1/*- 2 * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved. 3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved. 4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * a) Redistributions of source code must retain the above copyright notice, 10 * this list of conditions and the following disclaimer. 11 * 12 * b) Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the distribution. 15 * 16 * c) Neither the name of Cisco Systems, Inc. nor the names of its 17 * contributors may be used to endorse or promote products derived 18 * from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 30 * THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: stable/11/sys/netinet/sctp_indata.c 361473 2020-05-25 20:11:26Z tuexen $"); 35 36#include <netinet/sctp_os.h> 37#include <sys/proc.h> 38#include <netinet/sctp_var.h> 39#include <netinet/sctp_sysctl.h> 40#include <netinet/sctp_header.h> 41#include <netinet/sctp_pcb.h> 42#include <netinet/sctputil.h> 43#include <netinet/sctp_output.h> 44#include <netinet/sctp_uio.h> 45#include <netinet/sctp_auth.h> 46#include <netinet/sctp_timer.h> 47#include <netinet/sctp_asconf.h> 48#include <netinet/sctp_indata.h> 49#include <netinet/sctp_bsd_addr.h> 50#include <netinet/sctp_input.h> 51#include <netinet/sctp_crc32.h> 52#include <netinet/sctp_lock_bsd.h> 53/* 54 * NOTES: On the outbound side of things I need to check the sack timer to 55 * see if I should generate a sack into the chunk queue (if I have data to 56 * send that is and will be sending it .. for bundling. 57 * 58 * The callback in sctp_usrreq.c will get called when the socket is read from. 59 * This will cause sctp_service_queues() to get called on the top entry in 60 * the list. 61 */ 62static uint32_t 63sctp_add_chk_to_control(struct sctp_queued_to_read *control, 64 struct sctp_stream_in *strm, 65 struct sctp_tcb *stcb, 66 struct sctp_association *asoc, 67 struct sctp_tmit_chunk *chk, int lock_held); 68 69 70void 71sctp_set_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc) 72{ 73 asoc->my_rwnd = sctp_calc_rwnd(stcb, asoc); 74} 75 76/* Calculate what the rwnd would be */ 77uint32_t 78sctp_calc_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc) 79{ 80 uint32_t calc = 0; 81 82 /* 83 * This is really set wrong with respect to a 1-2-m socket. Since 84 * the sb_cc is the count that everyone as put up. When we re-write 85 * sctp_soreceive then we will fix this so that ONLY this 86 * associations data is taken into account. 87 */ 88 if (stcb->sctp_socket == NULL) { 89 return (calc); 90 } 91 92 KASSERT(asoc->cnt_on_reasm_queue > 0 || asoc->size_on_reasm_queue == 0, 93 ("size_on_reasm_queue is %u", asoc->size_on_reasm_queue)); 94 KASSERT(asoc->cnt_on_all_streams > 0 || asoc->size_on_all_streams == 0, 95 ("size_on_all_streams is %u", asoc->size_on_all_streams)); 96 if (stcb->asoc.sb_cc == 0 && 97 asoc->cnt_on_reasm_queue == 0 && 98 asoc->cnt_on_all_streams == 0) { 99 /* Full rwnd granted */ 100 calc = max(SCTP_SB_LIMIT_RCV(stcb->sctp_socket), SCTP_MINIMAL_RWND); 101 return (calc); 102 } 103 /* get actual space */ 104 calc = (uint32_t)sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv); 105 /* 106 * take out what has NOT been put on socket queue and we yet hold 107 * for putting up. 108 */ 109 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_reasm_queue + 110 asoc->cnt_on_reasm_queue * MSIZE)); 111 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_all_streams + 112 asoc->cnt_on_all_streams * MSIZE)); 113 if (calc == 0) { 114 /* out of space */ 115 return (calc); 116 } 117 118 /* what is the overhead of all these rwnd's */ 119 calc = sctp_sbspace_sub(calc, stcb->asoc.my_rwnd_control_len); 120 /* 121 * If the window gets too small due to ctrl-stuff, reduce it to 1, 122 * even it is 0. SWS engaged 123 */ 124 if (calc < stcb->asoc.my_rwnd_control_len) { 125 calc = 1; 126 } 127 return (calc); 128} 129 130 131 132/* 133 * Build out our readq entry based on the incoming packet. 134 */ 135struct sctp_queued_to_read * 136sctp_build_readq_entry(struct sctp_tcb *stcb, 137 struct sctp_nets *net, 138 uint32_t tsn, uint32_t ppid, 139 uint32_t context, uint16_t sid, 140 uint32_t mid, uint8_t flags, 141 struct mbuf *dm) 142{ 143 struct sctp_queued_to_read *read_queue_e = NULL; 144 145 sctp_alloc_a_readq(stcb, read_queue_e); 146 if (read_queue_e == NULL) { 147 goto failed_build; 148 } 149 memset(read_queue_e, 0, sizeof(struct sctp_queued_to_read)); 150 read_queue_e->sinfo_stream = sid; 151 read_queue_e->sinfo_flags = (flags << 8); 152 read_queue_e->sinfo_ppid = ppid; 153 read_queue_e->sinfo_context = context; 154 read_queue_e->sinfo_tsn = tsn; 155 read_queue_e->sinfo_cumtsn = tsn; 156 read_queue_e->sinfo_assoc_id = sctp_get_associd(stcb); 157 read_queue_e->mid = mid; 158 read_queue_e->top_fsn = read_queue_e->fsn_included = 0xffffffff; 159 TAILQ_INIT(&read_queue_e->reasm); 160 read_queue_e->whoFrom = net; 161 atomic_add_int(&net->ref_count, 1); 162 read_queue_e->data = dm; 163 read_queue_e->stcb = stcb; 164 read_queue_e->port_from = stcb->rport; 165 if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { 166 read_queue_e->do_not_ref_stcb = 1; 167 } 168failed_build: 169 return (read_queue_e); 170} 171 172struct mbuf * 173sctp_build_ctl_nchunk(struct sctp_inpcb *inp, struct sctp_sndrcvinfo *sinfo) 174{ 175 struct sctp_extrcvinfo *seinfo; 176 struct sctp_sndrcvinfo *outinfo; 177 struct sctp_rcvinfo *rcvinfo; 178 struct sctp_nxtinfo *nxtinfo; 179 struct cmsghdr *cmh; 180 struct mbuf *ret; 181 int len; 182 int use_extended; 183 int provide_nxt; 184 185 if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT) && 186 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVRCVINFO) && 187 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVNXTINFO)) { 188 /* user does not want any ancillary data */ 189 return (NULL); 190 } 191 192 len = 0; 193 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { 194 len += CMSG_SPACE(sizeof(struct sctp_rcvinfo)); 195 } 196 seinfo = (struct sctp_extrcvinfo *)sinfo; 197 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO) && 198 (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_AVAIL)) { 199 provide_nxt = 1; 200 len += CMSG_SPACE(sizeof(struct sctp_nxtinfo)); 201 } else { 202 provide_nxt = 0; 203 } 204 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) { 205 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXT_RCVINFO)) { 206 use_extended = 1; 207 len += CMSG_SPACE(sizeof(struct sctp_extrcvinfo)); 208 } else { 209 use_extended = 0; 210 len += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo)); 211 } 212 } else { 213 use_extended = 0; 214 } 215 216 ret = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA); 217 if (ret == NULL) { 218 /* No space */ 219 return (ret); 220 } 221 SCTP_BUF_LEN(ret) = 0; 222 223 /* We need a CMSG header followed by the struct */ 224 cmh = mtod(ret, struct cmsghdr *); 225 /* 226 * Make sure that there is no un-initialized padding between the 227 * cmsg header and cmsg data and after the cmsg data. 228 */ 229 memset(cmh, 0, len); 230 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { 231 cmh->cmsg_level = IPPROTO_SCTP; 232 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); 233 cmh->cmsg_type = SCTP_RCVINFO; 234 rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmh); 235 rcvinfo->rcv_sid = sinfo->sinfo_stream; 236 rcvinfo->rcv_ssn = sinfo->sinfo_ssn; 237 rcvinfo->rcv_flags = sinfo->sinfo_flags; 238 rcvinfo->rcv_ppid = sinfo->sinfo_ppid; 239 rcvinfo->rcv_tsn = sinfo->sinfo_tsn; 240 rcvinfo->rcv_cumtsn = sinfo->sinfo_cumtsn; 241 rcvinfo->rcv_context = sinfo->sinfo_context; 242 rcvinfo->rcv_assoc_id = sinfo->sinfo_assoc_id; 243 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo))); 244 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_rcvinfo)); 245 } 246 if (provide_nxt) { 247 cmh->cmsg_level = IPPROTO_SCTP; 248 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_nxtinfo)); 249 cmh->cmsg_type = SCTP_NXTINFO; 250 nxtinfo = (struct sctp_nxtinfo *)CMSG_DATA(cmh); 251 nxtinfo->nxt_sid = seinfo->serinfo_next_stream; 252 nxtinfo->nxt_flags = 0; 253 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_UNORDERED) { 254 nxtinfo->nxt_flags |= SCTP_UNORDERED; 255 } 256 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_NOTIFICATION) { 257 nxtinfo->nxt_flags |= SCTP_NOTIFICATION; 258 } 259 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_ISCOMPLETE) { 260 nxtinfo->nxt_flags |= SCTP_COMPLETE; 261 } 262 nxtinfo->nxt_ppid = seinfo->serinfo_next_ppid; 263 nxtinfo->nxt_length = seinfo->serinfo_next_length; 264 nxtinfo->nxt_assoc_id = seinfo->serinfo_next_aid; 265 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo))); 266 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_nxtinfo)); 267 } 268 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) { 269 cmh->cmsg_level = IPPROTO_SCTP; 270 outinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmh); 271 if (use_extended) { 272 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_extrcvinfo)); 273 cmh->cmsg_type = SCTP_EXTRCV; 274 memcpy(outinfo, sinfo, sizeof(struct sctp_extrcvinfo)); 275 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_extrcvinfo)); 276 } else { 277 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo)); 278 cmh->cmsg_type = SCTP_SNDRCV; 279 *outinfo = *sinfo; 280 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo)); 281 } 282 } 283 return (ret); 284} 285 286 287static void 288sctp_mark_non_revokable(struct sctp_association *asoc, uint32_t tsn) 289{ 290 uint32_t gap, i, cumackp1; 291 int fnd = 0; 292 int in_r = 0, in_nr = 0; 293 294 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) { 295 return; 296 } 297 cumackp1 = asoc->cumulative_tsn + 1; 298 if (SCTP_TSN_GT(cumackp1, tsn)) { 299 /* 300 * this tsn is behind the cum ack and thus we don't need to 301 * worry about it being moved from one to the other. 302 */ 303 return; 304 } 305 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn); 306 in_r = SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap); 307 in_nr = SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap); 308 if ((in_r == 0) && (in_nr == 0)) { 309#ifdef INVARIANTS 310 panic("Things are really messed up now"); 311#else 312 SCTP_PRINTF("gap:%x tsn:%x\n", gap, tsn); 313 sctp_print_mapping_array(asoc); 314#endif 315 } 316 if (in_nr == 0) 317 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 318 if (in_r) 319 SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap); 320 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 321 asoc->highest_tsn_inside_nr_map = tsn; 322 } 323 if (tsn == asoc->highest_tsn_inside_map) { 324 /* We must back down to see what the new highest is */ 325 for (i = tsn - 1; SCTP_TSN_GE(i, asoc->mapping_array_base_tsn); i--) { 326 SCTP_CALC_TSN_TO_GAP(gap, i, asoc->mapping_array_base_tsn); 327 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) { 328 asoc->highest_tsn_inside_map = i; 329 fnd = 1; 330 break; 331 } 332 } 333 if (!fnd) { 334 asoc->highest_tsn_inside_map = asoc->mapping_array_base_tsn - 1; 335 } 336 } 337} 338 339static int 340sctp_place_control_in_stream(struct sctp_stream_in *strm, 341 struct sctp_association *asoc, 342 struct sctp_queued_to_read *control) 343{ 344 struct sctp_queued_to_read *at; 345 struct sctp_readhead *q; 346 uint8_t flags, unordered; 347 348 flags = (control->sinfo_flags >> 8); 349 unordered = flags & SCTP_DATA_UNORDERED; 350 if (unordered) { 351 q = &strm->uno_inqueue; 352 if (asoc->idata_supported == 0) { 353 if (!TAILQ_EMPTY(q)) { 354 /* 355 * Only one stream can be here in old style 356 * -- abort 357 */ 358 return (-1); 359 } 360 TAILQ_INSERT_TAIL(q, control, next_instrm); 361 control->on_strm_q = SCTP_ON_UNORDERED; 362 return (0); 363 } 364 } else { 365 q = &strm->inqueue; 366 } 367 if ((flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 368 control->end_added = 1; 369 control->first_frag_seen = 1; 370 control->last_frag_seen = 1; 371 } 372 if (TAILQ_EMPTY(q)) { 373 /* Empty queue */ 374 TAILQ_INSERT_HEAD(q, control, next_instrm); 375 if (unordered) { 376 control->on_strm_q = SCTP_ON_UNORDERED; 377 } else { 378 control->on_strm_q = SCTP_ON_ORDERED; 379 } 380 return (0); 381 } else { 382 TAILQ_FOREACH(at, q, next_instrm) { 383 if (SCTP_MID_GT(asoc->idata_supported, at->mid, control->mid)) { 384 /* 385 * one in queue is bigger than the new one, 386 * insert before this one 387 */ 388 TAILQ_INSERT_BEFORE(at, control, next_instrm); 389 if (unordered) { 390 control->on_strm_q = SCTP_ON_UNORDERED; 391 } else { 392 control->on_strm_q = SCTP_ON_ORDERED; 393 } 394 break; 395 } else if (SCTP_MID_EQ(asoc->idata_supported, at->mid, control->mid)) { 396 /* 397 * Gak, He sent me a duplicate msg id 398 * number?? return -1 to abort. 399 */ 400 return (-1); 401 } else { 402 if (TAILQ_NEXT(at, next_instrm) == NULL) { 403 /* 404 * We are at the end, insert it 405 * after this one 406 */ 407 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 408 sctp_log_strm_del(control, at, 409 SCTP_STR_LOG_FROM_INSERT_TL); 410 } 411 TAILQ_INSERT_AFTER(q, at, control, next_instrm); 412 if (unordered) { 413 control->on_strm_q = SCTP_ON_UNORDERED; 414 } else { 415 control->on_strm_q = SCTP_ON_ORDERED; 416 } 417 break; 418 } 419 } 420 } 421 } 422 return (0); 423} 424 425static void 426sctp_abort_in_reasm(struct sctp_tcb *stcb, 427 struct sctp_queued_to_read *control, 428 struct sctp_tmit_chunk *chk, 429 int *abort_flag, int opspot) 430{ 431 char msg[SCTP_DIAG_INFO_LEN]; 432 struct mbuf *oper; 433 434 if (stcb->asoc.idata_supported) { 435 snprintf(msg, sizeof(msg), 436 "Reass %x,CF:%x,TSN=%8.8x,SID=%4.4x,FSN=%8.8x,MID:%8.8x", 437 opspot, 438 control->fsn_included, 439 chk->rec.data.tsn, 440 chk->rec.data.sid, 441 chk->rec.data.fsn, chk->rec.data.mid); 442 } else { 443 snprintf(msg, sizeof(msg), 444 "Reass %x,CI:%x,TSN=%8.8x,SID=%4.4x,FSN=%4.4x,SSN:%4.4x", 445 opspot, 446 control->fsn_included, 447 chk->rec.data.tsn, 448 chk->rec.data.sid, 449 chk->rec.data.fsn, 450 (uint16_t)chk->rec.data.mid); 451 } 452 oper = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 453 sctp_m_freem(chk->data); 454 chk->data = NULL; 455 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 456 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_1; 457 sctp_abort_an_association(stcb->sctp_ep, stcb, oper, SCTP_SO_NOT_LOCKED); 458 *abort_flag = 1; 459} 460 461static void 462sctp_clean_up_control(struct sctp_tcb *stcb, struct sctp_queued_to_read *control) 463{ 464 /* 465 * The control could not be placed and must be cleaned. 466 */ 467 struct sctp_tmit_chunk *chk, *nchk; 468 469 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) { 470 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 471 if (chk->data) 472 sctp_m_freem(chk->data); 473 chk->data = NULL; 474 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 475 } 476 sctp_free_remote_addr(control->whoFrom); 477 if (control->data) { 478 sctp_m_freem(control->data); 479 control->data = NULL; 480 } 481 sctp_free_a_readq(stcb, control); 482} 483 484/* 485 * Queue the chunk either right into the socket buffer if it is the next one 486 * to go OR put it in the correct place in the delivery queue. If we do 487 * append to the so_buf, keep doing so until we are out of order as 488 * long as the control's entered are non-fragmented. 489 */ 490static void 491sctp_queue_data_to_stream(struct sctp_tcb *stcb, 492 struct sctp_association *asoc, 493 struct sctp_queued_to_read *control, int *abort_flag, int *need_reasm) 494{ 495 /* 496 * FIX-ME maybe? What happens when the ssn wraps? If we are getting 497 * all the data in one stream this could happen quite rapidly. One 498 * could use the TSN to keep track of things, but this scheme breaks 499 * down in the other type of stream usage that could occur. Send a 500 * single msg to stream 0, send 4Billion messages to stream 1, now 501 * send a message to stream 0. You have a situation where the TSN 502 * has wrapped but not in the stream. Is this worth worrying about 503 * or should we just change our queue sort at the bottom to be by 504 * TSN. 505 * 506 * Could it also be legal for a peer to send ssn 1 with TSN 2 and 507 * ssn 2 with TSN 1? If the peer is doing some sort of funky TSN/SSN 508 * assignment this could happen... and I don't see how this would be 509 * a violation. So for now I am undecided an will leave the sort by 510 * SSN alone. Maybe a hybred approach is the answer 511 * 512 */ 513 struct sctp_queued_to_read *at; 514 int queue_needed; 515 uint32_t nxt_todel; 516 struct mbuf *op_err; 517 struct sctp_stream_in *strm; 518 char msg[SCTP_DIAG_INFO_LEN]; 519 520 strm = &asoc->strmin[control->sinfo_stream]; 521 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 522 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_INTO_STRD); 523 } 524 if (SCTP_MID_GT((asoc->idata_supported), strm->last_mid_delivered, control->mid)) { 525 /* The incoming sseq is behind where we last delivered? */ 526 SCTPDBG(SCTP_DEBUG_INDATA1, "Duplicate S-SEQ: %u delivered: %u from peer, Abort association\n", 527 strm->last_mid_delivered, control->mid); 528 /* 529 * throw it in the stream so it gets cleaned up in 530 * association destruction 531 */ 532 TAILQ_INSERT_HEAD(&strm->inqueue, control, next_instrm); 533 if (asoc->idata_supported) { 534 snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x", 535 strm->last_mid_delivered, control->sinfo_tsn, 536 control->sinfo_stream, control->mid); 537 } else { 538 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x", 539 (uint16_t)strm->last_mid_delivered, 540 control->sinfo_tsn, 541 control->sinfo_stream, 542 (uint16_t)control->mid); 543 } 544 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 545 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_2; 546 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 547 *abort_flag = 1; 548 return; 549 550 } 551 queue_needed = 1; 552 asoc->size_on_all_streams += control->length; 553 sctp_ucount_incr(asoc->cnt_on_all_streams); 554 nxt_todel = strm->last_mid_delivered + 1; 555 if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) { 556#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 557 struct socket *so; 558 559 so = SCTP_INP_SO(stcb->sctp_ep); 560 atomic_add_int(&stcb->asoc.refcnt, 1); 561 SCTP_TCB_UNLOCK(stcb); 562 SCTP_SOCKET_LOCK(so, 1); 563 SCTP_TCB_LOCK(stcb); 564 atomic_subtract_int(&stcb->asoc.refcnt, 1); 565 if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 566 SCTP_SOCKET_UNLOCK(so, 1); 567 return; 568 } 569#endif 570 /* can be delivered right away? */ 571 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 572 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_IMMED_DEL); 573 } 574 /* EY it wont be queued if it could be delivered directly */ 575 queue_needed = 0; 576 if (asoc->size_on_all_streams >= control->length) { 577 asoc->size_on_all_streams -= control->length; 578 } else { 579#ifdef INVARIANTS 580 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 581#else 582 asoc->size_on_all_streams = 0; 583#endif 584 } 585 sctp_ucount_decr(asoc->cnt_on_all_streams); 586 strm->last_mid_delivered++; 587 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 588 sctp_add_to_readq(stcb->sctp_ep, stcb, 589 control, 590 &stcb->sctp_socket->so_rcv, 1, 591 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_LOCKED); 592 TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, at) { 593 /* all delivered */ 594 nxt_todel = strm->last_mid_delivered + 1; 595 if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid) && 596 (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG)) { 597 if (control->on_strm_q == SCTP_ON_ORDERED) { 598 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 599 if (asoc->size_on_all_streams >= control->length) { 600 asoc->size_on_all_streams -= control->length; 601 } else { 602#ifdef INVARIANTS 603 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 604#else 605 asoc->size_on_all_streams = 0; 606#endif 607 } 608 sctp_ucount_decr(asoc->cnt_on_all_streams); 609#ifdef INVARIANTS 610 } else { 611 panic("Huh control: %p is on_strm_q: %d", 612 control, control->on_strm_q); 613#endif 614 } 615 control->on_strm_q = 0; 616 strm->last_mid_delivered++; 617 /* 618 * We ignore the return of deliver_data here 619 * since we always can hold the chunk on the 620 * d-queue. And we have a finite number that 621 * can be delivered from the strq. 622 */ 623 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 624 sctp_log_strm_del(control, NULL, 625 SCTP_STR_LOG_FROM_IMMED_DEL); 626 } 627 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 628 sctp_add_to_readq(stcb->sctp_ep, stcb, 629 control, 630 &stcb->sctp_socket->so_rcv, 1, 631 SCTP_READ_LOCK_NOT_HELD, 632 SCTP_SO_LOCKED); 633 continue; 634 } else if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) { 635 *need_reasm = 1; 636 } 637 break; 638 } 639#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 640 SCTP_SOCKET_UNLOCK(so, 1); 641#endif 642 } 643 if (queue_needed) { 644 /* 645 * Ok, we did not deliver this guy, find the correct place 646 * to put it on the queue. 