		appendchain = clonechain;
6519	} else {
6520		if (!copy_by_ref &&
6521		    (sizeofcpy <= (int)((((SCTP_BASE_SYSCTL(sctp_mbuf_threshold_count) - 1) * MLEN) + MHLEN)))) {
6522			/* Its not in a cluster */
6523			if (*endofchain == NULL) {
6524				/* lets get a mbuf cluster */
6525				if (outchain == NULL) {
6526					/* This is the general case */
6527			new_mbuf:
6528					outchain = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6529					if (outchain == NULL) {
6530						goto error_out;
6531					}
6532					SCTP_BUF_LEN(outchain) = 0;
6533					*endofchain = outchain;
6534					/* get the prepend space */
6535					SCTP_BUF_RESV_UF(outchain, (SCTP_FIRST_MBUF_RESV + 4));
6536				} else {
6537					/*
6538					 * We really should not get a NULL
6539					 * in endofchain
6540					 */
6541					/* find end */
6542					m = outchain;
6543					while (m) {
6544						if (SCTP_BUF_NEXT(m) == NULL) {
6545							*endofchain = m;
6546							break;
6547						}
6548						m = SCTP_BUF_NEXT(m);
6549					}
6550					/* sanity */
6551					if (*endofchain == NULL) {
6552						/*
6553						 * huh, TSNH XXX maybe we
6554						 * should panic
6555						 */
6556						sctp_m_freem(outchain);
6557						goto new_mbuf;
6558					}
6559				}
6560				/* get the new end of length */
6561				len = (int)M_TRAILINGSPACE(*endofchain);
6562			} else {
6563				/* how much is left at the end? */
6564				len = (int)M_TRAILINGSPACE(*endofchain);
6565			}
6566			/* Find the end of the data, for appending */
6567			cp = (mtod((*endofchain), caddr_t)+SCTP_BUF_LEN((*endofchain)));
6568
6569			/* Now lets copy it out */
6570			if (len >= sizeofcpy) {
6571				/* It all fits, copy it in */
6572				m_copydata(clonechain, 0, sizeofcpy, cp);
6573				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6574			} else {
6575				/* fill up the end of the chain */
6576				if (len > 0) {
6577					m_copydata(clonechain, 0, len, cp);
6578					SCTP_BUF_LEN((*endofchain)) += len;
6579					/* now we need another one */
6580					sizeofcpy -= len;
6581				}
6582				m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6583				if (m == NULL) {
6584					/* We failed */
6585					goto error_out;
6586				}
6587				SCTP_BUF_NEXT((*endofchain)) = m;
6588				*endofchain = m;
6589				cp = mtod((*endofchain), caddr_t);
6590				m_copydata(clonechain, len, sizeofcpy, cp);
6591				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6592			}
6593			return (outchain);
6594		} else {
6595			/* copy the old fashion way */
6596			appendchain = SCTP_M_COPYM(clonechain, 0, M_COPYALL, M_NOWAIT);
6597#ifdef SCTP_MBUF_LOGGING
6598			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6599				sctp_log_mbc(appendchain, SCTP_MBUF_ICOPY);
6600			}
6601#endif
6602		}
6603	}
6604	if (appendchain == NULL) {
6605		/* error */
6606		if (outchain)
6607			sctp_m_freem(outchain);
6608		return (NULL);
6609	}
6610	if (outchain) {
6611		/* tack on to the end */
6612		if (*endofchain != NULL) {
6613			SCTP_BUF_NEXT(((*endofchain))) = appendchain;
6614		} else {
6615			m = outchain;
6616			while (m) {
6617				if (SCTP_BUF_NEXT(m) == NULL) {
6618					SCTP_BUF_NEXT(m) = appendchain;
6619					break;
6620				}
6621				m = SCTP_BUF_NEXT(m);
6622			}
6623		}
6624		/*
6625		 * save off the end and update the end-chain position
6626		 */
6627		m = appendchain;
6628		while (m) {
6629			if (SCTP_BUF_NEXT(m) == NULL) {
6630				*endofchain = m;
6631				break;
6632			}
6633			m = SCTP_BUF_NEXT(m);
6634		}
6635		return (outchain);
6636	} else {
6637		/* save off the end and update the end-chain position */
6638		m = appendchain;
6639		while (m) {
6640			if (SCTP_BUF_NEXT(m) == NULL) {
6641				*endofchain = m;
6642				break;
6643			}
6644			m = SCTP_BUF_NEXT(m);
6645		}
6646		return (appendchain);
6647	}
6648}
6649
6650static int
6651sctp_med_chunk_output(struct sctp_inpcb *inp,
6652    struct sctp_tcb *stcb,
6653    struct sctp_association *asoc,
6654    int *num_out,
6655    int *reason_code,
6656    int control_only, int from_where,
6657    struct timeval *now, int *now_filled,
6658    uint32_t frag_point, int so_locked);
6659
6660static void
6661sctp_sendall_iterator(struct sctp_inpcb *inp, struct sctp_tcb *stcb, void *ptr,
6662    uint32_t val SCTP_UNUSED)
6663{
6664	struct sctp_copy_all *ca;
6665	struct mbuf *m;
6666	int ret = 0;
6667	int added_control = 0;
6668	int un_sent, do_chunk_output = 1;
6669	struct sctp_association *asoc;
6670	struct sctp_nets *net;
6671
6672	ca = (struct sctp_copy_all *)ptr;
6673	if (ca->m == NULL) {
6674		return;
6675	}
6676	if (ca->inp != inp) {
6677		/* TSNH */
6678		return;
6679	}
6680	if (ca->sndlen > 0) {
6681		m = SCTP_M_COPYM(ca->m, 0, M_COPYALL, M_NOWAIT);
6682		if (m == NULL) {
6683			/* can't copy so we are done */
6684			ca->cnt_failed++;
6685			return;
6686		}
6687#ifdef SCTP_MBUF_LOGGING
6688		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6689			sctp_log_mbc(m, SCTP_MBUF_ICOPY);
6690		}
6691#endif
6692	} else {
6693		m = NULL;
6694	}
6695	SCTP_TCB_LOCK_ASSERT(stcb);
6696	if (stcb->asoc.alternate) {
6697		net = stcb->asoc.alternate;
6698	} else {
6699		net = stcb->asoc.primary_destination;
6700	}
6701	if (ca->sndrcv.sinfo_flags & SCTP_ABORT) {
6702		/* Abort this assoc with m as the user defined reason */
6703		if (m != NULL) {
6704			SCTP_BUF_PREPEND(m, sizeof(struct sctp_paramhdr), M_NOWAIT);
6705		} else {
6706			m = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
6707			    0, M_NOWAIT, 1, MT_DATA);
6708			if (m != NULL) {
6709				SCTP_BUF_LEN(m) = sizeof(struct sctp_paramhdr);
6710			}
6711		}
6712		if (m != NULL) {
6713			struct sctp_paramhdr *ph;
6714
6715			ph = mtod(m, struct sctp_paramhdr *);
6716			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
6717			ph->param_length = htons((uint16_t)(sizeof(struct sctp_paramhdr) + ca->sndlen));
6718		}
6719		/*
6720		 * We add one here to keep the assoc from dis-appearing on
6721		 * us.
6722		 */
6723		atomic_add_int(&stcb->asoc.refcnt, 1);
6724		sctp_abort_an_association(inp, stcb, m, false, SCTP_SO_NOT_LOCKED);
6725		/*
6726		 * sctp_abort_an_association calls sctp_free_asoc() free
6727		 * association will NOT free it since we incremented the
6728		 * refcnt .. we do this to prevent it being freed and things
6729		 * getting tricky since we could end up (from free_asoc)
6730		 * calling inpcb_free which would get a recursive lock call
6731		 * to the iterator lock.. But as a consequence of that the
6732		 * stcb will return to us un-locked.. since free_asoc
6733		 * returns with either no TCB or the TCB unlocked, we must
6734		 * relock.. to unlock in the iterator timer :-0
6735		 */
6736		SCTP_TCB_LOCK(stcb);
6737		atomic_subtract_int(&stcb->asoc.refcnt, 1);
6738		goto no_chunk_output;
6739	} else {
6740		if (m != NULL) {
6741			ret = sctp_msg_append(stcb, net, m, &ca->sndrcv);
6742		}
6743		asoc = &stcb->asoc;
6744		if (ca->sndrcv.sinfo_flags & SCTP_EOF) {
6745			/* shutdown this assoc */
6746			if (TAILQ_EMPTY(&asoc->send_queue) &&
6747			    TAILQ_EMPTY(&asoc->sent_queue) &&
6748			    sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED) == 0) {
6749				if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
6750					goto abort_anyway;
6751				}
6752				/*
6753				 * there is nothing queued to send, so I'm
6754				 * done...
6755				 */
6756				if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
6757				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6758				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6759					/*
6760					 * only send SHUTDOWN the first time
6761					 * through
6762					 */
6763					if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
6764						SCTP_STAT_DECR_GAUGE32(sctps_currestab);
6765					}
6766					SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT);
6767					sctp_stop_timers_for_shutdown(stcb);
6768					sctp_send_shutdown(stcb, net);
6769					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
6770					    net);
6771					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6772					    NULL);
6773					added_control = 1;
6774					do_chunk_output = 0;
6775				}
6776			} else {
6777				/*
6778				 * we still got (or just got) data to send,
6779				 * so set SHUTDOWN_PENDING
6780				 */
6781				/*
6782				 * XXX sockets draft says that SCTP_EOF
6783				 * should be sent with no data.  currently,
6784				 * we will allow user data to be sent first
6785				 * and move to SHUTDOWN-PENDING
6786				 */
6787				if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
6788				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6789				    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6790					if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
6791						SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT);
6792					}
6793					SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING);
6794					if (TAILQ_EMPTY(&asoc->send_queue) &&
6795					    TAILQ_EMPTY(&asoc->sent_queue) &&
6796					    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
6797						struct mbuf *op_err;
6798						char msg[SCTP_DIAG_INFO_LEN];
6799
6800				abort_anyway:
6801						SCTP_SNPRINTF(msg, sizeof(msg),
6802						    "%s:%d at %s", __FILE__, __LINE__, __func__);
6803						op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
6804						    msg);
6805						atomic_add_int(&stcb->asoc.refcnt, 1);
6806						sctp_abort_an_association(stcb->sctp_ep, stcb,
6807						    op_err, false, SCTP_SO_NOT_LOCKED);
6808						atomic_subtract_int(&stcb->asoc.refcnt, 1);
6809						goto no_chunk_output;
6810					}
6811				}
6812			}
6813		}
6814	}
6815	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
6816	    (stcb->asoc.stream_queue_cnt * SCTP_DATA_CHUNK_OVERHEAD(stcb)));
6817
6818	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
6819	    (stcb->asoc.total_flight > 0) &&
6820	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
6821		do_chunk_output = 0;
6822	}
6823	if (do_chunk_output)
6824		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_NOT_LOCKED);
6825	else if (added_control) {
6826		struct timeval now;
6827		int num_out, reason, now_filled = 0;
6828
6829		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
6830		    &reason, 1, 1, &now, &now_filled,
6831		    sctp_get_frag_point(stcb),
6832		    SCTP_SO_NOT_LOCKED);
6833	}
6834no_chunk_output:
6835	if (ret) {
6836		ca->cnt_failed++;
6837	} else {
6838		ca->cnt_sent++;
6839	}
6840}
6841
6842static void
6843sctp_sendall_completes(void *ptr, uint32_t val SCTP_UNUSED)
6844{
6845	struct sctp_copy_all *ca;
6846
6847	ca = (struct sctp_copy_all *)ptr;
6848	/*
6849	 * Do a notify here? Kacheong suggests that the notify be done at
6850	 * the send time.. so you would push up a notification if any send
6851	 * failed. Don't know if this is feasible since the only failures we
6852	 * have is "memory" related and if you cannot get an mbuf to send
6853	 * the data you surely can't get an mbuf to send up to notify the
6854	 * user you can't send the data :->
6855	 */
6856
6857	/* now free everything */
6858	if (ca->inp) {
6859		/* Lets clear the flag to allow others to run. */
6860		SCTP_INP_WLOCK(ca->inp);
6861		ca->inp->sctp_flags &= ~SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6862		SCTP_INP_WUNLOCK(ca->inp);
6863	}
6864	sctp_m_freem(ca->m);
6865	SCTP_FREE(ca, SCTP_M_COPYAL);
6866}
6867
6868static struct mbuf *
6869sctp_copy_out_all(struct uio *uio, ssize_t len)
6870{
6871	struct mbuf *ret, *at;
6872	ssize_t left, willcpy, cancpy, error;
6873
6874	ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAITOK, 1, MT_DATA);
6875	if (ret == NULL) {
6876		/* TSNH */
6877		return (NULL);
6878	}
6879	left = len;
6880	SCTP_BUF_LEN(ret) = 0;
6881	/* save space for the data chunk header */
6882	cancpy = (int)M_TRAILINGSPACE(ret);
6883	willcpy = min(cancpy, left);
6884	at = ret;
6885	while (left > 0) {
6886		/* Align data to the end */
6887		error = uiomove(mtod(at, caddr_t), (int)willcpy, uio);
6888		if (error) {
6889	err_out_now:
6890			sctp_m_freem(at);
6891			return (NULL);
6892		}
6893		SCTP_BUF_LEN(at) = (int)willcpy;
6894		SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
6895		left -= willcpy;
6896		if (left > 0) {
6897			SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg((unsigned int)left, 0, M_WAITOK, 1, MT_DATA);
6898			if (SCTP_BUF_NEXT(at) == NULL) {
6899				goto err_out_now;
6900			}
6901			at = SCTP_BUF_NEXT(at);
6902			SCTP_BUF_LEN(at) = 0;
6903			cancpy = (int)M_TRAILINGSPACE(at);
6904			willcpy = min(cancpy, left);
6905		}
6906	}
6907	return (ret);
6908}
6909
6910static int
6911sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
6912    struct sctp_nonpad_sndrcvinfo *srcv)
6913{
6914	struct sctp_copy_all *ca;
6915	struct mbuf *mat;
6916	ssize_t sndlen;
6917	int ret;
6918
6919	if (uio != NULL) {
6920		sndlen = uio->uio_resid;
6921	} else {
6922		sndlen = 0;
6923		for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
6924			sndlen += SCTP_BUF_LEN(mat);
6925		}
6926	}
6927	if (sndlen > (ssize_t)SCTP_BASE_SYSCTL(sctp_sendall_limit)) {
6928		/* You must not be larger than the limit! */
6929		return (EMSGSIZE);
6930	}
6931	SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
6932	    SCTP_M_COPYAL);
6933	if (ca == NULL) {
6934		sctp_m_freem(m);
6935		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6936		return (ENOMEM);
6937	}
6938	memset(ca, 0, sizeof(struct sctp_copy_all));
6939	ca->inp = inp;
6940	if (srcv != NULL) {
6941		memcpy(&ca->sndrcv, srcv, sizeof(struct sctp_nonpad_sndrcvinfo));
6942	}
6943	/* Serialize. */
6944	SCTP_INP_WLOCK(inp);
6945	if ((inp->sctp_flags & SCTP_PCB_FLAGS_SND_ITERATOR_UP) != 0) {
6946		SCTP_INP_WUNLOCK(inp);
6947		sctp_m_freem(m);
6948		SCTP_FREE(ca, SCTP_M_COPYAL);
6949		return (EBUSY);
6950	}
6951	inp->sctp_flags |= SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6952	SCTP_INP_WUNLOCK(inp);
6953	/*
6954	 * take off the sendall flag, it would be bad if we failed to do
6955	 * this :-0
6956	 */
6957	ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
6958	/* get length and mbuf chain */
6959	ca->sndlen = sndlen;
6960	if (uio != NULL) {
6961		ca->m = sctp_copy_out_all(uio, ca->sndlen);
6962		if (ca->m == NULL) {
6963			SCTP_FREE(ca, SCTP_M_COPYAL);
6964			sctp_m_freem(m);
6965			SCTP_INP_WLOCK(inp);
6966			inp->sctp_flags &= ~SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6967			SCTP_INP_WUNLOCK(inp);
6968			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6969			return (ENOMEM);
6970		}
6971	} else {
6972		ca->m = m;
6973	}
6974	ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
6975	    SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
6976	    SCTP_ASOC_ANY_STATE,
6977	    (void *)ca, 0,
6978	    sctp_sendall_completes, inp, 1);
6979	if (ret != 0) {
6980		SCTP_INP_WLOCK(inp);
6981		inp->sctp_flags &= ~SCTP_PCB_FLAGS_SND_ITERATOR_UP;
6982		SCTP_INP_WUNLOCK(inp);
6983		SCTP_FREE(ca, SCTP_M_COPYAL);
6984		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
6985		return (EFAULT);
6986	}
6987	return (0);
6988}
6989
6990void
6991sctp_toss_old_cookies(struct sctp_tcb *stcb, struct sctp_association *asoc)
6992{
6993	struct sctp_tmit_chunk *chk, *nchk;
6994
6995	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
6996		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
6997			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
6998			asoc->ctrl_queue_cnt--;
6999			if (chk->data) {
7000				sctp_m_freem(chk->data);
7001				chk->data = NULL;
7002			}
7003			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7004		}
7005	}
7006}
7007
7008void
7009sctp_toss_old_asconf(struct sctp_tcb *stcb)
7010{
7011	struct sctp_association *asoc;
7012	struct sctp_tmit_chunk *chk, *nchk;
7013	struct sctp_asconf_chunk *acp;
7014
7015	asoc = &stcb->asoc;
7016	TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
7017		/* find SCTP_ASCONF chunk in queue */
7018		if (chk->rec.chunk_id.id == SCTP_ASCONF) {
7019			if (chk->data) {
7020				acp = mtod(chk->data, struct sctp_asconf_chunk *);
7021				if (SCTP_TSN_GT(ntohl(acp->serial_number), asoc->asconf_seq_out_acked)) {
7022					/* Not Acked yet */
7023					break;
7024				}
7025			}
7026			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
7027			asoc->ctrl_queue_cnt--;
7028			if (chk->data) {
7029				sctp_m_freem(chk->data);
7030				chk->data = NULL;
7031			}
7032			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7033		}
7034	}
7035}
7036
7037static void
7038sctp_clean_up_datalist(struct sctp_tcb *stcb,
7039    struct sctp_association *asoc,
7040    struct sctp_tmit_chunk **data_list,
7041    int bundle_at,
7042    struct sctp_nets *net)
7043{
7044	int i;
7045	struct sctp_tmit_chunk *tp1;
7046
7047	for (i = 0; i < bundle_at; i++) {
7048		/* off of the send queue */
7049		TAILQ_REMOVE(&asoc->send_queue, data_list[i], sctp_next);
7050		asoc->send_queue_cnt--;
7051		if (i > 0) {
7052			/*
7053			 * Any chunk NOT 0 you zap the time chunk 0 gets
7054			 * zapped or set based on if a RTO measurement is
7055			 * needed.
7056			 */
7057			data_list[i]->do_rtt = 0;
7058		}
7059		/* record time */
7060		data_list[i]->sent_rcv_time = net->last_sent_time;
7061		data_list[i]->rec.data.cwnd_at_send = net->cwnd;
7062		data_list[i]->rec.data.fast_retran_tsn = data_list[i]->rec.data.tsn;
7063		if (data_list[i]->whoTo == NULL) {
7064			data_list[i]->whoTo = net;
7065			atomic_add_int(&net->ref_count, 1);
7066		}
7067		/* on to the sent queue */
7068		tp1 = TAILQ_LAST(&asoc->sent_queue, sctpchunk_listhead);
7069		if ((tp1) && SCTP_TSN_GT(tp1->rec.data.tsn, data_list[i]->rec.data.tsn)) {
7070			struct sctp_tmit_chunk *tpp;
7071
7072			/* need to move back */
7073	back_up_more:
7074			tpp = TAILQ_PREV(tp1, sctpchunk_listhead, sctp_next);
7075			if (tpp == NULL) {
7076				TAILQ_INSERT_BEFORE(tp1, data_list[i], sctp_next);
7077				goto all_done;
7078			}
7079			tp1 = tpp;
7080			if (SCTP_TSN_GT(tp1->rec.data.tsn, data_list[i]->rec.data.tsn)) {
7081				goto back_up_more;
7082			}
7083			TAILQ_INSERT_AFTER(&asoc->sent_queue, tp1, data_list[i], sctp_next);
7084		} else {
7085			TAILQ_INSERT_TAIL(&asoc->sent_queue,
7086			    data_list[i],
7087			    sctp_next);
7088		}
7089all_done:
7090		/* This does not lower until the cum-ack passes it */
7091		asoc->sent_queue_cnt++;
7092		if ((asoc->peers_rwnd <= 0) &&
7093		    (asoc->total_flight == 0) &&
7094		    (bundle_at == 1)) {
7095			/* Mark the chunk as being a window probe */
7096			SCTP_STAT_INCR(sctps_windowprobed);
7097		}
7098#ifdef SCTP_AUDITING_ENABLED
7099		sctp_audit_log(0xC2, 3);
7100#endif
7101		data_list[i]->sent = SCTP_DATAGRAM_SENT;
7102		data_list[i]->snd_count = 1;
7103		data_list[i]->rec.data.chunk_was_revoked = 0;
7104		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
7105			sctp_misc_ints(SCTP_FLIGHT_LOG_UP,
7106			    data_list[i]->whoTo->flight_size,
7107			    data_list[i]->book_size,
7108			    (uint32_t)(uintptr_t)data_list[i]->whoTo,
7109			    data_list[i]->rec.data.tsn);
7110		}
7111		sctp_flight_size_increase(data_list[i]);
7112		sctp_total_flight_increase(stcb, data_list[i]);
7113		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
7114			sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
7115			    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
7116		}
7117		asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
7118		    (uint32_t)(data_list[i]->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
7119		if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
7120			/* SWS sender side engages */
7121			asoc->peers_rwnd = 0;
7122		}
7123	}
7124	if (asoc->cc_functions.sctp_cwnd_update_packet_transmitted) {
7125		(*asoc->cc_functions.sctp_cwnd_update_packet_transmitted) (stcb, net);
7126	}
7127}
7128
7129static void
7130sctp_clean_up_ctl(struct sctp_tcb *stcb, struct sctp_association *asoc, int so_locked)
7131{
7132	struct sctp_tmit_chunk *chk, *nchk;
7133
7134	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
7135		if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7136		    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
7137		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
7138		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
7139		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) ||
7140		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
7141		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
7142		    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
7143		    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
7144		    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
7145		    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
7146		    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
7147			/* Stray chunks must be cleaned up */
7148	clean_up_anyway:
7149			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
7150			asoc->ctrl_queue_cnt--;
7151			if (chk->data) {
7152				sctp_m_freem(chk->data);
7153				chk->data = NULL;
7154			}
7155			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
7156				asoc->fwd_tsn_cnt--;
7157			}
7158			sctp_free_a_chunk(stcb, chk, so_locked);
7159		} else if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
7160			/* special handling, we must look into the param */
7161			if (chk != asoc->str_reset) {
7162				goto clean_up_anyway;
7163			}
7164		}
7165	}
7166}
7167
7168static uint32_t
7169sctp_can_we_split_this(struct sctp_tcb *stcb, uint32_t length,
7170    uint32_t space_left, uint32_t frag_point, int eeor_on)
7171{
7172	/*
7173	 * Make a decision on if I should split a msg into multiple parts.
7174	 * This is only asked of incomplete messages.
7175	 */
7176	if (eeor_on) {
7177		/*
7178		 * If we are doing EEOR we need to always send it if its the
7179		 * entire thing, since it might be all the guy is putting in
7180		 * the hopper.
7181		 */
7182		if (space_left >= length) {
7183			/*-
7184			 * If we have data outstanding,
7185			 * we get another chance when the sack
7186			 * arrives to transmit - wait for more data
7187			 */
7188			if (stcb->asoc.total_flight == 0) {
7189				/*
7190				 * If nothing is in flight, we zero the
7191				 * packet counter.
7192				 */
7193				return (length);
7194			}
7195			return (0);
7196
7197		} else {
7198			/* You can fill the rest */
7199			return (space_left);
7200		}
7201	}
7202	/*-
7203	 * For those strange folk that make the send buffer
7204	 * smaller than our fragmentation point, we can't
7205	 * get a full msg in so we have to allow splitting.
7206	 */
7207	if (SCTP_SB_LIMIT_SND(stcb->sctp_socket) < frag_point) {
7208		return (length);
7209	}
7210	if ((length <= space_left) ||
7211	    ((length - space_left) < SCTP_BASE_SYSCTL(sctp_min_residual))) {
7212		/* Sub-optimal residual don't split in non-eeor mode. */
7213		return (0);
7214	}
7215	/*
7216	 * If we reach here length is larger than the space_left. Do we wish
7217	 * to split it for the sake of packet putting together?
7218	 */
7219	if (space_left >= min(SCTP_BASE_SYSCTL(sctp_min_split_point), frag_point)) {
7220		/* Its ok to split it */
7221		return (min(space_left, frag_point));
7222	}
7223	/* Nope, can't split */
7224	return (0);
7225}
7226
7227static uint32_t
7228sctp_move_to_outqueue(struct sctp_tcb *stcb,
7229    struct sctp_nets *net,
7230    struct sctp_stream_out *strq,
7231    uint32_t space_left,
7232    uint32_t frag_point,
7233    int *giveup,
7234    int eeor_mode,
7235    int *bail,
7236    int so_locked)
7237{
7238	/* Move from the stream to the send_queue keeping track of the total */
7239	struct sctp_association *asoc;
7240	struct sctp_stream_queue_pending *sp;
7241	struct sctp_tmit_chunk *chk;
7242	struct sctp_data_chunk *dchkh = NULL;
7243	struct sctp_idata_chunk *ndchkh = NULL;
7244	uint32_t to_move, length;
7245	int leading;
7246	uint8_t rcv_flags = 0;
7247	uint8_t some_taken;
7248
7249	SCTP_TCB_LOCK_ASSERT(stcb);
7250	asoc = &stcb->asoc;
7251one_more_time:
7252	/* sa_ignore FREED_MEMORY */
7253	sp = TAILQ_FIRST(&strq->outqueue);
7254	if (sp == NULL) {
7255		sp = TAILQ_FIRST(&strq->outqueue);
7256		if (sp) {
7257			goto one_more_time;
7258		}
7259		if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_EXPLICIT_EOR) == 0) &&
7260		    (stcb->asoc.idata_supported == 0) &&
7261		    (strq->last_msg_incomplete)) {
7262			SCTP_PRINTF("Huh? Stream:%d lm_in_c=%d but queue is NULL\n",
7263			    strq->sid,
7264			    strq->last_msg_incomplete);
7265			strq->last_msg_incomplete = 0;
7266		}
7267		to_move = 0;
7268		goto out_of;
7269	}
7270	if ((sp->msg_is_complete) && (sp->length == 0)) {
7271		if (sp->sender_all_done) {
7272			/*
7273			 * We are doing deferred cleanup. Last time through
7274			 * when we took all the data the sender_all_done was
7275			 * not set.
7276			 */
7277			if ((sp->put_last_out == 0) && (sp->discard_rest == 0)) {
7278				SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
7279				SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
7280				    sp->sender_all_done,
7281				    sp->length,
7282				    sp->msg_is_complete,
7283				    sp->put_last_out);
7284			}
7285			atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7286			TAILQ_REMOVE(&strq->outqueue, sp, next);
7287			stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp);
7288			if ((strq->state == SCTP_STREAM_RESET_PENDING) &&
7289			    (strq->chunks_on_queues == 0) &&
7290			    TAILQ_EMPTY(&strq->outqueue)) {
7291				stcb->asoc.trigger_reset = 1;
7292			}
7293			if (sp->net) {
7294				sctp_free_remote_addr(sp->net);
7295				sp->net = NULL;
7296			}
7297			if (sp->data) {
7298				sctp_m_freem(sp->data);
7299				sp->data = NULL;
7300			}
7301			sctp_free_a_strmoq(stcb, sp, so_locked);
7302			/* back to get the next msg */
7303			goto one_more_time;
7304		} else {
7305			/*
7306			 * sender just finished this but still holds a
7307			 * reference
7308			 */
7309			*giveup = 1;
7310			to_move = 0;
7311			goto out_of;
7312		}
7313	} else {
7314		/* is there some to get */
7315		if (sp->length == 0) {
7316			/* no */
7317			*giveup = 1;
7318			to_move = 0;
7319			goto out_of;
7320		} else if (sp->discard_rest) {
7321			/* Whack down the size */
7322			atomic_subtract_int(&stcb->asoc.total_output_queue_size, sp->length);
7323			if ((stcb->sctp_socket != NULL) &&
7324			    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
7325			    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL))) {
7326				SCTP_SB_DECR(&stcb->sctp_socket->so_snd, sp->length);
7327			}
7328			if (sp->data) {
7329				sctp_m_freem(sp->data);
7330				sp->data = NULL;
7331				sp->tail_mbuf = NULL;
7332			}
7333			sp->length = 0;
7334			sp->some_taken = 1;
7335			*giveup = 1;
7336			to_move = 0;
7337			goto out_of;
7338		}
7339	}
7340	some_taken = sp->some_taken;
7341	length = sp->length;
7342	if (sp->msg_is_complete) {
7343		/* The message is complete */
7344		to_move = min(length, frag_point);
7345		if (to_move == length) {
7346			/* All of it fits in the MTU */
7347			if (sp->some_taken) {
7348				rcv_flags |= SCTP_DATA_LAST_FRAG;
7349			} else {
7350				rcv_flags |= SCTP_DATA_NOT_FRAG;
7351			}
7352			sp->put_last_out = 1;
7353			if (sp->sinfo_flags & SCTP_SACK_IMMEDIATELY) {
7354				rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
7355			}
7356		} else {
7357			/* Not all of it fits, we fragment */
7358			if (sp->some_taken == 0) {
7359				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7360			}
7361			sp->some_taken = 1;
7362		}
7363	} else {
7364		to_move = sctp_can_we_split_this(stcb, length, space_left, frag_point, eeor_mode);
7365		if (to_move > 0) {
7366			if (to_move >= length) {
7367				to_move = length;
7368			}
7369			if (sp->some_taken == 0) {
7370				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7371				sp->some_taken = 1;
7372			}
7373		} else {
7374			/* Nothing to take. */
7375			*giveup = 1;
7376			to_move = 0;
7377			goto out_of;
7378		}
7379	}
7380
7381	/* If we reach here, we can copy out a chunk */
7382	sctp_alloc_a_chunk(stcb, chk);
7383	if (chk == NULL) {
7384		/* No chunk memory */
7385		*giveup = 1;
7386		to_move = 0;
7387		goto out_of;
7388	}
7389	/*
7390	 * Setup for unordered if needed by looking at the user sent info
7391	 * flags.
7392	 */
7393	if (sp->sinfo_flags & SCTP_UNORDERED) {
7394		rcv_flags |= SCTP_DATA_UNORDERED;
7395	}
7396	if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
7397	    (sp->sinfo_flags & SCTP_EOF) == SCTP_EOF) {
7398		rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
7399	}
7400	/* clear out the chunk before setting up */
7401	memset(chk, 0, sizeof(*chk));
7402	chk->rec.data.rcv_flags = rcv_flags;
7403
7404	if (to_move >= length) {
7405		/* we think we can steal the whole thing */
7406		if (to_move < sp->length) {
7407			/* bail, it changed */
7408			goto dont_do_it;
7409		}
7410		chk->data = sp->data;
7411		chk->last_mbuf = sp->tail_mbuf;
7412		/* register the stealing */
7413		sp->data = sp->tail_mbuf = NULL;
7414	} else {
7415		struct mbuf *m;
7416
7417dont_do_it:
7418		chk->data = SCTP_M_COPYM(sp->data, 0, to_move, M_NOWAIT);
7419		chk->last_mbuf = NULL;
7420		if (chk->data == NULL) {
7421			sp->some_taken = some_taken;
7422			sctp_free_a_chunk(stcb, chk, so_locked);
7423			*bail = 1;
7424			to_move = 0;
7425			goto out_of;
7426		}
7427#ifdef SCTP_MBUF_LOGGING
7428		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
7429			sctp_log_mbc(chk->data, SCTP_MBUF_ICOPY);
7430		}
7431#endif
7432		/* Pull off the data */
7433		m_adj(sp->data, to_move);
7434		/* Now lets work our way down and compact it */
7435		m = sp->data;
7436		while (m && (SCTP_BUF_LEN(m) == 0)) {
7437			sp->data = SCTP_BUF_NEXT(m);
7438			SCTP_BUF_NEXT(m) = NULL;
7439			if (sp->tail_mbuf == m) {
7440				/*-
7441				 * Freeing tail? TSNH since
7442				 * we supposedly were taking less
7443				 * than the sp->length.
7444				 */
7445#ifdef INVARIANTS
7446				panic("Huh, freeing tail? - TSNH");
7447#else
7448				SCTP_PRINTF("Huh, freeing tail? - TSNH\n");
7449				sp->tail_mbuf = sp->data = NULL;
7450				sp->length = 0;
7451#endif
7452			}
7453			sctp_m_free(m);
7454			m = sp->data;
7455		}
7456	}
7457	if (SCTP_BUF_IS_EXTENDED(chk->data)) {
7458		chk->copy_by_ref = 1;
7459	} else {
7460		chk->copy_by_ref = 0;
7461	}
7462	/*
7463	 * get last_mbuf and counts of mb usage This is ugly but hopefully
7464	 * its only one mbuf.
