Coverage Report

Created: 2022-08-24 06:02

/src/usrsctp/usrsctplib/netinet/sctp_pcb.c
Line
Count
Source (jump to first uncovered line)
1
/*-
2
 * SPDX-License-Identifier: BSD-3-Clause
3
 *
4
 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
5
 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
6
 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions are met:
10
 *
11
 * a) Redistributions of source code must retain the above copyright notice,
12
 *    this list of conditions and the following disclaimer.
13
 *
14
 * b) Redistributions in binary form must reproduce the above copyright
15
 *    notice, this list of conditions and the following disclaimer in
16
 *    the documentation and/or other materials provided with the distribution.
17
 *
18
 * c) Neither the name of Cisco Systems, Inc. nor the names of its
19
 *    contributors may be used to endorse or promote products derived
20
 *    from this software without specific prior written permission.
21
 *
22
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
26
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
32
 * THE POSSIBILITY OF SUCH DAMAGE.
33
 */
34
35
#if defined(__FreeBSD__) && !defined(__Userspace__)
36
#include <sys/cdefs.h>
37
__FBSDID("$FreeBSD$");
38
#endif
39
40
#include <netinet/sctp_os.h>
41
#if defined(__FreeBSD__) && !defined(__Userspace__)
42
#include <sys/proc.h>
43
#endif
44
#include <netinet/sctp_var.h>
45
#include <netinet/sctp_sysctl.h>
46
#include <netinet/sctp_pcb.h>
47
#include <netinet/sctputil.h>
48
#include <netinet/sctp.h>
49
#include <netinet/sctp_header.h>
50
#include <netinet/sctp_asconf.h>
51
#include <netinet/sctp_output.h>
52
#include <netinet/sctp_timer.h>
53
#include <netinet/sctp_bsd_addr.h>
54
#if defined(INET) || defined(INET6)
55
#if !defined(_WIN32)
56
#include <netinet/udp.h>
57
#endif
58
#endif
59
#ifdef INET6
60
#if defined(__Userspace__)
61
#include "user_ip6_var.h"
62
#else
63
#include <netinet6/ip6_var.h>
64
#endif
65
#endif
66
#if defined(__FreeBSD__) && !defined(__Userspace__)
67
#include <sys/sched.h>
68
#include <sys/smp.h>
69
#include <sys/unistd.h>
70
#endif
71
#if defined(__Userspace__)
72
#include <user_socketvar.h>
73
#include <user_atomic.h>
74
#if !defined(_WIN32)
75
#include <netdb.h>
76
#endif
77
#endif
78
79
#if !defined(__FreeBSD__) || defined(__Userspace__)
80
struct sctp_base_info system_base_info;
81
82
#endif
83
/* FIX: we don't handle multiple link local scopes */
84
/* "scopeless" replacement IN6_ARE_ADDR_EQUAL */
85
#ifdef INET6
86
int
87
SCTP6_ARE_ADDR_EQUAL(struct sockaddr_in6 *a, struct sockaddr_in6 *b)
88
104k
{
89
#ifdef SCTP_EMBEDDED_V6_SCOPE
90
#if defined(__APPLE__) && !defined(__Userspace__)
91
  struct in6_addr tmp_a, tmp_b;
92
93
  tmp_a = a->sin6_addr;
94
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
95
  if (in6_embedscope(&tmp_a, a, NULL, NULL) != 0) {
96
#else
97
  if (in6_embedscope(&tmp_a, a, NULL, NULL, NULL) != 0) {
98
#endif
99
    return (0);
100
  }
101
  tmp_b = b->sin6_addr;
102
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
103
  if (in6_embedscope(&tmp_b, b, NULL, NULL) != 0) {
104
#else
105
  if (in6_embedscope(&tmp_b, b, NULL, NULL, NULL) != 0) {
106
#endif
107
    return (0);
108
  }
109
  return (IN6_ARE_ADDR_EQUAL(&tmp_a, &tmp_b));
110
#elif defined(SCTP_KAME)
111
  struct sockaddr_in6 tmp_a, tmp_b;
112
113
  memcpy(&tmp_a, a, sizeof(struct sockaddr_in6));
114
  if (sa6_embedscope(&tmp_a, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
115
    return (0);
116
  }
117
  memcpy(&tmp_b, b, sizeof(struct sockaddr_in6));
118
  if (sa6_embedscope(&tmp_b, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
119
    return (0);
120
  }
121
  return (IN6_ARE_ADDR_EQUAL(&tmp_a.sin6_addr, &tmp_b.sin6_addr));
122
#else
123
  struct in6_addr tmp_a, tmp_b;
124
125
  tmp_a = a->sin6_addr;
126
  if (in6_embedscope(&tmp_a, a) != 0) {
127
    return (0);
128
  }
129
  tmp_b = b->sin6_addr;
130
  if (in6_embedscope(&tmp_b, b) != 0) {
131
    return (0);
132
  }
133
  return (IN6_ARE_ADDR_EQUAL(&tmp_a, &tmp_b));
134
#endif
135
#else
136
104k
  return (IN6_ARE_ADDR_EQUAL(&(a->sin6_addr), &(b->sin6_addr)));
137
104k
#endif /* SCTP_EMBEDDED_V6_SCOPE */
138
104k
}
139
#endif
140
141
void
142
sctp_fill_pcbinfo(struct sctp_pcbinfo *spcb)
143
0
{
144
  /*
145
   * We really don't need to lock this, but I will just because it
146
   * does not hurt.
147
   */
148
0
  SCTP_INP_INFO_RLOCK();
149
0
  spcb->ep_count = SCTP_BASE_INFO(ipi_count_ep);
150
0
  spcb->asoc_count = SCTP_BASE_INFO(ipi_count_asoc);
151
0
  spcb->laddr_count = SCTP_BASE_INFO(ipi_count_laddr);
152
0
  spcb->raddr_count = SCTP_BASE_INFO(ipi_count_raddr);
153
0
  spcb->chk_count = SCTP_BASE_INFO(ipi_count_chunk);
154
0
  spcb->readq_count = SCTP_BASE_INFO(ipi_count_readq);
155
0
  spcb->stream_oque = SCTP_BASE_INFO(ipi_count_strmoq);
156
0
  spcb->free_chunks = SCTP_BASE_INFO(ipi_free_chunks);
157
0
  SCTP_INP_INFO_RUNLOCK();
158
0
}
159
160
/*-
161
 * Addresses are added to VRF's (Virtual Router's). For BSD we
162
 * have only the default VRF 0. We maintain a hash list of
163
 * VRF's. Each VRF has its own list of sctp_ifn's. Each of
164
 * these has a list of addresses. When we add a new address
165
 * to a VRF we lookup the ifn/ifn_index, if the ifn does
166
 * not exist we create it and add it to the list of IFN's
167
 * within the VRF. Once we have the sctp_ifn, we add the
168
 * address to the list. So we look something like:
169
 *
170
 * hash-vrf-table
171
 *   vrf-> ifn-> ifn -> ifn
172
 *   vrf    |
173
 *    ...   +--ifa-> ifa -> ifa
174
 *   vrf
175
 *
176
 * We keep these separate lists since the SCTP subsystem will
177
 * point to these from its source address selection nets structure.
178
 * When an address is deleted it does not happen right away on
179
 * the SCTP side, it gets scheduled. What we do when a
180
 * delete happens is immediately remove the address from
181
 * the master list and decrement the refcount. As our
182
 * addip iterator works through and frees the src address
183
 * selection pointing to the sctp_ifa, eventually the refcount
184
 * will reach 0 and we will delete it. Note that it is assumed
185
 * that any locking on system level ifn/ifa is done at the
186
 * caller of these functions and these routines will only
187
 * lock the SCTP structures as they add or delete things.
188
 *
189
 * Other notes on VRF concepts.
190
 *  - An endpoint can be in multiple VRF's
191
 *  - An association lives within a VRF and only one VRF.
192
 *  - Any incoming packet we can deduce the VRF for by
193
 *    looking at the mbuf/pak inbound (for BSD its VRF=0 :D)
194
 *  - Any downward send call or connect call must supply the
195
 *    VRF via ancillary data or via some sort of set default
196
 *    VRF socket option call (again for BSD no brainer since
197
 *    the VRF is always 0).
198
 *  - An endpoint may add multiple VRF's to it.
199
 *  - Listening sockets can accept associations in any
200
 *    of the VRF's they are in but the assoc will end up
201
 *    in only one VRF (gotten from the packet or connect/send).
202
 *
203
 */
204
205
struct sctp_vrf *
206
sctp_allocate_vrf(int vrf_id)
207
1
{
208
1
  struct sctp_vrf *vrf = NULL;
209
1
  struct sctp_vrflist *bucket;
210
211
  /* First allocate the VRF structure */
212
1
  vrf = sctp_find_vrf(vrf_id);
213
1
  if (vrf) {
214
    /* Already allocated */
215
0
    return (vrf);
216
0
  }
217
1
  SCTP_MALLOC(vrf, struct sctp_vrf *, sizeof(struct sctp_vrf),
218
1
        SCTP_M_VRF);
219
1
  if (vrf == NULL) {
220
    /* No memory */
221
0
#ifdef INVARIANTS
222
0
    panic("No memory for VRF:%d", vrf_id);
223
0
#endif
224
0
    return (NULL);
225
0
  }
226
  /* setup the VRF */
227
1
  memset(vrf, 0, sizeof(struct sctp_vrf));
228
1
  vrf->vrf_id = vrf_id;
229
1
  LIST_INIT(&vrf->ifnlist);
230
1
  vrf->total_ifa_count = 0;
231
1
  vrf->refcount = 0;
232
  /* now also setup table ids */
233
1
  SCTP_INIT_VRF_TABLEID(vrf);
234
  /* Init the HASH of addresses */
235
1
  vrf->vrf_addr_hash = SCTP_HASH_INIT(SCTP_VRF_ADDR_HASH_SIZE,
236
1
              &vrf->vrf_addr_hashmark);
237
1
  if (vrf->vrf_addr_hash == NULL) {
238
    /* No memory */
239
0
#ifdef INVARIANTS
240
0
    panic("No memory for VRF:%d", vrf_id);
241
0
#endif
242
0
    SCTP_FREE(vrf, SCTP_M_VRF);
243
0
    return (NULL);
244
0
  }
245
246
  /* Add it to the hash table */
247
1
  bucket = &SCTP_BASE_INFO(sctp_vrfhash)[(vrf_id & SCTP_BASE_INFO(hashvrfmark))];
248
1
  LIST_INSERT_HEAD(bucket, vrf, next_vrf);
249
1
  atomic_add_int(&SCTP_BASE_INFO(ipi_count_vrfs), 1);
250
1
  return (vrf);
251
1
}
252
253
struct sctp_ifn *
254
sctp_find_ifn(void *ifn, uint32_t ifn_index)
255
2.75k
{
256
2.75k
  struct sctp_ifn *sctp_ifnp;
257
2.75k
  struct sctp_ifnlist *hash_ifn_head;
258
259
  /* We assume the lock is held for the addresses
260
   * if that's wrong problems could occur :-)
261
   */
262
2.75k
  SCTP_IPI_ADDR_LOCK_ASSERT();
263
2.75k
  hash_ifn_head = &SCTP_BASE_INFO(vrf_ifn_hash)[(ifn_index & SCTP_BASE_INFO(vrf_ifn_hashmark))];
264
8.26k
  LIST_FOREACH(sctp_ifnp, hash_ifn_head, next_bucket) {
265
8.26k
    if (sctp_ifnp->ifn_index == ifn_index) {
266
2.75k
      return (sctp_ifnp);
267
2.75k
    }
268
5.51k
    if (sctp_ifnp->ifn_p && ifn && (sctp_ifnp->ifn_p == ifn)) {
269
0
      return (sctp_ifnp);
270
0
    }
271
5.51k
  }
272
3
  return (NULL);
273
2.75k
}
274
275
struct sctp_vrf *
276
sctp_find_vrf(uint32_t vrf_id)
277
144k
{
278
144k
  struct sctp_vrflist *bucket;
279
144k
  struct sctp_vrf *liste;
280
281
144k
  bucket = &SCTP_BASE_INFO(sctp_vrfhash)[(vrf_id & SCTP_BASE_INFO(hashvrfmark))];
282
144k
  LIST_FOREACH(liste, bucket, next_vrf) {
283
144k
    if (vrf_id == liste->vrf_id) {
284
144k
      return (liste);
285
144k
    }
286
144k
  }
287
1
  return (NULL);
288
144k
}
289
290
void
291
sctp_free_vrf(struct sctp_vrf *vrf)
292
0
{
293
0
  if (SCTP_DECREMENT_AND_CHECK_REFCOUNT(&vrf->refcount)) {
294
0
                if (vrf->vrf_addr_hash) {
295
0
                    SCTP_HASH_FREE(vrf->vrf_addr_hash, vrf->vrf_addr_hashmark);
296
0
                    vrf->vrf_addr_hash = NULL;
297
0
                }
298
    /* We zero'd the count */
299
0
    LIST_REMOVE(vrf, next_vrf);
300
0
    SCTP_FREE(vrf, SCTP_M_VRF);
301
0
    atomic_subtract_int(&SCTP_BASE_INFO(ipi_count_vrfs), 1);
302
0
  }
303
0
}
304
305
void
306
sctp_free_ifn(struct sctp_ifn *sctp_ifnp)
307
0
{
308
0
  if (SCTP_DECREMENT_AND_CHECK_REFCOUNT(&sctp_ifnp->refcount)) {
309
    /* We zero'd the count */
310
0
    if (sctp_ifnp->vrf) {
311
0
      sctp_free_vrf(sctp_ifnp->vrf);
312
0
    }
313
0
    SCTP_FREE(sctp_ifnp, SCTP_M_IFN);
314
0
    atomic_subtract_int(&SCTP_BASE_INFO(ipi_count_ifns), 1);
315
0
  }
316
0
}
317
318
void
319
sctp_update_ifn_mtu(uint32_t ifn_index, uint32_t mtu)
320
0
{
321
0
  struct sctp_ifn *sctp_ifnp;
322
323
0
  sctp_ifnp = sctp_find_ifn((void *)NULL, ifn_index);
324
0
  if (sctp_ifnp != NULL) {
325
0
    sctp_ifnp->ifn_mtu = mtu;
326
0
  }
327
0
}
328
329
void
330
sctp_free_ifa(struct sctp_ifa *sctp_ifap)
331
11.6k
{
332
11.6k
  if (SCTP_DECREMENT_AND_CHECK_REFCOUNT(&sctp_ifap->refcount)) {
333
    /* We zero'd the count */
334
0
    if (sctp_ifap->ifn_p) {
335
0
      sctp_free_ifn(sctp_ifap->ifn_p);
336
0
    }
337
0
    SCTP_FREE(sctp_ifap, SCTP_M_IFA);
338
0
    atomic_subtract_int(&SCTP_BASE_INFO(ipi_count_ifas), 1);
339
0
  }
340
11.6k
}
341
342
static void
343
sctp_delete_ifn(struct sctp_ifn *sctp_ifnp, int hold_addr_lock)
344
0
{
345
0
  struct sctp_ifn *found;
346
347
0
  found = sctp_find_ifn(sctp_ifnp->ifn_p, sctp_ifnp->ifn_index);
348
0
  if (found == NULL) {
349
    /* Not in the list.. sorry */
350
0
    return;
351
0
  }
352
0
  if (hold_addr_lock == 0) {
353
0
    SCTP_IPI_ADDR_WLOCK();
354
0
  } else {
355
0
    SCTP_IPI_ADDR_WLOCK_ASSERT();
356
0
  }
357
0
  LIST_REMOVE(sctp_ifnp, next_bucket);
358
0
  LIST_REMOVE(sctp_ifnp, next_ifn);
359
0
  if (hold_addr_lock == 0) {
360
0
    SCTP_IPI_ADDR_WUNLOCK();
361
0
  }
362
  /* Take away the reference, and possibly free it */
363
0
  sctp_free_ifn(sctp_ifnp);
364
0
}
365
366
void
367
sctp_mark_ifa_addr_down(uint32_t vrf_id, struct sockaddr *addr,
368
      const char *if_name, uint32_t ifn_index)
369
0
{
370
0
  struct sctp_vrf *vrf;
371
0
  struct sctp_ifa *sctp_ifap;
372
373
0
  SCTP_IPI_ADDR_RLOCK();
374
0
  vrf = sctp_find_vrf(vrf_id);
375
0
  if (vrf == NULL) {
376
0
    SCTPDBG(SCTP_DEBUG_PCB4, "Can't find vrf_id 0x%x\n", vrf_id);
377
0
    goto out;
378
0
  }
379
0
  sctp_ifap = sctp_find_ifa_by_addr(addr, vrf->vrf_id, SCTP_ADDR_LOCKED);
380
0
  if (sctp_ifap == NULL) {
381
0
    SCTPDBG(SCTP_DEBUG_PCB4, "Can't find sctp_ifap for address\n");
382
0
    goto out;
383
0
  }
384
0
  if (sctp_ifap->ifn_p == NULL) {
385
0
    SCTPDBG(SCTP_DEBUG_PCB4, "IFA has no IFN - can't mark unusable\n");
386
0
    goto out;
387
0
  }
388
0
  if (if_name) {
389
0
    if (strncmp(if_name, sctp_ifap->ifn_p->ifn_name, SCTP_IFNAMSIZ) != 0) {
390
0
      SCTPDBG(SCTP_DEBUG_PCB4, "IFN %s of IFA not the same as %s\n",
391
0
        sctp_ifap->ifn_p->ifn_name, if_name);
392
0
      goto out;
393
0
    }
394
0
  } else {
395
0
    if (sctp_ifap->ifn_p->ifn_index != ifn_index) {
396
0
      SCTPDBG(SCTP_DEBUG_PCB4, "IFA owned by ifn_index:%d down command for ifn_index:%d - ignored\n",
397
0
        sctp_ifap->ifn_p->ifn_index, ifn_index);
398
0
      goto out;
399
0
    }
400
0
  }
401
402
0
  sctp_ifap->localifa_flags &= (~SCTP_ADDR_VALID);
403
0
  sctp_ifap->localifa_flags |= SCTP_ADDR_IFA_UNUSEABLE;
404
0
 out:
405
0
  SCTP_IPI_ADDR_RUNLOCK();
406
0
}
407
408
void
409
sctp_mark_ifa_addr_up(uint32_t vrf_id, struct sockaddr *addr,
410
          const char *if_name, uint32_t ifn_index)
411
0
{
412
0
  struct sctp_vrf *vrf;
413
0
  struct sctp_ifa *sctp_ifap;
414
415
0
  SCTP_IPI_ADDR_RLOCK();
416
0
  vrf = sctp_find_vrf(vrf_id);
417
0
  if (vrf == NULL) {
418
0
    SCTPDBG(SCTP_DEBUG_PCB4, "Can't find vrf_id 0x%x\n", vrf_id);
419
0
    goto out;
420
0
  }
421
0
  sctp_ifap = sctp_find_ifa_by_addr(addr, vrf->vrf_id, SCTP_ADDR_LOCKED);
422
0
  if (sctp_ifap == NULL) {
423
0
    SCTPDBG(SCTP_DEBUG_PCB4, "Can't find sctp_ifap for address\n");
424
0
    goto out;
425
0
  }
426
0
  if (sctp_ifap->ifn_p == NULL) {
427
0
    SCTPDBG(SCTP_DEBUG_PCB4, "IFA has no IFN - can't mark unusable\n");
428
0
    goto out;
429
0
  }
430
0
  if (if_name) {
431
0
    if (strncmp(if_name, sctp_ifap->ifn_p->ifn_name, SCTP_IFNAMSIZ) != 0) {
432
0
      SCTPDBG(SCTP_DEBUG_PCB4, "IFN %s of IFA not the same as %s\n",
433
0
        sctp_ifap->ifn_p->ifn_name, if_name);
434
0
      goto out;
435
0
    }
436
0
  } else {
437
0
    if (sctp_ifap->ifn_p->ifn_index != ifn_index) {
438
0
      SCTPDBG(SCTP_DEBUG_PCB4, "IFA owned by ifn_index:%d down command for ifn_index:%d - ignored\n",
439
0
        sctp_ifap->ifn_p->ifn_index, ifn_index);
440
0
      goto out;
441
0
    }
442
0
  }
443
444
0
  sctp_ifap->localifa_flags &= (~SCTP_ADDR_IFA_UNUSEABLE);
445
0
  sctp_ifap->localifa_flags |= SCTP_ADDR_VALID;
446
0
 out:
447
0
  SCTP_IPI_ADDR_RUNLOCK();
448
0
}
449
450
/*-
451
 * Add an ifa to an ifn.
452
 * Register the interface as necessary.
453
 * NOTE: ADDR write lock MUST be held.
454
 */
455
static void
456
sctp_add_ifa_to_ifn(struct sctp_ifn *sctp_ifnp, struct sctp_ifa *sctp_ifap)
457
0
{
458
0
  int ifa_af;
459
460
0
  LIST_INSERT_HEAD(&sctp_ifnp->ifalist, sctp_ifap, next_ifa);
461
0
  sctp_ifap->ifn_p = sctp_ifnp;
462
0
  atomic_add_int(&sctp_ifap->ifn_p->refcount, 1);
463
  /* update address counts */
464
0
  sctp_ifnp->ifa_count++;
465
0
  ifa_af = sctp_ifap->address.sa.sa_family;
466
0
  switch (ifa_af) {
467
0
#ifdef INET
468
0
  case AF_INET:
469
0
    sctp_ifnp->num_v4++;
470
0
    break;
471
0
#endif
472
0
#ifdef INET6
473
0
  case AF_INET6:
474
0
    sctp_ifnp->num_v6++;
475
0
    break;
476
0
#endif
477
0
  default:
478
0
    break;
479
0
  }
480
0
  if (sctp_ifnp->ifa_count == 1) {
481
    /* register the new interface */
482
0
    sctp_ifnp->registered_af = ifa_af;
483
0
  }
484
0
}
485
486
/*-
487
 * Remove an ifa from its ifn.
488
 * If no more addresses exist, remove the ifn too. Otherwise, re-register
489
 * the interface based on the remaining address families left.
490
 * NOTE: ADDR write lock MUST be held.
491
 */
492
static void
493
sctp_remove_ifa_from_ifn(struct sctp_ifa *sctp_ifap)
494
0
{
495
0
  LIST_REMOVE(sctp_ifap, next_ifa);
496
0
  if (sctp_ifap->ifn_p) {
497
    /* update address counts */
498
0
    sctp_ifap->ifn_p->ifa_count--;
499
0
    switch (sctp_ifap->address.sa.sa_family) {
500
0
#ifdef INET
501
0
    case AF_INET:
502
0
      sctp_ifap->ifn_p->num_v4--;
503
0
      break;
504
0
#endif
505
0
#ifdef INET6
506
0
    case AF_INET6:
507
0
      sctp_ifap->ifn_p->num_v6--;
508
0
      break;
509
0
#endif
510
0
    default:
511
0
      break;
512
0
    }
513
514
0
    if (LIST_EMPTY(&sctp_ifap->ifn_p->ifalist)) {
515
      /* remove the ifn, possibly freeing it */
516
0
      sctp_delete_ifn(sctp_ifap->ifn_p, SCTP_ADDR_LOCKED);
517
0
    } else {
518
      /* re-register address family type, if needed */
519
0
      if ((sctp_ifap->ifn_p->num_v6 == 0) &&
520
0
          (sctp_ifap->ifn_p->registered_af == AF_INET6)) {
521
0
        sctp_ifap->ifn_p->registered_af = AF_INET;
522
0
      } else if ((sctp_ifap->ifn_p->num_v4 == 0) &&
523
0
           (sctp_ifap->ifn_p->registered_af == AF_INET)) {
524
0
        sctp_ifap->ifn_p->registered_af = AF_INET6;
525
0
      }
526
      /* free the ifn refcount */
527
0
      sctp_free_ifn(sctp_ifap->ifn_p);
528
0
    }
529
0
    sctp_ifap->ifn_p = NULL;
530
0
  }
531
0
}
532
533
struct sctp_ifa *
534
sctp_add_addr_to_vrf(uint32_t vrf_id, void *ifn, uint32_t ifn_index,
535
         uint32_t ifn_type, const char *if_name, void *ifa,
536
         struct sockaddr *addr, uint32_t ifa_flags,
537
         int dynamic_add)
538
3
{
539
3
  struct sctp_vrf *vrf;
540
3
  struct sctp_ifn *sctp_ifnp, *new_sctp_ifnp;
541
3
  struct sctp_ifa *sctp_ifap, *new_sctp_ifap;
542
3
  struct sctp_ifalist *hash_addr_head;
543
3
  struct sctp_ifnlist *hash_ifn_head;
544
3
  uint32_t hash_of_addr;
545
3
  int new_ifn_af = 0;
546
547
#ifdef SCTP_DEBUG
548
  SCTPDBG(SCTP_DEBUG_PCB4, "vrf_id 0x%x: adding address: ", vrf_id);
549
  SCTPDBG_ADDR(SCTP_DEBUG_PCB4, addr);
550
#endif
551
3
  SCTP_MALLOC(new_sctp_ifnp, struct sctp_ifn *,
552
3
              sizeof(struct sctp_ifn), SCTP_M_IFN);
553
3
  if (new_sctp_ifnp == NULL) {
554
0
#ifdef INVARIANTS
555
0
    panic("No memory for IFN");
556
0
#endif
557
0
    return (NULL);
558
0
  }
559
3
  SCTP_MALLOC(new_sctp_ifap, struct sctp_ifa *, sizeof(struct sctp_ifa), SCTP_M_IFA);
560
3
  if (new_sctp_ifap == NULL) {
561
0
#ifdef INVARIANTS
562
0
    panic("No memory for IFA");
563
0
#endif
564
0
    SCTP_FREE(new_sctp_ifnp, SCTP_M_IFN);
565
0
    return (NULL);
566
0
  }
567
568
3
  SCTP_IPI_ADDR_WLOCK();
569
3
  sctp_ifnp = sctp_find_ifn(ifn, ifn_index);
570
3
  if (sctp_ifnp) {
571
0
    vrf = sctp_ifnp->vrf;
572
3
  } else {
573
3
    vrf = sctp_find_vrf(vrf_id);
574
3
    if (vrf == NULL) {
575
0
      vrf = sctp_allocate_vrf(vrf_id);
576
0
      if (vrf == NULL) {
577
0
        SCTP_IPI_ADDR_WUNLOCK();
578
0
        SCTP_FREE(new_sctp_ifnp, SCTP_M_IFN);
579
0
        SCTP_FREE(new_sctp_ifap, SCTP_M_IFA);
580
0
        return (NULL);
581
0
      }
582
0
    }
583
3
  }
584
3
  if (sctp_ifnp == NULL) {
585
    /* build one and add it, can't hold lock
586
     * until after malloc done though.
587
     */
588
3
    sctp_ifnp = new_sctp_ifnp;
589
3
    new_sctp_ifnp = NULL;
590
3
    memset(sctp_ifnp, 0, sizeof(struct sctp_ifn));
591
3
    sctp_ifnp->ifn_index = ifn_index;
592
3
    sctp_ifnp->ifn_p = ifn;
593
3
    sctp_ifnp->ifn_type = ifn_type;
594
3
    sctp_ifnp->refcount = 0;
595
3
    sctp_ifnp->vrf = vrf;
596
3
    atomic_add_int(&vrf->refcount, 1);
597
3
    sctp_ifnp->ifn_mtu = SCTP_GATHER_MTU_FROM_IFN_INFO(ifn, ifn_index);
598
3
    if (if_name != NULL) {
599
3
      SCTP_SNPRINTF(sctp_ifnp->ifn_name, SCTP_IFNAMSIZ, "%s", if_name);
600
3
    } else {
601
0
      SCTP_SNPRINTF(sctp_ifnp->ifn_name, SCTP_IFNAMSIZ, "%s", "unknown");
602
0
    }
603
3
    hash_ifn_head = &SCTP_BASE_INFO(vrf_ifn_hash)[(ifn_index & SCTP_BASE_INFO(vrf_ifn_hashmark))];
604
3
    LIST_INIT(&sctp_ifnp->ifalist);
605
3
    LIST_INSERT_HEAD(hash_ifn_head, sctp_ifnp, next_bucket);
606
3
    LIST_INSERT_HEAD(&vrf->ifnlist, sctp_ifnp, next_ifn);
607
3
    atomic_add_int(&SCTP_BASE_INFO(ipi_count_ifns), 1);
608
3
    new_ifn_af = 1;
609
3
  }
610
3
  sctp_ifap = sctp_find_ifa_by_addr(addr, vrf->vrf_id, SCTP_ADDR_LOCKED);
611
3
  if (sctp_ifap) {
612
    /* Hmm, it already exists? */
613
0
    if ((sctp_ifap->ifn_p) &&
614
0
        (sctp_ifap->ifn_p->ifn_index == ifn_index)) {
615
0
      SCTPDBG(SCTP_DEBUG_PCB4, "Using existing ifn %s (0x%x) for ifa %p\n",
616
0
        sctp_ifap->ifn_p->ifn_name, ifn_index,
617
0
        (void *)sctp_ifap);
618
0
      if (new_ifn_af) {
619
        /* Remove the created one that we don't want */
620
0
        sctp_delete_ifn(sctp_ifnp, SCTP_ADDR_LOCKED);
621
0
      }
622
0
      if (sctp_ifap->localifa_flags & SCTP_BEING_DELETED) {
623
        /* easy to solve, just switch back to active */
624
0
        SCTPDBG(SCTP_DEBUG_PCB4, "Clearing deleted ifa flag\n");
625
0
        sctp_ifap->localifa_flags = SCTP_ADDR_VALID;
626
0
        sctp_ifap->ifn_p = sctp_ifnp;
627
0
        atomic_add_int(&sctp_ifap->ifn_p->refcount, 1);
628
0
      }
629
0
    exit_stage_left:
630
0
      SCTP_IPI_ADDR_WUNLOCK();
631
0
      if (new_sctp_ifnp != NULL) {
632
0
        SCTP_FREE(new_sctp_ifnp, SCTP_M_IFN);
633
0
      }
634
0
      SCTP_FREE(new_sctp_ifap, SCTP_M_IFA);
635
0
      return (sctp_ifap);
636
0
    } else {
637
0
      if (sctp_ifap->ifn_p) {
638
        /*
639
         * The last IFN gets the address, remove the
640
         * old one
641
         */
642
0
        SCTPDBG(SCTP_DEBUG_PCB4, "Moving ifa %p from %s (0x%x) to %s (0x%x)\n",
643
0
          (void *)sctp_ifap, sctp_ifap->ifn_p->ifn_name,
644
0
          sctp_ifap->ifn_p->ifn_index, if_name,
645
0
          ifn_index);
646
        /* remove the address from the old ifn */
647
0
        sctp_remove_ifa_from_ifn(sctp_ifap);
648
        /* move the address over to the new ifn */
649
0
        sctp_add_ifa_to_ifn(sctp_ifnp, sctp_ifap);
650
0
        goto exit_stage_left;
651
0
      } else {
652
        /* repair ifnp which was NULL ? */
653
0
        sctp_ifap->localifa_flags = SCTP_ADDR_VALID;
654
0
        SCTPDBG(SCTP_DEBUG_PCB4, "Repairing ifn %p for ifa %p\n",
655
0
          (void *)sctp_ifnp, (void *)sctp_ifap);
656
0
        sctp_add_ifa_to_ifn(sctp_ifnp, sctp_ifap);
657
0
      }
658
0
      goto exit_stage_left;
659
0
    }
660
0
  }
661
3
  sctp_ifap = new_sctp_ifap;
662
3
  memset(sctp_ifap, 0, sizeof(struct sctp_ifa));
663
3
  sctp_ifap->ifn_p = sctp_ifnp;
664
3
  atomic_add_int(&sctp_ifnp->refcount, 1);
665
3
  sctp_ifap->vrf_id = vrf_id;
666
3
  sctp_ifap->ifa = ifa;
667
#ifdef HAVE_SA_LEN
668
  memcpy(&sctp_ifap->address, addr, addr->sa_len);
669
#else
670
3
  switch (addr->sa_family) {
671
0
#ifdef INET
672
2
  case AF_INET:
673
2
    memcpy(&sctp_ifap->address, addr, sizeof(struct sockaddr_in));
674
2
    break;
675
0
#endif
676
0
#ifdef INET6
677
0
  case AF_INET6:
678
0
    memcpy(&sctp_ifap->address, addr, sizeof(struct sockaddr_in6));
679
0
    break;
680
0
#endif
681
0
#if defined(__Userspace__)
682
1
  case AF_CONN:
683
1
    memcpy(&sctp_ifap->address, addr, sizeof(struct sockaddr_conn));
684
1
    break;
685
0
#endif
686
0
  default:
687
    /* TSNH */
688
0
    break;
689
3
  }
690
3
#endif
691
3
  sctp_ifap->localifa_flags = SCTP_ADDR_VALID | SCTP_ADDR_DEFER_USE;
692
3
  sctp_ifap->flags = ifa_flags;
693
  /* Set scope */
694
3
  switch (sctp_ifap->address.sa.sa_family) {
695
0
#ifdef INET
696
2
  case AF_INET:
697
2
  {
698
2
    struct sockaddr_in *sin;
699
700
2
    sin = &sctp_ifap->address.sin;
701
2
    if (SCTP_IFN_IS_IFT_LOOP(sctp_ifap->ifn_p) ||
702
2
        (IN4_ISLOOPBACK_ADDRESS(&sin->sin_addr))) {
703
1
      sctp_ifap->src_is_loop = 1;
704
1
    }
705
2
    if ((IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
706
1
      sctp_ifap->src_is_priv = 1;
707
1
    }
708
2
    sctp_ifnp->num_v4++;
709
2
    if (new_ifn_af)
710
2
        new_ifn_af = AF_INET;
711
2
    break;
712
0
  }
713
0
#endif
714
0
#ifdef INET6
715
0
  case AF_INET6:
716
0
  {
717
    /* ok to use deprecated addresses? */
718
0
    struct sockaddr_in6 *sin6;
719
720
0
    sin6 = &sctp_ifap->address.sin6;
721
0
    if (SCTP_IFN_IS_IFT_LOOP(sctp_ifap->ifn_p) ||
722
0
        (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))) {
723
0
      sctp_ifap->src_is_loop = 1;
724
0
    }
725
0
    if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
726
0
      sctp_ifap->src_is_priv = 1;
727
0
    }
728
0
    sctp_ifnp->num_v6++;
729
0
    if (new_ifn_af)
730
0
      new_ifn_af = AF_INET6;
731
0
    break;
732
0
  }
733
0
#endif
734
0
#if defined(__Userspace__)
735
1
  case AF_CONN:
736
1
    if (new_ifn_af)
737
1
      new_ifn_af = AF_CONN;
738
1
    break;
739
0
#endif
740
0
  default:
741
0
    new_ifn_af = 0;
742
0
    break;
743
3
  }
744
3
  hash_of_addr = sctp_get_ifa_hash_val(&sctp_ifap->address.sa);
745
746
3
  if ((sctp_ifap->src_is_priv == 0) &&
747
3
      (sctp_ifap->src_is_loop == 0)) {
748
1
    sctp_ifap->src_is_glob = 1;
749
1
  }
750
3
  hash_addr_head = &vrf->vrf_addr_hash[(hash_of_addr & vrf->vrf_addr_hashmark)];
751
3
  LIST_INSERT_HEAD(hash_addr_head, sctp_ifap, next_bucket);
752
3
  sctp_ifap->refcount = 1;
753
3
  LIST_INSERT_HEAD(&sctp_ifnp->ifalist, sctp_ifap, next_ifa);
754
3
  sctp_ifnp->ifa_count++;
755
3
  vrf->total_ifa_count++;
756
3
  atomic_add_int(&SCTP_BASE_INFO(ipi_count_ifas), 1);
757
3
  if (new_ifn_af) {
758
3
    sctp_ifnp->registered_af = new_ifn_af;
759
3
  }
760
3
  SCTP_IPI_ADDR_WUNLOCK();
761
3
  if (new_sctp_ifnp != NULL) {
762
0
    SCTP_FREE(new_sctp_ifnp, SCTP_M_IFN);
763
0
  }
764
765
3
  if (dynamic_add) {
766
    /* Bump up the refcount so that when the timer
767
     * completes it will drop back down.
768
     */
769
0
    struct sctp_laddr *wi;
770
771
0
    atomic_add_int(&sctp_ifap->refcount, 1);
772
0
    wi = SCTP_ZONE_GET(SCTP_BASE_INFO(ipi_zone_laddr), struct sctp_laddr);
773
0
    if (wi == NULL) {
774
      /*
775
       * Gak, what can we do? We have lost an address
776
       * change can you say HOSED?
777
       */
778
0
      SCTPDBG(SCTP_DEBUG_PCB4, "Lost an address change?\n");
779
      /* Opps, must decrement the count */
780
0
      sctp_del_addr_from_vrf(vrf_id, addr, ifn_index,
781
0
                 if_name);
782
0
      return (NULL);
783
0
    }
784
0
    SCTP_INCR_LADDR_COUNT();
785
0
    memset(wi, 0, sizeof(*wi));
786
0
    (void)SCTP_GETTIME_TIMEVAL(&wi->start_time);
787
0
    wi->ifa = sctp_ifap;
788
0
    wi->action = SCTP_ADD_IP_ADDRESS;
789
790
0
    SCTP_WQ_ADDR_LOCK();
791
0
    LIST_INSERT_HEAD(&SCTP_BASE_INFO(addr_wq), wi, sctp_nxt_addr);
792
0
    sctp_timer_start(SCTP_TIMER_TYPE_ADDR_WQ,
793
0
         (struct sctp_inpcb *)NULL,
794
0
         (struct sctp_tcb *)NULL,
795
0
         (struct sctp_nets *)NULL);
796
0
    SCTP_WQ_ADDR_UNLOCK();
797
3
  } else {
798
    /* it's ready for use */
799
3
    sctp_ifap->localifa_flags &= ~SCTP_ADDR_DEFER_USE;
800
3
  }
801
3
  return (sctp_ifap);
802
3
}
803
804
void
805
sctp_del_addr_from_vrf(uint32_t vrf_id, struct sockaddr *addr,
806
           uint32_t ifn_index, const char *if_name)
807
0
{
808
0
  struct sctp_vrf *vrf;
809
0
  struct sctp_ifa *sctp_ifap = NULL;
810
811
0
  SCTP_IPI_ADDR_WLOCK();
812
0
  vrf = sctp_find_vrf(vrf_id);
813
0
  if (vrf == NULL) {
814
0
    SCTPDBG(SCTP_DEBUG_PCB4, "Can't find vrf_id 0x%x\n", vrf_id);
815
0
    goto out_now;
816
0
  }
817
818
#ifdef SCTP_DEBUG
819
  SCTPDBG(SCTP_DEBUG_PCB4, "vrf_id 0x%x: deleting address:", vrf_id);
820
  SCTPDBG_ADDR(SCTP_DEBUG_PCB4, addr);
821
#endif
822
0
  sctp_ifap = sctp_find_ifa_by_addr(addr, vrf->vrf_id, SCTP_ADDR_LOCKED);
823
0
  if (sctp_ifap) {
824
    /* Validate the delete */
825
0
    if (sctp_ifap->ifn_p) {
826
0
      int valid = 0;
827
      /*-
828
       * The name has priority over the ifn_index
829
       * if its given.
830
       */
831
0
      if (if_name) {
832
0
        if (strncmp(if_name, sctp_ifap->ifn_p->ifn_name, SCTP_IFNAMSIZ) == 0) {
833
          /* They match its a correct delete */
834
0
          valid = 1;
835
0
        }
836
0
      }
837
0
      if (!valid) {
838
        /* last ditch check ifn_index */
839
0
        if (ifn_index == sctp_ifap->ifn_p->ifn_index) {
840
0
          valid = 1;
841
0
        }
842
0
      }
843
0
      if (!valid) {
844
0
        SCTPDBG(SCTP_DEBUG_PCB4, "ifn:%d ifname:%s does not match addresses\n",
845
0
          ifn_index, ((if_name == NULL) ? "NULL" : if_name));
846
0
        SCTPDBG(SCTP_DEBUG_PCB4, "ifn:%d ifname:%s - ignoring delete\n",
847
0
          sctp_ifap->ifn_p->ifn_index, sctp_ifap->ifn_p->ifn_name);
848
0
        SCTP_IPI_ADDR_WUNLOCK();
849
0
        return;
850
0
      }
851
0
    }
852
0
    SCTPDBG(SCTP_DEBUG_PCB4, "Deleting ifa %p\n", (void *)sctp_ifap);
853
0
    sctp_ifap->localifa_flags &= SCTP_ADDR_VALID;
854
    /*
855
     * We don't set the flag. This means that the structure will
856
     * hang around in EP's that have bound specific to it until
857
     * they close. This gives us TCP like behavior if someone
858
     * removes an address (or for that matter adds it right back).
859
     */
860
    /* sctp_ifap->localifa_flags |= SCTP_BEING_DELETED; */
861
0
    vrf->total_ifa_count--;
862
0
    LIST_REMOVE(sctp_ifap, next_bucket);
863
0
    sctp_remove_ifa_from_ifn(sctp_ifap);
864
0
  }
865
#ifdef SCTP_DEBUG
866
  else {
867
    SCTPDBG(SCTP_DEBUG_PCB4, "Del Addr-ifn:%d Could not find address:",
868
      ifn_index);
869
    SCTPDBG_ADDR(SCTP_DEBUG_PCB1, addr);
870
  }
871
#endif
872
873
0
 out_now:
874
0
  SCTP_IPI_ADDR_WUNLOCK();
875
0
  if (sctp_ifap) {
876
0
    struct sctp_laddr *wi;
877
878
0
    wi = SCTP_ZONE_GET(SCTP_BASE_INFO(ipi_zone_laddr), struct sctp_laddr);
879
0
    if (wi == NULL) {
880
      /*
881
       * Gak, what can we do? We have lost an address
882
       * change can you say HOSED?
883
       */
884
0
      SCTPDBG(SCTP_DEBUG_PCB4, "Lost an address change?\n");
885
886
      /* Oops, must decrement the count */
887
0
      sctp_free_ifa(sctp_ifap);
888
0
      return;
889
0
    }
890
0
    SCTP_INCR_LADDR_COUNT();
891
0
    memset(wi, 0, sizeof(*wi));
892
0
    (void)SCTP_GETTIME_TIMEVAL(&wi->start_time);
893
0
    wi->ifa = sctp_ifap;
894
0
    wi->action = SCTP_DEL_IP_ADDRESS;
895
0
    SCTP_WQ_ADDR_LOCK();
896
    /*
897
     * Should this really be a tailq? As it is we will process the
898
     * newest first :-0
899
     */
900
0
    LIST_INSERT_HEAD(&SCTP_BASE_INFO(addr_wq), wi, sctp_nxt_addr);
901
0
    sctp_timer_start(SCTP_TIMER_TYPE_ADDR_WQ,
902
0
         (struct sctp_inpcb *)NULL,
903
0
         (struct sctp_tcb *)NULL,
904
0
         (struct sctp_nets *)NULL);
905
0
    SCTP_WQ_ADDR_UNLOCK();
906
0
  }
907
0
  return;
908
0
}
909
910
static int
911
sctp_does_stcb_own_this_addr(struct sctp_tcb *stcb, struct sockaddr *to)
912
37.6k
{
913
37.6k
  int loopback_scope;
914
37.6k
#if defined(INET)
915
37.6k
  int ipv4_local_scope, ipv4_addr_legal;
916
37.6k
#endif
917
37.6k
#if defined(INET6)
918
37.6k
  int local_scope, site_scope, ipv6_addr_legal;
919
37.6k
#endif
920
37.6k
#if defined(__Userspace__)
921
37.6k
  int conn_addr_legal;
922
37.6k
#endif
923
37.6k
  struct sctp_vrf *vrf;
924
37.6k
  struct sctp_ifn *sctp_ifn;
925
37.6k
  struct sctp_ifa *sctp_ifa;
926
927
37.6k
  loopback_scope = stcb->asoc.scope.loopback_scope;
928
37.6k
#if defined(INET)
929
37.6k
  ipv4_local_scope = stcb->asoc.scope.ipv4_local_scope;
930
37.6k
  ipv4_addr_legal = stcb->asoc.scope.ipv4_addr_legal;
931
37.6k
#endif
932
37.6k
#if defined(INET6)
933
37.6k
  local_scope = stcb->asoc.scope.local_scope;
934
37.6k
  site_scope = stcb->asoc.scope.site_scope;
935
37.6k
  ipv6_addr_legal = stcb->asoc.scope.ipv6_addr_legal;
936
37.6k
#endif
937
37.6k
#if defined(__Userspace__)
938
37.6k
  conn_addr_legal = stcb->asoc.scope.conn_addr_legal;
939
37.6k
#endif
940
941
37.6k
  SCTP_IPI_ADDR_RLOCK();
942
37.6k
  vrf = sctp_find_vrf(stcb->asoc.vrf_id);
943
37.6k
  if (vrf == NULL) {
944
    /* no vrf, no addresses */
945
0
    SCTP_IPI_ADDR_RUNLOCK();
946
0
    return (0);
947
0
  }
948
949
37.6k
  if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
950
0
    LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
951
0
      if ((loopback_scope == 0) &&
952
0
          SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
953
0
        continue;
954
0
      }
955
0
      LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
956
0
        if (sctp_is_addr_restricted(stcb, sctp_ifa) &&
957
0
            (!sctp_is_addr_pending(stcb, sctp_ifa))) {
958
          /* We allow pending addresses, where we
959
           * have sent an asconf-add to be considered
960
           * valid.
961
           */
962
0
          continue;
963
0
        }
964
0
        if (sctp_ifa->address.sa.sa_family != to->sa_family) {
965
0
          continue;
966
0
        }
967
0
        switch (sctp_ifa->address.sa.sa_family) {
968
0
#ifdef INET
969
0
        case AF_INET:
970
0
          if (ipv4_addr_legal) {
971
0
            struct sockaddr_in *sin, *rsin;
972
973
0
            sin = &sctp_ifa->address.sin;
974
0
            rsin = (struct sockaddr_in *)to;
975
0
            if ((ipv4_local_scope == 0) &&
976
0
                IN4_ISPRIVATE_ADDRESS(&sin->sin_addr)) {
977
0
              continue;
978
0
            }
979
#if defined(__FreeBSD__) && !defined(__Userspace__)
980
            if (prison_check_ip4(stcb->sctp_ep->ip_inp.inp.inp_cred,
981
                                 &sin->sin_addr) != 0) {
982
              continue;
983
            }
984
#endif
985
0
            if (sin->sin_addr.s_addr == rsin->sin_addr.s_addr) {
986
0
              SCTP_IPI_ADDR_RUNLOCK();
987
0
              return (1);
988
0
            }
989
0
          }
990
0
          break;
991
0
#endif
992
0
#ifdef INET6
993
0
        case AF_INET6:
994
0
          if (ipv6_addr_legal) {
995
0
            struct sockaddr_in6 *sin6, *rsin6;
996
#if defined(SCTP_EMBEDDED_V6_SCOPE) && !defined(SCTP_KAME)
997
            struct sockaddr_in6 lsa6;
998
#endif
999
0
            sin6 = &sctp_ifa->address.sin6;
1000
0
            rsin6 = (struct sockaddr_in6 *)to;
1001
#if defined(__FreeBSD__) && !defined(__Userspace__)
1002
            if (prison_check_ip6(stcb->sctp_ep->ip_inp.inp.inp_cred,
1003
                                 &sin6->sin6_addr) != 0) {
1004
              continue;
1005
            }
1006
#endif
1007
0
            if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
1008
0
              if (local_scope == 0)
1009
0
                continue;
1010
#if defined(SCTP_EMBEDDED_V6_SCOPE)
1011
              if (sin6->sin6_scope_id == 0) {
1012
#ifdef SCTP_KAME
1013
                if (sa6_recoverscope(sin6) != 0)
1014
                  continue;
1015
#else
1016
                lsa6 = *sin6;
1017
                if (in6_recoverscope(&lsa6,
1018
                                     &lsa6.sin6_addr,
1019
                                     NULL))
1020
                  continue;
1021
                sin6 = &lsa6;
1022
#endif /* SCTP_KAME */
1023
              }
1024
#endif /* SCTP_EMBEDDED_V6_SCOPE */
1025
0
            }
1026
0
            if ((site_scope == 0) &&
1027
0
                (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1028
0
              continue;
1029
0
            }
1030
0
            if (SCTP6_ARE_ADDR_EQUAL(sin6, rsin6)) {
1031
0
              SCTP_IPI_ADDR_RUNLOCK();
1032
0
              return (1);
1033
0
            }
1034
0
          }
1035
0
          break;
1036
0
#endif
1037
0
#if defined(__Userspace__)
1038
0
        case AF_CONN:
1039
0
          if (conn_addr_legal) {
1040
0
            struct sockaddr_conn *sconn, *rsconn;
1041
1042
0
            sconn = &sctp_ifa->address.sconn;
1043
0
            rsconn = (struct sockaddr_conn *)to;
1044
0
            if (sconn->sconn_addr == rsconn->sconn_addr) {
1045
0
              SCTP_IPI_ADDR_RUNLOCK();
1046
0
              return (1);
1047
0
            }
1048
0
          }
1049
0
          break;
1050
0
#endif
1051
0
        default:
1052
          /* TSNH */
1053
0
          break;
1054
0
        }
1055
0
      }
1056
0
    }
1057
37.6k
  } else {
1058
37.6k
    struct sctp_laddr *laddr;
1059
1060
37.6k
    LIST_FOREACH(laddr, &stcb->sctp_ep->sctp_addr_list, sctp_nxt_addr) {
1061
37.6k
      if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
1062
0
        SCTPDBG(SCTP_DEBUG_PCB1, "ifa being deleted\n");
1063
0
        continue;
1064
0
      }
1065
37.6k
      if (sctp_is_addr_restricted(stcb, laddr->ifa) &&
1066
37.6k
          (!sctp_is_addr_pending(stcb, laddr->ifa))) {
1067
        /* We allow pending addresses, where we
1068
         * have sent an asconf-add to be considered
1069
         * valid.