647 */ 648 if (sctp_place_control_in_stream(strm, asoc, control)) { 649 snprintf(msg, sizeof(msg), 650 "Queue to str MID: %u duplicate", 651 control->mid); 652 sctp_clean_up_control(stcb, control); 653 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 654 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_3; 655 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 656 *abort_flag = 1; 657 } 658 } 659} 660 661 662static void 663sctp_setup_tail_pointer(struct sctp_queued_to_read *control) 664{ 665 struct mbuf *m, *prev = NULL; 666 struct sctp_tcb *stcb; 667 668 stcb = control->stcb; 669 control->held_length = 0; 670 control->length = 0; 671 m = control->data; 672 while (m) { 673 if (SCTP_BUF_LEN(m) == 0) { 674 /* Skip mbufs with NO length */ 675 if (prev == NULL) { 676 /* First one */ 677 control->data = sctp_m_free(m); 678 m = control->data; 679 } else { 680 SCTP_BUF_NEXT(prev) = sctp_m_free(m); 681 m = SCTP_BUF_NEXT(prev); 682 } 683 if (m == NULL) { 684 control->tail_mbuf = prev; 685 } 686 continue; 687 } 688 prev = m; 689 atomic_add_int(&control->length, SCTP_BUF_LEN(m)); 690 if (control->on_read_q) { 691 /* 692 * On read queue so we must increment the SB stuff, 693 * we assume caller has done any locks of SB. 694 */ 695 sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m); 696 } 697 m = SCTP_BUF_NEXT(m); 698 } 699 if (prev) { 700 control->tail_mbuf = prev; 701 } 702} 703 704static void 705sctp_add_to_tail_pointer(struct sctp_queued_to_read *control, struct mbuf *m, uint32_t *added) 706{ 707 struct mbuf *prev = NULL; 708 struct sctp_tcb *stcb; 709 710 stcb = control->stcb; 711 if (stcb == NULL) { 712#ifdef INVARIANTS 713 panic("Control broken"); 714#else 715 return; 716#endif 717 } 718 if (control->tail_mbuf == NULL) { 719 /* TSNH */ 720 sctp_m_freem(control->data); 721 control->data = m; 722 sctp_setup_tail_pointer(control); 723 return; 724 } 725 control->tail_mbuf->m_next = m; 726 while (m) { 727 if (SCTP_BUF_LEN(m) == 0) { 728 /* Skip mbufs with NO length */ 729 if (prev == NULL) { 730 /* First one */ 731 control->tail_mbuf->m_next = sctp_m_free(m); 732 m = control->tail_mbuf->m_next; 733 } else { 734 SCTP_BUF_NEXT(prev) = sctp_m_free(m); 735 m = SCTP_BUF_NEXT(prev); 736 } 737 if (m == NULL) { 738 control->tail_mbuf = prev; 739 } 740 continue; 741 } 742 prev = m; 743 if (control->on_read_q) { 744 /* 745 * On read queue so we must increment the SB stuff, 746 * we assume caller has done any locks of SB. 747 */ 748 sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m); 749 } 750 *added += SCTP_BUF_LEN(m); 751 atomic_add_int(&control->length, SCTP_BUF_LEN(m)); 752 m = SCTP_BUF_NEXT(m); 753 } 754 if (prev) { 755 control->tail_mbuf = prev; 756 } 757} 758 759static void 760sctp_build_readq_entry_from_ctl(struct sctp_queued_to_read *nc, struct sctp_queued_to_read *control) 761{ 762 memset(nc, 0, sizeof(struct sctp_queued_to_read)); 763 nc->sinfo_stream = control->sinfo_stream; 764 nc->mid = control->mid; 765 TAILQ_INIT(&nc->reasm); 766 nc->top_fsn = control->top_fsn; 767 nc->mid = control->mid; 768 nc->sinfo_flags = control->sinfo_flags; 769 nc->sinfo_ppid = control->sinfo_ppid; 770 nc->sinfo_context = control->sinfo_context; 771 nc->fsn_included = 0xffffffff; 772 nc->sinfo_tsn = control->sinfo_tsn; 773 nc->sinfo_cumtsn = control->sinfo_cumtsn; 774 nc->sinfo_assoc_id = control->sinfo_assoc_id; 775 nc->whoFrom = control->whoFrom; 776 atomic_add_int(&nc->whoFrom->ref_count, 1); 777 nc->stcb = control->stcb; 778 nc->port_from = control->port_from; 779 nc->do_not_ref_stcb = control->do_not_ref_stcb; 780} 781 782static void 783sctp_reset_a_control(struct sctp_queued_to_read *control, 784 struct sctp_inpcb *inp, uint32_t tsn) 785{ 786 control->fsn_included = tsn; 787 if (control->on_read_q) { 788 /* 789 * We have to purge it from there, hopefully this will work 790 * :-) 791 */ 792 TAILQ_REMOVE(&inp->read_queue, control, next); 793 control->on_read_q = 0; 794 } 795} 796 797static int 798sctp_handle_old_unordered_data(struct sctp_tcb *stcb, 799 struct sctp_association *asoc, 800 struct sctp_stream_in *strm, 801 struct sctp_queued_to_read *control, 802 uint32_t pd_point, 803 int inp_read_lock_held) 804{ 805 /* 806 * Special handling for the old un-ordered data chunk. All the 807 * chunks/TSN's go to mid 0. So we have to do the old style watching 808 * to see if we have it all. If you return one, no other control 809 * entries on the un-ordered queue will be looked at. In theory 810 * there should be no others entries in reality, unless the guy is 811 * sending both unordered NDATA and unordered DATA... 812 */ 813 struct sctp_tmit_chunk *chk, *lchk, *tchk; 814 uint32_t fsn; 815 struct sctp_queued_to_read *nc; 816 int cnt_added; 817 818 if (control->first_frag_seen == 0) { 819 /* Nothing we can do, we have not seen the first piece yet */ 820 return (1); 821 } 822 /* Collapse any we can */ 823 cnt_added = 0; 824restart: 825 fsn = control->fsn_included + 1; 826 /* Now what can we add? */ 827 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, lchk) { 828 if (chk->rec.data.fsn == fsn) { 829 /* Ok lets add it */ 830 sctp_alloc_a_readq(stcb, nc); 831 if (nc == NULL) { 832 break; 833 } 834 memset(nc, 0, sizeof(struct sctp_queued_to_read)); 835 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 836 sctp_add_chk_to_control(control, strm, stcb, asoc, chk, SCTP_READ_LOCK_NOT_HELD); 837 fsn++; 838 cnt_added++; 839 chk = NULL; 840 if (control->end_added) { 841 /* We are done */ 842 if (!TAILQ_EMPTY(&control->reasm)) { 843 /* 844 * Ok we have to move anything left 845 * on the control queue to a new 846 * control. 847 */ 848 sctp_build_readq_entry_from_ctl(nc, control); 849 tchk = TAILQ_FIRST(&control->reasm); 850 if (tchk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 851 TAILQ_REMOVE(&control->reasm, tchk, sctp_next); 852 if (asoc->size_on_reasm_queue >= tchk->send_size) { 853 asoc->size_on_reasm_queue -= tchk->send_size; 854 } else { 855#ifdef INVARIANTS 856 panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, tchk->send_size); 857#else 858 asoc->size_on_reasm_queue = 0; 859#endif 860 } 861 sctp_ucount_decr(asoc->cnt_on_reasm_queue); 862 nc->first_frag_seen = 1; 863 nc->fsn_included = tchk->rec.data.fsn; 864 nc->data = tchk->data; 865 nc->sinfo_ppid = tchk->rec.data.ppid; 866 nc->sinfo_tsn = tchk->rec.data.tsn; 867 sctp_mark_non_revokable(asoc, tchk->rec.data.tsn); 868 tchk->data = NULL; 869 sctp_free_a_chunk(stcb, tchk, SCTP_SO_NOT_LOCKED); 870 sctp_setup_tail_pointer(nc); 871 tchk = TAILQ_FIRST(&control->reasm); 872 } 873 /* Spin the rest onto the queue */ 874 while (tchk) { 875 TAILQ_REMOVE(&control->reasm, tchk, sctp_next); 876 TAILQ_INSERT_TAIL(&nc->reasm, tchk, sctp_next); 877 tchk = TAILQ_FIRST(&control->reasm); 878 } 879 /* 880 * Now lets add it to the queue 881 * after removing control 882 */ 883 TAILQ_INSERT_TAIL(&strm->uno_inqueue, nc, next_instrm); 884 nc->on_strm_q = SCTP_ON_UNORDERED; 885 if (control->on_strm_q) { 886 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 887 control->on_strm_q = 0; 888 } 889 } 890 if (control->pdapi_started) { 891 strm->pd_api_started = 0; 892 control->pdapi_started = 0; 893 } 894 if (control->on_strm_q) { 895 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 896 control->on_strm_q = 0; 897 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 898 } 899 if (control->on_read_q == 0) { 900 sctp_add_to_readq(stcb->sctp_ep, stcb, control, 901 &stcb->sctp_socket->so_rcv, control->end_added, 902 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 903 } 904 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 905 if ((nc->first_frag_seen) && !TAILQ_EMPTY(&nc->reasm)) { 906 /* 907 * Switch to the new guy and 908 * continue 909 */ 910 control = nc; 911 goto restart; 912 } else { 913 if (nc->on_strm_q == 0) { 914 sctp_free_a_readq(stcb, nc); 915 } 916 } 917 return (1); 918 } else { 919 sctp_free_a_readq(stcb, nc); 920 } 921 } else { 922 /* Can't add more */ 923 break; 924 } 925 } 926 if (cnt_added && strm->pd_api_started) { 927 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 928 } 929 if ((control->length > pd_point) && (strm->pd_api_started == 0)) { 930 strm->pd_api_started = 1; 931 control->pdapi_started = 1; 932 sctp_add_to_readq(stcb->sctp_ep, stcb, control, 933 &stcb->sctp_socket->so_rcv, control->end_added, 934 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 935 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 936 return (0); 937 } else { 938 return (1); 939 } 940} 941 942static void 943sctp_inject_old_unordered_data(struct sctp_tcb *stcb, 944 struct sctp_association *asoc, 945 struct sctp_queued_to_read *control, 946 struct sctp_tmit_chunk *chk, 947 int *abort_flag) 948{ 949 struct sctp_tmit_chunk *at; 950 int inserted; 951 952 /* 953 * Here we need to place the chunk into the control structure sorted 954 * in the correct order. 955 */ 956 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 957 /* Its the very first one. */ 958 SCTPDBG(SCTP_DEBUG_XXX, 959 "chunk is a first fsn: %u becomes fsn_included\n", 960 chk->rec.data.fsn); 961 at = TAILQ_FIRST(&control->reasm); 962 if (at && SCTP_TSN_GT(chk->rec.data.fsn, at->rec.data.fsn)) { 963 /* 964 * The first chunk in the reassembly is a smaller 965 * TSN than this one, even though this has a first, 966 * it must be from a subsequent msg. 967 */ 968 goto place_chunk; 969 } 970 if (control->first_frag_seen) { 971 /* 972 * In old un-ordered we can reassembly on one 973 * control multiple messages. As long as the next 974 * FIRST is greater then the old first (TSN i.e. FSN 975 * wise) 976 */ 977 struct mbuf *tdata; 978 uint32_t tmp; 979 980 if (SCTP_TSN_GT(chk->rec.data.fsn, control->fsn_included)) { 981 /* 982 * Easy way the start of a new guy beyond 983 * the lowest 984 */ 985 goto place_chunk; 986 } 987 if ((chk->rec.data.fsn == control->fsn_included) || 988 (control->pdapi_started)) { 989 /* 990 * Ok this should not happen, if it does we 991 * started the pd-api on the higher TSN 992 * (since the equals part is a TSN failure 993 * it must be that). 994 * 995 * We are completly hosed in that case since 996 * I have no way to recover. This really 997 * will only happen if we can get more TSN's 998 * higher before the pd-api-point. 999 */ 1000 sctp_abort_in_reasm(stcb, control, chk, 1001 abort_flag, 1002 SCTP_FROM_SCTP_INDATA + SCTP_LOC_4); 1003 1004 return; 1005 } 1006 /* 1007 * Ok we have two firsts and the one we just got is 1008 * smaller than the one we previously placed.. yuck! 1009 * We must swap them out. 1010 */ 1011 /* swap the mbufs */ 1012 tdata = control->data; 1013 control->data = chk->data; 1014 chk->data = tdata; 1015 /* Save the lengths */ 1016 chk->send_size = control->length; 1017 /* Recompute length of control and tail pointer */ 1018 sctp_setup_tail_pointer(control); 1019 /* Fix the FSN included */ 1020 tmp = control->fsn_included; 1021 control->fsn_included = chk->rec.data.fsn; 1022 chk->rec.data.fsn = tmp; 1023 /* Fix the TSN included */ 1024 tmp = control->sinfo_tsn; 1025 control->sinfo_tsn = chk->rec.data.tsn; 1026 chk->rec.data.tsn = tmp; 1027 /* Fix the PPID included */ 1028 tmp = control->sinfo_ppid; 1029 control->sinfo_ppid = chk->rec.data.ppid; 1030 chk->rec.data.ppid = tmp; 1031 /* Fix tail pointer */ 1032 goto place_chunk; 1033 } 1034 control->first_frag_seen = 1; 1035 control->fsn_included = chk->rec.data.fsn; 1036 control->top_fsn = chk->rec.data.fsn; 1037 control->sinfo_tsn = chk->rec.data.tsn; 1038 control->sinfo_ppid = chk->rec.data.ppid; 1039 control->data = chk->data; 1040 sctp_mark_non_revokable(asoc, chk->rec.data.tsn); 1041 chk->data = NULL; 1042 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 1043 sctp_setup_tail_pointer(control); 1044 return; 1045 } 1046place_chunk: 1047 inserted = 0; 1048 TAILQ_FOREACH(at, &control->reasm, sctp_next) { 1049 if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) { 1050 /* 1051 * This one in queue is bigger than the new one, 1052 * insert the new one before at. 1053 */ 1054 asoc->size_on_reasm_queue += chk->send_size; 1055 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1056 inserted = 1; 1057 TAILQ_INSERT_BEFORE(at, chk, sctp_next); 1058 break; 1059 } else if (at->rec.data.fsn == chk->rec.data.fsn) { 1060 /* 1061 * They sent a duplicate fsn number. This really 1062 * should not happen since the FSN is a TSN and it 1063 * should have been dropped earlier. 1064 */ 1065 sctp_abort_in_reasm(stcb, control, chk, 1066 abort_flag, 1067 SCTP_FROM_SCTP_INDATA + SCTP_LOC_5); 1068 return; 1069 } 1070 1071 } 1072 if (inserted == 0) { 1073 /* Its at the end */ 1074 asoc->size_on_reasm_queue += chk->send_size; 1075 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1076 control->top_fsn = chk->rec.data.fsn; 1077 TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next); 1078 } 1079} 1080 1081static int 1082sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct sctp_association *asoc, 1083 struct sctp_stream_in *strm, int inp_read_lock_held) 1084{ 1085 /* 1086 * Given a stream, strm, see if any of the SSN's on it that are 1087 * fragmented are ready to deliver. If so go ahead and place them on 1088 * the read queue. In so placing if we have hit the end, then we 1089 * need to remove them from the stream's queue. 1090 */ 1091 struct sctp_queued_to_read *control, *nctl = NULL; 1092 uint32_t next_to_del; 1093 uint32_t pd_point; 1094 int ret = 0; 1095 1096 if (stcb->sctp_socket) { 1097 pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT, 1098 stcb->sctp_ep->partial_delivery_point); 1099 } else { 1100 pd_point = stcb->sctp_ep->partial_delivery_point; 1101 } 1102 control = TAILQ_FIRST(&strm->uno_inqueue); 1103 1104 if ((control != NULL) && 1105 (asoc->idata_supported == 0)) { 1106 /* Special handling needed for "old" data format */ 1107 if (sctp_handle_old_unordered_data(stcb, asoc, strm, control, pd_point, inp_read_lock_held)) { 1108 goto done_un; 1109 } 1110 } 1111 if (strm->pd_api_started) { 1112 /* Can't add more */ 1113 return (0); 1114 } 1115 while (control) { 1116 SCTPDBG(SCTP_DEBUG_XXX, "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u -uo\n", 1117 control, control->end_added, control->mid, control->top_fsn, control->fsn_included); 1118 nctl = TAILQ_NEXT(control, next_instrm); 1119 if (control->end_added) { 1120 /* We just put the last bit on */ 1121 if (control->on_strm_q) { 1122#ifdef INVARIANTS 1123 if (control->on_strm_q != SCTP_ON_UNORDERED) { 1124 panic("Huh control: %p on_q: %d -- not unordered?", 1125 control, control->on_strm_q); 1126 } 1127#endif 1128 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 1129 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 1130 control->on_strm_q = 0; 1131 } 1132 if (control->on_read_q == 0) { 1133 sctp_add_to_readq(stcb->sctp_ep, stcb, 1134 control, 1135 &stcb->sctp_socket->so_rcv, control->end_added, 1136 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1137 } 1138 } else { 1139 /* Can we do a PD-API for this un-ordered guy? */ 1140 if ((control->length >= pd_point) && (strm->pd_api_started == 0)) { 1141 strm->pd_api_started = 1; 1142 control->pdapi_started = 1; 1143 sctp_add_to_readq(stcb->sctp_ep, stcb, 1144 control, 1145 &stcb->sctp_socket->so_rcv, control->end_added, 1146 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1147 1148 break; 1149 } 1150 } 1151 control = nctl; 1152 } 1153done_un: 1154 control = TAILQ_FIRST(&strm->inqueue); 1155 if (strm->pd_api_started) { 1156 /* Can't add more */ 1157 return (0); 1158 } 1159 if (control == NULL) { 1160 return (ret); 1161 } 1162 if (SCTP_MID_EQ(asoc->idata_supported, strm->last_mid_delivered, control->mid)) { 1163 /* 1164 * Ok the guy at the top was being partially delivered 1165 * completed, so we remove it. Note the pd_api flag was 1166 * taken off when the chunk was merged on in 1167 * sctp_queue_data_for_reasm below. 1168 */ 1169 nctl = TAILQ_NEXT(control, next_instrm); 1170 SCTPDBG(SCTP_DEBUG_XXX, 1171 "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (lastdel: %u)- o\n", 1172 control, control->end_added, control->mid, 1173 control->top_fsn, control->fsn_included, 1174 strm->last_mid_delivered); 1175 if (control->end_added) { 1176 if (control->on_strm_q) { 1177#ifdef INVARIANTS 1178 if (control->on_strm_q != SCTP_ON_ORDERED) { 1179 panic("Huh control: %p on_q: %d -- not ordered?", 1180 control, control->on_strm_q); 1181 } 1182#endif 1183 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 1184 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 1185 if (asoc->size_on_all_streams >= control->length) { 1186 asoc->size_on_all_streams -= control->length; 1187 } else { 1188#ifdef INVARIANTS 1189 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 1190#else 1191 asoc->size_on_all_streams = 0; 1192#endif 1193 } 1194 sctp_ucount_decr(asoc->cnt_on_all_streams); 1195 control->on_strm_q = 0; 1196 } 1197 if (strm->pd_api_started && control->pdapi_started) { 1198 control->pdapi_started = 0; 1199 strm->pd_api_started = 0; 1200 } 1201 if (control->on_read_q == 0) { 1202 sctp_add_to_readq(stcb->sctp_ep, stcb, 1203 control, 1204 &stcb->sctp_socket->so_rcv, control->end_added, 1205 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1206 } 1207 control = nctl; 1208 } 1209 } 1210 if (strm->pd_api_started) { 1211 /* 1212 * Can't add more must have gotten an un-ordered above being 1213 * partially delivered. 1214 */ 1215 return (0); 1216 } 1217deliver_more: 1218 next_to_del = strm->last_mid_delivered + 1; 1219 if (control) { 1220 SCTPDBG(SCTP_DEBUG_XXX, 1221 "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (nxtdel: %u)- o\n", 1222 control, control->end_added, control->mid, control->top_fsn, control->fsn_included, 1223 next_to_del); 1224 nctl = TAILQ_NEXT(control, next_instrm); 1225 if (SCTP_MID_EQ(asoc->idata_supported, control->mid, next_to_del) && 1226 (control->first_frag_seen)) { 1227 int done; 1228 1229 /* Ok we can deliver it onto the stream. */ 1230 if (control->end_added) { 1231 /* We are done with it afterwards */ 1232 if (control->on_strm_q) { 1233#ifdef INVARIANTS 1234 if (control->on_strm_q != SCTP_ON_ORDERED) { 1235 panic("Huh control: %p on_q: %d -- not ordered?", 1236 control, control->on_strm_q); 1237 } 1238#endif 1239 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 1240 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 1241 if (asoc->size_on_all_streams >= control->length) { 1242 asoc->size_on_all_streams -= control->length; 1243 } else { 1244#ifdef INVARIANTS 1245 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 1246#else 1247 asoc->size_on_all_streams = 0; 1248#endif 1249 } 1250 sctp_ucount_decr(asoc->cnt_on_all_streams); 1251 control->on_strm_q = 0; 1252 } 1253 ret++; 1254 } 1255 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 1256 /* 1257 * A singleton now slipping through - mark 1258 * it non-revokable too 1259 */ 1260 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 1261 } else if (control->end_added == 0) { 1262 /* 1263 * Check if we can defer adding until its 1264 * all there 1265 */ 1266 if ((control->length < pd_point) || (strm->pd_api_started)) { 1267 /* 1268 * Don't need it or cannot add more 1269 * (one being delivered that way) 1270 */ 1271 goto out; 1272 } 1273 } 1274 done = (control->end_added) && (control->last_frag_seen); 1275 if (control->on_read_q == 0) { 1276 if (!done) { 1277 if (asoc->size_on_all_streams >= control->length) { 1278 asoc->size_on_all_streams -= control->length; 1279 } else { 1280#ifdef INVARIANTS 1281 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 1282#else 1283 asoc->size_on_all_streams = 0; 1284#endif 1285 } 1286 strm->pd_api_started = 1; 1287 control->pdapi_started = 1; 1288 } 1289 sctp_add_to_readq(stcb->sctp_ep, stcb, 1290 control, 1291 &stcb->sctp_socket->so_rcv, control->end_added, 1292 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1293 } 1294 strm->last_mid_delivered = next_to_del; 1295 if (done) { 1296 control = nctl; 1297 goto deliver_more; 1298 } 1299 } 1300 } 1301out: 1302 return (ret); 1303} 1304 1305 1306uint32_t 1307sctp_add_chk_to_control(struct sctp_queued_to_read *control, 1308 struct sctp_stream_in *strm, 1309 struct sctp_tcb *stcb, struct sctp_association *asoc, 1310 struct sctp_tmit_chunk *chk, int hold_rlock) 1311{ 1312 /* 1313 * Given a control and a chunk, merge the data from the chk onto the 1314 * control and free up the chunk resources. 1315 */ 1316 uint32_t added = 0; 1317 int i_locked = 0; 1318 1319 if (control->on_read_q && (hold_rlock == 0)) { 1320 /* 1321 * Its being pd-api'd so we must do some locks. 1322 */ 1323 SCTP_INP_READ_LOCK(stcb->sctp_ep); 1324 i_locked = 1; 1325 } 1326 if (control->data == NULL) { 1327 control->data = chk->data; 1328 sctp_setup_tail_pointer(control); 1329 } else { 1330 sctp_add_to_tail_pointer(control, chk->data, &added); 1331 } 1332 control->fsn_included = chk->rec.data.fsn; 1333 asoc->size_on_reasm_queue -= chk->send_size; 1334 sctp_ucount_decr(asoc->cnt_on_reasm_queue); 1335 sctp_mark_non_revokable(asoc, chk->rec.data.tsn); 1336 chk->data = NULL; 1337 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 1338 control->first_frag_seen = 1; 1339 control->sinfo_tsn = chk->rec.data.tsn; 1340 control->sinfo_ppid = chk->rec.data.ppid; 1341 } 1342 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) { 1343 /* Its complete */ 1344 if ((control->on_strm_q) && (control->on_read_q)) { 1345 if (control->pdapi_started) { 1346 control->pdapi_started = 0; 1347 strm->pd_api_started = 0; 1348 } 1349 if (control->on_strm_q == SCTP_ON_UNORDERED) { 1350 /* Unordered */ 1351 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 1352 control->on_strm_q = 0; 1353 } else if (control->on_strm_q == SCTP_ON_ORDERED) { 1354 /* Ordered */ 1355 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 1356 /* 1357 * Don't need to decrement 1358 * size_on_all_streams, since control is on 1359 * the read queue. 1360 */ 1361 sctp_ucount_decr(asoc->cnt_on_all_streams); 1362 control->on_strm_q = 0; 1363#ifdef INVARIANTS 1364 } else if (control->on_strm_q) { 1365 panic("Unknown state on ctrl: %p on_strm_q: %d", control, 1366 control->on_strm_q); 1367#endif 1368 } 1369 } 1370 control->end_added = 1; 1371 control->last_frag_seen = 1; 1372 } 1373 if (i_locked) { 1374 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 1375 } 1376 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 1377 return (added); 1378} 1379 1380/* 1381 * Dump onto the re-assembly queue, in its proper place. After dumping on the 1382 * queue, see if anthing can be delivered. If so pull it off (or as much as 1383 * we can. If we run out of space then we must dump what we can and set the 1384 * appropriate flag to say we queued what we could. 1385 */ 1386static void 1387sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, 1388 struct sctp_queued_to_read *control, 1389 struct sctp_tmit_chunk *chk, 1390 int created_control, 1391 int *abort_flag, uint32_t tsn) 1392{ 1393 uint32_t next_fsn; 1394 struct sctp_tmit_chunk *at, *nat; 1395 struct sctp_stream_in *strm; 1396 int do_wakeup, unordered; 1397 uint32_t lenadded; 1398 1399 strm = &asoc->strmin[control->sinfo_stream]; 1400 /* 1401 * For old un-ordered data chunks. 1402 */ 1403 if ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) { 1404 unordered = 1; 1405 } else { 1406 unordered = 0; 1407 } 1408 /* Must be added to the stream-in queue */ 1409 if (created_control) { 1410 if (unordered == 0) { 1411 sctp_ucount_incr(asoc->cnt_on_all_streams); 1412 } 1413 if (sctp_place_control_in_stream(strm, asoc, control)) { 1414 /* Duplicate SSN? */ 1415 sctp_abort_in_reasm(stcb, control, chk, 1416 abort_flag, 1417 SCTP_FROM_SCTP_INDATA + SCTP_LOC_6); 1418 sctp_clean_up_control(stcb, control); 1419 return; 1420 } 1421 if ((tsn == (asoc->cumulative_tsn + 1) && (asoc->idata_supported == 0))) { 1422 /* 1423 * Ok we created this control and now lets validate 1424 * that its legal i.e. there is a B bit set, if not 1425 * and we have up to the cum-ack then its invalid. 1426 */ 1427 if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0) { 1428 sctp_abort_in_reasm(stcb, control, chk, 1429 abort_flag, 1430 SCTP_FROM_SCTP_INDATA + SCTP_LOC_7); 1431 return; 1432 } 1433 } 1434 } 1435 if ((asoc->idata_supported == 0) && (unordered == 1)) { 1436 sctp_inject_old_unordered_data(stcb, asoc, control, chk, abort_flag); 1437 return; 1438 } 1439 /* 1440 * Ok we must queue the chunk into the reasembly portion: o if its 1441 * the first it goes to the control mbuf. o if its not first but the 1442 * next in sequence it goes to the control, and each succeeding one 1443 * in order also goes. o if its not in order we place it on the list 1444 * in its place. 1445 */ 1446 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 1447 /* Its the very first one. */ 1448 SCTPDBG(SCTP_DEBUG_XXX, 1449 "chunk is a first fsn: %u becomes fsn_included\n", 1450 chk->rec.data.fsn); 1451 if (control->first_frag_seen) { 1452 /* 1453 * Error on senders part, they either sent us two 1454 * data chunks with FIRST, or they sent two 1455 * un-ordered chunks that were fragmented at the 1456 * same time in the same stream. 