7465	 */
7466	if (chk->last_mbuf == NULL) {
7467		chk->last_mbuf = chk->data;
7468		while (SCTP_BUF_NEXT(chk->last_mbuf) != NULL) {
7469			chk->last_mbuf = SCTP_BUF_NEXT(chk->last_mbuf);
7470		}
7471	}
7472
7473	if (to_move > length) {
7474		/*- This should not happen either
7475		 * since we always lower to_move to the size
7476		 * of sp->length if its larger.
7477		 */
7478#ifdef INVARIANTS
7479		panic("Huh, how can to_move be larger?");
7480#else
7481		SCTP_PRINTF("Huh, how can to_move be larger?\n");
7482		sp->length = 0;
7483#endif
7484	} else {
7485		atomic_subtract_int(&sp->length, to_move);
7486	}
7487	leading = SCTP_DATA_CHUNK_OVERHEAD(stcb);
7488	if (M_LEADINGSPACE(chk->data) < leading) {
7489		/* Not enough room for a chunk header, get some */
7490		struct mbuf *m;
7491
7492		m = sctp_get_mbuf_for_msg(1, 0, M_NOWAIT, 1, MT_DATA);
7493		if (m == NULL) {
7494			/*
7495			 * we're in trouble here. _PREPEND below will free
7496			 * all the data if there is no leading space, so we
7497			 * must put the data back and restore.
7498			 */
7499			if (sp->data == NULL) {
7500				/* unsteal the data */
7501				sp->data = chk->data;
7502				sp->tail_mbuf = chk->last_mbuf;
7503			} else {
7504				struct mbuf *m_tmp;
7505
7506				/* reassemble the data */
7507				m_tmp = sp->data;
7508				sp->data = chk->data;
7509				SCTP_BUF_NEXT(chk->last_mbuf) = m_tmp;
7510			}
7511			sp->some_taken = some_taken;
7512			atomic_add_int(&sp->length, to_move);
7513			chk->data = NULL;
7514			*bail = 1;
7515			sctp_free_a_chunk(stcb, chk, so_locked);
7516			to_move = 0;
7517			goto out_of;
7518		} else {
7519			SCTP_BUF_LEN(m) = 0;
7520			SCTP_BUF_NEXT(m) = chk->data;
7521			chk->data = m;
7522			M_ALIGN(chk->data, 4);
7523		}
7524	}
7525	SCTP_BUF_PREPEND(chk->data, SCTP_DATA_CHUNK_OVERHEAD(stcb), M_NOWAIT);
7526	if (chk->data == NULL) {
7527		/* HELP, TSNH since we assured it would not above? */
7528#ifdef INVARIANTS
7529		panic("prepend fails HELP?");
7530#else
7531		SCTP_PRINTF("prepend fails HELP?\n");
7532		sctp_free_a_chunk(stcb, chk, so_locked);
7533#endif
7534		*bail = 1;
7535		to_move = 0;
7536		goto out_of;
7537	}
7538	sctp_snd_sb_alloc(stcb, SCTP_DATA_CHUNK_OVERHEAD(stcb));
7539	chk->book_size = chk->send_size = (uint16_t)(to_move + SCTP_DATA_CHUNK_OVERHEAD(stcb));
7540	chk->book_size_scale = 0;
7541	chk->sent = SCTP_DATAGRAM_UNSENT;
7542
7543	chk->flags = 0;
7544	chk->asoc = &stcb->asoc;
7545	chk->pad_inplace = 0;
7546	chk->no_fr_allowed = 0;
7547	if (stcb->asoc.idata_supported == 0) {
7548		if (rcv_flags & SCTP_DATA_UNORDERED) {
7549			/* Just use 0. The receiver ignores the values. */
7550			chk->rec.data.mid = 0;
7551		} else {
7552			chk->rec.data.mid = strq->next_mid_ordered;
7553			if (rcv_flags & SCTP_DATA_LAST_FRAG) {
7554				strq->next_mid_ordered++;
7555			}
7556		}
7557	} else {
7558		if (rcv_flags & SCTP_DATA_UNORDERED) {
7559			chk->rec.data.mid = strq->next_mid_unordered;
7560			if (rcv_flags & SCTP_DATA_LAST_FRAG) {
7561				strq->next_mid_unordered++;
7562			}
7563		} else {
7564			chk->rec.data.mid = strq->next_mid_ordered;
7565			if (rcv_flags & SCTP_DATA_LAST_FRAG) {
7566				strq->next_mid_ordered++;
7567			}
7568		}
7569	}
7570	chk->rec.data.sid = sp->sid;
7571	chk->rec.data.ppid = sp->ppid;
7572	chk->rec.data.context = sp->context;
7573	chk->rec.data.doing_fast_retransmit = 0;
7574
7575	chk->rec.data.timetodrop = sp->ts;
7576	chk->flags = sp->act_flags;
7577
7578	if (sp->net) {
7579		chk->whoTo = sp->net;
7580		atomic_add_int(&chk->whoTo->ref_count, 1);
7581	} else
7582		chk->whoTo = NULL;
7583
7584	if (sp->holds_key_ref) {
7585		chk->auth_keyid = sp->auth_keyid;
7586		sctp_auth_key_acquire(stcb, chk->auth_keyid);
7587		chk->holds_key_ref = 1;
7588	}
7589	stcb->asoc.ss_functions.sctp_ss_scheduled(stcb, net, asoc, strq, to_move);
7590	chk->rec.data.tsn = atomic_fetchadd_int(&asoc->sending_seq, 1);
7591	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_OUTQ) {
7592		sctp_misc_ints(SCTP_STRMOUT_LOG_SEND,
7593		    (uint32_t)(uintptr_t)stcb, sp->length,
7594		    (uint32_t)((chk->rec.data.sid << 16) | (0x0000ffff & chk->rec.data.mid)),
7595		    chk->rec.data.tsn);
7596	}
7597	if (stcb->asoc.idata_supported == 0) {
7598		dchkh = mtod(chk->data, struct sctp_data_chunk *);
7599	} else {
7600		ndchkh = mtod(chk->data, struct sctp_idata_chunk *);
7601	}
7602	/*
7603	 * Put the rest of the things in place now. Size was done earlier in
7604	 * previous loop prior to padding.
7605	 */
7606
7607	SCTP_TCB_LOCK_ASSERT(stcb);
7608#ifdef SCTP_ASOCLOG_OF_TSNS
7609	if (asoc->tsn_out_at >= SCTP_TSN_LOG_SIZE) {
7610		asoc->tsn_out_at = 0;
7611		asoc->tsn_out_wrapped = 1;
7612	}
7613	asoc->out_tsnlog[asoc->tsn_out_at].tsn = chk->rec.data.tsn;
7614	asoc->out_tsnlog[asoc->tsn_out_at].strm = chk->rec.data.sid;
7615	asoc->out_tsnlog[asoc->tsn_out_at].seq = chk->rec.data.mid;
7616	asoc->out_tsnlog[asoc->tsn_out_at].sz = chk->send_size;
7617	asoc->out_tsnlog[asoc->tsn_out_at].flgs = chk->rec.data.rcv_flags;
7618	asoc->out_tsnlog[asoc->tsn_out_at].stcb = (void *)stcb;
7619	asoc->out_tsnlog[asoc->tsn_out_at].in_pos = asoc->tsn_out_at;
7620	asoc->out_tsnlog[asoc->tsn_out_at].in_out = 2;
7621	asoc->tsn_out_at++;
7622#endif
7623	if (stcb->asoc.idata_supported == 0) {
7624		dchkh->ch.chunk_type = SCTP_DATA;
7625		dchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7626		dchkh->dp.tsn = htonl(chk->rec.data.tsn);
7627		dchkh->dp.sid = htons(strq->sid);
7628		dchkh->dp.ssn = htons((uint16_t)chk->rec.data.mid);
7629		dchkh->dp.ppid = chk->rec.data.ppid;
7630		dchkh->ch.chunk_length = htons(chk->send_size);
7631	} else {
7632		ndchkh->ch.chunk_type = SCTP_IDATA;
7633		ndchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7634		ndchkh->dp.tsn = htonl(chk->rec.data.tsn);
7635		ndchkh->dp.sid = htons(strq->sid);
7636		ndchkh->dp.reserved = htons(0);
7637		ndchkh->dp.mid = htonl(chk->rec.data.mid);
7638		if (sp->fsn == 0)
7639			ndchkh->dp.ppid_fsn.ppid = chk->rec.data.ppid;
7640		else
7641			ndchkh->dp.ppid_fsn.fsn = htonl(sp->fsn);
7642		sp->fsn++;
7643		ndchkh->ch.chunk_length = htons(chk->send_size);
7644	}
7645	/* Now advance the chk->send_size by the actual pad needed. */
7646	if (chk->send_size < SCTP_SIZE32(chk->book_size)) {
7647		/* need a pad */
7648		struct mbuf *lm;
7649		int pads;
7650
7651		pads = SCTP_SIZE32(chk->book_size) - chk->send_size;
7652		lm = sctp_pad_lastmbuf(chk->data, pads, chk->last_mbuf);
7653		if (lm != NULL) {
7654			chk->last_mbuf = lm;
7655			chk->pad_inplace = 1;
7656		}
7657		chk->send_size += pads;
7658	}
7659	if (PR_SCTP_ENABLED(chk->flags)) {
7660		asoc->pr_sctp_cnt++;
7661	}
7662	if (sp->msg_is_complete && (sp->length == 0) && (sp->sender_all_done)) {
7663		/* All done pull and kill the message */
7664		if (sp->put_last_out == 0) {
7665			SCTP_PRINTF("Gak, put out entire msg with NO end!-2\n");
7666			SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
7667			    sp->sender_all_done,
7668			    sp->length,
7669			    sp->msg_is_complete,
7670			    sp->put_last_out);
7671		}
7672		atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7673		TAILQ_REMOVE(&strq->outqueue, sp, next);
7674		stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp);
7675		if ((strq->state == SCTP_STREAM_RESET_PENDING) &&
7676		    (strq->chunks_on_queues == 0) &&
7677		    TAILQ_EMPTY(&strq->outqueue)) {
7678			stcb->asoc.trigger_reset = 1;
7679		}
7680		if (sp->net) {
7681			sctp_free_remote_addr(sp->net);
7682			sp->net = NULL;
7683		}
7684		if (sp->data) {
7685			sctp_m_freem(sp->data);
7686			sp->data = NULL;
7687		}
7688		sctp_free_a_strmoq(stcb, sp, so_locked);
7689	}
7690	asoc->chunks_on_out_queue++;
7691	strq->chunks_on_queues++;
7692	TAILQ_INSERT_TAIL(&asoc->send_queue, chk, sctp_next);
7693	asoc->send_queue_cnt++;
7694out_of:
7695	return (to_move);
7696}
7697
7698static void
7699sctp_fill_outqueue(struct sctp_tcb *stcb, struct sctp_nets *net,
7700    uint32_t frag_point, int eeor_mode, int *quit_now,
7701    int so_locked)
7702{
7703	struct sctp_association *asoc;
7704	struct sctp_stream_out *strq;
7705	uint32_t space_left, moved, total_moved;
7706	int bail, giveup;
7707
7708	SCTP_TCB_LOCK_ASSERT(stcb);
7709	asoc = &stcb->asoc;
7710	total_moved = 0;
7711	switch (net->ro._l_addr.sa.sa_family) {
7712#ifdef INET
7713	case AF_INET:
7714		space_left = net->mtu - SCTP_MIN_V4_OVERHEAD;
7715		break;
7716#endif
7717#ifdef INET6
7718	case AF_INET6:
7719		space_left = net->mtu - SCTP_MIN_OVERHEAD;
7720		break;
7721#endif
7722	default:
7723		/* TSNH */
7724		space_left = net->mtu;
7725		break;
7726	}
7727	/* Need an allowance for the data chunk header too */
7728	space_left -= SCTP_DATA_CHUNK_OVERHEAD(stcb);
7729
7730	/* must make even word boundary */
7731	space_left &= 0xfffffffc;
7732	strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7733	giveup = 0;
7734	bail = 0;
7735	while ((space_left > 0) && (strq != NULL)) {
7736		moved = sctp_move_to_outqueue(stcb, net, strq, space_left,
7737		    frag_point, &giveup, eeor_mode,
7738		    &bail, so_locked);
7739		if ((giveup != 0) || (bail != 0)) {
7740			break;
7741		}
7742		strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7743		total_moved += moved;
7744		if (space_left >= moved) {
7745			space_left -= moved;
7746		} else {
7747			space_left = 0;
7748		}
7749		if (space_left >= SCTP_DATA_CHUNK_OVERHEAD(stcb)) {
7750			space_left -= SCTP_DATA_CHUNK_OVERHEAD(stcb);
7751		} else {
7752			space_left = 0;
7753		}
7754		space_left &= 0xfffffffc;
7755	}
7756	if (bail != 0)
7757		*quit_now = 1;
7758
7759	stcb->asoc.ss_functions.sctp_ss_packet_done(stcb, net, asoc);
7760
7761	if (total_moved == 0) {
7762		if ((stcb->asoc.sctp_cmt_on_off == 0) &&
7763		    (net == stcb->asoc.primary_destination)) {
7764			/* ran dry for primary network net */
7765			SCTP_STAT_INCR(sctps_primary_randry);
7766		} else if (stcb->asoc.sctp_cmt_on_off > 0) {
7767			/* ran dry with CMT on */
7768			SCTP_STAT_INCR(sctps_cmt_randry);
7769		}
7770	}
7771}
7772
7773void
7774sctp_fix_ecn_echo(struct sctp_association *asoc)
7775{
7776	struct sctp_tmit_chunk *chk;
7777
7778	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7779		if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
7780			chk->sent = SCTP_DATAGRAM_UNSENT;
7781		}
7782	}
7783}
7784
7785void
7786sctp_move_chunks_from_net(struct sctp_tcb *stcb, struct sctp_nets *net)
7787{
7788	struct sctp_association *asoc;
7789	struct sctp_tmit_chunk *chk;
7790	struct sctp_stream_queue_pending *sp;
7791	unsigned int i;
7792
7793	if (net == NULL) {
7794		return;
7795	}
7796	asoc = &stcb->asoc;
7797	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
7798		TAILQ_FOREACH(sp, &stcb->asoc.strmout[i].outqueue, next) {
7799			if (sp->net == net) {
7800				sctp_free_remote_addr(sp->net);
7801				sp->net = NULL;
7802			}
7803		}
7804	}
7805	TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7806		if (chk->whoTo == net) {
7807			sctp_free_remote_addr(chk->whoTo);
7808			chk->whoTo = NULL;
7809		}
7810	}
7811}
7812
7813int
7814sctp_med_chunk_output(struct sctp_inpcb *inp,
7815    struct sctp_tcb *stcb,
7816    struct sctp_association *asoc,
7817    int *num_out,
7818    int *reason_code,
7819    int control_only, int from_where,
7820    struct timeval *now, int *now_filled,
7821    uint32_t frag_point, int so_locked)
7822{
7823	/**
7824	 * Ok this is the generic chunk service queue. we must do the
7825	 * following:
7826	 * - Service the stream queue that is next, moving any
7827	 *   message (note I must get a complete message i.e. FIRST/MIDDLE and
7828	 *   LAST to the out queue in one pass) and assigning TSN's. This
7829	 *   only applies though if the peer does not support NDATA. For NDATA
7830	 *   chunks its ok to not send the entire message ;-)
7831	 * - Check to see if the cwnd/rwnd allows any output, if so we go ahead and
7832	 *   formulate and send the low level chunks. Making sure to combine
7833	 *   any control in the control chunk queue also.
7834	 */
7835	struct sctp_nets *net, *start_at, *sack_goes_to = NULL, *old_start_at = NULL;
7836	struct mbuf *outchain, *endoutchain;
7837	struct sctp_tmit_chunk *chk, *nchk;
7838
7839	/* temp arrays for unlinking */
7840	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
7841	int no_fragmentflg, error;
7842	unsigned int max_rwnd_per_dest, max_send_per_dest;
7843	int one_chunk, hbflag, skip_data_for_this_net;
7844	int asconf, cookie, no_out_cnt;
7845	int bundle_at, ctl_cnt, no_data_chunks, eeor_mode;
7846	unsigned int mtu, r_mtu, omtu, mx_mtu, to_out;
7847	int tsns_sent = 0;
7848	uint32_t auth_offset;
7849	struct sctp_auth_chunk *auth;
7850	uint16_t auth_keyid;
7851	int override_ok = 1;
7852	int skip_fill_up = 0;
7853	int data_auth_reqd = 0;
7854
7855	/*
7856	 * JRS 5/14/07 - Add flag for whether a heartbeat is sent to the
7857	 * destination.
7858	 */
7859	int quit_now = 0;
7860	bool use_zero_crc;
7861
7862	*num_out = 0;
7863	*reason_code = 0;
7864	auth_keyid = stcb->asoc.authinfo.active_keyid;
7865	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
7866	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
7867	    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
7868		eeor_mode = 1;
7869	} else {
7870		eeor_mode = 0;
7871	}
7872	ctl_cnt = no_out_cnt = asconf = cookie = 0;
7873	/*
7874	 * First lets prime the pump. For each destination, if there is room
7875	 * in the flight size, attempt to pull an MTU's worth out of the
7876	 * stream queues into the general send_queue
7877	 */
7878#ifdef SCTP_AUDITING_ENABLED
7879	sctp_audit_log(0xC2, 2);
7880#endif
7881	SCTP_TCB_LOCK_ASSERT(stcb);
7882	hbflag = 0;
7883	if (control_only)
7884		no_data_chunks = 1;
7885	else
7886		no_data_chunks = 0;
7887
7888	/* Nothing to possible to send? */
7889	if ((TAILQ_EMPTY(&asoc->control_send_queue) ||
7890	    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) &&
7891	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7892	    TAILQ_EMPTY(&asoc->send_queue) &&
7893	    sctp_is_there_unsent_data(stcb, so_locked) == 0) {
7894nothing_to_send:
7895		*reason_code = 9;
7896		return (0);
7897	}
7898	if (asoc->peers_rwnd == 0) {
7899		/* No room in peers rwnd */
7900		*reason_code = 1;
7901		if (asoc->total_flight > 0) {
7902			/* we are allowed one chunk in flight */
7903			no_data_chunks = 1;
7904		}
7905	}
7906	if (stcb->asoc.ecn_echo_cnt_onq) {
7907		/* Record where a sack goes, if any */
7908		if (no_data_chunks &&
7909		    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) {
7910			/* Nothing but ECNe to send - we don't do that */
7911			goto nothing_to_send;
7912		}
7913		TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7914			if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7915			    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
7916				sack_goes_to = chk->whoTo;
7917				break;
7918			}
7919		}
7920	}
7921	max_rwnd_per_dest = ((asoc->peers_rwnd + asoc->total_flight) / asoc->numnets);
7922	if (stcb->sctp_socket)
7923		max_send_per_dest = SCTP_SB_LIMIT_SND(stcb->sctp_socket) / asoc->numnets;
7924	else
7925		max_send_per_dest = 0;
7926	if (no_data_chunks == 0) {
7927		/* How many non-directed chunks are there? */
7928		TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7929			if (chk->whoTo == NULL) {
7930				/*
7931				 * We already have non-directed chunks on
7932				 * the queue, no need to do a fill-up.
7933				 */
7934				skip_fill_up = 1;
7935				break;
7936			}
7937		}
7938	}
7939	if ((no_data_chunks == 0) &&
7940	    (skip_fill_up == 0) &&
7941	    (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc))) {
7942		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
7943			/*
7944			 * This for loop we are in takes in each net, if
7945			 * its's got space in cwnd and has data sent to it
7946			 * (when CMT is off) then it calls
7947			 * sctp_fill_outqueue for the net. This gets data on
7948			 * the send queue for that network.
7949			 *
7950			 * In sctp_fill_outqueue TSN's are assigned and data
7951			 * is copied out of the stream buffers. Note mostly
7952			 * copy by reference (we hope).
7953			 */
7954			net->window_probe = 0;
7955			if ((net != stcb->asoc.alternate) &&
7956			    ((net->dest_state & SCTP_ADDR_PF) ||
7957			    ((net->dest_state & SCTP_ADDR_REACHABLE) == 0) ||
7958			    (net->dest_state & SCTP_ADDR_UNCONFIRMED))) {
7959				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7960					sctp_log_cwnd(stcb, net, 1,
7961					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7962				}
7963				continue;
7964			}
7965			if ((stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) &&
7966			    (net->flight_size == 0)) {
7967				(*stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) (stcb, net);
7968			}
7969			if (net->flight_size >= net->cwnd) {
7970				/* skip this network, no room - can't fill */
7971				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7972					sctp_log_cwnd(stcb, net, 3,
7973					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7974				}
7975				continue;
7976			}
7977			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7978				sctp_log_cwnd(stcb, net, 4, SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7979			}
7980			sctp_fill_outqueue(stcb, net, frag_point, eeor_mode, &quit_now, so_locked);
7981			if (quit_now) {
7982				/* memory alloc failure */
7983				no_data_chunks = 1;
7984				break;
7985			}
7986		}
7987	}
7988	/* now service each destination and send out what we can for it */
7989	/* Nothing to send? */
7990	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7991	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7992	    TAILQ_EMPTY(&asoc->send_queue)) {
7993		*reason_code = 8;
7994		return (0);
7995	}
7996
7997	if (asoc->sctp_cmt_on_off > 0) {
7998		/* get the last start point */
7999		start_at = asoc->last_net_cmt_send_started;
8000		if (start_at == NULL) {
8001			/* null so to beginning */
8002			start_at = TAILQ_FIRST(&asoc->nets);
8003		} else {
8004			start_at = TAILQ_NEXT(asoc->last_net_cmt_send_started, sctp_next);
8005			if (start_at == NULL) {
8006				start_at = TAILQ_FIRST(&asoc->nets);
8007			}
8008		}
8009		asoc->last_net_cmt_send_started = start_at;
8010	} else {
8011		start_at = TAILQ_FIRST(&asoc->nets);
8012	}
8013	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8014		if (chk->whoTo == NULL) {
8015			if (asoc->alternate) {
8016				chk->whoTo = asoc->alternate;
8017			} else {
8018				chk->whoTo = asoc->primary_destination;
8019			}
8020			atomic_add_int(&chk->whoTo->ref_count, 1);
8021		}
8022	}
8023	old_start_at = NULL;
8024again_one_more_time:
8025	for (net = start_at; net != NULL; net = TAILQ_NEXT(net, sctp_next)) {
8026		/* how much can we send? */
8027		/* SCTPDBG("Examine for sending net:%x\n", (uint32_t)net); */
8028		if (old_start_at && (old_start_at == net)) {
8029			/* through list completely. */
8030			break;
8031		}
8032		tsns_sent = 0xa;
8033		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
8034		    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8035		    (net->flight_size >= net->cwnd)) {
8036			/*
8037			 * Nothing on control or asconf and flight is full,
8038			 * we can skip even in the CMT case.
8039			 */
8040			continue;
8041		}
8042		bundle_at = 0;
8043		endoutchain = outchain = NULL;
8044		auth = NULL;
8045		auth_offset = 0;
8046		no_fragmentflg = 1;
8047		one_chunk = 0;
8048		if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
8049			skip_data_for_this_net = 1;
8050		} else {
8051			skip_data_for_this_net = 0;
8052		}
8053		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8054#ifdef INET
8055		case AF_INET:
8056			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8057			break;
8058#endif
8059#ifdef INET6
8060		case AF_INET6:
8061			mtu = net->mtu - SCTP_MIN_OVERHEAD;
8062			break;
8063#endif
8064		default:
8065			/* TSNH */
8066			mtu = net->mtu;
8067			break;
8068		}
8069		mx_mtu = mtu;
8070		to_out = 0;
8071		if (mtu > asoc->peers_rwnd) {
8072			if (asoc->total_flight > 0) {
8073				/* We have a packet in flight somewhere */
8074				r_mtu = asoc->peers_rwnd;
8075			} else {
8076				/* We are always allowed to send one MTU out */
8077				one_chunk = 1;
8078				r_mtu = mtu;
8079			}
8080		} else {
8081			r_mtu = mtu;
8082		}
8083		error = 0;
8084		/************************/
8085		/* ASCONF transmission */
8086		/************************/
8087		/* Now first lets go through the asconf queue */
8088		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
8089			if (chk->rec.chunk_id.id != SCTP_ASCONF) {
8090				continue;
8091			}
8092			if (chk->whoTo == NULL) {
8093				if (asoc->alternate == NULL) {
8094					if (asoc->primary_destination != net) {
8095						break;
8096					}
8097				} else {
8098					if (asoc->alternate != net) {
8099						break;
8100					}
8101				}
8102			} else {
8103				if (chk->whoTo != net) {
8104					break;
8105				}
8106			}
8107			if (chk->data == NULL) {
8108				break;
8109			}
8110			if (chk->sent != SCTP_DATAGRAM_UNSENT &&
8111			    chk->sent != SCTP_DATAGRAM_RESEND) {
8112				break;
8113			}
8114			/*
8115			 * if no AUTH is yet included and this chunk
8116			 * requires it, make sure to account for it.  We
8117			 * don't apply the size until the AUTH chunk is
8118			 * actually added below in case there is no room for
8119			 * this chunk. NOTE: we overload the use of "omtu"
8120			 * here
8121			 */
8122			if ((auth == NULL) &&
8123			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8124			    stcb->asoc.peer_auth_chunks)) {
8125				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8126			} else
8127				omtu = 0;
8128			/* Here we do NOT factor the r_mtu */
8129			if ((chk->send_size < (int)(mtu - omtu)) ||
8130			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8131				/*
8132				 * We probably should glom the mbuf chain
8133				 * from the chk->data for control but the
8134				 * problem is it becomes yet one more level
8135				 * of tracking to do if for some reason
8136				 * output fails. Then I have got to
8137				 * reconstruct the merged control chain.. el
8138				 * yucko.. for now we take the easy way and
8139				 * do the copy
8140				 */
8141				/*
8142				 * Add an AUTH chunk, if chunk requires it
8143				 * save the offset into the chain for AUTH
8144				 */
8145				if ((auth == NULL) &&
8146				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8147				    stcb->asoc.peer_auth_chunks))) {
8148					outchain = sctp_add_auth_chunk(outchain,
8149					    &endoutchain,
8150					    &auth,
8151					    &auth_offset,
8152					    stcb,
8153					    chk->rec.chunk_id.id);
8154					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8155				}
8156				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8157				    (int)chk->rec.chunk_id.can_take_data,
8158				    chk->send_size, chk->copy_by_ref);
8159				if (outchain == NULL) {
8160					*reason_code = 8;
8161					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8162					return (ENOMEM);
8163				}
8164				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8165				/* update our MTU size */
8166				if (mtu > (chk->send_size + omtu))
8167					mtu -= (chk->send_size + omtu);
8168				else
8169					mtu = 0;
8170				to_out += (chk->send_size + omtu);
8171				/* Do clear IP_DF ? */
8172				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8173					no_fragmentflg = 0;
8174				}
8175				if (chk->rec.chunk_id.can_take_data)
8176					chk->data = NULL;
8177				/*
8178				 * set hb flag since we can use these for
8179				 * RTO
8180				 */
8181				hbflag = 1;
8182				asconf = 1;
8183				/*
8184				 * should sysctl this: don't bundle data
8185				 * with ASCONF since it requires AUTH
8186				 */
8187				no_data_chunks = 1;
8188				chk->sent = SCTP_DATAGRAM_SENT;
8189				if (chk->whoTo == NULL) {
8190					chk->whoTo = net;
8191					atomic_add_int(&net->ref_count, 1);
8192				}
8193				chk->snd_count++;
8194				if (mtu == 0) {
8195					/*
8196					 * Ok we are out of room but we can
8197					 * output without effecting the
8198					 * flight size since this little guy
8199					 * is a control only packet.
8200					 */
8201					sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8202					/*
8203					 * do NOT clear the asconf flag as
8204					 * it is used to do appropriate
8205					 * source address selection.
8206					 */
8207					if (*now_filled == 0) {
8208						(void)SCTP_GETTIME_TIMEVAL(now);
8209						*now_filled = 1;
8210					}
8211					net->last_sent_time = *now;
8212					hbflag = 0;
8213					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8214					    (struct sockaddr *)&net->ro._l_addr,
8215					    outchain, auth_offset, auth,
8216					    stcb->asoc.authinfo.active_keyid,
8217					    no_fragmentflg, 0, asconf,
8218					    inp->sctp_lport, stcb->rport,
8219					    htonl(stcb->asoc.peer_vtag),
8220					    net->port, NULL,
8221					    0, 0,
8222					    false, so_locked))) {
8223						/*
8224						 * error, we could not
8225						 * output
8226						 */
8227						SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8228						if (from_where == 0) {
8229							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8230						}
8231						if (error == ENOBUFS) {
8232							asoc->ifp_had_enobuf = 1;
8233							SCTP_STAT_INCR(sctps_lowlevelerr);
8234						}
8235						/* error, could not output */
8236						if (error == EHOSTUNREACH) {
8237							/*
8238							 * Destination went
8239							 * unreachable
8240							 * during this send
8241							 */
8242							sctp_move_chunks_from_net(stcb, net);
8243						}
8244						asconf = 0;
8245						*reason_code = 7;
8246						break;
8247					} else {
8248						asoc->ifp_had_enobuf = 0;
8249					}
8250					/*
8251					 * increase the number we sent, if a
8252					 * cookie is sent we don't tell them
8253					 * any was sent out.
8254					 */
8255					outchain = endoutchain = NULL;
8256					auth = NULL;
8257					auth_offset = 0;
8258					asconf = 0;
8259					if (!no_out_cnt)
8260						*num_out += ctl_cnt;
8261					/* recalc a clean slate and setup */
8262					switch (net->ro._l_addr.sa.sa_family) {
8263#ifdef INET
8264					case AF_INET:
8265						mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8266						break;
8267#endif
8268#ifdef INET6
8269					case AF_INET6:
8270						mtu = net->mtu - SCTP_MIN_OVERHEAD;
8271						break;
8272#endif
8273					default:
8274						/* TSNH */
8275						mtu = net->mtu;
8276						break;
8277					}
8278					to_out = 0;
8279					no_fragmentflg = 1;
8280				}
8281			}
8282		}
8283		if (error != 0) {
8284			/* try next net */
8285			continue;
8286		}
8287		/************************/
8288		/* Control transmission */
8289		/************************/
8290		/* Now first lets go through the control queue */
8291		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
8292			if ((sack_goes_to) &&
8293			    (chk->rec.chunk_id.id == SCTP_ECN_ECHO) &&
8294			    (chk->whoTo != sack_goes_to)) {
8295				/*
8296				 * if we have a sack in queue, and we are
8297				 * looking at an ecn echo that is NOT queued
8298				 * to where the sack is going..
8299				 */
8300				if (chk->whoTo == net) {
8301					/*
8302					 * Don't transmit it to where its
8303					 * going (current net)
8304					 */
8305					continue;
8306				} else if (sack_goes_to == net) {
8307					/*
8308					 * But do transmit it to this
8309					 * address
8310					 */
8311					goto skip_net_check;
8312				}
8313			}
8314			if (chk->whoTo == NULL) {
8315				if (asoc->alternate == NULL) {
8316					if (asoc->primary_destination != net) {
8317						continue;
8318					}
8319				} else {
8320					if (asoc->alternate != net) {
8321						continue;
8322					}
8323				}
8324			} else {
8325				if (chk->whoTo != net) {
8326					continue;
8327				}
8328			}
8329	skip_net_check:
8330			if (chk->data == NULL) {
8331				continue;
8332			}
8333			if (chk->sent != SCTP_DATAGRAM_UNSENT) {
8334				/*
8335				 * It must be unsent. Cookies and ASCONF's
8336				 * hang around but there timers will force
8337				 * when marked for resend.
8338				 */
8339				continue;
8340			}
8341			/*
8342			 * if no AUTH is yet included and this chunk
8343			 * requires it, make sure to account for it.  We
8344			 * don't apply the size until the AUTH chunk is
8345			 * actually added below in case there is no room for
8346			 * this chunk. NOTE: we overload the use of "omtu"
8347			 * here
8348			 */
8349			if ((auth == NULL) &&
8350			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8351			    stcb->asoc.peer_auth_chunks)) {
8352				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8353			} else
8354				omtu = 0;
8355			/* Here we do NOT factor the r_mtu */
8356			if ((chk->send_size <= (int)(mtu - omtu)) ||
8357			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8358				/*
8359				 * We probably should glom the mbuf chain
8360				 * from the chk->data for control but the
8361				 * problem is it becomes yet one more level
8362				 * of tracking to do if for some reason
8363				 * output fails. Then I have got to
8364				 * reconstruct the merged control chain.. el
8365				 * yucko.. for now we take the easy way and
8366				 * do the copy
8367				 */
8368				/*
8369				 * Add an AUTH chunk, if chunk requires it
8370				 * save the offset into the chain for AUTH
8371				 */
8372				if ((auth == NULL) &&
8373				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8374				    stcb->asoc.peer_auth_chunks))) {
8375					outchain = sctp_add_auth_chunk(outchain,
8376					    &endoutchain,
8377					    &auth,
8378					    &auth_offset,
8379					    stcb,
8380					    chk->rec.chunk_id.id);
8381					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8382				}
8383				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8384				    (int)chk->rec.chunk_id.can_take_data,
8385				    chk->send_size, chk->copy_by_ref);
8386				if (outchain == NULL) {
8387					*reason_code = 8;
8388					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8389					return (ENOMEM);
8390				}
8391				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8392				/* update our MTU size */
8393				if (mtu > (chk->send_size + omtu))
8394					mtu -= (chk->send_size + omtu);
8395				else
8396					mtu = 0;
8397				to_out += (chk->send_size + omtu);
8398				/* Do clear IP_DF ? */
8399				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8400					no_fragmentflg = 0;
8401				}
8402				if (chk->rec.chunk_id.can_take_data)
8403					chk->data = NULL;
8404				/* Mark things to be removed, if needed */
8405				if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8406				    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
8407				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
8408				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
8409				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
8410				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
8411				    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
8412				    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
8413				    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
8414				    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
8415				    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
8416					if (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) {
8417						hbflag = 1;
8418					}
8419					/* remove these chunks at the end */
8420					if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8421					    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
8422						/* turn off the timer */
8423						if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
8424							sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
8425							    inp, stcb, NULL,
8426							    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_1);
8427						}
8428					}
8429					ctl_cnt++;
8430				} else {
8431					/*
8432					 * Other chunks, since they have
8433					 * timers running (i.e. COOKIE) we
8434					 * just "trust" that it gets sent or
8435					 * retransmitted.