1070
         */
1071
0
        continue;
1072
0
      }
1073
37.6k
      if (laddr->ifa->address.sa.sa_family != to->sa_family) {
1074
0
        continue;
1075
0
      }
1076
37.6k
      switch (to->sa_family) {
1077
0
#ifdef INET
1078
0
      case AF_INET:
1079
0
      {
1080
0
        struct sockaddr_in *sin, *rsin;
1081
1082
0
        sin = &laddr->ifa->address.sin;
1083
0
        rsin = (struct sockaddr_in *)to;
1084
0
        if (sin->sin_addr.s_addr == rsin->sin_addr.s_addr) {
1085
0
          SCTP_IPI_ADDR_RUNLOCK();
1086
0
          return (1);
1087
0
        }
1088
0
        break;
1089
0
      }
1090
0
#endif
1091
0
#ifdef INET6
1092
0
      case AF_INET6:
1093
0
      {
1094
0
        struct sockaddr_in6 *sin6, *rsin6;
1095
1096
0
        sin6 = &laddr->ifa->address.sin6;
1097
0
        rsin6 = (struct sockaddr_in6 *)to;
1098
0
        if (SCTP6_ARE_ADDR_EQUAL(sin6, rsin6)) {
1099
0
          SCTP_IPI_ADDR_RUNLOCK();
1100
0
          return (1);
1101
0
        }
1102
0
        break;
1103
0
      }
1104
1105
0
#endif
1106
0
#if defined(__Userspace__)
1107
37.6k
      case AF_CONN:
1108
37.6k
      {
1109
37.6k
        struct sockaddr_conn *sconn, *rsconn;
1110
1111
37.6k
        sconn = &laddr->ifa->address.sconn;
1112
37.6k
        rsconn = (struct sockaddr_conn *)to;
1113
37.6k
        if (sconn->sconn_addr == rsconn->sconn_addr) {
1114
37.6k
          SCTP_IPI_ADDR_RUNLOCK();
1115
37.6k
          return (1);
1116
37.6k
        }
1117
0
        break;
1118
37.6k
      }
1119
0
#endif
1120
0
      default:
1121
        /* TSNH */
1122
0
        break;
1123
37.6k
      }
1124
37.6k
    }
1125
37.6k
  }
1126
0
  SCTP_IPI_ADDR_RUNLOCK();
1127
0
  return (0);
1128
0
}
1129
1130
static struct sctp_tcb *
1131
sctp_tcb_special_locate(struct sctp_inpcb **inp_p, struct sockaddr *from,
1132
    struct sockaddr *to, struct sctp_nets **netp, uint32_t vrf_id)
1133
0
{
1134
  /**** ASSUMES THE CALLER holds the INP_INFO_RLOCK */
1135
  /*
1136
   * If we support the TCP model, then we must now dig through to see
1137
   * if we can find our endpoint in the list of tcp ep's.
1138
   */
1139
0
  uint16_t lport, rport;
1140
0
  struct sctppcbhead *ephead;
1141
0
  struct sctp_inpcb *inp;
1142
0
  struct sctp_laddr *laddr;
1143
0
  struct sctp_tcb *stcb;
1144
0
  struct sctp_nets *net;
1145
#ifdef SCTP_MVRF
1146
  int fnd, i;
1147
#endif
1148
1149
0
  if ((to == NULL) || (from == NULL)) {
1150
0
    return (NULL);
1151
0
  }
1152
1153
0
  switch (to->sa_family) {
1154
0
#ifdef INET
1155
0
  case AF_INET:
1156
0
    if (from->sa_family == AF_INET) {
1157
0
      lport = ((struct sockaddr_in *)to)->sin_port;
1158
0
      rport = ((struct sockaddr_in *)from)->sin_port;
1159
0
    } else {
1160
0
      return (NULL);
1161
0
    }
1162
0
    break;
1163
0
#endif
1164
0
#ifdef INET6
1165
0
  case AF_INET6:
1166
0
    if (from->sa_family == AF_INET6) {
1167
0
      lport = ((struct sockaddr_in6 *)to)->sin6_port;
1168
0
      rport = ((struct sockaddr_in6 *)from)->sin6_port;
1169
0
    } else {
1170
0
      return (NULL);
1171
0
    }
1172
0
    break;
1173
0
#endif
1174
0
#if defined(__Userspace__)
1175
0
  case AF_CONN:
1176
0
    if (from->sa_family == AF_CONN) {
1177
0
      lport = ((struct sockaddr_conn *)to)->sconn_port;
1178
0
      rport = ((struct sockaddr_conn *)from)->sconn_port;
1179
0
    } else {
1180
0
      return (NULL);
1181
0
    }
1182
0
    break;
1183
0
#endif
1184
0
  default:
1185
0
    return (NULL);
1186
0
  }
1187
0
  ephead = &SCTP_BASE_INFO(sctp_tcpephash)[SCTP_PCBHASH_ALLADDR((lport | rport), SCTP_BASE_INFO(hashtcpmark))];
1188
  /*
1189
   * Ok now for each of the guys in this bucket we must look and see:
1190
   * - Does the remote port match. - Does there single association's
1191
   * addresses match this address (to). If so we update p_ep to point
1192
   * to this ep and return the tcb from it.
1193
   */
1194
0
  LIST_FOREACH(inp, ephead, sctp_hash) {
1195
0
    SCTP_INP_RLOCK(inp);
1196
0
    if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
1197
0
      SCTP_INP_RUNLOCK(inp);
1198
0
      continue;
1199
0
    }
1200
0
    if (lport != inp->sctp_lport) {
1201
0
      SCTP_INP_RUNLOCK(inp);
1202
0
      continue;
1203
0
    }
1204
#if defined(__FreeBSD__) && !defined(__Userspace__)
1205
    switch (to->sa_family) {
1206
#ifdef INET
1207
    case AF_INET:
1208
    {
1209
      struct sockaddr_in *sin;
1210
1211
      sin = (struct sockaddr_in *)to;
1212
      if (prison_check_ip4(inp->ip_inp.inp.inp_cred,
1213
                           &sin->sin_addr) != 0) {
1214
        SCTP_INP_RUNLOCK(inp);
1215
        continue;
1216
      }
1217
      break;
1218
    }
1219
#endif
1220
#ifdef INET6
1221
    case AF_INET6:
1222
    {
1223
      struct sockaddr_in6 *sin6;
1224
1225
      sin6 = (struct sockaddr_in6 *)to;
1226
      if (prison_check_ip6(inp->ip_inp.inp.inp_cred,
1227
                           &sin6->sin6_addr) != 0) {
1228
        SCTP_INP_RUNLOCK(inp);
1229
        continue;
1230
      }
1231
      break;
1232
    }
1233
#endif
1234
    default:
1235
      SCTP_INP_RUNLOCK(inp);
1236
      continue;
1237
    }
1238
#endif
1239
#ifdef SCTP_MVRF
1240
    fnd = 0;
1241
    for (i = 0; i < inp->num_vrfs; i++) {
1242
      if (inp->m_vrf_ids[i] == vrf_id) {
1243
        fnd = 1;
1244
        break;
1245
      }
1246
    }
1247
    if (fnd == 0) {
1248
      SCTP_INP_RUNLOCK(inp);
1249
      continue;
1250
    }
1251
#else
1252
0
    if (inp->def_vrf_id != vrf_id) {
1253
0
      SCTP_INP_RUNLOCK(inp);
1254
0
      continue;
1255
0
    }
1256
0
#endif
1257
    /* check to see if the ep has one of the addresses */
1258
0
    if ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) == 0) {
1259
      /* We are NOT bound all, so look further */
1260
0
      int match = 0;
1261
1262
0
      LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
1263
0
        if (laddr->ifa == NULL) {
1264
0
          SCTPDBG(SCTP_DEBUG_PCB1, "%s: NULL ifa\n", __func__);
1265
0
          continue;
1266
0
        }
1267
0
        if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
1268
0
          SCTPDBG(SCTP_DEBUG_PCB1, "ifa being deleted\n");
1269
0
          continue;
1270
0
        }
1271
0
        if (laddr->ifa->address.sa.sa_family ==
1272
0
            to->sa_family) {
1273
          /* see if it matches */
1274
0
#ifdef INET
1275
0
          if (from->sa_family == AF_INET) {
1276
0
            struct sockaddr_in *intf_addr, *sin;
1277
1278
0
            intf_addr = &laddr->ifa->address.sin;
1279
0
            sin = (struct sockaddr_in *)to;
1280
0
            if (sin->sin_addr.s_addr ==
1281
0
                intf_addr->sin_addr.s_addr) {
1282
0
              match = 1;
1283
0
              break;
1284
0
            }
1285
0
          }
1286
0
#endif
1287
0
#ifdef INET6
1288
0
          if (from->sa_family == AF_INET6) {
1289
0
            struct sockaddr_in6 *intf_addr6;
1290
0
            struct sockaddr_in6 *sin6;
1291
1292
0
            sin6 = (struct sockaddr_in6 *)
1293
0
                to;
1294
0
            intf_addr6 = &laddr->ifa->address.sin6;
1295
1296
0
            if (SCTP6_ARE_ADDR_EQUAL(sin6,
1297
0
                intf_addr6)) {
1298
0
              match = 1;
1299
0
              break;
1300
0
            }
1301
0
          }
1302
0
#endif
1303
0
#if defined(__Userspace__)
1304
0
          if (from->sa_family == AF_CONN) {
1305
0
            struct sockaddr_conn *intf_addr, *sconn;
1306
1307
0
            intf_addr = &laddr->ifa->address.sconn;
1308
0
            sconn = (struct sockaddr_conn *)to;
1309
0
            if (sconn->sconn_addr ==
1310
0
                intf_addr->sconn_addr) {
1311
0
              match = 1;
1312
0
              break;
1313
0
            }
1314
0
          }
1315
0
#endif
1316
0
        }
1317
0
      }
1318
0
      if (match == 0) {
1319
        /* This endpoint does not have this address */
1320
0
        SCTP_INP_RUNLOCK(inp);
1321
0
        continue;
1322
0
      }
1323
0
    }
1324
    /*
1325
     * Ok if we hit here the ep has the address, does it hold
1326
     * the tcb?
1327
     */
1328
    /* XXX: Why don't we TAILQ_FOREACH through sctp_asoc_list? */
1329
0
    stcb = LIST_FIRST(&inp->sctp_asoc_list);
1330
0
    if (stcb == NULL) {
1331
0
      SCTP_INP_RUNLOCK(inp);
1332
0
      continue;
1333
0
    }
1334
0
    SCTP_TCB_LOCK(stcb);
1335
0
    if (!sctp_does_stcb_own_this_addr(stcb, to)) {
1336
0
      SCTP_TCB_UNLOCK(stcb);
1337
0
      SCTP_INP_RUNLOCK(inp);
1338
0
      continue;
1339
0
    }
1340
0
    if (stcb->rport != rport) {
1341
      /* remote port does not match. */
1342
0
      SCTP_TCB_UNLOCK(stcb);
1343
0
      SCTP_INP_RUNLOCK(inp);
1344
0
      continue;
1345
0
    }
1346
0
    if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
1347
0
      SCTP_TCB_UNLOCK(stcb);
1348
0
      SCTP_INP_RUNLOCK(inp);
1349
0
      continue;
1350
0
    }
1351
0
    if (!sctp_does_stcb_own_this_addr(stcb, to)) {
1352
0
      SCTP_TCB_UNLOCK(stcb);
1353
0
      SCTP_INP_RUNLOCK(inp);
1354
0
      continue;
1355
0
    }
1356
    /* Does this TCB have a matching address? */
1357
0
    TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
1358
0
      if (net->ro._l_addr.sa.sa_family != from->sa_family) {
1359
        /* not the same family, can't be a match */
1360
0
        continue;
1361
0
      }
1362
0
      switch (from->sa_family) {
1363
0
#ifdef INET
1364
0
      case AF_INET:
1365
0
      {
1366
0
        struct sockaddr_in *sin, *rsin;
1367
1368
0
        sin = (struct sockaddr_in *)&net->ro._l_addr;
1369
0
        rsin = (struct sockaddr_in *)from;
1370
0
        if (sin->sin_addr.s_addr ==
1371
0
            rsin->sin_addr.s_addr) {
1372
          /* found it */
1373
0
          if (netp != NULL) {
1374
0
            *netp = net;
1375
0
          }
1376
          /* Update the endpoint pointer */
1377
0
          *inp_p = inp;
1378
0
          SCTP_INP_RUNLOCK(inp);
1379
0
          return (stcb);
1380
0
        }
1381
0
        break;
1382
0
      }
1383
0
#endif
1384
0
#ifdef INET6
1385
0
      case AF_INET6:
1386
0
      {
1387
0
        struct sockaddr_in6 *sin6, *rsin6;
1388
1389
0
        sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
1390
0
        rsin6 = (struct sockaddr_in6 *)from;
1391
0
        if (SCTP6_ARE_ADDR_EQUAL(sin6,
1392
0
            rsin6)) {
1393
          /* found it */
1394
0
          if (netp != NULL) {
1395
0
            *netp = net;
1396
0
          }
1397
          /* Update the endpoint pointer */
1398
0
          *inp_p = inp;
1399
0
          SCTP_INP_RUNLOCK(inp);
1400
0
          return (stcb);
1401
0
        }
1402
0
        break;
1403
0
      }
1404
0
#endif
1405
0
#if defined(__Userspace__)
1406
0
      case AF_CONN:
1407
0
      {
1408
0
        struct sockaddr_conn *sconn, *rsconn;
1409
1410
0
        sconn = (struct sockaddr_conn *)&net->ro._l_addr;
1411
0
        rsconn = (struct sockaddr_conn *)from;
1412
0
        if (sconn->sconn_addr == rsconn->sconn_addr) {
1413
          /* found it */
1414
0
          if (netp != NULL) {
1415
0
            *netp = net;
1416
0
          }
1417
          /* Update the endpoint pointer */
1418
0
          *inp_p = inp;
1419
0
          SCTP_INP_RUNLOCK(inp);
1420
0
          return (stcb);
1421
0
        }
1422
0
        break;
1423
0
      }
1424
0
#endif
1425
0
      default:
1426
        /* TSNH */
1427
0
        break;
1428
0
      }
1429
0
    }
1430
0
    SCTP_TCB_UNLOCK(stcb);
1431
0
    SCTP_INP_RUNLOCK(inp);
1432
0
  }
1433
0
  return (NULL);
1434
0
}
1435
1436
/*
1437
 * rules for use
1438
 *
1439
 * 1) If I return a NULL you must decrement any INP ref cnt. 2) If I find an
1440
 * stcb, both will be locked (locked_tcb and stcb) but decrement will be done
1441
 * (if locked == NULL). 3) Decrement happens on return ONLY if locked ==
1442
 * NULL.
1443
 */
1444
1445
struct sctp_tcb *
1446
sctp_findassociation_ep_addr(struct sctp_inpcb **inp_p, struct sockaddr *remote,
1447
    struct sctp_nets **netp, struct sockaddr *local, struct sctp_tcb *locked_tcb)
1448
20.8k
{
1449
20.8k
  struct sctpasochead *head;
1450
20.8k
  struct sctp_inpcb *inp;
1451
20.8k
  struct sctp_tcb *stcb = NULL;
1452
20.8k
  struct sctp_nets *net;
1453
20.8k
  uint16_t rport;
1454
1455
20.8k
  inp = *inp_p;
1456
20.8k
  switch (remote->sa_family) {
1457
0
#ifdef INET
1458
0
  case AF_INET:
1459
0
    rport = (((struct sockaddr_in *)remote)->sin_port);
1460
0
    break;
1461
0
#endif
1462
0
#ifdef INET6
1463
0
  case AF_INET6:
1464
0
    rport = (((struct sockaddr_in6 *)remote)->sin6_port);
1465
0
    break;
1466
0
#endif
1467
0
#if defined(__Userspace__)
1468
20.8k
  case AF_CONN:
1469
20.8k
    rport = (((struct sockaddr_conn *)remote)->sconn_port);
1470
20.8k
    break;
1471
0
#endif
1472
0
  default:
1473
0
    return (NULL);
1474
20.8k
  }
1475
20.8k
  if (locked_tcb) {
1476
    /*
1477
     * UN-lock so we can do proper locking here this occurs when
1478
     * called from load_addresses_from_init.
1479
     */
1480
9.22k
    atomic_add_int(&locked_tcb->asoc.refcnt, 1);
1481
9.22k
    SCTP_TCB_UNLOCK(locked_tcb);
1482
9.22k
  }
1483
20.8k
  SCTP_INP_INFO_RLOCK();
1484
20.8k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1485
20.8k
      (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
1486
    /*-
1487
     * Now either this guy is our listener or it's the
1488
     * connector. If it is the one that issued the connect, then
1489
     * it's only chance is to be the first TCB in the list. If
1490
     * it is the acceptor, then do the special_lookup to hash
1491
     * and find the real inp.
1492
     */
1493
20.8k
    if ((inp->sctp_socket) && SCTP_IS_LISTENING(inp)) {
1494
      /* to is peer addr, from is my addr */
1495
0
#ifndef SCTP_MVRF
1496
0
      stcb = sctp_tcb_special_locate(inp_p, remote, local,
1497
0
          netp, inp->def_vrf_id);
1498
0
      if ((stcb != NULL) && (locked_tcb == NULL)) {
1499
        /* we have a locked tcb, lower refcount */
1500
0
        SCTP_INP_DECR_REF(inp);
1501
0
      }
1502
0
      if ((locked_tcb != NULL) && (locked_tcb != stcb)) {
1503
0
        SCTP_INP_RLOCK(locked_tcb->sctp_ep);
1504
0
        SCTP_TCB_LOCK(locked_tcb);
1505
0
        atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1506
0
        SCTP_INP_RUNLOCK(locked_tcb->sctp_ep);
1507
0
      }
1508
#else
1509
      /*-
1510
       * MVRF is tricky, we must look in every VRF
1511
       * the endpoint has.
1512
       */
1513
      int i;
1514
1515
      for (i = 0; i < inp->num_vrfs; i++) {
1516
        stcb = sctp_tcb_special_locate(inp_p, remote, local,
1517
                                       netp, inp->m_vrf_ids[i]);
1518
        if ((stcb != NULL) && (locked_tcb == NULL)) {
1519
          /* we have a locked tcb, lower refcount */
1520
          SCTP_INP_DECR_REF(inp);
1521
          break;
1522
        }
1523
        if ((locked_tcb != NULL) && (locked_tcb != stcb)) {
1524
          SCTP_INP_RLOCK(locked_tcb->sctp_ep);
1525
          SCTP_TCB_LOCK(locked_tcb);
1526
          atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1527
          SCTP_INP_RUNLOCK(locked_tcb->sctp_ep);
1528
          break;
1529
        }
1530
      }
1531
#endif
1532
0
      SCTP_INP_INFO_RUNLOCK();
1533
0
      return (stcb);
1534
20.8k
    } else {
1535
20.8k
      SCTP_INP_WLOCK(inp);
1536
20.8k
      if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
1537
0
        goto null_return;
1538
0
      }
1539
20.8k
      stcb = LIST_FIRST(&inp->sctp_asoc_list);
1540
20.8k
      if (stcb == NULL) {
1541
11.6k
        goto null_return;
1542
11.6k
      }
1543
9.22k
      SCTP_TCB_LOCK(stcb);
1544
1545
9.22k
      if (stcb->rport != rport) {
1546
        /* remote port does not match. */
1547
0
        SCTP_TCB_UNLOCK(stcb);
1548
0
        goto null_return;
1549
0
      }
1550
9.22k
      if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
1551
0
        SCTP_TCB_UNLOCK(stcb);
1552
0
        goto null_return;
1553
0
      }
1554
9.22k
      if (local && !sctp_does_stcb_own_this_addr(stcb, local)) {
1555
0
        SCTP_TCB_UNLOCK(stcb);
1556
0
        goto null_return;
1557
0
      }
1558
      /* now look at the list of remote addresses */
1559
9.22k
      TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
1560
9.22k
#ifdef INVARIANTS
1561
9.22k
        if (net == (TAILQ_NEXT(net, sctp_next))) {
1562
0
          panic("Corrupt net list");
1563
0
        }
1564
9.22k
#endif
1565
9.22k
        if (net->ro._l_addr.sa.sa_family !=
1566
9.22k
            remote->sa_family) {
1567
          /* not the same family */
1568
0
          continue;
1569
0
        }
1570
9.22k
        switch (remote->sa_family) {
1571
0
#ifdef INET
1572
0
        case AF_INET:
1573
0
        {
1574
0
          struct sockaddr_in *sin, *rsin;
1575
1576
0
          sin = (struct sockaddr_in *)
1577
0
              &net->ro._l_addr;
1578
0
          rsin = (struct sockaddr_in *)remote;
1579
0
          if (sin->sin_addr.s_addr ==
1580
0
              rsin->sin_addr.s_addr) {
1581
            /* found it */
1582
0
            if (netp != NULL) {
1583
0
              *netp = net;
1584
0
            }
1585
0
            if (locked_tcb == NULL) {
1586
0
              SCTP_INP_DECR_REF(inp);
1587
0
            } else if (locked_tcb != stcb) {
1588
0
              SCTP_TCB_LOCK(locked_tcb);
1589
0
            }
1590
0
            if (locked_tcb) {
1591
0
              atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1592
0
            }
1593
1594
0
            SCTP_INP_WUNLOCK(inp);
1595
0
            SCTP_INP_INFO_RUNLOCK();
1596
0
            return (stcb);
1597
0
          }
1598
0
          break;
1599
0
        }
1600
0
#endif
1601
0
#ifdef INET6
1602
0
        case AF_INET6:
1603
0
        {
1604
0
          struct sockaddr_in6 *sin6, *rsin6;
1605
1606
0
          sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
1607
0
          rsin6 = (struct sockaddr_in6 *)remote;
1608
0
          if (SCTP6_ARE_ADDR_EQUAL(sin6,
1609
0
              rsin6)) {
1610
            /* found it */
1611
0
            if (netp != NULL) {
1612
0
              *netp = net;
1613
0
            }
1614
0
            if (locked_tcb == NULL) {
1615
0
              SCTP_INP_DECR_REF(inp);
1616
0
            } else if (locked_tcb != stcb) {
1617
0
              SCTP_TCB_LOCK(locked_tcb);
1618
0
            }
1619
0
            if (locked_tcb) {
1620
0
              atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1621
0
            }
1622
0
            SCTP_INP_WUNLOCK(inp);
1623
0
            SCTP_INP_INFO_RUNLOCK();
1624
0
            return (stcb);
1625
0
          }
1626
0
          break;
1627
0
        }
1628
0
#endif
1629
0
#if defined(__Userspace__)
1630
9.22k
        case AF_CONN:
1631
9.22k
        {
1632
9.22k
          struct sockaddr_conn *sconn, *rsconn;
1633
1634
9.22k
          sconn = (struct sockaddr_conn *)&net->ro._l_addr;
1635
9.22k
          rsconn = (struct sockaddr_conn *)remote;
1636
9.22k
          if (sconn->sconn_addr == rsconn->sconn_addr) {
1637
            /* found it */
1638
9.22k
            if (netp != NULL) {
1639
9.22k
              *netp = net;
1640
9.22k
            }
1641
9.22k
            if (locked_tcb == NULL) {
1642
0
              SCTP_INP_DECR_REF(inp);
1643
9.22k
            } else if (locked_tcb != stcb) {
1644
0
              SCTP_TCB_LOCK(locked_tcb);
1645
0
            }
1646
9.22k
            if (locked_tcb) {
1647
9.22k
              atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1648
9.22k
            }
1649
9.22k
            SCTP_INP_WUNLOCK(inp);
1650
9.22k
            SCTP_INP_INFO_RUNLOCK();
1651
9.22k
            return (stcb);
1652
9.22k
          }
1653
0
          break;
1654
9.22k
        }
1655
0
#endif
1656
0
        default:
1657
          /* TSNH */
1658
0
          break;
1659
9.22k
        }
1660
9.22k
      }
1661
0
      SCTP_TCB_UNLOCK(stcb);
1662
0
    }
1663
20.8k
  } else {
1664
0
    SCTP_INP_WLOCK(inp);
1665
0
    if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
1666
0
      goto null_return;
1667
0
    }
1668
0
    head = &inp->sctp_tcbhash[SCTP_PCBHASH_ALLADDR(rport,
1669
0
                                                   inp->sctp_hashmark)];
1670
0
    LIST_FOREACH(stcb, head, sctp_tcbhash) {
1671
0
      if (stcb->rport != rport) {
1672
        /* remote port does not match */
1673
0
        continue;
1674
0
      }
1675
0
      SCTP_TCB_LOCK(stcb);
1676
0
      if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
1677
0
        SCTP_TCB_UNLOCK(stcb);
1678
0
        continue;
1679
0
      }
1680
0
      if (local && !sctp_does_stcb_own_this_addr(stcb, local)) {
1681
0
        SCTP_TCB_UNLOCK(stcb);
1682
0
        continue;
1683
0
      }
1684
      /* now look at the list of remote addresses */
1685
0
      TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
1686
0
#ifdef INVARIANTS
1687
0
        if (net == (TAILQ_NEXT(net, sctp_next))) {
1688
0
          panic("Corrupt net list");
1689
0
        }
1690
0
#endif
1691
0
        if (net->ro._l_addr.sa.sa_family !=
1692
0
            remote->sa_family) {
1693
          /* not the same family */
1694
0
          continue;
1695
0
        }
1696
0
        switch (remote->sa_family) {
1697
0
#ifdef INET
1698
0
        case AF_INET:
1699
0
        {
1700
0
          struct sockaddr_in *sin, *rsin;
1701
1702
0
          sin = (struct sockaddr_in *)
1703
0
              &net->ro._l_addr;
1704
0
          rsin = (struct sockaddr_in *)remote;
1705
0
          if (sin->sin_addr.s_addr ==
1706
0
              rsin->sin_addr.s_addr) {
1707
            /* found it */
1708
0
            if (netp != NULL) {
1709
0
              *netp = net;
1710
0
            }
1711
0
            if (locked_tcb == NULL) {
1712
0
              SCTP_INP_DECR_REF(inp);
1713
0
            } else if (locked_tcb != stcb) {
1714
0
              SCTP_TCB_LOCK(locked_tcb);
1715
0
            }
1716
0
            if (locked_tcb) {
1717
0
              atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1718
0
            }
1719
0
            SCTP_INP_WUNLOCK(inp);
1720
0
            SCTP_INP_INFO_RUNLOCK();
1721
0
            return (stcb);
1722
0
          }
1723
0
          break;
1724
0
        }
1725
0
#endif
1726
0
#ifdef INET6
1727
0
        case AF_INET6:
1728
0
        {
1729
0
          struct sockaddr_in6 *sin6, *rsin6;
1730
1731
0
          sin6 = (struct sockaddr_in6 *)
1732
0
              &net->ro._l_addr;
1733
0
          rsin6 = (struct sockaddr_in6 *)remote;
1734
0
          if (SCTP6_ARE_ADDR_EQUAL(sin6,
1735
0
              rsin6)) {
1736
            /* found it */
1737
0
            if (netp != NULL) {
1738
0
              *netp = net;
1739
0
            }
1740
0
            if (locked_tcb == NULL) {
1741
0
              SCTP_INP_DECR_REF(inp);
1742
0
            } else if (locked_tcb != stcb) {
1743
0
              SCTP_TCB_LOCK(locked_tcb);
1744
0
            }
1745
0
            if (locked_tcb) {
1746
0
              atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1747
0
            }
1748
0
            SCTP_INP_WUNLOCK(inp);
1749
0
            SCTP_INP_INFO_RUNLOCK();
1750
0
            return (stcb);
1751
0
          }
1752
0
          break;
1753
0
        }
1754
0
#endif
1755
0
#if defined(__Userspace__)
1756
0
        case AF_CONN:
1757
0
        {
1758
0
          struct sockaddr_conn *sconn, *rsconn;
1759
1760
0
          sconn = (struct sockaddr_conn *)&net->ro._l_addr;
1761
0
          rsconn = (struct sockaddr_conn *)remote;
1762
0
          if (sconn->sconn_addr == rsconn->sconn_addr) {
1763
            /* found it */
1764
0
            if (netp != NULL) {
1765
0
              *netp = net;
1766
0
            }
1767
0
            if (locked_tcb == NULL) {
1768
0
              SCTP_INP_DECR_REF(inp);
1769
0
            } else if (locked_tcb != stcb) {
1770
0
              SCTP_TCB_LOCK(locked_tcb);
1771
0
            }
1772
0
            if (locked_tcb) {
1773
0
              atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1774
0
            }
1775
0
            SCTP_INP_WUNLOCK(inp);
1776
0
            SCTP_INP_INFO_RUNLOCK();
1777
0
            return (stcb);
1778
0
          }
1779
0
          break;
1780
0
        }
1781
0
#endif
1782
0
        default:
1783
          /* TSNH */
1784
0
          break;
1785
0
        }
1786
0
      }
1787
0
      SCTP_TCB_UNLOCK(stcb);
1788
0
    }
1789
0
  }
1790
11.6k
null_return:
1791
  /* clean up for returning null */
1792
11.6k
  if (locked_tcb) {
1793
0
    SCTP_TCB_LOCK(locked_tcb);
1794
0
    atomic_subtract_int(&locked_tcb->asoc.refcnt, 1);
1795
0
  }
1796
11.6k
  SCTP_INP_WUNLOCK(inp);
1797
11.6k
  SCTP_INP_INFO_RUNLOCK();
1798
  /* not found */
1799
11.6k
  return (NULL);
1800
11.6k
}
1801
1802
/*
1803
 * Find an association for a specific endpoint using the association id given
1804
 * out in the COMM_UP notification
1805
 */
1806
struct sctp_tcb *
1807
sctp_findasoc_ep_asocid_locked(struct sctp_inpcb *inp, sctp_assoc_t asoc_id, int want_lock)
1808
11.6k
{
1809
  /*
1810
   * Use my the assoc_id to find a endpoint
1811
   */
1812
11.6k
  struct sctpasochead *head;
1813
11.6k
  struct sctp_tcb *stcb;
1814
11.6k
  uint32_t id;
1815
1816
11.6k
  if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
1817
0
    SCTP_PRINTF("TSNH ep_associd0\n");
1818
0
    return (NULL);
1819
0
  }
1820
11.6k
  id = (uint32_t)asoc_id;
1821
11.6k
  head = &inp->sctp_asocidhash[SCTP_PCBHASH_ASOC(id, inp->hashasocidmark)];
1822
11.6k
  if (head == NULL) {
1823
    /* invalid id TSNH */
1824
0
    SCTP_PRINTF("TSNH ep_associd1\n");
1825
0
    return (NULL);
1826
0
  }
1827
11.6k
  LIST_FOREACH(stcb, head, sctp_tcbasocidhash) {
1828
0
    if (stcb->asoc.assoc_id == id) {
1829
0
      if (inp != stcb->sctp_ep) {
1830
        /*
1831
         * some other guy has the same id active (id
1832
         * collision ??).
1833
         */
1834
0
        SCTP_PRINTF("TSNH ep_associd2\n");
1835
0
        continue;
1836
0
      }
1837
0
      if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
1838
0
        continue;
1839
0
      }
1840
0
      if (want_lock) {
1841
0
        SCTP_TCB_LOCK(stcb);
1842
0
      }
1843
0
      return (stcb);
1844
0
    }
1845
0
  }
1846
11.6k
  return (NULL);
1847
11.6k
}
1848
1849
struct sctp_tcb *
1850
sctp_findassociation_ep_asocid(struct sctp_inpcb *inp, sctp_assoc_t asoc_id, int want_lock)
1851
0
{
1852
0
  struct sctp_tcb *stcb;
1853
1854
0
  SCTP_INP_RLOCK(inp);
1855
0
  stcb = sctp_findasoc_ep_asocid_locked(inp, asoc_id, want_lock);
1856
0
  SCTP_INP_RUNLOCK(inp);
1857
0
  return (stcb);
1858
0
}
1859
1860
/*
1861
 * Endpoint probe expects that the INP_INFO is locked.
1862
 */
1863
static struct sctp_inpcb *
1864
sctp_endpoint_probe(struct sockaddr *nam, struct sctppcbhead *head,
1865
        uint16_t lport, uint32_t vrf_id)
1866
11.6k
{
1867
11.6k
  struct sctp_inpcb *inp;
1868
11.6k
  struct sctp_laddr *laddr;
1869
11.6k
#ifdef INET
1870
11.6k
  struct sockaddr_in *sin;
1871
11.6k
#endif
1872
11.6k
#ifdef INET6
1873
11.6k
  struct sockaddr_in6 *sin6;
1874
11.6k
  struct sockaddr_in6 *intf_addr6;
1875
11.6k
#endif
1876
11.6k
#if defined(__Userspace__)
1877
11.6k
  struct sockaddr_conn *sconn;
1878
11.6k
#endif
1879
#ifdef SCTP_MVRF
1880
  int i;
1881
#endif
1882
11.6k
  int  fnd;
1883
1884
11.6k
#ifdef INET
1885
11.6k
  sin = NULL;
1886
11.6k
#endif
1887
11.6k
#ifdef INET6
1888
11.6k
  sin6 = NULL;
1889
11.6k
#endif
1890
11.6k
#if defined(__Userspace__)
1891
11.6k
  sconn = NULL;
1892
11.6k
#endif
1893
11.6k
  switch (nam->sa_family) {
1894
0
#ifdef INET
1895
0
  case AF_INET:
1896
0
    sin = (struct sockaddr_in *)nam;
1897
0
    break;
1898
0
#endif
1899
0
#ifdef INET6
1900
0
  case AF_INET6:
1901
0
    sin6 = (struct sockaddr_in6 *)nam;
1902
0
    break;
1903
0
#endif
1904
0
#if defined(__Userspace__)
1905
11.6k
  case AF_CONN:
1906
11.6k
    sconn = (struct sockaddr_conn *)nam;
1907
11.6k
    break;
1908
0
#endif
1909
0
  default:
1910
    /* unsupported family */
1911
0
    return (NULL);
1912
11.6k
  }
1913
1914
11.6k
  if (head == NULL)
1915
0
    return (NULL);
1916
1917
11.6k
  LIST_FOREACH(inp, head, sctp_hash) {
1918
0
    SCTP_INP_RLOCK(inp);
1919
0
    if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
1920
0
      SCTP_INP_RUNLOCK(inp);
1921
0
      continue;
1922
0
    }
1923
0
    if ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) &&
1924
0
        (inp->sctp_lport == lport)) {
1925
      /* got it */
1926
0
      switch (nam->sa_family) {
1927
0
#ifdef INET
1928
0
      case AF_INET:
1929
0
        if ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) &&
1930
0
            SCTP_IPV6_V6ONLY(inp)) {
1931
          /* IPv4 on a IPv6 socket with ONLY IPv6 set */
1932
0
          SCTP_INP_RUNLOCK(inp);
1933
0
          continue;
1934
0
        }
1935
#if defined(__FreeBSD__) && !defined(__Userspace__)
1936
        if (prison_check_ip4(inp->ip_inp.inp.inp_cred,
1937
                             &sin->sin_addr) != 0) {
1938
          SCTP_INP_RUNLOCK(inp);
1939
          continue;
1940
        }
1941
#endif
1942
0
        break;
1943
0
#endif
1944
0
#ifdef INET6
1945
0
      case AF_INET6:
1946
        /* A V6 address and the endpoint is NOT bound V6 */
1947
0
        if ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) {
1948
0
          SCTP_INP_RUNLOCK(inp);
1949
0
          continue;
1950
0
        }
1951
#if defined(__FreeBSD__) && !defined(__Userspace__)
1952
        if (prison_check_ip6(inp->ip_inp.inp.inp_cred,
1953
                             &sin6->sin6_addr) != 0) {
1954
          SCTP_INP_RUNLOCK(inp);
1955
          continue;
1956
        }
1957
#endif
1958
0
        break;
1959
0
#endif
1960
0
      default:
1961
0
        break;
1962
0
      }
1963
      /* does a VRF id match? */
1964
0
      fnd = 0;
1965
#ifdef SCTP_MVRF
1966
      for (i = 0; i < inp->num_vrfs; i++) {
1967
        if (inp->m_vrf_ids[i] == vrf_id) {
1968
          fnd = 1;
1969
          break;
1970
        }
1971
      }
1972
#else
1973
0
      if (inp->def_vrf_id == vrf_id)
1974
0
        fnd = 1;
1975
0
#endif
1976
1977
0
      SCTP_INP_RUNLOCK(inp);
1978
0
      if (!fnd)
1979
0
        continue;
1980
0
      return (inp);
1981
0
    }
1982
0
    SCTP_INP_RUNLOCK(inp);
1983
0
  }
1984
11.6k
  switch (nam->sa_family) {
1985
0
#ifdef INET
1986
0
  case AF_INET:
1987
0
    if (sin->sin_addr.s_addr == INADDR_ANY) {
1988
      /* Can't hunt for one that has no address specified */
1989
0
      return (NULL);
1990
0
    }
1991
0
    break;
1992
0
#endif
1993
0
#ifdef INET6
1994
0
  case AF_INET6:
1995
0
    if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1996
      /* Can't hunt for one that has no address specified */
1997
0
      return (NULL);
1998
0
    }
1999
0
    break;
2000
0
#endif
2001
0
#if defined(__Userspace__)
2002
11.6k
  case AF_CONN:
2003
11.6k
    if (sconn->sconn_addr == NULL) {
2004
0
      return (NULL);
2005
0
    }
2006
11.6k
    break;
2007
11.6k
#endif
2008
11.6k
  default:
2009
0
    break;
2010
11.6k
  }
2011
  /*
2012
   * ok, not bound to all so see if we can find a EP bound to this
2013
   * address.
2014
   */
2015
11.6k
  LIST_FOREACH(inp, head, sctp_hash) {
2016
0
    SCTP_INP_RLOCK(inp);
2017
0
    if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
2018
0
      SCTP_INP_RUNLOCK(inp);
2019
0
      continue;
2020
0
    }
2021
0
    if ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL)) {
2022
0
      SCTP_INP_RUNLOCK(inp);
2023
0
      continue;
2024
0
    }
2025
    /*
2026
     * Ok this could be a likely candidate, look at all of its
2027
     * addresses
2028
     */
2029
0
    if (inp->sctp_lport != lport) {
2030
0
      SCTP_INP_RUNLOCK(inp);
2031
0
      continue;
2032
0
    }
2033
    /* does a VRF id match? */
2034
0
    fnd = 0;
2035
#ifdef SCTP_MVRF
2036
    for (i = 0; i < inp->num_vrfs; i++) {
2037
      if (inp->m_vrf_ids[i] == vrf_id) {
2038
        fnd = 1;
2039
        break;
2040
      }
2041
    }
2042
#else
2043
0
    if (inp->def_vrf_id == vrf_id)
2044
0
      fnd = 1;
2045
2046
0
#endif
2047
0
    if (!fnd) {
2048
0
      SCTP_INP_RUNLOCK(inp);
2049
0
      continue;
2050
0
    }
2051
0
    LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2052
0
      if (laddr->ifa == NULL) {
2053
0
        SCTPDBG(SCTP_DEBUG_PCB1, "%s: NULL ifa\n",
2054
0
          __func__);
2055
0
        continue;
2056
0
      }
2057
0
      SCTPDBG(SCTP_DEBUG_PCB1, "Ok laddr->ifa:%p is possible, ",
2058
0
        (void *)laddr->ifa);
2059
0
      if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
2060
0
        SCTPDBG(SCTP_DEBUG_PCB1, "Huh IFA being deleted\n");
2061
0
        continue;
2062
0
      }
2063
0
      if (laddr->ifa->address.sa.sa_family == nam->sa_family) {
2064
        /* possible, see if it matches */
2065
0
        switch (nam->sa_family) {
2066
0
#ifdef INET
2067
0
        case AF_INET:
2068
#if defined(__APPLE__) && !defined(__Userspace__)
2069
          if (sin == NULL) {
2070
            /* TSNH */
2071
            break;
2072
          }
2073
#endif
2074
0
          if (sin->sin_addr.s_addr ==
2075
0
              laddr->ifa->address.sin.sin_addr.s_addr) {
2076
0
            SCTP_INP_RUNLOCK(inp);
2077
0
            return (inp);
2078
0
          }
2079
0
          break;
2080
0
#endif
2081
0
#ifdef INET6
2082
0
        case AF_INET6:
2083
0
          intf_addr6 = &laddr->ifa->address.sin6;
2084
0
          if (SCTP6_ARE_ADDR_EQUAL(sin6,
2085
0
              intf_addr6)) {
2086
0
            SCTP_INP_RUNLOCK(inp);
2087
0
            return (inp);
2088
0
          }
2089
0
          break;
2090
0
#endif
2091
0
#if defined(__Userspace__)
2092
0
        case AF_CONN:
2093
0
          if (sconn->sconn_addr == laddr->ifa->address.sconn.sconn_addr) {
2094
0
            SCTP_INP_RUNLOCK(inp);
2095
0
            return (inp);
2096
0
          }
2097
0
          break;
2098
0
#endif
2099
0
        }
2100
0
      }
2101
0
    }
2102
0
    SCTP_INP_RUNLOCK(inp);
2103
0
  }
2104
11.6k
  return (NULL);
2105
11.6k
}
2106
2107
static struct sctp_inpcb *
2108
sctp_isport_inuse(struct sctp_inpcb *inp, uint16_t lport, uint32_t vrf_id)
2109
0
{
2110
0
  struct sctppcbhead *head;
2111
0
  struct sctp_inpcb *t_inp;
2112
#ifdef SCTP_MVRF
2113
  int i;
2114
#endif
2115
0
  int fnd;
2116
2117
0
  head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(lport,
2118
0
      SCTP_BASE_INFO(hashmark))];
2119
0
  LIST_FOREACH(t_inp, head, sctp_hash) {
2120
0
    if (t_inp->sctp_lport != lport) {
2121
0
      continue;
2122
0
    }
2123
    /* is it in the VRF in question */
2124
0
    fnd = 0;
2125
#ifdef SCTP_MVRF
2126
    for (i = 0; i < inp->num_vrfs; i++) {
2127
      if (t_inp->m_vrf_ids[i] == vrf_id) {
2128
        fnd = 1;
2129
        break;
2130
      }
2131
    }
2132
#else
2133
0
    if (t_inp->def_vrf_id == vrf_id)
2134
0
      fnd = 1;
2135
0
#endif
2136
0
    if (!fnd)
2137
0
      continue;
2138
2139
    /* This one is in use. */
2140
    /* check the v6/v4 binding issue */
2141
0
    if ((t_inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) &&
2142
0
        SCTP_IPV6_V6ONLY(t_inp)) {
2143
0
      if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
2144
        /* collision in V6 space */
2145
0
        return (t_inp);
2146
0
      } else {
2147
        /* inp is BOUND_V4 no conflict */
2148
0
        continue;
2149
0
      }
2150
0
    } else if (t_inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
2151
      /* t_inp is bound v4 and v6, conflict always */
2152
0
      return (t_inp);
2153
0
    } else {
2154
      /* t_inp is bound only V4 */
2155
0
      if ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) &&
2156
0
          SCTP_IPV6_V6ONLY(inp)) {
2157
        /* no conflict */
2158
0
        continue;
2159
0
      }
2160
      /* else fall through to conflict */
2161
0
    }
2162
0
    return (t_inp);
2163
0
  }
2164
0
  return (NULL);
2165
0
}
2166
2167
int
2168
sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp)
2169
0
{
2170
  /* For 1-2-1 with port reuse */
2171
0
  struct sctppcbhead *head;
2172
0
  struct sctp_inpcb *tinp, *ninp;
2173
2174
0
  SCTP_INP_INFO_WLOCK_ASSERT();
2175
0
  SCTP_INP_WLOCK_ASSERT(inp);
2176
2177
0
  if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_PORTREUSE)) {
2178
    /* only works with port reuse on */
2179
0
    return (-1);
2180
0
  }
2181
0
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL) == 0) {
2182
0
    return (0);
2183
0
  }
2184
0
  SCTP_INP_WUNLOCK(inp);
2185
0
  head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(inp->sctp_lport,
2186
0
                                      SCTP_BASE_INFO(hashmark))];
2187
  /* Kick out all non-listeners to the TCP hash */
2188
0
  LIST_FOREACH_SAFE(tinp, head, sctp_hash, ninp) {
2189
0
    if (tinp->sctp_lport != inp->sctp_lport) {
2190
0
      continue;
2191
0
    }
2192
0
    if (tinp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
2193
0
      continue;
2194
0
    }
2195
0
    if (tinp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
2196
0
      continue;
2197
0
    }
2198
0
    if (SCTP_IS_LISTENING(tinp)) {
2199
0
      continue;
2200
0
    }
2201
0
    SCTP_INP_WLOCK(tinp);
2202
0
    LIST_REMOVE(tinp, sctp_hash);
2203
0
    head = &SCTP_BASE_INFO(sctp_tcpephash)[SCTP_PCBHASH_ALLADDR(tinp->sctp_lport, SCTP_BASE_INFO(hashtcpmark))];
2204
0
    tinp->sctp_flags |= SCTP_PCB_FLAGS_IN_TCPPOOL;
2205
0
    LIST_INSERT_HEAD(head, tinp, sctp_hash);
2206
0
    SCTP_INP_WUNLOCK(tinp);
2207
0
  }
2208
0
  SCTP_INP_WLOCK(inp);
2209
  /* Pull from where he was */
2210
0
  LIST_REMOVE(inp, sctp_hash);
2211
0
  inp->sctp_flags &= ~SCTP_PCB_FLAGS_IN_TCPPOOL;
2212
0
  head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(inp->sctp_lport, SCTP_BASE_INFO(hashmark))];
2213
0
  LIST_INSERT_HEAD(head, inp, sctp_hash);
2214
0
  return (0);
2215
0
}
2216
2217
struct sctp_inpcb *
2218
sctp_pcb_findep(struct sockaddr *nam, int find_tcp_pool, int have_lock,
2219
    uint32_t vrf_id)
2220
11.6k
{
2221
  /*
2222
   * First we check the hash table to see if someone has this port
2223
   * bound with just the port.