1457 */ 1458 sctp_abort_in_reasm(stcb, control, chk, 1459 abort_flag, 1460 SCTP_FROM_SCTP_INDATA + SCTP_LOC_8); 1461 return; 1462 } 1463 control->first_frag_seen = 1; 1464 control->sinfo_ppid = chk->rec.data.ppid; 1465 control->sinfo_tsn = chk->rec.data.tsn; 1466 control->fsn_included = chk->rec.data.fsn; 1467 control->data = chk->data; 1468 sctp_mark_non_revokable(asoc, chk->rec.data.tsn); 1469 chk->data = NULL; 1470 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 1471 sctp_setup_tail_pointer(control); 1472 asoc->size_on_all_streams += control->length; 1473 } else { 1474 /* Place the chunk in our list */ 1475 int inserted = 0; 1476 1477 if (control->last_frag_seen == 0) { 1478 /* Still willing to raise highest FSN seen */ 1479 if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) { 1480 SCTPDBG(SCTP_DEBUG_XXX, 1481 "We have a new top_fsn: %u\n", 1482 chk->rec.data.fsn); 1483 control->top_fsn = chk->rec.data.fsn; 1484 } 1485 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) { 1486 SCTPDBG(SCTP_DEBUG_XXX, 1487 "The last fsn is now in place fsn: %u\n", 1488 chk->rec.data.fsn); 1489 control->last_frag_seen = 1; 1490 if (SCTP_TSN_GT(control->top_fsn, chk->rec.data.fsn)) { 1491 SCTPDBG(SCTP_DEBUG_XXX, 1492 "New fsn: %u is not at top_fsn: %u -- abort\n", 1493 chk->rec.data.fsn, 1494 control->top_fsn); 1495 sctp_abort_in_reasm(stcb, control, chk, 1496 abort_flag, 1497 SCTP_FROM_SCTP_INDATA + SCTP_LOC_9); 1498 return; 1499 } 1500 } 1501 if (asoc->idata_supported || control->first_frag_seen) { 1502 /* 1503 * For IDATA we always check since we know 1504 * that the first fragment is 0. For old 1505 * DATA we have to receive the first before 1506 * we know the first FSN (which is the TSN). 1507 */ 1508 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) { 1509 /* 1510 * We have already delivered up to 1511 * this so its a dup 1512 */ 1513 sctp_abort_in_reasm(stcb, control, chk, 1514 abort_flag, 1515 SCTP_FROM_SCTP_INDATA + SCTP_LOC_10); 1516 return; 1517 } 1518 } 1519 } else { 1520 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) { 1521 /* Second last? huh? */ 1522 SCTPDBG(SCTP_DEBUG_XXX, 1523 "Duplicate last fsn: %u (top: %u) -- abort\n", 1524 chk->rec.data.fsn, control->top_fsn); 1525 sctp_abort_in_reasm(stcb, control, 1526 chk, abort_flag, 1527 SCTP_FROM_SCTP_INDATA + SCTP_LOC_11); 1528 return; 1529 } 1530 if (asoc->idata_supported || control->first_frag_seen) { 1531 /* 1532 * For IDATA we always check since we know 1533 * that the first fragment is 0. For old 1534 * DATA we have to receive the first before 1535 * we know the first FSN (which is the TSN). 1536 */ 1537 1538 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) { 1539 /* 1540 * We have already delivered up to 1541 * this so its a dup 1542 */ 1543 SCTPDBG(SCTP_DEBUG_XXX, 1544 "New fsn: %u is already seen in included_fsn: %u -- abort\n", 1545 chk->rec.data.fsn, control->fsn_included); 1546 sctp_abort_in_reasm(stcb, control, chk, 1547 abort_flag, 1548 SCTP_FROM_SCTP_INDATA + SCTP_LOC_12); 1549 return; 1550 } 1551 } 1552 /* 1553 * validate not beyond top FSN if we have seen last 1554 * one 1555 */ 1556 if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) { 1557 SCTPDBG(SCTP_DEBUG_XXX, 1558 "New fsn: %u is beyond or at top_fsn: %u -- abort\n", 1559 chk->rec.data.fsn, 1560 control->top_fsn); 1561 sctp_abort_in_reasm(stcb, control, chk, 1562 abort_flag, 1563 SCTP_FROM_SCTP_INDATA + SCTP_LOC_13); 1564 return; 1565 } 1566 } 1567 /* 1568 * If we reach here, we need to place the new chunk in the 1569 * reassembly for this control. 1570 */ 1571 SCTPDBG(SCTP_DEBUG_XXX, 1572 "chunk is a not first fsn: %u needs to be inserted\n", 1573 chk->rec.data.fsn); 1574 TAILQ_FOREACH(at, &control->reasm, sctp_next) { 1575 if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) { 1576 /* 1577 * This one in queue is bigger than the new 1578 * one, insert the new one before at. 1579 */ 1580 SCTPDBG(SCTP_DEBUG_XXX, 1581 "Insert it before fsn: %u\n", 1582 at->rec.data.fsn); 1583 asoc->size_on_reasm_queue += chk->send_size; 1584 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1585 TAILQ_INSERT_BEFORE(at, chk, sctp_next); 1586 inserted = 1; 1587 break; 1588 } else if (at->rec.data.fsn == chk->rec.data.fsn) { 1589 /* 1590 * Gak, He sent me a duplicate str seq 1591 * number 1592 */ 1593 /* 1594 * foo bar, I guess I will just free this 1595 * new guy, should we abort too? FIX ME 1596 * MAYBE? Or it COULD be that the SSN's have 1597 * wrapped. Maybe I should compare to TSN 1598 * somehow... sigh for now just blow away 1599 * the chunk! 1600 */ 1601 SCTPDBG(SCTP_DEBUG_XXX, 1602 "Duplicate to fsn: %u -- abort\n", 1603 at->rec.data.fsn); 1604 sctp_abort_in_reasm(stcb, control, 1605 chk, abort_flag, 1606 SCTP_FROM_SCTP_INDATA + SCTP_LOC_14); 1607 return; 1608 } 1609 } 1610 if (inserted == 0) { 1611 /* Goes on the end */ 1612 SCTPDBG(SCTP_DEBUG_XXX, "Inserting at tail of list fsn: %u\n", 1613 chk->rec.data.fsn); 1614 asoc->size_on_reasm_queue += chk->send_size; 1615 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1616 TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next); 1617 } 1618 } 1619 /* 1620 * Ok lets see if we can suck any up into the control structure that 1621 * are in seq if it makes sense. 1622 */ 1623 do_wakeup = 0; 1624 /* 1625 * If the first fragment has not been seen there is no sense in 1626 * looking. 1627 */ 1628 if (control->first_frag_seen) { 1629 next_fsn = control->fsn_included + 1; 1630 TAILQ_FOREACH_SAFE(at, &control->reasm, sctp_next, nat) { 1631 if (at->rec.data.fsn == next_fsn) { 1632 /* We can add this one now to the control */ 1633 SCTPDBG(SCTP_DEBUG_XXX, 1634 "Adding more to control: %p at: %p fsn: %u next_fsn: %u included: %u\n", 1635 control, at, 1636 at->rec.data.fsn, 1637 next_fsn, control->fsn_included); 1638 TAILQ_REMOVE(&control->reasm, at, sctp_next); 1639 lenadded = sctp_add_chk_to_control(control, strm, stcb, asoc, at, SCTP_READ_LOCK_NOT_HELD); 1640 if (control->on_read_q) { 1641 do_wakeup = 1; 1642 } else { 1643 /* 1644 * We only add to the 1645 * size-on-all-streams if its not on 1646 * the read q. The read q flag will 1647 * cause a sballoc so its accounted 1648 * for there. 1649 */ 1650 asoc->size_on_all_streams += lenadded; 1651 } 1652 next_fsn++; 1653 if (control->end_added && control->pdapi_started) { 1654 if (strm->pd_api_started) { 1655 strm->pd_api_started = 0; 1656 control->pdapi_started = 0; 1657 } 1658 if (control->on_read_q == 0) { 1659 sctp_add_to_readq(stcb->sctp_ep, stcb, 1660 control, 1661 &stcb->sctp_socket->so_rcv, control->end_added, 1662 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED); 1663 } 1664 break; 1665 } 1666 } else { 1667 break; 1668 } 1669 } 1670 } 1671 if (do_wakeup) { 1672 /* Need to wakeup the reader */ 1673 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 1674 } 1675} 1676 1677static struct sctp_queued_to_read * 1678sctp_find_reasm_entry(struct sctp_stream_in *strm, uint32_t mid, int ordered, int idata_supported) 1679{ 1680 struct sctp_queued_to_read *control; 1681 1682 if (ordered) { 1683 TAILQ_FOREACH(control, &strm->inqueue, next_instrm) { 1684 if (SCTP_MID_EQ(idata_supported, control->mid, mid)) { 1685 break; 1686 } 1687 } 1688 } else { 1689 if (idata_supported) { 1690 TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) { 1691 if (SCTP_MID_EQ(idata_supported, control->mid, mid)) { 1692 break; 1693 } 1694 } 1695 } else { 1696 control = TAILQ_FIRST(&strm->uno_inqueue); 1697 } 1698 } 1699 return (control); 1700} 1701 1702static int 1703sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc, 1704 struct mbuf **m, int offset, int chk_length, 1705 struct sctp_nets *net, uint32_t *high_tsn, int *abort_flag, 1706 int *break_flag, int last_chunk, uint8_t chk_type) 1707{ 1708 struct sctp_tmit_chunk *chk = NULL; /* make gcc happy */ 1709 uint32_t tsn, fsn, gap, mid; 1710 struct mbuf *dmbuf; 1711 int the_len; 1712 int need_reasm_check = 0; 1713 uint16_t sid; 1714 struct mbuf *op_err; 1715 char msg[SCTP_DIAG_INFO_LEN]; 1716 struct sctp_queued_to_read *control, *ncontrol; 1717 uint32_t ppid; 1718 uint8_t chk_flags; 1719 struct sctp_stream_reset_list *liste; 1720 int ordered; 1721 size_t clen; 1722 int created_control = 0; 1723 1724 if (chk_type == SCTP_IDATA) { 1725 struct sctp_idata_chunk *chunk, chunk_buf; 1726 1727 chunk = (struct sctp_idata_chunk *)sctp_m_getptr(*m, offset, 1728 sizeof(struct sctp_idata_chunk), (uint8_t *)&chunk_buf); 1729 chk_flags = chunk->ch.chunk_flags; 1730 clen = sizeof(struct sctp_idata_chunk); 1731 tsn = ntohl(chunk->dp.tsn); 1732 sid = ntohs(chunk->dp.sid); 1733 mid = ntohl(chunk->dp.mid); 1734 if (chk_flags & SCTP_DATA_FIRST_FRAG) { 1735 fsn = 0; 1736 ppid = chunk->dp.ppid_fsn.ppid; 1737 } else { 1738 fsn = ntohl(chunk->dp.ppid_fsn.fsn); 1739 ppid = 0xffffffff; /* Use as an invalid value. */ 1740 } 1741 } else { 1742 struct sctp_data_chunk *chunk, chunk_buf; 1743 1744 chunk = (struct sctp_data_chunk *)sctp_m_getptr(*m, offset, 1745 sizeof(struct sctp_data_chunk), (uint8_t *)&chunk_buf); 1746 chk_flags = chunk->ch.chunk_flags; 1747 clen = sizeof(struct sctp_data_chunk); 1748 tsn = ntohl(chunk->dp.tsn); 1749 sid = ntohs(chunk->dp.sid); 1750 mid = (uint32_t)(ntohs(chunk->dp.ssn)); 1751 fsn = tsn; 1752 ppid = chunk->dp.ppid; 1753 } 1754 if ((size_t)chk_length == clen) { 1755 /* 1756 * Need to send an abort since we had a empty data chunk. 1757 */ 1758 op_err = sctp_generate_no_user_data_cause(tsn); 1759 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_15; 1760 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 1761 *abort_flag = 1; 1762 return (0); 1763 } 1764 if ((chk_flags & SCTP_DATA_SACK_IMMEDIATELY) == SCTP_DATA_SACK_IMMEDIATELY) { 1765 asoc->send_sack = 1; 1766 } 1767 ordered = ((chk_flags & SCTP_DATA_UNORDERED) == 0); 1768 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 1769 sctp_log_map(tsn, asoc->cumulative_tsn, asoc->highest_tsn_inside_map, SCTP_MAP_TSN_ENTERS); 1770 } 1771 if (stcb == NULL) { 1772 return (0); 1773 } 1774 SCTP_LTRACE_CHK(stcb->sctp_ep, stcb, chk_type, tsn); 1775 if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) { 1776 /* It is a duplicate */ 1777 SCTP_STAT_INCR(sctps_recvdupdata); 1778 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) { 1779 /* Record a dup for the next outbound sack */ 1780 asoc->dup_tsns[asoc->numduptsns] = tsn; 1781 asoc->numduptsns++; 1782 } 1783 asoc->send_sack = 1; 1784 return (0); 1785 } 1786 /* Calculate the number of TSN's between the base and this TSN */ 1787 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn); 1788 if (gap >= (SCTP_MAPPING_ARRAY << 3)) { 1789 /* Can't hold the bit in the mapping at max array, toss it */ 1790 return (0); 1791 } 1792 if (gap >= (uint32_t)(asoc->mapping_array_size << 3)) { 1793 SCTP_TCB_LOCK_ASSERT(stcb); 1794 if (sctp_expand_mapping_array(asoc, gap)) { 1795 /* Can't expand, drop it */ 1796 return (0); 1797 } 1798 } 1799 if (SCTP_TSN_GT(tsn, *high_tsn)) { 1800 *high_tsn = tsn; 1801 } 1802 /* See if we have received this one already */ 1803 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap) || 1804 SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap)) { 1805 SCTP_STAT_INCR(sctps_recvdupdata); 1806 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) { 1807 /* Record a dup for the next outbound sack */ 1808 asoc->dup_tsns[asoc->numduptsns] = tsn; 1809 asoc->numduptsns++; 1810 } 1811 asoc->send_sack = 1; 1812 return (0); 1813 } 1814 /* 1815 * Check to see about the GONE flag, duplicates would cause a sack 1816 * to be sent up above 1817 */ 1818 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || 1819 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) || 1820 (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET))) { 1821 /* 1822 * wait a minute, this guy is gone, there is no longer a 1823 * receiver. Send peer an ABORT! 1824 */ 1825 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 1826 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 1827 *abort_flag = 1; 1828 return (0); 1829 } 1830 /* 1831 * Now before going further we see if there is room. If NOT then we 1832 * MAY let one through only IF this TSN is the one we are waiting 1833 * for on a partial delivery API. 1834 */ 1835 1836 /* Is the stream valid? */ 1837 if (sid >= asoc->streamincnt) { 1838 struct sctp_error_invalid_stream *cause; 1839 1840 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_invalid_stream), 1841 0, M_NOWAIT, 1, MT_DATA); 1842 if (op_err != NULL) { 1843 /* add some space up front so prepend will work well */ 1844 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1845 cause = mtod(op_err, struct sctp_error_invalid_stream *); 1846 /* 1847 * Error causes are just param's and this one has 1848 * two back to back phdr, one with the error type 1849 * and size, the other with the streamid and a rsvd 1850 */ 1851 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_invalid_stream); 1852 cause->cause.code = htons(SCTP_CAUSE_INVALID_STREAM); 1853 cause->cause.length = htons(sizeof(struct sctp_error_invalid_stream)); 1854 cause->stream_id = htons(sid); 1855 cause->reserved = htons(0); 1856 sctp_queue_op_err(stcb, op_err); 1857 } 1858 SCTP_STAT_INCR(sctps_badsid); 1859 SCTP_TCB_LOCK_ASSERT(stcb); 1860 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 1861 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 1862 asoc->highest_tsn_inside_nr_map = tsn; 1863 } 1864 if (tsn == (asoc->cumulative_tsn + 1)) { 1865 /* Update cum-ack */ 1866 asoc->cumulative_tsn = tsn; 1867 } 1868 return (0); 1869 } 1870 /* 1871 * If its a fragmented message, lets see if we can find the control 1872 * on the reassembly queues. 1873 */ 1874 if ((chk_type == SCTP_IDATA) && 1875 ((chk_flags & SCTP_DATA_FIRST_FRAG) == 0) && 1876 (fsn == 0)) { 1877 /* 1878 * The first *must* be fsn 0, and other (middle/end) pieces 1879 * can *not* be fsn 0. XXX: This can happen in case of a 1880 * wrap around. Ignore is for now. 1881 */ 1882 snprintf(msg, sizeof(msg), "FSN zero for MID=%8.8x, but flags=%2.2x", 1883 mid, chk_flags); 1884 goto err_out; 1885 } 1886 control = sctp_find_reasm_entry(&asoc->strmin[sid], mid, ordered, asoc->idata_supported); 1887 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for control on queues %p\n", 1888 chk_flags, control); 1889 if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) { 1890 /* See if we can find the re-assembly entity */ 1891 if (control != NULL) { 1892 /* We found something, does it belong? */ 1893 if (ordered && (mid != control->mid)) { 1894 snprintf(msg, sizeof(msg), "Reassembly problem (MID=%8.8x)", mid); 1895 err_out: 1896 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 1897 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_16; 1898 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 1899 *abort_flag = 1; 1900 return (0); 1901 } 1902 if (ordered && ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED)) { 1903 /* 1904 * We can't have a switched order with an 1905 * unordered chunk 1906 */ 1907 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)", 1908 tsn); 1909 goto err_out; 1910 } 1911 if (!ordered && (((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) == 0)) { 1912 /* 1913 * We can't have a switched unordered with a 1914 * ordered chunk 1915 */ 1916 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)", 1917 tsn); 1918 goto err_out; 1919 } 1920 } 1921 } else { 1922 /* 1923 * Its a complete segment. Lets validate we don't have a 1924 * re-assembly going on with the same Stream/Seq (for 1925 * ordered) or in the same Stream for unordered. 1926 */ 1927 if (control != NULL) { 1928 if (ordered || asoc->idata_supported) { 1929 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x dup detected on MID: %u\n", 1930 chk_flags, mid); 1931 snprintf(msg, sizeof(msg), "Duplicate MID=%8.8x detected.", mid); 1932 goto err_out; 1933 } else { 1934 if ((tsn == control->fsn_included + 1) && 1935 (control->end_added == 0)) { 1936 snprintf(msg, sizeof(msg), "Illegal message sequence, missing end for MID: %8.8x", control->fsn_included); 1937 goto err_out; 1938 } else { 1939 control = NULL; 1940 } 1941 } 1942 } 1943 } 1944 /* now do the tests */ 1945 if (((asoc->cnt_on_all_streams + 1946 asoc->cnt_on_reasm_queue + 1947 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) || 1948 (((int)asoc->my_rwnd) <= 0)) { 1949 /* 1950 * When we have NO room in the rwnd we check to make sure 1951 * the reader is doing its job... 1952 */ 1953 if (stcb->sctp_socket->so_rcv.sb_cc) { 1954 /* some to read, wake-up */ 1955#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1956 struct socket *so; 1957 1958 so = SCTP_INP_SO(stcb->sctp_ep); 1959 atomic_add_int(&stcb->asoc.refcnt, 1); 1960 SCTP_TCB_UNLOCK(stcb); 1961 SCTP_SOCKET_LOCK(so, 1); 1962 SCTP_TCB_LOCK(stcb); 1963 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1964 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1965 /* assoc was freed while we were unlocked */ 1966 SCTP_SOCKET_UNLOCK(so, 1); 1967 return (0); 1968 } 1969#endif 1970 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 1971#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1972 SCTP_SOCKET_UNLOCK(so, 1); 1973#endif 1974 } 1975 /* now is it in the mapping array of what we have accepted? */ 1976 if (chk_type == SCTP_DATA) { 1977 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map) && 1978 SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 1979 /* Nope not in the valid range dump it */ 1980 dump_packet: 1981 sctp_set_rwnd(stcb, asoc); 1982 if ((asoc->cnt_on_all_streams + 1983 asoc->cnt_on_reasm_queue + 1984 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) { 1985 SCTP_STAT_INCR(sctps_datadropchklmt); 1986 } else { 1987 SCTP_STAT_INCR(sctps_datadroprwnd); 1988 } 1989 *break_flag = 1; 1990 return (0); 1991 } 1992 } else { 1993 if (control == NULL) { 1994 goto dump_packet; 1995 } 1996 if (SCTP_TSN_GT(fsn, control->top_fsn)) { 1997 goto dump_packet; 1998 } 1999 } 2000 } 2001#ifdef SCTP_ASOCLOG_OF_TSNS 2002 SCTP_TCB_LOCK_ASSERT(stcb); 2003 if (asoc->tsn_in_at >= SCTP_TSN_LOG_SIZE) { 2004 asoc->tsn_in_at = 0; 2005 asoc->tsn_in_wrapped = 1; 2006 } 2007 asoc->in_tsnlog[asoc->tsn_in_at].tsn = tsn; 2008 asoc->in_tsnlog[asoc->tsn_in_at].strm = sid; 2009 asoc->in_tsnlog[asoc->tsn_in_at].seq = mid; 2010 asoc->in_tsnlog[asoc->tsn_in_at].sz = chk_length; 2011 asoc->in_tsnlog[asoc->tsn_in_at].flgs = chunk_flags; 2012 asoc->in_tsnlog[asoc->tsn_in_at].stcb = (void *)stcb; 2013 asoc->in_tsnlog[asoc->tsn_in_at].in_pos = asoc->tsn_in_at; 2014 asoc->in_tsnlog[asoc->tsn_in_at].in_out = 1; 2015 asoc->tsn_in_at++; 2016#endif 2017 /* 2018 * Before we continue lets validate that we are not being fooled by 2019 * an evil attacker. We can only have Nk chunks based on our TSN 2020 * spread allowed by the mapping array N * 8 bits, so there is no 2021 * way our stream sequence numbers could have wrapped. We of course 2022 * only validate the FIRST fragment so the bit must be set. 2023 */ 2024 if ((chk_flags & SCTP_DATA_FIRST_FRAG) && 2025 (TAILQ_EMPTY(&asoc->resetHead)) && 2026 (chk_flags & SCTP_DATA_UNORDERED) == 0 && 2027 SCTP_MID_GE(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered, mid)) { 2028 /* The incoming sseq is behind where we last delivered? */ 2029 SCTPDBG(SCTP_DEBUG_INDATA1, "EVIL/Broken-Dup S-SEQ: %u delivered: %u from peer, Abort!\n", 2030 mid, asoc->strmin[sid].last_mid_delivered); 2031 2032 if (asoc->idata_supported) { 2033 snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x", 2034 asoc->strmin[sid].last_mid_delivered, 2035 tsn, 2036 sid, 2037 mid); 2038 } else { 2039 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x", 2040 (uint16_t)asoc->strmin[sid].last_mid_delivered, 2041 tsn, 2042 sid, 2043 (uint16_t)mid); 2044 } 2045 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2046 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_17; 2047 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 2048 *abort_flag = 1; 2049 return (0); 2050 } 2051 if (chk_type == SCTP_IDATA) { 2052 the_len = (chk_length - sizeof(struct sctp_idata_chunk)); 2053 } else { 2054 the_len = (chk_length - sizeof(struct sctp_data_chunk)); 2055 } 2056 if (last_chunk == 0) { 2057 if (chk_type == SCTP_IDATA) { 2058 dmbuf = SCTP_M_COPYM(*m, 2059 (offset + sizeof(struct sctp_idata_chunk)), 2060 the_len, M_NOWAIT); 2061 } else { 2062 dmbuf = SCTP_M_COPYM(*m, 2063 (offset + sizeof(struct sctp_data_chunk)), 2064 the_len, M_NOWAIT); 2065 } 2066#ifdef SCTP_MBUF_LOGGING 2067 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 2068 sctp_log_mbc(dmbuf, SCTP_MBUF_ICOPY); 2069 } 2070#endif 2071 } else { 2072 /* We can steal the last chunk */ 2073 int l_len; 2074 2075 dmbuf = *m; 2076 /* lop off the top part */ 2077 if (chk_type == SCTP_IDATA) { 2078 m_adj(dmbuf, (offset + sizeof(struct sctp_idata_chunk))); 2079 } else { 2080 m_adj(dmbuf, (offset + sizeof(struct sctp_data_chunk))); 2081 } 2082 if (SCTP_BUF_NEXT(dmbuf) == NULL) { 2083 l_len = SCTP_BUF_LEN(dmbuf); 2084 } else { 2085 /* 2086 * need to count up the size hopefully does not hit 2087 * this to often :-0 2088 */ 2089 struct mbuf *lat; 2090 2091 l_len = 0; 2092 for (lat = dmbuf; lat; lat = SCTP_BUF_NEXT(lat)) { 2093 l_len += SCTP_BUF_LEN(lat); 2094 } 2095 } 2096 if (l_len > the_len) { 2097 /* Trim the end round bytes off too */ 2098 m_adj(dmbuf, -(l_len - the_len)); 2099 } 2100 } 2101 if (dmbuf == NULL) { 2102 SCTP_STAT_INCR(sctps_nomem); 2103 return (0); 2104 } 2105 /* 2106 * Now no matter what, we need a control, get one if we don't have 2107 * one (we may have gotten it above when we found the message was 2108 * fragmented 2109 */ 2110 if (control == NULL) { 2111 sctp_alloc_a_readq(stcb, control); 2112 sctp_build_readq_entry_mac(control, stcb, asoc->context, net, tsn, 2113 ppid, 2114 sid, 2115 chk_flags, 2116 NULL, fsn, mid); 2117 if (control == NULL) { 2118 SCTP_STAT_INCR(sctps_nomem); 2119 return (0); 2120 } 2121 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 2122 struct mbuf *mm; 2123 2124 control->data = dmbuf; 2125 control->tail_mbuf = NULL; 2126 for (mm = control->data; mm; mm = mm->m_next) { 2127 control->length += SCTP_BUF_LEN(mm); 2128 if (SCTP_BUF_NEXT(mm) == NULL) { 2129 control->tail_mbuf = mm; 2130 } 2131 } 2132 control->end_added = 1; 2133 control->last_frag_seen = 1; 2134 control->first_frag_seen = 1; 2135 control->fsn_included = fsn; 2136 control->top_fsn = fsn; 2137 } 2138 created_control = 1; 2139 } 2140 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x ordered: %d MID: %u control: %p\n", 2141 chk_flags, ordered, mid, control); 2142 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG && 2143 TAILQ_EMPTY(&asoc->resetHead) && 2144 ((ordered == 0) || 2145 (SCTP_MID_EQ(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered + 1, mid) && 2146 TAILQ_EMPTY(&asoc->strmin[sid].inqueue)))) { 2147 /* Candidate for express delivery */ 2148 /* 2149 * Its not fragmented, No PD-API is up, Nothing in the 2150 * delivery queue, Its un-ordered OR ordered and the next to 2151 * deliver AND nothing else is stuck on the stream queue, 2152 * And there is room for it in the socket buffer. Lets just 2153 * stuff it up the buffer.... 