xref: /freebsd/sys/netinet/sctp_output.c (revision aa0a1e58) 
1 /*-
2  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3  * Copyright (c) 2008-2011, by Randall Stewart. All rights reserved.
4  * Copyright (c) 2008-2011, by Michael Tuexen. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions are met:
8  *
9  * a) Redistributions of source code must retain the above copyright notice,
10  *   this list of conditions and the following disclaimer.
11  *
12  * b) Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *   the documentation and/or other materials provided with the distribution.
15  *
16  * c) Neither the name of Cisco Systems, Inc. nor the names of its
17  *    contributors may be used to endorse or promote products derived
18  *    from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30  * THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 /* $KAME: sctp_output.c,v 1.46 2005/03/06 16:04:17 itojun Exp $	 */
34 
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37 
38 #include <netinet/sctp_os.h>
39 #include <sys/proc.h>
40 #include <netinet/sctp_var.h>
41 #include <netinet/sctp_sysctl.h>
42 #include <netinet/sctp_header.h>
43 #include <netinet/sctp_pcb.h>
44 #include <netinet/sctputil.h>
45 #include <netinet/sctp_output.h>
46 #include <netinet/sctp_uio.h>
47 #include <netinet/sctputil.h>
48 #include <netinet/sctp_auth.h>
49 #include <netinet/sctp_timer.h>
50 #include <netinet/sctp_asconf.h>
51 #include <netinet/sctp_indata.h>
52 #include <netinet/sctp_bsd_addr.h>
53 #include <netinet/sctp_input.h>
54 #include <netinet/sctp_crc32.h>
55 #include <netinet/udp.h>
56 #include <machine/in_cksum.h>
57 
58 
59 
60 #define SCTP_MAX_GAPS_INARRAY 4
61 struct sack_track {
62 	uint8_t right_edge;	/* mergable on the right edge */
63 	uint8_t left_edge;	/* mergable on the left edge */
64 	uint8_t num_entries;
65 	uint8_t spare;
66 	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
67 };
68 
69 struct sack_track sack_array[256] = {
70 	{0, 0, 0, 0,		/* 0x00 */
71 		{{0, 0},
72 		{0, 0},
73 		{0, 0},
74 		{0, 0}
75 		}
76 	},
77 	{1, 0, 1, 0,		/* 0x01 */
78 		{{0, 0},
79 		{0, 0},
80 		{0, 0},
81 		{0, 0}
82 		}
83 	},
84 	{0, 0, 1, 0,		/* 0x02 */
85 		{{1, 1},
86 		{0, 0},
87 		{0, 0},
88 		{0, 0}
89 		}
90 	},
91 	{1, 0, 1, 0,		/* 0x03 */
92 		{{0, 1},
93 		{0, 0},
94 		{0, 0},
95 		{0, 0}
96 		}
97 	},
98 	{0, 0, 1, 0,		/* 0x04 */
99 		{{2, 2},
100 		{0, 0},
101 		{0, 0},
102 		{0, 0}
103 		}
104 	},
105 	{1, 0, 2, 0,		/* 0x05 */
106 		{{0, 0},
107 		{2, 2},
108 		{0, 0},
109 		{0, 0}
110 		}
111 	},
112 	{0, 0, 1, 0,		/* 0x06 */
113 		{{1, 2},
114 		{0, 0},
115 		{0, 0},
116 		{0, 0}
117 		}
118 	},
119 	{1, 0, 1, 0,		/* 0x07 */
120 		{{0, 2},
121 		{0, 0},
122 		{0, 0},
123 		{0, 0}
124 		}
125 	},
126 	{0, 0, 1, 0,		/* 0x08 */
127 		{{3, 3},
128 		{0, 0},
129 		{0, 0},
130 		{0, 0}
131 		}
132 	},
133 	{1, 0, 2, 0,		/* 0x09 */
134 		{{0, 0},
135 		{3, 3},
136 		{0, 0},
137 		{0, 0}
138 		}
139 	},
140 	{0, 0, 2, 0,		/* 0x0a */
141 		{{1, 1},
142 		{3, 3},
143 		{0, 0},
144 		{0, 0}
145 		}
146 	},
147 	{1, 0, 2, 0,		/* 0x0b */
148 		{{0, 1},
149 		{3, 3},
150 		{0, 0},
151 		{0, 0}
152 		}
153 	},
154 	{0, 0, 1, 0,		/* 0x0c */
155 		{{2, 3},
156 		{0, 0},
157 		{0, 0},
158 		{0, 0}
159 		}
160 	},
161 	{1, 0, 2, 0,		/* 0x0d */
162 		{{0, 0},
163 		{2, 3},
164 		{0, 0},
165 		{0, 0}
166 		}
167 	},
168 	{0, 0, 1, 0,		/* 0x0e */
169 		{{1, 3},
170 		{0, 0},
171 		{0, 0},
172 		{0, 0}
173 		}
174 	},
175 	{1, 0, 1, 0,		/* 0x0f */
176 		{{0, 3},
177 		{0, 0},
178 		{0, 0},
179 		{0, 0}
180 		}
181 	},
182 	{0, 0, 1, 0,		/* 0x10 */
183 		{{4, 4},
184 		{0, 0},
185 		{0, 0},
186 		{0, 0}
187 		}
188 	},
189 	{1, 0, 2, 0,		/* 0x11 */
190 		{{0, 0},
191 		{4, 4},
192 		{0, 0},
193 		{0, 0}
194 		}
195 	},
196 	{0, 0, 2, 0,		/* 0x12 */
197 		{{1, 1},
198 		{4, 4},
199 		{0, 0},
200 		{0, 0}
201 		}
202 	},
203 	{1, 0, 2, 0,		/* 0x13 */
204 		{{0, 1},
205 		{4, 4},
206 		{0, 0},
207 		{0, 0}
208 		}
209 	},
210 	{0, 0, 2, 0,		/* 0x14 */
211 		{{2, 2},
212 		{4, 4},
213 		{0, 0},
214 		{0, 0}
215 		}
216 	},
217 	{1, 0, 3, 0,		/* 0x15 */
218 		{{0, 0},
219 		{2, 2},
220 		{4, 4},
221 		{0, 0}
222 		}
223 	},
224 	{0, 0, 2, 0,		/* 0x16 */
225 		{{1, 2},
226 		{4, 4},
227 		{0, 0},
228 		{0, 0}
229 		}
230 	},
231 	{1, 0, 2, 0,		/* 0x17 */
232 		{{0, 2},
233 		{4, 4},
234 		{0, 0},
235 		{0, 0}
236 		}
237 	},
238 	{0, 0, 1, 0,		/* 0x18 */
239 		{{3, 4},
240 		{0, 0},
241 		{0, 0},
242 		{0, 0}
243 		}
244 	},
245 	{1, 0, 2, 0,		/* 0x19 */
246 		{{0, 0},
247 		{3, 4},
248 		{0, 0},
249 		{0, 0}
250 		}
251 	},
252 	{0, 0, 2, 0,		/* 0x1a */
253 		{{1, 1},
254 		{3, 4},
255 		{0, 0},
256 		{0, 0}
257 		}
258 	},
259 	{1, 0, 2, 0,		/* 0x1b */
260 		{{0, 1},
261 		{3, 4},
262 		{0, 0},
263 		{0, 0}
264 		}
265 	},
266 	{0, 0, 1, 0,		/* 0x1c */
267 		{{2, 4},
268 		{0, 0},
269 		{0, 0},
270 		{0, 0}
271 		}
272 	},
273 	{1, 0, 2, 0,		/* 0x1d */
274 		{{0, 0},
275 		{2, 4},
276 		{0, 0},
277 		{0, 0}
278 		}
279 	},
280 	{0, 0, 1, 0,		/* 0x1e */
281 		{{1, 4},
282 		{0, 0},
283 		{0, 0},
284 		{0, 0}
285 		}
286 	},
287 	{1, 0, 1, 0,		/* 0x1f */
288 		{{0, 4},
289 		{0, 0},
290 		{0, 0},
291 		{0, 0}
292 		}
293 	},
294 	{0, 0, 1, 0,		/* 0x20 */
295 		{{5, 5},
296 		{0, 0},
297 		{0, 0},
298 		{0, 0}
299 		}
300 	},
301 	{1, 0, 2, 0,		/* 0x21 */
302 		{{0, 0},
303 		{5, 5},
304 		{0, 0},
305 		{0, 0}
306 		}
307 	},
308 	{0, 0, 2, 0,		/* 0x22 */
309 		{{1, 1},
310 		{5, 5},
311 		{0, 0},
312 		{0, 0}
313 		}
314 	},
315 	{1, 0, 2, 0,		/* 0x23 */
316 		{{0, 1},
317 		{5, 5},
318 		{0, 0},
319 		{0, 0}
320 		}
321 	},
322 	{0, 0, 2, 0,		/* 0x24 */
323 		{{2, 2},
324 		{5, 5},
325 		{0, 0},
326 		{0, 0}
327 		}
328 	},
329 	{1, 0, 3, 0,		/* 0x25 */
330 		{{0, 0},
331 		{2, 2},
332 		{5, 5},
333 		{0, 0}
334 		}
335 	},
336 	{0, 0, 2, 0,		/* 0x26 */
337 		{{1, 2},
338 		{5, 5},
339 		{0, 0},
340 		{0, 0}
341 		}
342 	},
343 	{1, 0, 2, 0,		/* 0x27 */
344 		{{0, 2},
345 		{5, 5},
346 		{0, 0},
347 		{0, 0}
348 		}
349 	},
350 	{0, 0, 2, 0,		/* 0x28 */
351 		{{3, 3},
352 		{5, 5},
353 		{0, 0},
354 		{0, 0}
355 		}
356 	},
357 	{1, 0, 3, 0,		/* 0x29 */
358 		{{0, 0},
359 		{3, 3},
360 		{5, 5},
361 		{0, 0}
362 		}
363 	},
364 	{0, 0, 3, 0,		/* 0x2a */
365 		{{1, 1},
366 		{3, 3},
367 		{5, 5},
368 		{0, 0}
369 		}
370 	},
371 	{1, 0, 3, 0,		/* 0x2b */
372 		{{0, 1},
373 		{3, 3},
374 		{5, 5},
375 		{0, 0}
376 		}
377 	},
378 	{0, 0, 2, 0,		/* 0x2c */
379 		{{2, 3},
380 		{5, 5},
381 		{0, 0},
382 		{0, 0}
383 		}
384 	},
385 	{1, 0, 3, 0,		/* 0x2d */
386 		{{0, 0},
387 		{2, 3},
388 		{5, 5},
389 		{0, 0}
390 		}
391 	},
392 	{0, 0, 2, 0,		/* 0x2e */
393 		{{1, 3},
394 		{5, 5},
395 		{0, 0},
396 		{0, 0}
397 		}
398 	},
399 	{1, 0, 2, 0,		/* 0x2f */
400 		{{0, 3},
401 		{5, 5},
402 		{0, 0},
403 		{0, 0}
404 		}
405 	},
406 	{0, 0, 1, 0,		/* 0x30 */
407 		{{4, 5},
408 		{0, 0},
409 		{0, 0},
410 		{0, 0}
411 		}
412 	},
413 	{1, 0, 2, 0,		/* 0x31 */
414 		{{0, 0},
415 		{4, 5},
416 		{0, 0},
417 		{0, 0}
418 		}
419 	},
420 	{0, 0, 2, 0,		/* 0x32 */
421 		{{1, 1},
422 		{4, 5},
423 		{0, 0},
424 		{0, 0}
425 		}
426 	},
427 	{1, 0, 2, 0,		/* 0x33 */
428 		{{0, 1},
429 		{4, 5},
430 		{0, 0},
431 		{0, 0}
432 		}
433 	},
434 	{0, 0, 2, 0,		/* 0x34 */
435 		{{2, 2},
436 		{4, 5},
437 		{0, 0},
438 		{0, 0}
439 		}
440 	},
441 	{1, 0, 3, 0,		/* 0x35 */
442 		{{0, 0},
443 		{2, 2},
444 		{4, 5},
445 		{0, 0}
446 		}
447 	},
448 	{0, 0, 2, 0,		/* 0x36 */
449 		{{1, 2},
450 		{4, 5},
451 		{0, 0},
452 		{0, 0}
453 		}
454 	},
455 	{1, 0, 2, 0,		/* 0x37 */
456 		{{0, 2},
457 		{4, 5},
458 		{0, 0},
459 		{0, 0}
460 		}
461 	},
462 	{0, 0, 1, 0,		/* 0x38 */
463 		{{3, 5},
464 		{0, 0},
465 		{0, 0},
466 		{0, 0}
467 		}
468 	},
469 	{1, 0, 2, 0,		/* 0x39 */
470 		{{0, 0},
471 		{3, 5},
472 		{0, 0},
473 		{0, 0}
474 		}
475 	},
476 	{0, 0, 2, 0,		/* 0x3a */
477 		{{1, 1},
478 		{3, 5},
479 		{0, 0},
480 		{0, 0}
481 		}
482 	},
483 	{1, 0, 2, 0,		/* 0x3b */
484 		{{0, 1},
485 		{3, 5},
486 		{0, 0},
487 		{0, 0}
488 		}
489 	},
490 	{0, 0, 1, 0,		/* 0x3c */
491 		{{2, 5},
492 		{0, 0},
493 		{0, 0},
494 		{0, 0}
495 		}
496 	},
497 	{1, 0, 2, 0,		/* 0x3d */
498 		{{0, 0},
499 		{2, 5},
500 		{0, 0},
501 		{0, 0}
502 		}
503 	},
504 	{0, 0, 1, 0,		/* 0x3e */
505 		{{1, 5},
506 		{0, 0},
507 		{0, 0},
508 		{0, 0}
509 		}
510 	},
511 	{1, 0, 1, 0,		/* 0x3f */
512 		{{0, 5},
513 		{0, 0},
514 		{0, 0},
515 		{0, 0}
516 		}
517 	},
518 	{0, 0, 1, 0,		/* 0x40 */
519 		{{6, 6},
520 		{0, 0},
521 		{0, 0},
522 		{0, 0}
523 		}
524 	},
525 	{1, 0, 2, 0,		/* 0x41 */
526 		{{0, 0},
527 		{6, 6},
528 		{0, 0},
529 		{0, 0}
530 		}
531 	},
532 	{0, 0, 2, 0,		/* 0x42 */
533 		{{1, 1},
534 		{6, 6},
535 		{0, 0},
536 		{0, 0}
537 		}
538 	},
539 	{1, 0, 2, 0,		/* 0x43 */
540 		{{0, 1},
541 		{6, 6},
542 		{0, 0},
543 		{0, 0}
544 		}
545 	},
546 	{0, 0, 2, 0,		/* 0x44 */
547 		{{2, 2},
548 		{6, 6},
549 		{0, 0},
550 		{0, 0}
551 		}
552 	},
553 	{1, 0, 3, 0,		/* 0x45 */
554 		{{0, 0},
555 		{2, 2},
556 		{6, 6},
557 		{0, 0}
558 		}
559 	},
560 	{0, 0, 2, 0,		/* 0x46 */
561 		{{1, 2},
562 		{6, 6},
563 		{0, 0},
564 		{0, 0}
565 		}
566 	},
567 	{1, 0, 2, 0,		/* 0x47 */
568 		{{0, 2},
569 		{6, 6},
570 		{0, 0},
571 		{0, 0}
572 		}
573 	},
574 	{0, 0, 2, 0,		/* 0x48 */
575 		{{3, 3},
576 		{6, 6},
577 		{0, 0},
578 		{0, 0}
579 		}
580 	},
581 	{1, 0, 3, 0,		/* 0x49 */
582 		{{0, 0},
583 		{3, 3},
584 		{6, 6},
585 		{0, 0}
586 		}
587 	},
588 	{0, 0, 3, 0,		/* 0x4a */
589 		{{1, 1},
590 		{3, 3},
591 		{6, 6},
592 		{0, 0}
593 		}
594 	},
595 	{1, 0, 3, 0,		/* 0x4b */
596 		{{0, 1},
597 		{3, 3},
598 		{6, 6},
599 		{0, 0}
600 		}
601 	},
602 	{0, 0, 2, 0,		/* 0x4c */
603 		{{2, 3},
604 		{6, 6},
605 		{0, 0},
606 		{0, 0}
607 		}
608 	},
609 	{1, 0, 3, 0,		/* 0x4d */
610 		{{0, 0},
611 		{2, 3},
612 		{6, 6},
613 		{0, 0}
614 		}
615 	},
616 	{0, 0, 2, 0,		/* 0x4e */
617 		{{1, 3},
618 		{6, 6},
619 		{0, 0},
620 		{0, 0}
621 		}
622 	},
623 	{1, 0, 2, 0,		/* 0x4f */
624 		{{0, 3},
625 		{6, 6},
626 		{0, 0},
627 		{0, 0}
628 		}
629 	},
630 	{0, 0, 2, 0,		/* 0x50 */
631 		{{4, 4},
632 		{6, 6},
633 		{0, 0},
634 		{0, 0}
635 		}
636 	},
637 	{1, 0, 3, 0,		/* 0x51 */
638 		{{0, 0},
639 		{4, 4},
640 		{6, 6},
641 		{0, 0}
642 		}
643 	},
644 	{0, 0, 3, 0,		/* 0x52 */
645 		{{1, 1},
646 		{4, 4},
647 		{6, 6},
648 		{0, 0}
649 		}
650 	},
651 	{1, 0, 3, 0,		/* 0x53 */
652 		{{0, 1},
653 		{4, 4},
654 		{6, 6},
655 		{0, 0}
656 		}
657 	},
658 	{0, 0, 3, 0,		/* 0x54 */
659 		{{2, 2},
660 		{4, 4},
661 		{6, 6},
662 		{0, 0}
663 		}
664 	},
665 	{1, 0, 4, 0,		/* 0x55 */
666 		{{0, 0},
667 		{2, 2},
668 		{4, 4},
669 		{6, 6}
670 		}
671 	},
672 	{0, 0, 3, 0,		/* 0x56 */
673 		{{1, 2},
674 		{4, 4},
675 		{6, 6},
676 		{0, 0}
677 		}
678 	},
679 	{1, 0, 3, 0,		/* 0x57 */
680 		{{0, 2},
681 		{4, 4},
682 		{6, 6},
683 		{0, 0}
684 		}
685 	},
686 	{0, 0, 2, 0,		/* 0x58 */
687 		{{3, 4},
688 		{6, 6},
689 		{0, 0},
690 		{0, 0}
691 		}
692 	},
693 	{1, 0, 3, 0,		/* 0x59 */
694 		{{0, 0},
695 		{3, 4},
696 		{6, 6},
697 		{0, 0}
698 		}
699 	},
700 	{0, 0, 3, 0,		/* 0x5a */
701 		{{1, 1},
702 		{3, 4},
703 		{6, 6},
704 		{0, 0}
705 		}
706 	},
707 	{1, 0, 3, 0,		/* 0x5b */
708 		{{0, 1},
709 		{3, 4},
710 		{6, 6},
711 		{0, 0}
712 		}
713 	},
714 	{0, 0, 2, 0,		/* 0x5c */
715 		{{2, 4},
716 		{6, 6},
717 		{0, 0},
718 		{0, 0}
719 		}
720 	},
721 	{1, 0, 3, 0,		/* 0x5d */
722 		{{0, 0},
723 		{2, 4},
724 		{6, 6},
725 		{0, 0}
726 		}
727 	},
728 	{0, 0, 2, 0,		/* 0x5e */
729 		{{1, 4},
730 		{6, 6},
731 		{0, 0},
732 		{0, 0}
733 		}
734 	},
735 	{1, 0, 2, 0,		/* 0x5f */
736 		{{0, 4},
737 		{6, 6},
738 		{0, 0},
739 		{0, 0}
740 		}
741 	},
742 	{0, 0, 1, 0,		/* 0x60 */
743 		{{5, 6},
744 		{0, 0},
745 		{0, 0},
746 		{0, 0}
747 		}
748 	},
749 	{1, 0, 2, 0,		/* 0x61 */
750 		{{0, 0},
751 		{5, 6},
752 		{0, 0},
753 		{0, 0}
754 		}
755 	},
756 	{0, 0, 2, 0,		/* 0x62 */
757 		{{1, 1},
758 		{5, 6},
759 		{0, 0},
760 		{0, 0}
761 		}
762 	},
763 	{1, 0, 2, 0,		/* 0x63 */
764 		{{0, 1},
765 		{5, 6},
766 		{0, 0},
767 		{0, 0}