2224
   */
2225
11.6k
  struct sctp_inpcb *inp;
2226
11.6k
  struct sctppcbhead *head;
2227
11.6k
  int lport;
2228
11.6k
  unsigned int i;
2229
11.6k
#ifdef INET
2230
11.6k
  struct sockaddr_in *sin;
2231
11.6k
#endif
2232
11.6k
#ifdef INET6
2233
11.6k
  struct sockaddr_in6 *sin6;
2234
11.6k
#endif
2235
11.6k
#if defined(__Userspace__)
2236
11.6k
  struct sockaddr_conn *sconn;
2237
11.6k
#endif
2238
2239
11.6k
  switch (nam->sa_family) {
2240
0
#ifdef INET
2241
0
  case AF_INET:
2242
0
    sin = (struct sockaddr_in *)nam;
2243
0
    lport = sin->sin_port;
2244
0
    break;
2245
0
#endif
2246
0
#ifdef INET6
2247
0
  case AF_INET6:
2248
0
    sin6 = (struct sockaddr_in6 *)nam;
2249
0
    lport = sin6->sin6_port;
2250
0
    break;
2251
0
#endif
2252
0
#if defined(__Userspace__)
2253
11.6k
  case AF_CONN:
2254
11.6k
    sconn = (struct sockaddr_conn *)nam;
2255
11.6k
    lport = sconn->sconn_port;
2256
11.6k
    break;
2257
0
#endif
2258
0
  default:
2259
0
    return (NULL);
2260
11.6k
  }
2261
  /*
2262
   * I could cheat here and just cast to one of the types but we will
2263
   * do it right. It also provides the check against an Unsupported
2264
   * type too.
2265
   */
2266
  /* Find the head of the ALLADDR chain */
2267
11.6k
  if (have_lock == 0) {
2268
0
    SCTP_INP_INFO_RLOCK();
2269
0
  }
2270
11.6k
  head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(lport,
2271
11.6k
      SCTP_BASE_INFO(hashmark))];
2272
11.6k
  inp = sctp_endpoint_probe(nam, head, lport, vrf_id);
2273
2274
  /*
2275
   * If the TCP model exists it could be that the main listening
2276
   * endpoint is gone but there still exists a connected socket for this
2277
   * guy. If so we can return the first one that we find. This may NOT
2278
   * be the correct one so the caller should be wary on the returned INP.
2279
   * Currently the only caller that sets find_tcp_pool is in bindx where
2280
   * we are verifying that a user CAN bind the address. He either
2281
   * has bound it already, or someone else has, or its open to bind,
2282
   * so this is good enough.
2283
   */
2284
11.6k
  if (inp == NULL && find_tcp_pool) {
2285
0
    for (i = 0; i < SCTP_BASE_INFO(hashtcpmark) + 1; i++) {
2286
0
      head = &SCTP_BASE_INFO(sctp_tcpephash)[i];
2287
0
      inp = sctp_endpoint_probe(nam, head, lport, vrf_id);
2288
0
      if (inp) {
2289
0
        break;
2290
0
      }
2291
0
    }
2292
0
  }
2293
11.6k
  if (inp) {
2294
0
    SCTP_INP_INCR_REF(inp);
2295
0
  }
2296
11.6k
  if (have_lock == 0) {
2297
0
    SCTP_INP_INFO_RUNLOCK();
2298
0
  }
2299
11.6k
  return (inp);
2300
11.6k
}
2301
2302
/*
2303
 * Find an association for an endpoint with the pointer to whom you want to
2304
 * send to and the endpoint pointer. The address can be IPv4 or IPv6. We may
2305
 * need to change the *to to some other struct like a mbuf...
2306
 */
2307
struct sctp_tcb *
2308
sctp_findassociation_addr_sa(struct sockaddr *from, struct sockaddr *to,
2309
    struct sctp_inpcb **inp_p, struct sctp_nets **netp, int find_tcp_pool,
2310
    uint32_t vrf_id)
2311
0
{
2312
0
  struct sctp_inpcb *inp = NULL;
2313
0
  struct sctp_tcb *stcb;
2314
2315
0
  SCTP_INP_INFO_RLOCK();
2316
0
  if (find_tcp_pool) {
2317
0
    if (inp_p != NULL) {
2318
0
      stcb = sctp_tcb_special_locate(inp_p, from, to, netp,
2319
0
                                     vrf_id);
2320
0
    } else {
2321
0
      stcb = sctp_tcb_special_locate(&inp, from, to, netp,
2322
0
                                     vrf_id);
2323
0
    }
2324
0
    if (stcb != NULL) {
2325
0
      SCTP_INP_INFO_RUNLOCK();
2326
0
      return (stcb);
2327
0
    }
2328
0
  }
2329
0
  inp = sctp_pcb_findep(to, 0, 1, vrf_id);
2330
0
  if (inp_p != NULL) {
2331
0
    *inp_p = inp;
2332
0
  }
2333
0
  SCTP_INP_INFO_RUNLOCK();
2334
0
  if (inp == NULL) {
2335
0
    return (NULL);
2336
0
  }
2337
  /*
2338
   * ok, we have an endpoint, now lets find the assoc for it (if any)
2339
   * we now place the source address or from in the to of the find
2340
   * endpoint call. Since in reality this chain is used from the
2341
   * inbound packet side.
2342
   */
2343
0
  if (inp_p != NULL) {
2344
0
    stcb = sctp_findassociation_ep_addr(inp_p, from, netp, to,
2345
0
                                        NULL);
2346
0
  } else {
2347
0
    stcb = sctp_findassociation_ep_addr(&inp, from, netp, to,
2348
0
                                        NULL);
2349
0
  }
2350
0
  return (stcb);
2351
0
}
2352
2353
/*
2354
 * This routine will grub through the mbuf that is a INIT or INIT-ACK and
2355
 * find all addresses that the sender has specified in any address list. Each
2356
 * address will be used to lookup the TCB and see if one exits.
2357
 */
2358
static struct sctp_tcb *
2359
sctp_findassociation_special_addr(struct mbuf *m, int offset,
2360
    struct sctphdr *sh, struct sctp_inpcb **inp_p, struct sctp_nets **netp,
2361
    struct sockaddr *dst)
2362
0
{
2363
0
  struct sctp_paramhdr *phdr, param_buf;
2364
0
#if defined(INET) || defined(INET6)
2365
0
  struct sctp_tcb *stcb;
2366
0
  uint16_t ptype;
2367
0
#endif
2368
0
  uint16_t plen;
2369
0
#ifdef INET
2370
0
  struct sockaddr_in sin4;
2371
0
#endif
2372
0
#ifdef INET6
2373
0
  struct sockaddr_in6 sin6;
2374
0
#endif
2375
2376
0
#ifdef INET
2377
0
  memset(&sin4, 0, sizeof(sin4));
2378
#ifdef HAVE_SIN_LEN
2379
  sin4.sin_len = sizeof(sin4);
2380
#endif
2381
0
  sin4.sin_family = AF_INET;
2382
0
  sin4.sin_port = sh->src_port;
2383
0
#endif
2384
0
#ifdef INET6
2385
0
  memset(&sin6, 0, sizeof(sin6));
2386
#ifdef HAVE_SIN6_LEN
2387
  sin6.sin6_len = sizeof(sin6);
2388
#endif
2389
0
  sin6.sin6_family = AF_INET6;
2390
0
  sin6.sin6_port = sh->src_port;
2391
0
#endif
2392
2393
0
  offset += sizeof(struct sctp_init_chunk);
2394
2395
0
  phdr = sctp_get_next_param(m, offset, &param_buf, sizeof(param_buf));
2396
0
  while (phdr != NULL) {
2397
    /* now we must see if we want the parameter */
2398
0
#if defined(INET) || defined(INET6)
2399
0
    ptype = ntohs(phdr->param_type);
2400
0
#endif
2401
0
    plen = ntohs(phdr->param_length);
2402
0
    if (plen == 0) {
2403
0
      break;
2404
0
    }
2405
0
#ifdef INET
2406
0
    if (ptype == SCTP_IPV4_ADDRESS &&
2407
0
        plen == sizeof(struct sctp_ipv4addr_param)) {
2408
      /* Get the rest of the address */
2409
0
      struct sctp_ipv4addr_param ip4_param, *p4;
2410
2411
0
      phdr = sctp_get_next_param(m, offset,
2412
0
          (struct sctp_paramhdr *)&ip4_param, sizeof(ip4_param));
2413
0
      if (phdr == NULL) {
2414
0
        return (NULL);
2415
0
      }
2416
0
      p4 = (struct sctp_ipv4addr_param *)phdr;
2417
0
      memcpy(&sin4.sin_addr, &p4->addr, sizeof(p4->addr));
2418
      /* look it up */
2419
0
      stcb = sctp_findassociation_ep_addr(inp_p,
2420
0
          (struct sockaddr *)&sin4, netp, dst, NULL);
2421
0
      if (stcb != NULL) {
2422
0
        return (stcb);
2423
0
      }
2424
0
    }
2425
0
#endif
2426
0
#ifdef INET6
2427
0
    if (ptype == SCTP_IPV6_ADDRESS &&
2428
0
        plen == sizeof(struct sctp_ipv6addr_param)) {
2429
      /* Get the rest of the address */
2430
0
      struct sctp_ipv6addr_param ip6_param, *p6;
2431
2432
0
      phdr = sctp_get_next_param(m, offset,
2433
0
          (struct sctp_paramhdr *)&ip6_param, sizeof(ip6_param));
2434
0
      if (phdr == NULL) {
2435
0
        return (NULL);
2436
0
      }
2437
0
      p6 = (struct sctp_ipv6addr_param *)phdr;
2438
0
      memcpy(&sin6.sin6_addr, &p6->addr, sizeof(p6->addr));
2439
      /* look it up */
2440
0
      stcb = sctp_findassociation_ep_addr(inp_p,
2441
0
          (struct sockaddr *)&sin6, netp, dst, NULL);
2442
0
      if (stcb != NULL) {
2443
0
        return (stcb);
2444
0
      }
2445
0
    }
2446
0
#endif
2447
0
    offset += SCTP_SIZE32(plen);
2448
0
    phdr = sctp_get_next_param(m, offset, &param_buf,
2449
0
             sizeof(param_buf));
2450
0
  }
2451
0
  return (NULL);
2452
0
}
2453
2454
static struct sctp_tcb *
2455
sctp_findassoc_by_vtag(struct sockaddr *from, struct sockaddr *to, uint32_t vtag,
2456
           struct sctp_inpcb **inp_p, struct sctp_nets **netp, uint16_t rport,
2457
           uint16_t lport, int skip_src_check, uint32_t vrf_id, uint32_t remote_tag)
2458
28.4k
{
2459
  /*
2460
   * Use my vtag to hash. If we find it we then verify the source addr
2461
   * is in the assoc. If all goes well we save a bit on rec of a
2462
   * packet.
2463
   */
2464
28.4k
  struct sctpasochead *head;
2465
28.4k
  struct sctp_nets *net;
2466
28.4k
  struct sctp_tcb *stcb;
2467
#ifdef SCTP_MVRF
2468
  unsigned int i;
2469
#endif
2470
2471
28.4k
  SCTP_INP_INFO_RLOCK();
2472
28.4k
  head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(vtag,
2473
28.4k
                                                          SCTP_BASE_INFO(hashasocmark))];
2474
28.4k
  LIST_FOREACH(stcb, head, sctp_asocs) {
2475
28.4k
    SCTP_INP_RLOCK(stcb->sctp_ep);
2476
28.4k
    if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
2477
0
      SCTP_INP_RUNLOCK(stcb->sctp_ep);
2478
0
      continue;
2479
0
    }
2480
#ifdef SCTP_MVRF
2481
    for (i = 0; i < stcb->sctp_ep->num_vrfs; i++) {
2482
      if (stcb->sctp_ep->m_vrf_ids[i] == vrf_id) {
2483
        break;
2484
      }
2485
    }
2486
    if (i == stcb->sctp_ep->num_vrfs) {
2487
      SCTP_INP_RUNLOCK(inp);
2488
      continue;
2489
    }
2490
#else
2491
28.4k
    if (stcb->sctp_ep->def_vrf_id != vrf_id) {
2492
0
      SCTP_INP_RUNLOCK(stcb->sctp_ep);
2493
0
      continue;
2494
0
    }
2495
28.4k
#endif
2496
28.4k
    SCTP_TCB_LOCK(stcb);
2497
28.4k
    SCTP_INP_RUNLOCK(stcb->sctp_ep);
2498
28.4k
    if (stcb->asoc.my_vtag == vtag) {
2499
      /* candidate */
2500
28.4k
      if (stcb->rport != rport) {
2501
0
        SCTP_TCB_UNLOCK(stcb);
2502
0
        continue;
2503
0
      }
2504
28.4k
      if (stcb->sctp_ep->sctp_lport != lport) {
2505
0
        SCTP_TCB_UNLOCK(stcb);
2506
0
        continue;
2507
0
      }
2508
28.4k
      if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
2509
0
        SCTP_TCB_UNLOCK(stcb);
2510
0
        continue;
2511
0
      }
2512
      /* RRS:Need toaddr check here */
2513
28.4k
      if (sctp_does_stcb_own_this_addr(stcb, to) == 0) {
2514
              /* Endpoint does not own this address */
2515
0
        SCTP_TCB_UNLOCK(stcb);
2516
0
        continue;
2517
0
      }
2518
28.4k
      if (remote_tag) {
2519
        /* If we have both vtags that's all we match on */
2520
0
        if (stcb->asoc.peer_vtag == remote_tag) {
2521
          /* If both tags match we consider it conclusive
2522
           * and check NO source/destination addresses
2523
           */
2524
0
          goto conclusive;
2525
0
        }
2526
0
      }
2527
28.4k
      if (skip_src_check) {
2528
0
      conclusive:
2529
0
              if (from) {
2530
0
          *netp = sctp_findnet(stcb, from);
2531
0
        } else {
2532
0
          *netp = NULL; /* unknown */
2533
0
        }
2534
0
        if (inp_p)
2535
0
          *inp_p = stcb->sctp_ep;
2536
0
        SCTP_INP_INFO_RUNLOCK();
2537
0
        return (stcb);
2538
0
      }
2539
28.4k
      net = sctp_findnet(stcb, from);
2540
28.4k
      if (net) {
2541
        /* yep its him. */
2542
28.4k
        *netp = net;
2543
28.4k
        SCTP_STAT_INCR(sctps_vtagexpress);
2544
28.4k
        *inp_p = stcb->sctp_ep;
2545
28.4k
        SCTP_INP_INFO_RUNLOCK();
2546
28.4k
        return (stcb);
2547
28.4k
      } else {
2548
        /*
2549
         * not him, this should only happen in rare
2550
         * cases so I peg it.
2551
         */
2552
0
        SCTP_STAT_INCR(sctps_vtagbogus);
2553
0
      }
2554
28.4k
    }
2555
0
    SCTP_TCB_UNLOCK(stcb);
2556
0
  }
2557
0
  SCTP_INP_INFO_RUNLOCK();
2558
0
  return (NULL);
2559
0
}
2560
2561
/*
2562
 * Find an association with the pointer to the inbound IP packet. This can be
2563
 * a IPv4 or IPv6 packet.
2564
 */
2565
struct sctp_tcb *
2566
sctp_findassociation_addr(struct mbuf *m, int offset,
2567
    struct sockaddr *src, struct sockaddr *dst,
2568
    struct sctphdr *sh, struct sctp_chunkhdr *ch,
2569
    struct sctp_inpcb **inp_p, struct sctp_nets **netp, uint32_t vrf_id)
2570
28.4k
{
2571
28.4k
  struct sctp_tcb *stcb;
2572
28.4k
  struct sctp_inpcb *inp;
2573
2574
28.4k
  if (sh->v_tag) {
2575
    /* we only go down this path if vtag is non-zero */
2576
28.4k
    stcb = sctp_findassoc_by_vtag(src, dst, ntohl(sh->v_tag),
2577
28.4k
                                  inp_p, netp, sh->src_port, sh->dest_port, 0, vrf_id, 0);
2578
28.4k
    if (stcb) {
2579
28.4k
      return (stcb);
2580
28.4k
    }
2581
28.4k
  }
2582
2583
0
  if (inp_p) {
2584
0
    stcb = sctp_findassociation_addr_sa(src, dst, inp_p, netp,
2585
0
                                        1, vrf_id);
2586
0
    inp = *inp_p;
2587
0
  } else {
2588
0
    stcb = sctp_findassociation_addr_sa(src, dst, &inp, netp,
2589
0
                                        1, vrf_id);
2590
0
  }
2591
0
  SCTPDBG(SCTP_DEBUG_PCB1, "stcb:%p inp:%p\n", (void *)stcb, (void *)inp);
2592
0
  if (stcb == NULL && inp) {
2593
    /* Found a EP but not this address */
2594
0
    if ((ch->chunk_type == SCTP_INITIATION) ||
2595
0
        (ch->chunk_type == SCTP_INITIATION_ACK)) {
2596
      /*-
2597
       * special hook, we do NOT return linp or an
2598
       * association that is linked to an existing
2599
       * association that is under the TCP pool (i.e. no
2600
       * listener exists). The endpoint finding routine
2601
       * will always find a listener before examining the
2602
       * TCP pool.
2603
       */
2604
0
      if (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL) {
2605
0
        if (inp_p) {
2606
0
          *inp_p = NULL;
2607
0
        }
2608
0
        return (NULL);
2609
0
      }
2610
0
      stcb = sctp_findassociation_special_addr(m,
2611
0
          offset, sh, &inp, netp, dst);
2612
0
      if (inp_p != NULL) {
2613
0
        *inp_p = inp;
2614
0
      }
2615
0
    }
2616
0
  }
2617
0
  SCTPDBG(SCTP_DEBUG_PCB1, "stcb is %p\n", (void *)stcb);
2618
0
  return (stcb);
2619
0
}
2620
2621
/*
2622
 * lookup an association by an ASCONF lookup address.
2623
 * if the lookup address is 0.0.0.0 or ::0, use the vtag to do the lookup
2624
 */
2625
struct sctp_tcb *
2626
sctp_findassociation_ep_asconf(struct mbuf *m, int offset,
2627
             struct sockaddr *dst, struct sctphdr *sh,
2628
                               struct sctp_inpcb **inp_p, struct sctp_nets **netp, uint32_t vrf_id)
2629
0
{
2630
0
  struct sctp_tcb *stcb;
2631
0
  union sctp_sockstore remote_store;
2632
0
  struct sctp_paramhdr param_buf, *phdr;
2633
0
  int ptype;
2634
0
  int zero_address = 0;
2635
0
#ifdef INET
2636
0
  struct sockaddr_in *sin;
2637
0
#endif
2638
0
#ifdef INET6
2639
0
  struct sockaddr_in6 *sin6;
2640
0
#endif
2641
2642
0
  memset(&remote_store, 0, sizeof(remote_store));
2643
0
  phdr = sctp_get_next_param(m, offset + sizeof(struct sctp_asconf_chunk),
2644
0
           &param_buf, sizeof(struct sctp_paramhdr));
2645
0
  if (phdr == NULL) {
2646
0
    SCTPDBG(SCTP_DEBUG_INPUT3, "%s: failed to get asconf lookup addr\n",
2647
0
      __func__);
2648
0
    return NULL;
2649
0
  }
2650
0
  ptype = (int)((uint32_t) ntohs(phdr->param_type));
2651
  /* get the correlation address */
2652
0
  switch (ptype) {
2653
0
#ifdef INET6
2654
0
  case SCTP_IPV6_ADDRESS:
2655
0
  {
2656
    /* ipv6 address param */
2657
0
    struct sctp_ipv6addr_param *p6, p6_buf;
2658
2659
0
    if (ntohs(phdr->param_length) != sizeof(struct sctp_ipv6addr_param)) {
2660
0
      return NULL;
2661
0
    }
2662
0
    p6 = (struct sctp_ipv6addr_param *)sctp_get_next_param(m,
2663
0
                       offset + sizeof(struct sctp_asconf_chunk),
2664
0
                       &p6_buf.ph, sizeof(p6_buf));
2665
0
    if (p6 == NULL) {
2666
0
      SCTPDBG(SCTP_DEBUG_INPUT3, "%s: failed to get asconf v6 lookup addr\n",
2667
0
        __func__);
2668
0
      return (NULL);
2669
0
    }
2670
0
    sin6 = &remote_store.sin6;
2671
0
    sin6->sin6_family = AF_INET6;
2672
#ifdef HAVE_SIN6_LEN
2673
    sin6->sin6_len = sizeof(*sin6);
2674
#endif
2675
0
    sin6->sin6_port = sh->src_port;
2676
0
    memcpy(&sin6->sin6_addr, &p6->addr, sizeof(struct in6_addr));
2677
0
    if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr))
2678
0
      zero_address = 1;
2679
0
    break;
2680
0
  }
2681
0
#endif
2682
0
#ifdef INET
2683
0
  case SCTP_IPV4_ADDRESS:
2684
0
  {
2685
    /* ipv4 address param */
2686
0
    struct sctp_ipv4addr_param *p4, p4_buf;
2687
2688
0
    if (ntohs(phdr->param_length) != sizeof(struct sctp_ipv4addr_param)) {
2689
0
      return NULL;
2690
0
    }
2691
0
    p4 = (struct sctp_ipv4addr_param *)sctp_get_next_param(m,
2692
0
                       offset + sizeof(struct sctp_asconf_chunk),
2693
0
                       &p4_buf.ph, sizeof(p4_buf));
2694
0
    if (p4 == NULL) {
2695
0
      SCTPDBG(SCTP_DEBUG_INPUT3, "%s: failed to get asconf v4 lookup addr\n",
2696
0
        __func__);
2697
0
      return (NULL);
2698
0
    }
2699
0
    sin = &remote_store.sin;
2700
0
    sin->sin_family = AF_INET;
2701
#ifdef HAVE_SIN_LEN
2702
    sin->sin_len = sizeof(*sin);
2703
#endif
2704
0
    sin->sin_port = sh->src_port;
2705
0
    memcpy(&sin->sin_addr, &p4->addr, sizeof(struct in_addr));
2706
0
    if (sin->sin_addr.s_addr == INADDR_ANY)
2707
0
      zero_address = 1;
2708
0
    break;
2709
0
  }
2710
0
#endif
2711
0
  default:
2712
    /* invalid address param type */
2713
0
    return NULL;
2714
0
  }
2715
2716
0
  if (zero_address) {
2717
0
          stcb = sctp_findassoc_by_vtag(NULL, dst, ntohl(sh->v_tag), inp_p,
2718
0
                netp, sh->src_port, sh->dest_port, 1, vrf_id, 0);
2719
0
    if (stcb != NULL) {
2720
0
      SCTP_INP_DECR_REF(*inp_p);
2721
0
    }
2722
0
  } else {
2723
0
    stcb = sctp_findassociation_ep_addr(inp_p,
2724
0
        &remote_store.sa, netp,
2725
0
        dst, NULL);
2726
0
  }
2727
0
  return (stcb);
2728
0
}
2729
2730
/*
2731
 * allocate a sctp_inpcb and setup a temporary binding to a port/all
2732
 * addresses. This way if we don't get a bind we by default pick a ephemeral
2733
 * port with all addresses bound.
2734
 */
2735
int
2736
sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
2737
11.6k
{
2738
  /*
2739
   * we get called when a new endpoint starts up. We need to allocate
2740
   * the sctp_inpcb structure from the zone and init it. Mark it as
2741
   * unbound and find a port that we can use as an ephemeral with
2742
   * INADDR_ANY. If the user binds later no problem we can then add in
2743
   * the specific addresses. And setup the default parameters for the
2744
   * EP.
2745
   */
2746
11.6k
  int i, error;
2747
11.6k
  struct sctp_inpcb *inp;
2748
11.6k
  struct sctp_pcb *m;
2749
11.6k
  struct timeval time;
2750
11.6k
  sctp_sharedkey_t *null_key;
2751
2752
11.6k
  error = 0;
2753
2754
11.6k
  SCTP_INP_INFO_WLOCK();
2755
11.6k
  inp = SCTP_ZONE_GET(SCTP_BASE_INFO(ipi_zone_ep), struct sctp_inpcb);
2756
11.6k
  if (inp == NULL) {
2757
0
    SCTP_PRINTF("Out of SCTP-INPCB structures - no resources\n");
2758
0
    SCTP_INP_INFO_WUNLOCK();
2759
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOBUFS);
2760
0
    return (ENOBUFS);
2761
0
  }
2762
  /* zap it */
2763
11.6k
  memset(inp, 0, sizeof(*inp));
2764
2765
  /* bump generations */
2766
#if defined(__APPLE__) && !defined(__Userspace__)
2767
  inp->ip_inp.inp.inp_state = INPCB_STATE_INUSE;
2768
#endif
2769
  /* setup socket pointers */
2770
11.6k
  inp->sctp_socket = so;
2771
11.6k
  inp->ip_inp.inp.inp_socket = so;
2772
#if defined(__FreeBSD__) && !defined(__Userspace__)
2773
  inp->ip_inp.inp.inp_cred = crhold(so->so_cred);
2774
#endif
2775
11.6k
#ifdef INET6
2776
#if !defined(__Userspace__) && !defined(_WIN32)
2777
  if (INP_SOCKAF(so) == AF_INET6) {
2778
    if (MODULE_GLOBAL(ip6_auto_flowlabel)) {
2779
      inp->ip_inp.inp.inp_flags |= IN6P_AUTOFLOWLABEL;
2780
    }
2781
    if (MODULE_GLOBAL(ip6_v6only)) {
2782
      inp->ip_inp.inp.inp_flags |= IN6P_IPV6_V6ONLY;
2783
    }
2784
  }
2785
#endif
2786
11.6k
#endif
2787
11.6k
  inp->sctp_associd_counter = 1;
2788
11.6k
  inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT;
2789
11.6k
  inp->sctp_frag_point = 0;
2790
11.6k
  inp->max_cwnd = 0;
2791
11.6k
  inp->sctp_cmt_on_off = SCTP_BASE_SYSCTL(sctp_cmt_on_off);
2792
11.6k
  inp->ecn_supported = (uint8_t)SCTP_BASE_SYSCTL(sctp_ecn_enable);
2793
11.6k
  inp->prsctp_supported = (uint8_t)SCTP_BASE_SYSCTL(sctp_pr_enable);
2794
11.6k
  inp->auth_supported = (uint8_t)SCTP_BASE_SYSCTL(sctp_auth_enable);
2795
11.6k
  inp->asconf_supported = (uint8_t)SCTP_BASE_SYSCTL(sctp_asconf_enable);
2796
11.6k
  inp->reconfig_supported = (uint8_t)SCTP_BASE_SYSCTL(sctp_reconfig_enable);
2797
11.6k
  inp->nrsack_supported = (uint8_t)SCTP_BASE_SYSCTL(sctp_nrsack_enable);
2798
11.6k
  inp->pktdrop_supported = (uint8_t)SCTP_BASE_SYSCTL(sctp_pktdrop_enable);
2799
11.6k
  inp->idata_supported = 0;
2800
2801
#if defined(__FreeBSD__) && !defined(__Userspace__)
2802
  inp->fibnum = so->so_fibnum;
2803
#else
2804
11.6k
  inp->fibnum = 0;
2805
11.6k
#endif
2806
11.6k
#if defined(__Userspace__)
2807
11.6k
  inp->ulp_info = NULL;
2808
11.6k
  inp->recv_callback = NULL;
2809
11.6k
  inp->send_callback = NULL;
2810
11.6k
  inp->send_sb_threshold = 0;
2811
11.6k
#endif
2812
  /* init the small hash table we use to track asocid <-> tcb */
2813
11.6k
  inp->sctp_asocidhash = SCTP_HASH_INIT(SCTP_STACK_VTAG_HASH_SIZE, &inp->hashasocidmark);
2814
11.6k
  if (inp->sctp_asocidhash == NULL) {
2815
#if defined(__FreeBSD__) && !defined(__Userspace__)
2816
    crfree(inp->ip_inp.inp.inp_cred);
2817
#endif
2818
0
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
2819
0
    SCTP_INP_INFO_WUNLOCK();
2820
0
    return (ENOBUFS);
2821
0
  }
2822
11.6k
  SCTP_INCR_EP_COUNT();
2823
11.6k
  inp->ip_inp.inp.inp_ip_ttl = MODULE_GLOBAL(ip_defttl);
2824
11.6k
  SCTP_INP_INFO_WUNLOCK();
2825
2826
11.6k
  so->so_pcb = (caddr_t)inp;
2827
2828
11.6k
  if (SCTP_SO_TYPE(so) == SOCK_SEQPACKET) {
2829
    /* UDP style socket */
2830
0
    inp->sctp_flags = (SCTP_PCB_FLAGS_UDPTYPE |
2831
0
        SCTP_PCB_FLAGS_UNBOUND);
2832
    /* Be sure it is NON-BLOCKING IO for UDP */
2833
    /* SCTP_SET_SO_NBIO(so); */
2834
11.6k
  } else if (SCTP_SO_TYPE(so) == SOCK_STREAM) {
2835
    /* TCP style socket */
2836
11.6k
    inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2837
11.6k
        SCTP_PCB_FLAGS_UNBOUND);
2838
    /* Be sure we have blocking IO by default */
2839
11.6k
    SOCK_LOCK(so);
2840
11.6k
    SCTP_CLEAR_SO_NBIO(so);
2841
11.6k
    SOCK_UNLOCK(so);
2842
11.6k
  } else {
2843
    /*
2844
     * unsupported socket type (RAW, etc)- in case we missed it
2845
     * in protosw
2846
     */
2847
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EOPNOTSUPP);
2848
0
    so->so_pcb = NULL;
2849
#if defined(__FreeBSD__) && !defined(__Userspace__)
2850
    crfree(inp->ip_inp.inp.inp_cred);
2851
#endif
2852
0
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
2853
0
    return (EOPNOTSUPP);
2854
0
  }
2855
11.6k
  if (SCTP_BASE_SYSCTL(sctp_default_frag_interleave) == SCTP_FRAG_LEVEL_1) {
2856
11.6k
    sctp_feature_on(inp, SCTP_PCB_FLAGS_FRAG_INTERLEAVE);
2857
11.6k
    sctp_feature_off(inp, SCTP_PCB_FLAGS_INTERLEAVE_STRMS);
2858
11.6k
  } else if (SCTP_BASE_SYSCTL(sctp_default_frag_interleave) == SCTP_FRAG_LEVEL_2) {
2859
0
    sctp_feature_on(inp, SCTP_PCB_FLAGS_FRAG_INTERLEAVE);
2860
0
    sctp_feature_on(inp, SCTP_PCB_FLAGS_INTERLEAVE_STRMS);
2861
0
  } else if (SCTP_BASE_SYSCTL(sctp_default_frag_interleave) == SCTP_FRAG_LEVEL_0) {
2862
0
    sctp_feature_off(inp, SCTP_PCB_FLAGS_FRAG_INTERLEAVE);
2863
0
    sctp_feature_off(inp, SCTP_PCB_FLAGS_INTERLEAVE_STRMS);
2864
0
  }
2865
11.6k
  inp->sctp_tcbhash = SCTP_HASH_INIT(SCTP_BASE_SYSCTL(sctp_pcbtblsize),
2866
11.6k
             &inp->sctp_hashmark);
2867
11.6k
  if (inp->sctp_tcbhash == NULL) {
2868
0
    SCTP_PRINTF("Out of SCTP-INPCB->hashinit - no resources\n");
2869
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOBUFS);
2870
0
    so->so_pcb = NULL;
2871
#if defined(__FreeBSD__) && !defined(__Userspace__)
2872
    crfree(inp->ip_inp.inp.inp_cred);
2873
#endif
2874
0
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
2875
0
    return (ENOBUFS);
2876
0
  }
2877
#ifdef SCTP_MVRF
2878
  inp->vrf_size = SCTP_DEFAULT_VRF_SIZE;
2879
  SCTP_MALLOC(inp->m_vrf_ids, uint32_t *,
2880
        (sizeof(uint32_t) * inp->vrf_size), SCTP_M_MVRF);
2881
  if (inp->m_vrf_ids == NULL) {
2882
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOBUFS);
2883
    so->so_pcb = NULL;
2884
    SCTP_HASH_FREE(inp->sctp_tcbhash, inp->sctp_hashmark);
2885
#if defined(__FreeBSD__) && !defined(__Userspace__)
2886
    crfree(inp->ip_inp.inp.inp_cred);
2887
#endif
2888
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
2889
    return (ENOBUFS);
2890
  }
2891
  inp->m_vrf_ids[0] = vrf_id;
2892
  inp->num_vrfs = 1;
2893
#endif
2894
11.6k
  inp->def_vrf_id = vrf_id;
2895
2896
#if defined(__APPLE__) && !defined(__Userspace__)
2897
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
2898
  inp->ip_inp.inp.inpcb_mtx = lck_mtx_alloc_init(SCTP_BASE_INFO(sctbinfo).mtx_grp, SCTP_BASE_INFO(sctbinfo).mtx_attr);
2899
  if (inp->ip_inp.inp.inpcb_mtx == NULL) {
2900
    SCTP_PRINTF("in_pcballoc: can't alloc mutex! so=%p\n", (void *)so);
2901
#ifdef SCTP_MVRF
2902
    SCTP_FREE(inp->m_vrf_ids, SCTP_M_MVRF);
2903
#endif
2904
    SCTP_HASH_FREE(inp->sctp_tcbhash, inp->sctp_hashmark);
2905
    so->so_pcb = NULL;
2906
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
2907
    SCTP_UNLOCK_EXC(SCTP_BASE_INFO(sctbinfo).ipi_lock);
2908
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOMEM);
2909
    return (ENOMEM);
2910
  }
2911
#elif defined(APPLE_LION) || defined(APPLE_MOUNTAINLION)
2912
  lck_mtx_init(&inp->ip_inp.inp.inpcb_mtx, SCTP_BASE_INFO(sctbinfo).mtx_grp, SCTP_BASE_INFO(sctbinfo).mtx_attr);
2913
#else
2914
  lck_mtx_init(&inp->ip_inp.inp.inpcb_mtx, SCTP_BASE_INFO(sctbinfo).ipi_lock_grp, SCTP_BASE_INFO(sctbinfo).ipi_lock_attr);
2915
#endif
2916
#endif
2917
11.6k
  SCTP_INP_INFO_WLOCK();
2918
11.6k
  SCTP_INP_LOCK_INIT(inp);
2919
#if defined(__FreeBSD__) && !defined(__Userspace__)
2920
  rw_init_flags(&inp->ip_inp.inp.inp_lock, "sctpinp",
2921
      RW_RECURSE | RW_DUPOK);
2922
#endif
2923
11.6k
  SCTP_INP_READ_INIT(inp);
2924
11.6k
  SCTP_ASOC_CREATE_LOCK_INIT(inp);
2925
  /* lock the new ep */
2926
11.6k
  SCTP_INP_WLOCK(inp);
2927
2928
  /* add it to the info area */
2929
11.6k
  LIST_INSERT_HEAD(&SCTP_BASE_INFO(listhead), inp, sctp_list);
2930
#if defined(__APPLE__) && !defined(__Userspace__)
2931
  inp->ip_inp.inp.inp_pcbinfo = &SCTP_BASE_INFO(sctbinfo);
2932
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD) || defined(APPLE_LION) || defined(APPLE_MOUNTAINLION)
2933
  LIST_INSERT_HEAD(SCTP_BASE_INFO(sctbinfo).listhead, &inp->ip_inp.inp, inp_list);
2934
#else
2935
  LIST_INSERT_HEAD(SCTP_BASE_INFO(sctbinfo).ipi_listhead, &inp->ip_inp.inp, inp_list);
2936
#endif
2937
#endif
2938
11.6k
  SCTP_INP_INFO_WUNLOCK();
2939
2940
11.6k
  TAILQ_INIT(&inp->read_queue);
2941
11.6k
  LIST_INIT(&inp->sctp_addr_list);
2942
2943
11.6k
  LIST_INIT(&inp->sctp_asoc_list);
2944
2945
#ifdef SCTP_TRACK_FREED_ASOCS
2946
  /* TEMP CODE */
2947
  LIST_INIT(&inp->sctp_asoc_free_list);
2948
#endif
2949
  /* Init the timer structure for signature change */
2950
11.6k
  SCTP_OS_TIMER_INIT(&inp->sctp_ep.signature_change.timer);
2951
11.6k
  inp->sctp_ep.signature_change.type = SCTP_TIMER_TYPE_NEWCOOKIE;
2952
2953
  /* now init the actual endpoint default data */
2954
11.6k
  m = &inp->sctp_ep;
2955
2956
  /* setup the base timeout information */
2957
11.6k
  m->sctp_timeoutticks[SCTP_TIMER_SEND] = sctp_secs_to_ticks(SCTP_SEND_SEC);  /* needed ? */
2958
11.6k
  m->sctp_timeoutticks[SCTP_TIMER_INIT] = sctp_secs_to_ticks(SCTP_INIT_SEC);  /* needed ? */
2959
11.6k
  m->sctp_timeoutticks[SCTP_TIMER_RECV] = sctp_msecs_to_ticks(SCTP_BASE_SYSCTL(sctp_delayed_sack_time_default));
2960
11.6k
  m->sctp_timeoutticks[SCTP_TIMER_HEARTBEAT] = sctp_msecs_to_ticks(SCTP_BASE_SYSCTL(sctp_heartbeat_interval_default));
2961
11.6k
  m->sctp_timeoutticks[SCTP_TIMER_PMTU] = sctp_secs_to_ticks(SCTP_BASE_SYSCTL(sctp_pmtu_raise_time_default));
2962
11.6k
  m->sctp_timeoutticks[SCTP_TIMER_MAXSHUTDOWN] = sctp_secs_to_ticks(SCTP_BASE_SYSCTL(sctp_shutdown_guard_time_default));
2963
11.6k
  m->sctp_timeoutticks[SCTP_TIMER_SIGNATURE] = sctp_secs_to_ticks(SCTP_BASE_SYSCTL(sctp_secret_lifetime_default));
2964
  /* all max/min max are in ms */
2965
11.6k
  m->sctp_maxrto = SCTP_BASE_SYSCTL(sctp_rto_max_default);
2966
11.6k
  m->sctp_minrto = SCTP_BASE_SYSCTL(sctp_rto_min_default);
2967
11.6k
  m->initial_rto = SCTP_BASE_SYSCTL(sctp_rto_initial_default);
2968
11.6k
  m->initial_init_rto_max = SCTP_BASE_SYSCTL(sctp_init_rto_max_default);
2969
11.6k
  m->sctp_sack_freq = SCTP_BASE_SYSCTL(sctp_sack_freq_default);
2970
11.6k
  m->max_init_times = SCTP_BASE_SYSCTL(sctp_init_rtx_max_default);
2971
11.6k
  m->max_send_times = SCTP_BASE_SYSCTL(sctp_assoc_rtx_max_default);
2972
11.6k
  m->def_net_failure = SCTP_BASE_SYSCTL(sctp_path_rtx_max_default);
2973
11.6k
  m->def_net_pf_threshold = SCTP_BASE_SYSCTL(sctp_path_pf_threshold);
2974
11.6k
  m->sctp_sws_sender = SCTP_SWS_SENDER_DEF;
2975
11.6k
  m->sctp_sws_receiver = SCTP_SWS_RECEIVER_DEF;
2976
11.6k
  m->max_burst = SCTP_BASE_SYSCTL(sctp_max_burst_default);
2977
11.6k
  m->fr_max_burst = SCTP_BASE_SYSCTL(sctp_fr_max_burst_default);
2978
2979
11.6k
  m->sctp_default_cc_module = SCTP_BASE_SYSCTL(sctp_default_cc_module);
2980
11.6k
  m->sctp_default_ss_module = SCTP_BASE_SYSCTL(sctp_default_ss_module);
2981
11.6k
  m->max_open_streams_intome = SCTP_BASE_SYSCTL(sctp_nr_incoming_streams_default);
2982
  /* number of streams to pre-open on a association */
2983
11.6k
  m->pre_open_stream_count = SCTP_BASE_SYSCTL(sctp_nr_outgoing_streams_default);
2984
2985
11.6k
  m->default_mtu = 0;
2986
  /* Add adaptation cookie */
2987
11.6k
  m->adaptation_layer_indicator = 0;
2988
11.6k
  m->adaptation_layer_indicator_provided = 0;
2989
2990
  /* seed random number generator */
2991
11.6k
  m->random_counter = 1;
2992
11.6k
  m->store_at = SCTP_SIGNATURE_SIZE;
2993
11.6k
  SCTP_READ_RANDOM(m->random_numbers, sizeof(m->random_numbers));
2994
11.6k
  sctp_fill_random_store(m);
2995
2996
  /* Minimum cookie size */
2997
11.6k
  m->size_of_a_cookie = (sizeof(struct sctp_init_msg) * 2) +
2998
11.6k
      sizeof(struct sctp_state_cookie);
2999
11.6k
  m->size_of_a_cookie += SCTP_SIGNATURE_SIZE;
3000
3001
  /* Setup the initial secret */
3002
11.6k
  (void)SCTP_GETTIME_TIMEVAL(&time);
3003
11.6k
  m->time_of_secret_change = (unsigned int)time.tv_sec;
3004
3005
104k
  for (i = 0; i < SCTP_NUMBER_OF_SECRETS; i++) {
3006
93.2k
    m->secret_key[0][i] = sctp_select_initial_TSN(m);
3007
93.2k
  }
3008
11.6k
  sctp_timer_start(SCTP_TIMER_TYPE_NEWCOOKIE, inp, NULL, NULL);
3009
3010
  /* How long is a cookie good for ? */
3011
11.6k
  m->def_cookie_life = sctp_msecs_to_ticks(SCTP_BASE_SYSCTL(sctp_valid_cookie_life_default));
3012
  /*
3013
   * Initialize authentication parameters
3014
   */
3015
11.6k
  m->local_hmacs = sctp_default_supported_hmaclist();
3016
11.6k
  m->local_auth_chunks = sctp_alloc_chunklist();
3017
11.6k
  if (inp->asconf_supported) {
3018
11.6k
    sctp_auth_add_chunk(SCTP_ASCONF, m->local_auth_chunks);
3019
11.6k
    sctp_auth_add_chunk(SCTP_ASCONF_ACK, m->local_auth_chunks);
3020
11.6k
  }
3021
11.6k
  m->default_dscp = 0;
3022
11.6k
#ifdef INET6
3023
11.6k
  m->default_flowlabel = 0;
3024
11.6k
#endif
3025
11.6k
  m->port = 0; /* encapsulation disabled by default */
3026
11.6k
  LIST_INIT(&m->shared_keys);
3027
  /* add default NULL key as key id 0 */
3028
11.6k
  null_key = sctp_alloc_sharedkey();
3029
11.6k
  sctp_insert_sharedkey(&m->shared_keys, null_key);
3030
11.6k
  SCTP_INP_WUNLOCK(inp);
3031
#ifdef SCTP_LOG_CLOSING
3032
  sctp_log_closing(inp, NULL, 12);
3033
#endif
3034
11.6k
  return (error);
3035
11.6k
}
3036
3037
void
3038
sctp_move_pcb_and_assoc(struct sctp_inpcb *old_inp, struct sctp_inpcb *new_inp,
3039
    struct sctp_tcb *stcb)
3040
0
{
3041
0
  struct sctp_nets *net;
3042
0
  uint16_t lport, rport;
3043
0
  struct sctppcbhead *head;
3044
0
  struct sctp_laddr *laddr, *oladdr;
3045
3046
0
  atomic_add_int(&stcb->asoc.refcnt, 1);
3047
0
  SCTP_TCB_UNLOCK(stcb);
3048
0
  SCTP_INP_INFO_WLOCK();
3049
0
  SCTP_INP_WLOCK(old_inp);
3050
0
  SCTP_INP_WLOCK(new_inp);
3051
0
  SCTP_TCB_LOCK(stcb);
3052
0
  atomic_subtract_int(&stcb->asoc.refcnt, 1);
3053
3054
#if defined(__FreeBSD__) && !defined(__Userspace__)
3055
#ifdef INET6
3056
  if (old_inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
3057
    new_inp->ip_inp.inp.inp_flags |= old_inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS;
3058
    if (old_inp->ip_inp.inp.in6p_outputopts) {
3059
      new_inp->ip_inp.inp.in6p_outputopts = ip6_copypktopts(old_inp->ip_inp.inp.in6p_outputopts, M_NOWAIT);
3060
    }
3061
  }
3062
#endif
3063
#if defined(INET) && defined(INET6)
3064
  else
3065
#endif
3066
#ifdef INET
3067
  {
3068
    new_inp->ip_inp.inp.inp_ip_tos = old_inp->ip_inp.inp.inp_ip_tos;
3069
    new_inp->ip_inp.inp.inp_ip_ttl = old_inp->ip_inp.inp.inp_ip_ttl;
3070
  }
3071
#endif
3072
#endif
3073
0
  new_inp->sctp_ep.time_of_secret_change =
3074
0
      old_inp->sctp_ep.time_of_secret_change;
3075
0
  memcpy(new_inp->sctp_ep.secret_key, old_inp->sctp_ep.secret_key,
3076
0
      sizeof(old_inp->sctp_ep.secret_key));
3077
0
  new_inp->sctp_ep.current_secret_number =
3078
0
      old_inp->sctp_ep.current_secret_number;
3079
0
  new_inp->sctp_ep.last_secret_number =
3080
0
      old_inp->sctp_ep.last_secret_number;
3081
0
  new_inp->sctp_ep.size_of_a_cookie = old_inp->sctp_ep.size_of_a_cookie;
3082
3083
  /* make it so new data pours into the new socket */
3084
0
  stcb->sctp_socket = new_inp->sctp_socket;
3085
0
  stcb->sctp_ep = new_inp;
3086
3087
  /* Copy the port across */
3088
0
  lport = new_inp->sctp_lport = old_inp->sctp_lport;
3089
0
  rport = stcb->rport;
3090
  /* Pull the tcb from the old association */
3091
0
  LIST_REMOVE(stcb, sctp_tcbhash);
3092
0
  LIST_REMOVE(stcb, sctp_tcblist);
3093
0
  if (stcb->asoc.in_asocid_hash) {
3094
0
    LIST_REMOVE(stcb, sctp_tcbasocidhash);
3095
0
  }
3096
  /* Now insert the new_inp into the TCP connected hash */
3097
0
  head = &SCTP_BASE_INFO(sctp_tcpephash)[SCTP_PCBHASH_ALLADDR((lport | rport), SCTP_BASE_INFO(hashtcpmark))];
3098
3099
0
  LIST_INSERT_HEAD(head, new_inp, sctp_hash);
3100
  /* Its safe to access */
3101
0
  new_inp->sctp_flags &= ~SCTP_PCB_FLAGS_UNBOUND;
3102
3103
  /* Now move the tcb into the endpoint list */
3104
0
  LIST_INSERT_HEAD(&new_inp->sctp_asoc_list, stcb, sctp_tcblist);
3105
  /*
3106
   * Question, do we even need to worry about the ep-hash since we
3107
   * only have one connection? Probably not :> so lets get rid of it
3108
   * and not suck up any kernel memory in that.
3109
   */
3110
0
  if (stcb->asoc.in_asocid_hash) {
3111
0
    struct sctpasochead *lhd;
3112
0
    lhd = &new_inp->sctp_asocidhash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id,
3113
0
      new_inp->hashasocidmark)];
3114
0
    LIST_INSERT_HEAD(lhd, stcb, sctp_tcbasocidhash);
3115
0
  }
3116
  /* Ok. Let's restart timer. */
3117
0
  TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
3118
0
    sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, new_inp,
3119
0
        stcb, net);
3120
0
  }
3121
3122
0
  SCTP_INP_INFO_WUNLOCK();
3123
0
  if (new_inp->sctp_tcbhash != NULL) {
3124
0
    SCTP_HASH_FREE(new_inp->sctp_tcbhash, new_inp->sctp_hashmark);
3125
0
    new_inp->sctp_tcbhash = NULL;
3126
0
  }
3127
0
  if ((new_inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) == 0) {
3128
    /* Subset bound, so copy in the laddr list from the old_inp */
3129
0
    LIST_FOREACH(oladdr, &old_inp->sctp_addr_list, sctp_nxt_addr) {
3130
0
      laddr = SCTP_ZONE_GET(SCTP_BASE_INFO(ipi_zone_laddr), struct sctp_laddr);
3131
0
      if (laddr == NULL) {
3132
        /*
3133
         * Gak, what can we do? This assoc is really
3134
         * HOSED. We probably should send an abort
3135
         * here.