2154 */ 2155 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 2156 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 2157 asoc->highest_tsn_inside_nr_map = tsn; 2158 } 2159 SCTPDBG(SCTP_DEBUG_XXX, "Injecting control: %p to be read (MID: %u)\n", 2160 control, mid); 2161 2162 sctp_add_to_readq(stcb->sctp_ep, stcb, 2163 control, &stcb->sctp_socket->so_rcv, 2164 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED); 2165 2166 if ((chk_flags & SCTP_DATA_UNORDERED) == 0) { 2167 /* for ordered, bump what we delivered */ 2168 asoc->strmin[sid].last_mid_delivered++; 2169 } 2170 SCTP_STAT_INCR(sctps_recvexpress); 2171 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 2172 sctp_log_strm_del_alt(stcb, tsn, mid, sid, 2173 SCTP_STR_LOG_FROM_EXPRS_DEL); 2174 } 2175 control = NULL; 2176 goto finish_express_del; 2177 } 2178 2179 /* Now will we need a chunk too? */ 2180 if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) { 2181 sctp_alloc_a_chunk(stcb, chk); 2182 if (chk == NULL) { 2183 /* No memory so we drop the chunk */ 2184 SCTP_STAT_INCR(sctps_nomem); 2185 if (last_chunk == 0) { 2186 /* we copied it, free the copy */ 2187 sctp_m_freem(dmbuf); 2188 } 2189 return (0); 2190 } 2191 chk->rec.data.tsn = tsn; 2192 chk->no_fr_allowed = 0; 2193 chk->rec.data.fsn = fsn; 2194 chk->rec.data.mid = mid; 2195 chk->rec.data.sid = sid; 2196 chk->rec.data.ppid = ppid; 2197 chk->rec.data.context = stcb->asoc.context; 2198 chk->rec.data.doing_fast_retransmit = 0; 2199 chk->rec.data.rcv_flags = chk_flags; 2200 chk->asoc = asoc; 2201 chk->send_size = the_len; 2202 chk->whoTo = net; 2203 SCTPDBG(SCTP_DEBUG_XXX, "Building ck: %p for control: %p to be read (MID: %u)\n", 2204 chk, 2205 control, mid); 2206 atomic_add_int(&net->ref_count, 1); 2207 chk->data = dmbuf; 2208 } 2209 /* Set the appropriate TSN mark */ 2210 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) { 2211 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 2212 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 2213 asoc->highest_tsn_inside_nr_map = tsn; 2214 } 2215 } else { 2216 SCTP_SET_TSN_PRESENT(asoc->mapping_array, gap); 2217 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map)) { 2218 asoc->highest_tsn_inside_map = tsn; 2219 } 2220 } 2221 /* Now is it complete (i.e. not fragmented)? */ 2222 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 2223 /* 2224 * Special check for when streams are resetting. We could be 2225 * more smart about this and check the actual stream to see 2226 * if it is not being reset.. that way we would not create a 2227 * HOLB when amongst streams being reset and those not being 2228 * reset. 2229 * 2230 */ 2231 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) && 2232 SCTP_TSN_GT(tsn, liste->tsn)) { 2233 /* 2234 * yep its past where we need to reset... go ahead 2235 * and queue it. 2236 */ 2237 if (TAILQ_EMPTY(&asoc->pending_reply_queue)) { 2238 /* first one on */ 2239 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next); 2240 } else { 2241 struct sctp_queued_to_read *lcontrol, *nlcontrol; 2242 unsigned char inserted = 0; 2243 2244 TAILQ_FOREACH_SAFE(lcontrol, &asoc->pending_reply_queue, next, nlcontrol) { 2245 if (SCTP_TSN_GT(control->sinfo_tsn, lcontrol->sinfo_tsn)) { 2246 2247 continue; 2248 } else { 2249 /* found it */ 2250 TAILQ_INSERT_BEFORE(lcontrol, control, next); 2251 inserted = 1; 2252 break; 2253 } 2254 } 2255 if (inserted == 0) { 2256 /* 2257 * must be put at end, use prevP 2258 * (all setup from loop) to setup 2259 * nextP. 2260 */ 2261 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next); 2262 } 2263 } 2264 goto finish_express_del; 2265 } 2266 if (chk_flags & SCTP_DATA_UNORDERED) { 2267 /* queue directly into socket buffer */ 2268 SCTPDBG(SCTP_DEBUG_XXX, "Unordered data to be read control: %p MID: %u\n", 2269 control, mid); 2270 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 2271 sctp_add_to_readq(stcb->sctp_ep, stcb, 2272 control, 2273 &stcb->sctp_socket->so_rcv, 1, 2274 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED); 2275 2276 } else { 2277 SCTPDBG(SCTP_DEBUG_XXX, "Queue control: %p for reordering MID: %u\n", control, 2278 mid); 2279 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check); 2280 if (*abort_flag) { 2281 if (last_chunk) { 2282 *m = NULL; 2283 } 2284 return (0); 2285 } 2286 } 2287 goto finish_express_del; 2288 } 2289 /* If we reach here its a reassembly */ 2290 need_reasm_check = 1; 2291 SCTPDBG(SCTP_DEBUG_XXX, 2292 "Queue data to stream for reasm control: %p MID: %u\n", 2293 control, mid); 2294 sctp_queue_data_for_reasm(stcb, asoc, control, chk, created_control, abort_flag, tsn); 2295 if (*abort_flag) { 2296 /* 2297 * the assoc is now gone and chk was put onto the reasm 2298 * queue, which has all been freed. 2299 */ 2300 if (last_chunk) { 2301 *m = NULL; 2302 } 2303 return (0); 2304 } 2305finish_express_del: 2306 /* Here we tidy up things */ 2307 if (tsn == (asoc->cumulative_tsn + 1)) { 2308 /* Update cum-ack */ 2309 asoc->cumulative_tsn = tsn; 2310 } 2311 if (last_chunk) { 2312 *m = NULL; 2313 } 2314 if (ordered) { 2315 SCTP_STAT_INCR_COUNTER64(sctps_inorderchunks); 2316 } else { 2317 SCTP_STAT_INCR_COUNTER64(sctps_inunorderchunks); 2318 } 2319 SCTP_STAT_INCR(sctps_recvdata); 2320 /* Set it present please */ 2321 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 2322 sctp_log_strm_del_alt(stcb, tsn, mid, sid, SCTP_STR_LOG_FROM_MARK_TSN); 2323 } 2324 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2325 sctp_log_map(asoc->mapping_array_base_tsn, asoc->cumulative_tsn, 2326 asoc->highest_tsn_inside_map, SCTP_MAP_PREPARE_SLIDE); 2327 } 2328 if (need_reasm_check) { 2329 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[sid], SCTP_READ_LOCK_NOT_HELD); 2330 need_reasm_check = 0; 2331 } 2332 /* check the special flag for stream resets */ 2333 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) && 2334 SCTP_TSN_GE(asoc->cumulative_tsn, liste->tsn)) { 2335 /* 2336 * we have finished working through the backlogged TSN's now 2337 * time to reset streams. 1: call reset function. 2: free 2338 * pending_reply space 3: distribute any chunks in 2339 * pending_reply_queue. 2340 */ 2341 sctp_reset_in_stream(stcb, liste->number_entries, liste->list_of_streams); 2342 TAILQ_REMOVE(&asoc->resetHead, liste, next_resp); 2343 sctp_send_deferred_reset_response(stcb, liste, SCTP_STREAM_RESET_RESULT_PERFORMED); 2344 SCTP_FREE(liste, SCTP_M_STRESET); 2345 /* sa_ignore FREED_MEMORY */ 2346 liste = TAILQ_FIRST(&asoc->resetHead); 2347 if (TAILQ_EMPTY(&asoc->resetHead)) { 2348 /* All can be removed */ 2349 TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) { 2350 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next); 2351 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check); 2352 if (*abort_flag) { 2353 return (0); 2354 } 2355 if (need_reasm_check) { 2356 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD); 2357 need_reasm_check = 0; 2358 } 2359 } 2360 } else { 2361 TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) { 2362 if (SCTP_TSN_GT(control->sinfo_tsn, liste->tsn)) { 2363 break; 2364 } 2365 /* 2366 * if control->sinfo_tsn is <= liste->tsn we 2367 * can process it which is the NOT of 2368 * control->sinfo_tsn > liste->tsn 2369 */ 2370 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next); 2371 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check); 2372 if (*abort_flag) { 2373 return (0); 2374 } 2375 if (need_reasm_check) { 2376 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD); 2377 need_reasm_check = 0; 2378 } 2379 } 2380 } 2381 } 2382 return (1); 2383} 2384 2385static const int8_t sctp_map_lookup_tab[256] = { 2386 0, 1, 0, 2, 0, 1, 0, 3, 2387 0, 1, 0, 2, 0, 1, 0, 4, 2388 0, 1, 0, 2, 0, 1, 0, 3, 2389 0, 1, 0, 2, 0, 1, 0, 5, 2390 0, 1, 0, 2, 0, 1, 0, 3, 2391 0, 1, 0, 2, 0, 1, 0, 4, 2392 0, 1, 0, 2, 0, 1, 0, 3, 2393 0, 1, 0, 2, 0, 1, 0, 6, 2394 0, 1, 0, 2, 0, 1, 0, 3, 2395 0, 1, 0, 2, 0, 1, 0, 4, 2396 0, 1, 0, 2, 0, 1, 0, 3, 2397 0, 1, 0, 2, 0, 1, 0, 5, 2398 0, 1, 0, 2, 0, 1, 0, 3, 2399 0, 1, 0, 2, 0, 1, 0, 4, 2400 0, 1, 0, 2, 0, 1, 0, 3, 2401 0, 1, 0, 2, 0, 1, 0, 7, 2402 0, 1, 0, 2, 0, 1, 0, 3, 2403 0, 1, 0, 2, 0, 1, 0, 4, 2404 0, 1, 0, 2, 0, 1, 0, 3, 2405 0, 1, 0, 2, 0, 1, 0, 5, 2406 0, 1, 0, 2, 0, 1, 0, 3, 2407 0, 1, 0, 2, 0, 1, 0, 4, 2408 0, 1, 0, 2, 0, 1, 0, 3, 2409 0, 1, 0, 2, 0, 1, 0, 6, 2410 0, 1, 0, 2, 0, 1, 0, 3, 2411 0, 1, 0, 2, 0, 1, 0, 4, 2412 0, 1, 0, 2, 0, 1, 0, 3, 2413 0, 1, 0, 2, 0, 1, 0, 5, 2414 0, 1, 0, 2, 0, 1, 0, 3, 2415 0, 1, 0, 2, 0, 1, 0, 4, 2416 0, 1, 0, 2, 0, 1, 0, 3, 2417 0, 1, 0, 2, 0, 1, 0, 8 2418}; 2419 2420 2421void 2422sctp_slide_mapping_arrays(struct sctp_tcb *stcb) 2423{ 2424 /* 2425 * Now we also need to check the mapping array in a couple of ways. 2426 * 1) Did we move the cum-ack point? 2427 * 2428 * When you first glance at this you might think that all entries 2429 * that make up the position of the cum-ack would be in the 2430 * nr-mapping array only.. i.e. things up to the cum-ack are always 2431 * deliverable. Thats true with one exception, when its a fragmented 2432 * message we may not deliver the data until some threshold (or all 2433 * of it) is in place. So we must OR the nr_mapping_array and 2434 * mapping_array to get a true picture of the cum-ack. 2435 */ 2436 struct sctp_association *asoc; 2437 int at; 2438 uint8_t val; 2439 int slide_from, slide_end, lgap, distance; 2440 uint32_t old_cumack, old_base, old_highest, highest_tsn; 2441 2442 asoc = &stcb->asoc; 2443 2444 old_cumack = asoc->cumulative_tsn; 2445 old_base = asoc->mapping_array_base_tsn; 2446 old_highest = asoc->highest_tsn_inside_map; 2447 /* 2448 * We could probably improve this a small bit by calculating the 2449 * offset of the current cum-ack as the starting point. 2450 */ 2451 at = 0; 2452 for (slide_from = 0; slide_from < stcb->asoc.mapping_array_size; slide_from++) { 2453 val = asoc->nr_mapping_array[slide_from] | asoc->mapping_array[slide_from]; 2454 if (val == 0xff) { 2455 at += 8; 2456 } else { 2457 /* there is a 0 bit */ 2458 at += sctp_map_lookup_tab[val]; 2459 break; 2460 } 2461 } 2462 asoc->cumulative_tsn = asoc->mapping_array_base_tsn + (at - 1); 2463 2464 if (SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_map) && 2465 SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_nr_map)) { 2466#ifdef INVARIANTS 2467 panic("huh, cumack 0x%x greater than high-tsn 0x%x in map", 2468 asoc->cumulative_tsn, asoc->highest_tsn_inside_map); 2469#else 2470 SCTP_PRINTF("huh, cumack 0x%x greater than high-tsn 0x%x in map - should panic?\n", 2471 asoc->cumulative_tsn, asoc->highest_tsn_inside_map); 2472 sctp_print_mapping_array(asoc); 2473 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2474 sctp_log_map(0, 6, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 2475 } 2476 asoc->highest_tsn_inside_map = asoc->cumulative_tsn; 2477 asoc->highest_tsn_inside_nr_map = asoc->cumulative_tsn; 2478#endif 2479 } 2480 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) { 2481 highest_tsn = asoc->highest_tsn_inside_nr_map; 2482 } else { 2483 highest_tsn = asoc->highest_tsn_inside_map; 2484 } 2485 if ((asoc->cumulative_tsn == highest_tsn) && (at >= 8)) { 2486 /* The complete array was completed by a single FR */ 2487 /* highest becomes the cum-ack */ 2488 int clr; 2489#ifdef INVARIANTS 2490 unsigned int i; 2491#endif 2492 2493 /* clear the array */ 2494 clr = ((at + 7) >> 3); 2495 if (clr > asoc->mapping_array_size) { 2496 clr = asoc->mapping_array_size; 2497 } 2498 memset(asoc->mapping_array, 0, clr); 2499 memset(asoc->nr_mapping_array, 0, clr); 2500#ifdef INVARIANTS 2501 for (i = 0; i < asoc->mapping_array_size; i++) { 2502 if ((asoc->mapping_array[i]) || (asoc->nr_mapping_array[i])) { 2503 SCTP_PRINTF("Error Mapping array's not clean at clear\n"); 2504 sctp_print_mapping_array(asoc); 2505 } 2506 } 2507#endif 2508 asoc->mapping_array_base_tsn = asoc->cumulative_tsn + 1; 2509 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map = asoc->cumulative_tsn; 2510 } else if (at >= 8) { 2511 /* we can slide the mapping array down */ 2512 /* slide_from holds where we hit the first NON 0xff byte */ 2513 2514 /* 2515 * now calculate the ceiling of the move using our highest 2516 * TSN value 2517 */ 2518 SCTP_CALC_TSN_TO_GAP(lgap, highest_tsn, asoc->mapping_array_base_tsn); 2519 slide_end = (lgap >> 3); 2520 if (slide_end < slide_from) { 2521 sctp_print_mapping_array(asoc); 2522#ifdef INVARIANTS 2523 panic("impossible slide"); 2524#else 2525 SCTP_PRINTF("impossible slide lgap: %x slide_end: %x slide_from: %x? at: %d\n", 2526 lgap, slide_end, slide_from, at); 2527 return; 2528#endif 2529 } 2530 if (slide_end > asoc->mapping_array_size) { 2531#ifdef INVARIANTS 2532 panic("would overrun buffer"); 2533#else 2534 SCTP_PRINTF("Gak, would have overrun map end: %d slide_end: %d\n", 2535 asoc->mapping_array_size, slide_end); 2536 slide_end = asoc->mapping_array_size; 2537#endif 2538 } 2539 distance = (slide_end - slide_from) + 1; 2540 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2541 sctp_log_map(old_base, old_cumack, old_highest, 2542 SCTP_MAP_PREPARE_SLIDE); 2543 sctp_log_map((uint32_t)slide_from, (uint32_t)slide_end, 2544 (uint32_t)lgap, SCTP_MAP_SLIDE_FROM); 2545 } 2546 if (distance + slide_from > asoc->mapping_array_size || 2547 distance < 0) { 2548 /* 2549 * Here we do NOT slide forward the array so that 2550 * hopefully when more data comes in to fill it up 2551 * we will be able to slide it forward. Really I 2552 * don't think this should happen :-0 2553 */ 2554 2555 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2556 sctp_log_map((uint32_t)distance, (uint32_t)slide_from, 2557 (uint32_t)asoc->mapping_array_size, 2558 SCTP_MAP_SLIDE_NONE); 2559 } 2560 } else { 2561 int ii; 2562 2563 for (ii = 0; ii < distance; ii++) { 2564 asoc->mapping_array[ii] = asoc->mapping_array[slide_from + ii]; 2565 asoc->nr_mapping_array[ii] = asoc->nr_mapping_array[slide_from + ii]; 2566 2567 } 2568 for (ii = distance; ii < asoc->mapping_array_size; ii++) { 2569 asoc->mapping_array[ii] = 0; 2570 asoc->nr_mapping_array[ii] = 0; 2571 } 2572 if (asoc->highest_tsn_inside_map + 1 == asoc->mapping_array_base_tsn) { 2573 asoc->highest_tsn_inside_map += (slide_from << 3); 2574 } 2575 if (asoc->highest_tsn_inside_nr_map + 1 == asoc->mapping_array_base_tsn) { 2576 asoc->highest_tsn_inside_nr_map += (slide_from << 3); 2577 } 2578 asoc->mapping_array_base_tsn += (slide_from << 3); 2579 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2580 sctp_log_map(asoc->mapping_array_base_tsn, 2581 asoc->cumulative_tsn, asoc->highest_tsn_inside_map, 2582 SCTP_MAP_SLIDE_RESULT); 2583 } 2584 } 2585 } 2586} 2587 2588void 2589sctp_sack_check(struct sctp_tcb *stcb, int was_a_gap) 2590{ 2591 struct sctp_association *asoc; 2592 uint32_t highest_tsn; 2593 int is_a_gap; 2594 2595 sctp_slide_mapping_arrays(stcb); 2596 asoc = &stcb->asoc; 2597 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) { 2598 highest_tsn = asoc->highest_tsn_inside_nr_map; 2599 } else { 2600 highest_tsn = asoc->highest_tsn_inside_map; 2601 } 2602 /* Is there a gap now? */ 2603 is_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn); 2604 2605 /* 2606 * Now we need to see if we need to queue a sack or just start the 2607 * timer (if allowed). 2608 */ 2609 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) { 2610 /* 2611 * Ok special case, in SHUTDOWN-SENT case. here we maker 2612 * sure SACK timer is off and instead send a SHUTDOWN and a 2613 * SACK 2614 */ 2615 if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) { 2616 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, 2617 stcb->sctp_ep, stcb, NULL, 2618 SCTP_FROM_SCTP_INDATA + SCTP_LOC_18); 2619 } 2620 sctp_send_shutdown(stcb, 2621 ((stcb->asoc.alternate) ? stcb->asoc.alternate : stcb->asoc.primary_destination)); 2622 if (is_a_gap) { 2623 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED); 2624 } 2625 } else { 2626 /* 2627 * CMT DAC algorithm: increase number of packets received 2628 * since last ack 2629 */ 2630 stcb->asoc.cmt_dac_pkts_rcvd++; 2631 2632 if ((stcb->asoc.send_sack == 1) || /* We need to send a 2633 * SACK */ 2634 ((was_a_gap) && (is_a_gap == 0)) || /* was a gap, but no 2635 * longer is one */ 2636 (stcb->asoc.numduptsns) || /* we have dup's */ 2637 (is_a_gap) || /* is still a gap */ 2638 (stcb->asoc.delayed_ack == 0) || /* Delayed sack disabled */ 2639 (stcb->asoc.data_pkts_seen >= stcb->asoc.sack_freq) /* hit limit of pkts */ 2640 ) { 2641 2642 if ((stcb->asoc.sctp_cmt_on_off > 0) && 2643 (SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) && 2644 (stcb->asoc.send_sack == 0) && 2645 (stcb->asoc.numduptsns == 0) && 2646 (stcb->asoc.delayed_ack) && 2647 (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer))) { 2648 2649 /* 2650 * CMT DAC algorithm: With CMT, delay acks 2651 * even in the face of 2652 * 2653 * reordering. Therefore, if acks that do 2654 * not have to be sent because of the above 2655 * reasons, will be delayed. That is, acks 2656 * that would have been sent due to gap 2657 * reports will be delayed with DAC. Start 2658 * the delayed ack timer. 2659 */ 2660 sctp_timer_start(SCTP_TIMER_TYPE_RECV, 2661 stcb->sctp_ep, stcb, NULL); 2662 } else { 2663 /* 2664 * Ok we must build a SACK since the timer 2665 * is pending, we got our first packet OR 2666 * there are gaps or duplicates. 2667 */ 2668 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL, 2669 SCTP_FROM_SCTP_INDATA + SCTP_LOC_19); 2670 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED); 2671 } 2672 } else { 2673 if (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) { 2674 sctp_timer_start(SCTP_TIMER_TYPE_RECV, 2675 stcb->sctp_ep, stcb, NULL); 2676 } 2677 } 2678 } 2679} 2680 2681int 2682sctp_process_data(struct mbuf **mm, int iphlen, int *offset, int length, 2683 struct sctp_inpcb *inp, struct sctp_tcb *stcb, 2684 struct sctp_nets *net, uint32_t *high_tsn) 2685{ 2686 struct sctp_chunkhdr *ch, chunk_buf; 2687 struct sctp_association *asoc; 2688 int num_chunks = 0; /* number of control chunks processed */ 2689 int stop_proc = 0; 2690 int break_flag, last_chunk; 2691 int abort_flag = 0, was_a_gap; 2692 struct mbuf *m; 2693 uint32_t highest_tsn; 2694 uint16_t chk_length; 2695 2696 /* set the rwnd */ 2697 sctp_set_rwnd(stcb, &stcb->asoc); 2698 2699 m = *mm; 2700 SCTP_TCB_LOCK_ASSERT(stcb); 2701 asoc = &stcb->asoc; 2702 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) { 2703 highest_tsn = asoc->highest_tsn_inside_nr_map; 2704 } else { 2705 highest_tsn = asoc->highest_tsn_inside_map; 2706 } 2707 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn); 2708 /* 2709 * setup where we got the last DATA packet from for any SACK that 2710 * may need to go out. Don't bump the net. This is done ONLY when a 2711 * chunk is assigned. 2712 */ 2713 asoc->last_data_chunk_from = net; 2714 2715 /*- 2716 * Now before we proceed we must figure out if this is a wasted 2717 * cluster... i.e. it is a small packet sent in and yet the driver 2718 * underneath allocated a full cluster for it. If so we must copy it 2719 * to a smaller mbuf and free up the cluster mbuf. This will help 2720 * with cluster starvation. Note for __Panda__ we don't do this 2721 * since it has clusters all the way down to 64 bytes. 2722 */ 2723 if (SCTP_BUF_LEN(m) < (long)MLEN && SCTP_BUF_NEXT(m) == NULL) { 2724 /* we only handle mbufs that are singletons.. not chains */ 2725 m = sctp_get_mbuf_for_msg(SCTP_BUF_LEN(m), 0, M_NOWAIT, 1, MT_DATA); 2726 if (m) { 2727 /* ok lets see if we can copy the data up */ 2728 caddr_t *from, *to; 2729 2730 /* get the pointers and copy */ 2731 to = mtod(m, caddr_t *); 2732 from = mtod((*mm), caddr_t *); 2733 memcpy(to, from, SCTP_BUF_LEN((*mm))); 2734 /* copy the length and free up the old */ 2735 SCTP_BUF_LEN(m) = SCTP_BUF_LEN((*mm)); 2736 sctp_m_freem(*mm); 2737 /* success, back copy */ 2738 *mm = m; 2739 } else { 2740 /* We are in trouble in the mbuf world .. yikes */ 2741 m = *mm; 2742 } 2743 } 2744 /* get pointer to the first chunk header */ 2745 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 2746 sizeof(struct sctp_chunkhdr), 2747 (uint8_t *)&chunk_buf); 2748 if (ch == NULL) { 2749 return (1); 2750 } 2751 /* 2752 * process all DATA chunks... 2753 */ 2754 *high_tsn = asoc->cumulative_tsn; 2755 break_flag = 0; 2756 asoc->data_pkts_seen++; 2757 while (stop_proc == 0) { 2758 /* validate chunk length */ 2759 chk_length = ntohs(ch->chunk_length); 2760 if (length - *offset < chk_length) { 2761 /* all done, mutulated chunk */ 2762 stop_proc = 1; 2763 continue; 2764 } 2765 if ((asoc->idata_supported == 1) && 2766 (ch->chunk_type == SCTP_DATA)) { 2767 struct mbuf *op_err; 2768 char msg[SCTP_DIAG_INFO_LEN]; 2769 2770 snprintf(msg, sizeof(msg), "%s", "I-DATA chunk received when DATA was negotiated"); 2771 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2772 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_20; 2773 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2774 return (2); 2775 } 2776 if ((asoc->idata_supported == 0) && 2777 (ch->chunk_type == SCTP_IDATA)) { 2778 struct mbuf *op_err; 2779 char msg[SCTP_DIAG_INFO_LEN]; 2780 2781 snprintf(msg, sizeof(msg), "%s", "DATA chunk received when I-DATA was negotiated"); 2782 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2783 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_21; 2784 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2785 return (2); 2786 } 2787 if ((ch->chunk_type == SCTP_DATA) || 2788 (ch->chunk_type == SCTP_IDATA)) { 2789 uint16_t clen; 2790 2791 if (ch->chunk_type == SCTP_DATA) { 2792 clen = sizeof(struct sctp_data_chunk); 2793 } else { 2794 clen = sizeof(struct sctp_idata_chunk); 2795 } 2796 if (chk_length < clen) { 2797 /* 2798 * Need to send an abort since we had a 2799 * invalid data chunk. 2800 */ 2801 struct mbuf *op_err; 2802 char msg[SCTP_DIAG_INFO_LEN]; 2803 2804 snprintf(msg, sizeof(msg), "%s chunk of length %u", 2805 ch->chunk_type == SCTP_DATA ? "DATA" : "I-DATA", 2806 chk_length); 2807 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2808 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_22; 2809 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2810 return (2); 2811 } 2812#ifdef SCTP_AUDITING_ENABLED 2813 sctp_audit_log(0xB1, 0); 2814#endif 2815 if (SCTP_SIZE32(chk_length) == (length - *offset)) { 2816 last_chunk = 1; 2817 } else { 2818 last_chunk = 0; 2819 } 2820 if (sctp_process_a_data_chunk(stcb, asoc, mm, *offset, 2821 chk_length, net, high_tsn, &abort_flag, &break_flag, 2822 last_chunk, ch->chunk_type)) { 2823 num_chunks++; 2824 } 2825 if (abort_flag) 2826 return (2); 2827 2828 if (break_flag) { 2829 /* 2830 * Set because of out of rwnd space and no 2831 * drop rep space left. 2832 */ 2833 stop_proc = 1; 2834 continue; 2835 } 2836 } else { 2837 /* not a data chunk in the data region */ 2838 switch (ch->chunk_type) { 2839 case SCTP_INITIATION: 2840 case SCTP_INITIATION_ACK: 2841 case SCTP_SELECTIVE_ACK: 2842 case SCTP_NR_SELECTIVE_ACK: 2843 case SCTP_HEARTBEAT_REQUEST: 2844 case SCTP_HEARTBEAT_ACK: 2845 case SCTP_ABORT_ASSOCIATION: 2846 case SCTP_SHUTDOWN: 2847 case SCTP_SHUTDOWN_ACK: 2848 case SCTP_OPERATION_ERROR: 2849 case SCTP_COOKIE_ECHO: 2850 case SCTP_COOKIE_ACK: 2851 case SCTP_ECN_ECHO: 2852 case SCTP_ECN_CWR: 2853 case SCTP_SHUTDOWN_COMPLETE: 2854 case SCTP_AUTHENTICATION: 2855 case SCTP_ASCONF_ACK: 2856 case SCTP_PACKET_DROPPED: 2857 case SCTP_STREAM_RESET: 2858 case SCTP_FORWARD_CUM_TSN: 2859 case SCTP_ASCONF: 2860 { 2861 /* 2862 * Now, what do we do with KNOWN 2863 * chunks that are NOT in the right 2864 * place? 2865 * 2866 * For now, I do nothing but ignore 2867 * them. We may later want to add 2868 * sysctl stuff to switch out and do 2869 * either an ABORT() or possibly 2870 * process them. 2871 */ 2872 struct mbuf *op_err; 2873 char msg[SCTP_DIAG_INFO_LEN]; 2874 2875 snprintf(msg, sizeof(msg), "DATA chunk followed by chunk of type %2.2x", 2876 ch->chunk_type); 2877 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2878 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2879 return (2); 2880 } 2881 default: 2882 /* 2883 * Unknown chunk type: use bit rules after 2884 * checking length 2885 */ 2886 if (chk_length < sizeof(struct sctp_chunkhdr)) { 2887 /* 2888 * Need to send an abort since we 2889 * had a invalid chunk. 