768 		}
769 	},
770 	{0, 0, 2, 0,		/* 0x64 */
771 		{{2, 2},
772 		{5, 6},
773 		{0, 0},
774 		{0, 0}
775 		}
776 	},
777 	{1, 0, 3, 0,		/* 0x65 */
778 		{{0, 0},
779 		{2, 2},
780 		{5, 6},
781 		{0, 0}
782 		}
783 	},
784 	{0, 0, 2, 0,		/* 0x66 */
785 		{{1, 2},
786 		{5, 6},
787 		{0, 0},
788 		{0, 0}
789 		}
790 	},
791 	{1, 0, 2, 0,		/* 0x67 */
792 		{{0, 2},
793 		{5, 6},
794 		{0, 0},
795 		{0, 0}
796 		}
797 	},
798 	{0, 0, 2, 0,		/* 0x68 */
799 		{{3, 3},
800 		{5, 6},
801 		{0, 0},
802 		{0, 0}
803 		}
804 	},
805 	{1, 0, 3, 0,		/* 0x69 */
806 		{{0, 0},
807 		{3, 3},
808 		{5, 6},
809 		{0, 0}
810 		}
811 	},
812 	{0, 0, 3, 0,		/* 0x6a */
813 		{{1, 1},
814 		{3, 3},
815 		{5, 6},
816 		{0, 0}
817 		}
818 	},
819 	{1, 0, 3, 0,		/* 0x6b */
820 		{{0, 1},
821 		{3, 3},
822 		{5, 6},
823 		{0, 0}
824 		}
825 	},
826 	{0, 0, 2, 0,		/* 0x6c */
827 		{{2, 3},
828 		{5, 6},
829 		{0, 0},
830 		{0, 0}
831 		}
832 	},
833 	{1, 0, 3, 0,		/* 0x6d */
834 		{{0, 0},
835 		{2, 3},
836 		{5, 6},
837 		{0, 0}
838 		}
839 	},
840 	{0, 0, 2, 0,		/* 0x6e */
841 		{{1, 3},
842 		{5, 6},
843 		{0, 0},
844 		{0, 0}
845 		}
846 	},
847 	{1, 0, 2, 0,		/* 0x6f */
848 		{{0, 3},
849 		{5, 6},
850 		{0, 0},
851 		{0, 0}
852 		}
853 	},
854 	{0, 0, 1, 0,		/* 0x70 */
855 		{{4, 6},
856 		{0, 0},
857 		{0, 0},
858 		{0, 0}
859 		}
860 	},
861 	{1, 0, 2, 0,		/* 0x71 */
862 		{{0, 0},
863 		{4, 6},
864 		{0, 0},
865 		{0, 0}
866 		}
867 	},
868 	{0, 0, 2, 0,		/* 0x72 */
869 		{{1, 1},
870 		{4, 6},
871 		{0, 0},
872 		{0, 0}
873 		}
874 	},
875 	{1, 0, 2, 0,		/* 0x73 */
876 		{{0, 1},
877 		{4, 6},
878 		{0, 0},
879 		{0, 0}
880 		}
881 	},
882 	{0, 0, 2, 0,		/* 0x74 */
883 		{{2, 2},
884 		{4, 6},
885 		{0, 0},
886 		{0, 0}
887 		}
888 	},
889 	{1, 0, 3, 0,		/* 0x75 */
890 		{{0, 0},
891 		{2, 2},
892 		{4, 6},
893 		{0, 0}
894 		}
895 	},
896 	{0, 0, 2, 0,		/* 0x76 */
897 		{{1, 2},
898 		{4, 6},
899 		{0, 0},
900 		{0, 0}
901 		}
902 	},
903 	{1, 0, 2, 0,		/* 0x77 */
904 		{{0, 2},
905 		{4, 6},
906 		{0, 0},
907 		{0, 0}
908 		}
909 	},
910 	{0, 0, 1, 0,		/* 0x78 */
911 		{{3, 6},
912 		{0, 0},
913 		{0, 0},
914 		{0, 0}
915 		}
916 	},
917 	{1, 0, 2, 0,		/* 0x79 */
918 		{{0, 0},
919 		{3, 6},
920 		{0, 0},
921 		{0, 0}
922 		}
923 	},
924 	{0, 0, 2, 0,		/* 0x7a */
925 		{{1, 1},
926 		{3, 6},
927 		{0, 0},
928 		{0, 0}
929 		}
930 	},
931 	{1, 0, 2, 0,		/* 0x7b */
932 		{{0, 1},
933 		{3, 6},
934 		{0, 0},
935 		{0, 0}
936 		}
937 	},
938 	{0, 0, 1, 0,		/* 0x7c */
939 		{{2, 6},
940 		{0, 0},
941 		{0, 0},
942 		{0, 0}
943 		}
944 	},
945 	{1, 0, 2, 0,		/* 0x7d */
946 		{{0, 0},
947 		{2, 6},
948 		{0, 0},
949 		{0, 0}
950 		}
951 	},
952 	{0, 0, 1, 0,		/* 0x7e */
953 		{{1, 6},
954 		{0, 0},
955 		{0, 0},
956 		{0, 0}
957 		}
958 	},
959 	{1, 0, 1, 0,		/* 0x7f */
960 		{{0, 6},
961 		{0, 0},
962 		{0, 0},
963 		{0, 0}
964 		}
965 	},
966 	{0, 1, 1, 0,		/* 0x80 */
967 		{{7, 7},
968 		{0, 0},
969 		{0, 0},
970 		{0, 0}
971 		}
972 	},
973 	{1, 1, 2, 0,		/* 0x81 */
974 		{{0, 0},
975 		{7, 7},
976 		{0, 0},
977 		{0, 0}
978 		}
979 	},
980 	{0, 1, 2, 0,		/* 0x82 */
981 		{{1, 1},
982 		{7, 7},
983 		{0, 0},
984 		{0, 0}
985 		}
986 	},
987 	{1, 1, 2, 0,		/* 0x83 */
988 		{{0, 1},
989 		{7, 7},
990 		{0, 0},
991 		{0, 0}
992 		}
993 	},
994 	{0, 1, 2, 0,		/* 0x84 */
995 		{{2, 2},
996 		{7, 7},
997 		{0, 0},
998 		{0, 0}
999 		}
1000 	},
1001 	{1, 1, 3, 0,		/* 0x85 */
1002 		{{0, 0},
1003 		{2, 2},
1004 		{7, 7},
1005 		{0, 0}
1006 		}
1007 	},
1008 	{0, 1, 2, 0,		/* 0x86 */
1009 		{{1, 2},
1010 		{7, 7},
1011 		{0, 0},
1012 		{0, 0}
1013 		}
1014 	},
1015 	{1, 1, 2, 0,		/* 0x87 */
1016 		{{0, 2},
1017 		{7, 7},
1018 		{0, 0},
1019 		{0, 0}
1020 		}
1021 	},
1022 	{0, 1, 2, 0,		/* 0x88 */
1023 		{{3, 3},
1024 		{7, 7},
1025 		{0, 0},
1026 		{0, 0}
1027 		}
1028 	},
1029 	{1, 1, 3, 0,		/* 0x89 */
1030 		{{0, 0},
1031 		{3, 3},
1032 		{7, 7},
1033 		{0, 0}
1034 		}
1035 	},
1036 	{0, 1, 3, 0,		/* 0x8a */
1037 		{{1, 1},
1038 		{3, 3},
1039 		{7, 7},
1040 		{0, 0}
1041 		}
1042 	},
1043 	{1, 1, 3, 0,		/* 0x8b */
1044 		{{0, 1},
1045 		{3, 3},
1046 		{7, 7},
1047 		{0, 0}
1048 		}
1049 	},
1050 	{0, 1, 2, 0,		/* 0x8c */
1051 		{{2, 3},
1052 		{7, 7},
1053 		{0, 0},
1054 		{0, 0}
1055 		}
1056 	},
1057 	{1, 1, 3, 0,		/* 0x8d */
1058 		{{0, 0},
1059 		{2, 3},
1060 		{7, 7},
1061 		{0, 0}
1062 		}
1063 	},
1064 	{0, 1, 2, 0,		/* 0x8e */
1065 		{{1, 3},
1066 		{7, 7},
1067 		{0, 0},
1068 		{0, 0}
1069 		}
1070 	},
1071 	{1, 1, 2, 0,		/* 0x8f */
1072 		{{0, 3},
1073 		{7, 7},
1074 		{0, 0},
1075 		{0, 0}
1076 		}
1077 	},
1078 	{0, 1, 2, 0,		/* 0x90 */
1079 		{{4, 4},
1080 		{7, 7},
1081 		{0, 0},
1082 		{0, 0}
1083 		}
1084 	},
1085 	{1, 1, 3, 0,		/* 0x91 */
1086 		{{0, 0},
1087 		{4, 4},
1088 		{7, 7},
1089 		{0, 0}
1090 		}
1091 	},
1092 	{0, 1, 3, 0,		/* 0x92 */
1093 		{{1, 1},
1094 		{4, 4},
1095 		{7, 7},
1096 		{0, 0}
1097 		}
1098 	},
1099 	{1, 1, 3, 0,		/* 0x93 */
1100 		{{0, 1},
1101 		{4, 4},
1102 		{7, 7},
1103 		{0, 0}
1104 		}
1105 	},
1106 	{0, 1, 3, 0,		/* 0x94 */
1107 		{{2, 2},
1108 		{4, 4},
1109 		{7, 7},
1110 		{0, 0}
1111 		}
1112 	},
1113 	{1, 1, 4, 0,		/* 0x95 */
1114 		{{0, 0},
1115 		{2, 2},
1116 		{4, 4},
1117 		{7, 7}
1118 		}
1119 	},
1120 	{0, 1, 3, 0,		/* 0x96 */
1121 		{{1, 2},
1122 		{4, 4},
1123 		{7, 7},
1124 		{0, 0}
1125 		}
1126 	},
1127 	{1, 1, 3, 0,		/* 0x97 */
1128 		{{0, 2},
1129 		{4, 4},
1130 		{7, 7},
1131 		{0, 0}
1132 		}
1133 	},
1134 	{0, 1, 2, 0,		/* 0x98 */
1135 		{{3, 4},
1136 		{7, 7},
1137 		{0, 0},
1138 		{0, 0}
1139 		}
1140 	},
1141 	{1, 1, 3, 0,		/* 0x99 */
1142 		{{0, 0},
1143 		{3, 4},
1144 		{7, 7},
1145 		{0, 0}
1146 		}
1147 	},
1148 	{0, 1, 3, 0,		/* 0x9a */
1149 		{{1, 1},
1150 		{3, 4},
1151 		{7, 7},
1152 		{0, 0}
1153 		}
1154 	},
1155 	{1, 1, 3, 0,		/* 0x9b */
1156 		{{0, 1},
1157 		{3, 4},
1158 		{7, 7},
1159 		{0, 0}
1160 		}
1161 	},
1162 	{0, 1, 2, 0,		/* 0x9c */
1163 		{{2, 4},
1164 		{7, 7},
1165 		{0, 0},
1166 		{0, 0}
1167 		}
1168 	},
1169 	{1, 1, 3, 0,		/* 0x9d */
1170 		{{0, 0},
1171 		{2, 4},
1172 		{7, 7},
1173 		{0, 0}
1174 		}
1175 	},
1176 	{0, 1, 2, 0,		/* 0x9e */
1177 		{{1, 4},
1178 		{7, 7},
1179 		{0, 0},
1180 		{0, 0}
1181 		}
1182 	},
1183 	{1, 1, 2, 0,		/* 0x9f */
1184 		{{0, 4},
1185 		{7, 7},
1186 		{0, 0},
1187 		{0, 0}
1188 		}
1189 	},
1190 	{0, 1, 2, 0,		/* 0xa0 */
1191 		{{5, 5},
1192 		{7, 7},
1193 		{0, 0},
1194 		{0, 0}
1195 		}
1196 	},
1197 	{1, 1, 3, 0,		/* 0xa1 */
1198 		{{0, 0},
1199 		{5, 5},
1200 		{7, 7},
1201 		{0, 0}
1202 		}
1203 	},
1204 	{0, 1, 3, 0,		/* 0xa2 */
1205 		{{1, 1},
1206 		{5, 5},
1207 		{7, 7},
1208 		{0, 0}
1209 		}
1210 	},
1211 	{1, 1, 3, 0,		/* 0xa3 */
1212 		{{0, 1},
1213 		{5, 5},
1214 		{7, 7},
1215 		{0, 0}
1216 		}
1217 	},
1218 	{0, 1, 3, 0,		/* 0xa4 */
1219 		{{2, 2},
1220 		{5, 5},
1221 		{7, 7},
1222 		{0, 0}
1223 		}
1224 	},
1225 	{1, 1, 4, 0,		/* 0xa5 */
1226 		{{0, 0},
1227 		{2, 2},
1228 		{5, 5},
1229 		{7, 7}
1230 		}
1231 	},
1232 	{0, 1, 3, 0,		/* 0xa6 */
1233 		{{1, 2},
1234 		{5, 5},
1235 		{7, 7},
1236 		{0, 0}
1237 		}
1238 	},
1239 	{1, 1, 3, 0,		/* 0xa7 */
1240 		{{0, 2},
1241 		{5, 5},
1242 		{7, 7},
1243 		{0, 0}
1244 		}
1245 	},
1246 	{0, 1, 3, 0,		/* 0xa8 */
1247 		{{3, 3},
1248 		{5, 5},
1249 		{7, 7},
1250 		{0, 0}
1251 		}
1252 	},
1253 	{1, 1, 4, 0,		/* 0xa9 */
1254 		{{0, 0},
1255 		{3, 3},
1256 		{5, 5},
1257 		{7, 7}
1258 		}
1259 	},
1260 	{0, 1, 4, 0,		/* 0xaa */
1261 		{{1, 1},
1262 		{3, 3},
1263 		{5, 5},
1264 		{7, 7}
1265 		}
1266 	},
1267 	{1, 1, 4, 0,		/* 0xab */
1268 		{{0, 1},
1269 		{3, 3},
1270 		{5, 5},
1271 		{7, 7}
1272 		}
1273 	},
1274 	{0, 1, 3, 0,		/* 0xac */
1275 		{{2, 3},
1276 		{5, 5},
1277 		{7, 7},
1278 		{0, 0}
1279 		}
1280 	},
1281 	{1, 1, 4, 0,		/* 0xad */
1282 		{{0, 0},
1283 		{2, 3},
1284 		{5, 5},
1285 		{7, 7}
1286 		}
1287 	},
1288 	{0, 1, 3, 0,		/* 0xae */
1289 		{{1, 3},
1290 		{5, 5},
1291 		{7, 7},
1292 		{0, 0}
1293 		}
1294 	},
1295 	{1, 1, 3, 0,		/* 0xaf */
1296 		{{0, 3},
1297 		{5, 5},
1298 		{7, 7},
1299 		{0, 0}
1300 		}
1301 	},
1302 	{0, 1, 2, 0,		/* 0xb0 */
1303 		{{4, 5},
1304 		{7, 7},
1305 		{0, 0},
1306 		{0, 0}
1307 		}
1308 	},
1309 	{1, 1, 3, 0,		/* 0xb1 */
1310 		{{0, 0},
1311 		{4, 5},
1312 		{7, 7},
1313 		{0, 0}
1314 		}
1315 	},
1316 	{0, 1, 3, 0,		/* 0xb2 */
1317 		{{1, 1},
1318 		{4, 5},
1319 		{7, 7},
1320 		{0, 0}
1321 		}
1322 	},
1323 	{1, 1, 3, 0,		/* 0xb3 */
1324 		{{0, 1},
1325 		{4, 5},
1326 		{7, 7},
1327 		{0, 0}
1328 		}
1329 	},
1330 	{0, 1, 3, 0,		/* 0xb4 */
1331 		{{2, 2},
1332 		{4, 5},
1333 		{7, 7},
1334 		{0, 0}
1335 		}
1336 	},
1337 	{1, 1, 4, 0,		/* 0xb5 */
1338 		{{0, 0},
1339 		{2, 2},
1340 		{4, 5},
1341 		{7, 7}
1342 		}
1343 	},
1344 	{0, 1, 3, 0,		/* 0xb6 */
1345 		{{1, 2},
1346 		{4, 5},
1347 		{7, 7},
1348 		{0, 0}
1349 		}
1350 	},
1351 	{1, 1, 3, 0,		/* 0xb7 */
1352 		{{0, 2},
1353 		{4, 5},
1354 		{7, 7},
1355 		{0, 0}
1356 		}
1357 	},
1358 	{0, 1, 2, 0,		/* 0xb8 */
1359 		{{3, 5},
1360 		{7, 7},
1361 		{0, 0},
1362 		{0, 0}
1363 		}
1364 	},
1365 	{1, 1, 3, 0,		/* 0xb9 */
1366 		{{0, 0},
1367 		{3, 5},
1368 		{7, 7},
1369 		{0, 0}
1370 		}
1371 	},
1372 	{0, 1, 3, 0,		/* 0xba */
1373 		{{1, 1},
1374 		{3, 5},
1375 		{7, 7},
1376 		{0, 0}
1377 		}
1378 	},
1379 	{1, 1, 3, 0,		/* 0xbb */
1380 		{{0, 1},
1381 		{3, 5},
1382 		{7, 7},
1383 		{0, 0}
1384 		}
1385 	},
1386 	{0, 1, 2, 0,		/* 0xbc */
1387 		{{2, 5},
1388 		{7, 7},
1389 		{0, 0},
1390 		{0, 0}
1391 		}
1392 	},
1393 	{1, 1, 3, 0,		/* 0xbd */
1394 		{{0, 0},
1395 		{2, 5},
1396 		{7, 7},
1397 		{0, 0}
1398 		}
1399 	},
1400 	{0, 1, 2, 0,		/* 0xbe */
1401 		{{1, 5},
1402 		{7, 7},
1403 		{0, 0},
1404 		{0, 0}
1405 		}
1406 	},
1407 	{1, 1, 2, 0,		/* 0xbf */
1408 		{{0, 5},
1409 		{7, 7},
1410 		{0, 0},
1411 		{0, 0}
1412 		}
1413 	},
1414 	{0, 1, 1, 0,		/* 0xc0 */
1415 		{{6, 7},
1416 		{0, 0},
1417 		{0, 0},
1418 		{0, 0}
1419 		}
1420 	},
1421 	{1, 1, 2, 0,		/* 0xc1 */
1422 		{{0, 0},
1423 		{6, 7},
1424 		{0, 0},
1425 		{0, 0}
1426 		}
1427 	},
1428 	{0, 1, 2, 0,		/* 0xc2 */
1429 		{{1, 1},
1430 		{6, 7},
1431 		{0, 0},
1432 		{0, 0}
1433 		}
1434 	},
1435 	{1, 1, 2, 0,		/* 0xc3 */
1436 		{{0, 1},
1437 		{6, 7},
1438 		{0, 0},
1439 		{0, 0}
1440 		}
1441 	},
1442 	{0, 1, 2, 0,		/* 0xc4 */
1443 		{{2, 2},
1444 		{6, 7},
1445 		{0, 0},
1446 		{0, 0}
1447 		}
1448 	},
1449 	{1, 1, 3, 0,		/* 0xc5 */
1450 		{{0, 0},
1451 		{2, 2},
1452 		{6, 7},
1453 		{0, 0}
1454 		}
1455 	},
1456 	{0, 1, 2, 0,		/* 0xc6 */
1457 		{{1, 2},
1458 		{6, 7},
1459 		{0, 0},
1460 		{0, 0}
1461 		}
1462 	},
1463 	{1, 1, 2, 0,		/* 0xc7 */
1464 		{{0, 2},
1465 		{6, 7},
1466 		{0, 0},
1467 		{0, 0}
1468 		}
1469 	},
1470 	{0, 1, 2, 0,		/* 0xc8 */
1471 		{{3, 3},
1472 		{6, 7},
1473 		{0, 0},
1474 		{0, 0}
1475 		}
1476 	},
1477 	{1, 1, 3, 0,		/* 0xc9 */
1478 		{{0, 0},
1479 		{3, 3},
1480 		{6, 7},
1481 		{0, 0}
1482 		}
1483 	},
1484 	{0, 1, 3, 0,		/* 0xca */
1485 		{{1, 1},
1486 		{3, 3},
1487 		{6, 7},
1488 		{0, 0}
1489 		}
1490 	},
1491 	{1, 1, 3, 0,		/* 0xcb */
1492 		{{0, 1},
1493 		{3, 3},
1494 		{6, 7},
1495 		{0, 0}
1496 		}
1497 	},
1498 	{0, 1, 2, 0,		/* 0xcc */
1499 		{{2, 3},
1500 		{6, 7},
1501 		{0, 0},
1502 		{0, 0}
1503 		}
1504 	},
1505 	{1, 1, 3, 0,		/* 0xcd */
1506 		{{0, 0},
1507 		{2, 3},
1508 		{6, 7},
1509 		{0, 0}
1510 		}
1511 	},
1512 	{0, 1, 2, 0,		/* 0xce */
1513 		{{1, 3},
1514 		{6, 7},
1515 		{0, 0},
1516 		{0, 0}
1517 		}
1518 	},
1519 	{1, 1, 2, 0,		/* 0xcf */
1520 		{{0, 3},
1521 		{6, 7},
1522 		{0, 0},
1523 		{0, 0}
1524 		}
1525 	},
1526 	{0, 1, 2, 0,		/* 0xd0 */
1527 		{{4, 4},
1528 		{6, 7},
1529 		{0, 0},
1530 		{0, 0}
1531 		}
1532 	},
1533 	{1, 1, 3, 0,		/* 0xd1 */
1534 		{{0, 0},
1535 		{4, 4},
1536 		{6, 7},
1537 		{0, 0}
1538 		}
1539 	},
1540 	{0, 1, 3, 0,		/* 0xd2 */
1541 		{{1, 1},
1542 		{4, 4},
1543 		{6, 7},
1544 		{0, 0}
1545 		}
1546 	},
1547 	{1, 1, 3, 0,		/* 0xd3 */
1548 		{{0, 1},
1549 		{4, 4},
1550 		{6, 7},
1551 		{0, 0}
1552 		}
1553 	},
1554 	{0, 1, 3, 0,		/* 0xd4 */
1555 		{{2, 2},
1556 		{4, 4},
1557 		{6, 7},
1558 		{0, 0}
1559 		}
1560 	},
1561 	{1, 1, 4, 0,		/* 0xd5 */
1562 		{{0, 0},