3136
         */
3137
0
        SCTPDBG(SCTP_DEBUG_PCB1, "Association hosed in TCP model, out of laddr memory\n");
3138
0
        continue;
3139
0
      }
3140
0
      SCTP_INCR_LADDR_COUNT();
3141
0
      memset(laddr, 0, sizeof(*laddr));
3142
0
      (void)SCTP_GETTIME_TIMEVAL(&laddr->start_time);
3143
0
      laddr->ifa = oladdr->ifa;
3144
0
      atomic_add_int(&laddr->ifa->refcount, 1);
3145
0
      LIST_INSERT_HEAD(&new_inp->sctp_addr_list, laddr,
3146
0
          sctp_nxt_addr);
3147
0
      new_inp->laddr_count++;
3148
0
      if (oladdr == stcb->asoc.last_used_address) {
3149
0
        stcb->asoc.last_used_address = laddr;
3150
0
      }
3151
0
    }
3152
0
  }
3153
  /* Now any running timers need to be adjusted. */
3154
0
  if (stcb->asoc.dack_timer.ep == old_inp) {
3155
0
    SCTP_INP_DECR_REF(old_inp);
3156
0
    stcb->asoc.dack_timer.ep = new_inp;
3157
0
    SCTP_INP_INCR_REF(new_inp);
3158
0
  }
3159
0
  if (stcb->asoc.asconf_timer.ep == old_inp) {
3160
0
    SCTP_INP_DECR_REF(old_inp);
3161
0
    stcb->asoc.asconf_timer.ep = new_inp;
3162
0
    SCTP_INP_INCR_REF(new_inp);
3163
0
  }
3164
0
  if (stcb->asoc.strreset_timer.ep == old_inp) {
3165
0
    SCTP_INP_DECR_REF(old_inp);
3166
0
    stcb->asoc.strreset_timer.ep = new_inp;
3167
0
    SCTP_INP_INCR_REF(new_inp);
3168
0
  }
3169
0
  if (stcb->asoc.shut_guard_timer.ep == old_inp) {
3170
0
    SCTP_INP_DECR_REF(old_inp);
3171
0
    stcb->asoc.shut_guard_timer.ep = new_inp;
3172
0
    SCTP_INP_INCR_REF(new_inp);
3173
0
  }
3174
0
  if (stcb->asoc.autoclose_timer.ep == old_inp) {
3175
0
    SCTP_INP_DECR_REF(old_inp);
3176
0
    stcb->asoc.autoclose_timer.ep = new_inp;
3177
0
    SCTP_INP_INCR_REF(new_inp);
3178
0
  }
3179
0
  if (stcb->asoc.delete_prim_timer.ep == old_inp) {
3180
0
    SCTP_INP_DECR_REF(old_inp);
3181
0
    stcb->asoc.delete_prim_timer.ep = new_inp;
3182
0
    SCTP_INP_INCR_REF(new_inp);
3183
0
  }
3184
  /* now what about the nets? */
3185
0
  TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
3186
0
    if (net->pmtu_timer.ep == old_inp) {
3187
0
      SCTP_INP_DECR_REF(old_inp);
3188
0
      net->pmtu_timer.ep = new_inp;
3189
0
      SCTP_INP_INCR_REF(new_inp);
3190
0
    }
3191
0
    if (net->hb_timer.ep == old_inp) {
3192
0
      SCTP_INP_DECR_REF(old_inp);
3193
0
      net->hb_timer.ep = new_inp;
3194
0
      SCTP_INP_INCR_REF(new_inp);
3195
0
    }
3196
0
    if (net->rxt_timer.ep == old_inp) {
3197
0
      SCTP_INP_DECR_REF(old_inp);
3198
0
      net->rxt_timer.ep = new_inp;
3199
0
      SCTP_INP_INCR_REF(new_inp);
3200
0
    }
3201
0
  }
3202
0
  SCTP_INP_WUNLOCK(new_inp);
3203
0
  SCTP_INP_WUNLOCK(old_inp);
3204
0
}
3205
3206
/*
3207
 * insert an laddr entry with the given ifa for the desired list
3208
 */
3209
static int
3210
sctp_insert_laddr(struct sctpladdr *list, struct sctp_ifa *ifa, uint32_t act)
3211
11.6k
{
3212
11.6k
  struct sctp_laddr *laddr;
3213
3214
11.6k
  laddr = SCTP_ZONE_GET(SCTP_BASE_INFO(ipi_zone_laddr), struct sctp_laddr);
3215
11.6k
  if (laddr == NULL) {
3216
    /* out of memory? */
3217
0
    SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
3218
0
    return (EINVAL);
3219
0
  }
3220
11.6k
  SCTP_INCR_LADDR_COUNT();
3221
11.6k
  memset(laddr, 0, sizeof(*laddr));
3222
11.6k
  (void)SCTP_GETTIME_TIMEVAL(&laddr->start_time);
3223
11.6k
  laddr->ifa = ifa;
3224
11.6k
  laddr->action = act;
3225
11.6k
  atomic_add_int(&ifa->refcount, 1);
3226
  /* insert it */
3227
11.6k
  LIST_INSERT_HEAD(list, laddr, sctp_nxt_addr);
3228
3229
11.6k
  return (0);
3230
11.6k
}
3231
3232
/*
3233
 * Remove an laddr entry from the local address list (on an assoc)
3234
 */
3235
static void
3236
sctp_remove_laddr(struct sctp_laddr *laddr)
3237
11.6k
{
3238
3239
  /* remove from the list */
3240
11.6k
  LIST_REMOVE(laddr, sctp_nxt_addr);
3241
11.6k
  sctp_free_ifa(laddr->ifa);
3242
11.6k
  SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_laddr), laddr);
3243
11.6k
  SCTP_DECR_LADDR_COUNT();
3244
11.6k
}
3245
#if !(defined(__FreeBSD__) || defined(__APPLE__) || defined(__Userspace__))
3246
3247
/*
3248
 * Don't know why, but without this there is an unknown reference when
3249
 * compiling NetBSD... hmm
3250
 */
3251
extern void in6_sin6_2_sin(struct sockaddr_in *, struct sockaddr_in6 *sin6);
3252
#endif
3253
3254
/*
3255
 * Bind the socket, with the PCB and global info locks held.  Note, if a
3256
 * socket address is specified, the PCB lock may be dropped and re-acquired.
3257
 *
3258
 * sctp_ifap is used to bypass normal local address validation checks.
3259
 */
3260
int
3261
#if defined(__FreeBSD__) && !defined(__Userspace__)
3262
sctp_inpcb_bind_locked(struct sctp_inpcb *inp, struct sockaddr *addr,
3263
                       struct sctp_ifa *sctp_ifap, struct thread *td)
3264
#elif defined(_WIN32) && !defined(__Userspace__)
3265
sctp_inpcb_bind_locked(struct sctp_inpcb *inp, struct sockaddr *addr,
3266
                       struct sctp_ifa *sctp_ifap, PKTHREAD p)
3267
#else
3268
sctp_inpcb_bind_locked(struct sctp_inpcb *inp, struct sockaddr *addr,
3269
                       struct sctp_ifa *sctp_ifap, struct proc *p)
3270
#endif
3271
11.6k
{
3272
  /* bind a ep to a socket address */
3273
11.6k
  struct sctppcbhead *head;
3274
11.6k
  struct sctp_inpcb *inp_tmp;
3275
#if (defined(__FreeBSD__) || defined(__APPLE__)) && !defined(__Userspace__)
3276
  struct inpcb *ip_inp;
3277
#endif
3278
11.6k
  int port_reuse_active = 0;
3279
11.6k
  int bindall;
3280
#ifdef SCTP_MVRF
3281
  int i;
3282
#endif
3283
11.6k
  uint16_t lport;
3284
11.6k
  int error;
3285
11.6k
  uint32_t vrf_id;
3286
3287
#if defined(__FreeBSD__) && !defined(__Userspace__)
3288
  KASSERT(td != NULL, ("%s: null thread", __func__));
3289
3290
#endif
3291
11.6k
  error = 0;
3292
11.6k
  lport = 0;
3293
11.6k
  bindall = 1;
3294
#if (defined(__FreeBSD__) || defined(__APPLE__)) && !defined(__Userspace__)
3295
  ip_inp = &inp->ip_inp.inp;
3296
#endif
3297
3298
11.6k
  SCTP_INP_INFO_WLOCK_ASSERT();
3299
11.6k
  SCTP_INP_WLOCK_ASSERT(inp);
3300
3301
#ifdef SCTP_DEBUG
3302
  if (addr) {
3303
    SCTPDBG(SCTP_DEBUG_PCB1, "Bind called port: %d\n",
3304
      ntohs(((struct sockaddr_in *)addr)->sin_port));
3305
    SCTPDBG(SCTP_DEBUG_PCB1, "Addr: ");
3306
    SCTPDBG_ADDR(SCTP_DEBUG_PCB1, addr);
3307
  }
3308
#endif
3309
11.6k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) == 0) {
3310
0
    error = EINVAL;
3311
    /* already did a bind, subsequent binds NOT allowed ! */
3312
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3313
0
    goto out;
3314
0
  }
3315
11.6k
  if (addr != NULL) {
3316
11.6k
    switch (addr->sa_family) {
3317
0
#ifdef INET
3318
0
    case AF_INET:
3319
0
    {
3320
0
      struct sockaddr_in *sin;
3321
3322
      /* IPV6_V6ONLY socket? */
3323
0
      if (SCTP_IPV6_V6ONLY(inp)) {
3324
0
        error = EINVAL;
3325
0
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3326
0
        goto out;
3327
0
      }
3328
#ifdef HAVE_SA_LEN
3329
      if (addr->sa_len != sizeof(*sin)) {
3330
        error = EINVAL;
3331
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3332
        goto out;
3333
      }
3334
#endif
3335
3336
0
      sin = (struct sockaddr_in *)addr;
3337
0
      lport = sin->sin_port;
3338
#if defined(__FreeBSD__) && !defined(__Userspace__)
3339
      /*
3340
       * For LOOPBACK the prison_local_ip4() call will transmute the ip address
3341
       * to the proper value.
3342
       */
3343
      if ((error = prison_local_ip4(td->td_ucred, &sin->sin_addr)) != 0) {
3344
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3345
        goto out;
3346
      }
3347
#endif
3348
0
      if (sin->sin_addr.s_addr != INADDR_ANY) {
3349
0
        bindall = 0;
3350
0
      }
3351
0
      break;
3352
0
    }
3353
0
#endif
3354
0
#ifdef INET6
3355
0
    case AF_INET6:
3356
0
    {
3357
      /* Only for pure IPv6 Address. (No IPv4 Mapped!) */
3358
0
      struct sockaddr_in6 *sin6;
3359
3360
0
      sin6 = (struct sockaddr_in6 *)addr;
3361
#ifdef HAVE_SA_LEN
3362
      if (addr->sa_len != sizeof(*sin6)) {
3363
        error = EINVAL;
3364
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3365
        goto out;
3366
      }
3367
#endif
3368
0
      lport = sin6->sin6_port;
3369
#if defined(__FreeBSD__) && !defined(__Userspace__)
3370
      /*
3371
       * For LOOPBACK the prison_local_ip6() call will transmute the ipv6 address
3372
       * to the proper value.
3373
       */
3374
      if ((error = prison_local_ip6(td->td_ucred, &sin6->sin6_addr,
3375
          (SCTP_IPV6_V6ONLY(inp) != 0))) != 0) {
3376
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3377
        goto out;
3378
      }
3379
#endif
3380
0
      if (!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
3381
0
        bindall = 0;
3382
#ifdef SCTP_EMBEDDED_V6_SCOPE
3383
        /* KAME hack: embed scopeid */
3384
#if defined(SCTP_KAME)
3385
        if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
3386
          error = EINVAL;
3387
          SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3388
          goto out;
3389
        }
3390
#elif defined(__APPLE__) && !defined(__Userspace__)
3391
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
3392
        if (in6_embedscope(&sin6->sin6_addr, sin6, ip_inp, NULL) != 0) {
3393
#else
3394
        if (in6_embedscope(&sin6->sin6_addr, sin6, ip_inp, NULL, NULL) != 0) {
3395
#endif
3396
          error = EINVAL;
3397
          SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3398
          goto out;
3399
        }
3400
#elif defined(__FreeBSD__) && !defined(__Userspace__)
3401
        error = scope6_check_id(sin6, MODULE_GLOBAL(ip6_use_defzone));
3402
        if (error != 0) {
3403
          error = EINVAL;
3404
          SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3405
          goto out;
3406
        }
3407
#else
3408
        if (in6_embedscope(&sin6->sin6_addr, sin6) != 0) {
3409
          error = EINVAL;
3410
          SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3411
          goto out;
3412
        }
3413
#endif
3414
#endif /* SCTP_EMBEDDED_V6_SCOPE */
3415
0
      }
3416
0
#ifndef SCOPEDROUTING
3417
      /* this must be cleared for ifa_ifwithaddr() */
3418
0
      sin6->sin6_scope_id = 0;
3419
0
#endif /* SCOPEDROUTING */
3420
0
      break;
3421
0
    }
3422
0
#endif
3423
0
#if defined(__Userspace__)
3424
11.6k
    case AF_CONN:
3425
11.6k
    {
3426
11.6k
      struct sockaddr_conn *sconn;
3427
3428
#ifdef HAVE_SA_LEN
3429
      if (addr->sa_len != sizeof(struct sockaddr_conn)) {
3430
        error = EINVAL;
3431
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3432
        goto out;
3433
      }
3434
#endif
3435
11.6k
      sconn = (struct sockaddr_conn *)addr;
3436
11.6k
      lport = sconn->sconn_port;
3437
11.6k
      if (sconn->sconn_addr != NULL) {
3438
11.6k
        bindall = 0;
3439
11.6k
      }
3440
11.6k
      break;
3441
0
    }
3442
0
#endif
3443
0
    default:
3444
0
      error = EAFNOSUPPORT;
3445
0
      SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3446
0
      goto out;
3447
11.6k
    }
3448
11.6k
  }
3449
  /* Setup a vrf_id to be the default for the non-bind-all case. */
3450
11.6k
  vrf_id = inp->def_vrf_id;
3451
3452
11.6k
  if (lport) {
3453
    /*
3454
     * Did the caller specify a port? if so we must see if an ep
3455
     * already has this one bound.
3456
     */
3457
    /* got to be root to get at low ports */
3458
11.6k
#if !(defined(_WIN32) && !defined(__Userspace__))
3459
11.6k
    if (ntohs(lport) < IPPORT_RESERVED &&
3460
#if defined(__FreeBSD__) && !defined(__Userspace__)
3461
        (error = priv_check(td, PRIV_NETINET_RESERVEDPORT)) != 0) {
3462
#elif defined(__APPLE__) && !defined(__Userspace__)
3463
        (error = suser(p->p_ucred, &p->p_acflag)) != 0) {
3464
#elif defined(__Userspace__)
3465
      /* TODO ensure uid is 0, etc... */
3466
11.6k
        0) {
3467
#else
3468
        (error = suser(p, 0)) != 0) {
3469
#endif
3470
0
      goto out;
3471
0
    }
3472
11.6k
#endif
3473
11.6k
    SCTP_INP_INCR_REF(inp);
3474
11.6k
    SCTP_INP_WUNLOCK(inp);
3475
11.6k
    if (bindall) {
3476
#ifdef SCTP_MVRF
3477
      for (i = 0; i < inp->num_vrfs; i++) {
3478
        vrf_id = inp->m_vrf_ids[i];
3479
#else
3480
0
        vrf_id = inp->def_vrf_id;
3481
0
#endif
3482
0
        inp_tmp = sctp_pcb_findep(addr, 0, 1, vrf_id);
3483
0
        if (inp_tmp != NULL) {
3484
          /*
3485
           * lock guy returned and lower count
3486
           * note that we are not bound so
3487
           * inp_tmp should NEVER be inp. And
3488
           * it is this inp (inp_tmp) that gets
3489
           * the reference bump, so we must
3490
           * lower it.
3491
           */
3492
0
          SCTP_INP_DECR_REF(inp_tmp);
3493
          /* unlock info */
3494
0
          if ((sctp_is_feature_on(inp, SCTP_PCB_FLAGS_PORTREUSE)) &&
3495
0
              (sctp_is_feature_on(inp_tmp, SCTP_PCB_FLAGS_PORTREUSE))) {
3496
            /* Ok, must be one-2-one and allowing port re-use */
3497
0
            port_reuse_active = 1;
3498
0
            goto continue_anyway;
3499
0
          }
3500
0
          SCTP_INP_WLOCK(inp);
3501
0
          SCTP_INP_DECR_REF(inp);
3502
0
          error = EADDRINUSE;
3503
0
          SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3504
0
          goto out;
3505
0
        }
3506
#ifdef SCTP_MVRF
3507
      }
3508
#endif
3509
11.6k
    } else {
3510
11.6k
      inp_tmp = sctp_pcb_findep(addr, 0, 1, vrf_id);
3511
11.6k
      if (inp_tmp != NULL) {
3512
        /*
3513
         * lock guy returned and lower count note
3514
         * that we are not bound so inp_tmp should
3515
         * NEVER be inp. And it is this inp (inp_tmp)
3516
         * that gets the reference bump, so we must
3517
         * lower it.
3518
         */
3519
0
        SCTP_INP_DECR_REF(inp_tmp);
3520
        /* unlock info */
3521
0
        if ((sctp_is_feature_on(inp, SCTP_PCB_FLAGS_PORTREUSE)) &&
3522
0
            (sctp_is_feature_on(inp_tmp, SCTP_PCB_FLAGS_PORTREUSE))) {
3523
          /* Ok, must be one-2-one and allowing port re-use */
3524
0
          port_reuse_active = 1;
3525
0
          goto continue_anyway;
3526
0
        }
3527
0
        SCTP_INP_WLOCK(inp);
3528
0
        SCTP_INP_DECR_REF(inp);
3529
0
        error = EADDRINUSE;
3530
0
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3531
0
        goto out;
3532
0
      }
3533
11.6k
    }
3534
11.6k
  continue_anyway:
3535
11.6k
    SCTP_INP_WLOCK(inp);
3536
11.6k
    SCTP_INP_DECR_REF(inp);
3537
11.6k
    if (bindall) {
3538
      /* verify that no lport is not used by a singleton */
3539
0
      if ((port_reuse_active == 0) &&
3540
0
          (inp_tmp = sctp_isport_inuse(inp, lport, vrf_id))) {
3541
        /* Sorry someone already has this one bound */
3542
0
        if ((sctp_is_feature_on(inp, SCTP_PCB_FLAGS_PORTREUSE)) &&
3543
0
            (sctp_is_feature_on(inp_tmp, SCTP_PCB_FLAGS_PORTREUSE))) {
3544
0
          port_reuse_active = 1;
3545
0
        } else {
3546
0
          error = EADDRINUSE;
3547
0
          SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3548
0
          goto out;
3549
0
        }
3550
0
      }
3551
0
    }
3552
11.6k
  } else {
3553
0
    uint16_t first, last, candidate;
3554
0
    uint16_t count;
3555
3556
0
#if defined(__Userspace__)
3557
0
    first = MODULE_GLOBAL(ipport_firstauto);
3558
0
    last = MODULE_GLOBAL(ipport_lastauto);
3559
#elif defined(_WIN32)
3560
    first = 1;
3561
    last = 0xffff;
3562
#elif defined(__FreeBSD__) || defined(__APPLE__)
3563
    if (ip_inp->inp_flags & INP_HIGHPORT) {
3564
      first = MODULE_GLOBAL(ipport_hifirstauto);
3565
      last = MODULE_GLOBAL(ipport_hilastauto);
3566
    } else if (ip_inp->inp_flags & INP_LOWPORT) {
3567
#if defined(__FreeBSD__)
3568
      if ((error = priv_check(td, PRIV_NETINET_RESERVEDPORT)) != 0) {
3569
#else
3570
      if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) {
3571
#endif
3572
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3573
        goto out;
3574
      }
3575
      first = MODULE_GLOBAL(ipport_lowfirstauto);
3576
      last = MODULE_GLOBAL(ipport_lowlastauto);
3577
    } else {
3578
      first = MODULE_GLOBAL(ipport_firstauto);
3579
      last = MODULE_GLOBAL(ipport_lastauto);
3580
    }
3581
#endif
3582
0
    if (first > last) {
3583
0
      uint16_t temp;
3584
3585
0
      temp = first;
3586
0
      first = last;
3587
0
      last = temp;
3588
0
    }
3589
0
    count = last - first + 1; /* number of candidates */
3590
0
    candidate = first + sctp_select_initial_TSN(&inp->sctp_ep) % (count);
3591
3592
0
    for (;;) {
3593
#ifdef SCTP_MVRF
3594
      for (i = 0; i < inp->num_vrfs; i++) {
3595
        if (sctp_isport_inuse(inp, htons(candidate), inp->m_vrf_ids[i]) != NULL) {
3596
          break;
3597
        }
3598
      }
3599
      if (i == inp->num_vrfs) {
3600
        lport = htons(candidate);
3601
        break;
3602
      }
3603
#else
3604
0
      if (sctp_isport_inuse(inp, htons(candidate), inp->def_vrf_id) == NULL) {
3605
0
        lport = htons(candidate);
3606
0
        break;
3607
0
      }
3608
0
#endif
3609
0
      if (--count == 0) {
3610
0
        error = EADDRINUSE;
3611
0
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3612
0
        goto out;
3613
0
      }
3614
0
      if (candidate == last)
3615
0
        candidate = first;
3616
0
      else
3617
0
        candidate = candidate + 1;
3618
0
    }
3619
0
  }
3620
11.6k
  if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE |
3621
11.6k
             SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
3622
    /*
3623
     * this really should not happen. The guy did a non-blocking
3624
     * bind and then did a close at the same time.
3625
     */
3626
0
    error = EINVAL;
3627
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3628
0
    goto out;
3629
0
  }
3630
  /* ok we look clear to give out this port, so lets setup the binding */
3631
11.6k
  if (bindall) {
3632
    /* binding to all addresses, so just set in the proper flags */
3633
0
    inp->sctp_flags |= SCTP_PCB_FLAGS_BOUNDALL;
3634
    /* set the automatic addr changes from kernel flag */
3635
0
    if (SCTP_BASE_SYSCTL(sctp_auto_asconf) == 0) {
3636
0
      sctp_feature_off(inp, SCTP_PCB_FLAGS_DO_ASCONF);
3637
0
      sctp_feature_off(inp, SCTP_PCB_FLAGS_AUTO_ASCONF);
3638
0
    } else {
3639
0
      sctp_feature_on(inp, SCTP_PCB_FLAGS_DO_ASCONF);
3640
0
      sctp_feature_on(inp, SCTP_PCB_FLAGS_AUTO_ASCONF);
3641
0
    }
3642
0
    if (SCTP_BASE_SYSCTL(sctp_multiple_asconfs) == 0) {
3643
0
      sctp_feature_off(inp, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS);
3644
0
    } else {
3645
0
      sctp_feature_on(inp, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS);
3646
0
    }
3647
    /* set the automatic mobility_base from kernel
3648
       flag (by micchie)
3649
    */
3650
0
    if (SCTP_BASE_SYSCTL(sctp_mobility_base) == 0) {
3651
0
      sctp_mobility_feature_off(inp, SCTP_MOBILITY_BASE);
3652
0
      sctp_mobility_feature_off(inp, SCTP_MOBILITY_PRIM_DELETED);
3653
0
    } else {
3654
0
      sctp_mobility_feature_on(inp, SCTP_MOBILITY_BASE);
3655
0
      sctp_mobility_feature_off(inp, SCTP_MOBILITY_PRIM_DELETED);
3656
0
    }
3657
    /* set the automatic mobility_fasthandoff from kernel
3658
       flag (by micchie)
3659
    */
3660
0
    if (SCTP_BASE_SYSCTL(sctp_mobility_fasthandoff) == 0) {
3661
0
      sctp_mobility_feature_off(inp, SCTP_MOBILITY_FASTHANDOFF);
3662
0
      sctp_mobility_feature_off(inp, SCTP_MOBILITY_PRIM_DELETED);
3663
0
    } else {
3664
0
      sctp_mobility_feature_on(inp, SCTP_MOBILITY_FASTHANDOFF);
3665
0
      sctp_mobility_feature_off(inp, SCTP_MOBILITY_PRIM_DELETED);
3666
0
    }
3667
11.6k
  } else {
3668
    /*
3669
     * bind specific, make sure flags is off and add a new
3670
     * address structure to the sctp_addr_list inside the ep
3671
     * structure.
3672
     *
3673
     * We will need to allocate one and insert it at the head. The
3674
     * socketopt call can just insert new addresses in there as
3675
     * well. It will also have to do the embed scope kame hack
3676
     * too (before adding).
3677
     */
3678
11.6k
    struct sctp_ifa *ifa;
3679
11.6k
    union sctp_sockstore store;
3680
3681
11.6k
    memset(&store, 0, sizeof(store));
3682
11.6k
    switch (addr->sa_family) {
3683
0
#ifdef INET
3684
0
    case AF_INET:
3685
0
      memcpy(&store.sin, addr, sizeof(struct sockaddr_in));
3686
0
      store.sin.sin_port = 0;
3687
0
      break;
3688
0
#endif
3689
0
#ifdef INET6
3690
0
    case AF_INET6:
3691
0
      memcpy(&store.sin6, addr, sizeof(struct sockaddr_in6));
3692
0
      store.sin6.sin6_port = 0;
3693
0
      break;
3694
0
#endif
3695
0
#if defined(__Userspace__)
3696
11.6k
    case AF_CONN:
3697
11.6k
      memcpy(&store.sconn, addr, sizeof(struct sockaddr_conn));
3698
11.6k
      store.sconn.sconn_port = 0;
3699
11.6k
      break;
3700
0
#endif
3701
0
    default:
3702
0
      break;
3703
11.6k
    }
3704
    /*
3705
     * first find the interface with the bound address need to
3706
     * zero out the port to find the address! yuck! can't do
3707
     * this earlier since need port for sctp_pcb_findep()
3708
     */
3709
11.6k
    if (sctp_ifap != NULL) {
3710
0
      ifa = sctp_ifap;
3711
11.6k
    } else {
3712
      /* Note for BSD we hit here always other
3713
       * O/S's will pass things in via the
3714
       * sctp_ifap argument.
3715
       */
3716
11.6k
      ifa = sctp_find_ifa_by_addr(&store.sa,
3717
11.6k
                vrf_id, SCTP_ADDR_NOT_LOCKED);
3718
11.6k
    }
3719
11.6k
    if (ifa == NULL) {
3720
0
      error = EADDRNOTAVAIL;
3721
      /* Can't find an interface with that address */
3722
0
      SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3723
0
      goto out;
3724
0
    }
3725
11.6k
#ifdef INET6
3726
11.6k
    if (addr->sa_family == AF_INET6) {
3727
      /* GAK, more FIXME IFA lock? */
3728
0
      if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
3729
        /* Can't bind a non-existent addr. */
3730
0
        error = EINVAL;
3731
0
        SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, error);
3732
0
        goto out;
3733
0
      }
3734
0
    }
3735
11.6k
#endif
3736
    /* we're not bound all */
3737
11.6k
    inp->sctp_flags &= ~SCTP_PCB_FLAGS_BOUNDALL;
3738
    /* allow bindx() to send ASCONF's for binding changes */
3739
11.6k
    sctp_feature_on(inp, SCTP_PCB_FLAGS_DO_ASCONF);
3740
    /* clear automatic addr changes from kernel flag */
3741
11.6k
    sctp_feature_off(inp, SCTP_PCB_FLAGS_AUTO_ASCONF);
3742
3743
    /* add this address to the endpoint list */
3744
11.6k
    error = sctp_insert_laddr(&inp->sctp_addr_list, ifa, 0);
3745
11.6k
    if (error != 0)
3746
0
      goto out;
3747
11.6k
    inp->laddr_count++;
3748
11.6k
  }
3749
  /* find the bucket */
3750
11.6k
  if (port_reuse_active) {
3751
    /* Put it into tcp 1-2-1 hash */
3752
0
    head = &SCTP_BASE_INFO(sctp_tcpephash)[SCTP_PCBHASH_ALLADDR(lport, SCTP_BASE_INFO(hashtcpmark))];
3753
0
    inp->sctp_flags |= SCTP_PCB_FLAGS_IN_TCPPOOL;
3754
11.6k
  } else {
3755
11.6k
    head = &SCTP_BASE_INFO(sctp_ephash)[SCTP_PCBHASH_ALLADDR(lport, SCTP_BASE_INFO(hashmark))];
3756
11.6k
  }
3757
  /* put it in the bucket */
3758
11.6k
  LIST_INSERT_HEAD(head, inp, sctp_hash);
3759
11.6k
  SCTPDBG(SCTP_DEBUG_PCB1, "Main hash to bind at head:%p, bound port:%d - in tcp_pool=%d\n",
3760
11.6k
    (void *)head, ntohs(lport), port_reuse_active);
3761
  /* set in the port */
3762
11.6k
  inp->sctp_lport = lport;
3763
3764
  /* turn off just the unbound flag */
3765
11.6k
  KASSERT((inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) != 0,
3766
11.6k
      ("%s: inp %p is already bound", __func__, inp));
3767
11.6k
  inp->sctp_flags &= ~SCTP_PCB_FLAGS_UNBOUND;
3768
11.6k
out:
3769
11.6k
  return (error);
3770
11.6k
}
3771
3772
int
3773
#if defined(__FreeBSD__) && !defined(__Userspace__)
3774
sctp_inpcb_bind(struct socket *so, struct sockaddr *addr,
3775
                struct sctp_ifa *sctp_ifap, struct thread *td)
3776
#elif defined(_WIN32) && !defined(__Userspace__)
3777
sctp_inpcb_bind(struct socket *so, struct sockaddr *addr,
3778
                struct sctp_ifa *sctp_ifap, PKTHREAD p)
3779
#else
3780
sctp_inpcb_bind(struct socket *so, struct sockaddr *addr,
3781
                struct sctp_ifa *sctp_ifap, struct proc *p)
3782
#endif
3783
11.6k
{
3784
11.6k
  struct sctp_inpcb *inp;
3785
11.6k
  int error;
3786
3787
11.6k
  inp = so->so_pcb;
3788
11.6k
  SCTP_INP_INFO_WLOCK();
3789
11.6k
  SCTP_INP_WLOCK(inp);
3790
#if defined(__FreeBSD__) && !defined(__Userspace__)
3791
  error = sctp_inpcb_bind_locked(inp, addr, sctp_ifap, td);
3792
#else
3793
11.6k
  error = sctp_inpcb_bind_locked(inp, addr, sctp_ifap, p);
3794
11.6k
#endif
3795
11.6k
  SCTP_INP_WUNLOCK(inp);
3796
11.6k
  SCTP_INP_INFO_WUNLOCK();
3797
11.6k
  return (error);
3798
11.6k
}
3799
3800
static void
3801
sctp_iterator_inp_being_freed(struct sctp_inpcb *inp)
3802
11.7k
{
3803
11.7k
  struct sctp_iterator *it, *nit;
3804
3805
  /*
3806
   * We enter with the only the ITERATOR_LOCK in place and a write
3807
   * lock on the inp_info stuff.
3808
   */
3809
11.7k
  it = sctp_it_ctl.cur_it;
3810
#if defined(__FreeBSD__) && !defined(__Userspace__)
3811
  if (it && (it->vn != curvnet)) {
3812
    /* Its not looking at our VNET */
3813
    return;
3814
  }
3815
#endif
3816
11.7k
  if (it && (it->inp == inp)) {
3817
    /*
3818
     * This is tricky and we hold the iterator lock,
3819
     * but when it returns and gets the lock (when we
3820
     * release it) the iterator will try to operate on
3821
     * inp. We need to stop that from happening. But
3822
     * of course the iterator has a reference on the
3823
     * stcb and inp. We can mark it and it will stop.
3824
     *
3825
     * If its a single iterator situation, we
3826
     * set the end iterator flag. Otherwise
3827
     * we set the iterator to go to the next inp.
3828
     *
3829
     */
3830
0
    if (it->iterator_flags & SCTP_ITERATOR_DO_SINGLE_INP) {
3831
0
      sctp_it_ctl.iterator_flags |= SCTP_ITERATOR_STOP_CUR_IT;
3832
0
    } else {
3833
0
      sctp_it_ctl.iterator_flags |= SCTP_ITERATOR_STOP_CUR_INP;
3834
0
    }
3835
0
  }
3836
  /* Now go through and remove any single reference to
3837
   * our inp that may be still pending on the list
3838
   */
3839
11.7k
  SCTP_IPI_ITERATOR_WQ_LOCK();
3840
11.7k
  TAILQ_FOREACH_SAFE(it, &sctp_it_ctl.iteratorhead, sctp_nxt_itr, nit) {
3841
#if defined(__FreeBSD__) && !defined(__Userspace__)
3842
    if (it->vn != curvnet) {
3843
      continue;
3844
    }
3845
#endif
3846
0
    if (it->inp == inp) {
3847
      /* This one points to me is it inp specific? */
3848
0
      if (it->iterator_flags & SCTP_ITERATOR_DO_SINGLE_INP) {
3849
        /* Remove and free this one */
3850
0
        TAILQ_REMOVE(&sctp_it_ctl.iteratorhead,
3851
0
            it, sctp_nxt_itr);
3852
0
        if (it->function_atend != NULL) {
3853
0
          (*it->function_atend) (it->pointer, it->val);
3854
0
        }
3855
0
        SCTP_FREE(it, SCTP_M_ITER);
3856
0
      } else {
3857
0
        it->inp = LIST_NEXT(it->inp, sctp_list);
3858
0
        if (it->inp) {
3859
0
          SCTP_INP_INCR_REF(it->inp);
3860
0
        }
3861
0
      }
3862
      /* When its put in the refcnt is incremented so decr it */
3863
0
      SCTP_INP_DECR_REF(inp);
3864
0
    }
3865
0
  }
3866
11.7k
  SCTP_IPI_ITERATOR_WQ_UNLOCK();
3867
11.7k
}
3868
3869
/* release sctp_inpcb unbind the port */
3870
void
3871
sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
3872
11.7k
{
3873
  /*
3874
   * Here we free a endpoint. We must find it (if it is in the Hash
3875
   * table) and remove it from there. Then we must also find it in the
3876
   * overall list and remove it from there. After all removals are
3877
   * complete then any timer has to be stopped. Then start the actual
3878
   * freeing. a) Any local lists. b) Any associations. c) The hash of
3879
   * all associations. d) finally the ep itself.
3880
   */
3881
11.7k
  struct sctp_tcb *stcb, *nstcb;
3882
11.7k
  struct sctp_laddr *laddr, *nladdr;
3883
11.7k
  struct inpcb *ip_pcb;
3884
11.7k
  struct socket *so;
3885
11.7k
  int being_refed = 0;
3886
11.7k
  struct sctp_queued_to_read *sq, *nsq;
3887
#if !defined(__Userspace__)
3888
#if !defined(__FreeBSD__)
3889
  sctp_rtentry_t *rt;
3890
#endif
3891
#endif
3892
11.7k
  int cnt;
3893
11.7k
  sctp_sharedkey_t *shared_key, *nshared_key;
3894
3895
#if defined(__APPLE__) && !defined(__Userspace__)
3896
  sctp_lock_assert(SCTP_INP_SO(inp));
3897
#endif
3898
#ifdef SCTP_LOG_CLOSING
3899
  sctp_log_closing(inp, NULL, 0);
3900
#endif
3901
11.7k
  SCTP_ITERATOR_LOCK();
3902
  /* mark any iterators on the list or being processed */
3903
11.7k
  sctp_iterator_inp_being_freed(inp);
3904
11.7k
  SCTP_ITERATOR_UNLOCK();
3905
3906
11.7k
  SCTP_ASOC_CREATE_LOCK(inp);
3907
11.7k
  SCTP_INP_INFO_WLOCK();
3908
11.7k
  SCTP_INP_WLOCK(inp);
3909
11.7k
  so = inp->sctp_socket;
3910
11.7k
  KASSERT((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) != 0,
3911
11.7k
      ("%s: inp %p still has socket", __func__, inp));
3912
11.7k
  KASSERT((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) == 0,
3913
11.7k
      ("%s: double free of inp %p", __func__, inp));
3914
11.7k
  if (from == SCTP_CALLED_AFTER_CMPSET_OFCLOSE) {
3915
11.6k
    inp->sctp_flags &= ~SCTP_PCB_FLAGS_CLOSE_IP;
3916
    /* socket is gone, so no more wakeups allowed */
3917
11.6k
    inp->sctp_flags |= SCTP_PCB_FLAGS_DONT_WAKE;
3918
11.6k
    inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEINPUT;
3919
11.6k
    inp->sctp_flags &= ~SCTP_PCB_FLAGS_WAKEOUTPUT;
3920
11.6k
  }
3921
  /* First time through we have the socket lock, after that no more. */
3922
11.7k
  sctp_timer_stop(SCTP_TIMER_TYPE_NEWCOOKIE, inp, NULL, NULL,
3923
11.7k
                  SCTP_FROM_SCTP_PCB + SCTP_LOC_1);
3924
3925
11.7k
  if (inp->control) {
3926
0
    sctp_m_freem(inp->control);
3927
0
    inp->control = NULL;
3928
0
  }
3929
11.7k
  if (inp->pkt) {
3930
0
    sctp_m_freem(inp->pkt);
3931
0
    inp->pkt = NULL;
3932
0
  }
3933
11.7k
  ip_pcb = &inp->ip_inp.inp;  /* we could just cast the main pointer
3934
           * here but I will be nice :> (i.e.
3935
           * ip_pcb = ep;) */
3936
11.7k
  if (immediate == SCTP_FREE_SHOULD_USE_GRACEFUL_CLOSE) {
3937
26
    int cnt_in_sd;
3938
3939
26
    cnt_in_sd = 0;
3940
26
    LIST_FOREACH_SAFE(stcb, &inp->sctp_asoc_list, sctp_tcblist, nstcb) {
3941
0
      SCTP_TCB_LOCK(stcb);
3942
      /* Disconnect the socket please. */
3943
0
      stcb->sctp_socket = NULL;
3944
0
      SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
3945
0
      if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
3946
        /* Skip guys being freed */
3947
0
        cnt_in_sd++;
3948
0
        if (stcb->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {
3949
          /*
3950
           * Special case - we did not start a kill
3951
           * timer on the asoc due to it was not
3952
           * closed. So go ahead and start it now.
3953
           */
3954
0
          SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_IN_ACCEPT_QUEUE);
3955
0
          sctp_timer_start(SCTP_TIMER_TYPE_ASOCKILL, inp, stcb, NULL);
3956
0
        }
3957
0
        SCTP_TCB_UNLOCK(stcb);
3958
0
        continue;
3959
0
      }
3960
0
      if (((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
3961
0
           (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) &&
3962
0
          (stcb->asoc.total_output_queue_size == 0)) {
3963
        /* If we have data in queue, we don't want to just
3964
         * free since the app may have done, send()/close
3965
         * or connect/send/close. And it wants the data
3966
         * to get across first.
3967
         */
3968
        /* Just abandon things in the front states */
3969
0
        if (sctp_free_assoc(inp, stcb, SCTP_PCBFREE_NOFORCE,
3970
0
               SCTP_FROM_SCTP_PCB + SCTP_LOC_2) == 0) {
3971
0
          cnt_in_sd++;
3972
0
        }
3973
0
        continue;
3974
0
      }
3975
0
      if ((stcb->asoc.size_on_reasm_queue > 0) ||
3976
0
          (stcb->asoc.control_pdapi) ||
3977
0
          (stcb->asoc.size_on_all_streams > 0) ||
3978
0
          ((so != NULL) && (SCTP_SBAVAIL(&so->so_rcv) > 0))) {
3979
        /* Left with Data unread */
3980
0
        struct mbuf *op_err;
3981
3982
0
        op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
3983
0
        stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_PCB + SCTP_LOC_3;
3984
0
        sctp_send_abort_tcb(stcb, op_err, SCTP_SO_LOCKED);
3985
0
        SCTP_STAT_INCR_COUNTER32(sctps_aborted);
3986
0
        if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
3987
0
            (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
3988
0
          SCTP_STAT_DECR_GAUGE32(sctps_currestab);
3989
0
        }
3990
0
        if (sctp_free_assoc(inp, stcb,
3991
0
                SCTP_PCBFREE_NOFORCE, SCTP_FROM_SCTP_PCB + SCTP_LOC_4) == 0) {
3992
0
          cnt_in_sd++;
3993
0
        }
3994
0
        continue;
3995
0
      } else if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
3996
0
                 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
3997
0
                 (stcb->asoc.stream_queue_cnt == 0)) {
3998
0
        if ((*stcb->asoc.ss_functions.sctp_ss_is_user_msgs_incomplete)(stcb, &stcb->asoc)) {
3999
0
          goto abort_anyway;
4000
0
        }
4001
0
        if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
4002
0
            (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
4003
0
          struct sctp_nets *netp;
4004
4005
          /*
4006
           * there is nothing queued to send,
4007
           * so I send shutdown
4008
           */
4009
0
          if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
4010
0
              (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4011
0
            SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4012
0
          }
4013
0
          SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT);
4014
0
          sctp_stop_timers_for_shutdown(stcb);
4015
0
          if (stcb->asoc.alternate) {
4016
0
            netp = stcb->asoc.alternate;
4017
0
          } else {
4018
0
            netp = stcb->asoc.primary_destination;
4019
0
          }
4020
0
          sctp_send_shutdown(stcb, netp);
4021
0
          sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
4022
0
              netp);
4023
0
          sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb, NULL);
4024
0
          sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_SHUT_TMR, SCTP_SO_LOCKED);
4025
0
        }
4026
0
      } else {
4027
        /* mark into shutdown pending */
4028
0
        SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_SHUTDOWN_PENDING);
4029
0
        sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb, NULL);
4030
0
        if ((*stcb->asoc.ss_functions.sctp_ss_is_user_msgs_incomplete)(stcb, &stcb->asoc)) {
4031
0
          SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT);
4032
0
        }
4033
0
        if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
4034
0
            TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
4035
0
            (stcb->asoc.state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
4036
0
          struct mbuf *op_err;
4037
0
        abort_anyway:
4038
0
          op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
4039
0
          stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_PCB + SCTP_LOC_5;
4040
0
          sctp_send_abort_tcb(stcb, op_err, SCTP_SO_LOCKED);
4041
0
          SCTP_STAT_INCR_COUNTER32(sctps_aborted);
4042
0
          if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
4043
0
              (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4044
0
            SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4045
0
          }
4046
0
          if (sctp_free_assoc(inp, stcb,
4047
0
                  SCTP_PCBFREE_NOFORCE,
4048
0
                  SCTP_FROM_SCTP_PCB + SCTP_LOC_6) == 0) {
4049
0
            cnt_in_sd++;
4050
0
          }
4051
0
          continue;
4052
0
        } else {
4053
0
          sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CLOSING, SCTP_SO_LOCKED);
4054
0
        }
4055
0
      }
4056
0
      cnt_in_sd++;
4057
0
      SCTP_TCB_UNLOCK(stcb);
4058
0
    }
4059
    /* now is there some left in our SHUTDOWN state? */
4060
26
    if (cnt_in_sd) {
4061
#ifdef SCTP_LOG_CLOSING
4062
      sctp_log_closing(inp, NULL, 2);
4063
#endif
4064
0
      inp->sctp_socket = NULL;
4065
0
      SCTP_INP_WUNLOCK(inp);
4066
0
      SCTP_ASOC_CREATE_UNLOCK(inp);
4067
0
      SCTP_INP_INFO_WUNLOCK();
4068
0
      return;
4069
0
    }
4070
26
  }
4071
11.7k
  inp->sctp_socket = NULL;
4072
11.7k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) == 0) {
4073
    /*
4074
     * ok, this guy has been bound. It's port is
4075
     * somewhere in the SCTP_BASE_INFO(hash table). Remove
4076
     * it!
4077
     */
4078
11.6k
    LIST_REMOVE(inp, sctp_hash);
4079
11.6k
    inp->sctp_flags |= SCTP_PCB_FLAGS_UNBOUND;
4080
11.6k
  }
4081
4082
  /* If there is a timer running to kill us,
4083
   * forget it, since it may have a contest
4084
   * on the INP lock.. which would cause us
4085
   * to die ...
4086
   */
4087
11.7k
  cnt = 0;
4088
11.7k
  LIST_FOREACH_SAFE(stcb, &inp->sctp_asoc_list, sctp_tcblist, nstcb) {
4089
9.84k
    SCTP_TCB_LOCK(stcb);
4090
9.84k
    if (immediate != SCTP_FREE_SHOULD_USE_GRACEFUL_CLOSE) {
4091
      /* Disconnect the socket please */
4092
9.84k
      stcb->sctp_socket = NULL;
4093
9.84k
      SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_CLOSED_SOCKET);
4094
9.84k
    }
4095
9.84k
    if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
4096
17
      if (stcb->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE) {
4097
0
        SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_IN_ACCEPT_QUEUE);
4098
0
        sctp_timer_start(SCTP_TIMER_TYPE_ASOCKILL, inp, stcb, NULL);
4099
0
      }
4100
17
      cnt++;
4101
17
      SCTP_TCB_UNLOCK(stcb);
4102
17
      continue;
4103
17
    }
4104
    /* Free associations that are NOT killing us */
4105
9.82k
    if ((SCTP_GET_STATE(stcb) != SCTP_STATE_COOKIE_WAIT) &&
4106
9.82k
        ((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0)) {
4107
7.73k
      struct mbuf *op_err;
4108
4109
7.73k
      op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
4110
7.73k
      stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_PCB + SCTP_LOC_7;
4111
7.73k
      sctp_send_abort_tcb(stcb, op_err, SCTP_SO_LOCKED);
4112
7.73k
      SCTP_STAT_INCR_COUNTER32(sctps_aborted);
4113
7.73k
    } else if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
4114
0
      cnt++;
4115
0
      SCTP_TCB_UNLOCK(stcb);
4116
0
      continue;
4117
0
    }
4118
9.82k
    if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
4119
9.82k
        (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4120
5.22k
      SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4121
5.22k
    }
4122
9.82k
    if (sctp_free_assoc(inp, stcb, SCTP_PCBFREE_FORCE,
4123
9.82k
                        SCTP_FROM_SCTP_PCB + SCTP_LOC_8) == 0) {
4124
9
      cnt++;
4125
9
    }
4126
9.82k
  }
4127
11.7k
  if (cnt) {
4128
    /* Ok we have someone out there that will kill us */
4129
#ifdef SCTP_LOG_CLOSING
4130
    sctp_log_closing(inp, NULL, 3);
4131
#endif
4132
26
    SCTP_INP_WUNLOCK(inp);
4133
26
    SCTP_ASOC_CREATE_UNLOCK(inp);
4134
26
    SCTP_INP_INFO_WUNLOCK();
4135
26
    return;
4136
26
  }
4137
11.6k
  if (SCTP_INP_LOCK_CONTENDED(inp))
4138
0
    being_refed++;
4139
11.6k
  if (SCTP_INP_READ_CONTENDED(inp))
4140
0
    being_refed++;
4141
11.6k
  if (SCTP_ASOC_CREATE_LOCK_CONTENDED(inp))
4142
0
    being_refed++;
4143
  /* NOTE: 0 refcount also means no timers are referencing us. */
4144
11.6k
  if ((inp->refcount) ||
4145
11.6k
      (being_refed) ||
4146
11.6k
      (inp->sctp_flags & SCTP_PCB_FLAGS_CLOSE_IP)) {
4147
#ifdef SCTP_LOG_CLOSING
4148
    sctp_log_closing(inp, NULL, 4);
4149
#endif
4150
26
    sctp_timer_start(SCTP_TIMER_TYPE_INPKILL, inp, NULL, NULL);
4151
26
    SCTP_INP_WUNLOCK(inp);
4152
26
    SCTP_ASOC_CREATE_UNLOCK(inp);
4153
26
    SCTP_INP_INFO_WUNLOCK();
4154
26
    return;
4155
26
  }
4156
11.6k
  inp->sctp_ep.signature_change.type = 0;
4157
11.6k
  inp->sctp_flags |= SCTP_PCB_FLAGS_SOCKET_ALLGONE;
4158
  /* Remove it from the list .. last thing we need a
4159
   * lock for.