2890 */ 2891 struct mbuf *op_err; 2892 char msg[SCTP_DIAG_INFO_LEN]; 2893 2894 snprintf(msg, sizeof(msg), "Chunk of length %u", 2895 chk_length); 2896 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2897 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_23; 2898 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2899 return (2); 2900 } 2901 if (ch->chunk_type & 0x40) { 2902 /* Add a error report to the queue */ 2903 struct mbuf *op_err; 2904 struct sctp_gen_error_cause *cause; 2905 2906 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause), 2907 0, M_NOWAIT, 1, MT_DATA); 2908 if (op_err != NULL) { 2909 cause = mtod(op_err, struct sctp_gen_error_cause *); 2910 cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK); 2911 cause->length = htons((uint16_t)(chk_length + sizeof(struct sctp_gen_error_cause))); 2912 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause); 2913 SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, chk_length, M_NOWAIT); 2914 if (SCTP_BUF_NEXT(op_err) != NULL) { 2915 sctp_queue_op_err(stcb, op_err); 2916 } else { 2917 sctp_m_freem(op_err); 2918 } 2919 } 2920 } 2921 if ((ch->chunk_type & 0x80) == 0) { 2922 /* discard the rest of this packet */ 2923 stop_proc = 1; 2924 } /* else skip this bad chunk and 2925 * continue... */ 2926 break; 2927 } /* switch of chunk type */ 2928 } 2929 *offset += SCTP_SIZE32(chk_length); 2930 if ((*offset >= length) || stop_proc) { 2931 /* no more data left in the mbuf chain */ 2932 stop_proc = 1; 2933 continue; 2934 } 2935 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 2936 sizeof(struct sctp_chunkhdr), 2937 (uint8_t *)&chunk_buf); 2938 if (ch == NULL) { 2939 *offset = length; 2940 stop_proc = 1; 2941 continue; 2942 } 2943 } 2944 if (break_flag) { 2945 /* 2946 * we need to report rwnd overrun drops. 2947 */ 2948 sctp_send_packet_dropped(stcb, net, *mm, length, iphlen, 0); 2949 } 2950 if (num_chunks) { 2951 /* 2952 * Did we get data, if so update the time for auto-close and 2953 * give peer credit for being alive. 2954 */ 2955 SCTP_STAT_INCR(sctps_recvpktwithdata); 2956 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 2957 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 2958 stcb->asoc.overall_error_count, 2959 0, 2960 SCTP_FROM_SCTP_INDATA, 2961 __LINE__); 2962 } 2963 stcb->asoc.overall_error_count = 0; 2964 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_last_rcvd); 2965 } 2966 /* now service all of the reassm queue if needed */ 2967 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) { 2968 /* Assure that we ack right away */ 2969 stcb->asoc.send_sack = 1; 2970 } 2971 /* Start a sack timer or QUEUE a SACK for sending */ 2972 sctp_sack_check(stcb, was_a_gap); 2973 return (0); 2974} 2975 2976static int 2977sctp_process_segment_range(struct sctp_tcb *stcb, struct sctp_tmit_chunk **p_tp1, uint32_t last_tsn, 2978 uint16_t frag_strt, uint16_t frag_end, int nr_sacking, 2979 int *num_frs, 2980 uint32_t *biggest_newly_acked_tsn, 2981 uint32_t *this_sack_lowest_newack, 2982 int *rto_ok) 2983{ 2984 struct sctp_tmit_chunk *tp1; 2985 unsigned int theTSN; 2986 int j, wake_him = 0, circled = 0; 2987 2988 /* Recover the tp1 we last saw */ 2989 tp1 = *p_tp1; 2990 if (tp1 == NULL) { 2991 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2992 } 2993 for (j = frag_strt; j <= frag_end; j++) { 2994 theTSN = j + last_tsn; 2995 while (tp1) { 2996 if (tp1->rec.data.doing_fast_retransmit) 2997 (*num_frs) += 1; 2998 2999 /*- 3000 * CMT: CUCv2 algorithm. For each TSN being 3001 * processed from the sent queue, track the 3002 * next expected pseudo-cumack, or 3003 * rtx_pseudo_cumack, if required. Separate 3004 * cumack trackers for first transmissions, 3005 * and retransmissions. 3006 */ 3007 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && 3008 (tp1->whoTo->find_pseudo_cumack == 1) && 3009 (tp1->snd_count == 1)) { 3010 tp1->whoTo->pseudo_cumack = tp1->rec.data.tsn; 3011 tp1->whoTo->find_pseudo_cumack = 0; 3012 } 3013 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && 3014 (tp1->whoTo->find_rtx_pseudo_cumack == 1) && 3015 (tp1->snd_count > 1)) { 3016 tp1->whoTo->rtx_pseudo_cumack = tp1->rec.data.tsn; 3017 tp1->whoTo->find_rtx_pseudo_cumack = 0; 3018 } 3019 if (tp1->rec.data.tsn == theTSN) { 3020 if (tp1->sent != SCTP_DATAGRAM_UNSENT) { 3021 /*- 3022 * must be held until 3023 * cum-ack passes 3024 */ 3025 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3026 /*- 3027 * If it is less than RESEND, it is 3028 * now no-longer in flight. 3029 * Higher values may already be set 3030 * via previous Gap Ack Blocks... 3031 * i.e. ACKED or RESEND. 3032 */ 3033 if (SCTP_TSN_GT(tp1->rec.data.tsn, 3034 *biggest_newly_acked_tsn)) { 3035 *biggest_newly_acked_tsn = tp1->rec.data.tsn; 3036 } 3037 /*- 3038 * CMT: SFR algo (and HTNA) - set 3039 * saw_newack to 1 for dest being 3040 * newly acked. update 3041 * this_sack_highest_newack if 3042 * appropriate. 3043 */ 3044 if (tp1->rec.data.chunk_was_revoked == 0) 3045 tp1->whoTo->saw_newack = 1; 3046 3047 if (SCTP_TSN_GT(tp1->rec.data.tsn, 3048 tp1->whoTo->this_sack_highest_newack)) { 3049 tp1->whoTo->this_sack_highest_newack = 3050 tp1->rec.data.tsn; 3051 } 3052 /*- 3053 * CMT DAC algo: also update 3054 * this_sack_lowest_newack 3055 */ 3056 if (*this_sack_lowest_newack == 0) { 3057 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 3058 sctp_log_sack(*this_sack_lowest_newack, 3059 last_tsn, 3060 tp1->rec.data.tsn, 3061 0, 3062 0, 3063 SCTP_LOG_TSN_ACKED); 3064 } 3065 *this_sack_lowest_newack = tp1->rec.data.tsn; 3066 } 3067 /*- 3068 * CMT: CUCv2 algorithm. If (rtx-)pseudo-cumack for corresp 3069 * dest is being acked, then we have a new (rtx-)pseudo-cumack. Set 3070 * new_(rtx_)pseudo_cumack to TRUE so that the cwnd for this dest can be 3071 * updated. Also trigger search for the next expected (rtx-)pseudo-cumack. 3072 * Separate pseudo_cumack trackers for first transmissions and 3073 * retransmissions. 3074 */ 3075 if (tp1->rec.data.tsn == tp1->whoTo->pseudo_cumack) { 3076 if (tp1->rec.data.chunk_was_revoked == 0) { 3077 tp1->whoTo->new_pseudo_cumack = 1; 3078 } 3079 tp1->whoTo->find_pseudo_cumack = 1; 3080 } 3081 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) { 3082 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK); 3083 } 3084 if (tp1->rec.data.tsn == tp1->whoTo->rtx_pseudo_cumack) { 3085 if (tp1->rec.data.chunk_was_revoked == 0) { 3086 tp1->whoTo->new_pseudo_cumack = 1; 3087 } 3088 tp1->whoTo->find_rtx_pseudo_cumack = 1; 3089 } 3090 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 3091 sctp_log_sack(*biggest_newly_acked_tsn, 3092 last_tsn, 3093 tp1->rec.data.tsn, 3094 frag_strt, 3095 frag_end, 3096 SCTP_LOG_TSN_ACKED); 3097 } 3098 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3099 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_GAP, 3100 tp1->whoTo->flight_size, 3101 tp1->book_size, 3102 (uint32_t)(uintptr_t)tp1->whoTo, 3103 tp1->rec.data.tsn); 3104 } 3105 sctp_flight_size_decrease(tp1); 3106 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 3107 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 3108 tp1); 3109 } 3110 sctp_total_flight_decrease(stcb, tp1); 3111 3112 tp1->whoTo->net_ack += tp1->send_size; 3113 if (tp1->snd_count < 2) { 3114 /*- 3115 * True non-retransmited chunk 3116 */ 3117 tp1->whoTo->net_ack2 += tp1->send_size; 3118 3119 /*- 3120 * update RTO too ? 3121 */ 3122 if (tp1->do_rtt) { 3123 if (*rto_ok && 3124 sctp_calculate_rto(stcb, 3125 &stcb->asoc, 3126 tp1->whoTo, 3127 &tp1->sent_rcv_time, 3128 SCTP_RTT_FROM_DATA)) { 3129 *rto_ok = 0; 3130 } 3131 if (tp1->whoTo->rto_needed == 0) { 3132 tp1->whoTo->rto_needed = 1; 3133 } 3134 tp1->do_rtt = 0; 3135 } 3136 } 3137 3138 } 3139 if (tp1->sent <= SCTP_DATAGRAM_RESEND) { 3140 if (SCTP_TSN_GT(tp1->rec.data.tsn, 3141 stcb->asoc.this_sack_highest_gap)) { 3142 stcb->asoc.this_sack_highest_gap = 3143 tp1->rec.data.tsn; 3144 } 3145 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 3146 sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt); 3147#ifdef SCTP_AUDITING_ENABLED 3148 sctp_audit_log(0xB2, 3149 (stcb->asoc.sent_queue_retran_cnt & 0x000000ff)); 3150#endif 3151 } 3152 } 3153 /*- 3154 * All chunks NOT UNSENT fall through here and are marked 3155 * (leave PR-SCTP ones that are to skip alone though) 3156 */ 3157 if ((tp1->sent != SCTP_FORWARD_TSN_SKIP) && 3158 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) { 3159 tp1->sent = SCTP_DATAGRAM_MARKED; 3160 } 3161 if (tp1->rec.data.chunk_was_revoked) { 3162 /* deflate the cwnd */ 3163 tp1->whoTo->cwnd -= tp1->book_size; 3164 tp1->rec.data.chunk_was_revoked = 0; 3165 } 3166 /* NR Sack code here */ 3167 if (nr_sacking && 3168 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) { 3169 if (stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues > 0) { 3170 stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues--; 3171#ifdef INVARIANTS 3172 } else { 3173 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid); 3174#endif 3175 } 3176 if ((stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues == 0) && 3177 (stcb->asoc.strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) && 3178 TAILQ_EMPTY(&stcb->asoc.strmout[tp1->rec.data.sid].outqueue)) { 3179 stcb->asoc.trigger_reset = 1; 3180 } 3181 tp1->sent = SCTP_DATAGRAM_NR_ACKED; 3182 if (tp1->data) { 3183 /* 3184 * sa_ignore 3185 * NO_NULL_CHK 3186 */ 3187 sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1); 3188 sctp_m_freem(tp1->data); 3189 tp1->data = NULL; 3190 } 3191 wake_him++; 3192 } 3193 } 3194 break; 3195 } /* if (tp1->tsn == theTSN) */ 3196 if (SCTP_TSN_GT(tp1->rec.data.tsn, theTSN)) { 3197 break; 3198 } 3199 tp1 = TAILQ_NEXT(tp1, sctp_next); 3200 if ((tp1 == NULL) && (circled == 0)) { 3201 circled++; 3202 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 3203 } 3204 } /* end while (tp1) */ 3205 if (tp1 == NULL) { 3206 circled = 0; 3207 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 3208 } 3209 /* In case the fragments were not in order we must reset */ 3210 } /* end for (j = fragStart */ 3211 *p_tp1 = tp1; 3212 return (wake_him); /* Return value only used for nr-sack */ 3213} 3214 3215 3216static int 3217sctp_handle_segments(struct mbuf *m, int *offset, struct sctp_tcb *stcb, struct sctp_association *asoc, 3218 uint32_t last_tsn, uint32_t *biggest_tsn_acked, 3219 uint32_t *biggest_newly_acked_tsn, uint32_t *this_sack_lowest_newack, 3220 int num_seg, int num_nr_seg, int *rto_ok) 3221{ 3222 struct sctp_gap_ack_block *frag, block; 3223 struct sctp_tmit_chunk *tp1; 3224 int i; 3225 int num_frs = 0; 3226 int chunk_freed; 3227 int non_revocable; 3228 uint16_t frag_strt, frag_end, prev_frag_end; 3229 3230 tp1 = TAILQ_FIRST(&asoc->sent_queue); 3231 prev_frag_end = 0; 3232 chunk_freed = 0; 3233 3234 for (i = 0; i < (num_seg + num_nr_seg); i++) { 3235 if (i == num_seg) { 3236 prev_frag_end = 0; 3237 tp1 = TAILQ_FIRST(&asoc->sent_queue); 3238 } 3239 frag = (struct sctp_gap_ack_block *)sctp_m_getptr(m, *offset, 3240 sizeof(struct sctp_gap_ack_block), (uint8_t *)&block); 3241 *offset += sizeof(block); 3242 if (frag == NULL) { 3243 return (chunk_freed); 3244 } 3245 frag_strt = ntohs(frag->start); 3246 frag_end = ntohs(frag->end); 3247 3248 if (frag_strt > frag_end) { 3249 /* This gap report is malformed, skip it. */ 3250 continue; 3251 } 3252 if (frag_strt <= prev_frag_end) { 3253 /* This gap report is not in order, so restart. */ 3254 tp1 = TAILQ_FIRST(&asoc->sent_queue); 3255 } 3256 if (SCTP_TSN_GT((last_tsn + frag_end), *biggest_tsn_acked)) { 3257 *biggest_tsn_acked = last_tsn + frag_end; 3258 } 3259 if (i < num_seg) { 3260 non_revocable = 0; 3261 } else { 3262 non_revocable = 1; 3263 } 3264 if (sctp_process_segment_range(stcb, &tp1, last_tsn, frag_strt, frag_end, 3265 non_revocable, &num_frs, biggest_newly_acked_tsn, 3266 this_sack_lowest_newack, rto_ok)) { 3267 chunk_freed = 1; 3268 } 3269 prev_frag_end = frag_end; 3270 } 3271 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3272 if (num_frs) 3273 sctp_log_fr(*biggest_tsn_acked, 3274 *biggest_newly_acked_tsn, 3275 last_tsn, SCTP_FR_LOG_BIGGEST_TSNS); 3276 } 3277 return (chunk_freed); 3278} 3279 3280static void 3281sctp_check_for_revoked(struct sctp_tcb *stcb, 3282 struct sctp_association *asoc, uint32_t cumack, 3283 uint32_t biggest_tsn_acked) 3284{ 3285 struct sctp_tmit_chunk *tp1; 3286 3287 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 3288 if (SCTP_TSN_GT(tp1->rec.data.tsn, cumack)) { 3289 /* 3290 * ok this guy is either ACK or MARKED. If it is 3291 * ACKED it has been previously acked but not this 3292 * time i.e. revoked. If it is MARKED it was ACK'ed 3293 * again. 3294 */ 3295 if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked)) { 3296 break; 3297 } 3298 if (tp1->sent == SCTP_DATAGRAM_ACKED) { 3299 /* it has been revoked */ 3300 tp1->sent = SCTP_DATAGRAM_SENT; 3301 tp1->rec.data.chunk_was_revoked = 1; 3302 /* 3303 * We must add this stuff back in to assure 3304 * timers and such get started. 3305 */ 3306 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3307 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE, 3308 tp1->whoTo->flight_size, 3309 tp1->book_size, 3310 (uint32_t)(uintptr_t)tp1->whoTo, 3311 tp1->rec.data.tsn); 3312 } 3313 sctp_flight_size_increase(tp1); 3314 sctp_total_flight_increase(stcb, tp1); 3315 /* 3316 * We inflate the cwnd to compensate for our 3317 * artificial inflation of the flight_size. 3318 */ 3319 tp1->whoTo->cwnd += tp1->book_size; 3320 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 3321 sctp_log_sack(asoc->last_acked_seq, 3322 cumack, 3323 tp1->rec.data.tsn, 3324 0, 3325 0, 3326 SCTP_LOG_TSN_REVOKED); 3327 } 3328 } else if (tp1->sent == SCTP_DATAGRAM_MARKED) { 3329 /* it has been re-acked in this SACK */ 3330 tp1->sent = SCTP_DATAGRAM_ACKED; 3331 } 3332 } 3333 if (tp1->sent == SCTP_DATAGRAM_UNSENT) 3334 break; 3335 } 3336} 3337 3338 3339static void 3340sctp_strike_gap_ack_chunks(struct sctp_tcb *stcb, struct sctp_association *asoc, 3341 uint32_t biggest_tsn_acked, uint32_t biggest_tsn_newly_acked, uint32_t this_sack_lowest_newack, int accum_moved) 3342{ 3343 struct sctp_tmit_chunk *tp1; 3344 int strike_flag = 0; 3345 struct timeval now; 3346 int tot_retrans = 0; 3347 uint32_t sending_seq; 3348 struct sctp_nets *net; 3349 int num_dests_sacked = 0; 3350 3351 /* 3352 * select the sending_seq, this is either the next thing ready to be 3353 * sent but not transmitted, OR, the next seq we assign. 3354 */ 3355 tp1 = TAILQ_FIRST(&stcb->asoc.send_queue); 3356 if (tp1 == NULL) { 3357 sending_seq = asoc->sending_seq; 3358 } else { 3359 sending_seq = tp1->rec.data.tsn; 3360 } 3361 3362 /* CMT DAC algo: finding out if SACK is a mixed SACK */ 3363 if ((asoc->sctp_cmt_on_off > 0) && 3364 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3365 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 3366 if (net->saw_newack) 3367 num_dests_sacked++; 3368 } 3369 } 3370 if (stcb->asoc.prsctp_supported) { 3371 (void)SCTP_GETTIME_TIMEVAL(&now); 3372 } 3373 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 3374 strike_flag = 0; 3375 if (tp1->no_fr_allowed) { 3376 /* this one had a timeout or something */ 3377 continue; 3378 } 3379 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3380 if (tp1->sent < SCTP_DATAGRAM_RESEND) 3381 sctp_log_fr(biggest_tsn_newly_acked, 3382 tp1->rec.data.tsn, 3383 tp1->sent, 3384 SCTP_FR_LOG_CHECK_STRIKE); 3385 } 3386 if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked) || 3387 tp1->sent == SCTP_DATAGRAM_UNSENT) { 3388 /* done */ 3389 break; 3390 } 3391 if (stcb->asoc.prsctp_supported) { 3392 if ((PR_SCTP_TTL_ENABLED(tp1->flags)) && tp1->sent < SCTP_DATAGRAM_ACKED) { 3393 /* Is it expired? */ 3394 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) { 3395 /* Yes so drop it */ 3396 if (tp1->data != NULL) { 3397 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1, 3398 SCTP_SO_NOT_LOCKED); 3399 } 3400 continue; 3401 } 3402 } 3403 3404 } 3405 if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->this_sack_highest_gap) && 3406 !(accum_moved && asoc->fast_retran_loss_recovery)) { 3407 /* we are beyond the tsn in the sack */ 3408 break; 3409 } 3410 if (tp1->sent >= SCTP_DATAGRAM_RESEND) { 3411 /* either a RESEND, ACKED, or MARKED */ 3412 /* skip */ 3413 if (tp1->sent == SCTP_FORWARD_TSN_SKIP) { 3414 /* Continue strikin FWD-TSN chunks */ 3415 tp1->rec.data.fwd_tsn_cnt++; 3416 } 3417 continue; 3418 } 3419 /* 3420 * CMT : SFR algo (covers part of DAC and HTNA as well) 3421 */ 3422 if (tp1->whoTo && tp1->whoTo->saw_newack == 0) { 3423 /* 3424 * No new acks were receieved for data sent to this 3425 * dest. Therefore, according to the SFR algo for 3426 * CMT, no data sent to this dest can be marked for 3427 * FR using this SACK. 3428 */ 3429 continue; 3430 } else if (tp1->whoTo && 3431 SCTP_TSN_GT(tp1->rec.data.tsn, 3432 tp1->whoTo->this_sack_highest_newack) && 3433 !(accum_moved && asoc->fast_retran_loss_recovery)) { 3434 /* 3435 * CMT: New acks were receieved for data sent to 3436 * this dest. But no new acks were seen for data 3437 * sent after tp1. Therefore, according to the SFR 3438 * algo for CMT, tp1 cannot be marked for FR using 3439 * this SACK. This step covers part of the DAC algo 3440 * and the HTNA algo as well. 3441 */ 3442 continue; 3443 } 3444 /* 3445 * Here we check to see if we were have already done a FR 3446 * and if so we see if the biggest TSN we saw in the sack is 3447 * smaller than the recovery point. If so we don't strike 3448 * the tsn... otherwise we CAN strike the TSN. 3449 */ 3450 /* 3451 * @@@ JRI: Check for CMT if (accum_moved && 3452 * asoc->fast_retran_loss_recovery && (sctp_cmt_on_off == 3453 * 0)) { 3454 */ 3455 if (accum_moved && asoc->fast_retran_loss_recovery) { 3456 /* 3457 * Strike the TSN if in fast-recovery and cum-ack 3458 * moved. 3459 */ 3460 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3461 sctp_log_fr(biggest_tsn_newly_acked, 3462 tp1->rec.data.tsn, 3463 tp1->sent, 3464 SCTP_FR_LOG_STRIKE_CHUNK); 3465 } 3466 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3467 tp1->sent++; 3468 } 3469 if ((asoc->sctp_cmt_on_off > 0) && 3470 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3471 /* 3472 * CMT DAC algorithm: If SACK flag is set to 3473 * 0, then lowest_newack test will not pass 3474 * because it would have been set to the 3475 * cumack earlier. If not already to be 3476 * rtx'd, If not a mixed sack and if tp1 is 3477 * not between two sacked TSNs, then mark by 3478 * one more. NOTE that we are marking by one 3479 * additional time since the SACK DAC flag 3480 * indicates that two packets have been 3481 * received after this missing TSN. 3482 */ 3483 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) && 3484 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) { 3485 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3486 sctp_log_fr(16 + num_dests_sacked, 3487 tp1->rec.data.tsn, 3488 tp1->sent, 3489 SCTP_FR_LOG_STRIKE_CHUNK); 3490 } 3491 tp1->sent++; 3492 } 3493 } 3494 } else if ((tp1->rec.data.doing_fast_retransmit) && 3495 (asoc->sctp_cmt_on_off == 0)) { 3496 /* 3497 * For those that have done a FR we must take 3498 * special consideration if we strike. I.e the 3499 * biggest_newly_acked must be higher than the 3500 * sending_seq at the time we did the FR. 3501 */ 3502 if ( 3503#ifdef SCTP_FR_TO_ALTERNATE 3504 /* 3505 * If FR's go to new networks, then we must only do 3506 * this for singly homed asoc's. However if the FR's 3507 * go to the same network (Armando's work) then its 3508 * ok to FR multiple times. 3509 */ 3510 (asoc->numnets < 2) 3511#else 3512 (1) 3513#endif 3514 ) { 3515 3516 if (SCTP_TSN_GE(biggest_tsn_newly_acked, 3517 tp1->rec.data.fast_retran_tsn)) { 3518 /* 3519 * Strike the TSN, since this ack is 3520 * beyond where things were when we 3521 * did a FR. 3522 */ 3523 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3524 sctp_log_fr(biggest_tsn_newly_acked, 3525 tp1->rec.data.tsn, 3526 tp1->sent, 3527 SCTP_FR_LOG_STRIKE_CHUNK); 3528 } 3529 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3530 tp1->sent++; 3531 } 3532 strike_flag = 1; 3533 if ((asoc->sctp_cmt_on_off > 0) && 3534 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3535 /* 3536 * CMT DAC algorithm: If 3537 * SACK flag is set to 0, 3538 * then lowest_newack test 3539 * will not pass because it 3540 * would have been set to 3541 * the cumack earlier. If 3542 * not already to be rtx'd, 3543 * If not a mixed sack and 3544 * if tp1 is not between two 3545 * sacked TSNs, then mark by 3546 * one more. NOTE that we 3547 * are marking by one 3548 * additional time since the 3549 * SACK DAC flag indicates 3550 * that two packets have 3551 * been received after this 3552 * missing TSN. 3553 */ 3554 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && 3555 (num_dests_sacked == 1) && 3556 SCTP_TSN_GT(this_sack_lowest_newack, 3557 tp1->rec.data.tsn)) { 3558 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3559 sctp_log_fr(32 + num_dests_sacked, 3560 tp1->rec.data.tsn, 3561 tp1->sent, 3562 SCTP_FR_LOG_STRIKE_CHUNK); 3563 } 3564 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3565 tp1->sent++; 3566 } 3567 } 3568 } 3569 } 3570 } 3571 /* 3572 * JRI: TODO: remove code for HTNA algo. CMT's SFR 3573 * algo covers HTNA. 3574 */ 3575 } else if (SCTP_TSN_GT(tp1->rec.data.tsn, 3576 biggest_tsn_newly_acked)) { 3577 /* 3578 * We don't strike these: This is the HTNA 3579 * algorithm i.e. we don't strike If our TSN is 3580 * larger than the Highest TSN Newly Acked. 3581 */ 3582 ; 3583 } else { 3584 /* Strike the TSN */ 3585 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3586 sctp_log_fr(biggest_tsn_newly_acked, 3587 tp1->rec.data.tsn, 3588 tp1->sent, 3589 SCTP_FR_LOG_STRIKE_CHUNK); 3590 } 3591 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3592 tp1->sent++; 3593 } 3594 if ((asoc->sctp_cmt_on_off > 0) && 3595 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3596 /* 3597 * CMT DAC algorithm: If SACK flag is set to 3598 * 0, then lowest_newack test will not pass 3599 * because it would have been set to the 3600 * cumack earlier. If not already to be 3601 * rtx'd, If not a mixed sack and if tp1 is 3602 * not between two sacked TSNs, then mark by 3603 * one more. NOTE that we are marking by one 3604 * additional time since the SACK DAC flag 3605 * indicates that two packets have been 3606 * received after this missing TSN. 3607 */ 3608 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) && 3609 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) { 3610 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3611 sctp_log_fr(48 + num_dests_sacked, 3612 tp1->rec.data.tsn, 3613 tp1->sent, 3614 SCTP_FR_LOG_STRIKE_CHUNK); 3615 } 3616 tp1->sent++; 3617 } 3618 } 3619 } 3620 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 3621 struct sctp_nets *alt; 3622 3623 /* fix counts and things */ 3624 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3625 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_RSND, 3626 (tp1->whoTo ? (tp1->whoTo->flight_size) : 0), 3627 tp1->book_size, 3628 (uint32_t)(uintptr_t)tp1->whoTo, 3629 tp1->rec.data.tsn); 3630 } 3631 if (tp1->whoTo) { 3632 tp1->whoTo->net_ack++; 3633 sctp_flight_size_decrease(tp1); 3634 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 3635 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 3636 tp1); 3637 } 3638 } 3639 3640 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 3641 sctp_log_rwnd(SCTP_INCREASE_PEER_RWND, 3642 asoc->peers_rwnd, tp1->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)); 3643 } 3644 /* add back to the rwnd */ 3645 asoc->peers_rwnd += (tp1->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)); 3646 3647 /* remove from the total flight */ 3648 sctp_total_flight_decrease(stcb, tp1); 3649 3650 if ((stcb->asoc.prsctp_supported) && 3651 (PR_SCTP_RTX_ENABLED(tp1->flags))) { 3652 /* 3653 * Has it been retransmitted tv_sec times? - 3654 * we store the retran count there. 