1563 		{2, 2},
1564 		{4, 4},
1565 		{6, 7}
1566 		}
1567 	},
1568 	{0, 1, 3, 0,		/* 0xd6 */
1569 		{{1, 2},
1570 		{4, 4},
1571 		{6, 7},
1572 		{0, 0}
1573 		}
1574 	},
1575 	{1, 1, 3, 0,		/* 0xd7 */
1576 		{{0, 2},
1577 		{4, 4},
1578 		{6, 7},
1579 		{0, 0}
1580 		}
1581 	},
1582 	{0, 1, 2, 0,		/* 0xd8 */
1583 		{{3, 4},
1584 		{6, 7},
1585 		{0, 0},
1586 		{0, 0}
1587 		}
1588 	},
1589 	{1, 1, 3, 0,		/* 0xd9 */
1590 		{{0, 0},
1591 		{3, 4},
1592 		{6, 7},
1593 		{0, 0}
1594 		}
1595 	},
1596 	{0, 1, 3, 0,		/* 0xda */
1597 		{{1, 1},
1598 		{3, 4},
1599 		{6, 7},
1600 		{0, 0}
1601 		}
1602 	},
1603 	{1, 1, 3, 0,		/* 0xdb */
1604 		{{0, 1},
1605 		{3, 4},
1606 		{6, 7},
1607 		{0, 0}
1608 		}
1609 	},
1610 	{0, 1, 2, 0,		/* 0xdc */
1611 		{{2, 4},
1612 		{6, 7},
1613 		{0, 0},
1614 		{0, 0}
1615 		}
1616 	},
1617 	{1, 1, 3, 0,		/* 0xdd */
1618 		{{0, 0},
1619 		{2, 4},
1620 		{6, 7},
1621 		{0, 0}
1622 		}
1623 	},
1624 	{0, 1, 2, 0,		/* 0xde */
1625 		{{1, 4},
1626 		{6, 7},
1627 		{0, 0},
1628 		{0, 0}
1629 		}
1630 	},
1631 	{1, 1, 2, 0,		/* 0xdf */
1632 		{{0, 4},
1633 		{6, 7},
1634 		{0, 0},
1635 		{0, 0}
1636 		}
1637 	},
1638 	{0, 1, 1, 0,		/* 0xe0 */
1639 		{{5, 7},
1640 		{0, 0},
1641 		{0, 0},
1642 		{0, 0}
1643 		}
1644 	},
1645 	{1, 1, 2, 0,		/* 0xe1 */
1646 		{{0, 0},
1647 		{5, 7},
1648 		{0, 0},
1649 		{0, 0}
1650 		}
1651 	},
1652 	{0, 1, 2, 0,		/* 0xe2 */
1653 		{{1, 1},
1654 		{5, 7},
1655 		{0, 0},
1656 		{0, 0}
1657 		}
1658 	},
1659 	{1, 1, 2, 0,		/* 0xe3 */
1660 		{{0, 1},
1661 		{5, 7},
1662 		{0, 0},
1663 		{0, 0}
1664 		}
1665 	},
1666 	{0, 1, 2, 0,		/* 0xe4 */
1667 		{{2, 2},
1668 		{5, 7},
1669 		{0, 0},
1670 		{0, 0}
1671 		}
1672 	},
1673 	{1, 1, 3, 0,		/* 0xe5 */
1674 		{{0, 0},
1675 		{2, 2},
1676 		{5, 7},
1677 		{0, 0}
1678 		}
1679 	},
1680 	{0, 1, 2, 0,		/* 0xe6 */
1681 		{{1, 2},
1682 		{5, 7},
1683 		{0, 0},
1684 		{0, 0}
1685 		}
1686 	},
1687 	{1, 1, 2, 0,		/* 0xe7 */
1688 		{{0, 2},
1689 		{5, 7},
1690 		{0, 0},
1691 		{0, 0}
1692 		}
1693 	},
1694 	{0, 1, 2, 0,		/* 0xe8 */
1695 		{{3, 3},
1696 		{5, 7},
1697 		{0, 0},
1698 		{0, 0}
1699 		}
1700 	},
1701 	{1, 1, 3, 0,		/* 0xe9 */
1702 		{{0, 0},
1703 		{3, 3},
1704 		{5, 7},
1705 		{0, 0}
1706 		}
1707 	},
1708 	{0, 1, 3, 0,		/* 0xea */
1709 		{{1, 1},
1710 		{3, 3},
1711 		{5, 7},
1712 		{0, 0}
1713 		}
1714 	},
1715 	{1, 1, 3, 0,		/* 0xeb */
1716 		{{0, 1},
1717 		{3, 3},
1718 		{5, 7},
1719 		{0, 0}
1720 		}
1721 	},
1722 	{0, 1, 2, 0,		/* 0xec */
1723 		{{2, 3},
1724 		{5, 7},
1725 		{0, 0},
1726 		{0, 0}
1727 		}
1728 	},
1729 	{1, 1, 3, 0,		/* 0xed */
1730 		{{0, 0},
1731 		{2, 3},
1732 		{5, 7},
1733 		{0, 0}
1734 		}
1735 	},
1736 	{0, 1, 2, 0,		/* 0xee */
1737 		{{1, 3},
1738 		{5, 7},
1739 		{0, 0},
1740 		{0, 0}
1741 		}
1742 	},
1743 	{1, 1, 2, 0,		/* 0xef */
1744 		{{0, 3},
1745 		{5, 7},
1746 		{0, 0},
1747 		{0, 0}
1748 		}
1749 	},
1750 	{0, 1, 1, 0,		/* 0xf0 */
1751 		{{4, 7},
1752 		{0, 0},
1753 		{0, 0},
1754 		{0, 0}
1755 		}
1756 	},
1757 	{1, 1, 2, 0,		/* 0xf1 */
1758 		{{0, 0},
1759 		{4, 7},
1760 		{0, 0},
1761 		{0, 0}
1762 		}
1763 	},
1764 	{0, 1, 2, 0,		/* 0xf2 */
1765 		{{1, 1},
1766 		{4, 7},
1767 		{0, 0},
1768 		{0, 0}
1769 		}
1770 	},
1771 	{1, 1, 2, 0,		/* 0xf3 */
1772 		{{0, 1},
1773 		{4, 7},
1774 		{0, 0},
1775 		{0, 0}
1776 		}
1777 	},
1778 	{0, 1, 2, 0,		/* 0xf4 */
1779 		{{2, 2},
1780 		{4, 7},
1781 		{0, 0},
1782 		{0, 0}
1783 		}
1784 	},
1785 	{1, 1, 3, 0,		/* 0xf5 */
1786 		{{0, 0},
1787 		{2, 2},
1788 		{4, 7},
1789 		{0, 0}
1790 		}
1791 	},
1792 	{0, 1, 2, 0,		/* 0xf6 */
1793 		{{1, 2},
1794 		{4, 7},
1795 		{0, 0},
1796 		{0, 0}
1797 		}
1798 	},
1799 	{1, 1, 2, 0,		/* 0xf7 */
1800 		{{0, 2},
1801 		{4, 7},
1802 		{0, 0},
1803 		{0, 0}
1804 		}
1805 	},
1806 	{0, 1, 1, 0,		/* 0xf8 */
1807 		{{3, 7},
1808 		{0, 0},
1809 		{0, 0},
1810 		{0, 0}
1811 		}
1812 	},
1813 	{1, 1, 2, 0,		/* 0xf9 */
1814 		{{0, 0},
1815 		{3, 7},
1816 		{0, 0},
1817 		{0, 0}
1818 		}
1819 	},
1820 	{0, 1, 2, 0,		/* 0xfa */
1821 		{{1, 1},
1822 		{3, 7},
1823 		{0, 0},
1824 		{0, 0}
1825 		}
1826 	},
1827 	{1, 1, 2, 0,		/* 0xfb */
1828 		{{0, 1},
1829 		{3, 7},
1830 		{0, 0},
1831 		{0, 0}
1832 		}
1833 	},
1834 	{0, 1, 1, 0,		/* 0xfc */
1835 		{{2, 7},
1836 		{0, 0},
1837 		{0, 0},
1838 		{0, 0}
1839 		}
1840 	},
1841 	{1, 1, 2, 0,		/* 0xfd */
1842 		{{0, 0},
1843 		{2, 7},
1844 		{0, 0},
1845 		{0, 0}
1846 		}
1847 	},
1848 	{0, 1, 1, 0,		/* 0xfe */
1849 		{{1, 7},
1850 		{0, 0},
1851 		{0, 0},
1852 		{0, 0}
1853 		}
1854 	},
1855 	{1, 1, 1, 0,		/* 0xff */
1856 		{{0, 7},
1857 		{0, 0},
1858 		{0, 0},
1859 		{0, 0}
1860 		}
1861 	}
1862 };
1863 
1864 
1865 int
1866 sctp_is_address_in_scope(struct sctp_ifa *ifa,
1867     int ipv4_addr_legal,
1868     int ipv6_addr_legal,
1869     int loopback_scope,
1870     int ipv4_local_scope,
1871     int local_scope,
1872     int site_scope,
1873     int do_update)
1874 {
1875 	if ((loopback_scope == 0) &&
1876 	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
1877 		/*
1878 		 * skip loopback if not in scope *
1879 		 */
1880 		return (0);
1881 	}
1882 	switch (ifa->address.sa.sa_family) {
1883 	case AF_INET:
1884 		if (ipv4_addr_legal) {
1885 			struct sockaddr_in *sin;
1886 
1887 			sin = (struct sockaddr_in *)&ifa->address.sin;
1888 			if (sin->sin_addr.s_addr == 0) {
1889 				/* not in scope , unspecified */
1890 				return (0);
1891 			}
1892 			if ((ipv4_local_scope == 0) &&
1893 			    (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
1894 				/* private address not in scope */
1895 				return (0);
1896 			}
1897 		} else {
1898 			return (0);
1899 		}
1900 		break;
1901 #ifdef INET6
1902 	case AF_INET6:
1903 		if (ipv6_addr_legal) {
1904 			struct sockaddr_in6 *sin6;
1905 
1906 			/*
1907 			 * Must update the flags,  bummer, which means any
1908 			 * IFA locks must now be applied HERE <->
1909 			 */
1910 			if (do_update) {
1911 				sctp_gather_internal_ifa_flags(ifa);
1912 			}
1913 			if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
1914 				return (0);
1915 			}
1916 			/* ok to use deprecated addresses? */
1917 			sin6 = (struct sockaddr_in6 *)&ifa->address.sin6;
1918 			if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1919 				/* skip unspecifed addresses */
1920 				return (0);
1921 			}
1922 			if (	/* (local_scope == 0) && */
1923 			    (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))) {
1924 				return (0);
1925 			}
1926 			if ((site_scope == 0) &&
1927 			    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1928 				return (0);
1929 			}
1930 		} else {
1931 			return (0);
1932 		}
1933 		break;
1934 #endif
1935 	default:
1936 		return (0);
1937 	}
1938 	return (1);
1939 }
1940 
1941 static struct mbuf *
1942 sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa)
1943 {
1944 	struct sctp_paramhdr *parmh;
1945 	struct mbuf *mret;
1946 	int len;
1947 
1948 	if (ifa->address.sa.sa_family == AF_INET) {
1949 		len = sizeof(struct sctp_ipv4addr_param);
1950 	} else if (ifa->address.sa.sa_family == AF_INET6) {
1951 		len = sizeof(struct sctp_ipv6addr_param);
1952 	} else {
1953 		/* unknown type */
1954 		return (m);
1955 	}
1956 	if (M_TRAILINGSPACE(m) >= len) {
1957 		/* easy side we just drop it on the end */
1958 		parmh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
1959 		mret = m;
1960 	} else {
1961 		/* Need more space */
1962 		mret = m;
1963 		while (SCTP_BUF_NEXT(mret) != NULL) {
1964 			mret = SCTP_BUF_NEXT(mret);
1965 		}
1966 		SCTP_BUF_NEXT(mret) = sctp_get_mbuf_for_msg(len, 0, M_DONTWAIT, 1, MT_DATA);
1967 		if (SCTP_BUF_NEXT(mret) == NULL) {
1968 			/* We are hosed, can't add more addresses */
1969 			return (m);
1970 		}
1971 		mret = SCTP_BUF_NEXT(mret);
1972 		parmh = mtod(mret, struct sctp_paramhdr *);
1973 	}
1974 	/* now add the parameter */
1975 	switch (ifa->address.sa.sa_family) {
1976 	case AF_INET:
1977 		{
1978 			struct sctp_ipv4addr_param *ipv4p;
1979 			struct sockaddr_in *sin;
1980 
1981 			sin = (struct sockaddr_in *)&ifa->address.sin;
1982 			ipv4p = (struct sctp_ipv4addr_param *)parmh;
1983 			parmh->param_type = htons(SCTP_IPV4_ADDRESS);
1984 			parmh->param_length = htons(len);
1985 			ipv4p->addr = sin->sin_addr.s_addr;
1986 			SCTP_BUF_LEN(mret) += len;
1987 			break;
1988 		}
1989 #ifdef INET6
1990 	case AF_INET6:
1991 		{
1992 			struct sctp_ipv6addr_param *ipv6p;
1993 			struct sockaddr_in6 *sin6;
1994 
1995 			sin6 = (struct sockaddr_in6 *)&ifa->address.sin6;
1996 			ipv6p = (struct sctp_ipv6addr_param *)parmh;
1997 			parmh->param_type = htons(SCTP_IPV6_ADDRESS);
1998 			parmh->param_length = htons(len);
1999 			memcpy(ipv6p->addr, &sin6->sin6_addr,
2000 			    sizeof(ipv6p->addr));
2001 			/* clear embedded scope in the address */
2002 			in6_clearscope((struct in6_addr *)ipv6p->addr);
2003 			SCTP_BUF_LEN(mret) += len;
2004 			break;
2005 		}
2006 #endif
2007 	default:
2008 		return (m);
2009 	}
2010 	return (mret);
2011 }
2012 
2013 
2014 struct mbuf *
2015 sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_scoping *scope,
2016     struct mbuf *m_at, int cnt_inits_to)
2017 {
2018 	struct sctp_vrf *vrf = NULL;
2019 	int cnt, limit_out = 0, total_count;
2020 	uint32_t vrf_id;
2021 
2022 	vrf_id = inp->def_vrf_id;
2023 	SCTP_IPI_ADDR_RLOCK();
2024 	vrf = sctp_find_vrf(vrf_id);
2025 	if (vrf == NULL) {
2026 		SCTP_IPI_ADDR_RUNLOCK();
2027 		return (m_at);
2028 	}
2029 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
2030 		struct sctp_ifa *sctp_ifap;
2031 		struct sctp_ifn *sctp_ifnp;
2032 
2033 		cnt = cnt_inits_to;
2034 		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
2035 			limit_out = 1;
2036 			cnt = SCTP_ADDRESS_LIMIT;
2037 			goto skip_count;
2038 		}
2039 		LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2040 			if ((scope->loopback_scope == 0) &&
2041 			    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2042 				/*
2043 				 * Skip loopback devices if loopback_scope
2044 				 * not set
2045 				 */
2046 				continue;
2047 			}
2048 			LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2049 				if (sctp_is_address_in_scope(sctp_ifap,
2050 				    scope->ipv4_addr_legal,
2051 				    scope->ipv6_addr_legal,
2052 				    scope->loopback_scope,
2053 				    scope->ipv4_local_scope,
2054 				    scope->local_scope,
2055 				    scope->site_scope, 1) == 0) {
2056 					continue;
2057 				}
2058 				cnt++;
2059 				if (cnt > SCTP_ADDRESS_LIMIT) {
2060 					break;
2061 				}
2062 			}
2063 			if (cnt > SCTP_ADDRESS_LIMIT) {
2064 				break;
2065 			}
2066 		}
2067 skip_count:
2068 		if (cnt > 1) {
2069 			total_count = 0;
2070 			LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2071 				cnt = 0;
2072 				if ((scope->loopback_scope == 0) &&
2073 				    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2074 					/*
2075 					 * Skip loopback devices if
2076 					 * loopback_scope not set
2077 					 */
2078 					continue;
2079 				}
2080 				LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2081 					if (sctp_is_address_in_scope(sctp_ifap,
2082 					    scope->ipv4_addr_legal,
2083 					    scope->ipv6_addr_legal,
2084 					    scope->loopback_scope,
2085 					    scope->ipv4_local_scope,
2086 					    scope->local_scope,
2087 					    scope->site_scope, 0) == 0) {
2088 						continue;
2089 					}
2090 					m_at = sctp_add_addr_to_mbuf(m_at, sctp_ifap);
2091 					if (limit_out) {
2092 						cnt++;
2093 						total_count++;
2094 						if (cnt >= 2) {
2095 							/*
2096 							 * two from each
2097 							 * address
2098 							 */
2099 							break;
2100 						}
2101 						if (total_count > SCTP_ADDRESS_LIMIT) {
2102 							/* No more addresses */
2103 							break;
2104 						}
2105 					}
2106 				}
2107 			}
2108 		}
2109 	} else {
2110 		struct sctp_laddr *laddr;
2111 
2112 		cnt = cnt_inits_to;
2113 		/* First, how many ? */
2114 		LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2115 			if (laddr->ifa == NULL) {
2116 				continue;
2117 			}
2118 			if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2119 				/*
2120 				 * Address being deleted by the system, dont
2121 				 * list.