4160
   */
4161
11.6k
  LIST_REMOVE(inp, sctp_list);
4162
11.6k
  SCTP_INP_WUNLOCK(inp);
4163
11.6k
  SCTP_ASOC_CREATE_UNLOCK(inp);
4164
11.6k
  SCTP_INP_INFO_WUNLOCK();
4165
4166
#ifdef SCTP_LOG_CLOSING
4167
  sctp_log_closing(inp, NULL, 5);
4168
#endif
4169
#if !(defined(_WIN32) || defined(__Userspace__))
4170
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
4171
  rt = ip_pcb->inp_route.ro_rt;
4172
#endif
4173
#endif
4174
11.6k
  if ((inp->sctp_asocidhash) != NULL) {
4175
11.6k
    SCTP_HASH_FREE(inp->sctp_asocidhash, inp->hashasocidmark);
4176
11.6k
    inp->sctp_asocidhash = NULL;
4177
11.6k
  }
4178
  /*sa_ignore FREED_MEMORY*/
4179
11.6k
  TAILQ_FOREACH_SAFE(sq, &inp->read_queue, next, nsq) {
4180
    /* Its only abandoned if it had data left */
4181
0
    if (sq->length)
4182
0
      SCTP_STAT_INCR(sctps_left_abandon);
4183
4184
0
    TAILQ_REMOVE(&inp->read_queue, sq, next);
4185
0
    sctp_free_remote_addr(sq->whoFrom);
4186
0
    if (so)
4187
0
      so->so_rcv.sb_cc -= sq->length;
4188
0
    if (sq->data) {
4189
0
      sctp_m_freem(sq->data);
4190
0
      sq->data = NULL;
4191
0
    }
4192
    /*
4193
     * no need to free the net count, since at this point all
4194
     * assoc's are gone.
4195
     */
4196
0
    sctp_free_a_readq(NULL, sq);
4197
0
  }
4198
  /* Now the sctp_pcb things */
4199
  /*
4200
   * free each asoc if it is not already closed/free. we can't use the
4201
   * macro here since le_next will get freed as part of the
4202
   * sctp_free_assoc() call.
4203
   */
4204
11.6k
  if (ip_pcb->inp_options) {
4205
0
    (void)sctp_m_free(ip_pcb->inp_options);
4206
0
    ip_pcb->inp_options = 0;
4207
0
  }
4208
#if !(defined(_WIN32) || defined(__Userspace__))
4209
#if !defined(__FreeBSD__)
4210
  if (rt) {
4211
    RTFREE(rt);
4212
    ip_pcb->inp_route.ro_rt = 0;
4213
  }
4214
#endif
4215
#endif
4216
11.6k
#ifdef INET6
4217
#if !(defined(_WIN32) || defined(__Userspace__))
4218
#if (defined(__FreeBSD__) || defined(__APPLE__) && !defined(__Userspace__))
4219
  if (ip_pcb->inp_vflag & INP_IPV6) {
4220
#else
4221
  if (inp->inp_vflag & INP_IPV6) {
4222
#endif
4223
    ip6_freepcbopts(ip_pcb->in6p_outputopts);
4224
  }
4225
#endif
4226
11.6k
#endif        /* INET6 */
4227
11.6k
  ip_pcb->inp_vflag = 0;
4228
  /* free up authentication fields */
4229
11.6k
  if (inp->sctp_ep.local_auth_chunks != NULL)
4230
11.6k
    sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
4231
11.6k
  if (inp->sctp_ep.local_hmacs != NULL)
4232
11.6k
    sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
4233
4234
11.6k
  LIST_FOREACH_SAFE(shared_key, &inp->sctp_ep.shared_keys, next, nshared_key) {
4235
11.6k
    LIST_REMOVE(shared_key, next);
4236
11.6k
    sctp_free_sharedkey(shared_key);
4237
    /*sa_ignore FREED_MEMORY*/
4238
11.6k
  }
4239
4240
#if defined(__APPLE__) && !defined(__Userspace__)
4241
  inp->ip_inp.inp.inp_state = INPCB_STATE_DEAD;
4242
  if (in_pcb_checkstate(&inp->ip_inp.inp, WNT_STOPUSING, 1) != WNT_STOPUSING) {
4243
#ifdef INVARIANTS
4244
    panic("sctp_inpcb_free inp = %p couldn't set to STOPUSING", (void *)inp);
4245
#else
4246
    SCTP_PRINTF("sctp_inpcb_free inp = %p couldn't set to STOPUSING\n", (void *)inp);
4247
#endif
4248
  }
4249
  inp->ip_inp.inp.inp_socket->so_flags |= SOF_PCBCLEARING;
4250
#endif
4251
  /*
4252
   * if we have an address list the following will free the list of
4253
   * ifaddr's that are set into this ep. Again macro limitations here,
4254
   * since the LIST_FOREACH could be a bad idea.
4255
   */
4256
11.6k
  LIST_FOREACH_SAFE(laddr, &inp->sctp_addr_list, sctp_nxt_addr, nladdr) {
4257
11.6k
    sctp_remove_laddr(laddr);
4258
11.6k
  }
4259
4260
#ifdef SCTP_TRACK_FREED_ASOCS
4261
  /* TEMP CODE */
4262
  LIST_FOREACH_SAFE(stcb, &inp->sctp_asoc_free_list, sctp_tcblist, nstcb) {
4263
    LIST_REMOVE(stcb, sctp_tcblist);
4264
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
4265
    SCTP_DECR_ASOC_COUNT();
4266
  }
4267
  /* *** END TEMP CODE ****/
4268
#endif
4269
#ifdef SCTP_MVRF
4270
  SCTP_FREE(inp->m_vrf_ids, SCTP_M_MVRF);
4271
#endif
4272
  /* Now lets see about freeing the EP hash table. */
4273
11.6k
  if (inp->sctp_tcbhash != NULL) {
4274
11.6k
    SCTP_HASH_FREE(inp->sctp_tcbhash, inp->sctp_hashmark);
4275
11.6k
    inp->sctp_tcbhash = NULL;
4276
11.6k
  }
4277
  /* Now we must put the ep memory back into the zone pool */
4278
#if defined(__FreeBSD__) && !defined(__Userspace__)
4279
  crfree(inp->ip_inp.inp.inp_cred);
4280
  INP_LOCK_DESTROY(&inp->ip_inp.inp);
4281
#endif
4282
11.6k
  SCTP_INP_LOCK_DESTROY(inp);
4283
11.6k
  SCTP_INP_READ_DESTROY(inp);
4284
11.6k
  SCTP_ASOC_CREATE_LOCK_DESTROY(inp);
4285
11.6k
#if !(defined(__APPLE__) && !defined(__Userspace__))
4286
11.6k
  SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_ep), inp);
4287
11.6k
  SCTP_DECR_EP_COUNT();
4288
#else
4289
  /* For Tiger, we will do this later... */
4290
#endif
4291
11.6k
}
4292
4293
struct sctp_nets *
4294
sctp_findnet(struct sctp_tcb *stcb, struct sockaddr *addr)
4295
135k
{
4296
135k
  struct sctp_nets *net;
4297
  /* locate the address */
4298
421k
  TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
4299
421k
    if (sctp_cmpaddr(addr, (struct sockaddr *)&net->ro._l_addr))
4300
56.5k
      return (net);
4301
421k
  }
4302
78.5k
  return (NULL);
4303
135k
}
4304
4305
int
4306
sctp_is_address_on_local_host(struct sockaddr *addr, uint32_t vrf_id)
4307
73.4k
{
4308
73.4k
  struct sctp_ifa *sctp_ifa;
4309
73.4k
  sctp_ifa = sctp_find_ifa_by_addr(addr, vrf_id, SCTP_ADDR_NOT_LOCKED);
4310
73.4k
  if (sctp_ifa) {
4311
11.6k
    return (1);
4312
61.7k
  } else {
4313
61.7k
    return (0);
4314
61.7k
  }
4315
73.4k
}
4316
4317
/*
4318
 * add's a remote endpoint address, done with the INIT/INIT-ACK as well as
4319
 * when a ASCONF arrives that adds it. It will also initialize all the cwnd
4320
 * stats of stuff.
4321
 */
4322
int
4323
sctp_add_remote_addr(struct sctp_tcb *stcb, struct sockaddr *newaddr,
4324
    struct sctp_nets **netp, uint16_t port, int set_scope, int from)
4325
83.3k
{
4326
  /*
4327
   * The following is redundant to the same lines in the
4328
   * sctp_aloc_assoc() but is needed since others call the add
4329
   * address function
4330
   */
4331
83.3k
  struct sctp_nets *net, *netfirst;
4332
83.3k
  int addr_inscope;
4333
4334
83.3k
  SCTPDBG(SCTP_DEBUG_PCB1, "Adding an address (from:%d) to the peer: ",
4335
83.3k
    from);
4336
83.3k
  SCTPDBG_ADDR(SCTP_DEBUG_PCB1, newaddr);
4337
4338
83.3k
  netfirst = sctp_findnet(stcb, newaddr);
4339
83.3k
  if (netfirst) {
4340
    /*
4341
     * Lie and return ok, we don't want to make the association
4342
     * go away for this behavior. It will happen in the TCP
4343
     * model in a connected socket. It does not reach the hash
4344
     * table until after the association is built so it can't be
4345
     * found. Mark as reachable, since the initial creation will
4346
     * have been cleared and the NOT_IN_ASSOC flag will have
4347
     * been added... and we don't want to end up removing it
4348
     * back out.
4349
     */
4350
9.93k
    if (netfirst->dest_state & SCTP_ADDR_UNCONFIRMED) {
4351
5.37k
      netfirst->dest_state = (SCTP_ADDR_REACHABLE |
4352
5.37k
          SCTP_ADDR_UNCONFIRMED);
4353
5.37k
    } else {
4354
4.56k
      netfirst->dest_state = SCTP_ADDR_REACHABLE;
4355
4.56k
    }
4356
4357
9.93k
    return (0);
4358
9.93k
  }
4359
73.4k
  addr_inscope = 1;
4360
73.4k
  switch (newaddr->sa_family) {
4361
0
#ifdef INET
4362
53.5k
  case AF_INET:
4363
53.5k
  {
4364
53.5k
    struct sockaddr_in *sin;
4365
4366
53.5k
    sin = (struct sockaddr_in *)newaddr;
4367
53.5k
    if (sin->sin_addr.s_addr == 0) {
4368
      /* Invalid address */
4369
0
      return (-1);
4370
0
    }
4371
    /* zero out the zero area */
4372
53.5k
    memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
4373
4374
    /* assure len is set */
4375
#ifdef HAVE_SIN_LEN
4376
    sin->sin_len = sizeof(struct sockaddr_in);
4377
#endif
4378
53.5k
    if (set_scope) {
4379
0
      if (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr)) {
4380
0
        stcb->asoc.scope.ipv4_local_scope = 1;
4381
0
      }
4382
53.5k
    } else {
4383
      /* Validate the address is in scope */
4384
53.5k
      if ((IN4_ISPRIVATE_ADDRESS(&sin->sin_addr)) &&
4385
53.5k
          (stcb->asoc.scope.ipv4_local_scope == 0)) {
4386
0
        addr_inscope = 0;
4387
0
      }
4388
53.5k
    }
4389
53.5k
    break;
4390
53.5k
  }
4391
0
#endif
4392
0
#ifdef INET6
4393
8.21k
  case AF_INET6:
4394
8.21k
  {
4395
8.21k
    struct sockaddr_in6 *sin6;
4396
4397
8.21k
    sin6 = (struct sockaddr_in6 *)newaddr;
4398
8.21k
    if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
4399
      /* Invalid address */
4400
0
      return (-1);
4401
0
    }
4402
    /* assure len is set */
4403
#ifdef HAVE_SIN6_LEN
4404
    sin6->sin6_len = sizeof(struct sockaddr_in6);
4405
#endif
4406
8.21k
    if (set_scope) {
4407
0
      if (sctp_is_address_on_local_host(newaddr, stcb->asoc.vrf_id)) {
4408
0
        stcb->asoc.scope.loopback_scope = 1;
4409
0
        stcb->asoc.scope.local_scope = 0;
4410
0
        stcb->asoc.scope.ipv4_local_scope = 1;
4411
0
        stcb->asoc.scope.site_scope = 1;
4412
0
      } else if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
4413
        /*
4414
         * If the new destination is a LINK_LOCAL we
4415
         * must have common site scope. Don't set
4416
         * the local scope since we may not share
4417
         * all links, only loopback can do this.
4418
         * Links on the local network would also be
4419
         * on our private network for v4 too.
4420
         */
4421
0
        stcb->asoc.scope.ipv4_local_scope = 1;
4422
0
        stcb->asoc.scope.site_scope = 1;
4423
0
      } else if (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
4424
        /*
4425
         * If the new destination is SITE_LOCAL then
4426
         * we must have site scope in common.
4427
         */
4428
0
        stcb->asoc.scope.site_scope = 1;
4429
0
      }
4430
8.21k
    } else {
4431
      /* Validate the address is in scope */
4432
8.21k
      if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) &&
4433
8.21k
          (stcb->asoc.scope.loopback_scope == 0)) {
4434
0
        addr_inscope = 0;
4435
8.21k
      } else if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) &&
4436
8.21k
          (stcb->asoc.scope.local_scope == 0)) {
4437
2.51k
        addr_inscope = 0;
4438
5.69k
      } else if (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr) &&
4439
5.69k
          (stcb->asoc.scope.site_scope == 0)) {
4440
0
        addr_inscope = 0;
4441
0
      }
4442
8.21k
    }
4443
8.21k
    break;
4444
8.21k
  }
4445
0
#endif
4446
0
#if defined(__Userspace__)
4447
11.6k
  case AF_CONN:
4448
11.6k
  {
4449
11.6k
    struct sockaddr_conn *sconn;
4450
4451
11.6k
    sconn = (struct sockaddr_conn *)newaddr;
4452
11.6k
    if (sconn->sconn_addr == NULL) {
4453
      /* Invalid address */
4454
0
      return (-1);
4455
0
    }
4456
#ifdef HAVE_SCONN_LEN
4457
    sconn->sconn_len = sizeof(struct sockaddr_conn);
4458
#endif
4459
11.6k
    break;
4460
11.6k
  }
4461
11.6k
#endif
4462
11.6k
  default:
4463
    /* not supported family type */
4464
0
    return (-1);
4465
73.4k
  }
4466
73.4k
  net = SCTP_ZONE_GET(SCTP_BASE_INFO(ipi_zone_net), struct sctp_nets);
4467
73.4k
  if (net == NULL) {
4468
0
    return (-1);
4469
0
  }
4470
73.4k
  SCTP_INCR_RADDR_COUNT();
4471
73.4k
  memset(net, 0, sizeof(struct sctp_nets));
4472
73.4k
  (void)SCTP_GETTIME_TIMEVAL(&net->start_time);
4473
#ifdef HAVE_SA_LEN
4474
  memcpy(&net->ro._l_addr, newaddr, newaddr->sa_len);
4475
#endif
4476
73.4k
  switch (newaddr->sa_family) {
4477
0
#ifdef INET
4478
53.5k
  case AF_INET:
4479
53.5k
#ifndef HAVE_SA_LEN
4480
53.5k
    memcpy(&net->ro._l_addr, newaddr, sizeof(struct sockaddr_in));
4481
53.5k
#endif
4482
53.5k
    ((struct sockaddr_in *)&net->ro._l_addr)->sin_port = stcb->rport;
4483
53.5k
    break;
4484
0
#endif
4485
0
#ifdef INET6
4486
8.21k
  case AF_INET6:
4487
8.21k
#ifndef HAVE_SA_LEN
4488
8.21k
    memcpy(&net->ro._l_addr, newaddr, sizeof(struct sockaddr_in6));
4489
8.21k
#endif
4490
8.21k
    ((struct sockaddr_in6 *)&net->ro._l_addr)->sin6_port = stcb->rport;
4491
8.21k
    break;
4492
0
#endif
4493
0
#if defined(__Userspace__)
4494
11.6k
  case AF_CONN:
4495
11.6k
#ifndef HAVE_SA_LEN
4496
11.6k
    memcpy(&net->ro._l_addr, newaddr, sizeof(struct sockaddr_conn));
4497
11.6k
#endif
4498
11.6k
    ((struct sockaddr_conn *)&net->ro._l_addr)->sconn_port = stcb->rport;
4499
11.6k
    break;
4500
0
#endif
4501
0
  default:
4502
0
    break;
4503
73.4k
  }
4504
73.4k
  net->addr_is_local = sctp_is_address_on_local_host(newaddr, stcb->asoc.vrf_id);
4505
73.4k
  if (net->addr_is_local && ((set_scope || (from == SCTP_ADDR_IS_CONFIRMED)))) {
4506
11.6k
    stcb->asoc.scope.loopback_scope = 1;
4507
11.6k
    stcb->asoc.scope.ipv4_local_scope = 1;
4508
11.6k
    stcb->asoc.scope.local_scope = 0;
4509
11.6k
    stcb->asoc.scope.site_scope = 1;
4510
11.6k
    addr_inscope = 1;
4511
11.6k
  }
4512
73.4k
  net->failure_threshold = stcb->asoc.def_net_failure;
4513
73.4k
  net->pf_threshold = stcb->asoc.def_net_pf_threshold;
4514
73.4k
  if (addr_inscope == 0) {
4515
2.51k
    net->dest_state = (SCTP_ADDR_REACHABLE |
4516
2.51k
        SCTP_ADDR_OUT_OF_SCOPE);
4517
70.9k
  } else {
4518
70.9k
    if (from == SCTP_ADDR_IS_CONFIRMED)
4519
      /* SCTP_ADDR_IS_CONFIRMED is passed by connect_x */
4520
0
      net->dest_state = SCTP_ADDR_REACHABLE;
4521
70.9k
    else
4522
70.9k
      net->dest_state = SCTP_ADDR_REACHABLE |
4523
70.9k
          SCTP_ADDR_UNCONFIRMED;
4524
70.9k
  }
4525
  /* We set this to 0, the timer code knows that
4526
   * this means its an initial value
4527
   */
4528
73.4k
  net->rto_needed = 1;
4529
73.4k
  net->RTO = 0;
4530
73.4k
  net->RTO_measured = 0;
4531
73.4k
  stcb->asoc.numnets++;
4532
73.4k
  net->ref_count = 1;
4533
73.4k
  net->cwr_window_tsn = net->last_cwr_tsn = stcb->asoc.sending_seq - 1;
4534
73.4k
  net->port = port;
4535
73.4k
  net->dscp = stcb->asoc.default_dscp;
4536
73.4k
#ifdef INET6
4537
73.4k
  net->flowlabel = stcb->asoc.default_flowlabel;
4538
73.4k
#endif
4539
73.4k
  if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_DONOT_HEARTBEAT)) {
4540
0
    net->dest_state |= SCTP_ADDR_NOHB;
4541
73.4k
  } else {
4542
73.4k
    net->dest_state &= ~SCTP_ADDR_NOHB;
4543
73.4k
  }
4544
73.4k
  if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_DO_NOT_PMTUD)) {
4545
0
    net->dest_state |= SCTP_ADDR_NO_PMTUD;
4546
73.4k
  } else {
4547
73.4k
    net->dest_state &= ~SCTP_ADDR_NO_PMTUD;
4548
73.4k
  }
4549
73.4k
  net->heart_beat_delay = stcb->asoc.heart_beat_delay;
4550
  /* Init the timer structure */
4551
73.4k
  SCTP_OS_TIMER_INIT(&net->rxt_timer.timer);
4552
73.4k
  SCTP_OS_TIMER_INIT(&net->pmtu_timer.timer);
4553
73.4k
  SCTP_OS_TIMER_INIT(&net->hb_timer.timer);
4554
4555
  /* Now generate a route for this guy */
4556
73.4k
#ifdef INET6
4557
#ifdef SCTP_EMBEDDED_V6_SCOPE
4558
  /* KAME hack: embed scopeid */
4559
  if (newaddr->sa_family == AF_INET6) {
4560
    struct sockaddr_in6 *sin6;
4561
4562
    sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4563
#if defined(__APPLE__) && !defined(__Userspace__)
4564
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4565
    (void)in6_embedscope(&sin6->sin6_addr, sin6, &stcb->sctp_ep->ip_inp.inp, NULL);
4566
#else
4567
    (void)in6_embedscope(&sin6->sin6_addr, sin6, &stcb->sctp_ep->ip_inp.inp, NULL, NULL);
4568
#endif
4569
#elif defined(SCTP_KAME)
4570
    (void)sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone));
4571
#else
4572
    (void)in6_embedscope(&sin6->sin6_addr, sin6);
4573
#endif
4574
#ifndef SCOPEDROUTING
4575
    sin6->sin6_scope_id = 0;
4576
#endif
4577
  }
4578
#endif /* SCTP_EMBEDDED_V6_SCOPE */
4579
73.4k
#endif
4580
73.4k
  SCTP_RTALLOC((sctp_route_t *)&net->ro,
4581
73.4k
               stcb->asoc.vrf_id,
4582
73.4k
               stcb->sctp_ep->fibnum);
4583
4584
73.4k
  net->src_addr_selected = 0;
4585
#if !defined(__Userspace__)
4586
  if (SCTP_ROUTE_HAS_VALID_IFN(&net->ro)) {
4587
    /* Get source address */
4588
    net->ro._s_addr = sctp_source_address_selection(stcb->sctp_ep,
4589
                                                    stcb,
4590
                                                    (sctp_route_t *)&net->ro,
4591
                                                    net,
4592
                                                    0,
4593
                                                    stcb->asoc.vrf_id);
4594
    if (stcb->asoc.default_mtu > 0) {
4595
      net->mtu = stcb->asoc.default_mtu;
4596
      switch (net->ro._l_addr.sa.sa_family) {
4597
#ifdef INET
4598
      case AF_INET:
4599
        net->mtu += SCTP_MIN_V4_OVERHEAD;
4600
        break;
4601
#endif
4602
#ifdef INET6
4603
      case AF_INET6:
4604
        net->mtu += SCTP_MIN_OVERHEAD;
4605
        break;
4606
#endif
4607
#if defined(__Userspace__)
4608
      case AF_CONN:
4609
        net->mtu += sizeof(struct sctphdr);
4610
        break;
4611
#endif
4612
      default:
4613
        break;
4614
      }
4615
#if defined(INET) || defined(INET6)
4616
      if (net->port) {
4617
        net->mtu += (uint32_t)sizeof(struct udphdr);
4618
      }
4619
#endif
4620
    } else if (net->ro._s_addr != NULL) {
4621
      uint32_t imtu, rmtu, hcmtu;
4622
4623
      net->src_addr_selected = 1;
4624
      /* Now get the interface MTU */
4625
      if (net->ro._s_addr->ifn_p != NULL) {
4626
        /*
4627
         * XXX: Should we here just use
4628
         * net->ro._s_addr->ifn_p->ifn_mtu
4629
         */
4630
        imtu = SCTP_GATHER_MTU_FROM_IFN_INFO(net->ro._s_addr->ifn_p->ifn_p,
4631
                                             net->ro._s_addr->ifn_p->ifn_index);
4632
      } else {
4633
        imtu = 0;
4634
      }
4635
#if defined(__FreeBSD__) && !defined(__Userspace__)
4636
      rmtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, net->ro.ro_nh);
4637
      hcmtu = sctp_hc_get_mtu(&net->ro._l_addr, stcb->sctp_ep->fibnum);
4638
#else
4639
      rmtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, net->ro.ro_rt);
4640
      hcmtu = 0;
4641
#endif
4642
      net->mtu = sctp_min_mtu(hcmtu, rmtu, imtu);
4643
#if defined(__FreeBSD__) && !defined(__Userspace__)
4644
#else
4645
      if (rmtu == 0) {
4646
        /* Start things off to match mtu of interface please. */
4647
        SCTP_SET_MTU_OF_ROUTE(&net->ro._l_addr.sa,
4648
                              net->ro.ro_rt, net->mtu);
4649
      }
4650
#endif
4651
    }
4652
  }
4653
#endif
4654
73.4k
  if (net->mtu == 0) {
4655
73.4k
    if (stcb->asoc.default_mtu > 0) {
4656
0
      net->mtu = stcb->asoc.default_mtu;
4657
0
      switch (net->ro._l_addr.sa.sa_family) {
4658
0
#ifdef INET
4659
0
      case AF_INET:
4660
0
        net->mtu += SCTP_MIN_V4_OVERHEAD;
4661
0
        break;
4662
0
#endif
4663
0
#ifdef INET6
4664
0
      case AF_INET6:
4665
0
        net->mtu += SCTP_MIN_OVERHEAD;
4666
0
        break;
4667
0
#endif
4668
0
#if defined(__Userspace__)
4669
0
      case AF_CONN:
4670
0
        net->mtu += sizeof(struct sctphdr);
4671
0
        break;
4672
0
#endif
4673
0
      default:
4674
0
        break;
4675
0
      }
4676
0
#if defined(INET) || defined(INET6)
4677
0
      if (net->port) {
4678
0
        net->mtu += (uint32_t)sizeof(struct udphdr);
4679
0
      }
4680
0
#endif
4681
73.4k
    } else {
4682
73.4k
      switch (newaddr->sa_family) {
4683
0
#ifdef INET
4684
53.5k
      case AF_INET:
4685
53.5k
        net->mtu = SCTP_DEFAULT_MTU;
4686
53.5k
        break;
4687
0
#endif
4688
0
#ifdef INET6
4689
8.21k
      case AF_INET6:
4690
8.21k
        net->mtu = 1280;
4691
8.21k
        break;
4692
0
#endif
4693
0
#if defined(__Userspace__)
4694
11.6k
      case AF_CONN:
4695
11.6k
        net->mtu = 1280;
4696
11.6k
        break;
4697
0
#endif
4698
0
      default:
4699
0
        break;
4700
73.4k
      }
4701
73.4k
    }
4702
73.4k
  }
4703
73.4k
#if defined(INET) || defined(INET6)
4704
73.4k
  if (net->port) {
4705
0
    net->mtu -= (uint32_t)sizeof(struct udphdr);
4706
0
  }
4707
73.4k
#endif
4708
73.4k
  if (from == SCTP_ALLOC_ASOC) {
4709
11.6k
    stcb->asoc.smallest_mtu = net->mtu;
4710
11.6k
  }
4711
73.4k
  if (stcb->asoc.smallest_mtu > net->mtu) {
4712
0
    sctp_pathmtu_adjustment(stcb, net->mtu, true);
4713
0
  }
4714
73.4k
#ifdef INET6
4715
#ifdef SCTP_EMBEDDED_V6_SCOPE
4716
  if (newaddr->sa_family == AF_INET6) {
4717
    struct sockaddr_in6 *sin6;
4718
4719
    sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4720
#ifdef SCTP_KAME
4721
    (void)sa6_recoverscope(sin6);
4722
#else
4723
    (void)in6_recoverscope(sin6, &sin6->sin6_addr, NULL);
4724
#endif /* SCTP_KAME */
4725
  }
4726
#endif /* SCTP_EMBEDDED_V6_SCOPE */
4727
73.4k
#endif
4728
4729
  /* JRS - Use the congestion control given in the CC module */
4730
73.4k
  if (stcb->asoc.cc_functions.sctp_set_initial_cc_param != NULL)
4731
73.4k
    (*stcb->asoc.cc_functions.sctp_set_initial_cc_param)(stcb, net);
4732
4733
  /*
4734
   * CMT: CUC algo - set find_pseudo_cumack to TRUE (1) at beginning
4735
   * of assoc (2005/06/27, iyengar@cis.udel.edu)
4736
   */
4737
73.4k
  net->find_pseudo_cumack = 1;
4738
73.4k
  net->find_rtx_pseudo_cumack = 1;
4739
#if defined(__FreeBSD__) && !defined(__Userspace__)
4740
  /* Choose an initial flowid. */
4741
  net->flowid = stcb->asoc.my_vtag ^
4742
                ntohs(stcb->rport) ^
4743
                ntohs(stcb->sctp_ep->sctp_lport);
4744
  net->flowtype = M_HASHTYPE_OPAQUE_HASH;
4745
#endif
4746
73.4k
  if (netp) {
4747
61.7k
    *netp = net;
4748
61.7k
  }
4749
73.4k
  netfirst = TAILQ_FIRST(&stcb->asoc.nets);
4750
#if defined(__FreeBSD__) && !defined(__Userspace__)
4751
  if (net->ro.ro_nh == NULL) {
4752
#else
4753
73.4k
  if (net->ro.ro_rt == NULL) {
4754
0
#endif
4755
    /* Since we have no route put it at the back */
4756
0
    TAILQ_INSERT_TAIL(&stcb->asoc.nets, net, sctp_next);
4757
73.4k
  } else if (netfirst == NULL) {
4758
    /* We are the first one in the pool. */
4759
11.6k
    TAILQ_INSERT_HEAD(&stcb->asoc.nets, net, sctp_next);
4760
#if defined(__FreeBSD__) && !defined(__Userspace__)
4761
  } else if (netfirst->ro.ro_nh == NULL) {
4762
#else
4763
61.7k
  } else if (netfirst->ro.ro_rt == NULL) {
4764
0
#endif
4765
    /*
4766
     * First one has NO route. Place this one ahead of the first
4767
     * one.
4768
     */
4769
0
    TAILQ_INSERT_HEAD(&stcb->asoc.nets, net, sctp_next);
4770
#if defined(__FreeBSD__) && !defined(__Userspace__)
4771
  } else if (net->ro.ro_nh->nh_ifp != netfirst->ro.ro_nh->nh_ifp) {
4772
#else
4773
61.7k
  } else if (net->ro.ro_rt->rt_ifp != netfirst->ro.ro_rt->rt_ifp) {
4774
0
#endif
4775
    /*
4776
     * This one has a different interface than the one at the
4777
     * top of the list. Place it ahead.
4778
     */
4779
0
    TAILQ_INSERT_HEAD(&stcb->asoc.nets, net, sctp_next);
4780
61.7k
  } else {
4781
    /*
4782
     * Ok we have the same interface as the first one. Move
4783
     * forward until we find either a) one with a NULL route...
4784
     * insert ahead of that b) one with a different ifp.. insert
4785
     * after that. c) end of the list.. insert at the tail.
4786
     */
4787
61.7k
    struct sctp_nets *netlook;
4788
4789
259k
    do {
4790
259k
      netlook = TAILQ_NEXT(netfirst, sctp_next);
4791
259k
      if (netlook == NULL) {
4792
        /* End of the list */
4793
61.7k
        TAILQ_INSERT_TAIL(&stcb->asoc.nets, net, sctp_next);
4794
61.7k
        break;
4795
#if defined(__FreeBSD__) && !defined(__Userspace__)
4796
      } else if (netlook->ro.ro_nh == NULL) {
4797
#else
4798
198k
      } else if (netlook->ro.ro_rt == NULL) {
4799
0
#endif
4800
        /* next one has NO route */
4801
0
        TAILQ_INSERT_BEFORE(netfirst, net, sctp_next);
4802
0
        break;
4803
#if defined(__FreeBSD__) && !defined(__Userspace__)
4804
      } else if (netlook->ro.ro_nh->nh_ifp != net->ro.ro_nh->nh_ifp) {
4805
#else
4806
198k
      } else if (netlook->ro.ro_rt->rt_ifp != net->ro.ro_rt->rt_ifp) {
4807
0
#endif
4808
0
        TAILQ_INSERT_AFTER(&stcb->asoc.nets, netlook,
4809
0
                           net, sctp_next);
4810
0
        break;
4811
0
      }
4812
      /* Shift forward */
4813
198k
      netfirst = netlook;
4814
198k
    } while (netlook != NULL);
4815
61.7k
  }
4816
4817
  /* got to have a primary set */
4818
73.4k
  if (stcb->asoc.primary_destination == 0) {
4819
11.6k
    stcb->asoc.primary_destination = net;
4820
#if defined(__FreeBSD__) && !defined(__Userspace__)
4821
  } else if ((stcb->asoc.primary_destination->ro.ro_nh == NULL) &&
4822
             (net->ro.ro_nh) &&
4823
#else
4824
61.7k
  } else if ((stcb->asoc.primary_destination->ro.ro_rt == NULL) &&
4825
61.7k
             (net->ro.ro_rt) &&
4826
61.7k
#endif
4827
61.7k
             ((net->dest_state & SCTP_ADDR_UNCONFIRMED) == 0)) {
4828
    /* No route to current primary adopt new primary */
4829
0
    stcb->asoc.primary_destination = net;
4830
0
  }
4831
  /* Validate primary is first */
4832
73.4k
  net = TAILQ_FIRST(&stcb->asoc.nets);
4833
73.4k
  if ((net != stcb->asoc.primary_destination) &&
4834
73.4k
      (stcb->asoc.primary_destination)) {
4835
    /* first one on the list is NOT the primary
4836
     * sctp_cmpaddr() is much more efficient if
4837
     * the primary is the first on the list, make it
4838
     * so.
4839
     */
4840
94
    TAILQ_REMOVE(&stcb->asoc.nets,
4841
94
           stcb->asoc.primary_destination, sctp_next);
4842
94
    TAILQ_INSERT_HEAD(&stcb->asoc.nets,
4843
94
          stcb->asoc.primary_destination, sctp_next);
4844
94
  }
4845
73.4k
  return (0);
4846
73.4k
}
4847
4848
static uint32_t
4849
sctp_aloc_a_assoc_id(struct sctp_inpcb *inp, struct sctp_tcb *stcb)
4850
11.6k
{
4851
11.6k
  uint32_t id;
4852
11.6k
  struct sctpasochead *head;
4853
11.6k
  struct sctp_tcb *lstcb;
4854
4855
11.6k
 try_again:
4856
11.6k
  if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
4857
    /* TSNH */
4858
0
    return (0);
4859
0
  }
4860
  /*
4861
   * We don't allow assoc id to be one of SCTP_FUTURE_ASSOC,
4862
   * SCTP_CURRENT_ASSOC and SCTP_ALL_ASSOC.
4863
   */
4864
11.6k
  if (inp->sctp_associd_counter <= SCTP_ALL_ASSOC) {
4865
11.6k
    inp->sctp_associd_counter = SCTP_ALL_ASSOC + 1;
4866
11.6k
  }
4867
11.6k
  id = inp->sctp_associd_counter;
4868
11.6k
  inp->sctp_associd_counter++;
4869
11.6k
  lstcb = sctp_findasoc_ep_asocid_locked(inp, (sctp_assoc_t)id, 0);
4870
11.6k
  if (lstcb) {
4871
0
    goto try_again;
4872
0
  }
4873
11.6k
  head = &inp->sctp_asocidhash[SCTP_PCBHASH_ASOC(id, inp->hashasocidmark)];
4874
11.6k
  LIST_INSERT_HEAD(head, stcb, sctp_tcbasocidhash);
4875
11.6k
  stcb->asoc.in_asocid_hash = 1;
4876
11.6k
  return (id);
4877
11.6k
}
4878
4879
/*
4880
 * allocate an association and add it to the endpoint. The caller must be
4881
 * careful to add all additional addresses once they are know right away or
4882
 * else the assoc will be may experience a blackout scenario.
4883
 */
4884
static struct sctp_tcb *
4885
sctp_aloc_assoc_locked(struct sctp_inpcb *inp, struct sockaddr *firstaddr,
4886
                       int *error, uint32_t override_tag, uint32_t initial_tsn,
4887
                       uint32_t vrf_id, uint16_t o_streams, uint16_t port,
4888
#if defined(__FreeBSD__) && !defined(__Userspace__)
4889
                       struct thread *p,
4890
#elif defined(_WIN32) && !defined(__Userspace__)
4891
                       PKTHREAD p,
4892
#else
4893
#if defined(__Userspace__)
4894
                       /*  __Userspace__ NULL proc is going to be passed here. See sctp_lower_sosend */
4895
#endif
4896
                       struct proc *p,
4897
#endif
4898
                       int initialize_auth_params)
4899
11.6k
{
4900
  /* note the p argument is only valid in unbound sockets */
4901
4902
11.6k
  struct sctp_tcb *stcb;
4903
11.6k
  struct sctp_association *asoc;
4904
11.6k
  struct sctpasochead *head;
4905
11.6k
  uint16_t rport;
4906
11.6k
  int err;
4907
4908
11.6k
  SCTP_INP_INFO_WLOCK_ASSERT();
4909
11.6k
  SCTP_INP_WLOCK_ASSERT(inp);
4910
4911
  /*
4912
   * Assumption made here: Caller has done a
4913
   * sctp_findassociation_ep_addr(ep, addr's); to make sure the
4914
   * address does not exist already.
4915
   */
4916
11.6k
  if (SCTP_BASE_INFO(ipi_count_asoc) >= SCTP_MAX_NUM_OF_ASOC) {
4917
    /* Hit max assoc, sorry no more */
4918
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOBUFS);
4919
0
    *error = ENOBUFS;
4920
0
    return (NULL);
4921
0
  }
4922
11.6k
  if (firstaddr == NULL) {
4923
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
4924
0
    *error = EINVAL;
4925
0
    return (NULL);
4926
0
  }
4927
11.6k
  if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE | SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
4928
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
4929
0
    *error = EINVAL;
4930
0
    return (NULL);
4931
0
  }
4932
11.6k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL) &&
4933
11.6k
      ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_PORTREUSE)) ||
4934
0
       (inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED))) {
4935
    /*
4936
     * If its in the TCP pool, its NOT allowed to create an
4937
     * association. The parent listener needs to call
4938
     * sctp_aloc_assoc.. or the one-2-many socket. If a peeled
4939
     * off, or connected one does this.. its an error.
4940
     */
4941
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
4942
0
    *error = EINVAL;
4943
0
    return (NULL);
4944
0
  }
4945
11.6k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL) ||
4946
11.6k
      (inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE)) {
4947
11.6k
    if ((inp->sctp_flags & SCTP_PCB_FLAGS_WAS_CONNECTED) ||
4948
11.6k
        (inp->sctp_flags & SCTP_PCB_FLAGS_WAS_ABORTED)) {
4949
0
      SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
4950
0
      *error = EINVAL;
4951
0
      return (NULL);
4952
0
    }
4953
11.6k
  }
4954
11.6k
  SCTPDBG(SCTP_DEBUG_PCB3, "Allocate an association for peer:");
4955
#ifdef SCTP_DEBUG
4956
  if (firstaddr) {
4957
    SCTPDBG_ADDR(SCTP_DEBUG_PCB3, firstaddr);
4958
    switch (firstaddr->sa_family) {
4959
#ifdef INET
4960
    case AF_INET:
4961
      SCTPDBG(SCTP_DEBUG_PCB3, "Port:%d\n",
4962
              ntohs(((struct sockaddr_in *)firstaddr)->sin_port));
4963
      break;
4964
#endif
4965
#ifdef INET6
4966
    case AF_INET6:
4967
      SCTPDBG(SCTP_DEBUG_PCB3, "Port:%d\n",
4968
              ntohs(((struct sockaddr_in6 *)firstaddr)->sin6_port));
4969
      break;
4970
#endif
4971
#if defined(__Userspace__)
4972
    case AF_CONN:
4973
      SCTPDBG(SCTP_DEBUG_PCB3, "Port:%d\n",
4974
              ntohs(((struct sockaddr_conn *)firstaddr)->sconn_port));
4975
      break;
4976
#endif
4977
    default:
4978
      break;
4979
    }
4980
  } else {
4981
    SCTPDBG(SCTP_DEBUG_PCB3,"None\n");
4982
  }
4983
#endif        /* SCTP_DEBUG */
4984
11.6k
  switch (firstaddr->sa_family) {
4985
0
#ifdef INET
4986
0
  case AF_INET:
4987
0
  {
4988
0
    struct sockaddr_in *sin;
4989
4990
0
    sin = (struct sockaddr_in *)firstaddr;
4991
0
    if ((ntohs(sin->sin_port) == 0) ||
4992
0
        (sin->sin_addr.s_addr == INADDR_ANY) ||
4993
0
        (sin->sin_addr.s_addr == INADDR_BROADCAST) ||
4994
0
        IN_MULTICAST(ntohl(sin->sin_addr.s_addr)) ||
4995
0
#if defined(__Userspace__)
4996
0
        ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_CONN) ||
4997
0
         ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) &&
4998
0
          (SCTP_IPV6_V6ONLY(inp) != 0)))) {
4999
#else
5000
        ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) &&
5001
         (SCTP_IPV6_V6ONLY(inp) != 0))) {
5002
#endif
5003
      /* Invalid address */
5004
0
      SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
5005
0
      *error = EINVAL;
5006
0
      return (NULL);
5007
0
    }
5008
0
    rport = sin->sin_port;
5009
0
    break;
5010
0
  }
5011
0
#endif
5012
0
#ifdef INET6
5013
0
  case AF_INET6:
5014
0
  {
5015
0
    struct sockaddr_in6 *sin6;
5016
5017
0
    sin6 = (struct sockaddr_in6 *)firstaddr;
5018
0
    if ((ntohs(sin6->sin6_port) == 0) ||
5019
0
        IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) ||
5020
0
        IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) ||
5021
0
        ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0)) {
5022
      /* Invalid address */
5023
0
      SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
5024
0
      *error = EINVAL;
5025
0
      return (NULL);
5026
0
    }
5027
0
    rport = sin6->sin6_port;
5028
0
    break;
5029
0
  }
5030
0
#endif
5031
0
#if defined(__Userspace__)
5032
11.6k
  case AF_CONN:
5033
11.6k
  {
5034
11.6k
    struct sockaddr_conn *sconn;
5035
5036
11.6k
    sconn = (struct sockaddr_conn *)firstaddr;
5037
11.6k
    if ((ntohs(sconn->sconn_port) == 0) ||
5038
11.6k
        (sconn->sconn_addr == NULL) ||
5039
11.6k
        ((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_CONN) == 0)) {
5040
      /* Invalid address */
5041
0
      SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
5042
0
      *error = EINVAL;
5043
0
      return (NULL);
5044
0
    }
5045
11.6k
    rport = sconn->sconn_port;
5046
11.6k
    break;
5047
11.6k
  }
5048
0
#endif
5049
0
  default:
5050
    /* not supported family type */
5051
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, EINVAL);
5052
0
    *error = EINVAL;
5053
0
    return (NULL);
5054
11.6k
  }
5055
11.6k
  if (inp->sctp_flags & SCTP_PCB_FLAGS_UNBOUND) {
5056
    /*
5057
     * If you have not performed a bind, then we need to do the
5058
     * ephemeral bind for you.
5059
     */
5060
0
    if ((err = sctp_inpcb_bind_locked(inp, NULL, NULL, p))) {
5061
      /* bind error, probably perm */
5062
0
      *error = err;
5063
0
      return (NULL);
5064
0
    }
5065
0
  }
5066
11.6k
  stcb = SCTP_ZONE_GET(SCTP_BASE_INFO(ipi_zone_asoc), struct sctp_tcb);
5067
11.6k
  if (stcb == NULL) {
5068
    /* out of memory? */
5069
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOMEM);
5070
0
    *error = ENOMEM;
5071
0
    return (NULL);
5072
0
  }
5073
11.6k
  SCTP_INCR_ASOC_COUNT();
5074
5075
11.6k
  memset(stcb, 0, sizeof(*stcb));
5076
11.6k
  asoc = &stcb->asoc;
5077
5078
11.6k
  SCTP_TCB_LOCK_INIT(stcb);
5079
11.6k
  stcb->rport = rport;
5080
  /* setup back pointer's */
5081
11.6k
  stcb->sctp_ep = inp;
5082
11.6k
  stcb->sctp_socket = inp->sctp_socket;
5083
11.6k
  if ((err = sctp_init_asoc(inp, stcb, override_tag, initial_tsn, vrf_id, o_streams))) {
5084
    /* failed */
5085
0
    SCTP_TCB_LOCK_DESTROY(stcb);
5086
0
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
5087
0
    SCTP_DECR_ASOC_COUNT();
5088
0
    *error = err;
5089
0
    return (NULL);
5090
0
  }
5091
11.6k
  SCTP_TCB_LOCK(stcb);
5092
5093
11.6k
  asoc->assoc_id = sctp_aloc_a_assoc_id(inp, stcb);
5094
  /* now that my_vtag is set, add it to the hash */
5095
11.6k
  head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
5096
  /* put it in the bucket in the vtag hash of assoc's for the system */
5097
11.6k
  LIST_INSERT_HEAD(head, stcb, sctp_asocs);
5098
5099
11.6k
  if (sctp_add_remote_addr(stcb, firstaddr, NULL, port, SCTP_DO_SETSCOPE, SCTP_ALLOC_ASOC)) {
5100
    /* failure.. memory error? */
5101
0
    if (asoc->strmout) {
5102
0
      SCTP_FREE(asoc->strmout, SCTP_M_STRMO);
5103
0
      asoc->strmout = NULL;
5104
0
    }
5105
0
    if (asoc->mapping_array) {
5106
0
      SCTP_FREE(asoc->mapping_array, SCTP_M_MAP);
5107
0
      asoc->mapping_array = NULL;
5108
0
    }
5109
0
    if (asoc->nr_mapping_array) {
5110
0
      SCTP_FREE(asoc->nr_mapping_array, SCTP_M_MAP);
5111
0
      asoc->nr_mapping_array = NULL;
5112
0
    }
5113
0
    SCTP_DECR_ASOC_COUNT();
5114
0
    SCTP_TCB_UNLOCK(stcb);
5115
0
    SCTP_TCB_LOCK_DESTROY(stcb);
5116
0
    LIST_REMOVE(stcb, sctp_asocs);
5117
0
    LIST_REMOVE(stcb, sctp_tcbasocidhash);
5118
0
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
5119
0
    SCTP_INP_WUNLOCK(inp);
5120
0
    SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOBUFS);
5121
0
    *error = ENOBUFS;
5122
0
    return (NULL);
5123
0
  }
5124
  /* Init all the timers */
5125
11.6k
  SCTP_OS_TIMER_INIT(&asoc->dack_timer.timer);
5126
11.6k
  SCTP_OS_TIMER_INIT(&asoc->strreset_timer.timer);
5127
11.6k
  SCTP_OS_TIMER_INIT(&asoc->asconf_timer.timer);
5128
11.6k
  SCTP_OS_TIMER_INIT(&asoc->shut_guard_timer.timer);
5129
11.6k
  SCTP_OS_TIMER_INIT(&asoc->autoclose_timer.timer);
5130
11.6k
  SCTP_OS_TIMER_INIT(&asoc->delete_prim_timer.timer);
5131
5132
11.6k
  LIST_INSERT_HEAD(&inp->sctp_asoc_list, stcb, sctp_tcblist);
5133
  /* now file the port under the hash as well */
5134
11.6k
  if (inp->sctp_tcbhash != NULL) {
5135
11.6k
    head = &inp->sctp_tcbhash[SCTP_PCBHASH_ALLADDR(stcb->rport,
5136
11.6k
        inp->sctp_hashmark)];
5137
11.6k
    LIST_INSERT_HEAD(head, stcb, sctp_tcbhash);
5138
11.6k
  }
5139
11.6k
  if (initialize_auth_params == SCTP_INITIALIZE_AUTH_PARAMS) {
5140
11.6k
    sctp_initialize_auth_params(inp, stcb);
5141
11.6k
  }
5142
11.6k
  SCTPDBG(SCTP_DEBUG_PCB1, "Association %p now allocated\n", (void *)stcb);
5143
11.6k
  return (stcb);
5144
11.6k
}
5145
5146
struct sctp_tcb *
5147
sctp_aloc_assoc(struct sctp_inpcb *inp, struct sockaddr *firstaddr,
5148
                int *error, uint32_t override_tag, uint32_t initial_tsn,
5149
                uint32_t vrf_id, uint16_t o_streams, uint16_t port,
5150
#if defined(__FreeBSD__) && !defined(__Userspace__)
5151
                struct thread *p,
5152
#elif defined(_WIN32) && !defined(__Userspace__)
5153
                PKTHREAD p,
5154
#else
5155
                struct proc *p,
5156
#endif
5157
                int initialize_auth_params)
5158
0
{
5159
0
  struct sctp_tcb *stcb;
5160
5161
0
  SCTP_INP_INFO_WLOCK();
5162
0
  SCTP_INP_WLOCK(inp);
5163
0
  stcb = sctp_aloc_assoc_locked(inp, firstaddr, error, override_tag,
5164
0
      initial_tsn, vrf_id, o_streams, port, p, initialize_auth_params);
5165
0
  SCTP_INP_INFO_WUNLOCK();
5166
0
  SCTP_INP_WUNLOCK(inp);
5167
0
  return (stcb);
5168
0
}
5169
5170
struct sctp_tcb *
5171
sctp_aloc_assoc_connected(struct sctp_inpcb *inp, struct sockaddr *firstaddr,
5172
                          int *error, uint32_t override_tag, uint32_t initial_tsn,
5173
                          uint32_t vrf_id, uint16_t o_streams, uint16_t port,
5174
#if defined(__FreeBSD__) && !defined(__Userspace__)
5175
                          struct thread *p,
5176
#elif defined(_WIN32) && !defined(__Userspace__)
5177
                          PKTHREAD p,
5178
#else
5179
                          struct proc *p,
5180
#endif
5181
                          int initialize_auth_params)
5182
11.6k
{
5183
11.6k
  struct sctp_tcb *stcb;
5184
5185
11.6k
  SCTP_INP_INFO_WLOCK();
5186
11.6k
  SCTP_INP_WLOCK(inp);
5187
11.6k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
5188
11.6k
      SCTP_IS_LISTENING(inp)) {
5189
0
    SCTP_INP_INFO_WUNLOCK();
5190
0
    SCTP_INP_WUNLOCK(inp);
5191
0
    *error = EINVAL;
5192
0
    return (NULL);
5193
0
  }
5194
11.6k
  stcb = sctp_aloc_assoc_locked(inp, firstaddr, error, override_tag,
5195
11.6k
      initial_tsn, vrf_id, o_streams, port, p, initialize_auth_params);
5196
11.6k
  SCTP_INP_INFO_WUNLOCK();
5197
11.6k
  if (stcb != NULL && (inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE)) {
5198
11.6k
    inp->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
5199
11.6k
    soisconnecting(inp->sctp_socket);
5200
11.6k
  }
5201
11.6k
  SCTP_INP_WUNLOCK(inp);
5202
11.6k
  return (stcb);
5203
11.6k
}
5204
5205
void
5206
sctp_remove_net(struct sctp_tcb *stcb, struct sctp_nets *net)
5207
55.8k
{
5208
55.8k
  struct sctp_inpcb *inp;
5209
55.8k
  struct sctp_association *asoc;
5210
5211
55.8k
  inp = stcb->sctp_ep;
5212
55.8k
  asoc = &stcb->asoc;
5213
55.8k
  asoc->numnets--;
5214
55.8k
  TAILQ_REMOVE(&asoc->nets, net, sctp_next);
5215
55.8k
  if (net == asoc->primary_destination) {
5216
    /* Reset primary */
5217
807
    struct sctp_nets *lnet;
5218
5219
807
    lnet = TAILQ_FIRST(&asoc->nets);
5220
    /* Mobility adaptation
5221
       Ideally, if deleted destination is the primary, it becomes
5222
       a fast retransmission trigger by the subsequent SET PRIMARY.