3655 */ 3656 if (tp1->snd_count > tp1->rec.data.timetodrop.tv_sec) { 3657 /* Yes, so drop it */ 3658 if (tp1->data != NULL) { 3659 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1, 3660 SCTP_SO_NOT_LOCKED); 3661 } 3662 /* Make sure to flag we had a FR */ 3663 if (tp1->whoTo != NULL) { 3664 tp1->whoTo->net_ack++; 3665 } 3666 continue; 3667 } 3668 } 3669 /* 3670 * SCTP_PRINTF("OK, we are now ready to FR this 3671 * guy\n"); 3672 */ 3673 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3674 sctp_log_fr(tp1->rec.data.tsn, tp1->snd_count, 3675 0, SCTP_FR_MARKED); 3676 } 3677 if (strike_flag) { 3678 /* This is a subsequent FR */ 3679 SCTP_STAT_INCR(sctps_sendmultfastretrans); 3680 } 3681 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3682 if (asoc->sctp_cmt_on_off > 0) { 3683 /* 3684 * CMT: Using RTX_SSTHRESH policy for CMT. 3685 * If CMT is being used, then pick dest with 3686 * largest ssthresh for any retransmission. 3687 */ 3688 tp1->no_fr_allowed = 1; 3689 alt = tp1->whoTo; 3690 /* sa_ignore NO_NULL_CHK */ 3691 if (asoc->sctp_cmt_pf > 0) { 3692 /* 3693 * JRS 5/18/07 - If CMT PF is on, 3694 * use the PF version of 3695 * find_alt_net() 3696 */ 3697 alt = sctp_find_alternate_net(stcb, alt, 2); 3698 } else { 3699 /* 3700 * JRS 5/18/07 - If only CMT is on, 3701 * use the CMT version of 3702 * find_alt_net() 3703 */ 3704 /* sa_ignore NO_NULL_CHK */ 3705 alt = sctp_find_alternate_net(stcb, alt, 1); 3706 } 3707 if (alt == NULL) { 3708 alt = tp1->whoTo; 3709 } 3710 /* 3711 * CUCv2: If a different dest is picked for 3712 * the retransmission, then new 3713 * (rtx-)pseudo_cumack needs to be tracked 3714 * for orig dest. Let CUCv2 track new (rtx-) 3715 * pseudo-cumack always. 3716 */ 3717 if (tp1->whoTo) { 3718 tp1->whoTo->find_pseudo_cumack = 1; 3719 tp1->whoTo->find_rtx_pseudo_cumack = 1; 3720 } 3721 3722 } else { /* CMT is OFF */ 3723 3724#ifdef SCTP_FR_TO_ALTERNATE 3725 /* Can we find an alternate? */ 3726 alt = sctp_find_alternate_net(stcb, tp1->whoTo, 0); 3727#else 3728 /* 3729 * default behavior is to NOT retransmit 3730 * FR's to an alternate. Armando Caro's 3731 * paper details why. 3732 */ 3733 alt = tp1->whoTo; 3734#endif 3735 } 3736 3737 tp1->rec.data.doing_fast_retransmit = 1; 3738 tot_retrans++; 3739 /* mark the sending seq for possible subsequent FR's */ 3740 /* 3741 * SCTP_PRINTF("Marking TSN for FR new value %x\n", 3742 * (uint32_t)tpi->rec.data.tsn); 3743 */ 3744 if (TAILQ_EMPTY(&asoc->send_queue)) { 3745 /* 3746 * If the queue of send is empty then its 3747 * the next sequence number that will be 3748 * assigned so we subtract one from this to 3749 * get the one we last sent. 3750 */ 3751 tp1->rec.data.fast_retran_tsn = sending_seq; 3752 } else { 3753 /* 3754 * If there are chunks on the send queue 3755 * (unsent data that has made it from the 3756 * stream queues but not out the door, we 3757 * take the first one (which will have the 3758 * lowest TSN) and subtract one to get the 3759 * one we last sent. 3760 */ 3761 struct sctp_tmit_chunk *ttt; 3762 3763 ttt = TAILQ_FIRST(&asoc->send_queue); 3764 tp1->rec.data.fast_retran_tsn = 3765 ttt->rec.data.tsn; 3766 } 3767 3768 if (tp1->do_rtt) { 3769 /* 3770 * this guy had a RTO calculation pending on 3771 * it, cancel it 3772 */ 3773 if ((tp1->whoTo != NULL) && 3774 (tp1->whoTo->rto_needed == 0)) { 3775 tp1->whoTo->rto_needed = 1; 3776 } 3777 tp1->do_rtt = 0; 3778 } 3779 if (alt != tp1->whoTo) { 3780 /* yes, there is an alternate. */ 3781 sctp_free_remote_addr(tp1->whoTo); 3782 /* sa_ignore FREED_MEMORY */ 3783 tp1->whoTo = alt; 3784 atomic_add_int(&alt->ref_count, 1); 3785 } 3786 } 3787 } 3788} 3789 3790struct sctp_tmit_chunk * 3791sctp_try_advance_peer_ack_point(struct sctp_tcb *stcb, 3792 struct sctp_association *asoc) 3793{ 3794 struct sctp_tmit_chunk *tp1, *tp2, *a_adv = NULL; 3795 struct timeval now; 3796 int now_filled = 0; 3797 3798 if (asoc->prsctp_supported == 0) { 3799 return (NULL); 3800 } 3801 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) { 3802 if (tp1->sent != SCTP_FORWARD_TSN_SKIP && 3803 tp1->sent != SCTP_DATAGRAM_RESEND && 3804 tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 3805 /* no chance to advance, out of here */ 3806 break; 3807 } 3808 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) { 3809 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) || 3810 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) { 3811 sctp_misc_ints(SCTP_FWD_TSN_CHECK, 3812 asoc->advanced_peer_ack_point, 3813 tp1->rec.data.tsn, 0, 0); 3814 } 3815 } 3816 if (!PR_SCTP_ENABLED(tp1->flags)) { 3817 /* 3818 * We can't fwd-tsn past any that are reliable aka 3819 * retransmitted until the asoc fails. 3820 */ 3821 break; 3822 } 3823 if (!now_filled) { 3824 (void)SCTP_GETTIME_TIMEVAL(&now); 3825 now_filled = 1; 3826 } 3827 /* 3828 * now we got a chunk which is marked for another 3829 * retransmission to a PR-stream but has run out its chances 3830 * already maybe OR has been marked to skip now. Can we skip 3831 * it if its a resend? 3832 */ 3833 if (tp1->sent == SCTP_DATAGRAM_RESEND && 3834 (PR_SCTP_TTL_ENABLED(tp1->flags))) { 3835 /* 3836 * Now is this one marked for resend and its time is 3837 * now up? 3838 */ 3839 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) { 3840 /* Yes so drop it */ 3841 if (tp1->data) { 3842 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 3843 1, SCTP_SO_NOT_LOCKED); 3844 } 3845 } else { 3846 /* 3847 * No, we are done when hit one for resend 3848 * whos time as not expired. 3849 */ 3850 break; 3851 } 3852 } 3853 /* 3854 * Ok now if this chunk is marked to drop it we can clean up 3855 * the chunk, advance our peer ack point and we can check 3856 * the next chunk. 3857 */ 3858 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) || 3859 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) { 3860 /* advance PeerAckPoint goes forward */ 3861 if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->advanced_peer_ack_point)) { 3862 asoc->advanced_peer_ack_point = tp1->rec.data.tsn; 3863 a_adv = tp1; 3864 } else if (tp1->rec.data.tsn == asoc->advanced_peer_ack_point) { 3865 /* No update but we do save the chk */ 3866 a_adv = tp1; 3867 } 3868 } else { 3869 /* 3870 * If it is still in RESEND we can advance no 3871 * further 3872 */ 3873 break; 3874 } 3875 } 3876 return (a_adv); 3877} 3878 3879static int 3880sctp_fs_audit(struct sctp_association *asoc) 3881{ 3882 struct sctp_tmit_chunk *chk; 3883 int inflight = 0, resend = 0, inbetween = 0, acked = 0, above = 0; 3884 int ret; 3885#ifndef INVARIANTS 3886 int entry_flight, entry_cnt; 3887#endif 3888 3889 ret = 0; 3890#ifndef INVARIANTS 3891 entry_flight = asoc->total_flight; 3892 entry_cnt = asoc->total_flight_count; 3893#endif 3894 if (asoc->pr_sctp_cnt >= asoc->sent_queue_cnt) 3895 return (0); 3896 3897 TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) { 3898 if (chk->sent < SCTP_DATAGRAM_RESEND) { 3899 SCTP_PRINTF("Chk TSN: %u size: %d inflight cnt: %d\n", 3900 chk->rec.data.tsn, 3901 chk->send_size, 3902 chk->snd_count); 3903 inflight++; 3904 } else if (chk->sent == SCTP_DATAGRAM_RESEND) { 3905 resend++; 3906 } else if (chk->sent < SCTP_DATAGRAM_ACKED) { 3907 inbetween++; 3908 } else if (chk->sent > SCTP_DATAGRAM_ACKED) { 3909 above++; 3910 } else { 3911 acked++; 3912 } 3913 } 3914 3915 if ((inflight > 0) || (inbetween > 0)) { 3916#ifdef INVARIANTS 3917 panic("Flight size-express incorrect? \n"); 3918#else 3919 SCTP_PRINTF("asoc->total_flight: %d cnt: %d\n", 3920 entry_flight, entry_cnt); 3921 3922 SCTP_PRINTF("Flight size-express incorrect F: %d I: %d R: %d Ab: %d ACK: %d\n", 3923 inflight, inbetween, resend, above, acked); 3924 ret = 1; 3925#endif 3926 } 3927 return (ret); 3928} 3929 3930 3931static void 3932sctp_window_probe_recovery(struct sctp_tcb *stcb, 3933 struct sctp_association *asoc, 3934 struct sctp_tmit_chunk *tp1) 3935{ 3936 tp1->window_probe = 0; 3937 if ((tp1->sent >= SCTP_DATAGRAM_ACKED) || (tp1->data == NULL)) { 3938 /* TSN's skipped we do NOT move back. */ 3939 sctp_misc_ints(SCTP_FLIGHT_LOG_DWN_WP_FWD, 3940 tp1->whoTo ? tp1->whoTo->flight_size : 0, 3941 tp1->book_size, 3942 (uint32_t)(uintptr_t)tp1->whoTo, 3943 tp1->rec.data.tsn); 3944 return; 3945 } 3946 /* First setup this by shrinking flight */ 3947 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 3948 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 3949 tp1); 3950 } 3951 sctp_flight_size_decrease(tp1); 3952 sctp_total_flight_decrease(stcb, tp1); 3953 /* Now mark for resend */ 3954 tp1->sent = SCTP_DATAGRAM_RESEND; 3955 sctp_ucount_incr(asoc->sent_queue_retran_cnt); 3956 3957 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3958 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_WP, 3959 tp1->whoTo->flight_size, 3960 tp1->book_size, 3961 (uint32_t)(uintptr_t)tp1->whoTo, 3962 tp1->rec.data.tsn); 3963 } 3964} 3965 3966void 3967sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack, 3968 uint32_t rwnd, int *abort_now, int ecne_seen) 3969{ 3970 struct sctp_nets *net; 3971 struct sctp_association *asoc; 3972 struct sctp_tmit_chunk *tp1, *tp2; 3973 uint32_t old_rwnd; 3974 int win_probe_recovery = 0; 3975 int win_probe_recovered = 0; 3976 int j, done_once = 0; 3977 int rto_ok = 1; 3978 uint32_t send_s; 3979 3980 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) { 3981 sctp_misc_ints(SCTP_SACK_LOG_EXPRESS, cumack, 3982 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd); 3983 } 3984 SCTP_TCB_LOCK_ASSERT(stcb); 3985#ifdef SCTP_ASOCLOG_OF_TSNS 3986 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cumack; 3987 stcb->asoc.cumack_log_at++; 3988 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) { 3989 stcb->asoc.cumack_log_at = 0; 3990 } 3991#endif 3992 asoc = &stcb->asoc; 3993 old_rwnd = asoc->peers_rwnd; 3994 if (SCTP_TSN_GT(asoc->last_acked_seq, cumack)) { 3995 /* old ack */ 3996 return; 3997 } else if (asoc->last_acked_seq == cumack) { 3998 /* Window update sack */ 3999 asoc->peers_rwnd = sctp_sbspace_sub(rwnd, 4000 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)))); 4001 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4002 /* SWS sender side engages */ 4003 asoc->peers_rwnd = 0; 4004 } 4005 if (asoc->peers_rwnd > old_rwnd) { 4006 goto again; 4007 } 4008 return; 4009 } 4010 4011 /* First setup for CC stuff */ 4012 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4013 if (SCTP_TSN_GT(cumack, net->cwr_window_tsn)) { 4014 /* Drag along the window_tsn for cwr's */ 4015 net->cwr_window_tsn = cumack; 4016 } 4017 net->prev_cwnd = net->cwnd; 4018 net->net_ack = 0; 4019 net->net_ack2 = 0; 4020 4021 /* 4022 * CMT: Reset CUC and Fast recovery algo variables before 4023 * SACK processing 4024 */ 4025 net->new_pseudo_cumack = 0; 4026 net->will_exit_fast_recovery = 0; 4027 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) { 4028 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net); 4029 } 4030 } 4031 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 4032 tp1 = TAILQ_LAST(&asoc->sent_queue, 4033 sctpchunk_listhead); 4034 send_s = tp1->rec.data.tsn + 1; 4035 } else { 4036 send_s = asoc->sending_seq; 4037 } 4038 if (SCTP_TSN_GE(cumack, send_s)) { 4039 struct mbuf *op_err; 4040 char msg[SCTP_DIAG_INFO_LEN]; 4041 4042 *abort_now = 1; 4043 /* XXX */ 4044 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x", 4045 cumack, send_s); 4046 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 4047 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24; 4048 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 4049 return; 4050 } 4051 asoc->this_sack_highest_gap = cumack; 4052 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4053 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4054 stcb->asoc.overall_error_count, 4055 0, 4056 SCTP_FROM_SCTP_INDATA, 4057 __LINE__); 4058 } 4059 stcb->asoc.overall_error_count = 0; 4060 if (SCTP_TSN_GT(cumack, asoc->last_acked_seq)) { 4061 /* process the new consecutive TSN first */ 4062 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) { 4063 if (SCTP_TSN_GE(cumack, tp1->rec.data.tsn)) { 4064 if (tp1->sent == SCTP_DATAGRAM_UNSENT) { 4065 SCTP_PRINTF("Warning, an unsent is now acked?\n"); 4066 } 4067 if (tp1->sent < SCTP_DATAGRAM_ACKED) { 4068 /* 4069 * If it is less than ACKED, it is 4070 * now no-longer in flight. Higher 4071 * values may occur during marking 4072 */ 4073 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 4074 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 4075 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA, 4076 tp1->whoTo->flight_size, 4077 tp1->book_size, 4078 (uint32_t)(uintptr_t)tp1->whoTo, 4079 tp1->rec.data.tsn); 4080 } 4081 sctp_flight_size_decrease(tp1); 4082 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 4083 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 4084 tp1); 4085 } 4086 /* sa_ignore NO_NULL_CHK */ 4087 sctp_total_flight_decrease(stcb, tp1); 4088 } 4089 tp1->whoTo->net_ack += tp1->send_size; 4090 if (tp1->snd_count < 2) { 4091 /* 4092 * True non-retransmited 4093 * chunk 4094 */ 4095 tp1->whoTo->net_ack2 += 4096 tp1->send_size; 4097 4098 /* update RTO too? */ 4099 if (tp1->do_rtt) { 4100 if (rto_ok && 4101 sctp_calculate_rto(stcb, 4102 &stcb->asoc, 4103 tp1->whoTo, 4104 &tp1->sent_rcv_time, 4105 SCTP_RTT_FROM_DATA)) { 4106 rto_ok = 0; 4107 } 4108 if (tp1->whoTo->rto_needed == 0) { 4109 tp1->whoTo->rto_needed = 1; 4110 } 4111 tp1->do_rtt = 0; 4112 } 4113 } 4114 /* 4115 * CMT: CUCv2 algorithm. From the 4116 * cumack'd TSNs, for each TSN being 4117 * acked for the first time, set the 4118 * following variables for the 4119 * corresp destination. 4120 * new_pseudo_cumack will trigger a 4121 * cwnd update. 4122 * find_(rtx_)pseudo_cumack will 4123 * trigger search for the next 4124 * expected (rtx-)pseudo-cumack. 4125 */ 4126 tp1->whoTo->new_pseudo_cumack = 1; 4127 tp1->whoTo->find_pseudo_cumack = 1; 4128 tp1->whoTo->find_rtx_pseudo_cumack = 1; 4129 4130 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) { 4131 /* sa_ignore NO_NULL_CHK */ 4132 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK); 4133 } 4134 } 4135 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 4136 sctp_ucount_decr(asoc->sent_queue_retran_cnt); 4137 } 4138 if (tp1->rec.data.chunk_was_revoked) { 4139 /* deflate the cwnd */ 4140 tp1->whoTo->cwnd -= tp1->book_size; 4141 tp1->rec.data.chunk_was_revoked = 0; 4142 } 4143 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 4144 if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) { 4145 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--; 4146#ifdef INVARIANTS 4147 } else { 4148 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid); 4149#endif 4150 } 4151 } 4152 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) && 4153 (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) && 4154 TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) { 4155 asoc->trigger_reset = 1; 4156 } 4157 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next); 4158 if (tp1->data) { 4159 /* sa_ignore NO_NULL_CHK */ 4160 sctp_free_bufspace(stcb, asoc, tp1, 1); 4161 sctp_m_freem(tp1->data); 4162 tp1->data = NULL; 4163 } 4164 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4165 sctp_log_sack(asoc->last_acked_seq, 4166 cumack, 4167 tp1->rec.data.tsn, 4168 0, 4169 0, 4170 SCTP_LOG_FREE_SENT); 4171 } 4172 asoc->sent_queue_cnt--; 4173 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED); 4174 } else { 4175 break; 4176 } 4177 } 4178 4179 } 4180 /* sa_ignore NO_NULL_CHK */ 4181 if (stcb->sctp_socket) { 4182#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4183 struct socket *so; 4184 4185#endif 4186 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd); 4187 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4188 /* sa_ignore NO_NULL_CHK */ 4189 sctp_wakeup_log(stcb, 1, SCTP_WAKESND_FROM_SACK); 4190 } 4191#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4192 so = SCTP_INP_SO(stcb->sctp_ep); 4193 atomic_add_int(&stcb->asoc.refcnt, 1); 4194 SCTP_TCB_UNLOCK(stcb); 4195 SCTP_SOCKET_LOCK(so, 1); 4196 SCTP_TCB_LOCK(stcb); 4197 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4198 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 4199 /* assoc was freed while we were unlocked */ 4200 SCTP_SOCKET_UNLOCK(so, 1); 4201 return; 4202 } 4203#endif 4204 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket); 4205#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4206 SCTP_SOCKET_UNLOCK(so, 1); 4207#endif 4208 } else { 4209 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4210 sctp_wakeup_log(stcb, 1, SCTP_NOWAKE_FROM_SACK); 4211 } 4212 } 4213 4214 /* JRS - Use the congestion control given in the CC module */ 4215 if ((asoc->last_acked_seq != cumack) && (ecne_seen == 0)) { 4216 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4217 if (net->net_ack2 > 0) { 4218 /* 4219 * Karn's rule applies to clearing error 4220 * count, this is optional. 4221 */ 4222 net->error_count = 0; 4223 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) { 4224 /* addr came good */ 4225 net->dest_state |= SCTP_ADDR_REACHABLE; 4226 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 4227 0, (void *)net, SCTP_SO_NOT_LOCKED); 4228 } 4229 if (net == stcb->asoc.primary_destination) { 4230 if (stcb->asoc.alternate) { 4231 /* 4232 * release the alternate, 4233 * primary is good 4234 */ 4235 sctp_free_remote_addr(stcb->asoc.alternate); 4236 stcb->asoc.alternate = NULL; 4237 } 4238 } 4239 if (net->dest_state & SCTP_ADDR_PF) { 4240 net->dest_state &= ~SCTP_ADDR_PF; 4241 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, 4242 stcb->sctp_ep, stcb, net, 4243 SCTP_FROM_SCTP_INDATA + SCTP_LOC_25); 4244 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net); 4245 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net); 4246 /* Done with this net */ 4247 net->net_ack = 0; 4248 } 4249 /* restore any doubled timers */ 4250 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv; 4251 if (net->RTO < stcb->asoc.minrto) { 4252 net->RTO = stcb->asoc.minrto; 4253 } 4254 if (net->RTO > stcb->asoc.maxrto) { 4255 net->RTO = stcb->asoc.maxrto; 4256 } 4257 } 4258 } 4259 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, 1, 0, 0); 4260 } 4261 asoc->last_acked_seq = cumack; 4262 4263 if (TAILQ_EMPTY(&asoc->sent_queue)) { 4264 /* nothing left in-flight */ 4265 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4266 net->flight_size = 0; 4267 net->partial_bytes_acked = 0; 4268 } 4269 asoc->total_flight = 0; 4270 asoc->total_flight_count = 0; 4271 } 4272 4273 /* RWND update */ 4274 asoc->peers_rwnd = sctp_sbspace_sub(rwnd, 4275 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)))); 4276 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4277 /* SWS sender side engages */ 4278 asoc->peers_rwnd = 0; 4279 } 4280 if (asoc->peers_rwnd > old_rwnd) { 4281 win_probe_recovery = 1; 4282 } 4283 /* Now assure a timer where data is queued at */ 4284again: 4285 j = 0; 4286 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4287 if (win_probe_recovery && (net->window_probe)) { 4288 win_probe_recovered = 1; 4289 /* 4290 * Find first chunk that was used with window probe 4291 * and clear the sent 4292 */ 4293 /* sa_ignore FREED_MEMORY */ 4294 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4295 if (tp1->window_probe) { 4296 /* move back to data send queue */ 4297 sctp_window_probe_recovery(stcb, asoc, tp1); 4298 break; 4299 } 4300 } 4301 } 4302 if (net->flight_size) { 4303 j++; 4304 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net); 4305 if (net->window_probe) { 4306 net->window_probe = 0; 4307 } 4308 } else { 4309 if (net->window_probe) { 4310 /* 4311 * In window probes we must assure a timer 4312 * is still running there 4313 */ 4314 net->window_probe = 0; 4315 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 4316 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net); 4317 } 4318 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 4319 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4320 stcb, net, 4321 SCTP_FROM_SCTP_INDATA + SCTP_LOC_26); 4322 } 4323 } 4324 } 4325 if ((j == 0) && 4326 (!TAILQ_EMPTY(&asoc->sent_queue)) && 4327 (asoc->sent_queue_retran_cnt == 0) && 4328 (win_probe_recovered == 0) && 4329 (done_once == 0)) { 4330 /* 4331 * huh, this should not happen unless all packets are 4332 * PR-SCTP and marked to skip of course. 4333 */ 4334 if (sctp_fs_audit(asoc)) { 4335 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4336 net->flight_size = 0; 4337 } 4338 asoc->total_flight = 0; 4339 asoc->total_flight_count = 0; 4340 asoc->sent_queue_retran_cnt = 0; 4341 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4342 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 4343 sctp_flight_size_increase(tp1); 4344 sctp_total_flight_increase(stcb, tp1); 4345 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) { 4346 sctp_ucount_incr(asoc->sent_queue_retran_cnt); 4347 } 4348 } 4349 } 4350 done_once = 1; 4351 goto again; 4352 } 4353 /**********************************/ 4354 /* Now what about shutdown issues */ 4355 /**********************************/ 4356 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) { 4357 /* nothing left on sendqueue.. consider done */ 4358 /* clean up */ 4359 if ((asoc->stream_queue_cnt == 1) && 4360 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 4361 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) && 4362 ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) { 4363 SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT); 4364 } 4365 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 4366 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) && 4367 (asoc->stream_queue_cnt == 1) && 4368 (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) { 4369 struct mbuf *op_err; 4370 4371 *abort_now = 1; 4372 /* XXX */ 4373 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, ""); 4374 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_27; 4375 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 4376 return; 4377 } 4378 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) && 4379 (asoc->stream_queue_cnt == 0)) { 4380 struct sctp_nets *netp; 4381 4382 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) || 4383 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 4384 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 4385 } 4386 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT); 4387 SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING); 4388 sctp_stop_timers_for_shutdown(stcb); 4389 if (asoc->alternate) { 4390 netp = asoc->alternate; 4391 } else { 4392 netp = asoc->primary_destination; 4393 } 4394 sctp_send_shutdown(stcb, netp); 4395 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, 4396 stcb->sctp_ep, stcb, netp); 4397 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 4398 stcb->sctp_ep, stcb, netp); 4399 } else if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) && 4400 (asoc->stream_queue_cnt == 0)) { 4401 struct sctp_nets *netp; 4402 4403 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 4404 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_ACK_SENT); 4405 SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING); 4406 sctp_stop_timers_for_shutdown(stcb); 4407 if (asoc->alternate) { 4408 netp = asoc->alternate; 4409 } else { 4410 netp = asoc->primary_destination; 4411 } 4412 sctp_send_shutdown_ack(stcb, netp); 4413 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, 4414 stcb->sctp_ep, stcb, netp); 4415 } 4416 } 4417 /*********************************************/ 4418 /* Here we perform PR-SCTP procedures */ 4419 /* (section 4.2) */ 4420 /*********************************************/ 4421 /* C1. update advancedPeerAckPoint */ 4422 if (SCTP_TSN_GT(cumack, asoc->advanced_peer_ack_point)) { 4423 asoc->advanced_peer_ack_point = cumack; 4424 } 4425 /* PR-Sctp issues need to be addressed too */ 4426 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) { 4427 struct sctp_tmit_chunk *lchk; 4428 uint32_t old_adv_peer_ack_point; 4429 4430 old_adv_peer_ack_point = asoc->advanced_peer_ack_point; 4431 lchk = sctp_try_advance_peer_ack_point(stcb, asoc); 4432 /* C3. See if we need to send a Fwd-TSN */ 4433 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cumack)) { 4434 /* 4435 * ISSUE with ECN, see FWD-TSN processing. 