2122 				 */
2123 				continue;
2124 			if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2125 				/*
2126 				 * Address being deleted on this ep don't
2127 				 * list.
2128 				 */
2129 				continue;
2130 			}
2131 			if (sctp_is_address_in_scope(laddr->ifa,
2132 			    scope->ipv4_addr_legal,
2133 			    scope->ipv6_addr_legal,
2134 			    scope->loopback_scope,
2135 			    scope->ipv4_local_scope,
2136 			    scope->local_scope,
2137 			    scope->site_scope, 1) == 0) {
2138 				continue;
2139 			}
2140 			cnt++;
2141 		}
2142 		if (cnt > SCTP_ADDRESS_LIMIT) {
2143 			limit_out = 1;
2144 		}
2145 		/*
2146 		 * To get through a NAT we only list addresses if we have
2147 		 * more than one. That way if you just bind a single address
2148 		 * we let the source of the init dictate our address.
2149 		 */
2150 		if (cnt > 1) {
2151 			LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2152 				cnt = 0;
2153 				if (laddr->ifa == NULL) {
2154 					continue;
2155 				}
2156 				if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2157 					continue;
2158 
2159 				if (sctp_is_address_in_scope(laddr->ifa,
2160 				    scope->ipv4_addr_legal,
2161 				    scope->ipv6_addr_legal,
2162 				    scope->loopback_scope,
2163 				    scope->ipv4_local_scope,
2164 				    scope->local_scope,
2165 				    scope->site_scope, 0) == 0) {
2166 					continue;
2167 				}
2168 				m_at = sctp_add_addr_to_mbuf(m_at, laddr->ifa);
2169 				cnt++;
2170 				if (cnt >= SCTP_ADDRESS_LIMIT) {
2171 					break;
2172 				}
2173 			}
2174 		}
2175 	}
2176 	SCTP_IPI_ADDR_RUNLOCK();
2177 	return (m_at);
2178 }
2179 
2180 static struct sctp_ifa *
2181 sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
2182     uint8_t dest_is_loop,
2183     uint8_t dest_is_priv,
2184     sa_family_t fam)
2185 {
2186 	uint8_t dest_is_global = 0;
2187 
2188 	/* dest_is_priv is true if destination is a private address */
2189 	/* dest_is_loop is true if destination is a loopback addresses */
2190 
2191 	/**
2192 	 * Here we determine if its a preferred address. A preferred address
2193 	 * means it is the same scope or higher scope then the destination.
2194 	 * L = loopback, P = private, G = global
2195 	 * -----------------------------------------
2196          *    src    |  dest | result
2197          *  ----------------------------------------
2198          *     L     |    L  |    yes
2199          *  -----------------------------------------
2200          *     P     |    L  |    yes-v4 no-v6
2201          *  -----------------------------------------
2202          *     G     |    L  |    yes-v4 no-v6
2203          *  -----------------------------------------
2204          *     L     |    P  |    no
2205          *  -----------------------------------------
2206          *     P     |    P  |    yes
2207          *  -----------------------------------------
2208          *     G     |    P  |    no
2209          *   -----------------------------------------
2210          *     L     |    G  |    no
2211          *   -----------------------------------------
2212          *     P     |    G  |    no
2213          *    -----------------------------------------
2214          *     G     |    G  |    yes
2215          *    -----------------------------------------
2216 	 */
2217 
2218 	if (ifa->address.sa.sa_family != fam) {
2219 		/* forget mis-matched family */
2220 		return (NULL);
2221 	}
2222 	if ((dest_is_priv == 0) && (dest_is_loop == 0)) {
2223 		dest_is_global = 1;
2224 	}
2225 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
2226 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
2227 	/* Ok the address may be ok */
2228 	if (fam == AF_INET6) {
2229 		/* ok to use deprecated addresses? no lets not! */
2230 		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2231 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
2232 			return (NULL);
2233 		}
2234 		if (ifa->src_is_priv && !ifa->src_is_loop) {
2235 			if (dest_is_loop) {
2236 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
2237 				return (NULL);
2238 			}
2239 		}
2240 		if (ifa->src_is_glob) {
2241 			if (dest_is_loop) {
2242 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
2243 				return (NULL);
2244 			}
2245 		}
2246 	}
2247 	/*
2248 	 * Now that we know what is what, implement or table this could in
2249 	 * theory be done slicker (it used to be), but this is
2250 	 * straightforward and easier to validate :-)
2251 	 */
2252 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
2253 	    ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
2254 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
2255 	    dest_is_loop, dest_is_priv, dest_is_global);
2256 
2257 	if ((ifa->src_is_loop) && (dest_is_priv)) {
2258 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
2259 		return (NULL);
2260 	}
2261 	if ((ifa->src_is_glob) && (dest_is_priv)) {
2262 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
2263 		return (NULL);
2264 	}
2265 	if ((ifa->src_is_loop) && (dest_is_global)) {
2266 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
2267 		return (NULL);
2268 	}
2269 	if ((ifa->src_is_priv) && (dest_is_global)) {
2270 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
2271 		return (NULL);
2272 	}
2273 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
2274 	/* its a preferred address */
2275 	return (ifa);
2276 }
2277 
2278 static struct sctp_ifa *
2279 sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
2280     uint8_t dest_is_loop,
2281     uint8_t dest_is_priv,
2282     sa_family_t fam)
2283 {
2284 	uint8_t dest_is_global = 0;
2285 
2286 	/*
2287 	 * Here we determine if its a acceptable address. A acceptable
2288 	 * address means it is the same scope or higher scope but we can
2289 	 * allow for NAT which means its ok to have a global dest and a
2290 	 * private src.
2291 	 *
2292 	 * L = loopback, P = private, G = global
2293 	 * ----------------------------------------- src    |  dest | result
2294 	 * ----------------------------------------- L     |   L   |    yes
2295 	 * ----------------------------------------- P     |   L   |
2296 	 * yes-v4 no-v6 ----------------------------------------- G     |
2297 	 * L   |    yes ----------------------------------------- L     |
2298 	 * P   |    no ----------------------------------------- P     |   P
2299 	 * |    yes ----------------------------------------- G     |   P
2300 	 * |    yes - May not work -----------------------------------------
2301 	 * L     |   G   |    no ----------------------------------------- P
2302 	 * |   G   |    yes - May not work
2303 	 * ----------------------------------------- G     |   G   |    yes
2304 	 * -----------------------------------------
2305 	 */
2306 
2307 	if (ifa->address.sa.sa_family != fam) {
2308 		/* forget non matching family */
2309 		return (NULL);
2310 	}
2311 	/* Ok the address may be ok */
2312 	if ((dest_is_loop == 0) && (dest_is_priv == 0)) {
2313 		dest_is_global = 1;
2314 	}
2315 	if (fam == AF_INET6) {
2316 		/* ok to use deprecated addresses? */
2317 		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2318 			return (NULL);
2319 		}
2320 		if (ifa->src_is_priv) {
2321 			/* Special case, linklocal to loop */
2322 			if (dest_is_loop)
2323 				return (NULL);
2324 		}
2325 	}
2326 	/*
2327 	 * Now that we know what is what, implement our table. This could in
2328 	 * theory be done slicker (it used to be), but this is
2329 	 * straightforward and easier to validate :-)
2330 	 */
2331 	if ((ifa->src_is_loop == 1) && (dest_is_priv)) {
2332 		return (NULL);
2333 	}
2334 	if ((ifa->src_is_loop == 1) && (dest_is_global)) {
2335 		return (NULL);
2336 	}
2337 	/* its an acceptable address */
2338 	return (ifa);
2339 }
2340 
2341 int
2342 sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
2343 {
2344 	struct sctp_laddr *laddr;
2345 
2346 	if (stcb == NULL) {
2347 		/* There are no restrictions, no TCB :-) */
2348 		return (0);
2349 	}
2350 	LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
2351 		if (laddr->ifa == NULL) {
2352 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2353 			    __FUNCTION__);
2354 			continue;
2355 		}
2356 		if (laddr->ifa == ifa) {
2357 			/* Yes it is on the list */
2358 			return (1);
2359 		}
2360 	}
2361 	return (0);
2362 }
2363 
2364 
2365 int
2366 sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
2367 {
2368 	struct sctp_laddr *laddr;
2369 
2370 	if (ifa == NULL)
2371 		return (0);
2372 	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2373 		if (laddr->ifa == NULL) {
2374 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2375 			    __FUNCTION__);
2376 			continue;
2377 		}
2378 		if ((laddr->ifa == ifa) && laddr->action == 0)
2379 			/* same pointer */
2380 			return (1);
2381 	}
2382 	return (0);
2383 }
2384 
2385 
2386 
2387 static struct sctp_ifa *
2388 sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
2389     sctp_route_t * ro,
2390     uint32_t vrf_id,
2391     int non_asoc_addr_ok,
2392     uint8_t dest_is_priv,
2393     uint8_t dest_is_loop,
2394     sa_family_t fam)
2395 {
2396 	struct sctp_laddr *laddr, *starting_point;
2397 	void *ifn;
2398 	int resettotop = 0;
2399 	struct sctp_ifn *sctp_ifn;
2400 	struct sctp_ifa *sctp_ifa, *sifa;
2401 	struct sctp_vrf *vrf;
2402 	uint32_t ifn_index;
2403 
2404 	vrf = sctp_find_vrf(vrf_id);
2405 	if (vrf == NULL)
2406 		return (NULL);
2407 
2408 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2409 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2410 	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2411 	/*
2412 	 * first question, is the ifn we will emit on in our list, if so, we
2413 	 * want such an address. Note that we first looked for a preferred
2414 	 * address.
2415 	 */
2416 	if (sctp_ifn) {
2417 		/* is a preferred one on the interface we route out? */
2418 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2419 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2420 			    (non_asoc_addr_ok == 0))
2421 				continue;
2422 			sifa = sctp_is_ifa_addr_preferred(sctp_ifa,
2423 			    dest_is_loop,
2424 			    dest_is_priv, fam);
2425 			if (sifa == NULL)
2426 				continue;
2427 			if (sctp_is_addr_in_ep(inp, sifa)) {
2428 				atomic_add_int(&sifa->refcount, 1);
2429 				return (sifa);
2430 			}
2431 		}
2432 	}
2433 	/*
2434 	 * ok, now we now need to find one on the list of the addresses. We
2435 	 * can't get one on the emitting interface so let's find first a
2436 	 * preferred one. If not that an acceptable one otherwise... we
2437 	 * return NULL.
2438 	 */
2439 	starting_point = inp->next_addr_touse;
2440 once_again:
2441 	if (inp->next_addr_touse == NULL) {
2442 		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2443 		resettotop = 1;
2444 	}
2445 	for (laddr = inp->next_addr_touse; laddr;
2446 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2447 		if (laddr->ifa == NULL) {
2448 			/* address has been removed */
2449 			continue;
2450 		}
2451 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2452 			/* address is being deleted */
2453 			continue;
2454 		}
2455 		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop,
2456 		    dest_is_priv, fam);
2457 		if (sifa == NULL)
2458 			continue;
2459 		atomic_add_int(&sifa->refcount, 1);
2460 		return (sifa);
2461 	}
2462 	if (resettotop == 0) {
2463 		inp->next_addr_touse = NULL;
2464 		goto once_again;
2465 	}
2466 	inp->next_addr_touse = starting_point;
2467 	resettotop = 0;
2468 once_again_too:
2469 	if (inp->next_addr_touse == NULL) {
2470 		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2471 		resettotop = 1;
2472 	}
2473 	/* ok, what about an acceptable address in the inp */
2474 	for (laddr = inp->next_addr_touse; laddr;
2475 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2476 		if (laddr->ifa == NULL) {
2477 			/* address has been removed */
2478 			continue;
2479 		}
2480 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2481 			/* address is being deleted */
2482 			continue;
2483 		}
2484 		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2485 		    dest_is_priv, fam);
2486 		if (sifa == NULL)
2487 			continue;
2488 		atomic_add_int(&sifa->refcount, 1);
2489 		return (sifa);
2490 	}
2491 	if (resettotop == 0) {
2492 		inp->next_addr_touse = NULL;
2493 		goto once_again_too;
2494 	}
2495 	/*
2496 	 * no address bound can be a source for the destination we are in
2497 	 * trouble
2498 	 */
2499 	return (NULL);
2500 }
2501 
2502 
2503 
2504 static struct sctp_ifa *
2505 sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
2506     struct sctp_tcb *stcb,
2507     struct sctp_nets *net,
2508     sctp_route_t * ro,
2509     uint32_t vrf_id,
2510     uint8_t dest_is_priv,
2511     uint8_t dest_is_loop,
2512     int non_asoc_addr_ok,
2513     sa_family_t fam)
2514 {
2515 	struct sctp_laddr *laddr, *starting_point;
2516 	void *ifn;
2517 	struct sctp_ifn *sctp_ifn;
2518 	struct sctp_ifa *sctp_ifa, *sifa;
2519 	uint8_t start_at_beginning = 0;
2520 	struct sctp_vrf *vrf;
2521 	uint32_t ifn_index;
2522 
2523 	/*
2524 	 * first question, is the ifn we will emit on in our list, if so, we
2525 	 * want that one.
2526 	 */
2527 	vrf = sctp_find_vrf(vrf_id);
2528 	if (vrf == NULL)
2529 		return (NULL);
2530 
2531 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2532 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2533 	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2534 
2535 	/*
2536 	 * first question, is the ifn we will emit on in our list?  If so,
2537 	 * we want that one. First we look for a preferred. Second, we go
2538 	 * for an acceptable.
2539 	 */
2540 	if (sctp_ifn) {
2541 		/* first try for a preferred address on the ep */
2542 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2543 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2544 				continue;
2545 			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2546 				sifa = sctp_is_ifa_addr_preferred(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2547 				if (sifa == NULL)
2548 					continue;
2549 				if (((non_asoc_addr_ok == 0) &&
2550 				    (sctp_is_addr_restricted(stcb, sifa))) ||
2551 				    (non_asoc_addr_ok &&
2552 				    (sctp_is_addr_restricted(stcb, sifa)) &&
2553 				    (!sctp_is_addr_pending(stcb, sifa)))) {
2554 					/* on the no-no list */
2555 					continue;
2556 				}
2557 				atomic_add_int(&sifa->refcount, 1);
2558 				return (sifa);
2559 			}
2560 		}
2561 		/* next try for an acceptable address on the ep */
2562 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2563 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2564 				continue;
2565 			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2566 				sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2567 				if (sifa == NULL)
2568 					continue;
2569 				if (((non_asoc_addr_ok == 0) &&
2570 				    (sctp_is_addr_restricted(stcb, sifa))) ||
2571 				    (non_asoc_addr_ok &&
2572 				    (sctp_is_addr_restricted(stcb, sifa)) &&
2573 				    (!sctp_is_addr_pending(stcb, sifa)))) {
2574 					/* on the no-no list */
2575 					continue;
2576 				}
2577 				atomic_add_int(&sifa->refcount, 1);
2578 				return (sifa);
2579 			}
2580 		}
2581 
2582 	}
2583 	/*
2584 	 * if we can't find one like that then we must look at all addresses
2585 	 * bound to pick one at first preferable then secondly acceptable.
2586 	 */
2587 	starting_point = stcb->asoc.last_used_address;
2588 sctp_from_the_top:
2589 	if (stcb->asoc.last_used_address == NULL) {
2590 		start_at_beginning = 1;
2591 		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2592 	}
2593 	/* search beginning with the last used address */
2594 	for (laddr = stcb->asoc.last_used_address; laddr;
2595 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2596 		if (laddr->ifa == NULL) {
2597 			/* address has been removed */
2598 			continue;
2599 		}
2600 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2601 			/* address is being deleted */
2602 			continue;
2603 		}
2604 		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop, dest_is_priv, fam);
2605 		if (sifa == NULL)
2606 			continue;
2607 		if (((non_asoc_addr_ok == 0) &&
2608 		    (sctp_is_addr_restricted(stcb, sifa))) ||
2609 		    (non_asoc_addr_ok &&
2610 		    (sctp_is_addr_restricted(stcb, sifa)) &&
2611 		    (!sctp_is_addr_pending(stcb, sifa)))) {
2612 			/* on the no-no list */
2613 			continue;
2614 		}
2615 		stcb->asoc.last_used_address = laddr;
2616 		atomic_add_int(&sifa->refcount, 1);
2617 		return (sifa);
2618 	}
2619 	if (start_at_beginning == 0) {
2620 		stcb->asoc.last_used_address = NULL;
2621 		goto sctp_from_the_top;
2622 	}
2623 	/* now try for any higher scope than the destination */
2624 	stcb->asoc.last_used_address = starting_point;
2625 	start_at_beginning = 0;
2626 sctp_from_the_top2:
2627 	if (stcb->asoc.last_used_address == NULL) {
2628 		start_at_beginning = 1;
2629 		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2630 	}
2631 	/* search beginning with the last used address */
2632 	for (laddr = stcb->asoc.last_used_address; laddr;
2633 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2634 		if (laddr->ifa == NULL) {
2635 			/* address has been removed */
2636 			continue;
2637 		}
2638 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2639 			/* address is being deleted */
2640 			continue;
2641 		}
2642 		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2643 		    dest_is_priv, fam);
2644 		if (sifa == NULL)
2645 			continue;
2646 		if (((non_asoc_addr_ok == 0) &&
2647 		    (sctp_is_addr_restricted(stcb, sifa))) ||
2648 		    (non_asoc_addr_ok &&
2649 		    (sctp_is_addr_restricted(stcb, sifa)) &&
2650 		    (!sctp_is_addr_pending(stcb, sifa)))) {
2651 			/* on the no-no list */
2652 			continue;
2653 		}
2654 		stcb->asoc.last_used_address = laddr;
2655 		atomic_add_int(&sifa->refcount, 1);
2656 		return (sifa);
2657 	}
2658 	if (start_at_beginning == 0) {
2659 		stcb->asoc.last_used_address = NULL;
2660 		goto sctp_from_the_top2;
2661 	}
2662 	return (NULL);
2663 }
2664 
2665 static struct sctp_ifa *
2666 sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
2667     struct sctp_tcb *stcb,
2668     int non_asoc_addr_ok,
2669     uint8_t dest_is_loop,
2670     uint8_t dest_is_priv,
2671     int addr_wanted,
2672     sa_family_t fam,
2673     sctp_route_t * ro
2674 )
2675 {
2676 	struct sctp_ifa *ifa, *sifa;
2677 	int num_eligible_addr = 0;
2678 
2679 #ifdef INET6
2680 	struct sockaddr_in6 sin6, lsa6;
2681 
2682 	if (fam == AF_INET6) {
2683 		memcpy(&sin6, &ro->ro_dst, sizeof(struct sockaddr_in6));
2684 		(void)sa6_recoverscope(&sin6);
2685 	}
2686 #endif				/* INET6 */
2687 	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2688 		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2689 		    (non_asoc_addr_ok == 0))
2690 			continue;
2691 		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2692 		    dest_is_priv, fam);
2693 		if (sifa == NULL)
2694 			continue;
2695 #ifdef INET6
2696 		if (fam == AF_INET6 &&
2697 		    dest_is_loop &&
2698 		    sifa->src_is_loop && sifa->src_is_priv) {
2699 			/*
2700 			 * don't allow fe80::1 to be a src on loop ::1, we
2701 			 * don't list it to the peer so we will get an
2702 			 * abort.