8436					 */
8437					ctl_cnt++;
8438					if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
8439						cookie = 1;
8440						no_out_cnt = 1;
8441					} else if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
8442						/*
8443						 * Increment ecne send count
8444						 * here this means we may be
8445						 * over-zealous in our
8446						 * counting if the send
8447						 * fails, but its the best
8448						 * place to do it (we used
8449						 * to do it in the queue of
8450						 * the chunk, but that did
8451						 * not tell how many times
8452						 * it was sent.
8453						 */
8454						SCTP_STAT_INCR(sctps_sendecne);
8455					}
8456					chk->sent = SCTP_DATAGRAM_SENT;
8457					if (chk->whoTo == NULL) {
8458						chk->whoTo = net;
8459						atomic_add_int(&net->ref_count, 1);
8460					}
8461					chk->snd_count++;
8462				}
8463				if (mtu == 0) {
8464					/*
8465					 * Ok we are out of room but we can
8466					 * output without effecting the
8467					 * flight size since this little guy
8468					 * is a control only packet.
8469					 */
8470					switch (asoc->snd_edmid) {
8471					case SCTP_EDMID_LOWER_LAYER_DTLS:
8472						use_zero_crc = true;
8473						break;
8474					default:
8475						use_zero_crc = false;
8476						break;
8477					}
8478					if (asconf) {
8479						sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8480						use_zero_crc = false;
8481						/*
8482						 * do NOT clear the asconf
8483						 * flag as it is used to do
8484						 * appropriate source
8485						 * address selection.
8486						 */
8487					}
8488					if (cookie) {
8489						sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8490						use_zero_crc = false;
8491						cookie = 0;
8492					}
8493					/* Only HB or ASCONF advances time */
8494					if (hbflag) {
8495						if (*now_filled == 0) {
8496							(void)SCTP_GETTIME_TIMEVAL(now);
8497							*now_filled = 1;
8498						}
8499						net->last_sent_time = *now;
8500						hbflag = 0;
8501					}
8502					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8503					    (struct sockaddr *)&net->ro._l_addr,
8504					    outchain,
8505					    auth_offset, auth,
8506					    stcb->asoc.authinfo.active_keyid,
8507					    no_fragmentflg, 0, asconf,
8508					    inp->sctp_lport, stcb->rport,
8509					    htonl(stcb->asoc.peer_vtag),
8510					    net->port, NULL,
8511					    0, 0,
8512					    use_zero_crc, so_locked))) {
8513						/*
8514						 * error, we could not
8515						 * output
8516						 */
8517						SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8518						if (from_where == 0) {
8519							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8520						}
8521						if (error == ENOBUFS) {
8522							asoc->ifp_had_enobuf = 1;
8523							SCTP_STAT_INCR(sctps_lowlevelerr);
8524						}
8525						if (error == EHOSTUNREACH) {
8526							/*
8527							 * Destination went
8528							 * unreachable
8529							 * during this send
8530							 */
8531							sctp_move_chunks_from_net(stcb, net);
8532						}
8533						asconf = 0;
8534						*reason_code = 7;
8535						break;
8536					} else {
8537						asoc->ifp_had_enobuf = 0;
8538					}
8539					/*
8540					 * increase the number we sent, if a
8541					 * cookie is sent we don't tell them
8542					 * any was sent out.
8543					 */
8544					outchain = endoutchain = NULL;
8545					auth = NULL;
8546					auth_offset = 0;
8547					asconf = 0;
8548					if (!no_out_cnt)
8549						*num_out += ctl_cnt;
8550					/* recalc a clean slate and setup */
8551					switch (net->ro._l_addr.sa.sa_family) {
8552#ifdef INET
8553					case AF_INET:
8554						mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8555						break;
8556#endif
8557#ifdef INET6
8558					case AF_INET6:
8559						mtu = net->mtu - SCTP_MIN_OVERHEAD;
8560						break;
8561#endif
8562					default:
8563						/* TSNH */
8564						mtu = net->mtu;
8565						break;
8566					}
8567					to_out = 0;
8568					no_fragmentflg = 1;
8569				}
8570			}
8571		}
8572		if (error != 0) {
8573			/* try next net */
8574			continue;
8575		}
8576		/* JRI: if dest is in PF state, do not send data to it */
8577		if ((asoc->sctp_cmt_on_off > 0) &&
8578		    (net != stcb->asoc.alternate) &&
8579		    (net->dest_state & SCTP_ADDR_PF)) {
8580			goto no_data_fill;
8581		}
8582		if (net->flight_size >= net->cwnd) {
8583			goto no_data_fill;
8584		}
8585		if ((asoc->sctp_cmt_on_off > 0) &&
8586		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_RECV_BUFFER_SPLITTING) &&
8587		    (net->flight_size > max_rwnd_per_dest)) {
8588			goto no_data_fill;
8589		}
8590		/*
8591		 * We need a specific accounting for the usage of the send
8592		 * buffer. We also need to check the number of messages per
8593		 * net. For now, this is better than nothing and it disabled
8594		 * by default...
8595		 */
8596		if ((asoc->sctp_cmt_on_off > 0) &&
8597		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_SEND_BUFFER_SPLITTING) &&
8598		    (max_send_per_dest > 0) &&
8599		    (net->flight_size > max_send_per_dest)) {
8600			goto no_data_fill;
8601		}
8602		/*********************/
8603		/* Data transmission */
8604		/*********************/
8605		/*
8606		 * if AUTH for DATA is required and no AUTH has been added
8607		 * yet, account for this in the mtu now... if no data can be
8608		 * bundled, this adjustment won't matter anyways since the
8609		 * packet will be going out...
8610		 */
8611		data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA,
8612		    stcb->asoc.peer_auth_chunks);
8613		if (data_auth_reqd && (auth == NULL)) {
8614			mtu -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8615		}
8616		/* now lets add any data within the MTU constraints */
8617		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8618#ifdef INET
8619		case AF_INET:
8620			if (net->mtu > SCTP_MIN_V4_OVERHEAD)
8621				omtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8622			else
8623				omtu = 0;
8624			break;
8625#endif
8626#ifdef INET6
8627		case AF_INET6:
8628			if (net->mtu > SCTP_MIN_OVERHEAD)
8629				omtu = net->mtu - SCTP_MIN_OVERHEAD;
8630			else
8631				omtu = 0;
8632			break;
8633#endif
8634		default:
8635			/* TSNH */
8636			omtu = 0;
8637			break;
8638		}
8639		if ((((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
8640		    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
8641		    (skip_data_for_this_net == 0)) ||
8642		    (cookie)) {
8643			TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
8644				if (no_data_chunks) {
8645					/* let only control go out */
8646					*reason_code = 1;
8647					break;
8648				}
8649				if (net->flight_size >= net->cwnd) {
8650					/* skip this net, no room for data */
8651					*reason_code = 2;
8652					break;
8653				}
8654				if ((chk->whoTo != NULL) &&
8655				    (chk->whoTo != net)) {
8656					/* Don't send the chunk on this net */
8657					continue;
8658				}
8659
8660				if (asoc->sctp_cmt_on_off == 0) {
8661					if ((asoc->alternate) &&
8662					    (asoc->alternate != net) &&
8663					    (chk->whoTo == NULL)) {
8664						continue;
8665					} else if ((net != asoc->primary_destination) &&
8666						    (asoc->alternate == NULL) &&
8667					    (chk->whoTo == NULL)) {
8668						continue;
8669					}
8670				}
8671				if ((chk->send_size > omtu) && ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) == 0)) {
8672					/*-
8673					 * strange, we have a chunk that is
8674					 * to big for its destination and
8675					 * yet no fragment ok flag.
8676					 * Something went wrong when the
8677					 * PMTU changed...we did not mark
8678					 * this chunk for some reason?? I
8679					 * will fix it here by letting IP
8680					 * fragment it for now and printing
8681					 * a warning. This really should not
8682					 * happen ...
8683					 */
8684					SCTP_PRINTF("Warning chunk of %d bytes > mtu:%d and yet PMTU disc missed\n",
8685					    chk->send_size, mtu);
8686					chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
8687				}
8688				if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
8689				    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
8690					struct sctp_data_chunk *dchkh;
8691
8692					dchkh = mtod(chk->data, struct sctp_data_chunk *);
8693					dchkh->ch.chunk_flags |= SCTP_DATA_SACK_IMMEDIATELY;
8694				}
8695				if (((chk->send_size <= mtu) && (chk->send_size <= r_mtu)) ||
8696				    ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) && (chk->send_size <= asoc->peers_rwnd))) {
8697					/* ok we will add this one */
8698
8699					/*
8700					 * Add an AUTH chunk, if chunk
8701					 * requires it, save the offset into
8702					 * the chain for AUTH
8703					 */
8704					if (data_auth_reqd) {
8705						if (auth == NULL) {
8706							outchain = sctp_add_auth_chunk(outchain,
8707							    &endoutchain,
8708							    &auth,
8709							    &auth_offset,
8710							    stcb,
8711							    SCTP_DATA);
8712							auth_keyid = chk->auth_keyid;
8713							override_ok = 0;
8714							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8715						} else if (override_ok) {
8716							/*
8717							 * use this data's
8718							 * keyid
8719							 */
8720							auth_keyid = chk->auth_keyid;
8721							override_ok = 0;
8722						} else if (auth_keyid != chk->auth_keyid) {
8723							/*
8724							 * different keyid,
8725							 * so done bundling
8726							 */
8727							break;
8728						}
8729					}
8730					outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain, 0,
8731					    chk->send_size, chk->copy_by_ref);
8732					if (outchain == NULL) {
8733						SCTPDBG(SCTP_DEBUG_OUTPUT3, "No memory?\n");
8734						if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
8735							sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8736						}
8737						*reason_code = 3;
8738						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8739						return (ENOMEM);
8740					}
8741					/* update our MTU size */
8742					/* Do clear IP_DF ? */
8743					if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8744						no_fragmentflg = 0;
8745					}
8746					/* unsigned subtraction of mtu */
8747					if (mtu > chk->send_size)
8748						mtu -= chk->send_size;
8749					else
8750						mtu = 0;
8751					/* unsigned subtraction of r_mtu */
8752					if (r_mtu > chk->send_size)
8753						r_mtu -= chk->send_size;
8754					else
8755						r_mtu = 0;
8756
8757					to_out += chk->send_size;
8758					if ((to_out > mx_mtu) && no_fragmentflg) {
8759#ifdef INVARIANTS
8760						panic("Exceeding mtu of %d out size is %d", mx_mtu, to_out);
8761#else
8762						SCTP_PRINTF("Exceeding mtu of %d out size is %d\n",
8763						    mx_mtu, to_out);
8764#endif
8765					}
8766					chk->window_probe = 0;
8767					data_list[bundle_at++] = chk;
8768					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
8769						break;
8770					}
8771					if (chk->sent == SCTP_DATAGRAM_UNSENT) {
8772						if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
8773							SCTP_STAT_INCR_COUNTER64(sctps_outorderchunks);
8774						} else {
8775							SCTP_STAT_INCR_COUNTER64(sctps_outunorderchunks);
8776						}
8777						if (((chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) == SCTP_DATA_LAST_FRAG) &&
8778						    ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0))
8779							/*
8780							 * Count number of
8781							 * user msg's that
8782							 * were fragmented
8783							 * we do this by
8784							 * counting when we
8785							 * see a LAST
8786							 * fragment only.
8787							 */
8788							SCTP_STAT_INCR_COUNTER64(sctps_fragusrmsgs);
8789					}
8790					if ((mtu == 0) || (r_mtu == 0) || (one_chunk)) {
8791						if ((one_chunk) && (stcb->asoc.total_flight == 0)) {
8792							data_list[0]->window_probe = 1;
8793							net->window_probe = 1;
8794						}
8795						break;
8796					}
8797				} else {
8798					/*
8799					 * Must be sent in order of the
8800					 * TSN's (on a network)
8801					 */
8802					break;
8803				}
8804			}	/* for (chunk gather loop for this net) */
8805		}		/* if asoc.state OPEN */
8806no_data_fill:
8807		/* Is there something to send for this destination? */
8808		if (outchain) {
8809			switch (asoc->snd_edmid) {
8810			case SCTP_EDMID_LOWER_LAYER_DTLS:
8811				use_zero_crc = true;
8812				break;
8813			default:
8814				use_zero_crc = false;
8815				break;
8816			}
8817			/* We may need to start a control timer or two */
8818			if (asconf) {
8819				sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp,
8820				    stcb, net);
8821				use_zero_crc = false;
8822				/*
8823				 * do NOT clear the asconf flag as it is
8824				 * used to do appropriate source address
8825				 * selection.
8826				 */
8827			}
8828			if (cookie) {
8829				sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8830				use_zero_crc = false;
8831				cookie = 0;
8832			}
8833			/* must start a send timer if data is being sent */
8834			if (bundle_at && (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
8835				/*
8836				 * no timer running on this destination
8837				 * restart it.
8838				 */
8839				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8840			}
8841			if (bundle_at || hbflag) {
8842				/* For data/asconf and hb set time */
8843				if (*now_filled == 0) {
8844					(void)SCTP_GETTIME_TIMEVAL(now);
8845					*now_filled = 1;
8846				}
8847				net->last_sent_time = *now;
8848			}
8849			/* Now send it, if there is anything to send :> */
8850			if ((error = sctp_lowlevel_chunk_output(inp,
8851			    stcb,
8852			    net,
8853			    (struct sockaddr *)&net->ro._l_addr,
8854			    outchain,
8855			    auth_offset,
8856			    auth,
8857			    auth_keyid,
8858			    no_fragmentflg,
8859			    bundle_at,
8860			    asconf,
8861			    inp->sctp_lport, stcb->rport,
8862			    htonl(stcb->asoc.peer_vtag),
8863			    net->port, NULL,
8864			    0, 0,
8865			    use_zero_crc,
8866			    so_locked))) {
8867				/* error, we could not output */
8868				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8869				if (from_where == 0) {
8870					SCTP_STAT_INCR(sctps_lowlevelerrusr);
8871				}
8872				if (error == ENOBUFS) {
8873					asoc->ifp_had_enobuf = 1;
8874					SCTP_STAT_INCR(sctps_lowlevelerr);
8875				}
8876				if (error == EHOSTUNREACH) {
8877					/*
8878					 * Destination went unreachable
8879					 * during this send
8880					 */
8881					sctp_move_chunks_from_net(stcb, net);
8882				}
8883				asconf = 0;
8884				*reason_code = 6;
8885				/*-
8886				 * I add this line to be paranoid. As far as
8887				 * I can tell the continue, takes us back to
8888				 * the top of the for, but just to make sure
8889				 * I will reset these again here.
8890				 */
8891				ctl_cnt = 0;
8892				continue;	/* This takes us back to the
8893						 * for() for the nets. */
8894			} else {
8895				asoc->ifp_had_enobuf = 0;
8896			}
8897			endoutchain = NULL;
8898			auth = NULL;
8899			auth_offset = 0;
8900			asconf = 0;
8901			if (!no_out_cnt) {
8902				*num_out += (ctl_cnt + bundle_at);
8903			}
8904			if (bundle_at) {
8905				/* setup for a RTO measurement */
8906				tsns_sent = data_list[0]->rec.data.tsn;
8907				/* fill time if not already filled */
8908				if (*now_filled == 0) {
8909					(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
8910					*now_filled = 1;
8911					*now = asoc->time_last_sent;
8912				} else {
8913					asoc->time_last_sent = *now;
8914				}
8915				if (net->rto_needed) {
8916					data_list[0]->do_rtt = 1;
8917					net->rto_needed = 0;
8918				}
8919				SCTP_STAT_INCR_BY(sctps_senddata, bundle_at);
8920				sctp_clean_up_datalist(stcb, asoc, data_list, bundle_at, net);
8921			}
8922			if (one_chunk) {
8923				break;
8924			}
8925		}
8926		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8927			sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_SEND);
8928		}
8929	}
8930	if (old_start_at == NULL) {
8931		old_start_at = start_at;
8932		start_at = TAILQ_FIRST(&asoc->nets);
8933		if (old_start_at)
8934			goto again_one_more_time;
8935	}
8936
8937	/*
8938	 * At the end there should be no NON timed chunks hanging on this
8939	 * queue.
8940	 */
8941	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8942		sctp_log_cwnd(stcb, net, *num_out, SCTP_CWND_LOG_FROM_SEND);
8943	}
8944	if ((*num_out == 0) && (*reason_code == 0)) {
8945		*reason_code = 4;
8946	} else {
8947		*reason_code = 5;
8948	}
8949	sctp_clean_up_ctl(stcb, asoc, so_locked);
8950	return (0);
8951}
8952
8953void
8954sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
8955{
8956	/*-
8957	 * Prepend a OPERATIONAL_ERROR chunk header and put on the end of
8958	 * the control chunk queue.
8959	 */
8960	struct sctp_chunkhdr *hdr;
8961	struct sctp_tmit_chunk *chk;
8962	struct mbuf *mat, *last_mbuf;
8963	uint32_t chunk_length;
8964	uint16_t padding_length;
8965
8966	SCTP_TCB_LOCK_ASSERT(stcb);
8967	SCTP_BUF_PREPEND(op_err, sizeof(struct sctp_chunkhdr), M_NOWAIT);
8968	if (op_err == NULL) {
8969		return;
8970	}
8971	last_mbuf = NULL;
8972	chunk_length = 0;
8973	for (mat = op_err; mat != NULL; mat = SCTP_BUF_NEXT(mat)) {
8974		chunk_length += SCTP_BUF_LEN(mat);
8975		if (SCTP_BUF_NEXT(mat) == NULL) {
8976			last_mbuf = mat;
8977		}
8978	}
8979	if (chunk_length > SCTP_MAX_CHUNK_LENGTH) {
8980		sctp_m_freem(op_err);
8981		return;
8982	}
8983	padding_length = chunk_length % 4;
8984	if (padding_length != 0) {
8985		padding_length = 4 - padding_length;
8986	}
8987	if (padding_length != 0) {
8988		if (sctp_add_pad_tombuf(last_mbuf, padding_length) == NULL) {
8989			sctp_m_freem(op_err);
8990			return;
8991		}
8992	}
8993	sctp_alloc_a_chunk(stcb, chk);
8994	if (chk == NULL) {
8995		/* no memory */
8996		sctp_m_freem(op_err);
8997		return;
8998	}
8999	chk->copy_by_ref = 0;
9000	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
9001	chk->rec.chunk_id.can_take_data = 0;
9002	chk->flags = 0;
9003	chk->send_size = (uint16_t)chunk_length;
9004	chk->sent = SCTP_DATAGRAM_UNSENT;
9005	chk->snd_count = 0;
9006	chk->asoc = &stcb->asoc;
9007	chk->data = op_err;
9008	chk->whoTo = NULL;
9009	hdr = mtod(op_err, struct sctp_chunkhdr *);
9010	hdr->chunk_type = SCTP_OPERATION_ERROR;
9011	hdr->chunk_flags = 0;
9012	hdr->chunk_length = htons(chk->send_size);
9013	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9014	chk->asoc->ctrl_queue_cnt++;
9015}
9016
9017int
9018sctp_send_cookie_echo(struct mbuf *m,
9019    int offset, int limit,
9020    struct sctp_tcb *stcb,
9021    struct sctp_nets *net)
9022{
9023	/*-
9024	 * pull out the cookie and put it at the front of the control chunk
9025	 * queue.
9026	 */
9027	int at;
9028	struct mbuf *cookie;
9029	struct sctp_paramhdr param, *phdr;
9030	struct sctp_chunkhdr *hdr;
9031	struct sctp_tmit_chunk *chk;
9032	uint16_t ptype, plen;
9033
9034	SCTP_TCB_LOCK_ASSERT(stcb);
9035	/* First find the cookie in the param area */
9036	cookie = NULL;
9037	at = offset + sizeof(struct sctp_init_chunk);
9038	for (;;) {
9039		phdr = sctp_get_next_param(m, at, &param, sizeof(param));
9040		if (phdr == NULL) {
9041			return (-3);
9042		}
9043		ptype = ntohs(phdr->param_type);
9044		plen = ntohs(phdr->param_length);
9045		if (plen < sizeof(struct sctp_paramhdr)) {
9046			return (-6);
9047		}
9048		if (ptype == SCTP_STATE_COOKIE) {
9049			int pad;
9050
9051			/* found the cookie */
9052			if (at + plen > limit) {
9053				return (-7);
9054			}
9055			cookie = SCTP_M_COPYM(m, at, plen, M_NOWAIT);
9056			if (cookie == NULL) {
9057				/* No memory */
9058				return (-2);
9059			}
9060			if ((pad = (plen % 4)) > 0) {
9061				pad = 4 - pad;
9062			}
9063			if (pad > 0) {
9064				if (sctp_pad_lastmbuf(cookie, pad, NULL) == NULL) {
9065					return (-8);
9066				}
9067			}
9068#ifdef SCTP_MBUF_LOGGING
9069			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9070				sctp_log_mbc(cookie, SCTP_MBUF_ICOPY);
9071			}
9072#endif
9073			break;
9074		}
9075		at += SCTP_SIZE32(plen);
9076	}
9077	/* ok, we got the cookie lets change it into a cookie echo chunk */
9078	/* first the change from param to cookie */
9079	hdr = mtod(cookie, struct sctp_chunkhdr *);
9080	hdr->chunk_type = SCTP_COOKIE_ECHO;
9081	hdr->chunk_flags = 0;
9082	/* get the chunk stuff now and place it in the FRONT of the queue */
9083	sctp_alloc_a_chunk(stcb, chk);
9084	if (chk == NULL) {
9085		/* no memory */
9086		sctp_m_freem(cookie);
9087		return (-5);
9088	}
9089	chk->copy_by_ref = 0;
9090	chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
9091	chk->rec.chunk_id.can_take_data = 0;
9092	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9093	chk->send_size = SCTP_SIZE32(plen);
9094	chk->sent = SCTP_DATAGRAM_UNSENT;
9095	chk->snd_count = 0;
9096	chk->asoc = &stcb->asoc;
9097	chk->data = cookie;
9098	chk->whoTo = net;
9099	atomic_add_int(&chk->whoTo->ref_count, 1);
9100	TAILQ_INSERT_HEAD(&chk->asoc->control_send_queue, chk, sctp_next);
9101	chk->asoc->ctrl_queue_cnt++;
9102	return (0);
9103}
9104
9105void
9106sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
9107    struct mbuf *m,
9108    int offset,
9109    int chk_length,
9110    struct sctp_nets *net)
9111{
9112	/*
9113	 * take a HB request and make it into a HB ack and send it.
9114	 */
9115	struct mbuf *outchain;
9116	struct sctp_chunkhdr *chdr;
9117	struct sctp_tmit_chunk *chk;
9118
9119	if (net == NULL)
9120		/* must have a net pointer */
9121		return;
9122
9123	outchain = SCTP_M_COPYM(m, offset, chk_length, M_NOWAIT);
9124	if (outchain == NULL) {
9125		/* gak out of memory */
9126		return;
9127	}
9128#ifdef SCTP_MBUF_LOGGING
9129	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9130		sctp_log_mbc(outchain, SCTP_MBUF_ICOPY);
9131	}
9132#endif
9133	chdr = mtod(outchain, struct sctp_chunkhdr *);
9134	chdr->chunk_type = SCTP_HEARTBEAT_ACK;
9135	chdr->chunk_flags = 0;
9136	if (chk_length % 4 != 0) {
9137		sctp_pad_lastmbuf(outchain, 4 - (chk_length % 4), NULL);
9138	}
9139	sctp_alloc_a_chunk(stcb, chk);
9140	if (chk == NULL) {
9141		/* no memory */
9142		sctp_m_freem(outchain);
9143		return;
9144	}
9145	chk->copy_by_ref = 0;
9146	chk->rec.chunk_id.id = SCTP_HEARTBEAT_ACK;
9147	chk->rec.chunk_id.can_take_data = 1;
9148	chk->flags = 0;
9149	chk->send_size = chk_length;
9150	chk->sent = SCTP_DATAGRAM_UNSENT;
9151	chk->snd_count = 0;
9152	chk->asoc = &stcb->asoc;
9153	chk->data = outchain;
9154	chk->whoTo = net;
9155	atomic_add_int(&chk->whoTo->ref_count, 1);
9156	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9157	chk->asoc->ctrl_queue_cnt++;
9158}
9159
9160void
9161sctp_send_cookie_ack(struct sctp_tcb *stcb)
9162{
9163	/* formulate and queue a cookie-ack back to sender */
9164	struct mbuf *cookie_ack;
9165	struct sctp_chunkhdr *hdr;
9166	struct sctp_tmit_chunk *chk;
9167
9168	SCTP_TCB_LOCK_ASSERT(stcb);
9169
9170	cookie_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
9171	if (cookie_ack == NULL) {
9172		/* no mbuf's */
9173		return;
9174	}
9175	SCTP_BUF_RESV_UF(cookie_ack, SCTP_MIN_OVERHEAD);
9176	sctp_alloc_a_chunk(stcb, chk);
9177	if (chk == NULL) {
9178		/* no memory */
9179		sctp_m_freem(cookie_ack);
9180		return;
9181	}
9182	chk->copy_by_ref = 0;
9183	chk->rec.chunk_id.id = SCTP_COOKIE_ACK;
9184	chk->rec.chunk_id.can_take_data = 1;
9185	chk->flags = 0;
9186	chk->send_size = sizeof(struct sctp_chunkhdr);
9187	chk->sent = SCTP_DATAGRAM_UNSENT;
9188	chk->snd_count = 0;
9189	chk->asoc = &stcb->asoc;
9190	chk->data = cookie_ack;
9191	if (chk->asoc->last_control_chunk_from != NULL) {
9192		chk->whoTo = chk->asoc->last_control_chunk_from;
9193		atomic_add_int(&chk->whoTo->ref_count, 1);
9194	} else {
9195		chk->whoTo = NULL;
9196	}
9197	hdr = mtod(cookie_ack, struct sctp_chunkhdr *);
9198	hdr->chunk_type = SCTP_COOKIE_ACK;
9199	hdr->chunk_flags = 0;
9200	hdr->chunk_length = htons(chk->send_size);
9201	SCTP_BUF_LEN(cookie_ack) = chk->send_size;
9202	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9203	chk->asoc->ctrl_queue_cnt++;
9204	return;
9205}
9206
9207void
9208sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct sctp_nets *net)
9209{
9210	/* formulate and queue a SHUTDOWN-ACK back to the sender */
9211	struct mbuf *m_shutdown_ack;
9212	struct sctp_shutdown_ack_chunk *ack_cp;
9213	struct sctp_tmit_chunk *chk;
9214
9215	m_shutdown_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_ack_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9216	if (m_shutdown_ack == NULL) {
9217		/* no mbuf's */
9218		return;
9219	}
9220	SCTP_BUF_RESV_UF(m_shutdown_ack, SCTP_MIN_OVERHEAD);
9221	sctp_alloc_a_chunk(stcb, chk);
9222	if (chk == NULL) {
9223		/* no memory */
9224		sctp_m_freem(m_shutdown_ack);
9225		return;
9226	}
9227	chk->copy_by_ref = 0;
9228	chk->rec.chunk_id.id = SCTP_SHUTDOWN_ACK;
9229	chk->rec.chunk_id.can_take_data = 1;
9230	chk->flags = 0;
9231	chk->send_size = sizeof(struct sctp_chunkhdr);
9232	chk->sent = SCTP_DATAGRAM_UNSENT;
9233	chk->snd_count = 0;
9234	chk->asoc = &stcb->asoc;
9235	chk->data = m_shutdown_ack;
9236	chk->whoTo = net;
9237	if (chk->whoTo) {
9238		atomic_add_int(&chk->whoTo->ref_count, 1);
9239	}
9240	ack_cp = mtod(m_shutdown_ack, struct sctp_shutdown_ack_chunk *);
9241	ack_cp->ch.chunk_type = SCTP_SHUTDOWN_ACK;
9242	ack_cp->ch.chunk_flags = 0;
9243	ack_cp->ch.chunk_length = htons(chk->send_size);
9244	SCTP_BUF_LEN(m_shutdown_ack) = chk->send_size;
9245	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9246	chk->asoc->ctrl_queue_cnt++;
9247	return;
9248}
9249
9250void
9251sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_nets *net)
9252{
9253	/* formulate and queue a SHUTDOWN to the sender */
9254	struct mbuf *m_shutdown;
9255	struct sctp_shutdown_chunk *shutdown_cp;
9256	struct sctp_tmit_chunk *chk;
9257
9258	TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
9259		if (chk->rec.chunk_id.id == SCTP_SHUTDOWN) {
9260			/* We already have a SHUTDOWN queued. Reuse it. */
9261			if (chk->whoTo) {
9262				sctp_free_remote_addr(chk->whoTo);
9263				chk->whoTo = NULL;
9264			}
9265			break;
9266		}
9267	}
9268	if (chk == NULL) {
9269		m_shutdown = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9270		if (m_shutdown == NULL) {
9271			/* no mbuf's */
9272			return;
9273		}
9274		SCTP_BUF_RESV_UF(m_shutdown, SCTP_MIN_OVERHEAD);
9275		sctp_alloc_a_chunk(stcb, chk);
9276		if (chk == NULL) {
9277			/* no memory */
9278			sctp_m_freem(m_shutdown);
9279			return;
9280		}
9281		chk->copy_by_ref = 0;
9282		chk->rec.chunk_id.id = SCTP_SHUTDOWN;
9283		chk->rec.chunk_id.can_take_data = 1;
9284		chk->flags = 0;
9285		chk->send_size = sizeof(struct sctp_shutdown_chunk);
9286		chk->sent = SCTP_DATAGRAM_UNSENT;
9287		chk->snd_count = 0;
9288		chk->asoc = &stcb->asoc;
9289		chk->data = m_shutdown;
9290		chk->whoTo = net;
9291		if (chk->whoTo) {
9292			atomic_add_int(&chk->whoTo->ref_count, 1);
9293		}
9294		shutdown_cp = mtod(m_shutdown, struct sctp_shutdown_chunk *);
9295		shutdown_cp->ch.chunk_type = SCTP_SHUTDOWN;
9296		shutdown_cp->ch.chunk_flags = 0;
9297		shutdown_cp->ch.chunk_length = htons(chk->send_size);
9298		shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
9299		SCTP_BUF_LEN(m_shutdown) = chk->send_size;
9300		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9301		chk->asoc->ctrl_queue_cnt++;
9302	} else {
9303		TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, sctp_next);
9304		chk->whoTo = net;
9305		if (chk->whoTo) {
9306			atomic_add_int(&chk->whoTo->ref_count, 1);
9307		}
9308		shutdown_cp = mtod(chk->data, struct sctp_shutdown_chunk *);
9309		shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
9310		TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
9311	}
9312	return;
9313}
9314
9315void
9316sctp_send_asconf(struct sctp_tcb *stcb, struct sctp_nets *net, int addr_locked)
9317{
9318	/*
9319	 * formulate and queue an ASCONF to the peer. ASCONF parameters
9320	 * should be queued on the assoc queue.
9321	 */
9322	struct sctp_tmit_chunk *chk;
9323	struct mbuf *m_asconf;
9324	int len;
9325
9326	SCTP_TCB_LOCK_ASSERT(stcb);
9327
9328	if ((!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue)) &&
9329	    (!sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS))) {
9330		/* can't send a new one if there is one in flight already */
9331		return;
9332	}
9333
9334	/* compose an ASCONF chunk, maximum length is PMTU */
9335	m_asconf = sctp_compose_asconf(stcb, &len, addr_locked);
9336	if (m_asconf == NULL) {
9337		return;
9338	}
9339
9340	sctp_alloc_a_chunk(stcb, chk);
9341	if (chk == NULL) {
9342		/* no memory */
9343		sctp_m_freem(m_asconf);
9344		return;
9345	}
9346
9347	chk->copy_by_ref = 0;
9348	chk->rec.chunk_id.id = SCTP_ASCONF;
9349	chk->rec.chunk_id.can_take_data = 0;
9350	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9351	chk->data = m_asconf;
9352	chk->send_size = len;
9353	chk->sent = SCTP_DATAGRAM_UNSENT;
9354	chk->snd_count = 0;
9355	chk->asoc = &stcb->asoc;
9356	chk->whoTo = net;
9357	if (chk->whoTo) {
9358		atomic_add_int(&chk->whoTo->ref_count, 1);
9359	}
9360	TAILQ_INSERT_TAIL(&chk->asoc->asconf_send_queue, chk, sctp_next);
9361	chk->asoc->ctrl_queue_cnt++;
9362	return;
9363}
9364
9365void
9366sctp_send_asconf_ack(struct sctp_tcb *stcb)
9367{
9368	/*
9369	 * formulate and queue a asconf-ack back to sender. the asconf-ack
9370	 * must be stored in the tcb.