4436 */ 4437 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) { 4438 send_forward_tsn(stcb, asoc); 4439 } else if (lchk) { 4440 /* try to FR fwd-tsn's that get lost too */ 4441 if (lchk->rec.data.fwd_tsn_cnt >= 3) { 4442 send_forward_tsn(stcb, asoc); 4443 } 4444 } 4445 } 4446 for (; lchk != NULL; lchk = TAILQ_NEXT(lchk, sctp_next)) { 4447 if (lchk->whoTo != NULL) { 4448 break; 4449 } 4450 } 4451 if (lchk != NULL) { 4452 /* Assure a timer is up */ 4453 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4454 stcb->sctp_ep, stcb, lchk->whoTo); 4455 } 4456 } 4457 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) { 4458 sctp_misc_ints(SCTP_SACK_RWND_UPDATE, 4459 rwnd, 4460 stcb->asoc.peers_rwnd, 4461 stcb->asoc.total_flight, 4462 stcb->asoc.total_output_queue_size); 4463 } 4464} 4465 4466void 4467sctp_handle_sack(struct mbuf *m, int offset_seg, int offset_dup, 4468 struct sctp_tcb *stcb, 4469 uint16_t num_seg, uint16_t num_nr_seg, uint16_t num_dup, 4470 int *abort_now, uint8_t flags, 4471 uint32_t cum_ack, uint32_t rwnd, int ecne_seen) 4472{ 4473 struct sctp_association *asoc; 4474 struct sctp_tmit_chunk *tp1, *tp2; 4475 uint32_t last_tsn, biggest_tsn_acked, biggest_tsn_newly_acked, this_sack_lowest_newack; 4476 uint16_t wake_him = 0; 4477 uint32_t send_s = 0; 4478 long j; 4479 int accum_moved = 0; 4480 int will_exit_fast_recovery = 0; 4481 uint32_t a_rwnd, old_rwnd; 4482 int win_probe_recovery = 0; 4483 int win_probe_recovered = 0; 4484 struct sctp_nets *net = NULL; 4485 int done_once; 4486 int rto_ok = 1; 4487 uint8_t reneged_all = 0; 4488 uint8_t cmt_dac_flag; 4489 4490 /* 4491 * we take any chance we can to service our queues since we cannot 4492 * get awoken when the socket is read from :< 4493 */ 4494 /* 4495 * Now perform the actual SACK handling: 1) Verify that it is not an 4496 * old sack, if so discard. 2) If there is nothing left in the send 4497 * queue (cum-ack is equal to last acked) then you have a duplicate 4498 * too, update any rwnd change and verify no timers are running. 4499 * then return. 3) Process any new consequtive data i.e. cum-ack 4500 * moved process these first and note that it moved. 4) Process any 4501 * sack blocks. 5) Drop any acked from the queue. 6) Check for any 4502 * revoked blocks and mark. 7) Update the cwnd. 8) Nothing left, 4503 * sync up flightsizes and things, stop all timers and also check 4504 * for shutdown_pending state. If so then go ahead and send off the 4505 * shutdown. If in shutdown recv, send off the shutdown-ack and 4506 * start that timer, Ret. 9) Strike any non-acked things and do FR 4507 * procedure if needed being sure to set the FR flag. 10) Do pr-sctp 4508 * procedures. 11) Apply any FR penalties. 12) Assure we will SACK 4509 * if in shutdown_recv state. 4510 */ 4511 SCTP_TCB_LOCK_ASSERT(stcb); 4512 /* CMT DAC algo */ 4513 this_sack_lowest_newack = 0; 4514 SCTP_STAT_INCR(sctps_slowpath_sack); 4515 last_tsn = cum_ack; 4516 cmt_dac_flag = flags & SCTP_SACK_CMT_DAC; 4517#ifdef SCTP_ASOCLOG_OF_TSNS 4518 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cum_ack; 4519 stcb->asoc.cumack_log_at++; 4520 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) { 4521 stcb->asoc.cumack_log_at = 0; 4522 } 4523#endif 4524 a_rwnd = rwnd; 4525 4526 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) { 4527 sctp_misc_ints(SCTP_SACK_LOG_NORMAL, cum_ack, 4528 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd); 4529 } 4530 4531 old_rwnd = stcb->asoc.peers_rwnd; 4532 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4533 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4534 stcb->asoc.overall_error_count, 4535 0, 4536 SCTP_FROM_SCTP_INDATA, 4537 __LINE__); 4538 } 4539 stcb->asoc.overall_error_count = 0; 4540 asoc = &stcb->asoc; 4541 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4542 sctp_log_sack(asoc->last_acked_seq, 4543 cum_ack, 4544 0, 4545 num_seg, 4546 num_dup, 4547 SCTP_LOG_NEW_SACK); 4548 } 4549 if ((num_dup) && (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE)) { 4550 uint16_t i; 4551 uint32_t *dupdata, dblock; 4552 4553 for (i = 0; i < num_dup; i++) { 4554 dupdata = (uint32_t *)sctp_m_getptr(m, offset_dup + i * sizeof(uint32_t), 4555 sizeof(uint32_t), (uint8_t *)&dblock); 4556 if (dupdata == NULL) { 4557 break; 4558 } 4559 sctp_log_fr(*dupdata, 0, 0, SCTP_FR_DUPED); 4560 } 4561 } 4562 /* reality check */ 4563 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 4564 tp1 = TAILQ_LAST(&asoc->sent_queue, 4565 sctpchunk_listhead); 4566 send_s = tp1->rec.data.tsn + 1; 4567 } else { 4568 tp1 = NULL; 4569 send_s = asoc->sending_seq; 4570 } 4571 if (SCTP_TSN_GE(cum_ack, send_s)) { 4572 struct mbuf *op_err; 4573 char msg[SCTP_DIAG_INFO_LEN]; 4574 4575 /* 4576 * no way, we have not even sent this TSN out yet. Peer is 4577 * hopelessly messed up with us. 4578 */ 4579 SCTP_PRINTF("NEW cum_ack:%x send_s:%x is smaller or equal\n", 4580 cum_ack, send_s); 4581 if (tp1) { 4582 SCTP_PRINTF("Got send_s from tsn:%x + 1 of tp1: %p\n", 4583 tp1->rec.data.tsn, (void *)tp1); 4584 } 4585hopeless_peer: 4586 *abort_now = 1; 4587 /* XXX */ 4588 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x", 4589 cum_ack, send_s); 4590 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 4591 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_28; 4592 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 4593 return; 4594 } 4595 /**********************/ 4596 /* 1) check the range */ 4597 /**********************/ 4598 if (SCTP_TSN_GT(asoc->last_acked_seq, last_tsn)) { 4599 /* acking something behind */ 4600 return; 4601 } 4602 4603 /* update the Rwnd of the peer */ 4604 if (TAILQ_EMPTY(&asoc->sent_queue) && 4605 TAILQ_EMPTY(&asoc->send_queue) && 4606 (asoc->stream_queue_cnt == 0)) { 4607 /* nothing left on send/sent and strmq */ 4608 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 4609 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK, 4610 asoc->peers_rwnd, 0, 0, a_rwnd); 4611 } 4612 asoc->peers_rwnd = a_rwnd; 4613 if (asoc->sent_queue_retran_cnt) { 4614 asoc->sent_queue_retran_cnt = 0; 4615 } 4616 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4617 /* SWS sender side engages */ 4618 asoc->peers_rwnd = 0; 4619 } 4620 /* stop any timers */ 4621 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4622 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4623 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_29); 4624 net->partial_bytes_acked = 0; 4625 net->flight_size = 0; 4626 } 4627 asoc->total_flight = 0; 4628 asoc->total_flight_count = 0; 4629 return; 4630 } 4631 /* 4632 * We init netAckSz and netAckSz2 to 0. These are used to track 2 4633 * things. The total byte count acked is tracked in netAckSz AND 4634 * netAck2 is used to track the total bytes acked that are un- 4635 * amibguious and were never retransmitted. We track these on a per 4636 * destination address basis. 4637 */ 4638 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4639 if (SCTP_TSN_GT(cum_ack, net->cwr_window_tsn)) { 4640 /* Drag along the window_tsn for cwr's */ 4641 net->cwr_window_tsn = cum_ack; 4642 } 4643 net->prev_cwnd = net->cwnd; 4644 net->net_ack = 0; 4645 net->net_ack2 = 0; 4646 4647 /* 4648 * CMT: Reset CUC and Fast recovery algo variables before 4649 * SACK processing 4650 */ 4651 net->new_pseudo_cumack = 0; 4652 net->will_exit_fast_recovery = 0; 4653 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) { 4654 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net); 4655 } 4656 4657 /* 4658 * CMT: SFR algo (and HTNA) - this_sack_highest_newack has 4659 * to be greater than the cumack. Also reset saw_newack to 0 4660 * for all dests. 4661 */ 4662 net->saw_newack = 0; 4663 net->this_sack_highest_newack = last_tsn; 4664 } 4665 /* process the new consecutive TSN first */ 4666 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4667 if (SCTP_TSN_GE(last_tsn, tp1->rec.data.tsn)) { 4668 if (tp1->sent != SCTP_DATAGRAM_UNSENT) { 4669 accum_moved = 1; 4670 if (tp1->sent < SCTP_DATAGRAM_ACKED) { 4671 /* 4672 * If it is less than ACKED, it is 4673 * now no-longer in flight. Higher 4674 * values may occur during marking 4675 */ 4676 if ((tp1->whoTo->dest_state & 4677 SCTP_ADDR_UNCONFIRMED) && 4678 (tp1->snd_count < 2)) { 4679 /* 4680 * If there was no retran 4681 * and the address is 4682 * un-confirmed and we sent 4683 * there and are now 4684 * sacked.. its confirmed, 4685 * mark it so. 4686 */ 4687 tp1->whoTo->dest_state &= 4688 ~SCTP_ADDR_UNCONFIRMED; 4689 } 4690 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 4691 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 4692 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA, 4693 tp1->whoTo->flight_size, 4694 tp1->book_size, 4695 (uint32_t)(uintptr_t)tp1->whoTo, 4696 tp1->rec.data.tsn); 4697 } 4698 sctp_flight_size_decrease(tp1); 4699 sctp_total_flight_decrease(stcb, tp1); 4700 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 4701 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 4702 tp1); 4703 } 4704 } 4705 tp1->whoTo->net_ack += tp1->send_size; 4706 4707 /* CMT SFR and DAC algos */ 4708 this_sack_lowest_newack = tp1->rec.data.tsn; 4709 tp1->whoTo->saw_newack = 1; 4710 4711 if (tp1->snd_count < 2) { 4712 /* 4713 * True non-retransmited 4714 * chunk 4715 */ 4716 tp1->whoTo->net_ack2 += 4717 tp1->send_size; 4718 4719 /* update RTO too? */ 4720 if (tp1->do_rtt) { 4721 if (rto_ok && 4722 sctp_calculate_rto(stcb, 4723 &stcb->asoc, 4724 tp1->whoTo, 4725 &tp1->sent_rcv_time, 4726 SCTP_RTT_FROM_DATA)) { 4727 rto_ok = 0; 4728 } 4729 if (tp1->whoTo->rto_needed == 0) { 4730 tp1->whoTo->rto_needed = 1; 4731 } 4732 tp1->do_rtt = 0; 4733 } 4734 } 4735 /* 4736 * CMT: CUCv2 algorithm. From the 4737 * cumack'd TSNs, for each TSN being 4738 * acked for the first time, set the 4739 * following variables for the 4740 * corresp destination. 4741 * new_pseudo_cumack will trigger a 4742 * cwnd update. 4743 * find_(rtx_)pseudo_cumack will 4744 * trigger search for the next 4745 * expected (rtx-)pseudo-cumack. 4746 */ 4747 tp1->whoTo->new_pseudo_cumack = 1; 4748 tp1->whoTo->find_pseudo_cumack = 1; 4749 tp1->whoTo->find_rtx_pseudo_cumack = 1; 4750 4751 4752 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4753 sctp_log_sack(asoc->last_acked_seq, 4754 cum_ack, 4755 tp1->rec.data.tsn, 4756 0, 4757 0, 4758 SCTP_LOG_TSN_ACKED); 4759 } 4760 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) { 4761 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK); 4762 } 4763 } 4764 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 4765 sctp_ucount_decr(asoc->sent_queue_retran_cnt); 4766#ifdef SCTP_AUDITING_ENABLED 4767 sctp_audit_log(0xB3, 4768 (asoc->sent_queue_retran_cnt & 0x000000ff)); 4769#endif 4770 } 4771 if (tp1->rec.data.chunk_was_revoked) { 4772 /* deflate the cwnd */ 4773 tp1->whoTo->cwnd -= tp1->book_size; 4774 tp1->rec.data.chunk_was_revoked = 0; 4775 } 4776 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 4777 tp1->sent = SCTP_DATAGRAM_ACKED; 4778 } 4779 } 4780 } else { 4781 break; 4782 } 4783 } 4784 biggest_tsn_newly_acked = biggest_tsn_acked = last_tsn; 4785 /* always set this up to cum-ack */ 4786 asoc->this_sack_highest_gap = last_tsn; 4787 4788 if ((num_seg > 0) || (num_nr_seg > 0)) { 4789 4790 /* 4791 * thisSackHighestGap will increase while handling NEW 4792 * segments this_sack_highest_newack will increase while 4793 * handling NEWLY ACKED chunks. this_sack_lowest_newack is 4794 * used for CMT DAC algo. saw_newack will also change. 4795 */ 4796 if (sctp_handle_segments(m, &offset_seg, stcb, asoc, last_tsn, &biggest_tsn_acked, 4797 &biggest_tsn_newly_acked, &this_sack_lowest_newack, 4798 num_seg, num_nr_seg, &rto_ok)) { 4799 wake_him++; 4800 } 4801 /* 4802 * validate the biggest_tsn_acked in the gap acks if strict 4803 * adherence is wanted. 4804 */ 4805 if (SCTP_TSN_GE(biggest_tsn_acked, send_s)) { 4806 /* 4807 * peer is either confused or we are under attack. 4808 * We must abort. 4809 */ 4810 SCTP_PRINTF("Hopeless peer! biggest_tsn_acked:%x largest seq:%x\n", 4811 biggest_tsn_acked, send_s); 4812 goto hopeless_peer; 4813 } 4814 } 4815 /*******************************************/ 4816 /* cancel ALL T3-send timer if accum moved */ 4817 /*******************************************/ 4818 if (asoc->sctp_cmt_on_off > 0) { 4819 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4820 if (net->new_pseudo_cumack) 4821 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4822 stcb, net, 4823 SCTP_FROM_SCTP_INDATA + SCTP_LOC_30); 4824 4825 } 4826 } else { 4827 if (accum_moved) { 4828 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4829 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4830 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_31); 4831 } 4832 } 4833 } 4834 /********************************************/ 4835 /* drop the acked chunks from the sentqueue */ 4836 /********************************************/ 4837 asoc->last_acked_seq = cum_ack; 4838 4839 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) { 4840 if (SCTP_TSN_GT(tp1->rec.data.tsn, cum_ack)) { 4841 break; 4842 } 4843 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 4844 if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) { 4845 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--; 4846#ifdef INVARIANTS 4847 } else { 4848 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid); 4849#endif 4850 } 4851 } 4852 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) && 4853 (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) && 4854 TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) { 4855 asoc->trigger_reset = 1; 4856 } 4857 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next); 4858 if (PR_SCTP_ENABLED(tp1->flags)) { 4859 if (asoc->pr_sctp_cnt != 0) 4860 asoc->pr_sctp_cnt--; 4861 } 4862 asoc->sent_queue_cnt--; 4863 if (tp1->data) { 4864 /* sa_ignore NO_NULL_CHK */ 4865 sctp_free_bufspace(stcb, asoc, tp1, 1); 4866 sctp_m_freem(tp1->data); 4867 tp1->data = NULL; 4868 if (asoc->prsctp_supported && PR_SCTP_BUF_ENABLED(tp1->flags)) { 4869 asoc->sent_queue_cnt_removeable--; 4870 } 4871 } 4872 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4873 sctp_log_sack(asoc->last_acked_seq, 4874 cum_ack, 4875 tp1->rec.data.tsn, 4876 0, 4877 0, 4878 SCTP_LOG_FREE_SENT); 4879 } 4880 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED); 4881 wake_him++; 4882 } 4883 if (TAILQ_EMPTY(&asoc->sent_queue) && (asoc->total_flight > 0)) { 4884#ifdef INVARIANTS 4885 panic("Warning flight size is positive and should be 0"); 4886#else 4887 SCTP_PRINTF("Warning flight size incorrect should be 0 is %d\n", 4888 asoc->total_flight); 4889#endif 4890 asoc->total_flight = 0; 4891 } 4892 4893 /* sa_ignore NO_NULL_CHK */ 4894 if ((wake_him) && (stcb->sctp_socket)) { 4895#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4896 struct socket *so; 4897 4898#endif 4899 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd); 4900 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4901 sctp_wakeup_log(stcb, wake_him, SCTP_WAKESND_FROM_SACK); 4902 } 4903#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4904 so = SCTP_INP_SO(stcb->sctp_ep); 4905 atomic_add_int(&stcb->asoc.refcnt, 1); 4906 SCTP_TCB_UNLOCK(stcb); 4907 SCTP_SOCKET_LOCK(so, 1); 4908 SCTP_TCB_LOCK(stcb); 4909 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4910 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 4911 /* assoc was freed while we were unlocked */ 4912 SCTP_SOCKET_UNLOCK(so, 1); 4913 return; 4914 } 4915#endif 4916 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket); 4917#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4918 SCTP_SOCKET_UNLOCK(so, 1); 4919#endif 4920 } else { 4921 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4922 sctp_wakeup_log(stcb, wake_him, SCTP_NOWAKE_FROM_SACK); 4923 } 4924 } 4925 4926 if (asoc->fast_retran_loss_recovery && accum_moved) { 4927 if (SCTP_TSN_GE(asoc->last_acked_seq, asoc->fast_recovery_tsn)) { 4928 /* Setup so we will exit RFC2582 fast recovery */ 4929 will_exit_fast_recovery = 1; 4930 } 4931 } 4932 /* 4933 * Check for revoked fragments: 4934 * 4935 * if Previous sack - Had no frags then we can't have any revoked if 4936 * Previous sack - Had frag's then - If we now have frags aka 4937 * num_seg > 0 call sctp_check_for_revoked() to tell if peer revoked 4938 * some of them. else - The peer revoked all ACKED fragments, since 4939 * we had some before and now we have NONE. 4940 */ 4941 4942 if (num_seg) { 4943 sctp_check_for_revoked(stcb, asoc, cum_ack, biggest_tsn_acked); 4944 asoc->saw_sack_with_frags = 1; 4945 } else if (asoc->saw_sack_with_frags) { 4946 int cnt_revoked = 0; 4947 4948 /* Peer revoked all dg's marked or acked */ 4949 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4950 if (tp1->sent == SCTP_DATAGRAM_ACKED) { 4951 tp1->sent = SCTP_DATAGRAM_SENT; 4952 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 4953 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE, 4954 tp1->whoTo->flight_size, 4955 tp1->book_size, 4956 (uint32_t)(uintptr_t)tp1->whoTo, 4957 tp1->rec.data.tsn); 4958 } 4959 sctp_flight_size_increase(tp1); 4960 sctp_total_flight_increase(stcb, tp1); 4961 tp1->rec.data.chunk_was_revoked = 1; 4962 /* 4963 * To ensure that this increase in 4964 * flightsize, which is artificial, does not 4965 * throttle the sender, we also increase the 4966 * cwnd artificially. 4967 */ 4968 tp1->whoTo->cwnd += tp1->book_size; 4969 cnt_revoked++; 4970 } 4971 } 4972 if (cnt_revoked) { 4973 reneged_all = 1; 4974 } 4975 asoc->saw_sack_with_frags = 0; 4976 } 4977 if (num_nr_seg > 0) 4978 asoc->saw_sack_with_nr_frags = 1; 4979 else 4980 asoc->saw_sack_with_nr_frags = 0; 4981 4982 /* JRS - Use the congestion control given in the CC module */ 4983 if (ecne_seen == 0) { 4984 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4985 if (net->net_ack2 > 0) { 4986 /* 4987 * Karn's rule applies to clearing error 4988 * count, this is optional. 4989 */ 4990 net->error_count = 0; 4991 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) { 4992 /* addr came good */ 4993 net->dest_state |= SCTP_ADDR_REACHABLE; 4994 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 4995 0, (void *)net, SCTP_SO_NOT_LOCKED); 4996 } 4997 4998 if (net == stcb->asoc.primary_destination) { 4999 if (stcb->asoc.alternate) { 5000 /* 5001 * release the alternate, 5002 * primary is good 5003 */ 5004 sctp_free_remote_addr(stcb->asoc.alternate); 5005 stcb->asoc.alternate = NULL; 5006 } 5007 } 5008 5009 if (net->dest_state & SCTP_ADDR_PF) { 5010 net->dest_state &= ~SCTP_ADDR_PF; 5011 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, 5012 stcb->sctp_ep, stcb, net, 5013 SCTP_FROM_SCTP_INDATA + SCTP_LOC_32); 5014 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net); 5015 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net); 5016 /* Done with this net */ 5017 net->net_ack = 0; 5018 } 5019 /* restore any doubled timers */ 5020 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv; 5021 if (net->RTO < stcb->asoc.minrto) { 5022 net->RTO = stcb->asoc.minrto; 5023 } 5024 if (net->RTO > stcb->asoc.maxrto) { 5025 net->RTO = stcb->asoc.maxrto; 5026 } 5027 } 5028 } 5029 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, accum_moved, reneged_all, will_exit_fast_recovery); 5030 } 5031 5032 if (TAILQ_EMPTY(&asoc->sent_queue)) { 5033 /* nothing left in-flight */ 5034 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5035 /* stop all timers */ 5036 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 5037 stcb, net, 5038 SCTP_FROM_SCTP_INDATA + SCTP_LOC_33); 5039 net->flight_size = 0; 5040 net->partial_bytes_acked = 0; 5041 } 5042 asoc->total_flight = 0; 5043 asoc->total_flight_count = 0; 5044 } 5045 5046 /**********************************/ 5047 /* Now what about shutdown issues */ 5048 /**********************************/ 5049 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) { 5050 /* nothing left on sendqueue.. consider done */ 5051 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 5052 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK, 5053 asoc->peers_rwnd, 0, 0, a_rwnd); 5054 } 5055 asoc->peers_rwnd = a_rwnd; 5056 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 5057 /* SWS sender side engages */ 5058 asoc->peers_rwnd = 0; 5059 } 5060 /* clean up */ 5061 if ((asoc->stream_queue_cnt == 1) && 5062 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 5063 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) && 5064 ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) { 5065 SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT); 5066 } 5067 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 5068 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) && 5069 (asoc->stream_queue_cnt == 1) && 5070 (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) { 5071 struct mbuf *op_err; 5072 5073 *abort_now = 1; 5074 /* XXX */ 5075 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, ""); 5076 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_34; 5077 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 5078 return; 5079 } 5080 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) && 5081 (asoc->stream_queue_cnt == 0)) { 5082 struct sctp_nets *netp; 5083 5084 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) || 5085 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 5086 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 5087 } 5088 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT); 5089 SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING); 5090 sctp_stop_timers_for_shutdown(stcb); 5091 if (asoc->alternate) { 5092 netp = asoc->alternate; 5093 } else { 5094 netp = asoc->primary_destination; 5095 } 5096 sctp_send_shutdown(stcb, netp); 5097 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, 5098 stcb->sctp_ep, stcb, netp); 5099 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 5100 stcb->sctp_ep, stcb, netp); 5101 return; 5102 } else if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) && 5103 (asoc->stream_queue_cnt == 0)) { 5104 struct sctp_nets *netp; 5105 5106 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 5107 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_ACK_SENT); 5108 SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING); 5109 sctp_stop_timers_for_shutdown(stcb); 5110 if (asoc->alternate) { 5111 netp = asoc->alternate; 5112 } else { 5113 netp = asoc->primary_destination; 5114 } 5115 sctp_send_shutdown_ack(stcb, netp); 5116 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, 5117 stcb->sctp_ep, stcb, netp); 5118 return; 5119 } 5120 } 5121 /* 5122 * Now here we are going to recycle net_ack for a different use... 5123 * HEADS UP. 5124 */ 5125 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5126 net->net_ack = 0; 5127 } 5128 5129 /* 5130 * CMT DAC algorithm: If SACK DAC flag was 0, then no extra marking 5131 * to be done. Setting this_sack_lowest_newack to the cum_ack will 5132 * automatically ensure that. 5133 */ 5134 if ((asoc->sctp_cmt_on_off > 0) && 5135 SCTP_BASE_SYSCTL(sctp_cmt_use_dac) && 5136 (cmt_dac_flag == 0)) { 5137 this_sack_lowest_newack = cum_ack; 5138 } 5139 if ((num_seg > 0) || (num_nr_seg > 0)) { 5140 sctp_strike_gap_ack_chunks(stcb, asoc, biggest_tsn_acked, 5141 biggest_tsn_newly_acked, this_sack_lowest_newack, accum_moved); 5142 } 5143 /* JRS - Use the congestion control given in the CC module */ 5144 asoc->cc_functions.sctp_cwnd_update_after_fr(stcb, asoc); 5145 5146 /* Now are we exiting loss recovery ? */ 5147 if (will_exit_fast_recovery) { 5148 /* Ok, we must exit fast recovery */ 5149 asoc->fast_retran_loss_recovery = 0; 5150 } 5151 if ((asoc->sat_t3_loss_recovery) && 5152 SCTP_TSN_GE(asoc->last_acked_seq, asoc->sat_t3_recovery_tsn)) { 5153 /* end satellite t3 loss recovery */ 5154 asoc->sat_t3_loss_recovery = 0; 5155 } 5156 /* 5157 * CMT Fast recovery 5158 */ 5159 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5160 if (net->will_exit_fast_recovery) { 5161 /* Ok, we must exit fast recovery */ 5162 net->fast_retran_loss_recovery = 0; 5163 } 5164 } 5165 5166 /* Adjust and set the new rwnd value */ 5167 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 5168 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK, 5169 asoc->peers_rwnd, asoc->total_flight, (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)), a_rwnd); 5170 } 5171 asoc->peers_rwnd = sctp_sbspace_sub(a_rwnd, 5172 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)))); 5173 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 5174 /* SWS sender side engages */ 5175 asoc->peers_rwnd = 0; 5176 } 5177 if (asoc->peers_rwnd > old_rwnd) { 5178 win_probe_recovery = 1; 5179 } 5180 5181 /* 5182 * Now we must setup so we have a timer up for anyone with 5183 * outstanding data. 5184 */ 5185 done_once = 0; 5186again: 5187 j = 0; 5188 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5189 if (win_probe_recovery && (net->window_probe)) { 5190 win_probe_recovered = 1; 5191 /*- 5192 * Find first chunk that was used with 5193 * window probe and clear the event. Put 5194 * it back into the send queue as if has 5195 * not been sent. 5196 */ 5197 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 5198 if (tp1->window_probe) { 5199 sctp_window_probe_recovery(stcb, asoc, tp1); 5200 break; 5201 } 5202 } 5203 } 5204 if (net->flight_size) { 5205 j++; 5206 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 5207 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 5208 stcb->sctp_ep, stcb, net); 5209 } 5210 if (net->window_probe) { 5211 net->window_probe = 0; 5212 } 5213 } else { 5214 if (net->window_probe) { 5215 /* 5216 * In window probes we must assure a timer 5217 * is still running there 5218 */ 5219 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 5220 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 5221 stcb->sctp_ep, stcb, net); 5222 5223 } 5224 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 5225 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 5226 stcb, net, 5227 SCTP_FROM_SCTP_INDATA + SCTP_LOC_35); 5228 } 5229 } 5230 } 5231 if ((j == 0) && 5232 (!TAILQ_EMPTY(&asoc->sent_queue)) && 5233 (asoc->sent_queue_retran_cnt == 0) && 5234 (win_probe_recovered == 0) && 5235 (done_once == 0)) { 5236 /* 5237 * huh, this should not happen unless all packets are 5238 * PR-SCTP and marked to skip of course. 5239 */ 5240 if (sctp_fs_audit(asoc)) { 5241 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5242 net->flight_size = 0; 5243 } 5244 asoc->total_flight = 0; 5245 asoc->total_flight_count = 0; 5246 asoc->sent_queue_retran_cnt = 0; 5247 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 5248 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 5249 sctp_flight_size_increase(tp1); 5250 sctp_total_flight_increase(stcb, tp1); 5251 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) { 5252 sctp_ucount_incr(asoc->sent_queue_retran_cnt); 5253 } 5254 } 5255 } 5256 done_once = 1; 5257 goto again; 5258 } 5259 /*********************************************/ 5260 /* Here we perform PR-SCTP procedures */ 5261 /* (section 4.2) */ 5262 /*********************************************/ 5263 /* C1. update advancedPeerAckPoint */ 5264 if (SCTP_TSN_GT(cum_ack, asoc->advanced_peer_ack_point)) { 5265 asoc->advanced_peer_ack_point = cum_ack; 5266 } 5267 /* C2. try to further move advancedPeerAckPoint ahead */ 5268 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) { 5269 struct sctp_tmit_chunk *lchk; 5270 uint32_t old_adv_peer_ack_point; 5271 5272 old_adv_peer_ack_point = asoc->advanced_peer_ack_point; 5273 lchk = sctp_try_advance_peer_ack_point(stcb, asoc); 5274 /* C3. See if we need to send a Fwd-TSN */ 5275 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cum_ack)) { 5276 /* 5277 * ISSUE with ECN, see FWD-TSN processing. 5278 */ 5279 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) { 5280 sctp_misc_ints(SCTP_FWD_TSN_CHECK, 5281 0xee, cum_ack, asoc->advanced_peer_ack_point, 5282 old_adv_peer_ack_point); 5283 } 5284 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) { 5285 send_forward_tsn(stcb, asoc); 5286 } else if (lchk) { 5287 /* try to FR fwd-tsn's that get lost too */ 5288 if (lchk->rec.data.fwd_tsn_cnt >= 3) { 5289 send_forward_tsn(stcb, asoc); 5290 } 5291 } 5292 } 5293 for (; lchk != NULL; lchk = TAILQ_NEXT(lchk, sctp_next)) { 5294 if (lchk->whoTo != NULL) { 5295 break; 5296 } 5297 } 5298 if (lchk != NULL) { 5299 /* Assure a timer is up */ 5300 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 5301 stcb->sctp_ep, stcb, lchk->whoTo); 5302 } 5303 } 5304 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) { 5305 sctp_misc_ints(SCTP_SACK_RWND_UPDATE, 5306 a_rwnd, 5307 stcb->asoc.peers_rwnd, 5308 stcb->asoc.total_flight, 5309 stcb->asoc.total_output_queue_size); 5310 } 5311} 5312 5313void 5314sctp_update_acked(struct sctp_tcb *stcb, struct sctp_shutdown_chunk *cp, int *abort_flag) 5315{ 5316 /* Copy cum-ack */ 5317 uint32_t cum_ack, a_rwnd; 5318 5319 cum_ack = ntohl(cp->cumulative_tsn_ack); 5320 /* Arrange so a_rwnd does NOT change */ 5321 a_rwnd = stcb->asoc.peers_rwnd + stcb->asoc.total_flight; 5322 5323 /* Now call the express sack handling */ 5324 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, abort_flag, 0); 5325} 5326 5327static void 5328sctp_kick_prsctp_reorder_queue(struct sctp_tcb *stcb, 5329 struct sctp_stream_in *strmin) 5330{ 5331 struct sctp_queued_to_read *control, *ncontrol; 5332 struct sctp_association *asoc; 5333 uint32_t mid; 5334 int need_reasm_check = 0; 5335 5336 asoc = &stcb->asoc; 5337 mid = strmin->last_mid_delivered; 5338 /* 5339 * First deliver anything prior to and including the stream no that 5340 * came in. 5341 */ 5342 TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) { 5343 if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) { 5344 /* this is deliverable now */ 5345 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 5346 if (control->on_strm_q) { 5347 if (control->on_strm_q == SCTP_ON_ORDERED) { 5348 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm); 5349 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5350 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm); 5351#ifdef INVARIANTS 5352 } else { 5353 panic("strmin: %p ctl: %p unknown %d", 5354 strmin, control, control->on_strm_q); 5355#endif 5356 } 5357 control->on_strm_q = 0; 5358 } 5359 /* subtract pending on streams */ 5360 if (asoc->size_on_all_streams >= control->length) { 5361 asoc->size_on_all_streams -= control->length; 5362 } else { 5363#ifdef INVARIANTS 5364 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5365#else 5366 asoc->size_on_all_streams = 0; 5367#endif 5368 } 5369 sctp_ucount_decr(asoc->cnt_on_all_streams); 5370 /* deliver it to at least the delivery-q */ 5371 if (stcb->sctp_socket) { 5372 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 5373 sctp_add_to_readq(stcb->sctp_ep, stcb, 5374 control, 5375 &stcb->sctp_socket->so_rcv, 5376 1, SCTP_READ_LOCK_HELD, 5377 SCTP_SO_NOT_LOCKED); 5378 } 5379 } else { 5380 /* Its a fragmented message */ 5381 if (control->first_frag_seen) { 5382 /* 5383 * Make it so this is next to 5384 * deliver, we restore later 5385 */ 5386 strmin->last_mid_delivered = control->mid - 1; 5387 need_reasm_check = 1; 5388 break; 5389 } 5390 } 5391 } else { 5392 /* no more delivery now. */ 5393 break; 5394 } 5395 } 5396 if (need_reasm_check) { 5397 int ret; 5398 5399 ret = sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD); 5400 if (SCTP_MID_GT(asoc->idata_supported, mid, strmin->last_mid_delivered)) { 5401 /* Restore the next to deliver unless we are ahead */ 5402 strmin->last_mid_delivered = mid; 5403 } 5404 if (ret == 0) { 5405 /* Left the front Partial one on */ 5406 return; 5407 } 5408 need_reasm_check = 0; 5409 } 5410 /* 5411 * now we must deliver things in queue the normal way if any are 5412 * now ready. 5413 */ 5414 mid = strmin->last_mid_delivered + 1; 5415 TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) { 5416 if (SCTP_MID_EQ(asoc->idata_supported, mid, control->mid)) { 5417 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 5418 /* this is deliverable now */ 5419 if (control->on_strm_q) { 5420 if (control->on_strm_q == SCTP_ON_ORDERED) { 5421 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm); 5422 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5423 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm); 5424#ifdef INVARIANTS 5425 } else { 5426 panic("strmin: %p ctl: %p unknown %d", 5427 strmin, control, control->on_strm_q); 5428#endif 5429 } 5430 control->on_strm_q = 0; 5431 } 5432 /* subtract pending on streams */ 5433 if (asoc->size_on_all_streams >= control->length) { 5434 asoc->size_on_all_streams -= control->length; 5435 } else { 5436#ifdef INVARIANTS 5437 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5438#else 5439 asoc->size_on_all_streams = 0; 5440#endif 5441 } 5442 sctp_ucount_decr(asoc->cnt_on_all_streams); 5443 /* deliver it to at least the delivery-q */ 5444 strmin->last_mid_delivered = control->mid; 5445 if (stcb->sctp_socket) { 5446 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 5447 sctp_add_to_readq(stcb->sctp_ep, stcb, 5448 control, 5449 &stcb->sctp_socket->so_rcv, 1, 5450 SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED); 5451 5452 } 5453 mid = strmin->last_mid_delivered + 1; 5454 } else { 5455 /* Its a fragmented message */ 5456 if (control->first_frag_seen) { 5457 /* 5458 * Make it so this is next to 5459 * deliver 5460 */ 5461 strmin->last_mid_delivered = control->mid - 1; 5462 need_reasm_check = 1; 5463 break; 5464 } 5465 } 5466 } else { 5467 break; 5468 } 5469 } 5470 if (need_reasm_check) { 5471 (void)sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD); 5472 } 5473} 5474 5475 5476 5477static void 5478sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb, 5479 struct sctp_association *asoc, 5480 uint16_t stream, uint32_t mid, int ordered, uint32_t cumtsn) 5481{ 5482 struct sctp_queued_to_read *control; 5483 struct sctp_stream_in *strm; 5484 struct sctp_tmit_chunk *chk, *nchk; 5485 int cnt_removed = 0; 5486 5487 /* 5488 * For now large messages held on the stream reasm that are complete 5489 * will be tossed too. We could in theory do more work to spin 5490 * through and stop after dumping one msg aka seeing the start of a 5491 * new msg at the head, and call the delivery function... to see if 5492 * it can be delivered... But for now we just dump everything on the 5493 * queue. 5494 */ 5495 strm = &asoc->strmin[stream]; 5496 control = sctp_find_reasm_entry(strm, mid, ordered, asoc->idata_supported); 5497 if (control == NULL) { 5498 /* Not found */ 5499 return; 5500 } 5501 if (!asoc->idata_supported && !ordered && SCTP_TSN_GT(control->fsn_included, cumtsn)) { 5502 return; 5503 } 5504 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) { 5505 /* Purge hanging chunks */ 5506 if (!asoc->idata_supported && (ordered == 0)) { 5507 if (SCTP_TSN_GT(chk->rec.data.tsn, cumtsn)) { 5508 break; 5509 } 5510 } 5511 cnt_removed++; 5512 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 5513 if (asoc->size_on_reasm_queue >= chk->send_size) { 5514 asoc->size_on_reasm_queue -= chk->send_size; 5515 } else { 5516#ifdef INVARIANTS 5517 panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, chk->send_size); 5518#else 5519 asoc->size_on_reasm_queue = 0; 5520#endif 5521 } 5522 sctp_ucount_decr(asoc->cnt_on_reasm_queue); 5523 if (chk->data) { 5524 sctp_m_freem(chk->data); 5525 chk->data = NULL; 5526 } 5527 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 5528 } 5529 if (!TAILQ_EMPTY(&control->reasm)) { 5530 /* This has to be old data, unordered */ 5531 if (control->data) { 5532 sctp_m_freem(control->data); 5533 control->data = NULL; 5534 } 5535 sctp_reset_a_control(control, stcb->sctp_ep, cumtsn); 5536 chk = TAILQ_FIRST(&control->reasm); 5537 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 5538 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 5539 sctp_add_chk_to_control(control, strm, stcb, asoc, 5540 chk, SCTP_READ_LOCK_HELD); 5541 } 5542 sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_HELD); 5543 return; 5544 } 5545 if (control->on_strm_q == SCTP_ON_ORDERED) { 5546 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 5547 if (asoc->size_on_all_streams >= control->length) { 5548 asoc->size_on_all_streams -= control->length; 5549 } else { 5550#ifdef INVARIANTS 5551 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5552#else 5553 asoc->size_on_all_streams = 0; 5554#endif 5555 } 5556 sctp_ucount_decr(asoc->cnt_on_all_streams); 5557 control->on_strm_q = 0; 5558 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5559 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 5560 control->on_strm_q = 0; 5561#ifdef INVARIANTS 5562 } else if (control->on_strm_q) { 5563 panic("strm: %p ctl: %p unknown %d", 5564 strm, control, control->on_strm_q); 5565#endif 5566 } 5567 control->on_strm_q = 0; 5568 if (control->on_read_q == 0) { 5569 sctp_free_remote_addr(control->whoFrom); 5570 if (control->data) { 5571 sctp_m_freem(control->data); 5572 control->data = NULL; 5573 } 5574 sctp_free_a_readq(stcb, control); 5575 } 5576} 5577 5578void 5579sctp_handle_forward_tsn(struct sctp_tcb *stcb, 5580 struct sctp_forward_tsn_chunk *fwd, 5581 int *abort_flag, struct mbuf *m, int offset) 5582{ 5583 /* The pr-sctp fwd tsn */ 5584 /* 5585 * here we will perform all the data receiver side steps for 5586 * processing FwdTSN, as required in by pr-sctp draft: 5587 * 5588 * Assume we get FwdTSN(x): 5589 * 5590 * 1) update local cumTSN to x 2) try to further advance cumTSN to x 5591 * + others we have 3) examine and update re-ordering queue on 5592 * pr-in-streams 4) clean up re-assembly queue 5) Send a sack to 5593 * report where we are. 5594 */ 5595 struct sctp_association *asoc; 5596 uint32_t new_cum_tsn, gap; 5597 unsigned int i, fwd_sz, m_size; 5598 uint32_t str_seq; 5599 struct sctp_stream_in *strm; 5600 struct sctp_queued_to_read *control, *sv; 5601 5602 asoc = &stcb->asoc; 5603 if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) { 5604 SCTPDBG(SCTP_DEBUG_INDATA1, 5605 "Bad size too small/big fwd-tsn\n"); 5606 return; 5607 } 5608 m_size = (stcb->asoc.mapping_array_size << 3); 5609 /*************************************************************/ 5610 /* 1. Here we update local cumTSN and shift the bitmap array */ 5611 /*************************************************************/ 5612 new_cum_tsn = ntohl(fwd->new_cumulative_tsn); 5613 5614 if (SCTP_TSN_GE(asoc->cumulative_tsn, new_cum_tsn)) { 5615 /* Already got there ... */ 5616 return; 5617 } 5618 /* 5619 * now we know the new TSN is more advanced, let's find the actual 5620 * gap 5621 */ 5622 SCTP_CALC_TSN_TO_GAP(gap, new_cum_tsn, asoc->mapping_array_base_tsn); 5623 asoc->cumulative_tsn = new_cum_tsn; 5624 if (gap >= m_size) { 5625 if ((long)gap > sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv)) { 5626 struct mbuf *op_err; 5627 char msg[SCTP_DIAG_INFO_LEN]; 5628 5629 /* 5630 * out of range (of single byte chunks in the rwnd I 5631 * give out). This must be an attacker. 5632 */ 5633 *abort_flag = 1; 5634 snprintf(msg, sizeof(msg), 5635 "New cum ack %8.8x too high, highest TSN %8.8x", 5636 new_cum_tsn, asoc->highest_tsn_inside_map); 5637 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 5638 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_36; 5639 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 5640 return; 5641 } 5642 SCTP_STAT_INCR(sctps_fwdtsn_map_over); 5643 5644 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 5645 asoc->mapping_array_base_tsn = new_cum_tsn + 1; 5646 asoc->highest_tsn_inside_map = new_cum_tsn; 5647 5648 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 5649 asoc->highest_tsn_inside_nr_map = new_cum_tsn; 5650 5651 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 5652 sctp_log_map(0, 3, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 5653 } 5654 } else { 5655 SCTP_TCB_LOCK_ASSERT(stcb); 5656 for (i = 0; i <= gap; i++) { 5657 if (!SCTP_IS_TSN_PRESENT(asoc->mapping_array, i) && 5658 !SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, i)) { 5659 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, i); 5660 if (SCTP_TSN_GT(asoc->mapping_array_base_tsn + i, asoc->highest_tsn_inside_nr_map)) { 5661 asoc->highest_tsn_inside_nr_map = asoc->mapping_array_base_tsn + i; 5662 } 5663 } 5664 } 5665 } 5666 /*************************************************************/ 5667 /* 2. Clear up re-assembly queue */ 5668 /*************************************************************/ 5669 5670 /* This is now done as part of clearing up the stream/seq */ 5671 if (asoc->idata_supported == 0) { 5672 uint16_t sid; 5673 5674 /* Flush all the un-ordered data based on cum-tsn */ 5675 SCTP_INP_READ_LOCK(stcb->sctp_ep); 5676 for (sid = 0; sid < asoc->streamincnt; sid++) { 5677 sctp_flush_reassm_for_str_seq(stcb, asoc, sid, 0, 0, new_cum_tsn); 5678 } 5679 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 5680 } 5681 /*******************************************************/ 5682 /* 3. Update the PR-stream re-ordering queues and fix */ 5683 /* delivery issues as needed. */ 5684 /*******************************************************/ 5685 fwd_sz -= sizeof(*fwd); 5686 if (m && fwd_sz) { 5687 /* New method. */ 5688 unsigned int num_str; 5689 uint32_t mid, cur_mid; 5690 uint16_t sid; 5691 uint16_t ordered, flags; 5692 struct sctp_strseq *stseq, strseqbuf; 5693 struct sctp_strseq_mid *stseq_m, strseqbuf_m; 5694 5695 offset += sizeof(*fwd); 5696 5697 SCTP_INP_READ_LOCK(stcb->sctp_ep); 5698 if (asoc->idata_supported) { 5699 num_str = fwd_sz / sizeof(struct sctp_strseq_mid); 5700 } else { 5701 num_str = fwd_sz / sizeof(struct sctp_strseq); 5702 } 5703 for (i = 0; i < num_str; i++) { 5704 if (asoc->idata_supported) { 5705 stseq_m = (struct sctp_strseq_mid *)sctp_m_getptr(m, offset, 5706 sizeof(struct sctp_strseq_mid), 5707 (uint8_t *)&strseqbuf_m); 5708 offset += sizeof(struct sctp_strseq_mid); 5709 if (stseq_m == NULL) { 5710 break; 5711 } 5712 sid = ntohs(stseq_m->sid); 5713 mid = ntohl(stseq_m->mid); 5714 flags = ntohs(stseq_m->flags); 5715 if (flags & PR_SCTP_UNORDERED_FLAG) { 5716 ordered = 0; 5717 } else { 5718 ordered = 1; 5719 } 5720 } else { 5721 stseq = (struct sctp_strseq *)sctp_m_getptr(m, offset, 5722 sizeof(struct sctp_strseq), 5723 (uint8_t *)&strseqbuf); 5724 offset += sizeof(struct sctp_strseq); 5725 if (stseq == NULL) { 5726 break; 5727 } 5728 sid = ntohs(stseq->sid); 5729 mid = (uint32_t)ntohs(stseq->ssn); 5730 ordered = 1; 5731 } 5732 /* Convert */ 5733 5734 /* now process */ 5735 5736 /* 5737 * Ok we now look for the stream/seq on the read 5738 * queue where its not all delivered. If we find it 5739 * we transmute the read entry into a PDI_ABORTED. 5740 */ 5741 if (sid >= asoc->streamincnt) { 5742 /* screwed up streams, stop! */ 5743 break; 5744 } 5745 if ((asoc->str_of_pdapi == sid) && 5746 (asoc->ssn_of_pdapi == mid)) { 5747 /* 5748 * If this is the one we were partially 5749 * delivering now then we no longer are. 5750 * Note this will change with the reassembly 5751 * re-write. 5752 */ 5753 asoc->fragmented_delivery_inprogress = 0; 5754 } 5755 strm = &asoc->strmin[sid]; 5756 for (cur_mid = strm->last_mid_delivered; SCTP_MID_GE(asoc->idata_supported, mid, cur_mid); cur_mid++) { 5757 sctp_flush_reassm_for_str_seq(stcb, asoc, sid, cur_mid, ordered, new_cum_tsn); 5758 } 5759 TAILQ_FOREACH(control, &stcb->sctp_ep->read_queue, next) { 5760 if ((control->sinfo_stream == sid) && 5761 (SCTP_MID_EQ(asoc->idata_supported, control->mid, mid))) { 5762 str_seq = (sid << 16) | (0x0000ffff & mid); 5763 control->pdapi_aborted = 1; 5764 sv = stcb->asoc.control_pdapi; 5765 control->end_added = 1; 5766 if (control->on_strm_q == SCTP_ON_ORDERED) { 5767 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 5768 if (asoc->size_on_all_streams >= control->length) { 5769 asoc->size_on_all_streams -= control->length; 5770 } else { 5771#ifdef INVARIANTS 5772 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5773#else 5774 asoc->size_on_all_streams = 0; 5775#endif 5776 } 5777 sctp_ucount_decr(asoc->cnt_on_all_streams); 5778 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5779 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 5780#ifdef INVARIANTS 5781 } else if (control->on_strm_q) { 5782 panic("strm: %p ctl: %p unknown %d", 5783 strm, control, control->on_strm_q); 5784#endif 5785 } 5786 control->on_strm_q = 0; 5787 stcb->asoc.control_pdapi = control; 5788 sctp_ulp_notify(SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION, 5789 stcb, 5790 SCTP_PARTIAL_DELIVERY_ABORTED, 5791 (void *)&str_seq, 5792 SCTP_SO_NOT_LOCKED); 5793 stcb->asoc.control_pdapi = sv; 5794 break; 5795 } else if ((control->sinfo_stream == sid) && 5796 SCTP_MID_GT(asoc->idata_supported, control->mid, mid)) { 5797 /* We are past our victim SSN */ 5798 break; 5799 } 5800 } 5801 if (SCTP_MID_GT(asoc->idata_supported, mid, strm->last_mid_delivered)) { 5802 /* Update the sequence number */ 5803 strm->last_mid_delivered = mid; 5804 } 5805 /* now kick the stream the new way */ 5806 /* sa_ignore NO_NULL_CHK */ 5807 sctp_kick_prsctp_reorder_queue(stcb, strm); 5808 } 5809 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 5810 } 5811 /* 5812 * Now slide thing forward. 5813 */ 5814 sctp_slide_mapping_arrays(stcb); 5815} 5816