2703 			 */
2704 			continue;
2705 		}
2706 		if (fam == AF_INET6 &&
2707 		    IN6_IS_ADDR_LINKLOCAL(&sifa->address.sin6.sin6_addr) &&
2708 		    IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
2709 			/*
2710 			 * link-local <-> link-local must belong to the same
2711 			 * scope.
2712 			 */
2713 			memcpy(&lsa6, &sifa->address.sin6, sizeof(struct sockaddr_in6));
2714 			(void)sa6_recoverscope(&lsa6);
2715 			if (sin6.sin6_scope_id != lsa6.sin6_scope_id) {
2716 				continue;
2717 			}
2718 		}
2719 #endif				/* INET6 */
2720 
2721 		/*
2722 		 * Check if the IPv6 address matches to next-hop. In the
2723 		 * mobile case, old IPv6 address may be not deleted from the
2724 		 * interface. Then, the interface has previous and new
2725 		 * addresses.  We should use one corresponding to the
2726 		 * next-hop.  (by micchie)
2727 		 */
2728 #ifdef INET6
2729 		if (stcb && fam == AF_INET6 &&
2730 		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2731 			if (sctp_v6src_match_nexthop(&sifa->address.sin6, ro)
2732 			    == 0) {
2733 				continue;
2734 			}
2735 		}
2736 #endif
2737 		/* Avoid topologically incorrect IPv4 address */
2738 		if (stcb && fam == AF_INET &&
2739 		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2740 			if (sctp_v4src_match_nexthop(sifa, ro) == 0) {
2741 				continue;
2742 			}
2743 		}
2744 		if (stcb) {
2745 			if (sctp_is_address_in_scope(ifa,
2746 			    stcb->asoc.ipv4_addr_legal,
2747 			    stcb->asoc.ipv6_addr_legal,
2748 			    stcb->asoc.loopback_scope,
2749 			    stcb->asoc.ipv4_local_scope,
2750 			    stcb->asoc.local_scope,
2751 			    stcb->asoc.site_scope, 0) == 0) {
2752 				continue;
2753 			}
2754 			if (((non_asoc_addr_ok == 0) &&
2755 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2756 			    (non_asoc_addr_ok &&
2757 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2758 			    (!sctp_is_addr_pending(stcb, sifa)))) {
2759 				/*
2760 				 * It is restricted for some reason..
2761 				 * probably not yet added.
2762 				 */
2763 				continue;
2764 			}
2765 		}
2766 		if (num_eligible_addr >= addr_wanted) {
2767 			return (sifa);
2768 		}
2769 		num_eligible_addr++;
2770 	}
2771 	return (NULL);
2772 }
2773 
2774 
2775 static int
2776 sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
2777     struct sctp_tcb *stcb,
2778     int non_asoc_addr_ok,
2779     uint8_t dest_is_loop,
2780     uint8_t dest_is_priv,
2781     sa_family_t fam)
2782 {
2783 	struct sctp_ifa *ifa, *sifa;
2784 	int num_eligible_addr = 0;
2785 
2786 	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2787 		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2788 		    (non_asoc_addr_ok == 0)) {
2789 			continue;
2790 		}
2791 		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2792 		    dest_is_priv, fam);
2793 		if (sifa == NULL) {
2794 			continue;
2795 		}
2796 		if (stcb) {
2797 			if (sctp_is_address_in_scope(ifa,
2798 			    stcb->asoc.ipv4_addr_legal,
2799 			    stcb->asoc.ipv6_addr_legal,
2800 			    stcb->asoc.loopback_scope,
2801 			    stcb->asoc.ipv4_local_scope,
2802 			    stcb->asoc.local_scope,
2803 			    stcb->asoc.site_scope, 0) == 0) {
2804 				continue;
2805 			}
2806 			if (((non_asoc_addr_ok == 0) &&
2807 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2808 			    (non_asoc_addr_ok &&
2809 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2810 			    (!sctp_is_addr_pending(stcb, sifa)))) {
2811 				/*
2812 				 * It is restricted for some reason..
2813 				 * probably not yet added.
2814 				 */
2815 				continue;
2816 			}
2817 		}
2818 		num_eligible_addr++;
2819 	}
2820 	return (num_eligible_addr);
2821 }
2822 
2823 static struct sctp_ifa *
2824 sctp_choose_boundall(struct sctp_inpcb *inp,
2825     struct sctp_tcb *stcb,
2826     struct sctp_nets *net,
2827     sctp_route_t * ro,
2828     uint32_t vrf_id,
2829     uint8_t dest_is_priv,
2830     uint8_t dest_is_loop,
2831     int non_asoc_addr_ok,
2832     sa_family_t fam)
2833 {
2834 	int cur_addr_num = 0, num_preferred = 0;
2835 	void *ifn;
2836 	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
2837 	struct sctp_ifa *sctp_ifa, *sifa;
2838 	uint32_t ifn_index;
2839 	struct sctp_vrf *vrf;
2840 
2841 	/*-
2842 	 * For boundall we can use any address in the association.
2843 	 * If non_asoc_addr_ok is set we can use any address (at least in
2844 	 * theory). So we look for preferred addresses first. If we find one,
2845 	 * we use it. Otherwise we next try to get an address on the
2846 	 * interface, which we should be able to do (unless non_asoc_addr_ok
2847 	 * is false and we are routed out that way). In these cases where we
2848 	 * can't use the address of the interface we go through all the
2849 	 * ifn's looking for an address we can use and fill that in. Punting
2850 	 * means we send back address 0, which will probably cause problems
2851 	 * actually since then IP will fill in the address of the route ifn,
2852 	 * which means we probably already rejected it.. i.e. here comes an
2853 	 * abort :-<.
2854 	 */
2855 	vrf = sctp_find_vrf(vrf_id);
2856 	if (vrf == NULL)
2857 		return (NULL);
2858 
2859 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2860 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2861 	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2862 	if (sctp_ifn == NULL) {
2863 		/* ?? We don't have this guy ?? */
2864 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No ifn emit interface?\n");
2865 		goto bound_all_plan_b;
2866 	}
2867 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn_index:%d name:%s is emit interface\n",
2868 	    ifn_index, sctp_ifn->ifn_name);
2869 
2870 	if (net) {
2871 		cur_addr_num = net->indx_of_eligible_next_to_use;
2872 	}
2873 	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
2874 	    stcb,
2875 	    non_asoc_addr_ok,
2876 	    dest_is_loop,
2877 	    dest_is_priv, fam);
2878 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
2879 	    num_preferred, sctp_ifn->ifn_name);
2880 	if (num_preferred == 0) {
2881 		/*
2882 		 * no eligible addresses, we must use some other interface
2883 		 * address if we can find one.
2884 		 */
2885 		goto bound_all_plan_b;
2886 	}
2887 	/*
2888 	 * Ok we have num_eligible_addr set with how many we can use, this
2889 	 * may vary from call to call due to addresses being deprecated
2890 	 * etc..
2891 	 */
2892 	if (cur_addr_num >= num_preferred) {
2893 		cur_addr_num = 0;
2894 	}
2895 	/*
2896 	 * select the nth address from the list (where cur_addr_num is the
2897 	 * nth) and 0 is the first one, 1 is the second one etc...
2898 	 */
2899 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);
2900 
2901 	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, stcb, non_asoc_addr_ok, dest_is_loop,
2902 	    dest_is_priv, cur_addr_num, fam, ro);
2903 
2904 	/* if sctp_ifa is NULL something changed??, fall to plan b. */
2905 	if (sctp_ifa) {
2906 		atomic_add_int(&sctp_ifa->refcount, 1);
2907 		if (net) {
2908 			/* save off where the next one we will want */
2909 			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
2910 		}
2911 		return (sctp_ifa);
2912 	}
2913 	/*
2914 	 * plan_b: Look at all interfaces and find a preferred address. If
2915 	 * no preferred fall through to plan_c.
2916 	 */
2917 bound_all_plan_b:
2918 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
2919 	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
2920 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
2921 		    sctp_ifn->ifn_name);
2922 		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
2923 			/* wrong base scope */
2924 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
2925 			continue;
2926 		}
2927 		if ((sctp_ifn == looked_at) && looked_at) {
2928 			/* already looked at this guy */
2929 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
2930 			continue;
2931 		}
2932 		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, stcb, non_asoc_addr_ok,
2933 		    dest_is_loop, dest_is_priv, fam);
2934 		SCTPDBG(SCTP_DEBUG_OUTPUT2,
2935 		    "Found ifn:%p %d preferred source addresses\n",
2936 		    ifn, num_preferred);
2937 		if (num_preferred == 0) {
2938 			/* None on this interface. */
2939 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefered -- skipping to next\n");
2940 			continue;
2941 		}
2942 		SCTPDBG(SCTP_DEBUG_OUTPUT2,
2943 		    "num preferred:%d on interface:%p cur_addr_num:%d\n",
2944 		    num_preferred, sctp_ifn, cur_addr_num);
2945 
2946 		/*
2947 		 * Ok we have num_eligible_addr set with how many we can
2948 		 * use, this may vary from call to call due to addresses
2949 		 * being deprecated etc..
2950 		 */
2951 		if (cur_addr_num >= num_preferred) {
2952 			cur_addr_num = 0;
2953 		}
2954 		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, stcb, non_asoc_addr_ok, dest_is_loop,
2955 		    dest_is_priv, cur_addr_num, fam, ro);
2956 		if (sifa == NULL)
2957 			continue;
2958 		if (net) {
2959 			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
2960 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
2961 			    cur_addr_num);
2962 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
2963 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
2964 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
2965 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
2966 		}
2967 		atomic_add_int(&sifa->refcount, 1);
2968 		return (sifa);
2969 
2970 	}
2971 
2972 	/* plan_c: do we have an acceptable address on the emit interface */
2973 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan C: find acceptable on interface\n");
2974 	if (emit_ifn == NULL) {
2975 		goto plan_d;
2976 	}
2977 	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
2978 		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2979 		    (non_asoc_addr_ok == 0))
2980 			continue;
2981 		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
2982 		    dest_is_priv, fam);
2983 		if (sifa == NULL)
2984 			continue;
2985 		if (stcb) {
2986 			if (sctp_is_address_in_scope(sifa,
2987 			    stcb->asoc.ipv4_addr_legal,
2988 			    stcb->asoc.ipv6_addr_legal,
2989 			    stcb->asoc.loopback_scope,
2990 			    stcb->asoc.ipv4_local_scope,
2991 			    stcb->asoc.local_scope,
2992 			    stcb->asoc.site_scope, 0) == 0) {
2993 				continue;
2994 			}
2995 			if (((non_asoc_addr_ok == 0) &&
2996 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2997 			    (non_asoc_addr_ok &&
2998 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2999 			    (!sctp_is_addr_pending(stcb, sifa)))) {
3000 				/*
3001 				 * It is restricted for some reason..
3002 				 * probably not yet added.
3003 				 */
3004 				continue;
3005 			}
3006 		}
3007 		atomic_add_int(&sifa->refcount, 1);
3008 		return (sifa);
3009 	}
3010 plan_d:
3011 	/*
3012 	 * plan_d: We are in trouble. No preferred address on the emit
3013 	 * interface. And not even a preferred address on all interfaces. Go
3014 	 * out and see if we can find an acceptable address somewhere
3015 	 * amongst all interfaces.
3016 	 */
3017 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D\n");
3018 	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3019 		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3020 			/* wrong base scope */
3021 			continue;
3022 		}
3023 		if ((sctp_ifn == looked_at) && looked_at)
3024 			/* already looked at this guy */
3025 			continue;
3026 
3027 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3028 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3029 			    (non_asoc_addr_ok == 0))
3030 				continue;
3031 			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3032 			    dest_is_loop,
3033 			    dest_is_priv, fam);
3034 			if (sifa == NULL)
3035 				continue;
3036 			if (stcb) {
3037 				if (sctp_is_address_in_scope(sifa,
3038 				    stcb->asoc.ipv4_addr_legal,
3039 				    stcb->asoc.ipv6_addr_legal,
3040 				    stcb->asoc.loopback_scope,
3041 				    stcb->asoc.ipv4_local_scope,
3042 				    stcb->asoc.local_scope,
3043 				    stcb->asoc.site_scope, 0) == 0) {
3044 					continue;
3045 				}
3046 				if (((non_asoc_addr_ok == 0) &&
3047 				    (sctp_is_addr_restricted(stcb, sifa))) ||
3048 				    (non_asoc_addr_ok &&
3049 				    (sctp_is_addr_restricted(stcb, sifa)) &&
3050 				    (!sctp_is_addr_pending(stcb, sifa)))) {
3051 					/*
3052 					 * It is restricted for some
3053 					 * reason.. probably not yet added.
3054 					 */
3055 					continue;
3056 				}
3057 			}
3058 			atomic_add_int(&sifa->refcount, 1);
3059 			return (sifa);
3060 		}
3061 	}
3062 	/*
3063 	 * Ok we can find NO address to source from that is not on our
3064 	 * restricted list and non_asoc_address is NOT ok, or it is on our
3065 	 * restricted list. We can't source to it :-(
3066 	 */
3067 	return (NULL);
3068 }
3069 
3070 
3071 
3072 /* tcb may be NULL */
3073 struct sctp_ifa *
3074 sctp_source_address_selection(struct sctp_inpcb *inp,
3075     struct sctp_tcb *stcb,
3076     sctp_route_t * ro,
3077     struct sctp_nets *net,
3078     int non_asoc_addr_ok, uint32_t vrf_id)
3079 {
3080 	struct sockaddr_in *to = (struct sockaddr_in *)&ro->ro_dst;
3081 
3082 #ifdef INET6
3083 	struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&ro->ro_dst;
3084 
3085 #endif
3086 	struct sctp_ifa *answer;
3087 	uint8_t dest_is_priv, dest_is_loop;
3088 	sa_family_t fam;
3089 
3090 	/*-
3091 	 * Rules: - Find the route if needed, cache if I can. - Look at
3092 	 * interface address in route, Is it in the bound list. If so we
3093 	 * have the best source. - If not we must rotate amongst the
3094 	 * addresses.
3095 	 *
3096 	 * Cavets and issues
3097 	 *
3098 	 * Do we need to pay attention to scope. We can have a private address
3099 	 * or a global address we are sourcing or sending to. So if we draw
3100 	 * it out
3101 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3102 	 * For V4
3103 	 * ------------------------------------------
3104 	 *      source     *      dest  *  result
3105 	 * -----------------------------------------
3106 	 * <a>  Private    *    Global  *  NAT
3107 	 * -----------------------------------------
3108 	 * <b>  Private    *    Private *  No problem
3109 	 * -----------------------------------------
3110 	 * <c>  Global     *    Private *  Huh, How will this work?
3111 	 * -----------------------------------------
3112 	 * <d>  Global     *    Global  *  No Problem
3113 	 *------------------------------------------
3114 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3115 	 * For V6
3116 	 *------------------------------------------
3117 	 *      source     *      dest  *  result
3118 	 * -----------------------------------------
3119 	 * <a>  Linklocal  *    Global  *
3120 	 * -----------------------------------------
3121 	 * <b>  Linklocal  * Linklocal  *  No problem
3122 	 * -----------------------------------------
3123 	 * <c>  Global     * Linklocal  *  Huh, How will this work?
3124 	 * -----------------------------------------
3125 	 * <d>  Global     *    Global  *  No Problem
3126 	 *------------------------------------------
3127 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3128 	 *
3129 	 * And then we add to that what happens if there are multiple addresses
3130 	 * assigned to an interface. Remember the ifa on a ifn is a linked
3131 	 * list of addresses. So one interface can have more than one IP
3132 	 * address. What happens if we have both a private and a global
3133 	 * address? Do we then use context of destination to sort out which
3134 	 * one is best? And what about NAT's sending P->G may get you a NAT
3135 	 * translation, or should you select the G thats on the interface in
3136 	 * preference.
3137 	 *
3138 	 * Decisions:
3139 	 *
3140 	 * - count the number of addresses on the interface.
3141 	 * - if it is one, no problem except case <c>.
3142 	 *   For <a> we will assume a NAT out there.
3143 	 * - if there are more than one, then we need to worry about scope P
3144 	 *   or G. We should prefer G -> G and P -> P if possible.
3145 	 *   Then as a secondary fall back to mixed types G->P being a last
3146 	 *   ditch one.
3147 	 * - The above all works for bound all, but bound specific we need to
3148 	 *   use the same concept but instead only consider the bound
3149 	 *   addresses. If the bound set is NOT assigned to the interface then
3150 	 *   we must use rotation amongst the bound addresses..
3151 	 */
3152 	if (ro->ro_rt == NULL) {
3153 		/*
3154 		 * Need a route to cache.
3155 		 */
3156 		SCTP_RTALLOC(ro, vrf_id);
3157 	}
3158 	if (ro->ro_rt == NULL) {
3159 		return (NULL);
3160 	}
3161 	fam = to->sin_family;
3162 	dest_is_priv = dest_is_loop = 0;
3163 	/* Setup our scopes for the destination */
3164 	switch (fam) {
3165 	case AF_INET:
3166 		/* Scope based on outbound address */
3167 		if (IN4_ISLOOPBACK_ADDRESS(&to->sin_addr)) {
3168 			dest_is_loop = 1;
3169 			if (net != NULL) {
3170 				/* mark it as local */
3171 				net->addr_is_local = 1;
3172 			}
3173 		} else if ((IN4_ISPRIVATE_ADDRESS(&to->sin_addr))) {
3174 			dest_is_priv = 1;
3175 		}
3176 		break;
3177 #ifdef INET6
3178 	case AF_INET6:
3179 		/* Scope based on outbound address */
3180 		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr) ||
3181 		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
3182 			/*
3183 			 * If the address is a loopback address, which
3184 			 * consists of "::1" OR "fe80::1%lo0", we are
3185 			 * loopback scope. But we don't use dest_is_priv
3186 			 * (link local addresses).
3187 			 */
3188 			dest_is_loop = 1;
3189 			if (net != NULL) {
3190 				/* mark it as local */
3191 				net->addr_is_local = 1;
3192 			}
3193 		} else if (IN6_IS_ADDR_LINKLOCAL(&to6->sin6_addr)) {
3194 			dest_is_priv = 1;
3195 		}
3196 		break;
3197 #endif
3198 	}
3199 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
3200 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)to);
3201 	SCTP_IPI_ADDR_RLOCK();
3202 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
3203 		/*
3204 		 * Bound all case
3205 		 */
3206 		answer = sctp_choose_boundall(inp, stcb, net, ro, vrf_id,
3207 		    dest_is_priv, dest_is_loop,
3208 		    non_asoc_addr_ok, fam);
3209 		SCTP_IPI_ADDR_RUNLOCK();
3210 		return (answer);
3211 	}
3212 	/*
3213 	 * Subset bound case
3214 	 */
3215 	if (stcb) {
3216 		answer = sctp_choose_boundspecific_stcb(inp, stcb, net, ro,
3217 		    vrf_id, dest_is_priv,
3218 		    dest_is_loop,
3219 		    non_asoc_addr_ok, fam);
3220 	} else {
3221 		answer = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
3222 		    non_asoc_addr_ok,
3223 		    dest_is_priv,
3224 		    dest_is_loop, fam);
3225 	}
3226 	SCTP_IPI_ADDR_RUNLOCK();
3227 	return (answer);
3228 }
3229 
3230 static int
3231 sctp_find_cmsg(int c_type, void *data, struct mbuf *control, int cpsize)
3232 {
3233 	struct cmsghdr cmh;
3234 	int tlen, at;
3235 
3236 	tlen = SCTP_BUF_LEN(control);
3237 	at = 0;
3238 	/*
3239 	 * Independent of how many mbufs, find the c_type inside the control
3240 	 * structure and copy out the data.