9371	 */
9372	struct sctp_tmit_chunk *chk;
9373	struct sctp_asconf_ack *ack, *latest_ack;
9374	struct mbuf *m_ack;
9375	struct sctp_nets *net = NULL;
9376
9377	SCTP_TCB_LOCK_ASSERT(stcb);
9378	/* Get the latest ASCONF-ACK */
9379	latest_ack = TAILQ_LAST(&stcb->asoc.asconf_ack_sent, sctp_asconf_ackhead);
9380	if (latest_ack == NULL) {
9381		return;
9382	}
9383	if (latest_ack->last_sent_to != NULL &&
9384	    latest_ack->last_sent_to == stcb->asoc.last_control_chunk_from) {
9385		/* we're doing a retransmission */
9386		net = sctp_find_alternate_net(stcb, stcb->asoc.last_control_chunk_from, 0);
9387		if (net == NULL) {
9388			/* no alternate */
9389			if (stcb->asoc.last_control_chunk_from == NULL) {
9390				if (stcb->asoc.alternate) {
9391					net = stcb->asoc.alternate;
9392				} else {
9393					net = stcb->asoc.primary_destination;
9394				}
9395			} else {
9396				net = stcb->asoc.last_control_chunk_from;
9397			}
9398		}
9399	} else {
9400		/* normal case */
9401		if (stcb->asoc.last_control_chunk_from == NULL) {
9402			if (stcb->asoc.alternate) {
9403				net = stcb->asoc.alternate;
9404			} else {
9405				net = stcb->asoc.primary_destination;
9406			}
9407		} else {
9408			net = stcb->asoc.last_control_chunk_from;
9409		}
9410	}
9411	latest_ack->last_sent_to = net;
9412
9413	TAILQ_FOREACH(ack, &stcb->asoc.asconf_ack_sent, next) {
9414		if (ack->data == NULL) {
9415			continue;
9416		}
9417
9418		/* copy the asconf_ack */
9419		m_ack = SCTP_M_COPYM(ack->data, 0, M_COPYALL, M_NOWAIT);
9420		if (m_ack == NULL) {
9421			/* couldn't copy it */
9422			return;
9423		}
9424#ifdef SCTP_MBUF_LOGGING
9425		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9426			sctp_log_mbc(m_ack, SCTP_MBUF_ICOPY);
9427		}
9428#endif
9429
9430		sctp_alloc_a_chunk(stcb, chk);
9431		if (chk == NULL) {
9432			/* no memory */
9433			if (m_ack)
9434				sctp_m_freem(m_ack);
9435			return;
9436		}
9437		chk->copy_by_ref = 0;
9438		chk->rec.chunk_id.id = SCTP_ASCONF_ACK;
9439		chk->rec.chunk_id.can_take_data = 1;
9440		chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9441		chk->whoTo = net;
9442		if (chk->whoTo) {
9443			atomic_add_int(&chk->whoTo->ref_count, 1);
9444		}
9445		chk->data = m_ack;
9446		chk->send_size = ack->len;
9447		chk->sent = SCTP_DATAGRAM_UNSENT;
9448		chk->snd_count = 0;
9449		chk->asoc = &stcb->asoc;
9450
9451		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9452		chk->asoc->ctrl_queue_cnt++;
9453	}
9454	return;
9455}
9456
9457static int
9458sctp_chunk_retransmission(struct sctp_inpcb *inp,
9459    struct sctp_tcb *stcb,
9460    struct sctp_association *asoc,
9461    int *cnt_out, struct timeval *now, int *now_filled, int *fr_done, int so_locked)
9462{
9463	/*-
9464	 * send out one MTU of retransmission. If fast_retransmit is
9465	 * happening we ignore the cwnd. Otherwise we obey the cwnd and
9466	 * rwnd. For a Cookie or Asconf in the control chunk queue we
9467	 * retransmit them by themselves.
9468	 *
9469	 * For data chunks we will pick out the lowest TSN's in the sent_queue
9470	 * marked for resend and bundle them all together (up to a MTU of
9471	 * destination). The address to send to should have been
9472	 * selected/changed where the retransmission was marked (i.e. in FR
9473	 * or t3-timeout routines).
9474	 */
9475	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
9476	struct sctp_tmit_chunk *chk, *fwd;
9477	struct mbuf *m, *endofchain;
9478	struct sctp_nets *net = NULL;
9479	uint32_t tsns_sent = 0;
9480	int no_fragmentflg, bundle_at;
9481	unsigned int mtu;
9482	int error, i, one_chunk, fwd_tsn, ctl_cnt, tmr_started;
9483	struct sctp_auth_chunk *auth = NULL;
9484	uint32_t auth_offset = 0;
9485	uint16_t auth_keyid;
9486	int override_ok = 1;
9487	int data_auth_reqd = 0;
9488	uint32_t dmtu = 0;
9489	bool use_zero_crc;
9490
9491	SCTP_TCB_LOCK_ASSERT(stcb);
9492	tmr_started = ctl_cnt = 0;
9493	no_fragmentflg = 1;
9494	fwd_tsn = 0;
9495	*cnt_out = 0;
9496	fwd = NULL;
9497	endofchain = m = NULL;
9498	auth_keyid = stcb->asoc.authinfo.active_keyid;
9499#ifdef SCTP_AUDITING_ENABLED
9500	sctp_audit_log(0xC3, 1);
9501#endif
9502	if ((TAILQ_EMPTY(&asoc->sent_queue)) &&
9503	    (TAILQ_EMPTY(&asoc->control_send_queue))) {
9504		SCTPDBG(SCTP_DEBUG_OUTPUT1, "SCTP hits empty queue with cnt set to %d?\n",
9505		    asoc->sent_queue_retran_cnt);
9506		asoc->sent_queue_cnt = 0;
9507		asoc->sent_queue_cnt_removeable = 0;
9508		/* send back 0/0 so we enter normal transmission */
9509		*cnt_out = 0;
9510		return (0);
9511	}
9512	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9513		if ((chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) ||
9514		    (chk->rec.chunk_id.id == SCTP_STREAM_RESET) ||
9515		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)) {
9516			if (chk->sent != SCTP_DATAGRAM_RESEND) {
9517				continue;
9518			}
9519			if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
9520				if (chk != asoc->str_reset) {
9521					/*
9522					 * not eligible for retran if its
9523					 * not ours
9524					 */
9525					continue;
9526				}
9527			}
9528			ctl_cnt++;
9529			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
9530				fwd_tsn = 1;
9531			}
9532			/*
9533			 * Add an AUTH chunk, if chunk requires it save the
9534			 * offset into the chain for AUTH
9535			 */
9536			if ((auth == NULL) &&
9537			    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
9538			    stcb->asoc.peer_auth_chunks))) {
9539				m = sctp_add_auth_chunk(m, &endofchain,
9540				    &auth, &auth_offset,
9541				    stcb,
9542				    chk->rec.chunk_id.id);
9543				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9544			}
9545			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9546			break;
9547		}
9548	}
9549	one_chunk = 0;
9550	/* do we have control chunks to retransmit? */
9551	if (m != NULL) {
9552		/* Start a timer no matter if we succeed or fail */
9553		switch (asoc->snd_edmid) {
9554		case SCTP_EDMID_LOWER_LAYER_DTLS:
9555			use_zero_crc = true;
9556			break;
9557		default:
9558			use_zero_crc = false;
9559			break;
9560		}
9561		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
9562			sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, chk->whoTo);
9563			use_zero_crc = false;
9564		} else if (chk->rec.chunk_id.id == SCTP_ASCONF) {
9565			/* XXXMT: Can this happen? */
9566			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, chk->whoTo);
9567			use_zero_crc = false;
9568		}
9569		chk->snd_count++;	/* update our count */
9570		if ((error = sctp_lowlevel_chunk_output(inp, stcb, chk->whoTo,
9571		    (struct sockaddr *)&chk->whoTo->ro._l_addr, m,
9572		    auth_offset, auth, stcb->asoc.authinfo.active_keyid,
9573		    no_fragmentflg, 0, 0,
9574		    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9575		    chk->whoTo->port, NULL,
9576		    0, 0,
9577		    use_zero_crc,
9578		    so_locked))) {
9579			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
9580			if (error == ENOBUFS) {
9581				asoc->ifp_had_enobuf = 1;
9582				SCTP_STAT_INCR(sctps_lowlevelerr);
9583			}
9584			return (error);
9585		} else {
9586			asoc->ifp_had_enobuf = 0;
9587		}
9588		endofchain = NULL;
9589		auth = NULL;
9590		auth_offset = 0;
9591		/*
9592		 * We don't want to mark the net->sent time here since this
9593		 * we use this for HB and retrans cannot measure RTT
9594		 */
9595		/* (void)SCTP_GETTIME_TIMEVAL(&chk->whoTo->last_sent_time); */
9596		*cnt_out += 1;
9597		chk->sent = SCTP_DATAGRAM_SENT;
9598		sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
9599		if (fwd_tsn == 0) {
9600			return (0);
9601		} else {
9602			/* Clean up the fwd-tsn list */
9603			sctp_clean_up_ctl(stcb, asoc, so_locked);
9604			return (0);
9605		}
9606	}
9607	/*
9608	 * Ok, it is just data retransmission we need to do or that and a
9609	 * fwd-tsn with it all.
9610	 */
9611	if (TAILQ_EMPTY(&asoc->sent_queue)) {
9612		return (SCTP_RETRAN_DONE);
9613	}
9614	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED) ||
9615	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT)) {
9616		/* not yet open, resend the cookie and that is it */
9617		return (1);
9618	}
9619#ifdef SCTP_AUDITING_ENABLED
9620	sctp_auditing(20, inp, stcb, NULL);
9621#endif
9622	data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks);
9623	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
9624		if (chk->sent != SCTP_DATAGRAM_RESEND) {
9625			/* No, not sent to this net or not ready for rtx */
9626			continue;
9627		}
9628		if (chk->data == NULL) {
9629			SCTP_PRINTF("TSN:%x chk->snd_count:%d chk->sent:%d can't retran - no data\n",
9630			    chk->rec.data.tsn, chk->snd_count, chk->sent);
9631			continue;
9632		}
9633		if ((SCTP_BASE_SYSCTL(sctp_max_retran_chunk)) &&
9634		    (chk->snd_count >= SCTP_BASE_SYSCTL(sctp_max_retran_chunk))) {
9635			struct mbuf *op_err;
9636			char msg[SCTP_DIAG_INFO_LEN];
9637
9638			SCTP_SNPRINTF(msg, sizeof(msg), "TSN %8.8x retransmitted %d times, giving up",
9639			    chk->rec.data.tsn, chk->snd_count);
9640			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
9641			    msg);
9642			atomic_add_int(&stcb->asoc.refcnt, 1);
9643			sctp_abort_an_association(stcb->sctp_ep, stcb, op_err,
9644			    false, so_locked);
9645			SCTP_TCB_LOCK(stcb);
9646			atomic_subtract_int(&stcb->asoc.refcnt, 1);
9647			return (SCTP_RETRAN_EXIT);
9648		}
9649		/* pick up the net */
9650		net = chk->whoTo;
9651		switch (net->ro._l_addr.sa.sa_family) {
9652#ifdef INET
9653		case AF_INET:
9654			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
9655			break;
9656#endif
9657#ifdef INET6
9658		case AF_INET6:
9659			mtu = net->mtu - SCTP_MIN_OVERHEAD;
9660			break;
9661#endif
9662		default:
9663			/* TSNH */
9664			mtu = net->mtu;
9665			break;
9666		}
9667
9668		if ((asoc->peers_rwnd < mtu) && (asoc->total_flight > 0)) {
9669			/* No room in peers rwnd */
9670			uint32_t tsn;
9671
9672			tsn = asoc->last_acked_seq + 1;
9673			if (tsn == chk->rec.data.tsn) {
9674				/*
9675				 * we make a special exception for this
9676				 * case. The peer has no rwnd but is missing
9677				 * the lowest chunk.. which is probably what
9678				 * is holding up the rwnd.
9679				 */
9680				goto one_chunk_around;
9681			}
9682			return (1);
9683		}
9684one_chunk_around:
9685		if (asoc->peers_rwnd < mtu) {
9686			one_chunk = 1;
9687			if ((asoc->peers_rwnd == 0) &&
9688			    (asoc->total_flight == 0)) {
9689				chk->window_probe = 1;
9690				chk->whoTo->window_probe = 1;
9691			}
9692		}
9693#ifdef SCTP_AUDITING_ENABLED
9694		sctp_audit_log(0xC3, 2);
9695#endif
9696		bundle_at = 0;
9697		m = NULL;
9698		net->fast_retran_ip = 0;
9699		if (chk->rec.data.doing_fast_retransmit == 0) {
9700			/*
9701			 * if no FR in progress skip destination that have
9702			 * flight_size > cwnd.
9703			 */
9704			if (net->flight_size >= net->cwnd) {
9705				continue;
9706			}
9707		} else {
9708			/*
9709			 * Mark the destination net to have FR recovery
9710			 * limits put on it.
9711			 */
9712			*fr_done = 1;
9713			net->fast_retran_ip = 1;
9714		}
9715
9716		/*
9717		 * if no AUTH is yet included and this chunk requires it,
9718		 * make sure to account for it.  We don't apply the size
9719		 * until the AUTH chunk is actually added below in case
9720		 * there is no room for this chunk.
9721		 */
9722		if (data_auth_reqd && (auth == NULL)) {
9723			dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9724		} else
9725			dmtu = 0;
9726
9727		if ((chk->send_size <= (mtu - dmtu)) ||
9728		    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
9729			/* ok we will add this one */
9730			if (data_auth_reqd) {
9731				if (auth == NULL) {
9732					m = sctp_add_auth_chunk(m,
9733					    &endofchain,
9734					    &auth,
9735					    &auth_offset,
9736					    stcb,
9737					    SCTP_DATA);
9738					auth_keyid = chk->auth_keyid;
9739					override_ok = 0;
9740					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9741				} else if (override_ok) {
9742					auth_keyid = chk->auth_keyid;
9743					override_ok = 0;
9744				} else if (chk->auth_keyid != auth_keyid) {
9745					/* different keyid, so done bundling */
9746					break;
9747				}
9748			}
9749			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9750			if (m == NULL) {
9751				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9752				return (ENOMEM);
9753			}
9754			/* Do clear IP_DF ? */
9755			if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9756				no_fragmentflg = 0;
9757			}
9758			/* update our MTU size */
9759			if (mtu > (chk->send_size + dmtu))
9760				mtu -= (chk->send_size + dmtu);
9761			else
9762				mtu = 0;
9763			data_list[bundle_at++] = chk;
9764			if (one_chunk && (asoc->total_flight <= 0)) {
9765				SCTP_STAT_INCR(sctps_windowprobed);
9766			}
9767		}
9768		if (one_chunk == 0) {
9769			/*
9770			 * now are there anymore forward from chk to pick
9771			 * up?
9772			 */
9773			for (fwd = TAILQ_NEXT(chk, sctp_next); fwd != NULL; fwd = TAILQ_NEXT(fwd, sctp_next)) {
9774				if (fwd->sent != SCTP_DATAGRAM_RESEND) {
9775					/* Nope, not for retran */
9776					continue;
9777				}
9778				if (fwd->whoTo != net) {
9779					/* Nope, not the net in question */
9780					continue;
9781				}
9782				if (data_auth_reqd && (auth == NULL)) {
9783					dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9784				} else
9785					dmtu = 0;
9786				if (fwd->send_size <= (mtu - dmtu)) {
9787					if (data_auth_reqd) {
9788						if (auth == NULL) {
9789							m = sctp_add_auth_chunk(m,
9790							    &endofchain,
9791							    &auth,
9792							    &auth_offset,
9793							    stcb,
9794							    SCTP_DATA);
9795							auth_keyid = fwd->auth_keyid;
9796							override_ok = 0;
9797							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9798						} else if (override_ok) {
9799							auth_keyid = fwd->auth_keyid;
9800							override_ok = 0;
9801						} else if (fwd->auth_keyid != auth_keyid) {
9802							/*
9803							 * different keyid,
9804							 * so done bundling
9805							 */
9806							break;
9807						}
9808					}
9809					m = sctp_copy_mbufchain(fwd->data, m, &endofchain, 0, fwd->send_size, fwd->copy_by_ref);
9810					if (m == NULL) {
9811						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9812						return (ENOMEM);
9813					}
9814					/* Do clear IP_DF ? */
9815					if (fwd->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9816						no_fragmentflg = 0;
9817					}
9818					/* update our MTU size */
9819					if (mtu > (fwd->send_size + dmtu))
9820						mtu -= (fwd->send_size + dmtu);
9821					else
9822						mtu = 0;
9823					data_list[bundle_at++] = fwd;
9824					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
9825						break;
9826					}
9827				} else {
9828					/* can't fit so we are done */
9829					break;
9830				}
9831			}
9832		}
9833		/* Is there something to send for this destination? */
9834		if (m) {
9835			/*
9836			 * No matter if we fail/or succeed we should start a
9837			 * timer. A failure is like a lost IP packet :-)
9838			 */
9839			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9840				/*
9841				 * no timer running on this destination
9842				 * restart it.
9843				 */
9844				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9845				tmr_started = 1;
9846			}
9847			switch (asoc->snd_edmid) {
9848			case SCTP_EDMID_LOWER_LAYER_DTLS:
9849				use_zero_crc = true;
9850				break;
9851			default:
9852				use_zero_crc = false;
9853				break;
9854			}
9855			/* Now lets send it, if there is anything to send :> */
9856			if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
9857			    (struct sockaddr *)&net->ro._l_addr, m,
9858			    auth_offset, auth, auth_keyid,
9859			    no_fragmentflg, 0, 0,
9860			    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9861			    net->port, NULL,
9862			    0, 0,
9863			    use_zero_crc,
9864			    so_locked))) {
9865				/* error, we could not output */
9866				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
9867				if (error == ENOBUFS) {
9868					asoc->ifp_had_enobuf = 1;
9869					SCTP_STAT_INCR(sctps_lowlevelerr);
9870				}
9871				return (error);
9872			} else {
9873				asoc->ifp_had_enobuf = 0;
9874			}
9875			endofchain = NULL;
9876			auth = NULL;
9877			auth_offset = 0;
9878			/* For HB's */
9879			/*
9880			 * We don't want to mark the net->sent time here
9881			 * since this we use this for HB and retrans cannot
9882			 * measure RTT
9883			 */
9884			/* (void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time); */
9885
9886			/* For auto-close */
9887			if (*now_filled == 0) {
9888				(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
9889				*now = asoc->time_last_sent;
9890				*now_filled = 1;
9891			} else {
9892				asoc->time_last_sent = *now;
9893			}
9894			*cnt_out += bundle_at;
9895#ifdef SCTP_AUDITING_ENABLED
9896			sctp_audit_log(0xC4, bundle_at);
9897#endif
9898			if (bundle_at) {
9899				tsns_sent = data_list[0]->rec.data.tsn;
9900			}
9901			for (i = 0; i < bundle_at; i++) {
9902				SCTP_STAT_INCR(sctps_sendretransdata);
9903				data_list[i]->sent = SCTP_DATAGRAM_SENT;
9904				/*
9905				 * When we have a revoked data, and we
9906				 * retransmit it, then we clear the revoked
9907				 * flag since this flag dictates if we
9908				 * subtracted from the fs
9909				 */
9910				if (data_list[i]->rec.data.chunk_was_revoked) {
9911					/* Deflate the cwnd */
9912					data_list[i]->whoTo->cwnd -= data_list[i]->book_size;
9913					data_list[i]->rec.data.chunk_was_revoked = 0;
9914				}
9915				data_list[i]->snd_count++;
9916				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
9917				/* record the time */
9918				data_list[i]->sent_rcv_time = asoc->time_last_sent;
9919				if (data_list[i]->book_size_scale) {
9920					/*
9921					 * need to double the book size on
9922					 * this one
9923					 */
9924					data_list[i]->book_size_scale = 0;
9925					/*
9926					 * Since we double the booksize, we
9927					 * must also double the output queue
9928					 * size, since this get shrunk when
9929					 * we free by this amount.
9930					 */
9931					atomic_add_int(&((asoc)->total_output_queue_size), data_list[i]->book_size);
9932					data_list[i]->book_size *= 2;
9933				} else {
9934					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
9935						sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
9936						    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
9937					}
9938					asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
9939					    (uint32_t)(data_list[i]->send_size +
9940					    SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
9941				}
9942				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
9943					sctp_misc_ints(SCTP_FLIGHT_LOG_UP_RSND,
9944					    data_list[i]->whoTo->flight_size,
9945					    data_list[i]->book_size,
9946					    (uint32_t)(uintptr_t)data_list[i]->whoTo,
9947					    data_list[i]->rec.data.tsn);
9948				}
9949				sctp_flight_size_increase(data_list[i]);
9950				sctp_total_flight_increase(stcb, data_list[i]);
9951				if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
9952					/* SWS sender side engages */
9953					asoc->peers_rwnd = 0;
9954				}
9955				if ((i == 0) &&
9956				    (data_list[i]->rec.data.doing_fast_retransmit)) {
9957					SCTP_STAT_INCR(sctps_sendfastretrans);
9958					if ((data_list[i] == TAILQ_FIRST(&asoc->sent_queue)) &&
9959					    (tmr_started == 0)) {
9960						/*-
9961						 * ok we just fast-retrans'd
9962						 * the lowest TSN, i.e the
9963						 * first on the list. In
9964						 * this case we want to give
9965						 * some more time to get a
9966						 * SACK back without a
9967						 * t3-expiring.
9968						 */
9969						sctp_timer_stop(SCTP_TIMER_TYPE_SEND, inp, stcb, net,
9970						    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_2);
9971						sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9972					}
9973				}
9974			}
9975			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9976				sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_RESEND);
9977			}
9978#ifdef SCTP_AUDITING_ENABLED
9979			sctp_auditing(21, inp, stcb, NULL);
9980#endif
9981		} else {
9982			/* None will fit */
9983			return (1);
9984		}
9985		if (asoc->sent_queue_retran_cnt <= 0) {
9986			/* all done we have no more to retran */
9987			asoc->sent_queue_retran_cnt = 0;
9988			break;
9989		}
9990		if (one_chunk) {
9991			/* No more room in rwnd */
9992			return (1);
9993		}
9994		/* stop the for loop here. we sent out a packet */
9995		break;
9996	}
9997	return (0);
9998}
9999
10000static void
10001sctp_timer_validation(struct sctp_inpcb *inp,
10002    struct sctp_tcb *stcb,
10003    struct sctp_association *asoc)
10004{
10005	struct sctp_nets *net;
10006
10007	/* Validate that a timer is running somewhere */
10008	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10009		if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
10010			/* Here is a timer */
10011			return;
10012		}
10013	}
10014	SCTP_TCB_LOCK_ASSERT(stcb);
10015	/* Gak, we did not have a timer somewhere */
10016	SCTPDBG(SCTP_DEBUG_OUTPUT3, "Deadlock avoided starting timer on a dest at retran\n");
10017	if (asoc->alternate) {
10018		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->alternate);
10019	} else {
10020		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->primary_destination);
10021	}
10022	return;
10023}
10024
10025void
10026sctp_chunk_output(struct sctp_inpcb *inp,
10027    struct sctp_tcb *stcb,
10028    int from_where,
10029    int so_locked)
10030{
10031	/*-
10032	 * Ok this is the generic chunk service queue. we must do the
10033	 * following:
10034	 * - See if there are retransmits pending, if so we must
10035	 *   do these first.
10036	 * - Service the stream queue that is next, moving any
10037	 *   message (note I must get a complete message i.e.
10038	 *   FIRST/MIDDLE and LAST to the out queue in one pass) and assigning
10039	 *   TSN's
10040	 * - Check to see if the cwnd/rwnd allows any output, if so we
10041	 *   go ahead and formulate and send the low level chunks. Making sure
10042	 *   to combine any control in the control chunk queue also.
10043	 */
10044	struct sctp_association *asoc;
10045	struct sctp_nets *net;
10046	int error = 0, num_out, tot_out = 0, ret = 0, reason_code;
10047	unsigned int burst_cnt = 0;
10048	struct timeval now;
10049	int now_filled = 0;
10050	int nagle_on;
10051	uint32_t frag_point = sctp_get_frag_point(stcb);
10052	int un_sent = 0;
10053	int fr_done;
10054	unsigned int tot_frs = 0;
10055
10056	asoc = &stcb->asoc;
10057do_it_again:
10058	/* The Nagle algorithm is only applied when handling a send call. */
10059	if (from_where == SCTP_OUTPUT_FROM_USR_SEND) {
10060		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NODELAY)) {
10061			nagle_on = 0;
10062		} else {
10063			nagle_on = 1;
10064		}
10065	} else {
10066		nagle_on = 0;
10067	}
10068	SCTP_TCB_LOCK_ASSERT(stcb);
10069
10070	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
10071
10072	if ((un_sent <= 0) &&
10073	    (TAILQ_EMPTY(&asoc->control_send_queue)) &&
10074	    (TAILQ_EMPTY(&asoc->asconf_send_queue)) &&
10075	    (asoc->sent_queue_retran_cnt == 0) &&
10076	    (asoc->trigger_reset == 0)) {
10077		/* Nothing to do unless there is something to be sent left */
10078		return;
10079	}
10080	/*
10081	 * Do we have something to send, data or control AND a sack timer
10082	 * running, if so piggy-back the sack.
10083	 */
10084	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
10085		sctp_send_sack(stcb, so_locked);
10086		sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL,
10087		    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_3);
10088	}
10089	while (asoc->sent_queue_retran_cnt) {
10090		/*-
10091		 * Ok, it is retransmission time only, we send out only ONE
10092		 * packet with a single call off to the retran code.
10093		 */
10094		if (from_where == SCTP_OUTPUT_FROM_COOKIE_ACK) {
10095			/*-
10096			 * Special hook for handling cookies discarded
10097			 * by peer that carried data. Send cookie-ack only
10098			 * and then the next call with get the retran's.
10099			 */
10100			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10101			    from_where,
10102			    &now, &now_filled, frag_point, so_locked);
10103			return;
10104		} else if (from_where != SCTP_OUTPUT_FROM_HB_TMR) {
10105			/* if its not from a HB then do it */
10106			fr_done = 0;
10107			ret = sctp_chunk_retransmission(inp, stcb, asoc, &num_out, &now, &now_filled, &fr_done, so_locked);
10108			if (fr_done) {
10109				tot_frs++;
10110			}
10111		} else {
10112			/*
10113			 * its from any other place, we don't allow retran
10114			 * output (only control)
10115			 */
10116			ret = 1;
10117		}
10118		if (ret > 0) {
10119			/* Can't send anymore */
10120			/*-
10121			 * now lets push out control by calling med-level
10122			 * output once. this assures that we WILL send HB's
10123			 * if queued too.
10124			 */
10125			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10126			    from_where,
10127			    &now, &now_filled, frag_point, so_locked);
10128#ifdef SCTP_AUDITING_ENABLED
10129			sctp_auditing(8, inp, stcb, NULL);
10130#endif
10131			sctp_timer_validation(inp, stcb, asoc);
10132			return;
10133		}
10134		if (ret < 0) {
10135			/*-
10136			 * The count was off.. retran is not happening so do
10137			 * the normal retransmission.
10138			 */
10139#ifdef SCTP_AUDITING_ENABLED
10140			sctp_auditing(9, inp, stcb, NULL);
10141#endif
10142			if (ret == SCTP_RETRAN_EXIT) {
10143				return;
10144			}
10145			break;
10146		}
10147		if (from_where == SCTP_OUTPUT_FROM_T3) {
10148			/* Only one transmission allowed out of a timeout */
10149#ifdef SCTP_AUDITING_ENABLED
10150			sctp_auditing(10, inp, stcb, NULL);
10151#endif
10152			/* Push out any control */
10153			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1, from_where,
10154			    &now, &now_filled, frag_point, so_locked);
10155			return;
10156		}
10157		if ((asoc->fr_max_burst > 0) && (tot_frs >= asoc->fr_max_burst)) {
10158			/* Hit FR burst limit */
10159			return;
10160		}
10161		if ((num_out == 0) && (ret == 0)) {
10162			/* No more retrans to send */
10163			break;
10164		}
10165	}
10166#ifdef SCTP_AUDITING_ENABLED
10167	sctp_auditing(12, inp, stcb, NULL);
10168#endif
10169	/* Check for bad destinations, if they exist move chunks around. */
10170	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10171		if ((net->dest_state & SCTP_ADDR_REACHABLE) == 0) {
10172			/*-
10173			 * if possible move things off of this address we
10174			 * still may send below due to the dormant state but
10175			 * we try to find an alternate address to send to
10176			 * and if we have one we move all queued data on the
10177			 * out wheel to this alternate address.
10178			 */
10179			if (net->ref_count > 1)
10180				sctp_move_chunks_from_net(stcb, net);
10181		} else {
10182			/*-
10183			 * if ((asoc->sat_network) || (net->addr_is_local))
10184			 * { burst_limit = asoc->max_burst *
10185			 * SCTP_SAT_NETWORK_BURST_INCR; }
10186			 */
10187			if (asoc->max_burst > 0) {
10188				if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst)) {
10189					if ((net->flight_size + (asoc->max_burst * net->mtu)) < net->cwnd) {
10190						/*
10191						 * JRS - Use the congestion
10192						 * control given in the
10193						 * congestion control module
10194						 */
10195						asoc->cc_functions.sctp_cwnd_update_after_output(stcb, net, asoc->max_burst);
10196						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10197							sctp_log_maxburst(stcb, net, 0, asoc->max_burst, SCTP_MAX_BURST_APPLIED);
10198						}
10199						SCTP_STAT_INCR(sctps_maxburstqueued);
10200					}
10201					net->fast_retran_ip = 0;
10202				} else {
10203					if (net->flight_size == 0) {
10204						/*
10205						 * Should be decaying the
10206						 * cwnd here
10207						 */
10208						;
10209					}
10210				}
10211			}
10212		}
10213	}
10214	burst_cnt = 0;
10215	do {
10216		error = sctp_med_chunk_output(inp, stcb, asoc, &num_out,
10217		    &reason_code, 0, from_where,
10218		    &now, &now_filled, frag_point, so_locked);
10219		if (error) {
10220			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Error %d was returned from med-c-op\n", error);
10221			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10222				sctp_log_maxburst(stcb, asoc->primary_destination, error, burst_cnt, SCTP_MAX_BURST_ERROR_STOP);
10223			}
10224			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10225				sctp_log_cwnd(stcb, NULL, error, SCTP_SEND_NOW_COMPLETES);
10226				sctp_log_cwnd(stcb, NULL, 0xdeadbeef, SCTP_SEND_NOW_COMPLETES);
10227			}
10228			break;
10229		}
10230		SCTPDBG(SCTP_DEBUG_OUTPUT3, "m-c-o put out %d\n", num_out);
10231
10232		tot_out += num_out;
10233		burst_cnt++;
10234		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10235			sctp_log_cwnd(stcb, NULL, num_out, SCTP_SEND_NOW_COMPLETES);
10236			if (num_out == 0) {
10237				sctp_log_cwnd(stcb, NULL, reason_code, SCTP_SEND_NOW_COMPLETES);
10238			}
10239		}
10240		if (nagle_on) {
10241			/*
10242			 * When the Nagle algorithm is used, look at how
10243			 * much is unsent, then if its smaller than an MTU
10244			 * and we have data in flight we stop, except if we
10245			 * are handling a fragmented user message.
10246			 */
10247			un_sent = stcb->asoc.total_output_queue_size - stcb->asoc.total_flight;
10248			if ((un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD)) &&
10249			    (stcb->asoc.total_flight > 0)) {
10250/*	&&		     sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {*/
10251				break;
10252			}
10253		}
10254		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
10255		    TAILQ_EMPTY(&asoc->send_queue) &&
10256		    sctp_is_there_unsent_data(stcb, so_locked) == 0) {
10257			/* Nothing left to send */
10258			break;
10259		}
10260		if ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) <= 0) {
10261			/* Nothing left to send */
10262			break;
10263		}
10264	} while (num_out &&
10265	    ((asoc->max_burst == 0) ||
10266	    SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) ||
10267	    (burst_cnt < asoc->max_burst)));
10268
10269	if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) == 0) {
10270		if ((asoc->max_burst > 0) && (burst_cnt >= asoc->max_burst)) {
10271			SCTP_STAT_INCR(sctps_maxburstqueued);
10272			asoc->burst_limit_applied = 1;
10273			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10274				sctp_log_maxburst(stcb, asoc->primary_destination, 0, burst_cnt, SCTP_MAX_BURST_APPLIED);
10275			}
10276		} else {
10277			asoc->burst_limit_applied = 0;
10278		}
10279	}
10280	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10281		sctp_log_cwnd(stcb, NULL, tot_out, SCTP_SEND_NOW_COMPLETES);
10282	}
10283	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, we have put out %d chunks\n",
10284	    tot_out);
10285
10286	/*-
10287	 * Now we need to clean up the control chunk chain if a ECNE is on
10288	 * it. It must be marked as UNSENT again so next call will continue
10289	 * to send it until such time that we get a CWR, to remove it.