5223
       (by micchie)
5224
     */
5225
807
    if (sctp_is_mobility_feature_on(stcb->sctp_ep,
5226
807
                                    SCTP_MOBILITY_BASE) ||
5227
807
        sctp_is_mobility_feature_on(stcb->sctp_ep,
5228
807
                                    SCTP_MOBILITY_FASTHANDOFF)) {
5229
0
      SCTPDBG(SCTP_DEBUG_ASCONF1, "remove_net: primary dst is deleting\n");
5230
0
      if (asoc->deleted_primary != NULL) {
5231
0
        SCTPDBG(SCTP_DEBUG_ASCONF1, "remove_net: deleted primary may be already stored\n");
5232
0
        goto out;
5233
0
      }
5234
0
      asoc->deleted_primary = net;
5235
0
      atomic_add_int(&net->ref_count, 1);
5236
0
      memset(&net->lastsa, 0, sizeof(net->lastsa));
5237
0
      memset(&net->lastsv, 0, sizeof(net->lastsv));
5238
0
      sctp_mobility_feature_on(stcb->sctp_ep,
5239
0
             SCTP_MOBILITY_PRIM_DELETED);
5240
0
      sctp_timer_start(SCTP_TIMER_TYPE_PRIM_DELETED,
5241
0
           stcb->sctp_ep, stcb, NULL);
5242
0
    }
5243
807
out:
5244
    /* Try to find a confirmed primary */
5245
807
    asoc->primary_destination = sctp_find_alternate_net(stcb, lnet, 0);
5246
807
  }
5247
55.8k
  if (net == asoc->last_data_chunk_from) {
5248
    /* Reset primary */
5249
0
    asoc->last_data_chunk_from = TAILQ_FIRST(&asoc->nets);
5250
0
  }
5251
55.8k
  if (net == asoc->last_control_chunk_from) {
5252
    /* Clear net */
5253
0
    asoc->last_control_chunk_from = NULL;
5254
0
  }
5255
55.8k
  if (net == asoc->last_net_cmt_send_started) {
5256
    /* Clear net */
5257
0
    asoc->last_net_cmt_send_started = NULL;
5258
0
  }
5259
55.8k
  if (net == stcb->asoc.alternate) {
5260
3
    sctp_free_remote_addr(stcb->asoc.alternate);
5261
3
    stcb->asoc.alternate = NULL;
5262
3
  }
5263
55.8k
  sctp_timer_stop(SCTP_TIMER_TYPE_PATHMTURAISE, inp, stcb, net,
5264
55.8k
                  SCTP_FROM_SCTP_PCB + SCTP_LOC_9);
5265
55.8k
  sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
5266
55.8k
                  SCTP_FROM_SCTP_PCB + SCTP_LOC_10);
5267
55.8k
  net->dest_state |= SCTP_ADDR_BEING_DELETED;
5268
55.8k
  sctp_free_remote_addr(net);
5269
55.8k
}
5270
5271
/*
5272
 * remove a remote endpoint address from an association, it will fail if the
5273
 * address does not exist.
5274
 */
5275
int
5276
sctp_del_remote_addr(struct sctp_tcb *stcb, struct sockaddr *remaddr)
5277
10.2k
{
5278
  /*
5279
   * Here we need to remove a remote address. This is quite simple, we
5280
   * first find it in the list of address for the association
5281
   * (tasoc->asoc.nets) and then if it is there, we do a LIST_REMOVE
5282
   * on that item. Note we do not allow it to be removed if there are
5283
   * no other addresses.
5284
   */
5285
10.2k
  struct sctp_association *asoc;
5286
10.2k
  struct sctp_nets *net, *nnet;
5287
5288
10.2k
  asoc = &stcb->asoc;
5289
5290
  /* locate the address */
5291
52.6k
  TAILQ_FOREACH_SAFE(net, &asoc->nets, sctp_next, nnet) {
5292
52.6k
    if (net->ro._l_addr.sa.sa_family != remaddr->sa_family) {
5293
16.3k
      continue;
5294
16.3k
    }
5295
36.3k
    if (sctp_cmpaddr((struct sockaddr *)&net->ro._l_addr,
5296
36.3k
        remaddr)) {
5297
      /* we found the guy */
5298
1.89k
      if (asoc->numnets < 2) {
5299
        /* Must have at LEAST two remote addresses */
5300
0
        return (-1);
5301
1.89k
      } else {
5302
1.89k
        sctp_remove_net(stcb, net);
5303
1.89k
        return (0);
5304
1.89k
      }
5305
1.89k
    }
5306
36.3k
  }
5307
  /* not found. */
5308
8.36k
  return (-2);
5309
10.2k
}
5310
5311
static bool
5312
sctp_is_in_timewait(uint32_t tag, uint16_t lport, uint16_t rport, uint32_t now)
5313
27.5k
{
5314
27.5k
  struct sctpvtaghead *chain;
5315
27.5k
  struct sctp_tagblock *twait_block;
5316
27.5k
  int i;
5317
5318
27.5k
  SCTP_INP_INFO_LOCK_ASSERT();
5319
27.5k
  chain = &SCTP_BASE_INFO(vtag_timewait)[(tag % SCTP_STACK_VTAG_HASH_SIZE)];
5320
511k
  LIST_FOREACH(twait_block, chain, sctp_nxt_tagblock) {
5321
8.18M
    for (i = 0; i < SCTP_NUMBER_IN_VTAG_BLOCK; i++) {
5322
7.67M
      if ((twait_block->vtag_block[i].tv_sec_at_expire >= now) &&
5323
7.67M
          (twait_block->vtag_block[i].v_tag == tag) &&
5324
7.67M
          (twait_block->vtag_block[i].lport == lport) &&
5325
7.67M
          (twait_block->vtag_block[i].rport == rport)) {
5326
0
        return (true);
5327
0
      }
5328
7.67M
    }
5329
511k
  }
5330
27.5k
  return (false);
5331
27.5k
}
5332
5333
static void
5334
sctp_set_vtag_block(struct sctp_timewait *vtag_block, uint32_t time,
5335
    uint32_t tag, uint16_t lport, uint16_t rport)
5336
11.6k
{
5337
11.6k
  vtag_block->tv_sec_at_expire = time;
5338
11.6k
  vtag_block->v_tag = tag;
5339
11.6k
  vtag_block->lport = lport;
5340
11.6k
  vtag_block->rport = rport;
5341
11.6k
}
5342
5343
static void
5344
sctp_add_vtag_to_timewait(uint32_t tag, uint16_t lport, uint16_t rport)
5345
11.6k
{
5346
11.6k
  struct sctpvtaghead *chain;
5347
11.6k
  struct sctp_tagblock *twait_block;
5348
11.6k
  struct timeval now;
5349
11.6k
  uint32_t time;
5350
11.6k
  int i;
5351
11.6k
  bool set;
5352
5353
11.6k
  SCTP_INP_INFO_WLOCK_ASSERT();
5354
11.6k
  (void)SCTP_GETTIME_TIMEVAL(&now);
5355
11.6k
  time = (uint32_t)now.tv_sec + SCTP_BASE_SYSCTL(sctp_vtag_time_wait);
5356
11.6k
  chain = &SCTP_BASE_INFO(vtag_timewait)[(tag % SCTP_STACK_VTAG_HASH_SIZE)];
5357
11.6k
  set = false;
5358
20.3k
  LIST_FOREACH(twait_block, chain, sctp_nxt_tagblock) {
5359
    /* Block(s) present, lets find space, and expire on the fly */
5360
325k
    for (i = 0; i < SCTP_NUMBER_IN_VTAG_BLOCK; i++) {
5361
305k
      if ((twait_block->vtag_block[i].v_tag == 0) && !set) {
5362
10.8k
        sctp_set_vtag_block(twait_block->vtag_block + i, time, tag, lport, rport);
5363
10.8k
        set = true;
5364
10.8k
        continue;
5365
10.8k
      }
5366
294k
      if ((twait_block->vtag_block[i].v_tag != 0) &&
5367
294k
          (twait_block->vtag_block[i].tv_sec_at_expire < (uint32_t)now.tv_sec)) {
5368
0
        if (set) {
5369
          /* Audit expires this guy */
5370
0
          sctp_set_vtag_block(twait_block->vtag_block + i, 0, 0, 0, 0);
5371
0
        } else {
5372
          /* Reuse it for the new tag */
5373
0
          sctp_set_vtag_block(twait_block->vtag_block + i, time, tag, lport, rport);
5374
0
          set = true;
5375
0
        }
5376
0
      }
5377
294k
    }
5378
20.3k
    if (set) {
5379
      /*
5380
       * We only do up to the block where we can
5381
       * place our tag for audits
5382
       */
5383
10.8k
      break;
5384
10.8k
    }
5385
20.3k
  }
5386
  /* Need to add a new block to chain */
5387
11.6k
  if (!set) {
5388
794
    SCTP_MALLOC(twait_block, struct sctp_tagblock *,
5389
794
        sizeof(struct sctp_tagblock), SCTP_M_TIMW);
5390
794
    if (twait_block == NULL) {
5391
0
      return;
5392
0
    }
5393
794
    memset(twait_block, 0, sizeof(struct sctp_tagblock));
5394
794
    LIST_INSERT_HEAD(chain, twait_block, sctp_nxt_tagblock);
5395
794
    sctp_set_vtag_block(twait_block->vtag_block, time, tag, lport, rport);
5396
794
  }
5397
11.6k
}
5398
5399
void
5400
sctp_clean_up_stream(struct sctp_tcb *stcb, struct sctp_readhead *rh)
5401
4.64M
{
5402
4.64M
  struct sctp_tmit_chunk *chk, *nchk;
5403
4.64M
  struct sctp_queued_to_read *control, *ncontrol;
5404
5405
4.64M
  TAILQ_FOREACH_SAFE(control, rh, next_instrm, ncontrol) {
5406
3.69k
    TAILQ_REMOVE(rh, control, next_instrm);
5407
3.69k
    control->on_strm_q = 0;
5408
3.69k
    if (control->on_read_q == 0) {
5409
3.69k
      sctp_free_remote_addr(control->whoFrom);
5410
3.69k
      if (control->data) {
5411
1.94k
        sctp_m_freem(control->data);
5412
1.94k
        control->data = NULL;
5413
1.94k
      }
5414
3.69k
    }
5415
    /* Reassembly free? */
5416
3.69k
    TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
5417
3.17k
      TAILQ_REMOVE(&control->reasm, chk, sctp_next);
5418
3.17k
      if (chk->data) {
5419
3.17k
        sctp_m_freem(chk->data);
5420
3.17k
        chk->data = NULL;
5421
3.17k
      }
5422
3.17k
      if (chk->holds_key_ref)
5423
0
        sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
5424
3.17k
      sctp_free_remote_addr(chk->whoTo);
5425
3.17k
      SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
5426
3.17k
      SCTP_DECR_CHK_COUNT();
5427
      /*sa_ignore FREED_MEMORY*/
5428
3.17k
    }
5429
    /*
5430
     * We don't free the address here
5431
     * since all the net's were freed
5432
     * above.
5433
     */
5434
3.69k
    if (control->on_read_q == 0) {
5435
3.69k
      sctp_free_a_readq(stcb, control);
5436
3.69k
    }
5437
3.69k
  }
5438
4.64M
}
5439
5440
/*-
5441
 * Free the association after un-hashing the remote port. This
5442
 * function ALWAYS returns holding NO LOCK on the stcb. It DOES
5443
 * expect that the input to this function IS a locked TCB.
5444
 * It will return 0, if it did NOT destroy the association (instead
5445
 * it unlocks it. It will return NON-zero if it either destroyed the
5446
 * association OR the association is already destroyed.
5447
 */
5448
int
5449
sctp_free_assoc(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int from_inpcbfree, int from_location)
5450
14.2k
{
5451
14.2k
  int i;
5452
14.2k
  struct sctp_association *asoc;
5453
14.2k
  struct sctp_nets *net, *nnet;
5454
14.2k
  struct sctp_laddr *laddr, *naddr;
5455
14.2k
  struct sctp_tmit_chunk *chk, *nchk;
5456
14.2k
  struct sctp_asconf_addr *aparam, *naparam;
5457
14.2k
  struct sctp_asconf_ack *aack, *naack;
5458
14.2k
  struct sctp_stream_reset_list *strrst, *nstrrst;
5459
14.2k
  struct sctp_queued_to_read *sq, *nsq;
5460
14.2k
  struct sctp_stream_queue_pending *sp, *nsp;
5461
14.2k
  sctp_sharedkey_t *shared_key, *nshared_key;
5462
14.2k
  struct socket *so;
5463
5464
  /* first, lets purge the entry from the hash table. */
5465
#if defined(__APPLE__) && !defined(__Userspace__)
5466
  sctp_lock_assert(SCTP_INP_SO(inp));
5467
#endif
5468
14.2k
  SCTP_TCB_LOCK_ASSERT(stcb);
5469
5470
#ifdef SCTP_LOG_CLOSING
5471
  sctp_log_closing(inp, stcb, 6);
5472
#endif
5473
14.2k
  if (stcb->asoc.state == 0) {
5474
#ifdef SCTP_LOG_CLOSING
5475
    sctp_log_closing(inp, NULL, 7);
5476
#endif
5477
    /* there is no asoc, really TSNH :-0 */
5478
0
    return (1);
5479
0
  }
5480
14.2k
  if (stcb->asoc.alternate) {
5481
84
    sctp_free_remote_addr(stcb->asoc.alternate);
5482
84
    stcb->asoc.alternate = NULL;
5483
84
  }
5484
14.2k
#if !(defined(__APPLE__) && !defined(__Userspace__))
5485
  /* TEMP CODE */
5486
14.2k
  if (stcb->freed_from_where == 0) {
5487
    /* Only record the first place free happened from */
5488
11.6k
    stcb->freed_from_where = from_location;
5489
11.6k
  }
5490
  /* TEMP CODE */
5491
14.2k
#endif
5492
5493
14.2k
  asoc = &stcb->asoc;
5494
14.2k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
5495
14.2k
      (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE))
5496
    /* nothing around */
5497
12.4k
    so = NULL;
5498
1.82k
  else
5499
1.82k
    so = inp->sctp_socket;
5500
5501
  /*
5502
   * We used timer based freeing if a reader or writer is in the way.
5503
   * So we first check if we are actually being called from a timer,
5504
   * if so we abort early if a reader or writer is still in the way.
5505
   */
5506
14.2k
  if ((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) &&
5507
14.2k
      (from_inpcbfree == SCTP_NORMAL_PROC)) {
5508
    /*
5509
     * is it the timer driving us? if so are the reader/writers
5510
     * gone?
5511
     */
5512
2.60k
    if (stcb->asoc.refcnt) {
5513
      /* nope, reader or writer in the way */
5514
2.57k
      sctp_timer_start(SCTP_TIMER_TYPE_ASOCKILL, inp, stcb, NULL);
5515
      /* no asoc destroyed */
5516
2.57k
      SCTP_TCB_UNLOCK(stcb);
5517
#ifdef SCTP_LOG_CLOSING
5518
      sctp_log_closing(inp, stcb, 8);
5519
#endif
5520
2.57k
      return (0);
5521
2.57k
    }
5522
2.60k
  }
5523
  /* Now clean up any other timers */
5524
11.6k
  sctp_stop_association_timers(stcb, false);
5525
  /* Now the read queue needs to be cleaned up (only once) */
5526
11.6k
  if ((stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) == 0) {
5527
11.6k
    SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_ABOUT_TO_BE_FREED);
5528
11.6k
    SCTP_INP_READ_LOCK(inp);
5529
174k
    TAILQ_FOREACH(sq, &inp->read_queue, next) {
5530
174k
      if (sq->stcb == stcb) {
5531
174k
        sq->do_not_ref_stcb = 1;
5532
174k
        sq->sinfo_cumtsn = stcb->asoc.cumulative_tsn;
5533
        /* If there is no end, there never
5534
         * will be now.
5535
         */
5536
174k
        if (sq->end_added == 0) {
5537
          /* Held for PD-API clear that. */
5538
0
          sq->pdapi_aborted = 1;
5539
0
          sq->held_length = 0;
5540
0
          if (sctp_stcb_is_feature_on(inp, stcb, SCTP_PCB_FLAGS_PDAPIEVNT) && (so != NULL)) {
5541
            /*
5542
             * Need to add a PD-API aborted indication.
5543
             * Setting the control_pdapi assures that it will
5544
             * be added right after this msg.
5545
             */
5546
0
            uint32_t strseq;
5547
0
            stcb->asoc.control_pdapi = sq;
5548
0
            strseq = (sq->sinfo_stream << 16) | (sq->mid & 0x0000ffff);
5549
0
            sctp_ulp_notify(SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION,
5550
0
                            stcb,
5551
0
                            SCTP_PARTIAL_DELIVERY_ABORTED,
5552
0
                            (void *)&strseq,
5553
0
                            SCTP_SO_LOCKED);
5554
0
            stcb->asoc.control_pdapi = NULL;
5555
0
          }
5556
0
        }
5557
        /* Add an end to wake them */
5558
174k
        sq->end_added = 1;
5559
174k
      }
5560
174k
    }
5561
11.6k
    SCTP_INP_READ_UNLOCK(inp);
5562
11.6k
    if (stcb->block_entry) {
5563
0
      SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_PCB, ECONNRESET);
5564
0
      stcb->block_entry->error = ECONNRESET;
5565
0
      stcb->block_entry = NULL;
5566
0
    }
5567
11.6k
  }
5568
11.6k
  if ((stcb->asoc.refcnt) || (stcb->asoc.state & SCTP_STATE_IN_ACCEPT_QUEUE)) {
5569
    /* Someone holds a reference OR the socket is unaccepted yet.
5570
    */
5571
26
    if ((stcb->asoc.refcnt) ||
5572
26
        (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
5573
26
        (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE)) {
5574
26
      SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_IN_ACCEPT_QUEUE);
5575
26
      sctp_timer_start(SCTP_TIMER_TYPE_ASOCKILL, inp, stcb, NULL);
5576
26
    }
5577
26
    if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
5578
26
        (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE))
5579
      /* nothing around */
5580
9
      so = NULL;
5581
26
    if (so) {
5582
      /* Wake any reader/writers */
5583
17
      sctp_sorwakeup(inp, so);
5584
17
      sctp_sowwakeup(inp, so);
5585
17
    }
5586
26
    SCTP_TCB_UNLOCK(stcb);
5587
5588
#ifdef SCTP_LOG_CLOSING
5589
    sctp_log_closing(inp, stcb, 9);
5590
#endif
5591
    /* no asoc destroyed */
5592
26
    return (0);
5593
26
  }
5594
#ifdef SCTP_LOG_CLOSING
5595
  sctp_log_closing(inp, stcb, 10);
5596
#endif
5597
  /* When I reach here, no others want
5598
   * to kill the assoc yet.. and I own
5599
   * the lock. Now its possible an abort
5600
   * comes in when I do the lock exchange
5601
   * below to grab all the locks to do
5602
   * the final take out. to prevent this
5603
   * we increment the count, which will
5604
   * start a timer and blow out above thus
5605
   * assuring us that we hold exclusive
5606
   * killing of the asoc. Note that
5607
   * after getting back the TCB lock
5608
   * we will go ahead and increment the
5609
   * counter back up and stop any timer
5610
   * a passing stranger may have started :-S
5611
   */
5612
11.6k
  if (from_inpcbfree == SCTP_NORMAL_PROC) {
5613
1.83k
    atomic_add_int(&stcb->asoc.refcnt, 1);
5614
5615
1.83k
    SCTP_TCB_UNLOCK(stcb);
5616
1.83k
    SCTP_INP_INFO_WLOCK();
5617
1.83k
    SCTP_INP_WLOCK(inp);
5618
1.83k
    SCTP_TCB_LOCK(stcb);
5619
1.83k
  }
5620
  /* Double check the GONE flag */
5621
11.6k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
5622
11.6k
      (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE))
5623
    /* nothing around */
5624
9.84k
    so = NULL;
5625
5626
11.6k
  if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
5627
11.6k
      (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
5628
    /*
5629
     * For TCP type we need special handling when we are
5630
     * connected. We also include the peel'ed off ones to.
5631
     */
5632
11.6k
    if (inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) {
5633
11.6k
      inp->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
5634
11.6k
      inp->sctp_flags |= SCTP_PCB_FLAGS_WAS_CONNECTED;
5635
11.6k
      if (so) {
5636
1.81k
        SOCKBUF_LOCK(&so->so_rcv);
5637
1.81k
        so->so_state &= ~(SS_ISCONNECTING |
5638
1.81k
            SS_ISDISCONNECTING |
5639
1.81k
            SS_ISCONFIRMING |
5640
1.81k
            SS_ISCONNECTED);
5641
1.81k
        so->so_state |= SS_ISDISCONNECTED;
5642
#if defined(__APPLE__) && !defined(__Userspace__)
5643
        socantrcvmore(so);
5644
#else
5645
1.81k
        socantrcvmore_locked(so);
5646
1.81k
#endif
5647
1.81k
        socantsendmore(so);
5648
1.81k
        sctp_sowwakeup(inp, so);
5649
1.81k
        sctp_sorwakeup(inp, so);
5650
1.81k
        SCTP_SOWAKEUP(so);
5651
1.81k
      }
5652
11.6k
    }
5653
11.6k
  }
5654
5655
  /* Make it invalid too, that way if its
5656
   * about to run it will abort and return.
5657
   */
5658
  /* re-increment the lock */
5659
11.6k
  if (from_inpcbfree == SCTP_NORMAL_PROC) {
5660
1.83k
    atomic_subtract_int(&stcb->asoc.refcnt, 1);
5661
1.83k
  }
5662
11.6k
  if (stcb->asoc.refcnt) {
5663
0
    SCTP_CLEAR_SUBSTATE(stcb, SCTP_STATE_IN_ACCEPT_QUEUE);
5664
0
    sctp_timer_start(SCTP_TIMER_TYPE_ASOCKILL, inp, stcb, NULL);
5665
0
    if (from_inpcbfree == SCTP_NORMAL_PROC) {
5666
0
      SCTP_INP_INFO_WUNLOCK();
5667
0
      SCTP_INP_WUNLOCK(inp);
5668
0
    }
5669
0
    SCTP_TCB_UNLOCK(stcb);
5670
0
    return (0);
5671
0
  }
5672
11.6k
  asoc->state = 0;
5673
11.6k
  if (inp->sctp_tcbhash) {
5674
11.6k
    LIST_REMOVE(stcb, sctp_tcbhash);
5675
11.6k
  }
5676
11.6k
  if (stcb->asoc.in_asocid_hash) {
5677
11.6k
    LIST_REMOVE(stcb, sctp_tcbasocidhash);
5678
11.6k
  }
5679
11.6k
  if (inp->sctp_socket == NULL) {
5680
9.84k
    stcb->sctp_socket = NULL;
5681
9.84k
  }
5682
  /* Now lets remove it from the list of ALL associations in the EP */
5683
11.6k
  LIST_REMOVE(stcb, sctp_tcblist);
5684
11.6k
  if (from_inpcbfree == SCTP_NORMAL_PROC) {
5685
1.83k
    SCTP_INP_INCR_REF(inp);
5686
1.83k
    SCTP_INP_WUNLOCK(inp);
5687
1.83k
  }
5688
  /* pull from vtag hash */
5689
11.6k
  LIST_REMOVE(stcb, sctp_asocs);
5690
11.6k
  sctp_add_vtag_to_timewait(asoc->my_vtag, inp->sctp_lport, stcb->rport);
5691
5692
  /* Now restop the timers to be sure
5693
   * this is paranoia at is finest!
5694
   */
5695
11.6k
  sctp_stop_association_timers(stcb, true);
5696
5697
  /*
5698
   * The chunk lists and such SHOULD be empty but we check them just
5699
   * in case.
5700
   */
5701
  /* anything on the wheel needs to be removed */
5702
2.92M
  for (i = 0; i < asoc->streamoutcnt; i++) {
5703
2.91M
    struct sctp_stream_out *outs;
5704
5705
2.91M
    outs = &asoc->strmout[i];
5706
    /* now clean up any chunks here */
5707
2.91M
    TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) {
5708
75
      atomic_subtract_int(&asoc->stream_queue_cnt, 1);
5709
75
      TAILQ_REMOVE(&outs->outqueue, sp, next);
5710
75
      stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, outs, sp);
5711
75
      sctp_free_spbufspace(stcb, asoc, sp);
5712
75
      if (sp->data) {
5713
75
        if (so) {
5714
          /* Still an open socket - report */
5715
0
          sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, stcb,
5716
0
                          0, (void *)sp, SCTP_SO_LOCKED);
5717
0
        }
5718
75
        if (sp->data) {
5719
75
          sctp_m_freem(sp->data);
5720
75
          sp->data = NULL;
5721
75
          sp->tail_mbuf = NULL;
5722
75
          sp->length = 0;
5723
75
        }
5724
75
      }
5725
75
      if (sp->net) {
5726
0
        sctp_free_remote_addr(sp->net);
5727
0
        sp->net = NULL;
5728
0
      }
5729
75
      sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
5730
75
    }
5731
2.91M
  }
5732
  /*sa_ignore FREED_MEMORY*/
5733
11.6k
  TAILQ_FOREACH_SAFE(strrst, &asoc->resetHead, next_resp, nstrrst) {
5734
437
    TAILQ_REMOVE(&asoc->resetHead, strrst, next_resp);
5735
437
    SCTP_FREE(strrst, SCTP_M_STRESET);
5736
437
  }
5737
11.6k
  TAILQ_FOREACH_SAFE(sq, &asoc->pending_reply_queue, next, nsq) {
5738
207
    TAILQ_REMOVE(&asoc->pending_reply_queue, sq, next);
5739
207
    if (sq->data) {
5740
207
      sctp_m_freem(sq->data);
5741
207
      sq->data = NULL;
5742
207
    }
5743
207
    sctp_free_remote_addr(sq->whoFrom);
5744
207
    sq->whoFrom = NULL;
5745
207
    sq->stcb = NULL;
5746
    /* Free the ctl entry */
5747
207
    sctp_free_a_readq(stcb, sq);
5748
    /*sa_ignore FREED_MEMORY*/
5749
207
  }
5750
19.9k
  TAILQ_FOREACH_SAFE(chk, &asoc->free_chunks, sctp_next, nchk) {
5751
19.9k
    TAILQ_REMOVE(&asoc->free_chunks, chk, sctp_next);
5752
19.9k
    if (chk->data) {
5753
0
      sctp_m_freem(chk->data);
5754
0
      chk->data = NULL;
5755
0
    }
5756
19.9k
    if (chk->holds_key_ref)
5757
0
      sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
5758
19.9k
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
5759
19.9k
    SCTP_DECR_CHK_COUNT();
5760
19.9k
    atomic_subtract_int(&SCTP_BASE_INFO(ipi_free_chunks), 1);
5761
19.9k
    asoc->free_chunk_cnt--;
5762
    /*sa_ignore FREED_MEMORY*/
5763
19.9k
  }
5764
  /* pending send queue SHOULD be empty */
5765
11.6k
  TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
5766
1.52k
    if (asoc->strmout[chk->rec.data.sid].chunks_on_queues > 0) {
5767
1.52k
      asoc->strmout[chk->rec.data.sid].chunks_on_queues--;
5768
1.52k
#ifdef INVARIANTS
5769
1.52k
    } else {
5770
0
      panic("No chunks on the queues for sid %u.", chk->rec.data.sid);
5771
0
#endif
5772
0
    }
5773
1.52k
    TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next);
5774
1.52k
    if (chk->data) {
5775
1.52k
      if (so) {
5776
        /* Still a socket? */
5777
0
        sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb,
5778
0
                        0, chk, SCTP_SO_LOCKED);
5779
0
      }
5780
1.52k
      if (chk->data) {
5781
1.52k
        sctp_m_freem(chk->data);
5782
1.52k
        chk->data = NULL;
5783
1.52k
      }
5784
1.52k
    }
5785
1.52k
    if (chk->holds_key_ref)
5786
0
      sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
5787
1.52k
    if (chk->whoTo) {
5788
0
      sctp_free_remote_addr(chk->whoTo);
5789
0
      chk->whoTo = NULL;
5790
0
    }
5791
1.52k
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
5792
1.52k
    SCTP_DECR_CHK_COUNT();
5793
    /*sa_ignore FREED_MEMORY*/
5794
1.52k
  }
5795
  /* sent queue SHOULD be empty */
5796
11.6k
  TAILQ_FOREACH_SAFE(chk, &asoc->sent_queue, sctp_next, nchk) {
5797
3.62k
    if (chk->sent != SCTP_DATAGRAM_NR_ACKED) {
5798
3.62k
      if (asoc->strmout[chk->rec.data.sid].chunks_on_queues > 0) {
5799
3.62k
        asoc->strmout[chk->rec.data.sid].chunks_on_queues--;
5800
3.62k
#ifdef INVARIANTS
5801
3.62k
      } else {
5802
0
        panic("No chunks on the queues for sid %u.", chk->rec.data.sid);
5803
0
#endif
5804
0
      }
5805
3.62k
    }
5806
3.62k
    TAILQ_REMOVE(&asoc->sent_queue, chk, sctp_next);
5807
3.62k
    if (chk->data) {
5808
3.62k
      if (so) {
5809
        /* Still a socket? */
5810
0
        sctp_ulp_notify(SCTP_NOTIFY_SENT_DG_FAIL, stcb,
5811
0
                        0, chk, SCTP_SO_LOCKED);
5812
0
      }
5813
3.62k
      if (chk->data) {
5814
3.62k
        sctp_m_freem(chk->data);
5815
3.62k
        chk->data = NULL;
5816
3.62k
      }
5817
3.62k
    }
5818
3.62k
    if (chk->holds_key_ref)
5819
0
      sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
5820
3.62k
    sctp_free_remote_addr(chk->whoTo);
5821
3.62k
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
5822
3.62k
    SCTP_DECR_CHK_COUNT();
5823
    /*sa_ignore FREED_MEMORY*/
5824
3.62k
  }
5825
11.6k
#ifdef INVARIANTS
5826
2.92M
  for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
5827
2.91M
    if (stcb->asoc.strmout[i].chunks_on_queues > 0) {
5828
0
      panic("%u chunks left for stream %u.", stcb->asoc.strmout[i].chunks_on_queues, i);
5829
0
    }
5830
2.91M
  }
5831
11.6k
#endif
5832
  /* control queue MAY not be empty */
5833
20.6k
  TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
5834
20.6k
    TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
5835
20.6k
    if (chk->data) {
5836
20.6k
      sctp_m_freem(chk->data);
5837
20.6k
      chk->data = NULL;
5838
20.6k
    }
5839
20.6k
    if (chk->holds_key_ref)
5840
0
      sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
5841
20.6k
    sctp_free_remote_addr(chk->whoTo);
5842
20.6k
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
5843
20.6k
    SCTP_DECR_CHK_COUNT();
5844
    /*sa_ignore FREED_MEMORY*/
5845
20.6k
  }
5846
  /* ASCONF queue MAY not be empty */
5847
11.6k
  TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
5848
0
    TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
5849
0
    if (chk->data) {
5850
0
      sctp_m_freem(chk->data);
5851
0
      chk->data = NULL;
5852
0
    }
5853
0
    if (chk->holds_key_ref)
5854
0
      sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
5855
0
    sctp_free_remote_addr(chk->whoTo);
5856
0
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
5857
0
    SCTP_DECR_CHK_COUNT();
5858
    /*sa_ignore FREED_MEMORY*/
5859
0
  }
5860
11.6k
  if (asoc->mapping_array) {
5861
11.6k
    SCTP_FREE(asoc->mapping_array, SCTP_M_MAP);
5862
11.6k
    asoc->mapping_array = NULL;
5863
11.6k
  }
5864
11.6k
  if (asoc->nr_mapping_array) {
5865
11.6k
    SCTP_FREE(asoc->nr_mapping_array, SCTP_M_MAP);
5866
11.6k
    asoc->nr_mapping_array = NULL;
5867
11.6k
  }
5868
  /* the stream outs */
5869
11.6k
  if (asoc->strmout) {
5870
11.6k
    SCTP_FREE(asoc->strmout, SCTP_M_STRMO);
5871
11.6k
    asoc->strmout = NULL;
5872
11.6k
  }
5873
11.6k
  asoc->strm_realoutsize = asoc->streamoutcnt = 0;
5874
11.6k
  if (asoc->strmin) {
5875
2.32M
    for (i = 0; i < asoc->streamincnt; i++) {
5876
2.32M
      sctp_clean_up_stream(stcb, &asoc->strmin[i].inqueue);
5877
2.32M
      sctp_clean_up_stream(stcb, &asoc->strmin[i].uno_inqueue);
5878
2.32M
    }
5879
9.22k
    SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
5880
9.22k
    asoc->strmin = NULL;
5881
9.22k
  }
5882
11.6k
  asoc->streamincnt = 0;
5883
17.5k
  TAILQ_FOREACH_SAFE(net, &asoc->nets, sctp_next, nnet) {
5884
17.5k
#ifdef INVARIANTS
5885
17.5k
    if (SCTP_BASE_INFO(ipi_count_raddr) == 0) {
5886
0
      panic("no net's left alloc'ed, or list points to itself");
5887
0
    }
5888
17.5k
#endif
5889
17.5k
    TAILQ_REMOVE(&asoc->nets, net, sctp_next);
5890
17.5k
    sctp_free_remote_addr(net);
5891
17.5k
  }
5892
11.6k
  LIST_FOREACH_SAFE(laddr, &asoc->sctp_restricted_addrs, sctp_nxt_addr, naddr) {
5893
    /*sa_ignore FREED_MEMORY*/
5894
0
    sctp_remove_laddr(laddr);
5895
0
  }
5896
5897
  /* pending asconf (address) parameters */
5898
11.6k
  TAILQ_FOREACH_SAFE(aparam, &asoc->asconf_queue, next, naparam) {
5899
    /*sa_ignore FREED_MEMORY*/
5900
0
    TAILQ_REMOVE(&asoc->asconf_queue, aparam, next);
5901
0
    SCTP_FREE(aparam,SCTP_M_ASC_ADDR);
5902
0
  }
5903
11.6k
  TAILQ_FOREACH_SAFE(aack, &asoc->asconf_ack_sent, next, naack) {
5904
    /*sa_ignore FREED_MEMORY*/
5905
1.34k
    TAILQ_REMOVE(&asoc->asconf_ack_sent, aack, next);
5906
1.34k
    if (aack->data != NULL) {
5907
1.34k
      sctp_m_freem(aack->data);
5908
1.34k
    }
5909
1.34k
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asconf_ack), aack);
5910
1.34k
  }
5911
  /* clean up auth stuff */
5912
11.6k
  if (asoc->local_hmacs)
5913
11.6k
    sctp_free_hmaclist(asoc->local_hmacs);
5914
11.6k
  if (asoc->peer_hmacs)
5915
8.46k
    sctp_free_hmaclist(asoc->peer_hmacs);
5916
5917
11.6k
  if (asoc->local_auth_chunks)
5918
11.6k
    sctp_free_chunklist(asoc->local_auth_chunks);
5919
11.6k
  if (asoc->peer_auth_chunks)
5920
8.60k
    sctp_free_chunklist(asoc->peer_auth_chunks);
5921
5922
11.6k
  sctp_free_authinfo(&asoc->authinfo);
5923
5924
11.6k
  LIST_FOREACH_SAFE(shared_key, &asoc->shared_keys, next, nshared_key) {
5925
11.6k
    LIST_REMOVE(shared_key, next);
5926
11.6k
    sctp_free_sharedkey(shared_key);
5927
    /*sa_ignore FREED_MEMORY*/
5928
11.6k
  }
5929
5930
  /* Insert new items here :> */
5931
5932
  /* Get rid of LOCK */
5933
11.6k
  SCTP_TCB_UNLOCK(stcb);
5934
11.6k
  SCTP_TCB_LOCK_DESTROY(stcb);
5935
11.6k
  if (from_inpcbfree == SCTP_NORMAL_PROC) {
5936
1.83k
    SCTP_INP_INFO_WUNLOCK();
5937
1.83k
    SCTP_INP_RLOCK(inp);
5938
1.83k
  }
5939
#if defined(__APPLE__) && !defined(__Userspace__)
5940
  /* TEMP CODE */
5941
  stcb->freed_from_where = from_location;
5942
#endif
5943
#ifdef SCTP_TRACK_FREED_ASOCS
5944
  if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5945
    /* now clean up the tasoc itself */
5946
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
5947
    SCTP_DECR_ASOC_COUNT();
5948
  } else {
5949
    LIST_INSERT_HEAD(&inp->sctp_asoc_free_list, stcb, sctp_tcblist);
5950
  }
5951
#else
5952
11.6k
  SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asoc), stcb);
5953
11.6k
  SCTP_DECR_ASOC_COUNT();
5954
11.6k
#endif
5955
11.6k
  if (from_inpcbfree == SCTP_NORMAL_PROC) {
5956
1.83k
    if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5957
      /* If its NOT the inp_free calling us AND
5958
       * sctp_close as been called, we
5959
       * call back...
5960
       */
5961
26
      SCTP_INP_RUNLOCK(inp);
5962
      /* This will start the kill timer (if we are
5963
       * the last one) since we hold an increment yet. But
5964
       * this is the only safe way to do this
5965
       * since otherwise if the socket closes
5966
       * at the same time we are here we might
5967
       * collide in the cleanup.
5968
       */
5969
26
      sctp_inpcb_free(inp,
5970
26
          SCTP_FREE_SHOULD_USE_GRACEFUL_CLOSE,
5971
26
          SCTP_CALLED_DIRECTLY_NOCMPSET);
5972
26
      SCTP_INP_DECR_REF(inp);
5973
1.81k
    } else {
5974
      /* The socket is still open. */
5975
1.81k
      SCTP_INP_DECR_REF(inp);
5976
1.81k
      SCTP_INP_RUNLOCK(inp);
5977
1.81k
    }
5978
1.83k
  }
5979
  /* destroyed the asoc */
5980
#ifdef SCTP_LOG_CLOSING
5981
  sctp_log_closing(inp, NULL, 11);
5982
#endif
5983
11.6k
  return (1);
5984
11.6k
}
5985
5986
/*
5987
 * determine if a destination is "reachable" based upon the addresses bound
5988
 * to the current endpoint (e.g. only v4 or v6 currently bound)
5989
 */
5990
/*
5991
 * FIX: if we allow assoc-level bindx(), then this needs to be fixed to use
5992
 * assoc level v4/v6 flags, as the assoc *may* not have the same address
5993
 * types bound as its endpoint
5994
 */
5995
int
5996
sctp_destination_is_reachable(struct sctp_tcb *stcb, struct sockaddr *destaddr)
5997
0
{
5998
0
  struct sctp_inpcb *inp;
5999
0
  int answer;
6000
6001
  /*
6002
   * No locks here, the TCB, in all cases is already locked and an
6003
   * assoc is up. There is either a INP lock by the caller applied (in
6004
   * asconf case when deleting an address) or NOT in the HB case,
6005
   * however if HB then the INP increment is up and the INP will not
6006
   * be removed (on top of the fact that we have a TCB lock). So we
6007
   * only want to read the sctp_flags, which is either bound-all or
6008
   * not.. no protection needed since once an assoc is up you can't be
6009
   * changing your binding.
6010
   */
6011
0
  inp = stcb->sctp_ep;
6012
0
  if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
6013
    /* if bound all, destination is not restricted */
6014
    /*
6015
     * RRS: Question during lock work: Is this correct? If you
6016
     * are bound-all you still might need to obey the V4--V6
6017
     * flags??? IMO this bound-all stuff needs to be removed!
6018
     */
6019
0
    return (1);
6020
0
  }
6021
  /* NOTE: all "scope" checks are done when local addresses are added */
6022
0
  switch (destaddr->sa_family) {
6023
0
#ifdef INET6
6024
0
  case AF_INET6:
6025
0
    answer = inp->ip_inp.inp.inp_vflag & INP_IPV6;
6026
0
    break;
6027
0
#endif
6028
0
#ifdef INET
6029
0
  case AF_INET:
6030
0
    answer = inp->ip_inp.inp.inp_vflag & INP_IPV4;
6031
0
    break;
6032
0
#endif
6033
0
#if defined(__Userspace__)
6034
0
  case AF_CONN:
6035
0
    answer = inp->ip_inp.inp.inp_vflag & INP_CONN;
6036
0
    break;
6037
0
#endif
6038
0
  default:
6039
    /* invalid family, so it's unreachable */
6040
0
    answer = 0;
6041
0
    break;
6042
0
  }
6043
0
  return (answer);
6044
0
}
6045
6046
/*
6047
 * update the inp_vflags on an endpoint
6048
 */
6049
static void
6050
sctp_update_ep_vflag(struct sctp_inpcb *inp)
6051
0
{
6052
0
  struct sctp_laddr *laddr;
6053
6054
  /* first clear the flag */
6055
0
  inp->ip_inp.inp.inp_vflag = 0;
6056
  /* set the flag based on addresses on the ep list */
6057
0
  LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
6058
0
    if (laddr->ifa == NULL) {
6059
0
      SCTPDBG(SCTP_DEBUG_PCB1, "%s: NULL ifa\n",
6060
0
        __func__);
6061
0
      continue;
6062
0
    }
6063
6064
0
    if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
6065
0
      continue;
6066
0
    }
6067
0
    switch (laddr->ifa->address.sa.sa_family) {
6068
0
#ifdef INET6
6069
0
    case AF_INET6:
6070
0
      inp->ip_inp.inp.inp_vflag |= INP_IPV6;
6071
0
      break;
6072
0
#endif
6073
0
#ifdef INET
6074
0
    case AF_INET:
6075
0
      inp->ip_inp.inp.inp_vflag |= INP_IPV4;
6076
0
      break;
6077
0
#endif
6078
0
#if defined(__Userspace__)
6079
0
    case AF_CONN:
6080
0
      inp->ip_inp.inp.inp_vflag |= INP_CONN;
6081
0
      break;
6082
0
#endif
6083
0
    default:
6084
0
      break;
6085
0
    }
6086
0
  }
6087
0
}
6088
6089
/*
6090
 * Add the address to the endpoint local address list There is nothing to be
6091
 * done if we are bound to all addresses
6092
 */
6093
void
6094
sctp_add_local_addr_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa, uint32_t action)
6095
0
{
6096
0
  struct sctp_laddr *laddr;
6097
0
  struct sctp_tcb *stcb;
6098
0
  int fnd, error = 0;
6099
6100
0
  fnd = 0;
6101
6102
0
  if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
6103
    /* You are already bound to all. You have it already */
6104
0
    return;
6105
0
  }
6106
0
#ifdef INET6
6107
0
  if (ifa->address.sa.sa_family == AF_INET6) {
6108
0
    if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
6109
      /* Can't bind a non-useable addr. */
6110
0
      return;
6111
0
    }
6112
0
  }
6113
0
#endif
6114
  /* first, is it already present? */
6115
0
  LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
6116
0
    if (laddr->ifa == ifa) {
6117
0
      fnd = 1;
6118
0
      break;
6119
0
    }
6120
0
  }
6121
6122
0
  if (fnd == 0) {
6123
    /* Not in the ep list */
6124
0
    error = sctp_insert_laddr(&inp->sctp_addr_list, ifa, action);
6125
0
    if (error != 0)
6126
0
      return;
6127
0
    inp->laddr_count++;
6128
    /* update inp_vflag flags */
6129
0
    switch (ifa->address.sa.sa_family) {
6130
0
#ifdef INET6
6131
0
    case AF_INET6:
6132
0
      inp->ip_inp.inp.inp_vflag |= INP_IPV6;
6133
0
      break;
6134
0
#endif
6135
0
#ifdef INET
6136
0
    case AF_INET:
6137
0
      inp->ip_inp.inp.inp_vflag |= INP_IPV4;
6138
0
      break;
6139
0
#endif
6140
0
#if defined(__Userspace__)
6141
0
    case AF_CONN:
6142
0
      inp->ip_inp.inp.inp_vflag |= INP_CONN;
6143
0
      break;
6144
0
#endif
6145
0
    default:
6146
0
      break;
6147
0
    }
6148
0
    LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
6149
0
      sctp_add_local_addr_restricted(stcb, ifa);
6150
0
    }
6151
0
  }
6152
0
  return;
6153
0
}
6154
6155
/*
6156
 * select a new (hopefully reachable) destination net (should only be used
6157
 * when we deleted an ep addr that is the only usable source address to reach
6158
 * the destination net)
6159
 */
6160
static void
6161
sctp_select_primary_destination(struct sctp_tcb *stcb)
6162
0
{
6163
0
  struct sctp_nets *net;
6164
6165
0
  TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
6166
    /* for now, we'll just pick the first reachable one we find */
6167
0
    if (net->dest_state & SCTP_ADDR_UNCONFIRMED)
6168
0
      continue;
6169
0
    if (sctp_destination_is_reachable(stcb,
6170
0
        (struct sockaddr *)&net->ro._l_addr)) {
6171
      /* found a reachable destination */
6172
0
      stcb->asoc.primary_destination = net;
6173
0
    }
6174
0
  }
6175
  /* I can't there from here! ...we're gonna die shortly... */
6176
0
}
6177
6178
/*
6179
 * Delete the address from the endpoint local address list. There is nothing
6180
 * to be done if we are bound to all addresses
6181
 */
6182
void
6183
sctp_del_local_addr_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
6184
0
{
6185
0
  struct sctp_laddr *laddr;
6186
0
  int fnd;
6187
6188
0
  fnd = 0;
6189
0
  if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
6190
    /* You are already bound to all. You have it already */
6191
0
    return;
6192
0
  }
6193
0
  LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
6194
0
    if (laddr->ifa == ifa) {
6195
0
      fnd = 1;
6196
0
      break;
6197
0
    }
6198
0
  }
6199
0
  if (fnd && (inp->laddr_count < 2)) {
6200
    /* can't delete unless there are at LEAST 2 addresses */
6201
0
    return;
6202
0
  }
6203
0
  if (fnd) {
6204
    /*
6205
     * clean up any use of this address go through our
6206
     * associations and clear any last_used_address that match
6207
     * this one for each assoc, see if a new primary_destination
6208
     * is needed
6209
     */
6210
0
    struct sctp_tcb *stcb;
6211
6212
    /* clean up "next_addr_touse" */
6213
0
    if (inp->next_addr_touse == laddr)
6214
      /* delete this address */
6215
0
      inp->next_addr_touse = NULL;
6216
6217
    /* clean up "last_used_address" */
6218
0
    LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
6219
0
      struct sctp_nets *net;
6220
6221
0
      SCTP_TCB_LOCK(stcb);
6222
0
      if (stcb->asoc.last_used_address == laddr)
6223
        /* delete this address */
6224
0
        stcb->asoc.last_used_address = NULL;
6225
      /* Now spin through all the nets and purge any ref to laddr */
6226
0
      TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
6227
0
        if (net->ro._s_addr == laddr->ifa) {
6228
          /* Yep, purge src address selected */
6229
#if defined(__FreeBSD__) && !defined(__Userspace__)
6230
          RO_NHFREE(&net->ro);
6231
#else
6232
0
          sctp_rtentry_t *rt;
6233
6234
          /* delete this address if cached */
6235
0
          rt = net->ro.ro_rt;
6236
0
          if (rt != NULL) {
6237
0
            RTFREE(rt);
6238
0
            net->ro.ro_rt = NULL;
6239
0
          }
6240
0
#endif
6241
0
          sctp_free_ifa(net->ro._s_addr);
6242
0
          net->ro._s_addr = NULL;
6243
0
          net->src_addr_selected = 0;
6244
0
        }
6245
0
      }
6246
0
      SCTP_TCB_UNLOCK(stcb);
6247
0
    }    /* for each tcb */
6248
    /* remove it from the ep list */
6249
0
    sctp_remove_laddr(laddr);
6250
0
    inp->laddr_count--;
6251
    /* update inp_vflag flags */
6252
0
    sctp_update_ep_vflag(inp);
6253
0
  }
6254
0
  return;
6255
0
}
6256
6257
/*
6258
 * Add the address to the TCB local address restricted list.