3241 	 */
3242 	while (at < tlen) {
3243 		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3244 			/* not enough room for one more we are done. */
3245 			return (0);
3246 		}
3247 		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3248 		if (((int)cmh.cmsg_len + at) > tlen) {
3249 			/*
3250 			 * this is real messed up since there is not enough
3251 			 * data here to cover the cmsg header. We are done.
3252 			 */
3253 			return (0);
3254 		}
3255 		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
3256 		    (c_type == cmh.cmsg_type)) {
3257 			/* found the one we want, copy it out */
3258 			at += CMSG_ALIGN(sizeof(struct cmsghdr));
3259 			if ((int)(cmh.cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr))) < cpsize) {
3260 				/*
3261 				 * space of cmsg_len after header not big
3262 				 * enough
3263 				 */
3264 				return (0);
3265 			}
3266 			m_copydata(control, at, cpsize, data);
3267 			return (1);
3268 		} else {
3269 			at += CMSG_ALIGN(cmh.cmsg_len);
3270 			if (cmh.cmsg_len == 0) {
3271 				break;
3272 			}
3273 		}
3274 	}
3275 	/* not found */
3276 	return (0);
3277 }
3278 
3279 static struct mbuf *
3280 sctp_add_cookie(struct sctp_inpcb *inp, struct mbuf *init, int init_offset,
3281     struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t ** signature)
3282 {
3283 	struct mbuf *copy_init, *copy_initack, *m_at, *sig, *mret;
3284 	struct sctp_state_cookie *stc;
3285 	struct sctp_paramhdr *ph;
3286 	uint8_t *foo;
3287 	int sig_offset;
3288 	uint16_t cookie_sz;
3289 
3290 	mret = NULL;
3291 	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
3292 	    sizeof(struct sctp_paramhdr)), 0,
3293 	    M_DONTWAIT, 1, MT_DATA);
3294 	if (mret == NULL) {
3295 		return (NULL);
3296 	}
3297 	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_DONTWAIT);
3298 	if (copy_init == NULL) {
3299 		sctp_m_freem(mret);
3300 		return (NULL);
3301 	}
3302 #ifdef SCTP_MBUF_LOGGING
3303 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3304 		struct mbuf *mat;
3305 
3306 		mat = copy_init;
3307 		while (mat) {
3308 			if (SCTP_BUF_IS_EXTENDED(mat)) {
3309 				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3310 			}
3311 			mat = SCTP_BUF_NEXT(mat);
3312 		}
3313 	}
3314 #endif
3315 	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
3316 	    M_DONTWAIT);
3317 	if (copy_initack == NULL) {
3318 		sctp_m_freem(mret);
3319 		sctp_m_freem(copy_init);
3320 		return (NULL);
3321 	}
3322 #ifdef SCTP_MBUF_LOGGING
3323 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3324 		struct mbuf *mat;
3325 
3326 		mat = copy_initack;
3327 		while (mat) {
3328 			if (SCTP_BUF_IS_EXTENDED(mat)) {
3329 				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3330 			}
3331 			mat = SCTP_BUF_NEXT(mat);
3332 		}
3333 	}
3334 #endif
3335 	/* easy side we just drop it on the end */
3336 	ph = mtod(mret, struct sctp_paramhdr *);
3337 	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
3338 	    sizeof(struct sctp_paramhdr);
3339 	stc = (struct sctp_state_cookie *)((caddr_t)ph +
3340 	    sizeof(struct sctp_paramhdr));
3341 	ph->param_type = htons(SCTP_STATE_COOKIE);
3342 	ph->param_length = 0;	/* fill in at the end */
3343 	/* Fill in the stc cookie data */
3344 	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));
3345 
3346 	/* tack the INIT and then the INIT-ACK onto the chain */
3347 	cookie_sz = 0;
3348 	m_at = mret;
3349 	for (m_at = mret; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3350 		cookie_sz += SCTP_BUF_LEN(m_at);
3351 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3352 			SCTP_BUF_NEXT(m_at) = copy_init;
3353 			break;
3354 		}
3355 	}
3356 
3357 	for (m_at = copy_init; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3358 		cookie_sz += SCTP_BUF_LEN(m_at);
3359 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3360 			SCTP_BUF_NEXT(m_at) = copy_initack;
3361 			break;
3362 		}
3363 	}
3364 
3365 	for (m_at = copy_initack; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3366 		cookie_sz += SCTP_BUF_LEN(m_at);
3367 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3368 			break;
3369 		}
3370 	}
3371 	sig = sctp_get_mbuf_for_msg(SCTP_SECRET_SIZE, 0, M_DONTWAIT, 1, MT_DATA);
3372 	if (sig == NULL) {
3373 		/* no space, so free the entire chain */
3374 		sctp_m_freem(mret);
3375 		return (NULL);
3376 	}
3377 	SCTP_BUF_LEN(sig) = 0;
3378 	SCTP_BUF_NEXT(m_at) = sig;
3379 	sig_offset = 0;
3380 	foo = (uint8_t *) (mtod(sig, caddr_t)+sig_offset);
3381 	memset(foo, 0, SCTP_SIGNATURE_SIZE);
3382 	*signature = foo;
3383 	SCTP_BUF_LEN(sig) += SCTP_SIGNATURE_SIZE;
3384 	cookie_sz += SCTP_SIGNATURE_SIZE;
3385 	ph->param_length = htons(cookie_sz);
3386 	return (mret);
3387 }
3388 
3389 
3390 static uint8_t
3391 sctp_get_ect(struct sctp_tcb *stcb,
3392     struct sctp_tmit_chunk *chk)
3393 {
3394 	if ((stcb != NULL) && (stcb->asoc.ecn_allowed == 1)) {
3395 		return (SCTP_ECT0_BIT);
3396 	} else {
3397 		return (0);
3398 	}
3399 }
3400 
3401 static int
3402 sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
3403     struct sctp_tcb *stcb,	/* may be NULL */
3404     struct sctp_nets *net,
3405     struct sockaddr *to,
3406     struct mbuf *m,
3407     uint32_t auth_offset,
3408     struct sctp_auth_chunk *auth,
3409     uint16_t auth_keyid,
3410     int nofragment_flag,
3411     int ecn_ok,
3412     struct sctp_tmit_chunk *chk,
3413     int out_of_asoc_ok,
3414     uint16_t src_port,
3415     uint16_t dest_port,
3416     uint32_t v_tag,
3417     uint16_t port,
3418     int so_locked,
3419 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3420     SCTP_UNUSED
3421 #endif
3422     union sctp_sockstore *over_addr,
3423     struct mbuf *init
3424 )
3425 /* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
3426 {
3427 	/*
3428 	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet
3429 	 * header WITH an SCTPHDR but no IP header, endpoint inp and sa
3430 	 * structure: - fill in the HMAC digest of any AUTH chunk in the
3431 	 * packet. - calculate and fill in the SCTP checksum. - prepend an
3432 	 * IP address header. - if boundall use INADDR_ANY. - if
3433 	 * boundspecific do source address selection. - set fragmentation
3434 	 * option for ipV4. - On return from IP output, check/adjust mtu
3435 	 * size of output interface and smallest_mtu size as well.
3436 	 */
3437 	/* Will need ifdefs around this */
3438 	struct mbuf *o_pak;
3439 	struct mbuf *newm;
3440 	struct sctphdr *sctphdr;
3441 	int packet_length;
3442 	int ret;
3443 	uint32_t vrf_id;
3444 	sctp_route_t *ro = NULL;
3445 	struct udphdr *udp = NULL;
3446 
3447 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3448 	struct socket *so = NULL;
3449 
3450 #endif
3451 
3452 	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
3453 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
3454 		sctp_m_freem(m);
3455 		return (EFAULT);
3456 	}
3457 	if (stcb) {
3458 		vrf_id = stcb->asoc.vrf_id;
3459 	} else {
3460 		vrf_id = inp->def_vrf_id;
3461 	}
3462 
3463 	/* fill in the HMAC digest for any AUTH chunk in the packet */
3464 	if ((auth != NULL) && (stcb != NULL)) {
3465 		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
3466 	}
3467 	if (to->sa_family == AF_INET) {
3468 		struct ip *ip = NULL;
3469 		sctp_route_t iproute;
3470 		uint8_t tos_value;
3471 		int len;
3472 
3473 		len = sizeof(struct ip) + sizeof(struct sctphdr);
3474 		if (port) {
3475 			len += sizeof(struct udphdr);
3476 		}
3477 		newm = sctp_get_mbuf_for_msg(len, 1, M_DONTWAIT, 1, MT_DATA);
3478 		if (newm == NULL) {
3479 			sctp_m_freem(m);
3480 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
3481 			return (ENOMEM);
3482 		}
3483 		SCTP_ALIGN_TO_END(newm, len);
3484 		SCTP_BUF_LEN(newm) = len;
3485 		SCTP_BUF_NEXT(newm) = m;
3486 		m = newm;
3487 		if (net != NULL) {
3488 #ifdef INVARIANTS
3489 			if (net->flowidset == 0) {
3490 				panic("Flow ID not set");
3491 			}
3492 #endif
3493 			m->m_pkthdr.flowid = net->flowid;
3494 			m->m_flags |= M_FLOWID;
3495 		} else {
3496 			if ((init != NULL) && (init->m_flags & M_FLOWID)) {
3497 				m->m_pkthdr.flowid = init->m_pkthdr.flowid;
3498 				m->m_flags |= M_FLOWID;
3499 			}
3500 		}
3501 		packet_length = sctp_calculate_len(m);
3502 		ip = mtod(m, struct ip *);
3503 		ip->ip_v = IPVERSION;
3504 		ip->ip_hl = (sizeof(struct ip) >> 2);
3505 		if (net) {
3506 			tos_value = net->tos_flowlabel & 0x000000ff;
3507 		} else {
3508 			tos_value = inp->ip_inp.inp.inp_ip_tos;
3509 		}
3510 		if ((nofragment_flag) && (port == 0)) {
3511 			ip->ip_off = IP_DF;
3512 		} else
3513 			ip->ip_off = 0;
3514 
3515 		/* FreeBSD has a function for ip_id's */
3516 		ip->ip_id = ip_newid();
3517 
3518 		ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
3519 		ip->ip_len = packet_length;
3520 		ip->ip_tos = tos_value & 0xfc;
3521 		if (ecn_ok) {
3522 			ip->ip_tos |= sctp_get_ect(stcb, chk);
3523 		}
3524 		if (port) {
3525 			ip->ip_p = IPPROTO_UDP;
3526 		} else {
3527 			ip->ip_p = IPPROTO_SCTP;
3528 		}
3529 		ip->ip_sum = 0;
3530 		if (net == NULL) {
3531 			ro = &iproute;
3532 			memset(&iproute, 0, sizeof(iproute));
3533 			memcpy(&ro->ro_dst, to, to->sa_len);
3534 		} else {
3535 			ro = (sctp_route_t *) & net->ro;
3536 		}
3537 		/* Now the address selection part */
3538 		ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
3539 
3540 		/* call the routine to select the src address */
3541 		if (net && out_of_asoc_ok == 0) {
3542 			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
3543 				sctp_free_ifa(net->ro._s_addr);
3544 				net->ro._s_addr = NULL;
3545 				net->src_addr_selected = 0;
3546 				if (ro->ro_rt) {
3547 					RTFREE(ro->ro_rt);
3548 					ro->ro_rt = NULL;
3549 				}
3550 			}
3551 			if (net->src_addr_selected == 0) {
3552 				/* Cache the source address */
3553 				net->ro._s_addr = sctp_source_address_selection(inp, stcb,
3554 				    ro, net, 0,
3555 				    vrf_id);
3556 				net->src_addr_selected = 1;
3557 			}
3558 			if (net->ro._s_addr == NULL) {
3559 				/* No route to host */
3560 				net->src_addr_selected = 0;
3561 				goto no_route;
3562 			}
3563 			ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
3564 		} else {
3565 			if (over_addr == NULL) {
3566 				struct sctp_ifa *_lsrc;
3567 
3568 				_lsrc = sctp_source_address_selection(inp, stcb, ro,
3569 				    net,
3570 				    out_of_asoc_ok,
3571 				    vrf_id);
3572 				if (_lsrc == NULL) {
3573 					goto no_route;
3574 				}
3575 				ip->ip_src = _lsrc->address.sin.sin_addr;
3576 				sctp_free_ifa(_lsrc);
3577 			} else {
3578 				ip->ip_src = over_addr->sin.sin_addr;
3579 				SCTP_RTALLOC(ro, vrf_id);
3580 			}
3581 		}
3582 		if (port) {
3583 			udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
3584 			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
3585 			udp->uh_dport = port;
3586 			udp->uh_ulen = htons(packet_length - sizeof(struct ip));
3587 			udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
3588 			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
3589 		} else {
3590 			sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
3591 		}
3592 
3593 		sctphdr->src_port = src_port;
3594 		sctphdr->dest_port = dest_port;
3595 		sctphdr->v_tag = v_tag;
3596 		sctphdr->checksum = 0;
3597 
3598 		/*
3599 		 * If source address selection fails and we find no route
3600 		 * then the ip_output should fail as well with a
3601 		 * NO_ROUTE_TO_HOST type error. We probably should catch
3602 		 * that somewhere and abort the association right away
3603 		 * (assuming this is an INIT being sent).
3604 		 */
3605 		if ((ro->ro_rt == NULL)) {
3606 			/*
3607 			 * src addr selection failed to find a route (or
3608 			 * valid source addr), so we can't get there from
3609 			 * here (yet)!
3610 			 */
3611 	no_route:
3612 			SCTPDBG(SCTP_DEBUG_OUTPUT1,
3613 			    "%s: dropped packet - no valid source addr\n",
3614 			    __FUNCTION__);
3615 			if (net) {
3616 				SCTPDBG(SCTP_DEBUG_OUTPUT1,
3617 				    "Destination was ");
3618 				SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1,
3619 				    &net->ro._l_addr.sa);
3620 				if (net->dest_state & SCTP_ADDR_CONFIRMED) {
3621 					if ((net->dest_state & SCTP_ADDR_REACHABLE) && stcb) {
3622 						SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", net);
3623 						sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
3624 						    stcb,
3625 						    SCTP_FAILED_THRESHOLD,
3626 						    (void *)net,
3627 						    so_locked);
3628 						net->dest_state &= ~SCTP_ADDR_REACHABLE;
3629 						net->dest_state |= SCTP_ADDR_NOT_REACHABLE;
3630 						/*
3631 						 * JRS 5/14/07 - If a
3632 						 * destination is
3633 						 * unreachable, the PF bit
3634 						 * is turned off.  This
3635 						 * allows an unambiguous use
3636 						 * of the PF bit for
3637 						 * destinations that are
3638 						 * reachable but potentially
3639 						 * failed. If the
3640 						 * destination is set to the
3641 						 * unreachable state, also
3642 						 * set the destination to
3643 						 * the PF state.
3644 						 */
3645 						/*
3646 						 * Add debug message here if
3647 						 * destination is not in PF
3648 						 * state.
3649 						 */
3650 						/*
3651 						 * Stop any running T3
3652 						 * timers here?
3653 						 */
3654 						if ((stcb->asoc.sctp_cmt_on_off > 0) &&
3655 						    (stcb->asoc.sctp_cmt_pf > 0)) {
3656 							net->dest_state &= ~SCTP_ADDR_PF;
3657 							SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination %p moved from PF to unreachable.\n",
3658 							    net);
3659 						}
3660 					}
3661 				}
3662 				if (stcb) {
3663 					if (net == stcb->asoc.primary_destination) {
3664 						/* need a new primary */
3665 						struct sctp_nets *alt;
3666 
3667 						alt = sctp_find_alternate_net(stcb, net, 0);
3668 						if (alt != net) {
3669 							if (sctp_set_primary_addr(stcb,
3670 							    (struct sockaddr *)NULL,
3671 							    alt) == 0) {
3672 								net->dest_state |= SCTP_ADDR_WAS_PRIMARY;
3673 								if (net->ro._s_addr) {
3674 									sctp_free_ifa(net->ro._s_addr);
3675 									net->ro._s_addr = NULL;
3676 								}
3677 								net->src_addr_selected = 0;
3678 							}
3679 						}
3680 					}
3681 				}
3682 			}
3683 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
3684 			sctp_m_freem(m);
3685 			return (EHOSTUNREACH);
3686 		}
3687 		if (ro != &iproute) {
3688 			memcpy(&iproute, ro, sizeof(*ro));
3689 		}
3690 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
3691 		    (uint32_t) (ntohl(ip->ip_src.s_addr)));
3692 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
3693 		    (uint32_t) (ntohl(ip->ip_dst.s_addr)));
3694 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
3695 		    ro->ro_rt);
3696 
3697 		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
3698 			/* failed to prepend data, give up */
3699 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
3700 			sctp_m_freem(m);
3701 			return (ENOMEM);
3702 		}
3703 #ifdef  SCTP_PACKET_LOGGING
3704 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
3705 			sctp_packet_log(m, packet_length);
3706 #endif
3707 		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
3708 		if (port) {
3709 #if defined(SCTP_WITH_NO_CSUM)
3710 			SCTP_STAT_INCR(sctps_sendnocrc);
3711 #else
3712 			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
3713 			    (stcb) &&
3714 			    (stcb->asoc.loopback_scope))) {
3715 				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
3716 				SCTP_STAT_INCR(sctps_sendswcrc);
3717 			} else {
3718 				SCTP_STAT_INCR(sctps_sendnocrc);
3719 			}
3720 #endif
3721 			SCTP_ENABLE_UDP_CSUM(o_pak);
3722 		} else {
3723 #if defined(SCTP_WITH_NO_CSUM)
3724 			SCTP_STAT_INCR(sctps_sendnocrc);
3725 #else
3726 			m->m_pkthdr.csum_flags = CSUM_SCTP;
3727 			m->m_pkthdr.csum_data = 0;
3728 			SCTP_STAT_INCR(sctps_sendhwcrc);
3729 #endif
3730 		}
3731 		/* send it out.  table id is taken from stcb */
3732 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3733 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
3734 			so = SCTP_INP_SO(inp);
3735 			SCTP_SOCKET_UNLOCK(so, 0);
3736 		}
3737 #endif
3738 		SCTP_IP_OUTPUT(ret, o_pak, ro, stcb, vrf_id);
3739 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3740 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
3741 			atomic_add_int(&stcb->asoc.refcnt, 1);
3742 			SCTP_TCB_UNLOCK(stcb);
3743 			SCTP_SOCKET_LOCK(so, 0);
3744 			SCTP_TCB_LOCK(stcb);
3745 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
3746 		}
3747 #endif
3748 		SCTP_STAT_INCR(sctps_sendpackets);
3749 		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
3750 		if (ret)
3751 			SCTP_STAT_INCR(sctps_senderrors);
3752 
3753 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
3754 		if (net == NULL) {
3755 			/* free tempy routes */
3756 			if (ro->ro_rt) {
3757 				RTFREE(ro->ro_rt);
3758 				ro->ro_rt = NULL;
3759 			}
3760 		} else {
3761 			/* PMTU check versus smallest asoc MTU goes here */
3762 			if ((ro->ro_rt != NULL) &&
3763 			    (net->ro._s_addr)) {
3764 				uint32_t mtu;
3765 
3766 				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
3767 				if (net->port) {
3768 					mtu -= sizeof(struct udphdr);
3769 				}
3770 				if (mtu && (stcb->asoc.smallest_mtu > mtu)) {
3771 					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
3772 					net->mtu = mtu;
3773 				}
3774 			} else if (ro->ro_rt == NULL) {
3775 				/* route was freed */
3776 				if (net->ro._s_addr &&
3777 				    net->src_addr_selected) {
3778 					sctp_free_ifa(net->ro._s_addr);
3779 					net->ro._s_addr = NULL;
3780 				}
3781 				net->src_addr_selected = 0;
3782 			}
3783 		}
3784 		return (ret);
3785 	}
3786 #ifdef INET6
3787 	else if (to->sa_family == AF_INET6) {
3788 		uint32_t flowlabel;
3789 		struct ip6_hdr *ip6h;
3790 		struct route_in6 ip6route;
3791 		struct ifnet *ifp;
3792 		u_char flowTop;
3793 		uint16_t flowBottom;
3794 		u_char tosBottom, tosTop;
3795 		struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
3796 		int prev_scope = 0;
3797 		struct sockaddr_in6 lsa6_storage;
3798 		int error;
3799 		u_short prev_port = 0;
3800 		int len;
3801 
3802 		if (net != NULL) {
3803 			flowlabel = net->tos_flowlabel;
3804 		} else {
3805 			flowlabel = ((struct in6pcb *)inp)->in6p_flowinfo;
3806 		}
3807 
3808 		len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr);
3809 		if (port) {
3810 			len += sizeof(struct udphdr);
3811 		}
3812 		newm = sctp_get_mbuf_for_msg(len, 1, M_DONTWAIT, 1, MT_DATA);
3813 		if (newm == NULL) {
3814 			sctp_m_freem(m);
3815 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
3816 			return (ENOMEM);
3817 		}
3818 		SCTP_ALIGN_TO_END(newm, len);
3819 		SCTP_BUF_LEN(newm) = len;
3820 		SCTP_BUF_NEXT(newm) = m;
3821 		m = newm;
3822 		if (net != NULL) {
3823 #ifdef INVARIANTS
3824 			if (net->flowidset == 0) {
3825 				panic("Flow ID not set");
3826 			}
3827 #endif
3828 			m->m_pkthdr.flowid = net->flowid;
3829 			m->m_flags |= M_FLOWID;
3830 		} else {
3831 			if ((init != NULL) && (init->m_flags & M_FLOWID)) {
3832 				m->m_pkthdr.flowid = init->m_pkthdr.flowid;
3833 				m->m_flags |= M_FLOWID;
3834 			}
3835 		}
3836 		packet_length = sctp_calculate_len(m);
3837 
3838 		ip6h = mtod(m, struct ip6_hdr *);
3839 		/*
3840 		 * We assume here that inp_flow is in host byte order within
3841 		 * the TCB!