10290	 */
10291	if (stcb->asoc.ecn_echo_cnt_onq)
10292		sctp_fix_ecn_echo(asoc);
10293
10294	if (stcb->asoc.trigger_reset) {
10295		if (sctp_send_stream_reset_out_if_possible(stcb, so_locked) == 0) {
10296			goto do_it_again;
10297		}
10298	}
10299	return;
10300}
10301
10302int
10303sctp_output(
10304    struct sctp_inpcb *inp,
10305    struct mbuf *m,
10306    struct sockaddr *addr,
10307    struct mbuf *control,
10308    struct thread *p,
10309    int flags)
10310{
10311	if (inp == NULL) {
10312		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10313		return (EINVAL);
10314	}
10315
10316	if (inp->sctp_socket == NULL) {
10317		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10318		return (EINVAL);
10319	}
10320	return (sctp_sosend(inp->sctp_socket,
10321	    addr,
10322	    (struct uio *)NULL,
10323	    m,
10324	    control,
10325	    flags, p
10326	    ));
10327}
10328
10329void
10330send_forward_tsn(struct sctp_tcb *stcb,
10331    struct sctp_association *asoc)
10332{
10333	struct sctp_tmit_chunk *chk, *at, *tp1, *last;
10334	struct sctp_forward_tsn_chunk *fwdtsn;
10335	struct sctp_strseq *strseq;
10336	struct sctp_strseq_mid *strseq_m;
10337	uint32_t advance_peer_ack_point;
10338	unsigned int cnt_of_space, i, ovh;
10339	unsigned int space_needed;
10340	unsigned int cnt_of_skipped = 0;
10341
10342	SCTP_TCB_LOCK_ASSERT(stcb);
10343	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10344		if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
10345			/* mark it to unsent */
10346			chk->sent = SCTP_DATAGRAM_UNSENT;
10347			chk->snd_count = 0;
10348			/* Do we correct its output location? */
10349			if (chk->whoTo) {
10350				sctp_free_remote_addr(chk->whoTo);
10351				chk->whoTo = NULL;
10352			}
10353			goto sctp_fill_in_rest;
10354		}
10355	}
10356	/* Ok if we reach here we must build one */
10357	sctp_alloc_a_chunk(stcb, chk);
10358	if (chk == NULL) {
10359		return;
10360	}
10361	asoc->fwd_tsn_cnt++;
10362	chk->copy_by_ref = 0;
10363	/*
10364	 * We don't do the old thing here since this is used not for on-wire
10365	 * but to tell if we are sending a fwd-tsn by the stack during
10366	 * output. And if its a IFORWARD or a FORWARD it is a fwd-tsn.
10367	 */
10368	chk->rec.chunk_id.id = SCTP_FORWARD_CUM_TSN;
10369	chk->rec.chunk_id.can_take_data = 0;
10370	chk->flags = 0;
10371	chk->asoc = asoc;
10372	chk->whoTo = NULL;
10373	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
10374	if (chk->data == NULL) {
10375		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
10376		return;
10377	}
10378	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10379	chk->sent = SCTP_DATAGRAM_UNSENT;
10380	chk->snd_count = 0;
10381	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
10382	asoc->ctrl_queue_cnt++;
10383sctp_fill_in_rest:
10384	/*-
10385	 * Here we go through and fill out the part that deals with
10386	 * stream/seq of the ones we skip.
10387	 */
10388	SCTP_BUF_LEN(chk->data) = 0;
10389	TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
10390		if ((at->sent != SCTP_FORWARD_TSN_SKIP) &&
10391		    (at->sent != SCTP_DATAGRAM_NR_ACKED)) {
10392			/* no more to look at */
10393			break;
10394		}
10395		if (!asoc->idata_supported && (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED)) {
10396			/* We don't report these */
10397			continue;
10398		}
10399		cnt_of_skipped++;
10400	}
10401	if (asoc->idata_supported) {
10402		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
10403		    (cnt_of_skipped * sizeof(struct sctp_strseq_mid)));
10404	} else {
10405		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
10406		    (cnt_of_skipped * sizeof(struct sctp_strseq)));
10407	}
10408	cnt_of_space = (unsigned int)M_TRAILINGSPACE(chk->data);
10409
10410	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
10411		ovh = SCTP_MIN_OVERHEAD;
10412	} else {
10413		ovh = SCTP_MIN_V4_OVERHEAD;
10414	}
10415	if (cnt_of_space > (asoc->smallest_mtu - ovh)) {
10416		/* trim to a mtu size */
10417		cnt_of_space = asoc->smallest_mtu - ovh;
10418	}
10419	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10420		sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10421		    0xff, 0, cnt_of_skipped,
10422		    asoc->advanced_peer_ack_point);
10423	}
10424	advance_peer_ack_point = asoc->advanced_peer_ack_point;
10425	if (cnt_of_space < space_needed) {
10426		/*-
10427		 * ok we must trim down the chunk by lowering the
10428		 * advance peer ack point.
10429		 */
10430		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10431			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10432			    0xff, 0xff, cnt_of_space,
10433			    space_needed);
10434		}
10435		cnt_of_skipped = cnt_of_space - sizeof(struct sctp_forward_tsn_chunk);
10436		if (asoc->idata_supported) {
10437			cnt_of_skipped /= sizeof(struct sctp_strseq_mid);
10438		} else {
10439			cnt_of_skipped /= sizeof(struct sctp_strseq);
10440		}
10441		/*-
10442		 * Go through and find the TSN that will be the one
10443		 * we report.
10444		 */
10445		at = TAILQ_FIRST(&asoc->sent_queue);
10446		if (at != NULL) {
10447			for (i = 0; i < cnt_of_skipped; i++) {
10448				tp1 = TAILQ_NEXT(at, sctp_next);
10449				if (tp1 == NULL) {
10450					break;
10451				}
10452				at = tp1;
10453			}
10454		}
10455		if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10456			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10457			    0xff, cnt_of_skipped, at->rec.data.tsn,
10458			    asoc->advanced_peer_ack_point);
10459		}
10460		last = at;
10461		/*-
10462		 * last now points to last one I can report, update
10463		 * peer ack point
10464		 */
10465		if (last) {
10466			advance_peer_ack_point = last->rec.data.tsn;
10467		}
10468		if (asoc->idata_supported) {
10469			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
10470			    cnt_of_skipped * sizeof(struct sctp_strseq_mid);
10471		} else {
10472			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
10473			    cnt_of_skipped * sizeof(struct sctp_strseq);
10474		}
10475	}
10476	chk->send_size = space_needed;
10477	/* Setup the chunk */
10478	fwdtsn = mtod(chk->data, struct sctp_forward_tsn_chunk *);
10479	fwdtsn->ch.chunk_length = htons(chk->send_size);
10480	fwdtsn->ch.chunk_flags = 0;
10481	if (asoc->idata_supported) {
10482		fwdtsn->ch.chunk_type = SCTP_IFORWARD_CUM_TSN;
10483	} else {
10484		fwdtsn->ch.chunk_type = SCTP_FORWARD_CUM_TSN;
10485	}
10486	fwdtsn->new_cumulative_tsn = htonl(advance_peer_ack_point);
10487	SCTP_BUF_LEN(chk->data) = chk->send_size;
10488	fwdtsn++;
10489	/*-
10490	 * Move pointer to after the fwdtsn and transfer to the
10491	 * strseq pointer.
10492	 */
10493	if (asoc->idata_supported) {
10494		strseq_m = (struct sctp_strseq_mid *)fwdtsn;
10495		strseq = NULL;
10496	} else {
10497		strseq = (struct sctp_strseq *)fwdtsn;
10498		strseq_m = NULL;
10499	}
10500	/*-
10501	 * Now populate the strseq list. This is done blindly
10502	 * without pulling out duplicate stream info. This is
10503	 * inefficient but won't harm the process since the peer will
10504	 * look at these in sequence and will thus release anything.
10505	 * It could mean we exceed the PMTU and chop off some that
10506	 * we could have included.. but this is unlikely (aka 1432/4
10507	 * would mean 300+ stream seq's would have to be reported in
10508	 * one FWD-TSN. With a bit of work we can later FIX this to
10509	 * optimize and pull out duplicates.. but it does add more
10510	 * overhead. So for now... not!
10511	 */
10512	i = 0;
10513	TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
10514		if (i >= cnt_of_skipped) {
10515			break;
10516		}
10517		if (!asoc->idata_supported && (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED)) {
10518			/* We don't report these */
10519			continue;
10520		}
10521		if (at->rec.data.tsn == advance_peer_ack_point) {
10522			at->rec.data.fwd_tsn_cnt = 0;
10523		}
10524		if (asoc->idata_supported) {
10525			strseq_m->sid = htons(at->rec.data.sid);
10526			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
10527				strseq_m->flags = htons(PR_SCTP_UNORDERED_FLAG);
10528			} else {
10529				strseq_m->flags = 0;
10530			}
10531			strseq_m->mid = htonl(at->rec.data.mid);
10532			strseq_m++;
10533		} else {
10534			strseq->sid = htons(at->rec.data.sid);
10535			strseq->ssn = htons((uint16_t)at->rec.data.mid);
10536			strseq++;
10537		}
10538		i++;
10539	}
10540	return;
10541}
10542
10543void
10544sctp_send_sack(struct sctp_tcb *stcb, int so_locked)
10545{
10546	/*-
10547	 * Queue up a SACK or NR-SACK in the control queue.
10548	 * We must first check to see if a SACK or NR-SACK is
10549	 * somehow on the control queue.
10550	 * If so, we will take and and remove the old one.
10551	 */
10552	struct sctp_association *asoc;
10553	struct sctp_tmit_chunk *chk, *a_chk;
10554	struct sctp_sack_chunk *sack;
10555	struct sctp_nr_sack_chunk *nr_sack;
10556	struct sctp_gap_ack_block *gap_descriptor;
10557	const struct sack_track *selector;
10558	int mergeable = 0;
10559	int offset;
10560	caddr_t limit;
10561	uint32_t *dup;
10562	int limit_reached = 0;
10563	unsigned int i, siz, j;
10564	unsigned int num_gap_blocks = 0, num_nr_gap_blocks = 0, space;
10565	int num_dups = 0;
10566	int space_req;
10567	uint32_t highest_tsn;
10568	uint8_t flags;
10569	uint8_t type;
10570	uint8_t tsn_map;
10571
10572	if (stcb->asoc.nrsack_supported == 1) {
10573		type = SCTP_NR_SELECTIVE_ACK;
10574	} else {
10575		type = SCTP_SELECTIVE_ACK;
10576	}
10577	a_chk = NULL;
10578	asoc = &stcb->asoc;
10579	SCTP_TCB_LOCK_ASSERT(stcb);
10580	if (asoc->last_data_chunk_from == NULL) {
10581		/* Hmm we never received anything */
10582		return;
10583	}
10584	sctp_slide_mapping_arrays(stcb);
10585	sctp_set_rwnd(stcb, asoc);
10586	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10587		if (chk->rec.chunk_id.id == type) {
10588			/* Hmm, found a sack already on queue, remove it */
10589			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
10590			asoc->ctrl_queue_cnt--;
10591			a_chk = chk;
10592			if (a_chk->data) {
10593				sctp_m_freem(a_chk->data);
10594				a_chk->data = NULL;
10595			}
10596			if (a_chk->whoTo) {
10597				sctp_free_remote_addr(a_chk->whoTo);
10598				a_chk->whoTo = NULL;
10599			}
10600			break;
10601		}
10602	}
10603	if (a_chk == NULL) {
10604		sctp_alloc_a_chunk(stcb, a_chk);
10605		if (a_chk == NULL) {
10606			/* No memory so we drop the idea, and set a timer */
10607			if (stcb->asoc.delayed_ack) {
10608				sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10609				    stcb->sctp_ep, stcb, NULL,
10610				    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_4);
10611				sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10612				    stcb->sctp_ep, stcb, NULL);
10613			} else {
10614				stcb->asoc.send_sack = 1;
10615			}
10616			return;
10617		}
10618		a_chk->copy_by_ref = 0;
10619		a_chk->rec.chunk_id.id = type;
10620		a_chk->rec.chunk_id.can_take_data = 1;
10621	}
10622	/* Clear our pkt counts */
10623	asoc->data_pkts_seen = 0;
10624
10625	a_chk->flags = 0;
10626	a_chk->asoc = asoc;
10627	a_chk->snd_count = 0;
10628	a_chk->send_size = 0;	/* fill in later */
10629	a_chk->sent = SCTP_DATAGRAM_UNSENT;
10630	a_chk->whoTo = NULL;
10631
10632	if ((asoc->last_data_chunk_from->dest_state & SCTP_ADDR_REACHABLE) == 0) {
10633		/*-
10634		 * Ok, the destination for the SACK is unreachable, lets see if
10635		 * we can select an alternate to asoc->last_data_chunk_from
10636		 */
10637		a_chk->whoTo = sctp_find_alternate_net(stcb, asoc->last_data_chunk_from, 0);
10638		if (a_chk->whoTo == NULL) {
10639			/* Nope, no alternate */
10640			a_chk->whoTo = asoc->last_data_chunk_from;
10641		}
10642	} else {
10643		a_chk->whoTo = asoc->last_data_chunk_from;
10644	}
10645	if (a_chk->whoTo) {
10646		atomic_add_int(&a_chk->whoTo->ref_count, 1);
10647	}
10648	if (SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->highest_tsn_inside_nr_map)) {
10649		highest_tsn = asoc->highest_tsn_inside_map;
10650	} else {
10651		highest_tsn = asoc->highest_tsn_inside_nr_map;
10652	}
10653	if (highest_tsn == asoc->cumulative_tsn) {
10654		/* no gaps */
10655		if (type == SCTP_SELECTIVE_ACK) {
10656			space_req = sizeof(struct sctp_sack_chunk);
10657		} else {
10658			space_req = sizeof(struct sctp_nr_sack_chunk);
10659		}
10660	} else {
10661		/* gaps get a cluster */
10662		space_req = MCLBYTES;
10663	}
10664	/* Ok now lets formulate a MBUF with our sack */
10665	a_chk->data = sctp_get_mbuf_for_msg(space_req, 0, M_NOWAIT, 1, MT_DATA);
10666	if ((a_chk->data == NULL) ||
10667	    (a_chk->whoTo == NULL)) {
10668		/* rats, no mbuf memory */
10669		if (a_chk->data) {
10670			/* was a problem with the destination */
10671			sctp_m_freem(a_chk->data);
10672			a_chk->data = NULL;
10673		}
10674		sctp_free_a_chunk(stcb, a_chk, so_locked);
10675		/* sa_ignore NO_NULL_CHK */
10676		if (stcb->asoc.delayed_ack) {
10677			sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10678			    stcb->sctp_ep, stcb, NULL,
10679			    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_5);
10680			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10681			    stcb->sctp_ep, stcb, NULL);
10682		} else {
10683			stcb->asoc.send_sack = 1;
10684		}
10685		return;
10686	}
10687	/* ok, lets go through and fill it in */
10688	SCTP_BUF_RESV_UF(a_chk->data, SCTP_MIN_OVERHEAD);
10689	space = (unsigned int)M_TRAILINGSPACE(a_chk->data);
10690	if (space > (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD)) {
10691		space = (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD);
10692	}
10693	limit = mtod(a_chk->data, caddr_t);
10694	limit += space;
10695
10696	flags = 0;
10697
10698	if ((asoc->sctp_cmt_on_off > 0) &&
10699	    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
10700		/*-
10701		 * CMT DAC algorithm: If 2 (i.e., 0x10) packets have been
10702		 * received, then set high bit to 1, else 0. Reset
10703		 * pkts_rcvd.
10704		 */
10705		flags |= (asoc->cmt_dac_pkts_rcvd << 6);
10706		asoc->cmt_dac_pkts_rcvd = 0;
10707	}
10708#ifdef SCTP_ASOCLOG_OF_TSNS
10709	stcb->asoc.cumack_logsnt[stcb->asoc.cumack_log_atsnt] = asoc->cumulative_tsn;
10710	stcb->asoc.cumack_log_atsnt++;
10711	if (stcb->asoc.cumack_log_atsnt >= SCTP_TSN_LOG_SIZE) {
10712		stcb->asoc.cumack_log_atsnt = 0;
10713	}
10714#endif
10715	/* reset the readers interpretation */
10716	stcb->freed_by_sorcv_sincelast = 0;
10717
10718	if (type == SCTP_SELECTIVE_ACK) {
10719		sack = mtod(a_chk->data, struct sctp_sack_chunk *);
10720		nr_sack = NULL;
10721		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)sack + sizeof(struct sctp_sack_chunk));
10722		if (highest_tsn > asoc->mapping_array_base_tsn) {
10723			siz = (((highest_tsn - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10724		} else {
10725			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + highest_tsn + 7) / 8;
10726		}
10727	} else {
10728		sack = NULL;
10729		nr_sack = mtod(a_chk->data, struct sctp_nr_sack_chunk *);
10730		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)nr_sack + sizeof(struct sctp_nr_sack_chunk));
10731		if (asoc->highest_tsn_inside_map > asoc->mapping_array_base_tsn) {
10732			siz = (((asoc->highest_tsn_inside_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10733		} else {
10734			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_map + 7) / 8;
10735		}
10736	}
10737
10738	if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10739		offset = 1;
10740	} else {
10741		offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10742	}
10743	if (((type == SCTP_SELECTIVE_ACK) &&
10744	    SCTP_TSN_GT(highest_tsn, asoc->cumulative_tsn)) ||
10745	    ((type == SCTP_NR_SELECTIVE_ACK) &&
10746	    SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->cumulative_tsn))) {
10747		/* we have a gap .. maybe */
10748		for (i = 0; i < siz; i++) {
10749			tsn_map = asoc->mapping_array[i];
10750			if (type == SCTP_SELECTIVE_ACK) {
10751				tsn_map |= asoc->nr_mapping_array[i];
10752			}
10753			if (i == 0) {
10754				/*
10755				 * Clear all bits corresponding to TSNs
10756				 * smaller or equal to the cumulative TSN.
10757				 */
10758				tsn_map &= (~0U << (1 - offset));
10759			}
10760			selector = &sack_array[tsn_map];
10761			if (mergeable && selector->right_edge) {
10762				/*
10763				 * Backup, left and right edges were ok to
10764				 * merge.
10765				 */
10766				num_gap_blocks--;
10767				gap_descriptor--;
10768			}
10769			if (selector->num_entries == 0)
10770				mergeable = 0;
10771			else {
10772				for (j = 0; j < selector->num_entries; j++) {
10773					if (mergeable && selector->right_edge) {
10774						/*
10775						 * do a merge by NOT setting
10776						 * the left side
10777						 */
10778						mergeable = 0;
10779					} else {
10780						/*
10781						 * no merge, set the left
10782						 * side
10783						 */
10784						mergeable = 0;
10785						gap_descriptor->start = htons((selector->gaps[j].start + offset));
10786					}
10787					gap_descriptor->end = htons((selector->gaps[j].end + offset));
10788					num_gap_blocks++;
10789					gap_descriptor++;
10790					if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10791						/* no more room */
10792						limit_reached = 1;
10793						break;
10794					}
10795				}
10796				if (selector->left_edge) {
10797					mergeable = 1;
10798				}
10799			}
10800			if (limit_reached) {
10801				/* Reached the limit stop */
10802				break;
10803			}
10804			offset += 8;
10805		}
10806	}
10807	if ((type == SCTP_NR_SELECTIVE_ACK) &&
10808	    (limit_reached == 0)) {
10809		mergeable = 0;
10810
10811		if (asoc->highest_tsn_inside_nr_map > asoc->mapping_array_base_tsn) {
10812			siz = (((asoc->highest_tsn_inside_nr_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10813		} else {
10814			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_nr_map + 7) / 8;
10815		}
10816
10817		if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10818			offset = 1;
10819		} else {
10820			offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10821		}
10822		if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->cumulative_tsn)) {
10823			/* we have a gap .. maybe */
10824			for (i = 0; i < siz; i++) {
10825				tsn_map = asoc->nr_mapping_array[i];
10826				if (i == 0) {
10827					/*
10828					 * Clear all bits corresponding to
10829					 * TSNs smaller or equal to the
10830					 * cumulative TSN.
10831					 */
10832					tsn_map &= (~0U << (1 - offset));
10833				}
10834				selector = &sack_array[tsn_map];
10835				if (mergeable && selector->right_edge) {
10836					/*
10837					 * Backup, left and right edges were
10838					 * ok to merge.
10839					 */
10840					num_nr_gap_blocks--;
10841					gap_descriptor--;
10842				}
10843				if (selector->num_entries == 0)
10844					mergeable = 0;
10845				else {
10846					for (j = 0; j < selector->num_entries; j++) {
10847						if (mergeable && selector->right_edge) {
10848							/*
10849							 * do a merge by NOT
10850							 * setting the left
10851							 * side
10852							 */
10853							mergeable = 0;
10854						} else {
10855							/*
10856							 * no merge, set the
10857							 * left side
10858							 */
10859							mergeable = 0;
10860							gap_descriptor->start = htons((selector->gaps[j].start + offset));
10861						}
10862						gap_descriptor->end = htons((selector->gaps[j].end + offset));
10863						num_nr_gap_blocks++;
10864						gap_descriptor++;
10865						if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10866							/* no more room */
10867							limit_reached = 1;
10868							break;
10869						}
10870					}
10871					if (selector->left_edge) {
10872						mergeable = 1;
10873					}
10874				}
10875				if (limit_reached) {
10876					/* Reached the limit stop */
10877					break;
10878				}
10879				offset += 8;
10880			}
10881		}
10882	}
10883	/* now we must add any dups we are going to report. */
10884	if ((limit_reached == 0) && (asoc->numduptsns)) {
10885		dup = (uint32_t *)gap_descriptor;
10886		for (i = 0; i < asoc->numduptsns; i++) {
10887			*dup = htonl(asoc->dup_tsns[i]);
10888			dup++;
10889			num_dups++;
10890			if (((caddr_t)dup + sizeof(uint32_t)) > limit) {
10891				/* no more room */
10892				break;
10893			}
10894		}
10895		asoc->numduptsns = 0;
10896	}
10897	/*
10898	 * now that the chunk is prepared queue it to the control chunk
10899	 * queue.
10900	 */
10901	if (type == SCTP_SELECTIVE_ACK) {
10902		a_chk->send_size = (uint16_t)(sizeof(struct sctp_sack_chunk) +
10903		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10904		    num_dups * sizeof(int32_t));
10905		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10906		sack->sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10907		sack->sack.a_rwnd = htonl(asoc->my_rwnd);
10908		sack->sack.num_gap_ack_blks = htons(num_gap_blocks);
10909		sack->sack.num_dup_tsns = htons(num_dups);
10910		sack->ch.chunk_type = type;
10911		sack->ch.chunk_flags = flags;
10912		sack->ch.chunk_length = htons(a_chk->send_size);
10913	} else {
10914		a_chk->send_size = (uint16_t)(sizeof(struct sctp_nr_sack_chunk) +
10915		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10916		    num_dups * sizeof(int32_t));
10917		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10918		nr_sack->nr_sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10919		nr_sack->nr_sack.a_rwnd = htonl(asoc->my_rwnd);
10920		nr_sack->nr_sack.num_gap_ack_blks = htons(num_gap_blocks);
10921		nr_sack->nr_sack.num_nr_gap_ack_blks = htons(num_nr_gap_blocks);
10922		nr_sack->nr_sack.num_dup_tsns = htons(num_dups);
10923		nr_sack->nr_sack.reserved = 0;
10924		nr_sack->ch.chunk_type = type;
10925		nr_sack->ch.chunk_flags = flags;
10926		nr_sack->ch.chunk_length = htons(a_chk->send_size);
10927	}
10928	TAILQ_INSERT_TAIL(&asoc->control_send_queue, a_chk, sctp_next);
10929	asoc->my_last_reported_rwnd = asoc->my_rwnd;
10930	asoc->ctrl_queue_cnt++;
10931	asoc->send_sack = 0;
10932	SCTP_STAT_INCR(sctps_sendsacks);
10933	return;
10934}
10935
10936void
10937sctp_send_abort_tcb(struct sctp_tcb *stcb, struct mbuf *operr, int so_locked)
10938{
10939	struct mbuf *m_abort, *m, *m_last;
10940	struct mbuf *m_out, *m_end = NULL;
10941	struct sctp_abort_chunk *abort;
10942	struct sctp_auth_chunk *auth = NULL;
10943	struct sctp_nets *net;
10944	uint32_t vtag;
10945	uint32_t auth_offset = 0;
10946	int error;
10947	uint16_t cause_len, chunk_len, padding_len;
10948	bool use_zero_crc;
10949
10950	SCTP_TCB_LOCK_ASSERT(stcb);
10951	/*-
10952	 * Add an AUTH chunk, if chunk requires it and save the offset into
10953	 * the chain for AUTH
10954	 */
10955	if (sctp_auth_is_required_chunk(SCTP_ABORT_ASSOCIATION,
10956	    stcb->asoc.peer_auth_chunks)) {
10957		m_out = sctp_add_auth_chunk(NULL, &m_end, &auth, &auth_offset,
10958		    stcb, SCTP_ABORT_ASSOCIATION);
10959		SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10960	} else {
10961		m_out = NULL;
10962	}
10963	switch (stcb->asoc.snd_edmid) {
10964	case SCTP_EDMID_LOWER_LAYER_DTLS:
10965		use_zero_crc = true;
10966		break;
10967	default:
10968		use_zero_crc = false;
10969		break;
10970	}
10971	m_abort = sctp_get_mbuf_for_msg(sizeof(struct sctp_abort_chunk), 0, M_NOWAIT, 1, MT_HEADER);
10972	if (m_abort == NULL) {
10973		if (m_out) {
10974			sctp_m_freem(m_out);
10975		}
10976		if (operr) {
10977			sctp_m_freem(operr);
10978		}
10979		return;
10980	}
10981	/* link in any error */
10982	SCTP_BUF_NEXT(m_abort) = operr;
10983	cause_len = 0;
10984	m_last = NULL;
10985	for (m = operr; m; m = SCTP_BUF_NEXT(m)) {
10986		cause_len += (uint16_t)SCTP_BUF_LEN(m);
10987		if (SCTP_BUF_NEXT(m) == NULL) {
10988			m_last = m;
10989		}
10990	}
10991	SCTP_BUF_LEN(m_abort) = sizeof(struct sctp_abort_chunk);
10992	chunk_len = (uint16_t)sizeof(struct sctp_abort_chunk) + cause_len;
10993	padding_len = SCTP_SIZE32(chunk_len) - chunk_len;
10994	if (m_out == NULL) {
10995		/* NO Auth chunk prepended, so reserve space in front */
10996		SCTP_BUF_RESV_UF(m_abort, SCTP_MIN_OVERHEAD);
10997		m_out = m_abort;
10998	} else {
10999		/* Put AUTH chunk at the front of the chain */
11000		SCTP_BUF_NEXT(m_end) = m_abort;
11001	}
11002	if (stcb->asoc.alternate) {
11003		net = stcb->asoc.alternate;
11004	} else {
11005		net = stcb->asoc.primary_destination;
11006	}
11007	/* Fill in the ABORT chunk header. */
11008	abort = mtod(m_abort, struct sctp_abort_chunk *);
11009	abort->ch.chunk_type = SCTP_ABORT_ASSOCIATION;
11010	if (stcb->asoc.peer_vtag == 0) {
11011		/* This happens iff the assoc is in COOKIE-WAIT state. */
11012		vtag = stcb->asoc.my_vtag;
11013		abort->ch.chunk_flags = SCTP_HAD_NO_TCB;
11014	} else {
11015		vtag = stcb->asoc.peer_vtag;
11016		abort->ch.chunk_flags = 0;
11017	}
11018	abort->ch.chunk_length = htons(chunk_len);
11019	/* Add padding, if necessary. */
11020	if (padding_len > 0) {
11021		if ((m_last == NULL) ||
11022		    (sctp_add_pad_tombuf(m_last, padding_len) == NULL)) {
11023			sctp_m_freem(m_out);
11024			return;
11025		}
11026	}
11027	if ((error = sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
11028	    (struct sockaddr *)&net->ro._l_addr,
11029	    m_out, auth_offset, auth, stcb->asoc.authinfo.active_keyid, 1, 0, 0,
11030	    stcb->sctp_ep->sctp_lport, stcb->rport, htonl(vtag),
11031	    stcb->asoc.primary_destination->port, NULL,
11032	    0, 0,
11033	    use_zero_crc,
11034	    so_locked))) {
11035		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
11036		if (error == ENOBUFS) {
11037			stcb->asoc.ifp_had_enobuf = 1;
11038			SCTP_STAT_INCR(sctps_lowlevelerr);
11039		}
11040	} else {
11041		stcb->asoc.ifp_had_enobuf = 0;
11042	}
11043	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11044}
11045
11046void
11047sctp_send_shutdown_complete(struct sctp_tcb *stcb,
11048    struct sctp_nets *net,
11049    int reflect_vtag)
11050{
11051	/* formulate and SEND a SHUTDOWN-COMPLETE */
11052	struct mbuf *m_shutdown_comp;
11053	struct sctp_shutdown_complete_chunk *shutdown_complete;
11054	uint32_t vtag;
11055	int error;
11056	uint8_t flags;
11057	bool use_zero_crc;
11058
11059	m_shutdown_comp = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
11060	if (m_shutdown_comp == NULL) {
11061		/* no mbuf's */
11062		return;
11063	}
11064	if (reflect_vtag) {
11065		flags = SCTP_HAD_NO_TCB;
11066		vtag = stcb->asoc.my_vtag;
11067	} else {
11068		flags = 0;
11069		vtag = stcb->asoc.peer_vtag;
11070	}
11071	switch (stcb->asoc.snd_edmid) {
11072	case SCTP_EDMID_LOWER_LAYER_DTLS:
11073		use_zero_crc = true;
11074		break;
11075	default:
11076		use_zero_crc = false;
11077		break;
11078	}
11079	shutdown_complete = mtod(m_shutdown_comp, struct sctp_shutdown_complete_chunk *);
11080	shutdown_complete->ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
11081	shutdown_complete->ch.chunk_flags = flags;
11082	shutdown_complete->ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
11083	SCTP_BUF_LEN(m_shutdown_comp) = sizeof(struct sctp_shutdown_complete_chunk);
11084	if ((error = sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
11085	    (struct sockaddr *)&net->ro._l_addr,
11086	    m_shutdown_comp, 0, NULL, 0, 1, 0, 0,
11087	    stcb->sctp_ep->sctp_lport, stcb->rport,
11088	    htonl(vtag),
11089	    net->port, NULL,
11090	    0, 0,
11091	    use_zero_crc,
11092	    SCTP_SO_NOT_LOCKED))) {
11093		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
11094		if (error == ENOBUFS) {
11095			stcb->asoc.ifp_had_enobuf = 1;
11096			SCTP_STAT_INCR(sctps_lowlevelerr);
11097		}
11098	} else {
11099		stcb->asoc.ifp_had_enobuf = 0;
11100	}
11101	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11102	return;
11103}
11104
11105static void
11106sctp_send_resp_msg(struct sockaddr *src, struct sockaddr *dst,
11107    struct sctphdr *sh, uint32_t vtag,
11108    uint8_t type, struct mbuf *cause,
11109    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
11110    uint32_t vrf_id, uint16_t port)
11111{
11112	struct mbuf *o_pak;
11113	struct mbuf *mout;
11114	struct sctphdr *shout;
11115	struct sctp_chunkhdr *ch;
11116#if defined(INET) || defined(INET6)
11117	struct udphdr *udp;
11118#endif
11119	int ret, len, cause_len, padding_len;
11120#ifdef INET
11121	struct sockaddr_in *src_sin, *dst_sin;
11122	struct ip *ip;
11123#endif
11124#ifdef INET6
11125	struct sockaddr_in6 *src_sin6, *dst_sin6;
11126	struct ip6_hdr *ip6;
11127#endif
11128
11129	/* Compute the length of the cause and add final padding. */
11130	cause_len = 0;
11131	if (cause != NULL) {
11132		struct mbuf *m_at, *m_last = NULL;
11133
11134		for (m_at = cause; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
11135			if (SCTP_BUF_NEXT(m_at) == NULL)
11136				m_last = m_at;
11137			cause_len += SCTP_BUF_LEN(m_at);
11138		}
11139		padding_len = cause_len % 4;
11140		if (padding_len != 0) {
11141			padding_len = 4 - padding_len;
11142		}
11143		if (padding_len != 0) {
11144			if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
11145				sctp_m_freem(cause);
11146				return;
11147			}
11148		}
11149	} else {
11150		padding_len = 0;
11151	}
11152	/* Get an mbuf for the header. */
11153	len = sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
11154	switch (dst->sa_family) {
11155#ifdef INET
11156	case AF_INET:
11157		len += sizeof(struct ip);
11158		break;
11159#endif
11160#ifdef INET6
11161	case AF_INET6:
11162		len += sizeof(struct ip6_hdr);
11163		break;
11164#endif
11165	default:
11166		break;
11167	}
11168#if defined(INET) || defined(INET6)
11169	if (port) {
11170		len += sizeof(struct udphdr);
11171	}
11172#endif
11173	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_NOWAIT, 1, MT_DATA);
11174	if (mout == NULL) {
11175		if (cause) {
11176			sctp_m_freem(cause);
11177		}
11178		return;
11179	}
11180	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11181	SCTP_BUF_LEN(mout) = len;
11182	SCTP_BUF_NEXT(mout) = cause;
11183	M_SETFIB(mout, fibnum);
11184	mout->m_pkthdr.flowid = mflowid;
11185	M_HASHTYPE_SET(mout, mflowtype);
11186#ifdef INET
11187	ip = NULL;
11188#endif
11189#ifdef INET6
11190	ip6 = NULL;
11191#endif
11192	switch (dst->sa_family) {
11193#ifdef INET
11194	case AF_INET:
11195		src_sin = (struct sockaddr_in *)src;
11196		dst_sin = (struct sockaddr_in *)dst;
11197		ip = mtod(mout, struct ip *);
11198		ip->ip_v = IPVERSION;
11199		ip->ip_hl = (sizeof(struct ip) >> 2);
11200		ip->ip_tos = 0;
11201		ip->ip_off = htons(IP_DF);
11202		ip_fillid(ip);
11203		ip->ip_ttl = MODULE_GLOBAL(ip_defttl);
11204		if (port) {
11205			ip->ip_p = IPPROTO_UDP;
11206		} else {
11207			ip->ip_p = IPPROTO_SCTP;
11208		}
11209		ip->ip_src.s_addr = dst_sin->sin_addr.s_addr;
11210		ip->ip_dst.s_addr = src_sin->sin_addr.s_addr;
11211		ip->ip_sum = 0;
11212		len = sizeof(struct ip);
11213		shout = (struct sctphdr *)((caddr_t)ip + len);
11214		break;
11215#endif
11216#ifdef INET6
11217	case AF_INET6:
11218		src_sin6 = (struct sockaddr_in6 *)src;
11219		dst_sin6 = (struct sockaddr_in6 *)dst;
11220		ip6 = mtod(mout, struct ip6_hdr *);
11221		ip6->ip6_flow = htonl(0x60000000);
11222		if (V_ip6_auto_flowlabel) {
11223			ip6->ip6_flow |= (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
11224		}
11225		ip6->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11226		if (port) {
11227			ip6->ip6_nxt = IPPROTO_UDP;
11228		} else {
11229			ip6->ip6_nxt = IPPROTO_SCTP;
11230		}
11231		ip6->ip6_src = dst_sin6->sin6_addr;
11232		ip6->ip6_dst = src_sin6->sin6_addr;
11233		len = sizeof(struct ip6_hdr);
11234		shout = (struct sctphdr *)((caddr_t)ip6 + len);
11235		break;
11236#endif
11237	default:
11238		len = 0;
11239		shout = mtod(mout, struct sctphdr *);
11240		break;
11241	}
11242#if defined(INET) || defined(INET6)
11243	if (port) {
11244		if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
11245			sctp_m_freem(mout);
11246			return;
11247		}
11248		udp = (struct udphdr *)shout;
11249		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11250		udp->uh_dport = port;
11251		udp->uh_sum = 0;
11252		udp->uh_ulen = htons((uint16_t)(sizeof(struct udphdr) +
11253		    sizeof(struct sctphdr) +
11254		    sizeof(struct sctp_chunkhdr) +
11255		    cause_len + padding_len));
11256		len += sizeof(struct udphdr);
11257		shout = (struct sctphdr *)((caddr_t)shout + sizeof(struct udphdr));
11258	} else {
11259		udp = NULL;
11260	}
11261#endif
11262	shout->src_port = sh->dest_port;
11263	shout->dest_port = sh->src_port;
11264	shout->checksum = 0;
11265	if (vtag) {
11266		shout->v_tag = htonl(vtag);
11267	} else {
11268		shout->v_tag = sh->v_tag;
11269	}
11270	len += sizeof(struct sctphdr);
11271	ch = (struct sctp_chunkhdr *)((caddr_t)shout + sizeof(struct sctphdr));
11272	ch->chunk_type = type;
11273	if (vtag) {
11274		ch->chunk_flags = 0;
11275	} else {
11276		ch->chunk_flags = SCTP_HAD_NO_TCB;
11277	}
11278	ch->chunk_length = htons((uint16_t)(sizeof(struct sctp_chunkhdr) + cause_len));
11279	len += sizeof(struct sctp_chunkhdr);
11280	len += cause_len + padding_len;
11281
11282	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11283		sctp_m_freem(mout);
11284		return;
11285	}
11286	SCTP_ATTACH_CHAIN(o_pak, mout, len);
11287	switch (dst->sa_family) {
11288#ifdef INET
11289	case AF_INET:
11290		if (port) {
11291			if (V_udp_cksum) {
11292				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11293			} else {
11294				udp->uh_sum = 0;
11295			}
11296		}
11297		ip->ip_len = htons(len);
11298		if (port) {
11299			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip) + sizeof(struct udphdr));
11300			SCTP_STAT_INCR(sctps_sendswcrc);
11301			if (V_udp_cksum) {
11302				SCTP_ENABLE_UDP_CSUM(o_pak);
11303			}
11304		} else {
11305			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11306			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11307			SCTP_STAT_INCR(sctps_sendhwcrc);
11308		}
11309#ifdef SCTP_PACKET_LOGGING
11310		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11311			sctp_packet_log(o_pak);
11312		}
11313#endif
11314		SCTP_PROBE5(send, NULL, NULL, ip, NULL, shout);
11315		SCTP_IP_OUTPUT(ret, o_pak, NULL, NULL, vrf_id);
11316		break;
11317#endif
11318#ifdef INET6
11319	case AF_INET6:
11320		ip6->ip6_plen = htons((uint16_t)(len - sizeof(struct ip6_hdr)));
11321		if (port) {
11322			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11323			SCTP_STAT_INCR(sctps_sendswcrc);
11324			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11325				udp->uh_sum = 0xffff;
11326			}
11327		} else {
11328			mout->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
11329			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11330			SCTP_STAT_INCR(sctps_sendhwcrc);
11331		}
11332#ifdef SCTP_PACKET_LOGGING
11333		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11334			sctp_packet_log(o_pak);
11335		}
11336#endif
11337		SCTP_PROBE5(send, NULL, NULL, ip6, NULL, shout);
11338		SCTP_IP6_OUTPUT(ret, o_pak, NULL, NULL, NULL, vrf_id);
11339		break;
11340#endif
11341	default:
11342		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
11343		    dst->sa_family);
11344		sctp_m_freem(mout);
11345		SCTP_LTRACE_ERR_RET_PKT(mout, NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
11346		return;
11347	}
11348	SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
11349	if (port) {
11350		UDPSTAT_INC(udps_opackets);
11351	}
11352	SCTP_STAT_INCR(sctps_sendpackets);
11353	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11354	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11355	if (ret) {
11356		SCTP_STAT_INCR(sctps_senderrors);
11357	}
11358	return;
11359}
11360
11361void
11362sctp_send_shutdown_complete2(struct sockaddr *src, struct sockaddr *dst,
11363    struct sctphdr *sh,
11364    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
11365    uint32_t vrf_id, uint16_t port)
11366{
11367	sctp_send_resp_msg(src, dst, sh, 0, SCTP_SHUTDOWN_COMPLETE, NULL,
11368	    mflowtype, mflowid, fibnum,
11369	    vrf_id, port);
11370}
11371
11372void
11373sctp_send_hb(struct sctp_tcb *stcb, struct sctp_nets *net, int so_locked)
11374{
11375	struct sctp_tmit_chunk *chk;
11376	struct sctp_heartbeat_chunk *hb;
11377	struct timeval now;
11378
11379	SCTP_TCB_LOCK_ASSERT(stcb);
11380	if (net == NULL) {
11381		return;
11382	}
11383	(void)SCTP_GETTIME_TIMEVAL(&now);
11384	switch (net->ro._l_addr.sa.sa_family) {
11385#ifdef INET
11386	case AF_INET:
11387		break;
11388#endif
11389#ifdef INET6
11390	case AF_INET6:
11391		break;
11392#endif
11393	default:
11394		return;
11395	}
11396	sctp_alloc_a_chunk(stcb, chk);
11397	if (chk == NULL) {
11398		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak, can't get a chunk for hb\n");
11399		return;
11400	}
11401
11402	chk->copy_by_ref = 0;
11403	chk->rec.chunk_id.id = SCTP_HEARTBEAT_REQUEST;
11404	chk->rec.chunk_id.can_take_data = 1;
11405	chk->flags = 0;
11406	chk->asoc = &stcb->asoc;
11407	chk->send_size = sizeof(struct sctp_heartbeat_chunk);
11408
11409	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11410	if (chk->data == NULL) {
11411		sctp_free_a_chunk(stcb, chk, so_locked);
11412		return;
11413	}
11414	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11415	SCTP_BUF_LEN(chk->data) = chk->send_size;
11416	chk->sent = SCTP_DATAGRAM_UNSENT;
11417	chk->snd_count = 0;
11418	chk->whoTo = net;
11419	atomic_add_int(&chk->whoTo->ref_count, 1);
11420	/* Now we have a mbuf that we can fill in with the details */
11421	hb = mtod(chk->data, struct sctp_heartbeat_chunk *);
11422	memset(hb, 0, sizeof(struct sctp_heartbeat_chunk));
11423	/* fill out chunk header */
11424	hb->ch.chunk_type = SCTP_HEARTBEAT_REQUEST;
11425	hb->ch.chunk_flags = 0;
11426	hb->ch.chunk_length = htons(chk->send_size);
11427	/* Fill out hb parameter */
11428	hb->heartbeat.hb_info.ph.param_type = htons(SCTP_HEARTBEAT_INFO);
11429	hb->heartbeat.hb_info.ph.param_length = htons(sizeof(struct sctp_heartbeat_info_param));
11430	hb->heartbeat.hb_info.time_value_1 = now.tv_sec;
11431	hb->heartbeat.hb_info.time_value_2 = now.tv_usec;
11432	/* Did our user request this one, put it in */
11433	hb->heartbeat.hb_info.addr_family = (uint8_t)net->ro._l_addr.sa.sa_family;
11434	hb->heartbeat.hb_info.addr_len = net->ro._l_addr.sa.sa_len;
11435	if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
11436		/*
11437		 * we only take from the entropy pool if the address is not
11438		 * confirmed.