6259
 * This is a "pending" address list (eg. addresses waiting for an
6260
 * ASCONF-ACK response) and cannot be used as a valid source address.
6261
 */
6262
void
6263
sctp_add_local_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
6264
0
{
6265
0
  struct sctp_laddr *laddr;
6266
0
  struct sctpladdr *list;
6267
6268
  /*
6269
   * Assumes TCB is locked.. and possibly the INP. May need to
6270
   * confirm/fix that if we need it and is not the case.
6271
   */
6272
0
  list = &stcb->asoc.sctp_restricted_addrs;
6273
6274
0
#ifdef INET6
6275
0
  if (ifa->address.sa.sa_family == AF_INET6) {
6276
0
    if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
6277
      /* Can't bind a non-existent addr. */
6278
0
      return;
6279
0
    }
6280
0
  }
6281
0
#endif
6282
  /* does the address already exist? */
6283
0
  LIST_FOREACH(laddr, list, sctp_nxt_addr) {
6284
0
    if (laddr->ifa == ifa) {
6285
0
      return;
6286
0
    }
6287
0
  }
6288
6289
  /* add to the list */
6290
0
  (void)sctp_insert_laddr(list, ifa, 0);
6291
0
  return;
6292
0
}
6293
6294
/*
6295
 * Remove a local address from the TCB local address restricted list
6296
 */
6297
void
6298
sctp_del_local_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
6299
0
{
6300
0
  struct sctp_inpcb *inp;
6301
0
  struct sctp_laddr *laddr;
6302
6303
  /*
6304
   * This is called by asconf work. It is assumed that a) The TCB is
6305
   * locked and b) The INP is locked. This is true in as much as I can
6306
   * trace through the entry asconf code where I did these locks.
6307
   * Again, the ASCONF code is a bit different in that it does lock
6308
   * the INP during its work often times. This must be since we don't
6309
   * want other proc's looking up things while what they are looking
6310
   * up is changing :-D
6311
   */
6312
6313
0
  inp = stcb->sctp_ep;
6314
  /* if subset bound and don't allow ASCONF's, can't delete last */
6315
0
  if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) == 0) &&
6316
0
      sctp_is_feature_off(inp, SCTP_PCB_FLAGS_DO_ASCONF)) {
6317
0
    if (stcb->sctp_ep->laddr_count < 2) {
6318
      /* can't delete last address */
6319
0
      return;
6320
0
    }
6321
0
  }
6322
0
  LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
6323
    /* remove the address if it exists */
6324
0
    if (laddr->ifa == NULL)
6325
0
      continue;
6326
0
    if (laddr->ifa == ifa) {
6327
0
      sctp_remove_laddr(laddr);
6328
0
      return;
6329
0
    }
6330
0
  }
6331
6332
  /* address not found! */
6333
0
  return;
6334
0
}
6335
6336
#if defined(__FreeBSD__) && !defined(__Userspace__)
6337
/* sysctl */
6338
static int sctp_max_number_of_assoc = SCTP_MAX_NUM_OF_ASOC;
6339
static int sctp_scale_up_for_address = SCTP_SCALE_FOR_ADDR;
6340
#endif
6341
6342
#if defined(__FreeBSD__) && !defined(__Userspace__)
6343
#if defined(SCTP_MCORE_INPUT) && defined(SMP)
6344
struct sctp_mcore_ctrl *sctp_mcore_workers = NULL;
6345
int *sctp_cpuarry = NULL;
6346
6347
void
6348
sctp_queue_to_mcore(struct mbuf *m, int off, int cpu_to_use)
6349
{
6350
  /* Queue a packet to a processor for the specified core */
6351
  struct sctp_mcore_queue *qent;
6352
  struct sctp_mcore_ctrl *wkq;
6353
  int need_wake = 0;
6354
6355
  if (sctp_mcore_workers == NULL) {
6356
    /* Something went way bad during setup */
6357
    sctp_input_with_port(m, off, 0);
6358
    return;
6359
  }
6360
  SCTP_MALLOC(qent, struct sctp_mcore_queue *,
6361
        (sizeof(struct sctp_mcore_queue)),
6362
        SCTP_M_MCORE);
6363
  if (qent == NULL) {
6364
    /* This is trouble  */
6365
    sctp_input_with_port(m, off, 0);
6366
    return;
6367
  }
6368
  qent->vn = curvnet;
6369
  qent->m = m;
6370
  qent->off = off;
6371
  qent->v6 = 0;
6372
  wkq = &sctp_mcore_workers[cpu_to_use];
6373
  SCTP_MCORE_QLOCK(wkq);
6374
6375
  TAILQ_INSERT_TAIL(&wkq->que, qent, next);
6376
  if (wkq->running == 0) {
6377
    need_wake = 1;
6378
  }
6379
  SCTP_MCORE_QUNLOCK(wkq);
6380
  if (need_wake) {
6381
    wakeup(&wkq->running);
6382
  }
6383
}
6384
6385
static void
6386
sctp_mcore_thread(void *arg)
6387
{
6388
6389
  struct sctp_mcore_ctrl *wkq;
6390
  struct sctp_mcore_queue *qent;
6391
6392
  wkq = (struct sctp_mcore_ctrl *)arg;
6393
  struct mbuf *m;
6394
  int off, v6;
6395
6396
  /* Wait for first tickle */
6397
  SCTP_MCORE_LOCK(wkq);
6398
  wkq->running = 0;
6399
  msleep(&wkq->running,
6400
         &wkq->core_mtx,
6401
         0, "wait for pkt", 0);
6402
  SCTP_MCORE_UNLOCK(wkq);
6403
6404
  /* Bind to our cpu */
6405
  thread_lock(curthread);
6406
  sched_bind(curthread, wkq->cpuid);
6407
  thread_unlock(curthread);
6408
6409
  /* Now lets start working */
6410
  SCTP_MCORE_LOCK(wkq);
6411
  /* Now grab lock and go */
6412
  for (;;) {
6413
    SCTP_MCORE_QLOCK(wkq);
6414
  skip_sleep:
6415
    wkq->running = 1;
6416
    qent = TAILQ_FIRST(&wkq->que);
6417
    if (qent) {
6418
      TAILQ_REMOVE(&wkq->que, qent, next);
6419
      SCTP_MCORE_QUNLOCK(wkq);
6420
      CURVNET_SET(qent->vn);
6421
      m = qent->m;
6422
      off = qent->off;
6423
      v6 = qent->v6;
6424
      SCTP_FREE(qent, SCTP_M_MCORE);
6425
      if (v6 == 0) {
6426
        sctp_input_with_port(m, off, 0);
6427
      } else {
6428
        SCTP_PRINTF("V6 not yet supported\n");
6429
        sctp_m_freem(m);
6430
      }
6431
      CURVNET_RESTORE();
6432
      SCTP_MCORE_QLOCK(wkq);
6433
    }
6434
    wkq->running = 0;
6435
    if (!TAILQ_EMPTY(&wkq->que)) {
6436
      goto skip_sleep;
6437
    }
6438
    SCTP_MCORE_QUNLOCK(wkq);
6439
    msleep(&wkq->running,
6440
           &wkq->core_mtx,
6441
           0, "wait for pkt", 0);
6442
  }
6443
}
6444
6445
static void
6446
sctp_startup_mcore_threads(void)
6447
{
6448
  int i, cpu;
6449
6450
  if (mp_ncpus == 1)
6451
    return;
6452
6453
  if (sctp_mcore_workers != NULL) {
6454
    /* Already been here in some previous
6455
     * vnet?
6456
     */
6457
    return;
6458
  }
6459
  SCTP_MALLOC(sctp_mcore_workers, struct sctp_mcore_ctrl *,
6460
        ((mp_maxid+1) * sizeof(struct sctp_mcore_ctrl)),
6461
        SCTP_M_MCORE);
6462
  if (sctp_mcore_workers == NULL) {
6463
    /* TSNH I hope */
6464
    return;
6465
  }
6466
  memset(sctp_mcore_workers, 0 , ((mp_maxid+1) *
6467
          sizeof(struct sctp_mcore_ctrl)));
6468
  /* Init the structures */
6469
  for (i = 0; i<=mp_maxid; i++) {
6470
    TAILQ_INIT(&sctp_mcore_workers[i].que);
6471
    SCTP_MCORE_LOCK_INIT(&sctp_mcore_workers[i]);
6472
    SCTP_MCORE_QLOCK_INIT(&sctp_mcore_workers[i]);
6473
    sctp_mcore_workers[i].cpuid = i;
6474
  }
6475
  if (sctp_cpuarry == NULL) {
6476
    SCTP_MALLOC(sctp_cpuarry, int *,
6477
          (mp_ncpus * sizeof(int)),
6478
          SCTP_M_MCORE);
6479
    i = 0;
6480
    CPU_FOREACH(cpu) {
6481
      sctp_cpuarry[i] = cpu;
6482
      i++;
6483
    }
6484
  }
6485
  /* Now start them all */
6486
  CPU_FOREACH(cpu) {
6487
    (void)kproc_create(sctp_mcore_thread,
6488
           (void *)&sctp_mcore_workers[cpu],
6489
           &sctp_mcore_workers[cpu].thread_proc,
6490
           0,
6491
           SCTP_KTHREAD_PAGES,
6492
           SCTP_MCORE_NAME);
6493
  }
6494
}
6495
#endif
6496
#endif
6497
6498
#if defined(__FreeBSD__) && !defined(__Userspace__)
6499
#if defined(SCTP_NOT_YET)
6500
static struct mbuf *
6501
sctp_netisr_hdlr(struct mbuf *m, uintptr_t source)
6502
{
6503
  struct ip *ip;
6504
  struct sctphdr *sh;
6505
  int offset;
6506
  uint32_t flowid, tag;
6507
6508
  /*
6509
   * No flow id built by lower layers fix it so we
6510
   * create one.
6511
   */
6512
  ip = mtod(m, struct ip *);
6513
  offset = (ip->ip_hl << 2) + sizeof(struct sctphdr);
6514
  if (SCTP_BUF_LEN(m) < offset) {
6515
    if ((m = m_pullup(m, offset)) == NULL) {
6516
      SCTP_STAT_INCR(sctps_hdrops);
6517
      return (NULL);
6518
    }
6519
    ip = mtod(m, struct ip *);
6520
  }
6521
  sh = (struct sctphdr *)((caddr_t)ip + (ip->ip_hl << 2));
6522
  tag = htonl(sh->v_tag);
6523
  flowid = tag ^ ntohs(sh->dest_port) ^ ntohs(sh->src_port);
6524
  m->m_pkthdr.flowid = flowid;
6525
  /* FIX ME */
6526
  m->m_flags |= M_FLOWID;
6527
  return (m);
6528
}
6529
6530
#endif
6531
#endif
6532
void
6533
#if defined(__Userspace__)
6534
sctp_pcb_init(int start_threads)
6535
#else
6536
sctp_pcb_init(void)
6537
#endif
6538
1
{
6539
  /*
6540
   * SCTP initialization for the PCB structures should be called by
6541
   * the sctp_init() function.
6542
   */
6543
1
  int i;
6544
1
  struct timeval tv;
6545
6546
1
  if (SCTP_BASE_VAR(sctp_pcb_initialized) != 0) {
6547
    /* error I was called twice */
6548
0
    return;
6549
0
  }
6550
1
  SCTP_BASE_VAR(sctp_pcb_initialized) = 1;
6551
6552
1
#if defined(SCTP_PROCESS_LEVEL_LOCKS)
6553
1
#if !defined(_WIN32)
6554
1
  pthread_mutexattr_init(&SCTP_BASE_VAR(mtx_attr));
6555
1
  pthread_rwlockattr_init(&SCTP_BASE_VAR(rwlock_attr));
6556
1
#ifdef INVARIANTS
6557
1
  pthread_mutexattr_settype(&SCTP_BASE_VAR(mtx_attr), PTHREAD_MUTEX_ERRORCHECK);
6558
1
#endif
6559
1
#endif
6560
1
#endif
6561
#if defined(SCTP_LOCAL_TRACE_BUF)
6562
#if defined(_WIN32) && !defined(__Userspace__)
6563
  if (SCTP_BASE_SYSCTL(sctp_log) != NULL) {
6564
    memset(SCTP_BASE_SYSCTL(sctp_log), 0, sizeof(struct sctp_log));
6565
  }
6566
#else
6567
  memset(&SCTP_BASE_SYSCTL(sctp_log), 0, sizeof(struct sctp_log));
6568
#endif
6569
#endif
6570
#if defined(__FreeBSD__) && !defined(__Userspace__)
6571
#if defined(SMP) && defined(SCTP_USE_PERCPU_STAT)
6572
  SCTP_MALLOC(SCTP_BASE_STATS, struct sctpstat *,
6573
        ((mp_maxid+1) * sizeof(struct sctpstat)),
6574
        SCTP_M_MCORE);
6575
#endif
6576
#endif
6577
1
  (void)SCTP_GETTIME_TIMEVAL(&tv);
6578
#if defined(__FreeBSD__) && !defined(__Userspace__)
6579
#if defined(SMP) && defined(SCTP_USE_PERCPU_STAT)
6580
  memset(SCTP_BASE_STATS, 0, sizeof(struct sctpstat) * (mp_maxid+1));
6581
  SCTP_BASE_STATS[PCPU_GET(cpuid)].sctps_discontinuitytime.tv_sec = (uint32_t)tv.tv_sec;
6582
  SCTP_BASE_STATS[PCPU_GET(cpuid)].sctps_discontinuitytime.tv_usec = (uint32_t)tv.tv_usec;
6583
#else
6584
  memset(&SCTP_BASE_STATS, 0, sizeof(struct sctpstat));
6585
  SCTP_BASE_STAT(sctps_discontinuitytime).tv_sec = (uint32_t)tv.tv_sec;
6586
  SCTP_BASE_STAT(sctps_discontinuitytime).tv_usec = (uint32_t)tv.tv_usec;
6587
#endif
6588
#else
6589
1
  memset(&SCTP_BASE_STATS, 0, sizeof(struct sctpstat));
6590
1
  SCTP_BASE_STAT(sctps_discontinuitytime).tv_sec = (uint32_t)tv.tv_sec;
6591
1
  SCTP_BASE_STAT(sctps_discontinuitytime).tv_usec = (uint32_t)tv.tv_usec;
6592
1
#endif
6593
  /* init the empty list of (All) Endpoints */
6594
1
  LIST_INIT(&SCTP_BASE_INFO(listhead));
6595
#if defined(__APPLE__) && !defined(__Userspace__)
6596
  LIST_INIT(&SCTP_BASE_INFO(inplisthead));
6597
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD) || defined(APPLE_LION) || defined(APPLE_MOUNTAINLION)
6598
  SCTP_BASE_INFO(sctbinfo).listhead = &SCTP_BASE_INFO(inplisthead);
6599
  SCTP_BASE_INFO(sctbinfo).mtx_grp_attr = lck_grp_attr_alloc_init();
6600
  lck_grp_attr_setdefault(SCTP_BASE_INFO(sctbinfo).mtx_grp_attr);
6601
  SCTP_BASE_INFO(sctbinfo).mtx_grp = lck_grp_alloc_init("sctppcb", SCTP_BASE_INFO(sctbinfo).mtx_grp_attr);
6602
  SCTP_BASE_INFO(sctbinfo).mtx_attr = lck_attr_alloc_init();
6603
  lck_attr_setdefault(SCTP_BASE_INFO(sctbinfo).mtx_attr);
6604
#else
6605
  SCTP_BASE_INFO(sctbinfo).ipi_listhead = &SCTP_BASE_INFO(inplisthead);
6606
  SCTP_BASE_INFO(sctbinfo).ipi_lock_grp_attr = lck_grp_attr_alloc_init();
6607
  lck_grp_attr_setdefault(SCTP_BASE_INFO(sctbinfo).ipi_lock_grp_attr);
6608
  SCTP_BASE_INFO(sctbinfo).ipi_lock_grp = lck_grp_alloc_init("sctppcb", SCTP_BASE_INFO(sctbinfo).ipi_lock_grp_attr);
6609
  SCTP_BASE_INFO(sctbinfo).ipi_lock_attr = lck_attr_alloc_init();
6610
  lck_attr_setdefault(SCTP_BASE_INFO(sctbinfo).ipi_lock_attr);
6611
#endif
6612
#if !defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION)
6613
  SCTP_BASE_INFO(sctbinfo).ipi_gc = sctp_gc;
6614
  in_pcbinfo_attach(&SCTP_BASE_INFO(sctbinfo));
6615
#endif
6616
#endif
6617
6618
  /* init the hash table of endpoints */
6619
#if defined(__FreeBSD__) && !defined(__Userspace__)
6620
  TUNABLE_INT_FETCH("net.inet.sctp.tcbhashsize", &SCTP_BASE_SYSCTL(sctp_hashtblsize));
6621
  TUNABLE_INT_FETCH("net.inet.sctp.pcbhashsize", &SCTP_BASE_SYSCTL(sctp_pcbtblsize));
6622
  TUNABLE_INT_FETCH("net.inet.sctp.chunkscale", &SCTP_BASE_SYSCTL(sctp_chunkscale));
6623
#endif
6624
1
  SCTP_BASE_INFO(sctp_asochash) = SCTP_HASH_INIT((SCTP_BASE_SYSCTL(sctp_hashtblsize) * 31),
6625
1
                   &SCTP_BASE_INFO(hashasocmark));
6626
1
  SCTP_BASE_INFO(sctp_ephash) = SCTP_HASH_INIT(SCTP_BASE_SYSCTL(sctp_hashtblsize),
6627
1
                 &SCTP_BASE_INFO(hashmark));
6628
1
  SCTP_BASE_INFO(sctp_tcpephash) = SCTP_HASH_INIT(SCTP_BASE_SYSCTL(sctp_hashtblsize),
6629
1
              &SCTP_BASE_INFO(hashtcpmark));
6630
1
  SCTP_BASE_INFO(hashtblsize) = SCTP_BASE_SYSCTL(sctp_hashtblsize);
6631
1
  SCTP_BASE_INFO(sctp_vrfhash) = SCTP_HASH_INIT(SCTP_SIZE_OF_VRF_HASH,
6632
1
                  &SCTP_BASE_INFO(hashvrfmark));
6633
6634
1
  SCTP_BASE_INFO(vrf_ifn_hash) = SCTP_HASH_INIT(SCTP_VRF_IFN_HASH_SIZE,
6635
1
                  &SCTP_BASE_INFO(vrf_ifn_hashmark));
6636
  /* init the zones */
6637
  /*
6638
   * FIX ME: Should check for NULL returns, but if it does fail we are
6639
   * doomed to panic anyways... add later maybe.
6640
   */
6641
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_ep), "sctp_ep",
6642
1
           sizeof(struct sctp_inpcb), maxsockets);
6643
6644
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_asoc), "sctp_asoc",
6645
1
           sizeof(struct sctp_tcb), sctp_max_number_of_assoc);
6646
6647
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_laddr), "sctp_laddr",
6648
1
           sizeof(struct sctp_laddr),
6649
1
           (sctp_max_number_of_assoc * sctp_scale_up_for_address));
6650
6651
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_net), "sctp_raddr",
6652
1
           sizeof(struct sctp_nets),
6653
1
           (sctp_max_number_of_assoc * sctp_scale_up_for_address));
6654
6655
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_chunk), "sctp_chunk",
6656
1
           sizeof(struct sctp_tmit_chunk),
6657
1
           (sctp_max_number_of_assoc * SCTP_BASE_SYSCTL(sctp_chunkscale)));
6658
6659
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_readq), "sctp_readq",
6660
1
           sizeof(struct sctp_queued_to_read),
6661
1
           (sctp_max_number_of_assoc * SCTP_BASE_SYSCTL(sctp_chunkscale)));
6662
6663
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_strmoq), "sctp_stream_msg_out",
6664
1
           sizeof(struct sctp_stream_queue_pending),
6665
1
           (sctp_max_number_of_assoc * SCTP_BASE_SYSCTL(sctp_chunkscale)));
6666
6667
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_asconf), "sctp_asconf",
6668
1
           sizeof(struct sctp_asconf),
6669
1
           (sctp_max_number_of_assoc * SCTP_BASE_SYSCTL(sctp_chunkscale)));
6670
6671
1
  SCTP_ZONE_INIT(SCTP_BASE_INFO(ipi_zone_asconf_ack), "sctp_asconf_ack",
6672
1
           sizeof(struct sctp_asconf_ack),
6673
1
           (sctp_max_number_of_assoc * SCTP_BASE_SYSCTL(sctp_chunkscale)));
6674
6675
  /* Master Lock INIT for info structure */
6676
1
  SCTP_INP_INFO_LOCK_INIT();
6677
1
  SCTP_STATLOG_INIT_LOCK();
6678
6679
1
  SCTP_IPI_COUNT_INIT();
6680
1
  SCTP_IPI_ADDR_INIT();
6681
#ifdef SCTP_PACKET_LOGGING
6682
  SCTP_IP_PKTLOG_INIT();
6683
#endif
6684
1
  LIST_INIT(&SCTP_BASE_INFO(addr_wq));
6685
6686
1
  SCTP_WQ_ADDR_INIT();
6687
  /* not sure if we need all the counts */
6688
1
  SCTP_BASE_INFO(ipi_count_ep) = 0;
6689
  /* assoc/tcb zone info */
6690
1
  SCTP_BASE_INFO(ipi_count_asoc) = 0;
6691
  /* local addrlist zone info */
6692
1
  SCTP_BASE_INFO(ipi_count_laddr) = 0;
6693
  /* remote addrlist zone info */
6694
1
  SCTP_BASE_INFO(ipi_count_raddr) = 0;
6695
  /* chunk info */
6696
1
  SCTP_BASE_INFO(ipi_count_chunk) = 0;
6697
6698
  /* socket queue zone info */
6699
1
  SCTP_BASE_INFO(ipi_count_readq) = 0;
6700
6701
  /* stream out queue cont */
6702
1
  SCTP_BASE_INFO(ipi_count_strmoq) = 0;
6703
6704
1
  SCTP_BASE_INFO(ipi_free_strmoq) = 0;
6705
1
  SCTP_BASE_INFO(ipi_free_chunks) = 0;
6706
6707
1
  SCTP_OS_TIMER_INIT(&SCTP_BASE_INFO(addr_wq_timer.timer));
6708
6709
  /* Init the TIMEWAIT list */
6710
33
  for (i = 0; i < SCTP_STACK_VTAG_HASH_SIZE; i++) {
6711
32
    LIST_INIT(&SCTP_BASE_INFO(vtag_timewait)[i]);
6712
32
  }
6713
1
#if defined(SCTP_PROCESS_LEVEL_LOCKS)
6714
#if defined(_WIN32)
6715
  InitializeConditionVariable(&sctp_it_ctl.iterator_wakeup);
6716
#else
6717
1
  (void)pthread_cond_init(&sctp_it_ctl.iterator_wakeup, NULL);
6718
1
#endif
6719
1
#endif
6720
1
  sctp_startup_iterator();
6721
6722
#if defined(__FreeBSD__) && !defined(__Userspace__)
6723
#if defined(SCTP_MCORE_INPUT) && defined(SMP)
6724
  sctp_startup_mcore_threads();
6725
#endif
6726
#endif
6727
6728
  /*
6729
   * INIT the default VRF which for BSD is the only one, other O/S's
6730
   * may have more. But initially they must start with one and then
6731
   * add the VRF's as addresses are added.
6732
   */
6733
1
  sctp_init_vrf_list(SCTP_DEFAULT_VRF);
6734
#if defined(__FreeBSD__) && !defined(__Userspace__) && defined(SCTP_NOT_YET)
6735
  if (ip_register_flow_handler(sctp_netisr_hdlr, IPPROTO_SCTP)) {
6736
    SCTP_PRINTF("***SCTP- Error can't register netisr handler***\n");
6737
  }
6738
#endif
6739
1
#if defined(_SCTP_NEEDS_CALLOUT_) || defined(_USER_SCTP_NEEDS_CALLOUT_)
6740
  /* allocate the lock for the callout/timer queue */
6741
1
  SCTP_TIMERQ_LOCK_INIT();
6742
1
  TAILQ_INIT(&SCTP_BASE_INFO(callqueue));
6743
1
#endif
6744
1
#if defined(__Userspace__)
6745
1
  mbuf_initialize(NULL);
6746
1
  atomic_init();
6747
1
#if defined(INET) || defined(INET6)
6748
1
  if (start_threads)
6749
1
    recv_thread_init();
6750
1
#endif
6751
1
#endif
6752
1
}
6753
6754
/*
6755
 * Assumes that the SCTP_BASE_INFO() lock is NOT held.
6756
 */
6757
void
6758
sctp_pcb_finish(void)
6759
0
{
6760
0
  struct sctp_vrflist *vrf_bucket;
6761
0
  struct sctp_vrf *vrf, *nvrf;
6762
0
  struct sctp_ifn *ifn, *nifn;
6763
0
  struct sctp_ifa *ifa, *nifa;
6764
0
  struct sctpvtaghead *chain;
6765
0
  struct sctp_tagblock *twait_block, *prev_twait_block;
6766
0
  struct sctp_laddr *wi, *nwi;
6767
0
  int i;
6768
0
  struct sctp_iterator *it, *nit;
6769
6770
0
  if (SCTP_BASE_VAR(sctp_pcb_initialized) == 0) {
6771
0
    SCTP_PRINTF("%s: race condition on teardown.\n", __func__);
6772
0
    return;
6773
0
  }
6774
0
  SCTP_BASE_VAR(sctp_pcb_initialized) = 0;
6775
0
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
6776
  /* Notify the iterator to exit. */
6777
0
  SCTP_IPI_ITERATOR_WQ_LOCK();
6778
0
  sctp_it_ctl.iterator_flags |= SCTP_ITERATOR_MUST_EXIT;
6779
0
  sctp_wakeup_iterator();
6780
0
  SCTP_IPI_ITERATOR_WQ_UNLOCK();
6781
0
#endif
6782
#if defined(__APPLE__) && !defined(__Userspace__)
6783
#if !defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION)
6784
  in_pcbinfo_detach(&SCTP_BASE_INFO(sctbinfo));
6785
#endif
6786
  SCTP_IPI_ITERATOR_WQ_LOCK();
6787
  do {
6788
    msleep(&sctp_it_ctl.iterator_flags,
6789
           sctp_it_ctl.ipi_iterator_wq_mtx,
6790
           0, "waiting_for_work", 0);
6791
  } while ((sctp_it_ctl.iterator_flags & SCTP_ITERATOR_EXITED) == 0);
6792
  thread_deallocate(sctp_it_ctl.thread_proc);
6793
  SCTP_IPI_ITERATOR_WQ_UNLOCK();
6794
#endif
6795
#if defined(_WIN32) && !defined(__Userspace__)
6796
  if (sctp_it_ctl.iterator_thread_obj != NULL) {
6797
    NTSTATUS status = STATUS_SUCCESS;
6798
6799
    KeSetEvent(&sctp_it_ctl.iterator_wakeup[1], IO_NO_INCREMENT, FALSE);
6800
    status = KeWaitForSingleObject(sctp_it_ctl.iterator_thread_obj,
6801
                 Executive,
6802
                 KernelMode,
6803
                 FALSE,
6804
                 NULL);
6805
    ObDereferenceObject(sctp_it_ctl.iterator_thread_obj);
6806
  }
6807
#endif
6808
0
#if defined(__Userspace__)
6809
0
  if (SCTP_BASE_VAR(iterator_thread_started)) {
6810
#if defined(_WIN32)
6811
    WaitForSingleObject(sctp_it_ctl.thread_proc, INFINITE);
6812
    CloseHandle(sctp_it_ctl.thread_proc);
6813
    sctp_it_ctl.thread_proc = NULL;
6814
#else
6815
0
    pthread_join(sctp_it_ctl.thread_proc, NULL);
6816
0
    sctp_it_ctl.thread_proc = 0;
6817
0
#endif
6818
0
  }
6819
0
#endif
6820
0
#if defined(SCTP_PROCESS_LEVEL_LOCKS)
6821
#if defined(_WIN32)
6822
  DeleteConditionVariable(&sctp_it_ctl.iterator_wakeup);
6823
#else
6824
0
  pthread_cond_destroy(&sctp_it_ctl.iterator_wakeup);
6825
0
  pthread_mutexattr_destroy(&SCTP_BASE_VAR(mtx_attr));
6826
0
  pthread_rwlockattr_destroy(&SCTP_BASE_VAR(rwlock_attr));
6827
0
#endif
6828
0
#endif
6829
  /* In FreeBSD the iterator thread never exits
6830
   * but we do clean up.
6831
   * The only way FreeBSD reaches here is if we have VRF's
6832
   * but we still add the ifdef to make it compile on old versions.
6833
   */
6834
#if defined(__FreeBSD__) && !defined(__Userspace__)
6835
retry:
6836
#endif
6837
0
  SCTP_IPI_ITERATOR_WQ_LOCK();
6838
#if defined(__FreeBSD__) && !defined(__Userspace__)
6839
  /*
6840
   * sctp_iterator_worker() might be working on an it entry without
6841
   * holding the lock.  We won't find it on the list either and
6842
   * continue and free/destroy it.  While holding the lock, spin, to
6843
   * avoid the race condition as sctp_iterator_worker() will have to
6844
   * wait to re-acquire the lock.
6845
   */
6846
  if (sctp_it_ctl.iterator_running != 0 || sctp_it_ctl.cur_it != NULL) {
6847
    SCTP_IPI_ITERATOR_WQ_UNLOCK();
6848
    SCTP_PRINTF("%s: Iterator running while we held the lock. Retry. "
6849
                "cur_it=%p\n", __func__, sctp_it_ctl.cur_it);
6850
    DELAY(10);
6851
    goto retry;
6852
  }
6853
#endif
6854
0
  TAILQ_FOREACH_SAFE(it, &sctp_it_ctl.iteratorhead, sctp_nxt_itr, nit) {
6855
#if defined(__FreeBSD__) && !defined(__Userspace__)
6856
    if (it->vn != curvnet) {
6857
      continue;
6858
    }
6859
#endif
6860
0
    TAILQ_REMOVE(&sctp_it_ctl.iteratorhead, it, sctp_nxt_itr);
6861
0
    if (it->function_atend != NULL) {
6862
0
      (*it->function_atend) (it->pointer, it->val);
6863
0
    }
6864
0
    SCTP_FREE(it,SCTP_M_ITER);
6865
0
  }
6866
0
  SCTP_IPI_ITERATOR_WQ_UNLOCK();
6867
#if defined(__FreeBSD__) && !defined(__Userspace__)
6868
  SCTP_ITERATOR_LOCK();
6869
  if ((sctp_it_ctl.cur_it) &&
6870
      (sctp_it_ctl.cur_it->vn == curvnet)) {
6871
    sctp_it_ctl.iterator_flags |= SCTP_ITERATOR_STOP_CUR_IT;
6872
  }
6873
  SCTP_ITERATOR_UNLOCK();
6874
#endif
6875
0
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
6876
0
  SCTP_IPI_ITERATOR_WQ_DESTROY();
6877
0
  SCTP_ITERATOR_LOCK_DESTROY();
6878
0
#endif
6879
0
  SCTP_OS_TIMER_STOP_DRAIN(&SCTP_BASE_INFO(addr_wq_timer.timer));
6880
0
  SCTP_WQ_ADDR_LOCK();
6881
0
  LIST_FOREACH_SAFE(wi, &SCTP_BASE_INFO(addr_wq), sctp_nxt_addr, nwi) {
6882
0
    LIST_REMOVE(wi, sctp_nxt_addr);
6883
0
    SCTP_DECR_LADDR_COUNT();
6884
0
    if (wi->action == SCTP_DEL_IP_ADDRESS) {
6885
0
      SCTP_FREE(wi->ifa, SCTP_M_IFA);
6886
0
    }
6887
0
    SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_laddr), wi);
6888
0
  }
6889
0
  SCTP_WQ_ADDR_UNLOCK();
6890
6891
  /*
6892
   * free the vrf/ifn/ifa lists and hashes (be sure address monitor
6893
   * is destroyed first).
6894
   */
6895
0
  SCTP_IPI_ADDR_WLOCK();
6896
0
  vrf_bucket = &SCTP_BASE_INFO(sctp_vrfhash)[(SCTP_DEFAULT_VRFID & SCTP_BASE_INFO(hashvrfmark))];
6897
0
  LIST_FOREACH_SAFE(vrf, vrf_bucket, next_vrf, nvrf) {
6898
0
    LIST_FOREACH_SAFE(ifn, &vrf->ifnlist, next_ifn, nifn) {
6899
0
      LIST_FOREACH_SAFE(ifa, &ifn->ifalist, next_ifa, nifa) {
6900
        /* free the ifa */
6901
0
        LIST_REMOVE(ifa, next_bucket);
6902
0
        LIST_REMOVE(ifa, next_ifa);
6903
0
        SCTP_FREE(ifa, SCTP_M_IFA);
6904
0
      }
6905
      /* free the ifn */
6906
0
      LIST_REMOVE(ifn, next_bucket);
6907
0
      LIST_REMOVE(ifn, next_ifn);
6908
0
      SCTP_FREE(ifn, SCTP_M_IFN);
6909
0
    }
6910
0
    SCTP_HASH_FREE(vrf->vrf_addr_hash, vrf->vrf_addr_hashmark);
6911
    /* free the vrf */
6912
0
    LIST_REMOVE(vrf, next_vrf);
6913
0
    SCTP_FREE(vrf, SCTP_M_VRF);
6914
0
  }
6915
0
  SCTP_IPI_ADDR_WUNLOCK();
6916
  /* free the vrf hashes */
6917
0
  SCTP_HASH_FREE(SCTP_BASE_INFO(sctp_vrfhash), SCTP_BASE_INFO(hashvrfmark));
6918
0
  SCTP_HASH_FREE(SCTP_BASE_INFO(vrf_ifn_hash), SCTP_BASE_INFO(vrf_ifn_hashmark));
6919
6920
  /* free the TIMEWAIT list elements malloc'd in the function
6921
   * sctp_add_vtag_to_timewait()...
6922
   */
6923
0
  for (i = 0; i < SCTP_STACK_VTAG_HASH_SIZE; i++) {
6924
0
    chain = &SCTP_BASE_INFO(vtag_timewait)[i];
6925
0
    if (!LIST_EMPTY(chain)) {
6926
0
      prev_twait_block = NULL;
6927
0
      LIST_FOREACH(twait_block, chain, sctp_nxt_tagblock) {
6928
0
        if (prev_twait_block) {
6929
0
          SCTP_FREE(prev_twait_block, SCTP_M_TIMW);
6930
0
        }
6931
0
        prev_twait_block = twait_block;
6932
0
      }
6933
0
      SCTP_FREE(prev_twait_block, SCTP_M_TIMW);
6934
0
    }
6935
0
  }
6936
6937
  /* free the locks and mutexes */
6938
#if defined(__APPLE__) && !defined(__Userspace__)
6939
  SCTP_TIMERQ_LOCK_DESTROY();
6940
#endif
6941
#ifdef SCTP_PACKET_LOGGING
6942
  SCTP_IP_PKTLOG_DESTROY();
6943
#endif
6944
0
  SCTP_IPI_ADDR_DESTROY();
6945
#if defined(__APPLE__) && !defined(__Userspace__)
6946
  SCTP_IPI_COUNT_DESTROY();
6947
#endif
6948
0
  SCTP_STATLOG_DESTROY();
6949
0
  SCTP_INP_INFO_LOCK_DESTROY();
6950
6951
0
  SCTP_WQ_ADDR_DESTROY();
6952
6953
#if defined(__APPLE__) && !defined(__Userspace__)
6954
#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD) || defined(APPLE_LION) || defined(APPLE_MOUNTAINLION)
6955
  lck_grp_attr_free(SCTP_BASE_INFO(sctbinfo).mtx_grp_attr);
6956
  lck_grp_free(SCTP_BASE_INFO(sctbinfo).mtx_grp);
6957
  lck_attr_free(SCTP_BASE_INFO(sctbinfo).mtx_attr);
6958
#else
6959
  lck_grp_attr_free(SCTP_BASE_INFO(sctbinfo).ipi_lock_grp_attr);
6960
  lck_grp_free(SCTP_BASE_INFO(sctbinfo).ipi_lock_grp);
6961
  lck_attr_free(SCTP_BASE_INFO(sctbinfo).ipi_lock_attr);
6962
#endif
6963
#endif
6964
0
#if defined(__Userspace__)
6965
0
  SCTP_TIMERQ_LOCK_DESTROY();
6966
0
  SCTP_ZONE_DESTROY(zone_mbuf);
6967
0
  SCTP_ZONE_DESTROY(zone_clust);
6968
0
  SCTP_ZONE_DESTROY(zone_ext_refcnt);
6969
0
#endif
6970
  /* Get rid of other stuff too. */
6971
0
  if (SCTP_BASE_INFO(sctp_asochash) != NULL)
6972
0
    SCTP_HASH_FREE(SCTP_BASE_INFO(sctp_asochash), SCTP_BASE_INFO(hashasocmark));
6973
0
  if (SCTP_BASE_INFO(sctp_ephash) != NULL)
6974
0
    SCTP_HASH_FREE(SCTP_BASE_INFO(sctp_ephash), SCTP_BASE_INFO(hashmark));
6975
0
  if (SCTP_BASE_INFO(sctp_tcpephash) != NULL)
6976
0
    SCTP_HASH_FREE(SCTP_BASE_INFO(sctp_tcpephash), SCTP_BASE_INFO(hashtcpmark));
6977
6978
0
#if defined(_WIN32) || defined(__FreeBSD__) || defined(__Userspace__)
6979
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_ep));
6980
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_asoc));
6981
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_laddr));
6982
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_net));
6983
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_chunk));
6984
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_readq));
6985
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_strmoq));
6986
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_asconf));
6987
0
  SCTP_ZONE_DESTROY(SCTP_BASE_INFO(ipi_zone_asconf_ack));
6988
0
#endif
6989
#if defined(__FreeBSD__) && !defined(__Userspace__)
6990
#if defined(SMP) && defined(SCTP_USE_PERCPU_STAT)
6991
  SCTP_FREE(SCTP_BASE_STATS, SCTP_M_MCORE);
6992
#endif
6993
#endif
6994
0
}
6995
6996
int
6997
sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
6998
                              int offset, int limit,
6999
                              struct sockaddr *src, struct sockaddr *dst,
7000
                              struct sockaddr *altsa, uint16_t port)
7001
9.22k
{
7002
  /*
7003
   * grub through the INIT pulling addresses and loading them to the
7004
   * nets structure in the asoc. The from address in the mbuf should
7005
   * also be loaded (if it is not already). This routine can be called
7006
   * with either INIT or INIT-ACK's as long as the m points to the IP
7007
   * packet and the offset points to the beginning of the parameters.
7008
   */
7009
9.22k
  struct sctp_inpcb *inp;
7010
9.22k
  struct sctp_nets *net, *nnet, *net_tmp;
7011
9.22k
  struct sctp_paramhdr *phdr, param_buf;
7012
9.22k
  struct sctp_tcb *stcb_tmp;
7013
9.22k
  uint16_t ptype, plen;
7014
9.22k
  struct sockaddr *sa;
7015
9.22k
  uint8_t random_store[SCTP_PARAM_BUFFER_SIZE];
7016
9.22k
  struct sctp_auth_random *p_random = NULL;
7017
9.22k
  uint16_t random_len = 0;
7018
9.22k
  uint8_t hmacs_store[SCTP_PARAM_BUFFER_SIZE];
7019
9.22k
  struct sctp_auth_hmac_algo *hmacs = NULL;
7020
9.22k
  uint16_t hmacs_len = 0;
7021
9.22k
  uint8_t saw_asconf = 0;
7022
9.22k
  uint8_t saw_asconf_ack = 0;
7023
9.22k
  uint8_t chunks_store[SCTP_PARAM_BUFFER_SIZE];
7024
9.22k
  struct sctp_auth_chunk_list *chunks = NULL;
7025
9.22k
  uint16_t num_chunks = 0;
7026
9.22k
  sctp_key_t *new_key;
7027
9.22k
  uint32_t keylen;
7028
9.22k
  int got_random = 0, got_hmacs = 0, got_chklist = 0;
7029
9.22k
  uint8_t peer_supports_ecn;
7030
9.22k
  uint8_t peer_supports_prsctp;
7031
9.22k
  uint8_t peer_supports_auth;
7032
9.22k
  uint8_t peer_supports_asconf;
7033
9.22k
  uint8_t peer_supports_asconf_ack;
7034
9.22k
  uint8_t peer_supports_reconfig;
7035
9.22k
  uint8_t peer_supports_nrsack;
7036
9.22k
  uint8_t peer_supports_pktdrop;
7037
9.22k
  uint8_t peer_supports_idata;
7038
9.22k
#ifdef INET
7039
9.22k
  struct sockaddr_in sin;
7040
9.22k
#endif
7041
9.22k
#ifdef INET6
7042
9.22k
  struct sockaddr_in6 sin6;
7043
9.22k
#endif
7044
7045
  /* First get the destination address setup too. */
7046
9.22k
#ifdef INET
7047
9.22k
  memset(&sin, 0, sizeof(sin));
7048
9.22k
  sin.sin_family = AF_INET;
7049
#ifdef HAVE_SIN_LEN
7050
  sin.sin_len = sizeof(sin);
7051
#endif
7052
9.22k
  sin.sin_port = stcb->rport;
7053
9.22k
#endif
7054
9.22k
#ifdef INET6
7055
9.22k
  memset(&sin6, 0, sizeof(sin6));
7056
9.22k
  sin6.sin6_family = AF_INET6;
7057
#ifdef HAVE_SIN6_LEN
7058
  sin6.sin6_len = sizeof(struct sockaddr_in6);
7059
#endif
7060
9.22k
  sin6.sin6_port = stcb->rport;
7061
9.22k
#endif
7062
9.22k
  if (altsa) {
7063
0
    sa = altsa;
7064
9.22k
  } else {
7065
9.22k
    sa = src;
7066
9.22k
  }
7067
9.22k
  peer_supports_idata = 0;
7068
9.22k
  peer_supports_ecn = 0;
7069
9.22k
  peer_supports_prsctp = 0;
7070
9.22k
  peer_supports_auth = 0;
7071
9.22k
  peer_supports_asconf = 0;
7072
9.22k
  peer_supports_asconf_ack = 0;
7073
9.22k
  peer_supports_reconfig = 0;
7074
9.22k
  peer_supports_nrsack = 0;
7075
9.22k
  peer_supports_pktdrop = 0;
7076
9.22k
  TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
7077
    /* mark all addresses that we have currently on the list */
7078
9.22k
    net->dest_state |= SCTP_ADDR_NOT_IN_ASSOC;
7079
9.22k
  }
7080
  /* does the source address already exist? if so skip it */
7081
9.22k
  inp = stcb->sctp_ep;
7082
9.22k
  atomic_add_int(&stcb->asoc.refcnt, 1);
7083
9.22k
  stcb_tmp = sctp_findassociation_ep_addr(&inp, sa, &net_tmp, dst, stcb);
7084
9.22k
  atomic_subtract_int(&stcb->asoc.refcnt, 1);
7085
7086
9.22k
  if ((stcb_tmp == NULL && inp == stcb->sctp_ep) || inp == NULL) {
7087
    /* we must add the source address */
7088
    /* no scope set here since we have a tcb already. */
7089
0
    switch (sa->sa_family) {
7090
0
#ifdef INET
7091
0
    case AF_INET:
7092
0
      if (stcb->asoc.scope.ipv4_addr_legal) {
7093
0
        if (sctp_add_remote_addr(stcb, sa, NULL, port, SCTP_DONOT_SETSCOPE, SCTP_LOAD_ADDR_2)) {
7094
0
          return (-1);
7095
0
        }
7096
0
      }
7097
0
      break;
7098
0
#endif
7099
0
#ifdef INET6
7100
0
    case AF_INET6:
7101
0
      if (stcb->asoc.scope.ipv6_addr_legal) {
7102
0
        if (sctp_add_remote_addr(stcb, sa, NULL, port, SCTP_DONOT_SETSCOPE, SCTP_LOAD_ADDR_3)) {
7103
0
          return (-2);
7104
0
        }
7105
0
      }
7106
0
      break;
7107
0
#endif
7108
0
#if defined(__Userspace__)
7109
0
    case AF_CONN:
7110
0
      if (stcb->asoc.scope.conn_addr_legal) {
7111
0
        if (sctp_add_remote_addr(stcb, sa, NULL, port, SCTP_DONOT_SETSCOPE, SCTP_LOAD_ADDR_3)) {
7112
0
          return (-2);
7113
0
        }
7114
0
      }
7115
0
      break;
7116
0
#endif
7117
0
    default:
7118
0
      break;
7119
0
    }
7120
9.22k
  } else {
7121
9.22k
    if (net_tmp != NULL && stcb_tmp == stcb) {
7122
9.22k
      net_tmp->dest_state &= ~SCTP_ADDR_NOT_IN_ASSOC;
7123
9.22k
    } else if (stcb_tmp != stcb) {
7124
      /* It belongs to another association? */
7125
0
      if (stcb_tmp)
7126
0
        SCTP_TCB_UNLOCK(stcb_tmp);
7127
0
      return (-3);
7128
0
    }
7129
9.22k
  }
7130
9.22k
  if (stcb->asoc.state == 0) {
7131
    /* the assoc was freed? */
7132
0
    return (-4);
7133
0
  }
7134
  /* now we must go through each of the params. */
7135
9.22k
  phdr = sctp_get_next_param(m, offset, &param_buf, sizeof(param_buf));
7136
149k
  while (phdr) {
7137
149k
    ptype = ntohs(phdr->param_type);
7138
149k
    plen = ntohs(phdr->param_length);
7139
    /*
7140
     * SCTP_PRINTF("ptype => %0x, plen => %d\n", (uint32_t)ptype,
7141
     * (int)plen);
7142
     */
7143
149k
    if (offset + plen > limit) {
7144
32
      break;
7145
32
    }
7146
149k
    if (plen < sizeof(struct sctp_paramhdr)) {
7147
2
      break;
7148
2
    }
7149
149k
#ifdef INET
7150
149k
    if (ptype == SCTP_IPV4_ADDRESS) {
7151
544
      if (stcb->asoc.scope.ipv4_addr_legal) {
7152
0
        struct sctp_ipv4addr_param *p4, p4_buf;
7153
7154
        /* ok get the v4 address and check/add */
7155
0
        phdr = sctp_get_next_param(m, offset,
7156
0
                 (struct sctp_paramhdr *)&p4_buf,
7157
0
                 sizeof(p4_buf));
7158
0
        if (plen != sizeof(struct sctp_ipv4addr_param) ||
7159
0
            phdr == NULL) {
7160
0
          return (-5);
7161
0
        }
7162
0
        p4 = (struct sctp_ipv4addr_param *)phdr;
7163
0
        sin.sin_addr.s_addr = p4->addr;
7164
0
        if (IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
7165
          /* Skip multi-cast addresses */
7166
0
          goto next_param;
7167
0
        }
7168
0
        if ((sin.sin_addr.s_addr == INADDR_BROADCAST) ||
7169
0
            (sin.sin_addr.s_addr == INADDR_ANY)) {
7170
0
          goto next_param;
7171
0
        }
7172
0
        sa = (struct sockaddr *)&sin;
7173
0
        inp = stcb->sctp_ep;
7174
0
        atomic_add_int(&stcb->asoc.refcnt, 1);
7175
0
        stcb_tmp = sctp_findassociation_ep_addr(&inp, sa, &net,
7176
0
                  dst, stcb);
7177
0
        atomic_subtract_int(&stcb->asoc.refcnt, 1);
7178
7179
0
        if ((stcb_tmp == NULL && inp == stcb->sctp_ep) ||
7180
0
            inp == NULL) {
7181
          /* we must add the source address */
7182
          /*
7183
           * no scope set since we have a tcb
7184
           * already
7185
           */
7186
7187
          /*
7188
           * we must validate the state again
7189
           * here
7190
           */
7191
0
        add_it_now:
7192
0
          if (stcb->asoc.state == 0) {
7193
            /* the assoc was freed? */
7194
0
            return (-7);
7195
0
          }
7196
0
          if (sctp_add_remote_addr(stcb, sa, NULL, port, SCTP_DONOT_SETSCOPE, SCTP_LOAD_ADDR_4)) {
7197
0
            return (-8);
7198
0
          }
7199
0
        } else if (stcb_tmp == stcb) {
7200
0
          if (stcb->asoc.state == 0) {
7201
            /* the assoc was freed? */
7202
0
            return (-10);
7203
0
          }
7204
0
          if (net != NULL) {
7205
            /* clear flag */
7206
0
            net->dest_state &=
7207
0
              ~SCTP_ADDR_NOT_IN_ASSOC;
7208
0
          }
7209
0
        } else {
7210
          /*
7211
           * strange, address is in another
7212
           * assoc? straighten out locks.