3842 		 */
3843 		flowBottom = flowlabel & 0x0000ffff;
3844 		flowTop = ((flowlabel & 0x000f0000) >> 16);
3845 		tosTop = (((flowlabel & 0xf0) >> 4) | IPV6_VERSION);
3846 		/* protect *sin6 from overwrite */
3847 		sin6 = (struct sockaddr_in6 *)to;
3848 		tmp = *sin6;
3849 		sin6 = &tmp;
3850 
3851 		/* KAME hack: embed scopeid */
3852 		if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
3853 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
3854 			return (EINVAL);
3855 		}
3856 		if (net == NULL) {
3857 			memset(&ip6route, 0, sizeof(ip6route));
3858 			ro = (sctp_route_t *) & ip6route;
3859 			memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
3860 		} else {
3861 			ro = (sctp_route_t *) & net->ro;
3862 		}
3863 		tosBottom = (((struct in6pcb *)inp)->in6p_flowinfo & 0x0c);
3864 		if (ecn_ok) {
3865 			tosBottom |= sctp_get_ect(stcb, chk);
3866 		}
3867 		tosBottom <<= 4;
3868 		ip6h->ip6_flow = htonl(((tosTop << 24) | ((tosBottom | flowTop) << 16) | flowBottom));
3869 		if (port) {
3870 			ip6h->ip6_nxt = IPPROTO_UDP;
3871 		} else {
3872 			ip6h->ip6_nxt = IPPROTO_SCTP;
3873 		}
3874 		ip6h->ip6_plen = (packet_length - sizeof(struct ip6_hdr));
3875 		ip6h->ip6_dst = sin6->sin6_addr;
3876 
3877 		/*
3878 		 * Add SRC address selection here: we can only reuse to a
3879 		 * limited degree the kame src-addr-sel, since we can try
3880 		 * their selection but it may not be bound.
3881 		 */
3882 		bzero(&lsa6_tmp, sizeof(lsa6_tmp));
3883 		lsa6_tmp.sin6_family = AF_INET6;
3884 		lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
3885 		lsa6 = &lsa6_tmp;
3886 		if (net && out_of_asoc_ok == 0) {
3887 			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
3888 				sctp_free_ifa(net->ro._s_addr);
3889 				net->ro._s_addr = NULL;
3890 				net->src_addr_selected = 0;
3891 				if (ro->ro_rt) {
3892 					RTFREE(ro->ro_rt);
3893 					ro->ro_rt = NULL;
3894 				}
3895 			}
3896 			if (net->src_addr_selected == 0) {
3897 				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
3898 				/* KAME hack: embed scopeid */
3899 				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
3900 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
3901 					return (EINVAL);
3902 				}
3903 				/* Cache the source address */
3904 				net->ro._s_addr = sctp_source_address_selection(inp,
3905 				    stcb,
3906 				    ro,
3907 				    net,
3908 				    0,
3909 				    vrf_id);
3910 				(void)sa6_recoverscope(sin6);
3911 				net->src_addr_selected = 1;
3912 			}
3913 			if (net->ro._s_addr == NULL) {
3914 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
3915 				net->src_addr_selected = 0;
3916 				goto no_route;
3917 			}
3918 			lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
3919 		} else {
3920 			sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
3921 			/* KAME hack: embed scopeid */
3922 			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
3923 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
3924 				return (EINVAL);
3925 			}
3926 			if (over_addr == NULL) {
3927 				struct sctp_ifa *_lsrc;
3928 
3929 				_lsrc = sctp_source_address_selection(inp, stcb, ro,
3930 				    net,
3931 				    out_of_asoc_ok,
3932 				    vrf_id);
3933 				if (_lsrc == NULL) {
3934 					goto no_route;
3935 				}
3936 				lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
3937 				sctp_free_ifa(_lsrc);
3938 			} else {
3939 				lsa6->sin6_addr = over_addr->sin6.sin6_addr;
3940 				SCTP_RTALLOC(ro, vrf_id);
3941 			}
3942 			(void)sa6_recoverscope(sin6);
3943 		}
3944 		lsa6->sin6_port = inp->sctp_lport;
3945 
3946 		if (ro->ro_rt == NULL) {
3947 			/*
3948 			 * src addr selection failed to find a route (or
3949 			 * valid source addr), so we can't get there from
3950 			 * here!
3951 			 */
3952 			goto no_route;
3953 		}
3954 		/*
3955 		 * XXX: sa6 may not have a valid sin6_scope_id in the
3956 		 * non-SCOPEDROUTING case.
3957 		 */
3958 		bzero(&lsa6_storage, sizeof(lsa6_storage));
3959 		lsa6_storage.sin6_family = AF_INET6;
3960 		lsa6_storage.sin6_len = sizeof(lsa6_storage);
3961 		lsa6_storage.sin6_addr = lsa6->sin6_addr;
3962 		if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
3963 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
3964 			sctp_m_freem(m);
3965 			return (error);
3966 		}
3967 		/* XXX */
3968 		lsa6_storage.sin6_addr = lsa6->sin6_addr;
3969 		lsa6_storage.sin6_port = inp->sctp_lport;
3970 		lsa6 = &lsa6_storage;
3971 		ip6h->ip6_src = lsa6->sin6_addr;
3972 
3973 		if (port) {
3974 			udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
3975 			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
3976 			udp->uh_dport = port;
3977 			udp->uh_ulen = htons(packet_length - sizeof(struct ip6_hdr));
3978 			udp->uh_sum = 0;
3979 			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
3980 		} else {
3981 			sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
3982 		}
3983 
3984 		sctphdr->src_port = src_port;
3985 		sctphdr->dest_port = dest_port;
3986 		sctphdr->v_tag = v_tag;
3987 		sctphdr->checksum = 0;
3988 
3989 		/*
3990 		 * We set the hop limit now since there is a good chance
3991 		 * that our ro pointer is now filled
3992 		 */
3993 		ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
3994 		ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
3995 
3996 #ifdef SCTP_DEBUG
3997 		/* Copy to be sure something bad is not happening */
3998 		sin6->sin6_addr = ip6h->ip6_dst;
3999 		lsa6->sin6_addr = ip6h->ip6_src;
4000 #endif
4001 
4002 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4003 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4004 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4005 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4006 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4007 		if (net) {
4008 			sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4009 			/* preserve the port and scope for link local send */
4010 			prev_scope = sin6->sin6_scope_id;
4011 			prev_port = sin6->sin6_port;
4012 		}
4013 		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4014 			/* failed to prepend data, give up */
4015 			sctp_m_freem(m);
4016 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4017 			return (ENOMEM);
4018 		}
4019 #ifdef  SCTP_PACKET_LOGGING
4020 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4021 			sctp_packet_log(m, packet_length);
4022 #endif
4023 		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4024 		if (port) {
4025 #if defined(SCTP_WITH_NO_CSUM)
4026 			SCTP_STAT_INCR(sctps_sendnocrc);
4027 #else
4028 			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4029 			    (stcb) &&
4030 			    (stcb->asoc.loopback_scope))) {
4031 				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4032 				SCTP_STAT_INCR(sctps_sendswcrc);
4033 			} else {
4034 				SCTP_STAT_INCR(sctps_sendnocrc);
4035 			}
4036 #endif
4037 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4038 				udp->uh_sum = 0xffff;
4039 			}
4040 		} else {
4041 #if defined(SCTP_WITH_NO_CSUM)
4042 			SCTP_STAT_INCR(sctps_sendnocrc);
4043 #else
4044 			m->m_pkthdr.csum_flags = CSUM_SCTP;
4045 			m->m_pkthdr.csum_data = 0;
4046 			SCTP_STAT_INCR(sctps_sendhwcrc);
4047 #endif
4048 		}
4049 		/* send it out. table id is taken from stcb */
4050 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4051 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4052 			so = SCTP_INP_SO(inp);
4053 			SCTP_SOCKET_UNLOCK(so, 0);
4054 		}
4055 #endif
4056 		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, stcb, vrf_id);
4057 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4058 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4059 			atomic_add_int(&stcb->asoc.refcnt, 1);
4060 			SCTP_TCB_UNLOCK(stcb);
4061 			SCTP_SOCKET_LOCK(so, 0);
4062 			SCTP_TCB_LOCK(stcb);
4063 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4064 		}
4065 #endif
4066 		if (net) {
4067 			/* for link local this must be done */
4068 			sin6->sin6_scope_id = prev_scope;
4069 			sin6->sin6_port = prev_port;
4070 		}
4071 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4072 		SCTP_STAT_INCR(sctps_sendpackets);
4073 		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4074 		if (ret) {
4075 			SCTP_STAT_INCR(sctps_senderrors);
4076 		}
4077 		if (net == NULL) {
4078 			/* Now if we had a temp route free it */
4079 			if (ro->ro_rt) {
4080 				RTFREE(ro->ro_rt);
4081 			}
4082 		} else {
4083 			/* PMTU check versus smallest asoc MTU goes here */
4084 			if (ro->ro_rt == NULL) {
4085 				/* Route was freed */
4086 				if (net->ro._s_addr &&
4087 				    net->src_addr_selected) {
4088 					sctp_free_ifa(net->ro._s_addr);
4089 					net->ro._s_addr = NULL;
4090 				}
4091 				net->src_addr_selected = 0;
4092 			}
4093 			if ((ro->ro_rt != NULL) &&
4094 			    (net->ro._s_addr)) {
4095 				uint32_t mtu;
4096 
4097 				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4098 				if (mtu &&
4099 				    (stcb->asoc.smallest_mtu > mtu)) {
4100 					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4101 					net->mtu = mtu;
4102 					if (net->port) {
4103 						net->mtu -= sizeof(struct udphdr);
4104 					}
4105 				}
4106 			} else if (ifp) {
4107 				if (ND_IFINFO(ifp)->linkmtu &&
4108 				    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4109 					sctp_mtu_size_reset(inp,
4110 					    &stcb->asoc,
4111 					    ND_IFINFO(ifp)->linkmtu);
4112 				}
4113 			}
4114 		}
4115 		return (ret);
4116 	}
4117 #endif
4118 	else {
4119 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
4120 		    ((struct sockaddr *)to)->sa_family);
4121 		sctp_m_freem(m);
4122 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4123 		return (EFAULT);
4124 	}
4125 }
4126 
4127 
4128 void
4129 sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked
4130 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
4131     SCTP_UNUSED
4132 #endif
4133 )
4134 {
4135 	struct mbuf *m, *m_at, *mp_last;
4136 	struct sctp_nets *net;
4137 	struct sctp_init_chunk *init;
4138 	struct sctp_supported_addr_param *sup_addr;
4139 	struct sctp_adaptation_layer_indication *ali;
4140 	struct sctp_ecn_supported_param *ecn;
4141 	struct sctp_prsctp_supported_param *prsctp;
4142 	struct sctp_supported_chunk_types_param *pr_supported;
4143 	int cnt_inits_to = 0;
4144 	int padval, ret;
4145 	int num_ext;
4146 	int p_len;
4147 
4148 	/* INIT's always go to the primary (and usually ONLY address) */
4149 	mp_last = NULL;
4150 	net = stcb->asoc.primary_destination;
4151 	if (net == NULL) {
4152 		net = TAILQ_FIRST(&stcb->asoc.nets);
4153 		if (net == NULL) {
4154 			/* TSNH */
4155 			return;
4156 		}
4157 		/* we confirm any address we send an INIT to */
4158 		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4159 		(void)sctp_set_primary_addr(stcb, NULL, net);
4160 	} else {
4161 		/* we confirm any address we send an INIT to */
4162 		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4163 	}
4164 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
4165 #ifdef INET6
4166 	if (((struct sockaddr *)&(net->ro._l_addr))->sa_family == AF_INET6) {
4167 		/*
4168 		 * special hook, if we are sending to link local it will not
4169 		 * show up in our private address count.
4170 		 */
4171 		struct sockaddr_in6 *sin6l;
4172 
4173 		sin6l = &net->ro._l_addr.sin6;
4174 		if (IN6_IS_ADDR_LINKLOCAL(&sin6l->sin6_addr))
4175 			cnt_inits_to = 1;
4176 	}
4177 #endif
4178 	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4179 		/* This case should not happen */
4180 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
4181 		return;
4182 	}
4183 	/* start the INIT timer */
4184 	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
4185 
4186 	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_DONTWAIT, 1, MT_DATA);
4187 	if (m == NULL) {
4188 		/* No memory, INIT timer will re-attempt. */
4189 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
4190 		return;
4191 	}
4192 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
4193 	/*
4194 	 * assume peer supports asconf in order to be able to queue local
4195 	 * address changes while an INIT is in flight and before the assoc
4196 	 * is established.
4197 	 */
4198 	stcb->asoc.peer_supports_asconf = 1;
4199 	/* Now lets put the SCTP header in place */
4200 	init = mtod(m, struct sctp_init_chunk *);
4201 	/* now the chunk header */
4202 	init->ch.chunk_type = SCTP_INITIATION;
4203 	init->ch.chunk_flags = 0;
4204 	/* fill in later from mbuf we build */
4205 	init->ch.chunk_length = 0;
4206 	/* place in my tag */
4207 	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
4208 	/* set up some of the credits. */
4209 	init->init.a_rwnd = htonl(max(inp->sctp_socket ? SCTP_SB_LIMIT_RCV(inp->sctp_socket) : 0,
4210 	    SCTP_MINIMAL_RWND));
4211 
4212 	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
4213 	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
4214 	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);
4215 	/* now the address restriction */
4216 	sup_addr = (struct sctp_supported_addr_param *)((caddr_t)init +
4217 	    sizeof(*init));
4218 	sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
4219 #ifdef INET6
4220 	/* we support 2 types: IPv6/IPv4 */
4221 	sup_addr->ph.param_length = htons(sizeof(*sup_addr) + sizeof(uint16_t));
4222 	sup_addr->addr_type[0] = htons(SCTP_IPV4_ADDRESS);
4223 	sup_addr->addr_type[1] = htons(SCTP_IPV6_ADDRESS);
4224 #else
4225 	/* we support 1 type: IPv4 */
4226 	sup_addr->ph.param_length = htons(sizeof(*sup_addr) + sizeof(uint8_t));
4227 	sup_addr->addr_type[0] = htons(SCTP_IPV4_ADDRESS);
4228 	sup_addr->addr_type[1] = htons(0);	/* this is the padding */
4229 #endif
4230 	SCTP_BUF_LEN(m) += sizeof(*sup_addr) + sizeof(uint16_t);
4231 	/* adaptation layer indication parameter */
4232 	ali = (struct sctp_adaptation_layer_indication *)((caddr_t)sup_addr + sizeof(*sup_addr) + sizeof(uint16_t));
4233 	ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
4234 	ali->ph.param_length = htons(sizeof(*ali));
4235 	ali->indication = ntohl(inp->sctp_ep.adaptation_layer_indicator);
4236 	SCTP_BUF_LEN(m) += sizeof(*ali);
4237 	ecn = (struct sctp_ecn_supported_param *)((caddr_t)ali + sizeof(*ali));
4238 
4239 	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
4240 		/* Add NAT friendly parameter */
4241 		struct sctp_paramhdr *ph;
4242 
4243 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4244 		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
4245 		ph->param_length = htons(sizeof(struct sctp_paramhdr));
4246 		SCTP_BUF_LEN(m) += sizeof(struct sctp_paramhdr);
4247 		ecn = (struct sctp_ecn_supported_param *)((caddr_t)ph + sizeof(*ph));
4248 	}
4249 	/* now any cookie time extensions */
4250 	if (stcb->asoc.cookie_preserve_req) {
4251 		struct sctp_cookie_perserve_param *cookie_preserve;
4252 
4253 		cookie_preserve = (struct sctp_cookie_perserve_param *)(ecn);
4254 		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
4255 		cookie_preserve->ph.param_length = htons(
4256 		    sizeof(*cookie_preserve));
4257 		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
4258 		SCTP_BUF_LEN(m) += sizeof(*cookie_preserve);
4259 		ecn = (struct sctp_ecn_supported_param *)(
4260 		    (caddr_t)cookie_preserve + sizeof(*cookie_preserve));
4261 		stcb->asoc.cookie_preserve_req = 0;
4262 	}
4263 	/* ECN parameter */
4264 	if (stcb->asoc.ecn_allowed == 1) {
4265 		ecn->ph.param_type = htons(SCTP_ECN_CAPABLE);
4266 		ecn->ph.param_length = htons(sizeof(*ecn));
4267 		SCTP_BUF_LEN(m) += sizeof(*ecn);
4268 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn +
4269 		    sizeof(*ecn));
4270 	} else {
4271 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn);
4272 	}
4273 	/* And now tell the peer we do pr-sctp */
4274 	prsctp->ph.param_type = htons(SCTP_PRSCTP_SUPPORTED);
4275 	prsctp->ph.param_length = htons(sizeof(*prsctp));
4276 	SCTP_BUF_LEN(m) += sizeof(*prsctp);
4277 
4278 	/* And now tell the peer we do all the extensions */
4279 	pr_supported = (struct sctp_supported_chunk_types_param *)
4280 	    ((caddr_t)prsctp + sizeof(*prsctp));
4281 	pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
4282 	num_ext = 0;
4283 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
4284 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
4285 	pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
4286 	pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
4287 	pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
4288 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
4289 		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
4290 	}
4291 	if (stcb->asoc.sctp_nr_sack_on_off == 1) {
4292 		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
4293 	}
4294 	p_len = sizeof(*pr_supported) + num_ext;
4295 	pr_supported->ph.param_length = htons(p_len);
4296 	bzero((caddr_t)pr_supported + p_len, SCTP_SIZE32(p_len) - p_len);
4297 	SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4298 
4299 
4300 	/* add authentication parameters */
4301 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
4302 		struct sctp_auth_random *randp;
4303 		struct sctp_auth_hmac_algo *hmacs;
4304 		struct sctp_auth_chunk_list *chunks;
4305 
4306 		/* attach RANDOM parameter, if available */
4307 		if (stcb->asoc.authinfo.random != NULL) {
4308 			randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4309 			p_len = sizeof(*randp) + stcb->asoc.authinfo.random_len;
4310 			/* random key already contains the header */
4311 			bcopy(stcb->asoc.authinfo.random->key, randp, p_len);
4312 			/* zero out any padding required */
4313 			bzero((caddr_t)randp + p_len, SCTP_SIZE32(p_len) - p_len);
4314 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4315 		}
4316 		/* add HMAC_ALGO parameter */
4317 		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4318 		p_len = sctp_serialize_hmaclist(stcb->asoc.local_hmacs,
4319 		    (uint8_t *) hmacs->hmac_ids);
4320 		if (p_len > 0) {
4321 			p_len += sizeof(*hmacs);
4322 			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
4323 			hmacs->ph.param_length = htons(p_len);
4324 			/* zero out any padding required */
4325 			bzero((caddr_t)hmacs + p_len, SCTP_SIZE32(p_len) - p_len);
4326 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4327 		}
4328 		/* add CHUNKS parameter */
4329 		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4330 		p_len = sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks,
4331 		    chunks->chunk_types);
4332 		if (p_len > 0) {
4333 			p_len += sizeof(*chunks);
4334 			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
4335 			chunks->ph.param_length = htons(p_len);
4336 			/* zero out any padding required */
4337 			bzero((caddr_t)chunks + p_len, SCTP_SIZE32(p_len) - p_len);
4338 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4339 		}
4340 	}
4341 	m_at = m;
4342 	/* now the addresses */
4343 	{
4344 		struct sctp_scoping scp;
4345 
4346 		/*
4347 		 * To optimize this we could put the scoping stuff into a
4348 		 * structure and remove the individual uint8's from the
4349 		 * assoc structure. Then we could just sifa in the address
4350 		 * within the stcb.. but for now this is a quick hack to get
4351 		 * the address stuff teased apart.