11439		 */
11440		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11441		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11442	} else {
11443		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = 0;
11444		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = 0;
11445	}
11446	switch (net->ro._l_addr.sa.sa_family) {
11447#ifdef INET
11448	case AF_INET:
11449		memcpy(hb->heartbeat.hb_info.address,
11450		    &net->ro._l_addr.sin.sin_addr,
11451		    sizeof(net->ro._l_addr.sin.sin_addr));
11452		break;
11453#endif
11454#ifdef INET6
11455	case AF_INET6:
11456		memcpy(hb->heartbeat.hb_info.address,
11457		    &net->ro._l_addr.sin6.sin6_addr,
11458		    sizeof(net->ro._l_addr.sin6.sin6_addr));
11459		break;
11460#endif
11461	default:
11462		if (chk->data) {
11463			sctp_m_freem(chk->data);
11464			chk->data = NULL;
11465		}
11466		sctp_free_a_chunk(stcb, chk, so_locked);
11467		return;
11468		break;
11469	}
11470	net->hb_responded = 0;
11471	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11472	stcb->asoc.ctrl_queue_cnt++;
11473	SCTP_STAT_INCR(sctps_sendheartbeat);
11474	return;
11475}
11476
11477void
11478sctp_send_ecn_echo(struct sctp_tcb *stcb, struct sctp_nets *net,
11479    uint32_t high_tsn)
11480{
11481	struct sctp_association *asoc;
11482	struct sctp_ecne_chunk *ecne;
11483	struct sctp_tmit_chunk *chk;
11484
11485	if (net == NULL) {
11486		return;
11487	}
11488	asoc = &stcb->asoc;
11489	SCTP_TCB_LOCK_ASSERT(stcb);
11490	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11491		if ((chk->rec.chunk_id.id == SCTP_ECN_ECHO) && (net == chk->whoTo)) {
11492			/* found a previous ECN_ECHO update it if needed */
11493			uint32_t cnt, ctsn;
11494
11495			ecne = mtod(chk->data, struct sctp_ecne_chunk *);
11496			ctsn = ntohl(ecne->tsn);
11497			if (SCTP_TSN_GT(high_tsn, ctsn)) {
11498				ecne->tsn = htonl(high_tsn);
11499				SCTP_STAT_INCR(sctps_queue_upd_ecne);
11500			}
11501			cnt = ntohl(ecne->num_pkts_since_cwr);
11502			cnt++;
11503			ecne->num_pkts_since_cwr = htonl(cnt);
11504			return;
11505		}
11506	}
11507	/* nope could not find one to update so we must build one */
11508	sctp_alloc_a_chunk(stcb, chk);
11509	if (chk == NULL) {
11510		return;
11511	}
11512	SCTP_STAT_INCR(sctps_queue_upd_ecne);
11513	chk->copy_by_ref = 0;
11514	chk->rec.chunk_id.id = SCTP_ECN_ECHO;
11515	chk->rec.chunk_id.can_take_data = 0;
11516	chk->flags = 0;
11517	chk->asoc = &stcb->asoc;
11518	chk->send_size = sizeof(struct sctp_ecne_chunk);
11519	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11520	if (chk->data == NULL) {
11521		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11522		return;
11523	}
11524	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11525	SCTP_BUF_LEN(chk->data) = chk->send_size;
11526	chk->sent = SCTP_DATAGRAM_UNSENT;
11527	chk->snd_count = 0;
11528	chk->whoTo = net;
11529	atomic_add_int(&chk->whoTo->ref_count, 1);
11530
11531	stcb->asoc.ecn_echo_cnt_onq++;
11532	ecne = mtod(chk->data, struct sctp_ecne_chunk *);
11533	ecne->ch.chunk_type = SCTP_ECN_ECHO;
11534	ecne->ch.chunk_flags = 0;
11535	ecne->ch.chunk_length = htons(sizeof(struct sctp_ecne_chunk));
11536	ecne->tsn = htonl(high_tsn);
11537	ecne->num_pkts_since_cwr = htonl(1);
11538	TAILQ_INSERT_HEAD(&stcb->asoc.control_send_queue, chk, sctp_next);
11539	asoc->ctrl_queue_cnt++;
11540}
11541
11542void
11543sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
11544    struct mbuf *m, int len, int iphlen, int bad_crc)
11545{
11546	struct sctp_association *asoc;
11547	struct sctp_pktdrop_chunk *drp;
11548	struct sctp_tmit_chunk *chk;
11549	uint8_t *datap;
11550	int was_trunc = 0;
11551	int fullsz = 0;
11552	long spc;
11553	int offset;
11554	struct sctp_chunkhdr *ch, chunk_buf;
11555	unsigned int chk_length;
11556
11557	if (!stcb) {
11558		return;
11559	}
11560	asoc = &stcb->asoc;
11561	SCTP_TCB_LOCK_ASSERT(stcb);
11562	if (asoc->pktdrop_supported == 0) {
11563		/*-
11564		 * peer must declare support before I send one.
11565		 */
11566		return;
11567	}
11568	if (stcb->sctp_socket == NULL) {
11569		return;
11570	}
11571	sctp_alloc_a_chunk(stcb, chk);
11572	if (chk == NULL) {
11573		return;
11574	}
11575	chk->copy_by_ref = 0;
11576	chk->rec.chunk_id.id = SCTP_PACKET_DROPPED;
11577	chk->rec.chunk_id.can_take_data = 1;
11578	chk->flags = 0;
11579	len -= iphlen;
11580	chk->send_size = len;
11581	/* Validate that we do not have an ABORT in here. */
11582	offset = iphlen + sizeof(struct sctphdr);
11583	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
11584	    sizeof(*ch), (uint8_t *)&chunk_buf);
11585	while (ch != NULL) {
11586		chk_length = ntohs(ch->chunk_length);
11587		if (chk_length < sizeof(*ch)) {
11588			/* break to abort land */
11589			break;
11590		}
11591		switch (ch->chunk_type) {
11592		case SCTP_PACKET_DROPPED:
11593		case SCTP_ABORT_ASSOCIATION:
11594		case SCTP_INITIATION_ACK:
11595			/**
11596			 * We don't respond with an PKT-DROP to an ABORT
11597			 * or PKT-DROP. We also do not respond to an
11598			 * INIT-ACK, because we can't know if the initiation
11599			 * tag is correct or not.
11600			 */
11601			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11602			return;
11603		default:
11604			break;
11605		}
11606		offset += SCTP_SIZE32(chk_length);
11607		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
11608		    sizeof(*ch), (uint8_t *)&chunk_buf);
11609	}
11610
11611	if ((len + SCTP_MAX_OVERHEAD + sizeof(struct sctp_pktdrop_chunk)) >
11612	    min(stcb->asoc.smallest_mtu, MCLBYTES)) {
11613		/*
11614		 * only send 1 mtu worth, trim off the excess on the end.
11615		 */
11616		fullsz = len;
11617		len = min(stcb->asoc.smallest_mtu, MCLBYTES) - SCTP_MAX_OVERHEAD;
11618		was_trunc = 1;
11619	}
11620	chk->asoc = &stcb->asoc;
11621	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
11622	if (chk->data == NULL) {
11623jump_out:
11624		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11625		return;
11626	}
11627	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11628	drp = mtod(chk->data, struct sctp_pktdrop_chunk *);
11629	if (drp == NULL) {
11630		sctp_m_freem(chk->data);
11631		chk->data = NULL;
11632		goto jump_out;
11633	}
11634	chk->book_size = SCTP_SIZE32((chk->send_size + sizeof(struct sctp_pktdrop_chunk) +
11635	    sizeof(struct sctphdr) + SCTP_MED_OVERHEAD));
11636	chk->book_size_scale = 0;
11637	if (was_trunc) {
11638		drp->ch.chunk_flags = SCTP_PACKET_TRUNCATED;
11639		drp->trunc_len = htons(fullsz);
11640		/*
11641		 * Len is already adjusted to size minus overhead above take
11642		 * out the pkt_drop chunk itself from it.
11643		 */
11644		chk->send_size = (uint16_t)(len - sizeof(struct sctp_pktdrop_chunk));
11645		len = chk->send_size;
11646	} else {
11647		/* no truncation needed */
11648		drp->ch.chunk_flags = 0;
11649		drp->trunc_len = htons(0);
11650	}
11651	if (bad_crc) {
11652		drp->ch.chunk_flags |= SCTP_BADCRC;
11653	}
11654	chk->send_size += sizeof(struct sctp_pktdrop_chunk);
11655	SCTP_BUF_LEN(chk->data) = chk->send_size;
11656	chk->sent = SCTP_DATAGRAM_UNSENT;
11657	chk->snd_count = 0;
11658	if (net) {
11659		/* we should hit here */
11660		chk->whoTo = net;
11661		atomic_add_int(&chk->whoTo->ref_count, 1);
11662	} else {
11663		chk->whoTo = NULL;
11664	}
11665	drp->ch.chunk_type = SCTP_PACKET_DROPPED;
11666	drp->ch.chunk_length = htons(chk->send_size);
11667	spc = SCTP_SB_LIMIT_RCV(stcb->sctp_socket);
11668	if (spc < 0) {
11669		spc = 0;
11670	}
11671	drp->bottle_bw = htonl(spc);
11672	if (asoc->my_rwnd) {
11673		drp->current_onq = htonl(asoc->size_on_reasm_queue +
11674		    asoc->size_on_all_streams +
11675		    asoc->my_rwnd_control_len +
11676		    SCTP_SBAVAIL(&stcb->sctp_socket->so_rcv));
11677	} else {
11678		/*-
11679		 * If my rwnd is 0, possibly from mbuf depletion as well as
11680		 * space used, tell the peer there is NO space aka onq == bw
11681		 */
11682		drp->current_onq = htonl(spc);
11683	}
11684	drp->reserved = 0;
11685	datap = drp->data;
11686	m_copydata(m, iphlen, len, (caddr_t)datap);
11687	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11688	asoc->ctrl_queue_cnt++;
11689}
11690
11691void
11692sctp_send_cwr(struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t high_tsn, uint8_t override)
11693{
11694	struct sctp_association *asoc;
11695	struct sctp_cwr_chunk *cwr;
11696	struct sctp_tmit_chunk *chk;
11697
11698	SCTP_TCB_LOCK_ASSERT(stcb);
11699	if (net == NULL) {
11700		return;
11701	}
11702	asoc = &stcb->asoc;
11703	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11704		if ((chk->rec.chunk_id.id == SCTP_ECN_CWR) && (net == chk->whoTo)) {
11705			/*
11706			 * found a previous CWR queued to same destination
11707			 * update it if needed
11708			 */
11709			uint32_t ctsn;
11710
11711			cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11712			ctsn = ntohl(cwr->tsn);
11713			if (SCTP_TSN_GT(high_tsn, ctsn)) {
11714				cwr->tsn = htonl(high_tsn);
11715			}
11716			if (override & SCTP_CWR_REDUCE_OVERRIDE) {
11717				/* Make sure override is carried */
11718				cwr->ch.chunk_flags |= SCTP_CWR_REDUCE_OVERRIDE;
11719			}
11720			return;
11721		}
11722	}
11723	sctp_alloc_a_chunk(stcb, chk);
11724	if (chk == NULL) {
11725		return;
11726	}
11727	chk->copy_by_ref = 0;
11728	chk->rec.chunk_id.id = SCTP_ECN_CWR;
11729	chk->rec.chunk_id.can_take_data = 1;
11730	chk->flags = 0;
11731	chk->asoc = asoc;
11732	chk->send_size = sizeof(struct sctp_cwr_chunk);
11733	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11734	if (chk->data == NULL) {
11735		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11736		return;
11737	}
11738	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11739	SCTP_BUF_LEN(chk->data) = chk->send_size;
11740	chk->sent = SCTP_DATAGRAM_UNSENT;
11741	chk->snd_count = 0;
11742	chk->whoTo = net;
11743	atomic_add_int(&chk->whoTo->ref_count, 1);
11744	cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11745	cwr->ch.chunk_type = SCTP_ECN_CWR;
11746	cwr->ch.chunk_flags = override;
11747	cwr->ch.chunk_length = htons(sizeof(struct sctp_cwr_chunk));
11748	cwr->tsn = htonl(high_tsn);
11749	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
11750	asoc->ctrl_queue_cnt++;
11751}
11752
11753static int
11754sctp_add_stream_reset_out(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
11755    uint32_t seq, uint32_t resp_seq, uint32_t last_sent)
11756{
11757	uint16_t len, old_len, i;
11758	struct sctp_stream_reset_out_request *req_out;
11759	struct sctp_chunkhdr *ch;
11760	int at;
11761	int number_entries = 0;
11762
11763	ch = mtod(chk->data, struct sctp_chunkhdr *);
11764	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11765	/* get to new offset for the param. */
11766	req_out = (struct sctp_stream_reset_out_request *)((caddr_t)ch + len);
11767	/* now how long will this param be? */
11768	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11769		if ((stcb->asoc.strmout[i].state == SCTP_STREAM_RESET_PENDING) &&
11770		    (stcb->asoc.strmout[i].chunks_on_queues == 0) &&
11771		    TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
11772			number_entries++;
11773		}
11774	}
11775	if (number_entries == 0) {
11776		return (0);
11777	}
11778	if (number_entries == stcb->asoc.streamoutcnt) {
11779		number_entries = 0;
11780	}
11781	if (number_entries > SCTP_MAX_STREAMS_AT_ONCE_RESET) {
11782		number_entries = SCTP_MAX_STREAMS_AT_ONCE_RESET;
11783	}
11784	len = (uint16_t)(sizeof(struct sctp_stream_reset_out_request) + (sizeof(uint16_t) * number_entries));
11785	req_out->ph.param_type = htons(SCTP_STR_RESET_OUT_REQUEST);
11786	req_out->ph.param_length = htons(len);
11787	req_out->request_seq = htonl(seq);
11788	req_out->response_seq = htonl(resp_seq);
11789	req_out->send_reset_at_tsn = htonl(last_sent);
11790	at = 0;
11791	if (number_entries) {
11792		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11793			if ((stcb->asoc.strmout[i].state == SCTP_STREAM_RESET_PENDING) &&
11794			    (stcb->asoc.strmout[i].chunks_on_queues == 0) &&
11795			    TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
11796				req_out->list_of_streams[at] = htons(i);
11797				at++;
11798				stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_IN_FLIGHT;
11799				if (at >= number_entries) {
11800					break;
11801				}
11802			}
11803		}
11804	} else {
11805		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11806			stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_IN_FLIGHT;
11807		}
11808	}
11809	if (SCTP_SIZE32(len) > len) {
11810		/*-
11811		 * Need to worry about the pad we may end up adding to the
11812		 * end. This is easy since the struct is either aligned to 4
11813		 * bytes or 2 bytes off.
11814		 */
11815		req_out->list_of_streams[number_entries] = 0;
11816	}
11817	/* now fix the chunk length */
11818	ch->chunk_length = htons(len + old_len);
11819	chk->book_size = len + old_len;
11820	chk->book_size_scale = 0;
11821	chk->send_size = SCTP_SIZE32(chk->book_size);
11822	SCTP_BUF_LEN(chk->data) = chk->send_size;
11823	return (1);
11824}
11825
11826static void
11827sctp_add_stream_reset_in(struct sctp_tmit_chunk *chk,
11828    int number_entries, uint16_t *list,
11829    uint32_t seq)
11830{
11831	uint16_t len, old_len, i;
11832	struct sctp_stream_reset_in_request *req_in;
11833	struct sctp_chunkhdr *ch;
11834
11835	ch = mtod(chk->data, struct sctp_chunkhdr *);
11836	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11837
11838	/* get to new offset for the param. */
11839	req_in = (struct sctp_stream_reset_in_request *)((caddr_t)ch + len);
11840	/* now how long will this param be? */
11841	len = (uint16_t)(sizeof(struct sctp_stream_reset_in_request) + (sizeof(uint16_t) * number_entries));
11842	req_in->ph.param_type = htons(SCTP_STR_RESET_IN_REQUEST);
11843	req_in->ph.param_length = htons(len);
11844	req_in->request_seq = htonl(seq);
11845	if (number_entries) {
11846		for (i = 0; i < number_entries; i++) {
11847			req_in->list_of_streams[i] = htons(list[i]);
11848		}
11849	}
11850	if (SCTP_SIZE32(len) > len) {
11851		/*-
11852		 * Need to worry about the pad we may end up adding to the
11853		 * end. This is easy since the struct is either aligned to 4
11854		 * bytes or 2 bytes off.
11855		 */
11856		req_in->list_of_streams[number_entries] = 0;
11857	}
11858	/* now fix the chunk length */
11859	ch->chunk_length = htons(len + old_len);
11860	chk->book_size = len + old_len;
11861	chk->book_size_scale = 0;
11862	chk->send_size = SCTP_SIZE32(chk->book_size);
11863	SCTP_BUF_LEN(chk->data) = chk->send_size;
11864	return;
11865}
11866
11867static void
11868sctp_add_stream_reset_tsn(struct sctp_tmit_chunk *chk,
11869    uint32_t seq)
11870{
11871	uint16_t len, old_len;
11872	struct sctp_stream_reset_tsn_request *req_tsn;
11873	struct sctp_chunkhdr *ch;
11874
11875	ch = mtod(chk->data, struct sctp_chunkhdr *);
11876	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11877
11878	/* get to new offset for the param. */
11879	req_tsn = (struct sctp_stream_reset_tsn_request *)((caddr_t)ch + len);
11880	/* now how long will this param be? */
11881	len = sizeof(struct sctp_stream_reset_tsn_request);
11882	req_tsn->ph.param_type = htons(SCTP_STR_RESET_TSN_REQUEST);
11883	req_tsn->ph.param_length = htons(len);
11884	req_tsn->request_seq = htonl(seq);
11885
11886	/* now fix the chunk length */
11887	ch->chunk_length = htons(len + old_len);
11888	chk->send_size = len + old_len;
11889	chk->book_size = SCTP_SIZE32(chk->send_size);
11890	chk->book_size_scale = 0;
11891	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11892	return;
11893}
11894
11895void
11896sctp_add_stream_reset_result(struct sctp_tmit_chunk *chk,
11897    uint32_t resp_seq, uint32_t result)
11898{
11899	uint16_t len, old_len;
11900	struct sctp_stream_reset_response *resp;
11901	struct sctp_chunkhdr *ch;
11902
11903	ch = mtod(chk->data, struct sctp_chunkhdr *);
11904	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11905
11906	/* get to new offset for the param. */
11907	resp = (struct sctp_stream_reset_response *)((caddr_t)ch + len);
11908	/* now how long will this param be? */
11909	len = sizeof(struct sctp_stream_reset_response);
11910	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11911	resp->ph.param_length = htons(len);
11912	resp->response_seq = htonl(resp_seq);
11913	resp->result = ntohl(result);
11914
11915	/* now fix the chunk length */
11916	ch->chunk_length = htons(len + old_len);
11917	chk->book_size = len + old_len;
11918	chk->book_size_scale = 0;
11919	chk->send_size = SCTP_SIZE32(chk->book_size);
11920	SCTP_BUF_LEN(chk->data) = chk->send_size;
11921	return;
11922}
11923
11924void
11925sctp_send_deferred_reset_response(struct sctp_tcb *stcb,
11926    struct sctp_stream_reset_list *ent,
11927    int response)
11928{
11929	struct sctp_association *asoc;
11930	struct sctp_tmit_chunk *chk;
11931	struct sctp_chunkhdr *ch;
11932
11933	asoc = &stcb->asoc;
11934
11935	/*
11936	 * Reset our last reset action to the new one IP -> response
11937	 * (PERFORMED probably). This assures that if we fail to send, a
11938	 * retran from the peer will get the new response.
11939	 */
11940	asoc->last_reset_action[0] = response;
11941	if (asoc->stream_reset_outstanding) {
11942		return;
11943	}
11944	sctp_alloc_a_chunk(stcb, chk);
11945	if (chk == NULL) {
11946		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11947		return;
11948	}
11949	chk->copy_by_ref = 0;
11950	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
11951	chk->rec.chunk_id.can_take_data = 0;
11952	chk->flags = 0;
11953	chk->asoc = &stcb->asoc;
11954	chk->book_size = sizeof(struct sctp_chunkhdr);
11955	chk->send_size = SCTP_SIZE32(chk->book_size);
11956	chk->book_size_scale = 0;
11957	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
11958	if (chk->data == NULL) {
11959		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
11960		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11961		return;
11962	}
11963	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11964	/* setup chunk parameters */
11965	chk->sent = SCTP_DATAGRAM_UNSENT;
11966	chk->snd_count = 0;
11967	if (stcb->asoc.alternate) {
11968		chk->whoTo = stcb->asoc.alternate;
11969	} else {
11970		chk->whoTo = stcb->asoc.primary_destination;
11971	}
11972	ch = mtod(chk->data, struct sctp_chunkhdr *);
11973	ch->chunk_type = SCTP_STREAM_RESET;
11974	ch->chunk_flags = 0;
11975	ch->chunk_length = htons(chk->book_size);
11976	atomic_add_int(&chk->whoTo->ref_count, 1);
11977	SCTP_BUF_LEN(chk->data) = chk->send_size;
11978	sctp_add_stream_reset_result(chk, ent->seq, response);
11979	/* insert the chunk for sending */
11980	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
11981	    chk,
11982	    sctp_next);
11983	asoc->ctrl_queue_cnt++;
11984}
11985
11986void
11987sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *chk,
11988    uint32_t resp_seq, uint32_t result,
11989    uint32_t send_una, uint32_t recv_next)
11990{
11991	uint16_t len, old_len;
11992	struct sctp_stream_reset_response_tsn *resp;
11993	struct sctp_chunkhdr *ch;
11994
11995	ch = mtod(chk->data, struct sctp_chunkhdr *);
11996	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11997
11998	/* get to new offset for the param. */
11999	resp = (struct sctp_stream_reset_response_tsn *)((caddr_t)ch + len);
12000	/* now how long will this param be? */
12001	len = sizeof(struct sctp_stream_reset_response_tsn);
12002	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
12003	resp->ph.param_length = htons(len);
12004	resp->response_seq = htonl(resp_seq);
12005	resp->result = htonl(result);
12006	resp->senders_next_tsn = htonl(send_una);
12007	resp->receivers_next_tsn = htonl(recv_next);
12008
12009	/* now fix the chunk length */
12010	ch->chunk_length = htons(len + old_len);
12011	chk->book_size = len + old_len;
12012	chk->send_size = SCTP_SIZE32(chk->book_size);
12013	chk->book_size_scale = 0;
12014	SCTP_BUF_LEN(chk->data) = chk->send_size;
12015	return;
12016}
12017
12018static void
12019sctp_add_an_out_stream(struct sctp_tmit_chunk *chk,
12020    uint32_t seq,
12021    uint16_t adding)
12022{
12023	uint16_t len, old_len;
12024	struct sctp_chunkhdr *ch;
12025	struct sctp_stream_reset_add_strm *addstr;
12026
12027	ch = mtod(chk->data, struct sctp_chunkhdr *);
12028	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12029
12030	/* get to new offset for the param. */
12031	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
12032	/* now how long will this param be? */
12033	len = sizeof(struct sctp_stream_reset_add_strm);
12034
12035	/* Fill it out. */
12036	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_OUT_STREAMS);
12037	addstr->ph.param_length = htons(len);
12038	addstr->request_seq = htonl(seq);
12039	addstr->number_of_streams = htons(adding);
12040	addstr->reserved = 0;
12041
12042	/* now fix the chunk length */
12043	ch->chunk_length = htons(len + old_len);
12044	chk->send_size = len + old_len;
12045	chk->book_size = SCTP_SIZE32(chk->send_size);
12046	chk->book_size_scale = 0;
12047	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
12048	return;
12049}
12050
12051static void
12052sctp_add_an_in_stream(struct sctp_tmit_chunk *chk,
12053    uint32_t seq,
12054    uint16_t adding)
12055{
12056	uint16_t len, old_len;
12057	struct sctp_chunkhdr *ch;
12058	struct sctp_stream_reset_add_strm *addstr;
12059
12060	ch = mtod(chk->data, struct sctp_chunkhdr *);
12061	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12062
12063	/* get to new offset for the param. */
12064	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
12065	/* now how long will this param be? */
12066	len = sizeof(struct sctp_stream_reset_add_strm);
12067	/* Fill it out. */
12068	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_IN_STREAMS);
12069	addstr->ph.param_length = htons(len);
12070	addstr->request_seq = htonl(seq);
12071	addstr->number_of_streams = htons(adding);
12072	addstr->reserved = 0;
12073
12074	/* now fix the chunk length */
12075	ch->chunk_length = htons(len + old_len);
12076	chk->send_size = len + old_len;
12077	chk->book_size = SCTP_SIZE32(chk->send_size);
12078	chk->book_size_scale = 0;
12079	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
12080	return;
12081}
12082
12083int
12084sctp_send_stream_reset_out_if_possible(struct sctp_tcb *stcb, int so_locked)
12085{
12086	struct sctp_association *asoc;
12087	struct sctp_tmit_chunk *chk;
12088	struct sctp_chunkhdr *ch;
12089	uint32_t seq;
12090
12091	asoc = &stcb->asoc;
12092	asoc->trigger_reset = 0;
12093	if (asoc->stream_reset_outstanding) {
12094		return (EALREADY);
12095	}
12096	sctp_alloc_a_chunk(stcb, chk);
12097	if (chk == NULL) {
12098		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12099		return (ENOMEM);
12100	}
12101	chk->copy_by_ref = 0;
12102	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
12103	chk->rec.chunk_id.can_take_data = 0;
12104	chk->flags = 0;
12105	chk->asoc = &stcb->asoc;
12106	chk->book_size = sizeof(struct sctp_chunkhdr);
12107	chk->send_size = SCTP_SIZE32(chk->book_size);
12108	chk->book_size_scale = 0;
12109	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
12110	if (chk->data == NULL) {
12111		sctp_free_a_chunk(stcb, chk, so_locked);
12112		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12113		return (ENOMEM);
12114	}
12115	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12116
12117	/* setup chunk parameters */
12118	chk->sent = SCTP_DATAGRAM_UNSENT;
12119	chk->snd_count = 0;
12120	if (stcb->asoc.alternate) {
12121		chk->whoTo = stcb->asoc.alternate;
12122	} else {
12123		chk->whoTo = stcb->asoc.primary_destination;
12124	}
12125	ch = mtod(chk->data, struct sctp_chunkhdr *);
12126	ch->chunk_type = SCTP_STREAM_RESET;
12127	ch->chunk_flags = 0;
12128	ch->chunk_length = htons(chk->book_size);
12129	atomic_add_int(&chk->whoTo->ref_count, 1);
12130	SCTP_BUF_LEN(chk->data) = chk->send_size;
12131	seq = stcb->asoc.str_reset_seq_out;
12132	if (sctp_add_stream_reset_out(stcb, chk, seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1))) {
12133		seq++;
12134		asoc->stream_reset_outstanding++;
12135	} else {
12136		m_freem(chk->data);
12137		chk->data = NULL;
12138		sctp_free_a_chunk(stcb, chk, so_locked);
12139		return (ENOENT);
12140	}
12141	asoc->str_reset = chk;
12142	/* insert the chunk for sending */
12143	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
12144	    chk,
12145	    sctp_next);
12146	asoc->ctrl_queue_cnt++;
12147
12148	if (stcb->asoc.send_sack) {
12149		sctp_send_sack(stcb, so_locked);
12150	}
12151	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
12152	return (0);
12153}
12154
12155int
12156sctp_send_str_reset_req(struct sctp_tcb *stcb,
12157    uint16_t number_entries, uint16_t *list,
12158    uint8_t send_in_req,
12159    uint8_t send_tsn_req,
12160    uint8_t add_stream,
12161    uint16_t adding_o,
12162    uint16_t adding_i, uint8_t peer_asked)
12163{
12164	struct sctp_association *asoc;
12165	struct sctp_tmit_chunk *chk;
12166	struct sctp_chunkhdr *ch;
12167	int can_send_out_req = 0;
12168	uint32_t seq;
12169
12170	SCTP_TCB_LOCK_ASSERT(stcb);
12171
12172	asoc = &stcb->asoc;
12173	if (asoc->stream_reset_outstanding) {
12174		/*-
12175		 * Already one pending, must get ACK back to clear the flag.