7213
           */
7214
0
          if (stcb_tmp) {
7215
0
            if (SCTP_GET_STATE(stcb_tmp) == SCTP_STATE_COOKIE_WAIT) {
7216
0
              struct mbuf *op_err;
7217
0
              char msg[SCTP_DIAG_INFO_LEN];
7218
7219
              /* in setup state we abort this guy */
7220
0
              SCTP_SNPRINTF(msg, sizeof(msg),
7221
0
                            "%s:%d at %s", __FILE__, __LINE__, __func__);
7222
0
              op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
7223
0
                       msg);
7224
0
              sctp_abort_an_association(stcb_tmp->sctp_ep,
7225
0
                                        stcb_tmp, op_err, false,
7226
0
                                        SCTP_SO_NOT_LOCKED);
7227
0
              goto add_it_now;
7228
0
            }
7229
0
            SCTP_TCB_UNLOCK(stcb_tmp);
7230
0
          }
7231
7232
0
          if (stcb->asoc.state == 0) {
7233
            /* the assoc was freed? */
7234
0
            return (-12);
7235
0
          }
7236
0
          return (-13);
7237
0
        }
7238
0
      }
7239
544
    } else
7240
148k
#endif
7241
148k
#ifdef INET6
7242
148k
    if (ptype == SCTP_IPV6_ADDRESS) {
7243
164
      if (stcb->asoc.scope.ipv6_addr_legal) {
7244
        /* ok get the v6 address and check/add */
7245
0
        struct sctp_ipv6addr_param *p6, p6_buf;
7246
7247
0
        phdr = sctp_get_next_param(m, offset,
7248
0
                 (struct sctp_paramhdr *)&p6_buf,
7249
0
                 sizeof(p6_buf));
7250
0
        if (plen != sizeof(struct sctp_ipv6addr_param) ||
7251
0
            phdr == NULL) {
7252
0
          return (-14);
7253
0
        }
7254
0
        p6 = (struct sctp_ipv6addr_param *)phdr;
7255
0
        memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
7256
0
               sizeof(p6->addr));
7257
0
        if (IN6_IS_ADDR_MULTICAST(&sin6.sin6_addr)) {
7258
          /* Skip multi-cast addresses */
7259
0
          goto next_param;
7260
0
        }
7261
0
        if (IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
7262
          /* Link local make no sense without scope */
7263
0
          goto next_param;
7264
0
        }
7265
0
        sa = (struct sockaddr *)&sin6;
7266
0
        inp = stcb->sctp_ep;
7267
0
        atomic_add_int(&stcb->asoc.refcnt, 1);
7268
0
        stcb_tmp = sctp_findassociation_ep_addr(&inp, sa, &net,
7269
0
                  dst, stcb);
7270
0
        atomic_subtract_int(&stcb->asoc.refcnt, 1);
7271
0
        if (stcb_tmp == NULL &&
7272
0
            (inp == stcb->sctp_ep || inp == NULL)) {
7273
          /*
7274
           * we must validate the state again
7275
           * here
7276
           */
7277
0
        add_it_now6:
7278
0
          if (stcb->asoc.state == 0) {
7279
            /* the assoc was freed? */
7280
0
            return (-16);
7281
0
          }
7282
          /*
7283
           * we must add the address, no scope
7284
           * set
7285
           */
7286
0
          if (sctp_add_remote_addr(stcb, sa, NULL, port, SCTP_DONOT_SETSCOPE, SCTP_LOAD_ADDR_5)) {
7287
0
            return (-17);
7288
0
          }
7289
0
        } else if (stcb_tmp == stcb) {
7290
          /*
7291
           * we must validate the state again
7292
           * here
7293
           */
7294
0
          if (stcb->asoc.state == 0) {
7295
            /* the assoc was freed? */
7296
0
            return (-19);
7297
0
          }
7298
0
          if (net != NULL) {
7299
            /* clear flag */
7300
0
            net->dest_state &=
7301
0
              ~SCTP_ADDR_NOT_IN_ASSOC;
7302
0
          }
7303
0
        } else {
7304
          /*
7305
           * strange, address is in another
7306
           * assoc? straighten out locks.
7307
           */
7308
0
          if (stcb_tmp) {
7309
0
            if (SCTP_GET_STATE(stcb_tmp) == SCTP_STATE_COOKIE_WAIT) {
7310
0
              struct mbuf *op_err;
7311
0
              char msg[SCTP_DIAG_INFO_LEN];
7312
7313
              /* in setup state we abort this guy */
7314
0
              SCTP_SNPRINTF(msg, sizeof(msg),
7315
0
                            "%s:%d at %s", __FILE__, __LINE__, __func__);
7316
0
              op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
7317
0
                       msg);
7318
0
              sctp_abort_an_association(stcb_tmp->sctp_ep,
7319
0
                                        stcb_tmp, op_err, false,
7320
0
                                        SCTP_SO_NOT_LOCKED);
7321
0
              goto add_it_now6;
7322
0
            }
7323
0
            SCTP_TCB_UNLOCK(stcb_tmp);
7324
0
          }
7325
0
          if (stcb->asoc.state == 0) {
7326
            /* the assoc was freed? */
7327
0
            return (-21);
7328
0
          }
7329
0
          return (-22);
7330
0
        }
7331
0
      }
7332
164
    } else
7333
148k
#endif
7334
148k
    if (ptype == SCTP_ECN_CAPABLE) {
7335
15.4k
      peer_supports_ecn = 1;
7336
133k
    } else if (ptype == SCTP_ULP_ADAPTATION) {
7337
8.81k
      if (stcb->asoc.state != SCTP_STATE_OPEN) {
7338
8.81k
        struct sctp_adaptation_layer_indication ai, *aip;
7339
7340
8.81k
        phdr = sctp_get_next_param(m, offset,
7341
8.81k
                 (struct sctp_paramhdr *)&ai, sizeof(ai));
7342
8.81k
        aip = (struct sctp_adaptation_layer_indication *)phdr;
7343
8.81k
        if (aip) {
7344
8.81k
          stcb->asoc.peers_adaptation = ntohl(aip->indication);
7345
8.81k
          stcb->asoc.adaptation_needed = 1;
7346
8.81k
        }
7347
8.81k
      }
7348
124k
    } else if (ptype == SCTP_SET_PRIM_ADDR) {
7349
3.18k
      struct sctp_asconf_addr_param lstore, *fee;
7350
3.18k
      int lptype;
7351
3.18k
      struct sockaddr *lsa = NULL;
7352
3.18k
#ifdef INET
7353
3.18k
      struct sctp_asconf_addrv4_param *fii;
7354
3.18k
#endif
7355
7356
3.18k
      if (stcb->asoc.asconf_supported == 0) {
7357
0
        return (-100);
7358
0
      }
7359
3.18k
      if (plen > sizeof(lstore)) {
7360
0
        return (-23);
7361
0
      }
7362
3.18k
      if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
7363
1
        return (-101);
7364
1
      }
7365
3.18k
      phdr = sctp_get_next_param(m, offset,
7366
3.18k
               (struct sctp_paramhdr *)&lstore,
7367
3.18k
               plen);
7368
3.18k
      if (phdr == NULL) {
7369
0
        return (-24);
7370
0
      }
7371
3.18k
      fee = (struct sctp_asconf_addr_param *)phdr;
7372
3.18k
      lptype = ntohs(fee->addrp.ph.param_type);
7373
3.18k
      switch (lptype) {
7374
0
#ifdef INET
7375
1.25k
      case SCTP_IPV4_ADDRESS:
7376
1.25k
        if (plen !=
7377
1.25k
            sizeof(struct sctp_asconf_addrv4_param)) {
7378
92
          SCTP_PRINTF("Sizeof setprim in init/init ack not %d but %d - ignored\n",
7379
92
                (int)sizeof(struct sctp_asconf_addrv4_param),
7380
92
                plen);
7381
1.16k
        } else {
7382
1.16k
          fii = (struct sctp_asconf_addrv4_param *)fee;
7383
1.16k
          sin.sin_addr.s_addr = fii->addrp.addr;
7384
1.16k
          lsa = (struct sockaddr *)&sin;
7385
1.16k
        }
7386
1.25k
        break;
7387
0
#endif
7388
0
#ifdef INET6
7389
427
      case SCTP_IPV6_ADDRESS:
7390
427
        if (plen !=
7391
427
            sizeof(struct sctp_asconf_addr_param)) {
7392
339
          SCTP_PRINTF("Sizeof setprim (v6) in init/init ack not %d but %d - ignored\n",
7393
339
                (int)sizeof(struct sctp_asconf_addr_param),
7394
339
                plen);
7395
339
        } else {
7396
88
          memcpy(sin6.sin6_addr.s6_addr,
7397
88
                 fee->addrp.addr,
7398
88
                 sizeof(fee->addrp.addr));
7399
88
          lsa = (struct sockaddr *)&sin6;
7400
88
        }
7401
427
        break;
7402
0
#endif
7403
1.50k
      default:
7404
1.50k
        break;
7405
3.18k
      }
7406
3.18k
      if (lsa) {
7407
1.25k
        (void)sctp_set_primary_addr(stcb, sa, NULL);
7408
1.25k
      }
7409
121k
    } else if (ptype == SCTP_HAS_NAT_SUPPORT) {
7410
3.57k
      stcb->asoc.peer_supports_nat = 1;
7411
117k
    } else if (ptype == SCTP_PRSCTP_SUPPORTED) {
7412
      /* Peer supports pr-sctp */
7413
12.1k
      peer_supports_prsctp = 1;
7414
105k
    } else if (ptype == SCTP_SUPPORTED_CHUNK_EXT) {
7415
      /* A supported extension chunk */
7416
32.2k
      struct sctp_supported_chunk_types_param *pr_supported;
7417
32.2k
      uint8_t local_store[SCTP_PARAM_BUFFER_SIZE];
7418
32.2k
      int num_ent, i;
7419
7420
32.2k
      if (plen > sizeof(local_store)) {
7421
0
        return (-35);
7422
0
      }
7423
32.2k
      phdr = sctp_get_next_param(m, offset,
7424
32.2k
               (struct sctp_paramhdr *)&local_store, plen);
7425
32.2k
      if (phdr == NULL) {
7426
0
        return (-25);
7427
0
      }
7428
32.2k
      pr_supported = (struct sctp_supported_chunk_types_param *)phdr;
7429
32.2k
      num_ent = plen - sizeof(struct sctp_paramhdr);
7430
330k
      for (i = 0; i < num_ent; i++) {
7431
298k
        switch (pr_supported->chunk_types[i]) {
7432
9.22k
        case SCTP_ASCONF:
7433
9.22k
          peer_supports_asconf = 1;
7434
9.22k
          break;
7435
26.5k
        case SCTP_ASCONF_ACK:
7436
26.5k
          peer_supports_asconf_ack = 1;
7437
26.5k
          break;
7438
19.0k
        case SCTP_FORWARD_CUM_TSN:
7439
19.0k
          peer_supports_prsctp = 1;
7440
19.0k
          break;
7441
2.08k
        case SCTP_PACKET_DROPPED:
7442
2.08k
          peer_supports_pktdrop = 1;
7443
2.08k
          break;
7444
4.01k
        case SCTP_NR_SELECTIVE_ACK:
7445
4.01k
          peer_supports_nrsack = 1;
7446
4.01k
          break;
7447
18.2k
        case SCTP_STREAM_RESET:
7448
18.2k
          peer_supports_reconfig = 1;
7449
18.2k
          break;
7450
10.6k
        case SCTP_AUTHENTICATION:
7451
10.6k
          peer_supports_auth = 1;
7452
10.6k
          break;
7453
11.4k
        case SCTP_IDATA:
7454
11.4k
          peer_supports_idata = 1;
7455
11.4k
          break;
7456
197k
        default:
7457
          /* one I have not learned yet */
7458
197k
          break;
7459
298k
        }
7460
298k
      }
7461
73.3k
    } else if (ptype == SCTP_RANDOM) {
7462
8.58k
      if (plen > sizeof(random_store))
7463
0
        break;
7464
8.58k
      if (got_random) {
7465
        /* already processed a RANDOM */
7466
144
        goto next_param;
7467
144
      }
7468
8.44k
      phdr = sctp_get_next_param(m, offset,
7469
8.44k
               (struct sctp_paramhdr *)random_store,
7470
8.44k
               plen);
7471
8.44k
      if (phdr == NULL)
7472
0
        return (-26);
7473
8.44k
      p_random = (struct sctp_auth_random *)phdr;
7474
8.44k
      random_len = plen - sizeof(*p_random);
7475
      /* enforce the random length */
7476
8.44k
      if (random_len != SCTP_AUTH_RANDOM_SIZE_REQUIRED) {
7477
12
        SCTPDBG(SCTP_DEBUG_AUTH1, "SCTP: invalid RANDOM len\n");
7478
12
        return (-27);
7479
12
      }
7480
8.42k
      got_random = 1;
7481
64.7k
    } else if (ptype == SCTP_HMAC_LIST) {
7482
8.96k
      uint16_t num_hmacs;
7483
8.96k
      uint16_t i;
7484
7485
8.96k
      if (plen > sizeof(hmacs_store))
7486
2
        break;
7487
8.96k
      if (got_hmacs) {
7488
        /* already processed a HMAC list */
7489
471
        goto next_param;
7490
471
      }
7491
8.49k
      phdr = sctp_get_next_param(m, offset,
7492
8.49k
               (struct sctp_paramhdr *)hmacs_store,
7493
8.49k
               plen);
7494
8.49k
      if (phdr == NULL)
7495
0
        return (-28);
7496
8.49k
      hmacs = (struct sctp_auth_hmac_algo *)phdr;
7497
8.49k
      hmacs_len = plen - sizeof(*hmacs);
7498
8.49k
      num_hmacs = hmacs_len / sizeof(hmacs->hmac_ids[0]);
7499
      /* validate the hmac list */
7500
8.49k
      if (sctp_verify_hmac_param(hmacs, num_hmacs)) {
7501
22
        return (-29);
7502
22
      }
7503
8.46k
      if (stcb->asoc.peer_hmacs != NULL)
7504
0
        sctp_free_hmaclist(stcb->asoc.peer_hmacs);
7505
8.46k
      stcb->asoc.peer_hmacs = sctp_alloc_hmaclist(num_hmacs);
7506
8.46k
      if (stcb->asoc.peer_hmacs != NULL) {
7507
27.7k
        for (i = 0; i < num_hmacs; i++) {
7508
19.2k
          (void)sctp_auth_add_hmacid(stcb->asoc.peer_hmacs,
7509
19.2k
                   ntohs(hmacs->hmac_ids[i]));
7510
19.2k
        }
7511
8.46k
      }
7512
8.46k
      got_hmacs = 1;
7513
55.7k
    } else if (ptype == SCTP_CHUNK_LIST) {
7514
10.5k
      int i;
7515
7516
10.5k
      if (plen > sizeof(chunks_store))
7517
0
        break;
7518
10.5k
      if (got_chklist) {
7519
        /* already processed a Chunks list */
7520
1.92k
        goto next_param;
7521
1.92k
      }
7522
8.60k
      phdr = sctp_get_next_param(m, offset,
7523
8.60k
               (struct sctp_paramhdr *)chunks_store,
7524
8.60k
               plen);
7525
8.60k
      if (phdr == NULL)
7526
0
        return (-30);
7527
8.60k
      chunks = (struct sctp_auth_chunk_list *)phdr;
7528
8.60k
      num_chunks = plen - sizeof(*chunks);
7529
8.60k
      if (stcb->asoc.peer_auth_chunks != NULL)
7530
0
        sctp_clear_chunklist(stcb->asoc.peer_auth_chunks);
7531
8.60k
      else
7532
8.60k
        stcb->asoc.peer_auth_chunks = sctp_alloc_chunklist();
7533
32.3k
      for (i = 0; i < num_chunks; i++) {
7534
23.7k
        (void)sctp_auth_add_chunk(chunks->chunk_types[i],
7535
23.7k
                stcb->asoc.peer_auth_chunks);
7536
        /* record asconf/asconf-ack if listed */
7537
23.7k
        if (chunks->chunk_types[i] == SCTP_ASCONF)
7538
8.68k
          saw_asconf = 1;
7539
23.7k
        if (chunks->chunk_types[i] == SCTP_ASCONF_ACK)
7540
8.79k
          saw_asconf_ack = 1;
7541
23.7k
      }
7542
8.60k
      got_chklist = 1;
7543
45.2k
    } else if ((ptype == SCTP_HEARTBEAT_INFO) ||
7544
45.2k
         (ptype == SCTP_STATE_COOKIE) ||
7545
45.2k
         (ptype == SCTP_UNRECOG_PARAM) ||
7546
45.2k
         (ptype == SCTP_COOKIE_PRESERVE) ||
7547
45.2k
         (ptype == SCTP_SUPPORTED_ADDRTYPE) ||
7548
45.2k
         (ptype == SCTP_ADD_IP_ADDRESS) ||
7549
45.2k
         (ptype == SCTP_DEL_IP_ADDRESS) ||
7550
45.2k
         (ptype == SCTP_ERROR_CAUSE_IND) ||
7551
45.2k
         (ptype == SCTP_SUCCESS_REPORT)) {
7552
      /* don't care */
7553
25.4k
    } else {
7554
25.4k
      if ((ptype & 0x8000) == 0x0000) {
7555
        /*
7556
         * must stop processing the rest of the
7557
         * param's. Any report bits were handled
7558
         * with the call to
7559
         * sctp_arethere_unrecognized_parameters()
7560
         * when the INIT or INIT-ACK was first seen.
7561
         */
7562
189
        break;
7563
189
      }
7564
25.4k
    }
7565
7566
149k
  next_param:
7567
149k
    offset += SCTP_SIZE32(plen);
7568
149k
    if (offset >= limit) {
7569
8.80k
      break;
7570
8.80k
    }
7571
140k
    phdr = sctp_get_next_param(m, offset, &param_buf,
7572
140k
                               sizeof(param_buf));
7573
140k
  }
7574
  /* Now check to see if we need to purge any addresses */
7575
9.18k
  TAILQ_FOREACH_SAFE(net, &stcb->asoc.nets, sctp_next, nnet) {
7576
9.18k
    if ((net->dest_state & SCTP_ADDR_NOT_IN_ASSOC) ==
7577
9.18k
        SCTP_ADDR_NOT_IN_ASSOC) {
7578
      /* This address has been removed from the asoc */
7579
      /* remove and free it */
7580
0
      stcb->asoc.numnets--;
7581
0
      TAILQ_REMOVE(&stcb->asoc.nets, net, sctp_next);
7582
0
      if (net == stcb->asoc.alternate) {
7583
0
        sctp_free_remote_addr(stcb->asoc.alternate);
7584
0
        stcb->asoc.alternate = NULL;
7585
0
      }
7586
0
      if (net == stcb->asoc.primary_destination) {
7587
0
        stcb->asoc.primary_destination = NULL;
7588
0
        sctp_select_primary_destination(stcb);
7589
0
      }
7590
0
      sctp_free_remote_addr(net);
7591
0
    }
7592
9.18k
  }
7593
9.18k
  if ((stcb->asoc.ecn_supported == 1) &&
7594
9.18k
      (peer_supports_ecn == 0)) {
7595
706
    stcb->asoc.ecn_supported = 0;
7596
706
  }
7597
9.18k
  if ((stcb->asoc.prsctp_supported == 1) &&
7598
9.18k
      (peer_supports_prsctp == 0)) {
7599
619
    stcb->asoc.prsctp_supported = 0;
7600
619
  }
7601
9.18k
  if ((stcb->asoc.auth_supported == 1) &&
7602
9.18k
      ((peer_supports_auth == 0) ||
7603
9.18k
       (got_random == 0) || (got_hmacs == 0))) {
7604
778
    stcb->asoc.auth_supported = 0;
7605
778
  }
7606
9.18k
  if ((stcb->asoc.asconf_supported == 1) &&
7607
9.18k
      ((peer_supports_asconf == 0) || (peer_supports_asconf_ack == 0) ||
7608
9.18k
       (stcb->asoc.auth_supported == 0) ||
7609
9.18k
       (saw_asconf == 0) || (saw_asconf_ack == 0))) {
7610
789
    stcb->asoc.asconf_supported = 0;
7611
789
  }
7612
9.18k
  if ((stcb->asoc.reconfig_supported == 1) &&
7613
9.18k
      (peer_supports_reconfig == 0)) {
7614
702
    stcb->asoc.reconfig_supported = 0;
7615
702
  }
7616
9.18k
  if ((stcb->asoc.idata_supported == 1) &&
7617
9.18k
      (peer_supports_idata == 0)) {
7618
602
    stcb->asoc.idata_supported = 0;
7619
602
  }
7620
9.18k
  if ((stcb->asoc.nrsack_supported == 1) &&
7621
9.18k
      (peer_supports_nrsack == 0)) {
7622
9.07k
    stcb->asoc.nrsack_supported = 0;
7623
9.07k
  }
7624
9.18k
  if ((stcb->asoc.pktdrop_supported == 1) &&
7625
9.18k
      (peer_supports_pktdrop == 0)) {
7626
9.08k
    stcb->asoc.pktdrop_supported = 0;
7627
9.08k
  }
7628
  /* validate authentication required parameters */
7629
9.18k
  if ((peer_supports_auth == 0) && (got_chklist == 1)) {
7630
    /* peer does not support auth but sent a chunks list? */
7631
121
    return (-31);
7632
121
  }
7633
9.06k
  if ((peer_supports_asconf == 1) && (peer_supports_auth == 0)) {
7634
    /* peer supports asconf but not auth? */
7635
27
    return (-32);
7636
9.04k
  } else if ((peer_supports_asconf == 1) &&
7637
9.04k
             (peer_supports_auth == 1) &&
7638
9.04k
       ((saw_asconf == 0) || (saw_asconf_ack == 0))) {
7639
40
    return (-33);
7640
40
  }
7641
  /* concatenate the full random key */
7642
9.00k
  keylen = sizeof(*p_random) + random_len + sizeof(*hmacs) + hmacs_len;
7643
9.00k
  if (chunks != NULL) {
7644
8.45k
    keylen += sizeof(*chunks) + num_chunks;
7645
8.45k
  }
7646
9.00k
  new_key = sctp_alloc_key(keylen);
7647
9.00k
  if (new_key != NULL) {
7648
    /* copy in the RANDOM */
7649
9.00k
    if (p_random != NULL) {
7650
8.41k
      keylen = sizeof(*p_random) + random_len;
7651
8.41k
      memcpy(new_key->key, p_random, keylen);
7652
8.41k
    } else {
7653
583
      keylen = 0;
7654
583
    }
7655
    /* append in the AUTH chunks */
7656
9.00k
    if (chunks != NULL) {
7657
8.45k
      memcpy(new_key->key + keylen, chunks,
7658
8.45k
             sizeof(*chunks) + num_chunks);
7659
8.45k
      keylen += sizeof(*chunks) + num_chunks;
7660
8.45k
    }
7661
    /* append in the HMACs */
7662
9.00k
    if (hmacs != NULL) {
7663
8.45k
      memcpy(new_key->key + keylen, hmacs,
7664
8.45k
             sizeof(*hmacs) + hmacs_len);
7665
8.45k
    }
7666
9.00k
  } else {
7667
    /* failed to get memory for the key */
7668
0
    return (-34);
7669
0
  }
7670
9.00k
  if (stcb->asoc.authinfo.peer_random != NULL)
7671
0
    sctp_free_key(stcb->asoc.authinfo.peer_random);
7672
9.00k
  stcb->asoc.authinfo.peer_random = new_key;
7673
9.00k
  sctp_clear_cachedkeys(stcb, stcb->asoc.authinfo.assoc_keyid);
7674
9.00k
  sctp_clear_cachedkeys(stcb, stcb->asoc.authinfo.recv_keyid);
7675
7676
9.00k
  return (0);
7677
9.00k
}
7678
7679
int
7680
sctp_set_primary_addr(struct sctp_tcb *stcb, struct sockaddr *sa,
7681
          struct sctp_nets *net)
7682
7.79k
{
7683
  /* make sure the requested primary address exists in the assoc */
7684
7.79k
  if (net == NULL && sa)
7685
7.79k
    net = sctp_findnet(stcb, sa);
7686
7687
7.79k
  if (net == NULL) {
7688
    /* didn't find the requested primary address! */
7689
4.41k
    return (-1);
7690
4.41k
  } else {
7691
    /* set the primary address */
7692
3.37k
    if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
7693
      /* Must be confirmed, so queue to set */
7694
844
      net->dest_state |= SCTP_ADDR_REQ_PRIMARY;
7695
844
      return (0);
7696
844
    }
7697
2.53k
    stcb->asoc.primary_destination = net;
7698
2.53k
    if (((net->dest_state & SCTP_ADDR_PF) == 0) &&
7699
2.53k
        (stcb->asoc.alternate != NULL)) {
7700
4
      sctp_free_remote_addr(stcb->asoc.alternate);
7701
4
      stcb->asoc.alternate = NULL;
7702
4
    }
7703
2.53k
    net = TAILQ_FIRST(&stcb->asoc.nets);
7704
2.53k
    if (net != stcb->asoc.primary_destination) {
7705
      /* first one on the list is NOT the primary
7706
       * sctp_cmpaddr() is much more efficient if
7707
       * the primary is the first on the list, make it
7708
       * so.
7709
       */
7710
638
      TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
7711
638
      TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
7712
638
    }
7713
2.53k
    return (0);
7714
2.53k
  }
7715
7.79k
}
7716
7717
bool
7718
sctp_is_vtag_good(uint32_t tag, uint16_t lport, uint16_t rport, struct timeval *now)
7719
27.5k
{
7720
27.5k
  struct sctpasochead *head;
7721
27.5k
  struct sctp_tcb *stcb;
7722
7723
27.5k
  SCTP_INP_INFO_LOCK_ASSERT();
7724
7725
27.5k
  head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag, SCTP_BASE_INFO(hashasocmark))];
7726
27.5k
  LIST_FOREACH(stcb, head, sctp_asocs) {
7727
    /* We choose not to lock anything here. TCB's can't be
7728
     * removed since we have the read lock, so they can't
7729
     * be freed on us, same thing for the INP. I may
7730
     * be wrong with this assumption, but we will go
7731
     * with it for now :-)
7732
     */
7733
19
    if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) {
7734
0
      continue;
7735
0
    }
7736
19
    if (stcb->asoc.my_vtag == tag) {
7737
      /* candidate */
7738
0
      if (stcb->rport != rport) {
7739
0
        continue;
7740
0
      }
7741
0
      if (stcb->sctp_ep->sctp_lport != lport) {
7742
0
        continue;
7743
0
      }
7744
      /* The tag is currently used, so don't use it. */
7745
0
      return (false);
7746
0
    }
7747
19
  }
7748
27.5k
  return (!sctp_is_in_timewait(tag, lport, rport, (uint32_t)now->tv_sec));
7749
27.5k
}
7750
7751
static void
7752
sctp_drain_mbufs(struct sctp_tcb *stcb)
7753
0
{
7754
  /*
7755
   * We must hunt this association for MBUF's past the cumack (i.e.
7756
   * out of order data that we can renege on).
7757
   */
7758
0
  struct sctp_association *asoc;
7759
0
  struct sctp_tmit_chunk *chk, *nchk;
7760
0
  uint32_t cumulative_tsn_p1;
7761
0
  struct sctp_queued_to_read *control, *ncontrol;
7762
0
  int cnt, strmat;
7763
0
  uint32_t gap, i;
7764
0
  int fnd = 0;
7765
7766
  /* We look for anything larger than the cum-ack + 1 */
7767
7768
0
  asoc = &stcb->asoc;
7769
0
  if (asoc->cumulative_tsn == asoc->highest_tsn_inside_map) {
7770
    /* none we can reneg on. */
7771
0
    return;
7772
0
  }
7773
0
  SCTP_STAT_INCR(sctps_protocol_drains_done);
7774
0
  cumulative_tsn_p1 = asoc->cumulative_tsn + 1;
7775
0
  cnt = 0;
7776
  /* Ok that was fun, now we will drain all the inbound streams? */
7777
0
  for (strmat = 0; strmat < asoc->streamincnt; strmat++) {
7778
0
    TAILQ_FOREACH_SAFE(control, &asoc->strmin[strmat].inqueue, next_instrm, ncontrol) {
7779
0
#ifdef INVARIANTS
7780
0
      if (control->on_strm_q != SCTP_ON_ORDERED) {
7781
0
        panic("Huh control: %p on_q: %d -- not ordered?",
7782
0
              control, control->on_strm_q);
7783
0
      }
7784
0
#endif
7785
0
      if (SCTP_TSN_GT(control->sinfo_tsn, cumulative_tsn_p1)) {
7786
        /* Yep it is above cum-ack */
7787
0
        cnt++;
7788
0
        SCTP_CALC_TSN_TO_GAP(gap, control->sinfo_tsn, asoc->mapping_array_base_tsn);
7789
0
        KASSERT(control->length > 0, ("control has zero length"));
7790
0
        if (asoc->size_on_all_streams >= control->length) {
7791
0
          asoc->size_on_all_streams -= control->length;
7792
0
        } else {
7793
0
#ifdef INVARIANTS
7794
0
          panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
7795
#else
7796
          asoc->size_on_all_streams = 0;
7797
#endif
7798
0
        }
7799
0
        sctp_ucount_decr(asoc->cnt_on_all_streams);
7800
0
        SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
7801
0
        if (control->on_read_q) {
7802
0
          TAILQ_REMOVE(&stcb->sctp_ep->read_queue, control, next);
7803
0
          control->on_read_q = 0;
7804
0
        }
7805
0
        TAILQ_REMOVE(&asoc->strmin[strmat].inqueue, control, next_instrm);
7806
0
        control->on_strm_q = 0;
7807
0
        if (control->data) {
7808
0
          sctp_m_freem(control->data);
7809
0
          control->data = NULL;
7810
0
        }
7811
0
        sctp_free_remote_addr(control->whoFrom);
7812
        /* Now its reasm? */
7813
0
        TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
7814
0
          cnt++;
7815
0
          SCTP_CALC_TSN_TO_GAP(gap, chk->rec.data.tsn, asoc->mapping_array_base_tsn);
7816
0
          KASSERT(chk->send_size > 0, ("chunk has zero length"));
7817
0
          if (asoc->size_on_reasm_queue >= chk->send_size) {
7818
0
            asoc->size_on_reasm_queue -= chk->send_size;
7819
0
          } else {
7820
0
#ifdef INVARIANTS
7821
0
            panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, chk->send_size);
7822
#else
7823
            asoc->size_on_reasm_queue = 0;
7824
#endif
7825
0
          }
7826
0
          sctp_ucount_decr(asoc->cnt_on_reasm_queue);
7827
0
          SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
7828
0
          TAILQ_REMOVE(&control->reasm, chk, sctp_next);
7829
0
          if (chk->data) {
7830
0
            sctp_m_freem(chk->data);
7831
0
            chk->data = NULL;
7832
0
          }
7833
0
          sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7834
0
        }
7835
0
        sctp_free_a_readq(stcb, control);
7836
0
      }
7837
0
    }
7838
0
    TAILQ_FOREACH_SAFE(control, &asoc->strmin[strmat].uno_inqueue, next_instrm, ncontrol) {
7839
0
#ifdef INVARIANTS
7840
0
      if (control->on_strm_q != SCTP_ON_UNORDERED) {
7841
0
        panic("Huh control: %p on_q: %d -- not unordered?",
7842
0
              control, control->on_strm_q);
7843
0
      }
7844
0
#endif
7845
0
      if (SCTP_TSN_GT(control->sinfo_tsn, cumulative_tsn_p1)) {
7846
        /* Yep it is above cum-ack */
7847
0
        cnt++;
7848
0
        SCTP_CALC_TSN_TO_GAP(gap, control->sinfo_tsn, asoc->mapping_array_base_tsn);
7849
0
        KASSERT(control->length > 0, ("control has zero length"));
7850
0
        if (asoc->size_on_all_streams >= control->length) {
7851
0
          asoc->size_on_all_streams -= control->length;
7852
0
        } else {
7853
0
#ifdef INVARIANTS
7854
0
          panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
7855
#else
7856
          asoc->size_on_all_streams = 0;
7857
#endif
7858
0
        }
7859
0
        sctp_ucount_decr(asoc->cnt_on_all_streams);
7860
0
        SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
7861
0
        if (control->on_read_q) {
7862
0
          TAILQ_REMOVE(&stcb->sctp_ep->read_queue, control, next);
7863
0
          control->on_read_q = 0;
7864
0
        }
7865
0
        TAILQ_REMOVE(&asoc->strmin[strmat].uno_inqueue, control, next_instrm);
7866
0
        control->on_strm_q = 0;
7867
0
        if (control->data) {
7868
0
          sctp_m_freem(control->data);
7869
0
          control->data = NULL;
7870
0
        }
7871
0
        sctp_free_remote_addr(control->whoFrom);
7872
        /* Now its reasm? */
7873
0
        TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
7874
0
          cnt++;
7875
0
          SCTP_CALC_TSN_TO_GAP(gap, chk->rec.data.tsn, asoc->mapping_array_base_tsn);
7876
0
          KASSERT(chk->send_size > 0, ("chunk has zero length"));
7877
0
          if (asoc->size_on_reasm_queue >= chk->send_size) {
7878
0
            asoc->size_on_reasm_queue -= chk->send_size;
7879
0
          } else {
7880
0
#ifdef INVARIANTS
7881
0
            panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, chk->send_size);
7882
#else
7883
            asoc->size_on_reasm_queue = 0;
7884
#endif
7885
0
          }
7886
0
          sctp_ucount_decr(asoc->cnt_on_reasm_queue);
7887
0
          SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
7888
0
          TAILQ_REMOVE(&control->reasm, chk, sctp_next);
7889
0
          if (chk->data) {
7890
0
            sctp_m_freem(chk->data);
7891
0
            chk->data = NULL;
7892
0
          }
7893
0
          sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7894
0
        }
7895
0
        sctp_free_a_readq(stcb, control);
7896
0
      }
7897
0
    }
7898
0
  }
7899
0
  if (cnt) {
7900
    /* We must back down to see what the new highest is */
7901
0
    for (i = asoc->highest_tsn_inside_map; SCTP_TSN_GE(i, asoc->mapping_array_base_tsn); i--) {
7902
0
      SCTP_CALC_TSN_TO_GAP(gap, i, asoc->mapping_array_base_tsn);
7903
0
      if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) {
7904
0
        asoc->highest_tsn_inside_map = i;
7905
0
        fnd = 1;
7906
0
        break;
7907
0
      }
7908
0
    }
7909
0
    if (!fnd) {
7910
0
      asoc->highest_tsn_inside_map = asoc->mapping_array_base_tsn - 1;
7911
0
    }
7912
7913
    /*
7914
     * Question, should we go through the delivery queue? The only
7915
     * reason things are on here is the app not reading OR a p-d-api up.
7916
     * An attacker COULD send enough in to initiate the PD-API and then
7917
     * send a bunch of stuff to other streams... these would wind up on
7918
     * the delivery queue.. and then we would not get to them. But in
7919
     * order to do this I then have to back-track and un-deliver
7920
     * sequence numbers in streams.. el-yucko. I think for now we will
7921
     * NOT look at the delivery queue and leave it to be something to
7922
     * consider later. An alternative would be to abort the P-D-API with
7923
     * a notification and then deliver the data.... Or another method
7924
     * might be to keep track of how many times the situation occurs and
7925
     * if we see a possible attack underway just abort the association.
7926
     */
7927
#ifdef SCTP_DEBUG
7928
    SCTPDBG(SCTP_DEBUG_PCB1, "Freed %d chunks from reneg harvest\n", cnt);
7929
#endif
7930
    /*
7931
     * Now do we need to find a new
7932
     * asoc->highest_tsn_inside_map?
7933
     */
7934
0
    asoc->last_revoke_count = cnt;
7935
0
    sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL,
7936
0
                    SCTP_FROM_SCTP_PCB + SCTP_LOC_11);
7937
    /*sa_ignore NO_NULL_CHK*/
7938
0
    sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
7939
0
    sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_DRAIN, SCTP_SO_NOT_LOCKED);
7940
0
  }
7941
  /*
7942
   * Another issue, in un-setting the TSN's in the mapping array we
7943
   * DID NOT adjust the highest_tsn marker.  This will cause one of two
7944
   * things to occur. It may cause us to do extra work in checking for
7945
   * our mapping array movement. More importantly it may cause us to
7946
   * SACK every datagram. This may not be a bad thing though since we
7947
   * will recover once we get our cum-ack above and all this stuff we
7948
   * dumped recovered.
7949
   */
7950
0
}
7951
7952
void
7953
sctp_drain(void)
7954
0
{
7955
  /*
7956
   * We must walk the PCB lists for ALL associations here. The system
7957
   * is LOW on MBUF's and needs help. This is where reneging will
7958
   * occur. We really hope this does NOT happen!
7959
   */
7960
#if defined(__FreeBSD__) && !defined(__Userspace__)
7961
  VNET_ITERATOR_DECL(vnet_iter);
7962
#else
7963
0
  struct sctp_inpcb *inp;
7964
0
  struct sctp_tcb *stcb;
7965
7966
0
  SCTP_STAT_INCR(sctps_protocol_drain_calls);
7967
0
  if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
7968
0
    return;
7969
0
  }
7970
0
#endif
7971
#if defined(__FreeBSD__) && !defined(__Userspace__)
7972
  VNET_LIST_RLOCK_NOSLEEP();
7973
  VNET_FOREACH(vnet_iter) {
7974
    CURVNET_SET(vnet_iter);
7975
    struct sctp_inpcb *inp;
7976
    struct sctp_tcb *stcb;
7977
#endif
7978
7979
#if defined(__FreeBSD__) && !defined(__Userspace__)
7980
    SCTP_STAT_INCR(sctps_protocol_drain_calls);
7981
    if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
7982
#ifdef VIMAGE
7983
      continue;
7984
#else
7985
      return;
7986
#endif
7987
    }
7988
#endif
7989
0
    SCTP_INP_INFO_RLOCK();
7990
0
    LIST_FOREACH(inp, &SCTP_BASE_INFO(listhead), sctp_list) {
7991
      /* For each endpoint */
7992
0
      SCTP_INP_RLOCK(inp);
7993
0
      LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
7994
        /* For each association */
7995
0
        SCTP_TCB_LOCK(stcb);
7996
0
        sctp_drain_mbufs(stcb);
7997
0
        SCTP_TCB_UNLOCK(stcb);
7998
0
      }
7999
0
      SCTP_INP_RUNLOCK(inp);
8000
0
    }
8001
0
    SCTP_INP_INFO_RUNLOCK();
8002
#if defined(__FreeBSD__) && !defined(__Userspace__)
8003
    CURVNET_RESTORE();
8004
  }
8005
  VNET_LIST_RUNLOCK_NOSLEEP();
8006
#endif
8007
0
}
8008
8009
/*
8010
 * start a new iterator
8011
 * iterates through all endpoints and associations based on the pcb_state
8012
 * flags and asoc_state.  "af" (mandatory) is executed for all matching
8013
 * assocs and "ef" (optional) is executed when the iterator completes.
8014
 * "inpf" (optional) is executed for each new endpoint as it is being
8015
 * iterated through. inpe (optional) is called when the inp completes
8016
 * its way through all the stcbs.
8017
 */
8018
int
8019
sctp_initiate_iterator(inp_func inpf,
8020
           asoc_func af,
8021
           inp_func inpe,
8022
           uint32_t pcb_state,
8023
           uint32_t pcb_features,
8024
           uint32_t asoc_state,
8025
           void *argp,
8026
           uint32_t argi,
8027
           end_func ef,
8028
           struct sctp_inpcb *s_inp,
8029
           uint8_t chunk_output_off)
8030
0
{
8031
0
  struct sctp_iterator *it = NULL;
8032
8033
0
  if (af == NULL) {
8034
0
    return (-1);
8035
0
  }
8036
0
  if (SCTP_BASE_VAR(sctp_pcb_initialized) == 0) {
8037
0
    SCTP_PRINTF("%s: abort on initialize being %d\n", __func__,
8038
0
                SCTP_BASE_VAR(sctp_pcb_initialized));
8039
0
    return (-1);
8040
0
  }
8041
0
  SCTP_MALLOC(it, struct sctp_iterator *, sizeof(struct sctp_iterator),
8042
0
        SCTP_M_ITER);
8043
0
  if (it == NULL) {
8044
0
    SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_PCB, ENOMEM);
8045
0
    return (-1);
8046
0
  }
8047
0
  memset(it, 0, sizeof(*it));
8048
0
  it->function_assoc = af;
8049
0
  it->function_inp = inpf;
8050
0
  if (inpf)
8051
0
    it->done_current_ep = 0;
8052
0
  else
8053
0
    it->done_current_ep = 1;
8054
0
  it->function_atend = ef;
8055
0
  it->pointer = argp;
8056
0
  it->val = argi;
8057
0
  it->pcb_flags = pcb_state;
8058
0
  it->pcb_features = pcb_features;
8059
0
  it->asoc_state = asoc_state;
8060
0
  it->function_inp_end = inpe;
8061
0
  it->no_chunk_output = chunk_output_off;
8062
#if defined(__FreeBSD__) && !defined(__Userspace__)
8063
  it->vn = curvnet;
8064
#endif
8065
0
  if (s_inp) {
8066
    /* Assume lock is held here */
8067
0
    it->inp = s_inp;
8068
0
    SCTP_INP_INCR_REF(it->inp);
8069
0
    it->iterator_flags = SCTP_ITERATOR_DO_SINGLE_INP;
8070
0
  } else {
8071
0
    SCTP_INP_INFO_RLOCK();
8072
0
    it->inp = LIST_FIRST(&SCTP_BASE_INFO(listhead));
8073
0
    if (it->inp) {
8074
0
      SCTP_INP_INCR_REF(it->inp);
8075
0
    }
8076
0
    SCTP_INP_INFO_RUNLOCK();
8077
0
    it->iterator_flags = SCTP_ITERATOR_DO_ALL_INP;
8078
0
  }
8079
0
  SCTP_IPI_ITERATOR_WQ_LOCK();
8080
0
  if (SCTP_BASE_VAR(sctp_pcb_initialized) == 0) {
8081
0
    SCTP_IPI_ITERATOR_WQ_UNLOCK();
8082
0
    SCTP_PRINTF("%s: rollback on initialize being %d it=%p\n", __func__,
8083
0
                SCTP_BASE_VAR(sctp_pcb_initialized), it);
8084
0
    SCTP_FREE(it, SCTP_M_ITER);
8085
0
    return (-1);
8086
0
  }
8087
0
  TAILQ_INSERT_TAIL(&sctp_it_ctl.iteratorhead, it, sctp_nxt_itr);
8088
0
  if (sctp_it_ctl.iterator_running == 0) {
8089
0
    sctp_wakeup_iterator();
8090
0
  }
8091
0
  SCTP_IPI_ITERATOR_WQ_UNLOCK();
8092
  /* sa_ignore MEMLEAK {memory is put on the tailq for the iterator} */
8093
0
  return (0);
8094
0
}
8095
8096
/*
8097
 * Atomically add flags to the sctp_flags of an inp.
8098
 * To be used when the write lock of the inp is not held.
8099
 */
8100
void
8101
sctp_pcb_add_flags(struct sctp_inpcb *inp, uint32_t flags)
8102
8.15k
{
8103
8.15k
  uint32_t old_flags, new_flags;
8104
8105
8.15k
  do {
8106
8.15k
    old_flags = inp->sctp_flags;
8107
8.15k
    new_flags = old_flags | flags;
8108
8.15k
  } while (atomic_cmpset_int(&inp->sctp_flags, old_flags, new_flags) == 0);
8109
8.15k
}