12176		 */
12177		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EBUSY);
12178		return (EBUSY);
12179	}
12180	if ((send_in_req == 0) && (send_tsn_req == 0) &&
12181	    (add_stream == 0)) {
12182		/* nothing to do */
12183		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12184		return (EINVAL);
12185	}
12186	if (send_tsn_req && send_in_req) {
12187		/* error, can't do that */
12188		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12189		return (EINVAL);
12190	} else if (send_in_req) {
12191		can_send_out_req = 1;
12192	}
12193	if (number_entries > (MCLBYTES -
12194	    SCTP_MIN_OVERHEAD -
12195	    sizeof(struct sctp_chunkhdr) -
12196	    sizeof(struct sctp_stream_reset_out_request)) /
12197	    sizeof(uint16_t)) {
12198		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12199		return (ENOMEM);
12200	}
12201	sctp_alloc_a_chunk(stcb, chk);
12202	if (chk == NULL) {
12203		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12204		return (ENOMEM);
12205	}
12206	chk->copy_by_ref = 0;
12207	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
12208	chk->rec.chunk_id.can_take_data = 0;
12209	chk->flags = 0;
12210	chk->asoc = &stcb->asoc;
12211	chk->book_size = sizeof(struct sctp_chunkhdr);
12212	chk->send_size = SCTP_SIZE32(chk->book_size);
12213	chk->book_size_scale = 0;
12214	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
12215	if (chk->data == NULL) {
12216		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
12217		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12218		return (ENOMEM);
12219	}
12220	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12221
12222	/* setup chunk parameters */
12223	chk->sent = SCTP_DATAGRAM_UNSENT;
12224	chk->snd_count = 0;
12225	if (stcb->asoc.alternate) {
12226		chk->whoTo = stcb->asoc.alternate;
12227	} else {
12228		chk->whoTo = stcb->asoc.primary_destination;
12229	}
12230	atomic_add_int(&chk->whoTo->ref_count, 1);
12231	ch = mtod(chk->data, struct sctp_chunkhdr *);
12232	ch->chunk_type = SCTP_STREAM_RESET;
12233	ch->chunk_flags = 0;
12234	ch->chunk_length = htons(chk->book_size);
12235	SCTP_BUF_LEN(chk->data) = chk->send_size;
12236
12237	seq = stcb->asoc.str_reset_seq_out;
12238	if (can_send_out_req) {
12239		int ret;
12240
12241		ret = sctp_add_stream_reset_out(stcb, chk, seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1));
12242		if (ret) {
12243			seq++;
12244			asoc->stream_reset_outstanding++;
12245		}
12246	}
12247	if ((add_stream & 1) &&
12248	    ((stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt) < adding_o)) {
12249		/* Need to allocate more */
12250		struct sctp_stream_out *oldstream;
12251		struct sctp_stream_queue_pending *sp, *nsp;
12252		int i;
12253#if defined(SCTP_DETAILED_STR_STATS)
12254		int j;
12255#endif
12256
12257		oldstream = stcb->asoc.strmout;
12258		/* get some more */
12259		SCTP_MALLOC(stcb->asoc.strmout, struct sctp_stream_out *,
12260		    (stcb->asoc.streamoutcnt + adding_o) * sizeof(struct sctp_stream_out),
12261		    SCTP_M_STRMO);
12262		if (stcb->asoc.strmout == NULL) {
12263			uint8_t x;
12264
12265			stcb->asoc.strmout = oldstream;
12266			/* Turn off the bit */
12267			x = add_stream & 0xfe;
12268			add_stream = x;
12269			goto skip_stuff;
12270		}
12271		/*
12272		 * Ok now we proceed with copying the old out stuff and
12273		 * initializing the new stuff.
12274		 */
12275		stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, false);
12276		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
12277			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12278			/* FIX ME FIX ME */
12279			/*
12280			 * This should be a SS_COPY operation FIX ME STREAM
12281			 * SCHEDULER EXPERT
12282			 */
12283			stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], &oldstream[i]);
12284			stcb->asoc.strmout[i].chunks_on_queues = oldstream[i].chunks_on_queues;
12285#if defined(SCTP_DETAILED_STR_STATS)
12286			for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
12287				stcb->asoc.strmout[i].abandoned_sent[j] = oldstream[i].abandoned_sent[j];
12288				stcb->asoc.strmout[i].abandoned_unsent[j] = oldstream[i].abandoned_unsent[j];
12289			}
12290#else
12291			stcb->asoc.strmout[i].abandoned_sent[0] = oldstream[i].abandoned_sent[0];
12292			stcb->asoc.strmout[i].abandoned_unsent[0] = oldstream[i].abandoned_unsent[0];
12293#endif
12294			stcb->asoc.strmout[i].next_mid_ordered = oldstream[i].next_mid_ordered;
12295			stcb->asoc.strmout[i].next_mid_unordered = oldstream[i].next_mid_unordered;
12296			stcb->asoc.strmout[i].last_msg_incomplete = oldstream[i].last_msg_incomplete;
12297			stcb->asoc.strmout[i].sid = i;
12298			stcb->asoc.strmout[i].state = oldstream[i].state;
12299			/* now anything on those queues? */
12300			TAILQ_FOREACH_SAFE(sp, &oldstream[i].outqueue, next, nsp) {
12301				TAILQ_REMOVE(&oldstream[i].outqueue, sp, next);
12302				TAILQ_INSERT_TAIL(&stcb->asoc.strmout[i].outqueue, sp, next);
12303			}
12304		}
12305		/* now the new streams */
12306		stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc);
12307		for (i = stcb->asoc.streamoutcnt; i < (stcb->asoc.streamoutcnt + adding_o); i++) {
12308			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12309			stcb->asoc.strmout[i].chunks_on_queues = 0;
12310#if defined(SCTP_DETAILED_STR_STATS)
12311			for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
12312				stcb->asoc.strmout[i].abandoned_sent[j] = 0;
12313				stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
12314			}
12315#else
12316			stcb->asoc.strmout[i].abandoned_sent[0] = 0;
12317			stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
12318#endif
12319			stcb->asoc.strmout[i].next_mid_ordered = 0;
12320			stcb->asoc.strmout[i].next_mid_unordered = 0;
12321			stcb->asoc.strmout[i].sid = i;
12322			stcb->asoc.strmout[i].last_msg_incomplete = 0;
12323			stcb->asoc.ss_functions.sctp_ss_init_stream(stcb, &stcb->asoc.strmout[i], NULL);
12324			stcb->asoc.strmout[i].state = SCTP_STREAM_CLOSED;
12325		}
12326		stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt + adding_o;
12327		SCTP_FREE(oldstream, SCTP_M_STRMO);
12328	}
12329skip_stuff:
12330	if ((add_stream & 1) && (adding_o > 0)) {
12331		asoc->strm_pending_add_size = adding_o;
12332		asoc->peer_req_out = peer_asked;
12333		sctp_add_an_out_stream(chk, seq, adding_o);
12334		seq++;
12335		asoc->stream_reset_outstanding++;
12336	}
12337	if ((add_stream & 2) && (adding_i > 0)) {
12338		sctp_add_an_in_stream(chk, seq, adding_i);
12339		seq++;
12340		asoc->stream_reset_outstanding++;
12341	}
12342	if (send_in_req) {
12343		sctp_add_stream_reset_in(chk, number_entries, list, seq);
12344		seq++;
12345		asoc->stream_reset_outstanding++;
12346	}
12347	if (send_tsn_req) {
12348		sctp_add_stream_reset_tsn(chk, seq);
12349		asoc->stream_reset_outstanding++;
12350	}
12351	asoc->str_reset = chk;
12352	/* insert the chunk for sending */
12353	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
12354	    chk,
12355	    sctp_next);
12356	asoc->ctrl_queue_cnt++;
12357	if (stcb->asoc.send_sack) {
12358		sctp_send_sack(stcb, SCTP_SO_LOCKED);
12359	}
12360	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
12361	return (0);
12362}
12363
12364void
12365sctp_send_abort(struct mbuf *m, int iphlen, struct sockaddr *src, struct sockaddr *dst,
12366    struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12367    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
12368    uint32_t vrf_id, uint16_t port)
12369{
12370	/* Don't respond to an ABORT with an ABORT. */
12371	if (sctp_is_there_an_abort_here(m, iphlen, &vtag)) {
12372		if (cause)
12373			sctp_m_freem(cause);
12374		return;
12375	}
12376	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_ABORT_ASSOCIATION, cause,
12377	    mflowtype, mflowid, fibnum,
12378	    vrf_id, port);
12379	return;
12380}
12381
12382void
12383sctp_send_operr_to(struct sockaddr *src, struct sockaddr *dst,
12384    struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12385    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
12386    uint32_t vrf_id, uint16_t port)
12387{
12388	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_OPERATION_ERROR, cause,
12389	    mflowtype, mflowid, fibnum,
12390	    vrf_id, port);
12391	return;
12392}
12393
12394static struct mbuf *
12395sctp_copy_resume(struct uio *uio,
12396    int max_send_len,
12397    int user_marks_eor,
12398    int *error,
12399    uint32_t *sndout,
12400    struct mbuf **new_tail)
12401{
12402	struct mbuf *m;
12403
12404	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
12405	    (M_PKTHDR | (user_marks_eor ? M_EOR : 0)));
12406	if (m == NULL) {
12407		/* The only possible error is EFAULT. */
12408		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12409		*error = EFAULT;
12410	} else {
12411		*sndout = m_length(m, NULL);
12412		*new_tail = m_last(m);
12413	}
12414	return (m);
12415}
12416
12417static int
12418sctp_copy_one(struct sctp_stream_queue_pending *sp,
12419    struct uio *uio,
12420    int resv_upfront)
12421{
12422	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length, resv_upfront, 0);
12423	if (sp->data == NULL) {
12424		/* The only possible error is EFAULT. */
12425		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12426		return (EFAULT);
12427	}
12428	sp->tail_mbuf = m_last(sp->data);
12429	return (0);
12430}
12431
12432static struct sctp_stream_queue_pending *
12433sctp_copy_it_in(struct sctp_tcb *stcb,
12434    struct sctp_association *asoc,
12435    struct sctp_nonpad_sndrcvinfo *srcv,
12436    struct uio *uio,
12437    struct sctp_nets *net,
12438    ssize_t max_send_len,
12439    int user_marks_eor,
12440    int *error)
12441{
12442
12443	/*-
12444	 * This routine must be very careful in its work. Protocol
12445	 * processing is up and running so care must be taken to spl...()
12446	 * when you need to do something that may effect the stcb/asoc. The
12447	 * sb is locked however. When data is copied the protocol processing
12448	 * should be enabled since this is a slower operation...
12449	 */
12450	struct sctp_stream_queue_pending *sp;
12451	int resv_in_first;
12452
12453	*error = 0;
12454	sctp_alloc_a_strmoq(stcb, sp);
12455	if (sp == NULL) {
12456		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12457		*error = ENOMEM;
12458		goto out_now;
12459	}
12460	sp->act_flags = 0;
12461	sp->sender_all_done = 0;
12462	sp->sinfo_flags = srcv->sinfo_flags;
12463	sp->timetolive = srcv->sinfo_timetolive;
12464	sp->ppid = srcv->sinfo_ppid;
12465	sp->context = srcv->sinfo_context;
12466	sp->fsn = 0;
12467	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
12468	sp->sid = srcv->sinfo_stream;
12469	sp->length = (uint32_t)min(uio->uio_resid, max_send_len);
12470	if ((sp->length == (uint32_t)uio->uio_resid) &&
12471	    ((user_marks_eor == 0) ||
12472	    (srcv->sinfo_flags & SCTP_EOF) ||
12473	    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
12474		sp->msg_is_complete = 1;
12475	} else {
12476		sp->msg_is_complete = 0;
12477	}
12478	sp->sender_all_done = 0;
12479	sp->some_taken = 0;
12480	sp->put_last_out = 0;
12481	resv_in_first = SCTP_DATA_CHUNK_OVERHEAD(stcb);
12482	sp->data = sp->tail_mbuf = NULL;
12483	if (sp->length == 0) {
12484		goto skip_copy;
12485	}
12486	if (srcv->sinfo_keynumber_valid) {
12487		sp->auth_keyid = srcv->sinfo_keynumber;
12488	} else {
12489		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
12490	}
12491	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
12492		sctp_auth_key_acquire(stcb, sp->auth_keyid);
12493		sp->holds_key_ref = 1;
12494	}
12495	*error = sctp_copy_one(sp, uio, resv_in_first);
12496skip_copy:
12497	if (*error) {
12498		sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
12499		sp = NULL;
12500	} else {
12501		if (sp->sinfo_flags & SCTP_ADDR_OVER) {
12502			sp->net = net;
12503			atomic_add_int(&sp->net->ref_count, 1);
12504		} else {
12505			sp->net = NULL;
12506		}
12507		sctp_set_prsctp_policy(sp);
12508	}
12509out_now:
12510	return (sp);
12511}
12512
12513int
12514sctp_sosend(struct socket *so,
12515    struct sockaddr *addr,
12516    struct uio *uio,
12517    struct mbuf *top,
12518    struct mbuf *control,
12519    int flags,
12520    struct thread *p)
12521{
12522	struct sctp_sndrcvinfo sndrcvninfo;
12523#if defined(INET) && defined(INET6)
12524	struct sockaddr_in sin;
12525#endif
12526	struct sockaddr *addr_to_use;
12527	int error;
12528	bool use_sndinfo;
12529
12530	if (control != NULL) {
12531		/* process cmsg snd/rcv info (maybe a assoc-id) */
12532		use_sndinfo = sctp_find_cmsg(SCTP_SNDRCV, (void *)&sndrcvninfo, control, sizeof(sndrcvninfo));
12533	} else {
12534		use_sndinfo = false;
12535	}
12536#if defined(INET) && defined(INET6)
12537	if ((addr != NULL) && (addr->sa_family == AF_INET6)) {
12538		struct sockaddr_in6 *sin6;
12539
12540		if (addr->sa_len != sizeof(struct sockaddr_in6)) {
12541			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12542			return (EINVAL);
12543		}
12544		sin6 = (struct sockaddr_in6 *)addr;
12545		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
12546			in6_sin6_2_sin(&sin, sin6);
12547			addr_to_use = (struct sockaddr *)&sin;
12548		} else {
12549			addr_to_use = addr;
12550		}
12551	} else {
12552		addr_to_use = addr;
12553	}
12554#else
12555	addr_to_use = addr;
12556#endif
12557	error = sctp_lower_sosend(so, addr_to_use, uio, top, control, flags,
12558	    use_sndinfo ? &sndrcvninfo : NULL, p);
12559	return (error);
12560}
12561
12562int
12563sctp_lower_sosend(struct socket *so,
12564    struct sockaddr *addr,
12565    struct uio *uio,
12566    struct mbuf *top,
12567    struct mbuf *control,
12568    int flags,
12569    struct sctp_sndrcvinfo *srcv,
12570    struct thread *p)
12571{
12572	struct sctp_nonpad_sndrcvinfo sndrcvninfo_buf;
12573	struct epoch_tracker et;
12574	struct timeval now;
12575	struct sctp_block_entry be;
12576	struct sctp_inpcb *inp;
12577	struct sctp_tcb *stcb = NULL;
12578	struct sctp_nets *net;
12579	struct sctp_association *asoc;
12580	struct sctp_inpcb *t_inp;
12581	struct sctp_nonpad_sndrcvinfo *sndrcvninfo;
12582	ssize_t sndlen = 0, max_len, local_add_more;
12583	ssize_t local_soresv = 0;
12584	sctp_assoc_t sinfo_assoc_id;
12585	int user_marks_eor;
12586	int nagle_applies = 0;
12587	int error;
12588	int queue_only = 0, queue_only_for_init = 0;
12589	int un_sent;
12590	int now_filled = 0;
12591	unsigned int inqueue_bytes = 0;
12592	uint16_t port;
12593	uint16_t sinfo_flags;
12594	uint16_t sinfo_stream;
12595	bool create_lock_applied = false;
12596	bool free_cnt_applied = false;
12597	bool some_on_control;
12598	bool got_all_of_the_send = false;
12599	bool non_blocking = false;
12600
12601	error = 0;
12602	net = NULL;
12603	stcb = NULL;
12604
12605	if ((uio == NULL) && (top == NULL)) {
12606		error = EINVAL;
12607		goto out_unlocked;
12608	}
12609	if (addr != NULL) {
12610		union sctp_sockstore *raddr = (union sctp_sockstore *)addr;
12611
12612		switch (raddr->sa.sa_family) {
12613#ifdef INET
12614		case AF_INET:
12615			if (raddr->sin.sin_len != sizeof(struct sockaddr_in)) {
12616				error = EINVAL;
12617				goto out_unlocked;
12618			}
12619			port = raddr->sin.sin_port;
12620			break;
12621#endif
12622#ifdef INET6
12623		case AF_INET6:
12624			if (raddr->sin6.sin6_len != sizeof(struct sockaddr_in6)) {
12625				error = EINVAL;
12626				goto out_unlocked;
12627			}
12628			port = raddr->sin6.sin6_port;
12629			break;
12630#endif
12631		default:
12632			error = EAFNOSUPPORT;
12633			goto out_unlocked;
12634		}
12635	} else {
12636		port = 0;
12637	}
12638	if (uio != NULL) {
12639		if (uio->uio_resid < 0) {
12640			error = EINVAL;
12641			goto out_unlocked;
12642		}
12643		sndlen = uio->uio_resid;
12644	} else {
12645		sndlen = SCTP_HEADER_LEN(top);
12646	}
12647	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %zd\n",
12648	    (void *)addr, sndlen);
12649
12650	t_inp = inp = (struct sctp_inpcb *)so->so_pcb;
12651	if (inp == NULL) {
12652		error = EINVAL;
12653		goto out_unlocked;
12654	}
12655	user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
12656	if ((uio == NULL) && (user_marks_eor != 0)) {
12657		/*-
12658		 * We do not support eeor mode for
12659		 * sending with mbuf chains (like sendfile).
12660		 */
12661		error = EINVAL;
12662		goto out_unlocked;
12663	}
12664	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
12665	    SCTP_IS_LISTENING(inp)) {
12666		/* The listener can NOT send. */
12667		error = EINVAL;
12668		goto out_unlocked;
12669	}
12670	atomic_add_int(&inp->total_sends, 1);
12671
12672	if (srcv != NULL) {
12673		sndrcvninfo = (struct sctp_nonpad_sndrcvinfo *)srcv;
12674		sinfo_assoc_id = sndrcvninfo->sinfo_assoc_id;
12675		sinfo_flags = sndrcvninfo->sinfo_flags;
12676		if (INVALID_SINFO_FLAG(sinfo_flags) ||
12677		    PR_SCTP_INVALID_POLICY(sinfo_flags)) {
12678			error = EINVAL;
12679			goto out_unlocked;
12680		}
12681		if (sinfo_flags != 0) {
12682			SCTP_STAT_INCR(sctps_sends_with_flags);
12683		}
12684	} else {
12685		sndrcvninfo = NULL;
12686		sinfo_flags = inp->def_send.sinfo_flags;
12687		sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
12688	}
12689	if (flags & MSG_EOR) {
12690		sinfo_flags |= SCTP_EOR;
12691	}
12692	if (flags & MSG_EOF) {
12693		sinfo_flags |= SCTP_EOF;
12694	}
12695	if ((sinfo_flags & SCTP_ADDR_OVER) && (addr == NULL)) {
12696		error = EINVAL;
12697		goto out_unlocked;
12698	}
12699	SCTP_INP_RLOCK(inp);
12700	if ((sinfo_flags & SCTP_SENDALL) &&
12701	    (inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
12702		SCTP_INP_RUNLOCK(inp);
12703		error = sctp_sendall(inp, uio, top, sndrcvninfo);
12704		top = NULL;
12705		goto out_unlocked;
12706	}
12707	/* Now we must find the association. */
12708	if ((inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) ||
12709	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
12710		stcb = LIST_FIRST(&inp->sctp_asoc_list);
12711		if (stcb != NULL) {
12712			SCTP_TCB_LOCK(stcb);
12713		}
12714		SCTP_INP_RUNLOCK(inp);
12715	} else if (sinfo_assoc_id > SCTP_ALL_ASSOC) {
12716		stcb = sctp_findasoc_ep_asocid_locked(inp, sinfo_assoc_id, 1);
12717		SCTP_INP_RUNLOCK(inp);
12718		if (stcb != NULL) {
12719			SCTP_TCB_LOCK_ASSERT(stcb);
12720		}
12721	} else if (addr != NULL) {
12722		/*-
12723		 * Since we did not use findep we must
12724		 * increment it, and if we don't find a tcb
12725		 * decrement it.
12726		 */
12727		SCTP_INP_INCR_REF(inp);
12728		SCTP_INP_RUNLOCK(inp);
12729		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12730		if (stcb == NULL) {
12731			SCTP_INP_WLOCK(inp);
12732			SCTP_INP_DECR_REF(inp);
12733			SCTP_INP_WUNLOCK(inp);
12734		} else {
12735			SCTP_TCB_LOCK_ASSERT(stcb);
12736		}
12737	} else {
12738		SCTP_INP_RUNLOCK(inp);
12739	}
12740
12741#ifdef INVARIANTS
12742	if (stcb != NULL) {
12743		SCTP_TCB_LOCK_ASSERT(stcb);
12744	}
12745#endif
12746
12747	if ((stcb == NULL) && (addr != NULL)) {
12748		/* Possible implicit send? */
12749		SCTP_ASOC_CREATE_LOCK(inp);
12750		create_lock_applied = true;
12751		if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
12752		    (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
12753			error = EINVAL;
12754			goto out_unlocked;
12755		}
12756		if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) &&
12757		    (addr->sa_family == AF_INET6)) {
12758			error = EINVAL;
12759			goto out_unlocked;
12760		}
12761		SCTP_INP_WLOCK(inp);
12762		SCTP_INP_INCR_REF(inp);
12763		SCTP_INP_WUNLOCK(inp);
12764		/* With the lock applied look again */
12765		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12766#if defined(INET) || defined(INET6)
12767		if ((stcb == NULL) && (control != NULL) && (port > 0)) {
12768			stcb = sctp_findassociation_cmsgs(&t_inp, port, control, &net, &error);
12769		}
12770#endif
12771		if (stcb == NULL) {
12772			SCTP_INP_WLOCK(inp);
12773			SCTP_INP_DECR_REF(inp);
12774			SCTP_INP_WUNLOCK(inp);
12775		} else {
12776			SCTP_TCB_LOCK_ASSERT(stcb);
12777			SCTP_ASOC_CREATE_UNLOCK(inp);
12778			create_lock_applied = false;
12779		}
12780		if (error != 0) {
12781			goto out_unlocked;
12782		}
12783		if (t_inp != inp) {
12784			error = ENOTCONN;
12785			goto out_unlocked;
12786		}
12787	}
12788	if (stcb == NULL) {
12789		if (addr == NULL) {
12790			error = ENOENT;
12791			goto out_unlocked;
12792		} else {
12793			/* We must go ahead and start the INIT process */
12794			uint32_t vrf_id;
12795
12796			if ((sinfo_flags & SCTP_ABORT) ||
12797			    ((sinfo_flags & SCTP_EOF) && (sndlen == 0))) {
12798				/*-
12799				 * User asks to abort a non-existent assoc,
12800				 * or EOF a non-existent assoc with no data
12801				 */
12802				error = ENOENT;
12803				goto out_unlocked;
12804			}
12805			/* get an asoc/stcb struct */
12806			vrf_id = inp->def_vrf_id;
12807			KASSERT(create_lock_applied, ("create_lock_applied is false"));
12808			stcb = sctp_aloc_assoc_connected(inp, addr, &error, 0, 0, vrf_id,
12809			    inp->sctp_ep.pre_open_stream_count,
12810			    inp->sctp_ep.port,
12811			    p,
12812			    SCTP_INITIALIZE_AUTH_PARAMS);
12813			if (stcb == NULL) {
12814				/* error is setup for us in the call. */
12815				KASSERT(error != 0, ("error is 0 although stcb is NULL"));
12816				goto out_unlocked;
12817			}
12818			SCTP_TCB_LOCK_ASSERT(stcb);
12819			SCTP_ASOC_CREATE_UNLOCK(inp);
12820			create_lock_applied = false;
12821			/*
12822			 * Turn on queue only flag to prevent data from
12823			 * being sent
12824			 */
12825			queue_only = 1;
12826			SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
12827			(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
12828			if (control != NULL) {
12829				if (sctp_process_cmsgs_for_init(stcb, control, &error)) {
12830					sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
12831					    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_6);
12832					stcb = NULL;
12833					KASSERT(error != 0,
12834					    ("error is 0 although sctp_process_cmsgs_for_init() indicated an error"));
12835					goto out_unlocked;
12836				}
12837			}
12838			/* out with the INIT */
12839			queue_only_for_init = 1;
12840			/*-
12841			 * we may want to dig in after this call and adjust the MTU
12842			 * value. It defaulted to 1500 (constant) but the ro
12843			 * structure may now have an update and thus we may need to
12844			 * change it BEFORE we append the message.
12845			 */
12846		}
12847	}
12848
12849	KASSERT(!create_lock_applied, ("create_lock_applied is true"));
12850	KASSERT(stcb != NULL, ("stcb is NULL"));
12851	SCTP_TCB_LOCK_ASSERT(stcb);
12852
12853	asoc = &stcb->asoc;
12854	if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
12855	    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
12856		if (asoc->state & SCTP_STATE_WAS_ABORTED) {
12857			/* XXX: Could also be ECONNABORTED, not enough info. */
12858			error = ECONNRESET;
12859		} else {
12860			error = ENOTCONN;
12861		}
12862		goto out_unlocked;
12863	}
12864	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
12865	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
12866		queue_only = 1;
12867	}
12868	/* Keep the stcb from being freed under our feet. */
12869	atomic_add_int(&asoc->refcnt, 1);
12870	free_cnt_applied = true;
12871	if (sndrcvninfo == NULL) {
12872		/* Use a local copy to have a consistent view. */
12873		sndrcvninfo_buf = asoc->def_send;
12874		sndrcvninfo = &sndrcvninfo_buf;
12875		sinfo_flags = sndrcvninfo->sinfo_flags;
12876		if (flags & MSG_EOR) {
12877			sinfo_flags |= SCTP_EOR;
12878		}
12879		if (flags & MSG_EOF) {
12880			sinfo_flags |= SCTP_EOF;
12881		}
12882	}
12883	/* Are we aborting? */
12884	if (sinfo_flags & SCTP_ABORT) {
12885		struct mbuf *mm;
12886		struct sctp_paramhdr *ph;
12887		ssize_t tot_demand, tot_out = 0, max_out;
12888
12889		SCTP_STAT_INCR(sctps_sends_with_abort);
12890		if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
12891		    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
12892			/* It has to be up before we abort. */
12893			error = EINVAL;
12894			goto out_unlocked;
12895		}
12896		/* How big is the user initiated abort? */
12897		if (top != NULL) {
12898			struct mbuf *cntm;
12899
12900			if (sndlen != 0) {
12901				for (cntm = top; cntm; cntm = SCTP_BUF_NEXT(cntm)) {
12902					tot_out += SCTP_BUF_LEN(cntm);
12903				}
12904			}
12905			mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_NOWAIT, 1, MT_DATA);
12906		} else {
12907			/* Must fit in a MTU */
12908			tot_out = sndlen;
12909			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
12910			if (tot_demand > SCTP_DEFAULT_ADD_MORE) {
12911				error = EMSGSIZE;
12912				goto out_unlocked;
12913			}
12914			mm = sctp_get_mbuf_for_msg((unsigned int)tot_demand, 0, M_NOWAIT, 1, MT_DATA);
12915		}
12916		if (mm == NULL) {
12917			error = ENOMEM;
12918			goto out_unlocked;
12919		}
12920		max_out = asoc->smallest_mtu - sizeof(struct sctp_paramhdr);
12921		max_out -= sizeof(struct sctp_abort_msg);
12922		if (tot_out > max_out) {
12923			tot_out = max_out;
12924		}
12925		ph = mtod(mm, struct sctp_paramhdr *);
12926		ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
12927		ph->param_length = htons((uint16_t)(sizeof(struct sctp_paramhdr) + tot_out));
12928		ph++;
12929		SCTP_BUF_LEN(mm) = (int)(tot_out + sizeof(struct sctp_paramhdr));
12930		if (top == NULL) {
12931			SCTP_TCB_UNLOCK(stcb);
12932			error = uiomove((caddr_t)ph, (int)tot_out, uio);
12933			SCTP_TCB_LOCK(stcb);
12934			if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
12935			    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
12936				sctp_m_freem(mm);
12937				if (asoc->state & SCTP_STATE_WAS_ABORTED) {
12938					/*
12939					 * XXX: Could also be ECONNABORTED,
12940					 * not enough info.
12941					 */
12942					error = ECONNRESET;
12943				} else {
12944					error = ENOTCONN;
12945				}
12946				goto out_unlocked;
12947			}
12948			if (error != 0) {
12949				/*-
12950				 * Here if we can't get his data we
12951				 * still abort we just don't get to
12952				 * send the users note :-0
12953				 */
12954				sctp_m_freem(mm);
12955				mm = NULL;
12956				error = 0;
12957			}
12958		} else {
12959			if (sndlen != 0) {
12960				SCTP_BUF_NEXT(mm) = top;
12961			}
12962		}
12963		atomic_subtract_int(&asoc->refcnt, 1);
12964		free_cnt_applied = false;
12965		/* release this lock, otherwise we hang on ourselves */
12966		NET_EPOCH_ENTER(et);
12967		sctp_abort_an_association(stcb->sctp_ep, stcb, mm, false, SCTP_SO_LOCKED);
12968		NET_EPOCH_EXIT(et);
12969		stcb = NULL;
12970		/*
12971		 * In this case top is already chained to mm avoid double
12972		 * free, since we free it below if top != NULL and driver
12973		 * would free it after sending the packet out
12974		 */
12975		if (sndlen != 0) {
12976			top = NULL;
12977		}
12978		goto out_unlocked;
12979	}
12980
12981	KASSERT(stcb != NULL, ("stcb is NULL"));
12982	SCTP_TCB_LOCK_ASSERT(stcb);
12983	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
12984	    ("Association about to be freed"));
12985	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
12986	    ("Association was aborted"));
12987
12988	if (sinfo_flags & SCTP_ADDR_OVER) {
12989		if (addr != NULL) {
12990			net = sctp_findnet(stcb, addr);
12991		} else {
12992			net = NULL;
12993		}
12994		if ((net == NULL) ||
12995		    ((port != 0) && (port != stcb->rport))) {
12996			error = EINVAL;
12997			goto out_unlocked;
12998		}
12999	} else {
13000		if (asoc->alternate != NULL) {
13001			net = asoc->alternate;
13002		} else {
13003			net = asoc->primary_destination;
13004		}
13005	}
13006	if (sndlen == 0) {
13007		if (sinfo_flags & SCTP_EOF) {
13008			got_all_of_the_send = true;
13009			goto dataless_eof;
13010		} else {
13011			error = EINVAL;
13012			goto out_unlocked;
13013		}
13014	}
13015	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
13016		if (sndlen > (ssize_t)asoc->smallest_mtu) {
13017			error = EMSGSIZE;
13018			goto out_unlocked;
13019		}
13020	}
13021	sinfo_stream = sndrcvninfo->sinfo_stream;
13022	/* Is the stream no. valid? */
13023	if (sinfo_stream >= asoc->streamoutcnt) {
13024		/* Invalid stream number */
13025		error = EINVAL;
13026		goto out_unlocked;
13027	}
13028	if ((asoc->strmout[sinfo_stream].state != SCTP_STREAM_OPEN) &&
13029	    (asoc->strmout[sinfo_stream].state != SCTP_STREAM_OPENING)) {
13030		/*
13031		 * Can't queue any data while stream reset is underway.
13032		 */
13033		if (asoc->strmout[sinfo_stream].state > SCTP_STREAM_OPEN) {
13034			error = EAGAIN;
13035		} else {
13036			error = EINVAL;
13037		}
13038		goto out_unlocked;
13039	}
13040	atomic_add_int(&stcb->total_sends, 1);
13041	if (SCTP_SO_IS_NBIO(so) || (flags & (MSG_NBIO | MSG_DONTWAIT)) != 0) {
13042		non_blocking = true;
13043	}
13044	if (non_blocking) {
13045		ssize_t amount;
13046
13047		inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13048		if (user_marks_eor == 0) {
13049			amount = sndlen;
13050		} else {
13051			amount = 1;
13052		}
13053		if ((SCTP_SB_LIMIT_SND(so) < (amount + inqueue_bytes + asoc->sb_send_resv)) ||
13054		    (asoc->chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13055			if ((sndlen > (ssize_t)SCTP_SB_LIMIT_SND(so)) &&
13056			    (user_marks_eor == 0)) {
13057				error = EMSGSIZE;
13058			} else {
13059				error = EWOULDBLOCK;
13060			}
13061			goto out_unlocked;
13062		}
13063	}
13064	atomic_add_int(&asoc->sb_send_resv, (int)sndlen);
13065	local_soresv = sndlen;
13066
13067	KASSERT(stcb != NULL, ("stcb is NULL"));
13068	SCTP_TCB_LOCK_ASSERT(stcb);
13069	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13070	    ("Association about to be freed"));
13071	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13072	    ("Association was aborted"));
13073
13074	/* Ok, we will attempt a msgsnd :> */
13075	if (p != NULL) {
13076		p->td_ru.ru_msgsnd++;
13077	}
13078	/* Calculate the maximum we can send */
13079	inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13080	if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13081		max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13082	} else {
13083		max_len = 0;
13084	}
13085	/* Unless E_EOR mode is on, we must make a send FIT in one call. */
13086	if ((user_marks_eor == 0) &&
13087	    (sndlen > (ssize_t)SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
13088		/* It will NEVER fit. */
13089		error = EMSGSIZE;
13090		goto out_unlocked;
13091	}
13092	if (user_marks_eor != 0) {
13093		local_add_more = (ssize_t)min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
13094	} else {
13095		/*-
13096		 * For non-eeor the whole message must fit in
13097		 * the socket send buffer.
13098		 */
13099		local_add_more = sndlen;
13100	}
13101	if (non_blocking) {
13102		goto skip_preblock;
13103	}
13104	if (((max_len <= local_add_more) && ((ssize_t)SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
13105	    (max_len == 0) ||
13106	    ((asoc->chunks_on_out_queue + asoc->stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13107		/* No room right now! */
13108		inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13109		SOCKBUF_LOCK(&so->so_snd);
13110		while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
13111		    ((asoc->stream_queue_cnt + asoc->chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13112			SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %zd) || (%d+%d > %d)\n",
13113			    (unsigned int)SCTP_SB_LIMIT_SND(so),
13114			    inqueue_bytes,
13115			    local_add_more,
13116			    asoc->stream_queue_cnt,
13117			    asoc->chunks_on_out_queue,
13118			    SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue));
13119			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13120				sctp_log_block(SCTP_BLOCK_LOG_INTO_BLKA, asoc, sndlen);
13121			}
13122			be.error = 0;
13123			stcb->block_entry = &be;
13124			SCTP_TCB_UNLOCK(stcb);
13125			error = sbwait(so, SO_SND);
13126			if (error == 0) {
13127				if (so->so_error != 0) {
13128					error = so->so_error;
13129				}
13130				if (be.error != 0) {
13131					error = be.error;
13132				}
13133			}
13134			SOCKBUF_UNLOCK(&so->so_snd);
13135			SCTP_TCB_LOCK(stcb);
13136			stcb->block_entry = NULL;
13137			if (error != 0) {
13138				goto out_unlocked;
13139			}
13140			if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13141			    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13142				if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13143					/*
13144					 * XXX: Could also be ECONNABORTED,
13145					 * not enough info.
13146					 */
13147					error = ECONNRESET;
13148				} else {
13149					error = ENOTCONN;
13150				}
13151				goto out_unlocked;
13152			}
13153			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13154				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13155				    asoc, asoc->total_output_queue_size);
13156			}
13157			inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13158			SOCKBUF_LOCK(&so->so_snd);
13159		}
13160		if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13161			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13162		} else {
13163			max_len = 0;
13164		}
13165		SOCKBUF_UNLOCK(&so->so_snd);
13166	}
13167
13168skip_preblock:
13169	KASSERT(stcb != NULL, ("stcb is NULL"));
13170	SCTP_TCB_LOCK_ASSERT(stcb);
13171	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13172	    ("Association about to be freed"));
13173	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13174	    ("Association was aborted"));
13175
13176	/*
13177	 * sndlen covers for mbuf case uio_resid covers for the non-mbuf
13178	 * case NOTE: uio will be null when top/mbuf is passed
13179	 */
13180	if (top == NULL) {
13181		struct sctp_stream_queue_pending *sp;
13182		struct sctp_stream_out *strm;
13183		uint32_t sndout;
13184
13185		if ((asoc->stream_locked) &&
13186		    (asoc->stream_locked_on != sinfo_stream)) {
13187			error = EINVAL;
13188			goto out;
13189		}
13190		strm = &asoc->strmout[sinfo_stream];
13191		if (strm->last_msg_incomplete == 0) {
13192	do_a_copy_in:
13193			SCTP_TCB_UNLOCK(stcb);
13194			sp = sctp_copy_it_in(stcb, asoc, sndrcvninfo, uio, net, max_len, user_marks_eor, &error);
13195			SCTP_TCB_LOCK(stcb);
13196			if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13197			    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13198				if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13199					/*
13200					 * XXX: Could also be ECONNABORTED,
13201					 * not enough info.
13202					 */
13203					error = ECONNRESET;
13204				} else {
13205					error = ENOTCONN;
13206				}
13207				goto out;
13208			}
13209			if (error != 0) {
13210				goto out;
13211			}
13212			/*
13213			 * Reject the sending of a new user message, if the
13214			 * association is about to be shut down.
13215			 */
13216			if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) ||
13217			    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
13218			    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
13219			    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
13220				if (sp->data != 0) {
13221					sctp_m_freem(sp->data);
13222					sp->data = NULL;
13223					sp->tail_mbuf = NULL;
13224					sp->length = 0;
13225				}
13226				if (sp->net != NULL) {
13227					sctp_free_remote_addr(sp->net);
13228					sp->net = NULL;
13229				}
13230				sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
13231				error = EPIPE;
13232				goto out_unlocked;
13233			}
13234			/* The out streams might be reallocated. */
13235			strm = &asoc->strmout[sinfo_stream];
13236			if (sp->msg_is_complete) {
13237				strm->last_msg_incomplete = 0;
13238				asoc->stream_locked = 0;
13239			} else {
13240				/*
13241				 * Just got locked to this guy in case of an
13242				 * interrupt.
13243				 */
13244				strm->last_msg_incomplete = 1;
13245				if (asoc->idata_supported == 0) {
13246					asoc->stream_locked = 1;
13247					asoc->stream_locked_on = sinfo_stream;
13248				}
13249				sp->sender_all_done = 0;
13250			}
13251			sctp_snd_sb_alloc(stcb, sp->length);
13252			atomic_add_int(&asoc->stream_queue_cnt, 1);
13253			if (sinfo_flags & SCTP_UNORDERED) {
13254				SCTP_STAT_INCR(sctps_sends_with_unord);
13255			}
13256			sp->processing = 1;
13257			TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
13258			asoc->ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp);
13259		} else {
13260			sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
13261			if (sp == NULL) {
13262				/* ???? Huh ??? last msg is gone */
13263#ifdef INVARIANTS
13264				panic("Warning: Last msg marked incomplete, yet nothing left?");
13265#else
13266				SCTP_PRINTF("Warning: Last msg marked incomplete, yet nothing left?\n");
13267				strm->last_msg_incomplete = 0;
13268#endif
13269				goto do_a_copy_in;
13270			}
13271			if (sp->processing != 0) {
13272				error = EINVAL;
13273				goto out;
13274			} else {
13275				sp->processing = 1;
13276			}
13277		}
13278
13279		KASSERT(stcb != NULL, ("stcb is NULL"));
13280		SCTP_TCB_LOCK_ASSERT(stcb);
13281		KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13282		    ("Association about to be freed"));
13283		KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13284		    ("Association was aborted"));
13285
13286		while (uio->uio_resid > 0) {
13287			/* How much room do we have? */
13288			struct mbuf *new_tail, *mm;
13289
13290			inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13291			if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13292				max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13293			} else {
13294				max_len = 0;
13295			}
13296			if ((max_len > (ssize_t)SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
13297			    ((max_len > 0) && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
13298			    (uio->uio_resid <= max_len)) {
13299				SCTP_TCB_UNLOCK(stcb);
13300				sndout = 0;
13301				new_tail = NULL;
13302				mm = sctp_copy_resume(uio, (int)max_len, user_marks_eor, &error, &sndout, &new_tail);
13303				SCTP_TCB_LOCK(stcb);
13304				if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13305				    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13306					/*
13307					 * We need to get out. Peer probably
13308					 * aborted.
13309					 */
13310					sctp_m_freem(mm);
13311					if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13312						/*
13313						 * XXX: Could also be
13314						 * ECONNABORTED, not enough
13315						 * info.
13316						 */
13317						error = ECONNRESET;
13318					} else {
13319						error = ENOTCONN;
13320					}
13321					goto out;
13322				}
13323				if ((mm == NULL) || (error != 0)) {
13324					if (mm != NULL) {
13325						sctp_m_freem(mm);
13326					}
13327					if (sp != NULL) {
13328						sp->processing = 0;
13329					}
13330					goto out;
13331				}
13332				/* Update the mbuf and count */
13333				if (sp->tail_mbuf != NULL) {
13334					/* Tack it to the end. */
13335					SCTP_BUF_NEXT(sp->tail_mbuf) = mm;
13336				} else {
13337					/* A stolen mbuf. */
13338					sp->data = mm;
13339				}
13340				sp->tail_mbuf = new_tail;
13341				sctp_snd_sb_alloc(stcb, sndout);
13342				atomic_add_int(&sp->length, sndout);
13343				if (sinfo_flags & SCTP_SACK_IMMEDIATELY) {
13344					sp->sinfo_flags |= SCTP_SACK_IMMEDIATELY;
13345				}
13346
13347				/* Did we reach EOR? */
13348				if ((uio->uio_resid == 0) &&
13349				    ((user_marks_eor == 0) ||
13350				    (sinfo_flags & SCTP_EOF) ||
13351				    (user_marks_eor && (sinfo_flags & SCTP_EOR)))) {
13352					sp->msg_is_complete = 1;
13353				} else {
13354					sp->msg_is_complete = 0;
13355				}
13356			}
13357
13358			KASSERT(stcb != NULL, ("stcb is NULL"));
13359			SCTP_TCB_LOCK_ASSERT(stcb);
13360			KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13361			    ("Association about to be freed"));
13362			KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13363			    ("Association was aborted"));
13364
13365			if (uio->uio_resid == 0) {
13366				/* got it all? */
13367				continue;
13368			}
13369			/* PR-SCTP? */
13370			if ((asoc->prsctp_supported) && (asoc->sent_queue_cnt_removeable > 0)) {
13371				/*
13372				 * This is ugly but we must assure locking
13373				 * order
13374				 */
13375				sctp_prune_prsctp(stcb, asoc, sndrcvninfo, (int)sndlen);
13376				inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13377				if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes)
13378					max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13379				else
13380					max_len = 0;
13381				if (max_len > 0) {
13382					continue;
13383				}
13384			}
13385			/* wait for space now */
13386			if (non_blocking) {
13387				/* Non-blocking io in place out */
13388				if (sp != NULL) {
13389					sp->processing = 0;
13390				}
13391				goto skip_out_eof;
13392			}
13393			/* What about the INIT, send it maybe */
13394			if (queue_only_for_init) {
13395				if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
13396					/* a collision took us forward? */
13397					queue_only = 0;
13398				} else {
13399					NET_EPOCH_ENTER(et);
13400					sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13401					NET_EPOCH_EXIT(et);
13402					SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
13403					queue_only = 1;
13404				}
13405			}
13406			if ((net->flight_size > net->cwnd) &&
13407			    (asoc->sctp_cmt_on_off == 0)) {
13408				SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13409				queue_only = 1;
13410			} else if (asoc->ifp_had_enobuf) {
13411				SCTP_STAT_INCR(sctps_ifnomemqueued);
13412				if (net->flight_size > (2 * net->mtu)) {
13413					queue_only = 1;
13414				}
13415				asoc->ifp_had_enobuf = 0;
13416			}
13417			un_sent = asoc->total_output_queue_size - asoc->total_flight;
13418			if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13419			    (asoc->total_flight > 0) &&
13420			    (asoc->stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13421			    (un_sent < (int)(asoc->smallest_mtu - SCTP_MIN_OVERHEAD))) {
13422				/*-
13423				 * Ok, Nagle is set on and we have data outstanding.
13424				 * Don't send anything and let SACKs drive out the
13425				 * data unless we have a "full" segment to send.
13426				 */
13427				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13428					sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13429				}
13430				SCTP_STAT_INCR(sctps_naglequeued);
13431				nagle_applies = 1;
13432			} else {
13433				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13434					if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13435						sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13436				}
13437				SCTP_STAT_INCR(sctps_naglesent);
13438				nagle_applies = 0;
13439			}
13440			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13441				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13442				    nagle_applies, un_sent);
13443				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, asoc->total_output_queue_size,
13444				    asoc->total_flight,
13445				    asoc->chunks_on_out_queue, asoc->total_flight_count);
13446			}
13447			if (queue_only_for_init) {
13448				queue_only_for_init = 0;
13449			}
13450			if ((queue_only == 0) && (nagle_applies == 0)) {
13451				/*-
13452				 * need to start chunk output
13453				 * before blocking.. note that if
13454				 * a lock is already applied, then
13455				 * the input via the net is happening
13456				 * and I don't need to start output :-D
13457				 */
13458				NET_EPOCH_ENTER(et);
13459				sctp_chunk_output(inp, stcb,
13460				    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13461				NET_EPOCH_EXIT(et);
13462			}
13463			/*-
13464			 * This is a bit strange, but I think it will
13465			 * work. The total_output_queue_size is locked and
13466			 * protected by the TCB_LOCK, which we just released.
13467			 * There is a race that can occur between releasing it
13468			 * above, and me getting the socket lock, where sacks
13469			 * come in but we have not put the SB_WAIT on the
13470			 * so_snd buffer to get the wakeup. After the LOCK
13471			 * is applied the sack_processing will also need to
13472			 * LOCK the so->so_snd to do the actual sowwakeup(). So
13473			 * once we have the socket buffer lock if we recheck the
13474			 * size we KNOW we will get to sleep safely with the
13475			 * wakeup flag in place.
13476			 */
13477			inqueue_bytes = asoc->total_output_queue_size - (asoc->chunks_on_out_queue * SCTP_DATA_CHUNK_OVERHEAD(stcb));
13478			SOCKBUF_LOCK(&so->so_snd);
13479			if (SCTP_SB_LIMIT_SND(so) <= (inqueue_bytes +
13480			    min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
13481				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13482					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13483					    asoc, uio->uio_resid);
13484				}
13485				be.error = 0;
13486				stcb->block_entry = &be;
13487				SCTP_TCB_UNLOCK(stcb);
13488				error = sbwait(so, SO_SND);
13489				if (error == 0) {
13490					if (so->so_error != 0)
13491						error = so->so_error;
13492					if (be.error != 0) {
13493						error = be.error;
13494					}
13495				}
13496				SOCKBUF_UNLOCK(&so->so_snd);
13497				SCTP_TCB_LOCK(stcb);
13498				stcb->block_entry = NULL;
13499				if ((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
13500				    (asoc->state & SCTP_STATE_WAS_ABORTED)) {
13501					if (asoc->state & SCTP_STATE_WAS_ABORTED) {
13502						/*
13503						 * XXX: Could also be
13504						 * ECONNABORTED, not enough
13505						 * info.
13506						 */
13507						error = ECONNRESET;
13508					} else {
13509						error = ENOTCONN;
13510					}
13511					goto out_unlocked;
13512				}
13513				if (error != 0) {
13514					if (sp != NULL) {
13515						sp->processing = 0;
13516					}
13517					goto out_unlocked;
13518				}
13519			} else {
13520				SOCKBUF_UNLOCK(&so->so_snd);
13521			}
13522			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13523				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13524				    asoc, asoc->total_output_queue_size);
13525			}
13526		}
13527
13528		KASSERT(stcb != NULL, ("stcb is NULL"));
13529		SCTP_TCB_LOCK_ASSERT(stcb);
13530		KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13531		    ("Association about to be freed"));
13532		KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13533		    ("Association was aborted"));
13534
13535		/* The out streams might be reallocated. */
13536		strm = &asoc->strmout[sinfo_stream];
13537		if (sp != NULL) {
13538			if (sp->msg_is_complete == 0) {
13539				strm->last_msg_incomplete = 1;
13540				if (asoc->idata_supported == 0) {
13541					asoc->stream_locked = 1;
13542					asoc->stream_locked_on = sinfo_stream;
13543				}
13544			} else {
13545				sp->sender_all_done = 1;
13546				strm->last_msg_incomplete = 0;
13547				asoc->stream_locked = 0;
13548			}
13549			sp->processing = 0;
13550		} else {
13551			SCTP_PRINTF("Huh no sp TSNH?\n");
13552			strm->last_msg_incomplete = 0;
13553			asoc->stream_locked = 0;
13554		}
13555		if (uio->uio_resid == 0) {
13556			got_all_of_the_send = true;
13557		}
13558	} else {
13559		error = sctp_msg_append(stcb, net, top, sndrcvninfo);
13560		top = NULL;
13561		if ((sinfo_flags & SCTP_EOF) != 0) {
13562			got_all_of_the_send = true;
13563		}
13564	}
13565	if (error != 0) {
13566		goto out;
13567	}
13568
13569dataless_eof:
13570	KASSERT(stcb != NULL, ("stcb is NULL"));
13571	SCTP_TCB_LOCK_ASSERT(stcb);
13572	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13573	    ("Association about to be freed"));
13574	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13575	    ("Association was aborted"));
13576
13577	/* EOF thing ? */
13578	if ((sinfo_flags & SCTP_EOF) && got_all_of_the_send) {
13579		SCTP_STAT_INCR(sctps_sends_with_eof);
13580		error = 0;
13581		if (TAILQ_EMPTY(&asoc->send_queue) &&
13582		    TAILQ_EMPTY(&asoc->sent_queue) &&
13583		    sctp_is_there_unsent_data(stcb, SCTP_SO_LOCKED) == 0) {
13584			if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
13585				goto abort_anyway;
13586			}
13587			/* there is nothing queued to send, so I'm done... */
13588			if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
13589			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13590			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13591				struct sctp_nets *netp;
13592
13593				/* only send SHUTDOWN the first time through */
13594				if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
13595					SCTP_STAT_DECR_GAUGE32(sctps_currestab);
13596				}
13597				SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT);
13598				sctp_stop_timers_for_shutdown(stcb);
13599				if (asoc->alternate != NULL) {
13600					netp = asoc->alternate;
13601				} else {
13602					netp = asoc->primary_destination;
13603				}
13604				sctp_send_shutdown(stcb, netp);
13605				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
13606				    netp);
13607				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13608				    NULL);
13609			}
13610		} else {
13611			/*-
13612			 * we still got (or just got) data to send, so set
13613			 * SHUTDOWN_PENDING
13614			 */
13615			/*-
13616			 * XXX sockets draft says that SCTP_EOF should be
13617			 * sent with no data.  currently, we will allow user
13618			 * data to be sent first and move to
13619			 * SHUTDOWN-PENDING
13620			 */
13621			if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
13622			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13623			    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13624				if ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc)) {
13625					SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT);
13626				}
13627				SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING);
13628				if (TAILQ_EMPTY(&asoc->send_queue) &&
13629				    TAILQ_EMPTY(&asoc->sent_queue) &&
13630				    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
13631					struct mbuf *op_err;
13632					char msg[SCTP_DIAG_INFO_LEN];
13633
13634			abort_anyway:
13635					if (free_cnt_applied) {
13636						atomic_subtract_int(&asoc->refcnt, 1);
13637						free_cnt_applied = false;
13638					}
13639					SCTP_SNPRINTF(msg, sizeof(msg),
13640					    "%s:%d at %s", __FILE__, __LINE__, __func__);
13641					op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
13642					    msg);
13643					NET_EPOCH_ENTER(et);
13644					sctp_abort_an_association(stcb->sctp_ep, stcb,
13645					    op_err, false, SCTP_SO_LOCKED);
13646					NET_EPOCH_EXIT(et);
13647					stcb = NULL;
13648					error = ECONNABORTED;
13649					goto out;
13650				}
13651				sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
13652			}
13653		}
13654	}
13655
13656skip_out_eof:
13657	KASSERT(stcb != NULL, ("stcb is NULL"));
13658	SCTP_TCB_LOCK_ASSERT(stcb);
13659	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13660	    ("Association about to be freed"));
13661	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13662	    ("Association was aborted"));
13663
13664	some_on_control = !TAILQ_EMPTY(&asoc->control_send_queue);
13665	if (queue_only_for_init) {
13666		if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
13667			/* a collision took us forward? */
13668			queue_only = 0;
13669		} else {
13670			NET_EPOCH_ENTER(et);
13671			sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13672			NET_EPOCH_EXIT(et);
13673			SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
13674			queue_only = 1;
13675		}
13676	}
13677
13678	KASSERT(stcb != NULL, ("stcb is NULL"));
13679	SCTP_TCB_LOCK_ASSERT(stcb);
13680	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13681	    ("Association about to be freed"));
13682	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13683	    ("Association was aborted"));
13684
13685	if ((net->flight_size > net->cwnd) &&
13686	    (asoc->sctp_cmt_on_off == 0)) {
13687		SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13688		queue_only = 1;
13689	} else if (asoc->ifp_had_enobuf) {
13690		SCTP_STAT_INCR(sctps_ifnomemqueued);
13691		if (net->flight_size > (2 * net->mtu)) {
13692			queue_only = 1;
13693		}
13694		asoc->ifp_had_enobuf = 0;
13695	}
13696	un_sent = asoc->total_output_queue_size - asoc->total_flight;
13697	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13698	    (asoc->total_flight > 0) &&
13699	    (asoc->stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13700	    (un_sent < (int)(asoc->smallest_mtu - SCTP_MIN_OVERHEAD))) {
13701		/*-
13702		 * Ok, Nagle is set on and we have data outstanding.
13703		 * Don't send anything and let SACKs drive out the
13704		 * data unless wen have a "full" segment to send.
13705		 */
13706		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13707			sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13708		}
13709		SCTP_STAT_INCR(sctps_naglequeued);
13710		nagle_applies = 1;
13711	} else {
13712		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13713			if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13714				sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13715		}
13716		SCTP_STAT_INCR(sctps_naglesent);
13717		nagle_applies = 0;
13718	}
13719	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13720		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13721		    nagle_applies, un_sent);
13722		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, asoc->total_output_queue_size,
13723		    asoc->total_flight,
13724		    asoc->chunks_on_out_queue, asoc->total_flight_count);
13725	}
13726
13727	KASSERT(stcb != NULL, ("stcb is NULL"));
13728	SCTP_TCB_LOCK_ASSERT(stcb);
13729	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13730	    ("Association about to be freed"));
13731	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13732	    ("Association was aborted"));
13733
13734	NET_EPOCH_ENTER(et);
13735	if ((queue_only == 0) && (nagle_applies == 0) && (asoc->peers_rwnd && un_sent)) {
13736		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13737	} else if ((queue_only == 0) &&
13738		    (asoc->peers_rwnd == 0) &&
13739	    (asoc->total_flight == 0)) {
13740		/* We get to have a probe outstanding */
13741		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13742	} else if (some_on_control) {
13743		int num_out, reason;
13744
13745		/* Here we do control only */
13746		(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out,
13747		    &reason, 1, 1, &now, &now_filled,
13748		    sctp_get_frag_point(stcb),
13749		    SCTP_SO_LOCKED);
13750	}
13751	NET_EPOCH_EXIT(et);
13752	SCTPDBG(SCTP_DEBUG_OUTPUT1, "USR Send complete qo:%d prw:%d unsent:%d tf:%d cooq:%d toqs:%d err:%d\n",
13753	    queue_only, asoc->peers_rwnd, un_sent,
13754	    asoc->total_flight, asoc->chunks_on_out_queue,
13755	    asoc->total_output_queue_size, error);
13756
13757	KASSERT(stcb != NULL, ("stcb is NULL"));
13758	SCTP_TCB_LOCK_ASSERT(stcb);
13759	KASSERT((asoc->state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0,
13760	    ("Association about to be freed"));
13761	KASSERT((asoc->state & SCTP_STATE_WAS_ABORTED) == 0,
13762	    ("Association was aborted"));
13763
13764out:
13765out_unlocked:
13766	if (create_lock_applied) {
13767		SCTP_ASOC_CREATE_UNLOCK(inp);
13768	}
13769	if (stcb != NULL) {
13770		if (local_soresv) {
13771			atomic_subtract_int(&asoc->sb_send_resv, (int)sndlen);
13772		}
13773		if (free_cnt_applied) {
13774			atomic_subtract_int(&asoc->refcnt, 1);
13775		}
13776		SCTP_TCB_UNLOCK(stcb);
13777	}
13778	if (top != NULL) {
13779		sctp_m_freem(top);
13780	}
13781	if (control != NULL) {
13782		sctp_m_freem(control);
13783	}
13784	SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, error);
13785	return (error);
13786}
13787
13788/*
13789 * generate an AUTHentication chunk, if required
13790 */
13791struct mbuf *
13792sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
13793    struct sctp_auth_chunk **auth_ret, uint32_t *offset,
13794    struct sctp_tcb *stcb, uint8_t chunk)
13795{
13796	struct mbuf *m_auth;
13797	struct sctp_auth_chunk *auth;
13798	int chunk_len;
13799	struct mbuf *cn;
13800
13801	if ((m_end == NULL) || (auth_ret == NULL) || (offset == NULL) ||
13802	    (stcb == NULL))
13803		return (m);
13804
13805	if (stcb->asoc.auth_supported == 0) {
13806		return (m);
13807	}
13808	/* does the requested chunk require auth? */
13809	if (!sctp_auth_is_required_chunk(chunk, stcb->asoc.peer_auth_chunks)) {
13810		return (m);
13811	}
13812	m_auth = sctp_get_mbuf_for_msg(sizeof(*auth), 0, M_NOWAIT, 1, MT_HEADER);
13813	if (m_auth == NULL) {
13814		/* no mbuf's */
13815		return (m);
13816	}
13817	/* reserve some space if this will be the first mbuf */
13818	if (m == NULL)
13819		SCTP_BUF_RESV_UF(m_auth, SCTP_MIN_OVERHEAD);
13820	/* fill in the AUTH chunk details */
13821	auth = mtod(m_auth, struct sctp_auth_chunk *);
13822	memset(auth, 0, sizeof(*auth));
13823	auth->ch.chunk_type = SCTP_AUTHENTICATION;
13824	auth->ch.chunk_flags = 0;
13825	chunk_len = sizeof(*auth) +
13826	    sctp_get_hmac_digest_len(stcb->asoc.peer_hmac_id);
13827	auth->ch.chunk_length = htons(chunk_len);
13828	auth->hmac_id = htons(stcb->asoc.peer_hmac_id);
13829	/* key id and hmac digest will be computed and filled in upon send */
13830
13831	/* save the offset where the auth was inserted into the chain */
13832	*offset = 0;
13833	for (cn = m; cn; cn = SCTP_BUF_NEXT(cn)) {
13834		*offset += SCTP_BUF_LEN(cn);
13835	}
13836
13837	/* update length and return pointer to the auth chunk */
13838	SCTP_BUF_LEN(m_auth) = chunk_len;
13839	m = sctp_copy_mbufchain(m_auth, m, m_end, 1, chunk_len, 0);
13840	if (auth_ret != NULL)
13841		*auth_ret = auth;
13842
13843	return (m);
13844}
13845
13846#ifdef INET6
13847int
13848sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t *ro)
13849{
13850	struct nd_prefix *pfx = NULL;
13851	struct nd_pfxrouter *pfxrtr = NULL;
13852	struct sockaddr_in6 gw6;
13853
13854	if (ro == NULL || ro->ro_nh == NULL || src6->sin6_family != AF_INET6)
13855		return (0);
13856
13857	/* get prefix entry of address */
13858	ND6_RLOCK();
13859	LIST_FOREACH(pfx, &MODULE_GLOBAL(nd_prefix), ndpr_entry) {
13860		if (pfx->ndpr_stateflags & NDPRF_DETACHED)
13861			continue;
13862		if (IN6_ARE_MASKED_ADDR_EQUAL(&pfx->ndpr_prefix.sin6_addr,
13863		    &src6->sin6_addr, &pfx->ndpr_mask))
13864			break;
13865	}
13866	/* no prefix entry in the prefix list */
13867	if (pfx == NULL) {
13868		ND6_RUNLOCK();
13869		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefix entry for ");
13870		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13871		return (0);
13872	}
13873
13874	SCTPDBG(SCTP_DEBUG_OUTPUT2, "v6src_match_nexthop(), Prefix entry is ");
13875	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13876
13877	/* search installed gateway from prefix entry */
13878	LIST_FOREACH(pfxrtr, &pfx->ndpr_advrtrs, pfr_entry) {
13879		memset(&gw6, 0, sizeof(struct sockaddr_in6));
13880		gw6.sin6_family = AF_INET6;
13881		gw6.sin6_len = sizeof(struct sockaddr_in6);
13882		memcpy(&gw6.sin6_addr, &pfxrtr->router->rtaddr,
13883		    sizeof(struct in6_addr));
13884		SCTPDBG(SCTP_DEBUG_OUTPUT2, "prefix router is ");
13885		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&gw6);
13886		SCTPDBG(SCTP_DEBUG_OUTPUT2, "installed router is ");
13887		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ro->ro_nh->gw_sa);
13888		if (sctp_cmpaddr((struct sockaddr *)&gw6, &ro->ro_nh->gw_sa)) {
13889			ND6_RUNLOCK();
13890			SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is installed\n");
13891			return (1);
13892		}
13893	}
13894	ND6_RUNLOCK();
13895	SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is not installed\n");
13896	return (0);
13897}
13898#endif
13899
13900int
13901sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t *ro)
13902{
13903#ifdef INET
13904	struct sockaddr_in *sin, *mask;
13905	struct ifaddr *ifa;
13906	struct in_addr srcnetaddr, gwnetaddr;
13907
13908	if (ro == NULL || ro->ro_nh == NULL ||
13909	    sifa->address.sa.sa_family != AF_INET) {
13910		return (0);
13911	}
13912	ifa = (struct ifaddr *)sifa->ifa;
13913	mask = (struct sockaddr_in *)(ifa->ifa_netmask);
13914	sin = &sifa->address.sin;
13915	srcnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13916	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: src address is ");
13917	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
13918	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", srcnetaddr.s_addr);
13919
13920	sin = &ro->ro_nh->gw4_sa;
13921	gwnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13922	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: nexthop is ");
13923	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ro->ro_nh->gw_sa);
13924	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", gwnetaddr.s_addr);
13925	if (srcnetaddr.s_addr == gwnetaddr.s_addr) {
13926		return (1);
13927	}
13928#endif
13929	return (0);
13930}
13931