4352 		 */
4353 		scp.ipv4_addr_legal = stcb->asoc.ipv4_addr_legal;
4354 		scp.ipv6_addr_legal = stcb->asoc.ipv6_addr_legal;
4355 		scp.loopback_scope = stcb->asoc.loopback_scope;
4356 		scp.ipv4_local_scope = stcb->asoc.ipv4_local_scope;
4357 		scp.local_scope = stcb->asoc.local_scope;
4358 		scp.site_scope = stcb->asoc.site_scope;
4359 
4360 		m_at = sctp_add_addresses_to_i_ia(inp, &scp, m_at, cnt_inits_to);
4361 	}
4362 
4363 	/* calulate the size and update pkt header and chunk header */
4364 	p_len = 0;
4365 	for (m_at = m; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
4366 		if (SCTP_BUF_NEXT(m_at) == NULL)
4367 			mp_last = m_at;
4368 		p_len += SCTP_BUF_LEN(m_at);
4369 	}
4370 	init->ch.chunk_length = htons(p_len);
4371 	/*
4372 	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
4373 	 * here since the timer will drive a retranmission.
4374 	 */
4375 
4376 	/* I don't expect this to execute but we will be safe here */
4377 	padval = p_len % 4;
4378 	if ((padval) && (mp_last)) {
4379 		/*
4380 		 * The compiler worries that mp_last may not be set even
4381 		 * though I think it is impossible :-> however we add
4382 		 * mp_last here just in case.
4383 		 */
4384 		ret = sctp_add_pad_tombuf(mp_last, (4 - padval));
4385 		if (ret) {
4386 			/* Houston we have a problem, no space */
4387 			sctp_m_freem(m);
4388 			return;
4389 		}
4390 		p_len += padval;
4391 	}
4392 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
4393 	ret = sctp_lowlevel_chunk_output(inp, stcb, net,
4394 	    (struct sockaddr *)&net->ro._l_addr,
4395 	    m, 0, NULL, 0, 0, 0, NULL, 0,
4396 	    inp->sctp_lport, stcb->rport, htonl(0),
4397 	    net->port, so_locked, NULL, NULL);
4398 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "lowlevel_output - %d\n", ret);
4399 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
4400 	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
4401 }
4402 
4403 struct mbuf *
4404 sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
4405     int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly)
4406 {
4407 	/*
4408 	 * Given a mbuf containing an INIT or INIT-ACK with the param_offset
4409 	 * being equal to the beginning of the params i.e. (iphlen +
4410 	 * sizeof(struct sctp_init_msg) parse through the parameters to the
4411 	 * end of the mbuf verifying that all parameters are known.
4412 	 *
4413 	 * For unknown parameters build and return a mbuf with
4414 	 * UNRECOGNIZED_PARAMETER errors. If the flags indicate to stop
4415 	 * processing this chunk stop, and set *abort_processing to 1.
4416 	 *
4417 	 * By having param_offset be pre-set to where parameters begin it is
4418 	 * hoped that this routine may be reused in the future by new
4419 	 * features.
4420 	 */
4421 	struct sctp_paramhdr *phdr, params;
4422 
4423 	struct mbuf *mat, *op_err;
4424 	char tempbuf[SCTP_PARAM_BUFFER_SIZE];
4425 	int at, limit, pad_needed;
4426 	uint16_t ptype, plen, padded_size;
4427 	int err_at;
4428 
4429 	*abort_processing = 0;
4430 	mat = in_initpkt;
4431 	err_at = 0;
4432 	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
4433 	at = param_offset;
4434 	op_err = NULL;
4435 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
4436 	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
4437 	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
4438 		ptype = ntohs(phdr->param_type);
4439 		plen = ntohs(phdr->param_length);
4440 		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
4441 			/* wacked parameter */
4442 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
4443 			goto invalid_size;
4444 		}
4445 		limit -= SCTP_SIZE32(plen);
4446 		/*-
4447 		 * All parameters for all chunks that we know/understand are
4448 		 * listed here. We process them other places and make
4449 		 * appropriate stop actions per the upper bits. However this
4450 		 * is the generic routine processor's can call to get back
4451 		 * an operr.. to either incorporate (init-ack) or send.
4452 		 */
4453 		padded_size = SCTP_SIZE32(plen);
4454 		switch (ptype) {
4455 			/* Param's with variable size */
4456 		case SCTP_HEARTBEAT_INFO:
4457 		case SCTP_STATE_COOKIE:
4458 		case SCTP_UNRECOG_PARAM:
4459 		case SCTP_ERROR_CAUSE_IND:
4460 			/* ok skip fwd */
4461 			at += padded_size;
4462 			break;
4463 			/* Param's with variable size within a range */
4464 		case SCTP_CHUNK_LIST:
4465 		case SCTP_SUPPORTED_CHUNK_EXT:
4466 			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
4467 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
4468 				goto invalid_size;
4469 			}
4470 			at += padded_size;
4471 			break;
4472 		case SCTP_SUPPORTED_ADDRTYPE:
4473 			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
4474 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
4475 				goto invalid_size;
4476 			}
4477 			at += padded_size;
4478 			break;
4479 		case SCTP_RANDOM:
4480 			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
4481 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
4482 				goto invalid_size;
4483 			}
4484 			at += padded_size;
4485 			break;
4486 		case SCTP_SET_PRIM_ADDR:
4487 		case SCTP_DEL_IP_ADDRESS:
4488 		case SCTP_ADD_IP_ADDRESS:
4489 			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
4490 			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
4491 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
4492 				goto invalid_size;
4493 			}
4494 			at += padded_size;
4495 			break;
4496 			/* Param's with a fixed size */
4497 		case SCTP_IPV4_ADDRESS:
4498 			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
4499 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
4500 				goto invalid_size;
4501 			}
4502 			at += padded_size;
4503 			break;
4504 		case SCTP_IPV6_ADDRESS:
4505 			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
4506 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
4507 				goto invalid_size;
4508 			}
4509 			at += padded_size;
4510 			break;
4511 		case SCTP_COOKIE_PRESERVE:
4512 			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
4513 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
4514 				goto invalid_size;
4515 			}
4516 			at += padded_size;
4517 			break;
4518 		case SCTP_HAS_NAT_SUPPORT:
4519 			*nat_friendly = 1;
4520 			/* fall through */
4521 		case SCTP_PRSCTP_SUPPORTED:
4522 
4523 			if (padded_size != sizeof(struct sctp_paramhdr)) {
4524 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error prsctp/nat support %d\n", plen);
4525 				goto invalid_size;
4526 			}
4527 			at += padded_size;
4528 			break;
4529 		case SCTP_ECN_CAPABLE:
4530 			if (padded_size != sizeof(struct sctp_ecn_supported_param)) {
4531 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
4532 				goto invalid_size;
4533 			}
4534 			at += padded_size;
4535 			break;
4536 		case SCTP_ULP_ADAPTATION:
4537 			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
4538 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
4539 				goto invalid_size;
4540 			}
4541 			at += padded_size;
4542 			break;
4543 		case SCTP_SUCCESS_REPORT:
4544 			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
4545 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
4546 				goto invalid_size;
4547 			}
4548 			at += padded_size;
4549 			break;
4550 		case SCTP_HOSTNAME_ADDRESS:
4551 			{
4552 				/* We can NOT handle HOST NAME addresses!! */
4553 				int l_len;
4554 
4555 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
4556 				*abort_processing = 1;
4557 				if (op_err == NULL) {
4558 					/* Ok need to try to get a mbuf */
4559 #ifdef INET6
4560 					l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4561 #else
4562 					l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4563 #endif
4564 					l_len += plen;
4565 					l_len += sizeof(struct sctp_paramhdr);
4566 					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_DONTWAIT, 1, MT_DATA);
4567 					if (op_err) {
4568 						SCTP_BUF_LEN(op_err) = 0;
4569 						/*
4570 						 * pre-reserve space for ip
4571 						 * and sctp header  and
4572 						 * chunk hdr
4573 						 */
4574 #ifdef INET6
4575 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
4576 #else
4577 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
4578 #endif
4579 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
4580 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
4581 					}
4582 				}
4583 				if (op_err) {
4584 					/* If we have space */
4585 					struct sctp_paramhdr s;
4586 
4587 					if (err_at % 4) {
4588 						uint32_t cpthis = 0;
4589 
4590 						pad_needed = 4 - (err_at % 4);
4591 						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
4592 						err_at += pad_needed;
4593 					}
4594 					s.param_type = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
4595 					s.param_length = htons(sizeof(s) + plen);
4596 					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
4597 					err_at += sizeof(s);
4598 					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen));
4599 					if (phdr == NULL) {
4600 						sctp_m_freem(op_err);
4601 						/*
4602 						 * we are out of memory but
4603 						 * we still need to have a
4604 						 * look at what to do (the
4605 						 * system is in trouble
4606 						 * though).
4607 						 */
4608 						return (NULL);
4609 					}
4610 					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
4611 					err_at += plen;
4612 				}
4613 				return (op_err);
4614 				break;
4615 			}
4616 		default:
4617 			/*
4618 			 * we do not recognize the parameter figure out what
4619 			 * we do.
4620 			 */
4621 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
4622 			if ((ptype & 0x4000) == 0x4000) {
4623 				/* Report bit is set?? */
4624 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
4625 				if (op_err == NULL) {
4626 					int l_len;
4627 
4628 					/* Ok need to try to get an mbuf */
4629 #ifdef INET6
4630 					l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4631 #else
4632 					l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4633 #endif
4634 					l_len += plen;
4635 					l_len += sizeof(struct sctp_paramhdr);
4636 					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_DONTWAIT, 1, MT_DATA);
4637 					if (op_err) {
4638 						SCTP_BUF_LEN(op_err) = 0;
4639 #ifdef INET6
4640 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
4641 #else
4642 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
4643 #endif
4644 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
4645 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
4646 					}
4647 				}
4648 				if (op_err) {
4649 					/* If we have space */
4650 					struct sctp_paramhdr s;
4651 
4652 					if (err_at % 4) {
4653 						uint32_t cpthis = 0;
4654 
4655 						pad_needed = 4 - (err_at % 4);
4656 						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
4657 						err_at += pad_needed;
4658 					}
4659 					s.param_type = htons(SCTP_UNRECOG_PARAM);
4660 					s.param_length = htons(sizeof(s) + plen);
4661 					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
4662 					err_at += sizeof(s);
4663 					if (plen > sizeof(tempbuf)) {
4664 						plen = sizeof(tempbuf);
4665 					}
4666 					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen));
4667 					if (phdr == NULL) {
4668 						sctp_m_freem(op_err);
4669 						/*
4670 						 * we are out of memory but
4671 						 * we still need to have a
4672 						 * look at what to do (the
4673 						 * system is in trouble
4674 						 * though).
4675 						 */
4676 						op_err = NULL;
4677 						goto more_processing;
4678 					}
4679 					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
4680 					err_at += plen;
4681 				}
4682 			}
4683 	more_processing:
4684 			if ((ptype & 0x8000) == 0x0000) {
4685 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
4686 				return (op_err);
4687 			} else {
4688 				/* skip this chunk and continue processing */
4689 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
4690 				at += SCTP_SIZE32(plen);
4691 			}
4692 			break;
4693 
4694 		}
4695 		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
4696 	}
4697 	return (op_err);
4698 invalid_size:
4699 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
4700 	*abort_processing = 1;
4701 	if ((op_err == NULL) && phdr) {
4702 		int l_len;
4703 
4704 #ifdef INET6
4705 		l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4706 #else
4707 		l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4708 #endif
4709 		l_len += (2 * sizeof(struct sctp_paramhdr));
4710 		op_err = sctp_get_mbuf_for_msg(l_len, 0, M_DONTWAIT, 1, MT_DATA);
4711 		if (op_err) {
4712 			SCTP_BUF_LEN(op_err) = 0;
4713 #ifdef INET6
4714 			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
4715 #else
4716 			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
4717 #endif
4718 			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
4719 			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
4720 		}
4721 	}
4722 	if ((op_err) && phdr) {
4723 		struct sctp_paramhdr s;
4724 
4725 		if (err_at % 4) {
4726 			uint32_t cpthis = 0;
4727 
4728 			pad_needed = 4 - (err_at % 4);
4729 			m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
4730 			err_at += pad_needed;
4731 		}
4732 		s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
4733 		s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr));
4734 		m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
4735 		err_at += sizeof(s);
4736 		/* Only copy back the p-hdr that caused the issue */
4737 		m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
4738 	}
4739 	return (op_err);
4740 }
4741 
4742 static int
4743 sctp_are_there_new_addresses(struct sctp_association *asoc,
4744     struct mbuf *in_initpkt, int iphlen, int offset)
4745 {
4746 	/*
4747 	 * Given a INIT packet, look through the packet to verify that there
4748 	 * are NO new addresses. As we go through the parameters add reports
4749 	 * of any un-understood parameters that require an error.  Also we
4750 	 * must return (1) to drop the packet if we see a un-understood
4751 	 * parameter that tells us to drop the chunk.
4752 	 */
4753 	struct sockaddr_in sin4, *sa4;
4754 
4755 #ifdef INET6
4756 	struct sockaddr_in6 sin6, *sa6;
4757 
4758 #endif
4759 	struct sockaddr *sa_touse;
4760 	struct sockaddr *sa;
4761 	struct sctp_paramhdr *phdr, params;
4762 	struct ip *iph;
4763 
4764 #ifdef INET6
4765 	struct ip6_hdr *ip6h;
4766 
4767 #endif
4768 	struct mbuf *mat;
4769 	uint16_t ptype, plen;
4770 	int err_at;
4771 	uint8_t fnd;
4772 	struct sctp_nets *net;
4773 
4774 	memset(&sin4, 0, sizeof(sin4));
4775 #ifdef INET6
4776 	memset(&sin6, 0, sizeof(sin6));
4777 #endif
4778 	sin4.sin_family = AF_INET;
4779 	sin4.sin_len = sizeof(sin4);
4780 #ifdef INET6
4781 	sin6.sin6_family = AF_INET6;
4782 	sin6.sin6_len = sizeof(sin6);
4783 #endif
4784 	sa_touse = NULL;
4785 	/* First what about the src address of the pkt ? */
4786 	iph = mtod(in_initpkt, struct ip *);
4787 	switch (iph->ip_v) {
4788 	case IPVERSION:
4789 		/* source addr is IPv4 */
4790 		sin4.sin_addr = iph->ip_src;
4791 		sa_touse = (struct sockaddr *)&sin4;
4792 		break;
4793 #ifdef INET6
4794 	case IPV6_VERSION >> 4:
4795 		/* source addr is IPv6 */
4796 		ip6h = mtod(in_initpkt, struct ip6_hdr *);
4797 		sin6.sin6_addr = ip6h->ip6_src;
4798 		sa_touse = (struct sockaddr *)&sin6;
4799 		break;
4800 #endif
4801 	default:
4802 		return (1);
4803 	}
4804 
4805 	fnd = 0;
4806 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4807 		sa = (struct sockaddr *)&net->ro._l_addr;
4808 		if (sa->sa_family == sa_touse->sa_family) {
4809 			if (sa->sa_family == AF_INET) {
4810 				sa4 = (struct sockaddr_in *)sa;
4811 				if (sa4->sin_addr.s_addr ==
4812 				    sin4.sin_addr.s_addr) {
4813 					fnd = 1;
4814 					break;
4815 				}
4816 			}
4817 #ifdef INET6
4818 			if (sa->sa_family == AF_INET6) {
4819 				sa6 = (struct sockaddr_in6 *)sa;
4820 				if (SCTP6_ARE_ADDR_EQUAL(sa6,
4821 				    &sin6)) {
4822 					fnd = 1;
4823 					break;
4824 				}
4825 			}
4826 #endif
4827 		}
4828 	}
4829 	if (fnd == 0) {
4830 		/* New address added! no need to look futher. */
4831 		return (1);
4832 	}
4833 	/* Ok so far lets munge through the rest of the packet */
4834 	mat = in_initpkt;
4835 	err_at = 0;
4836 	sa_touse = NULL;
4837 	offset += sizeof(struct sctp_init_chunk);
4838 	phdr = sctp_get_next_param(mat, offset, &params, sizeof(params));
4839 	while (phdr) {
4840 		ptype = ntohs(phdr->param_type);
4841 		plen = ntohs(phdr->param_length);
4842 		if (ptype == SCTP_IPV4_ADDRESS) {
4843 			struct sctp_ipv4addr_param *p4, p4_buf;
4844 
4845 			phdr = sctp_get_next_param(mat, offset,
4846 			    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
4847 			if (plen != sizeof(struct sctp_ipv4addr_param) ||
4848 			    phdr == NULL) {
4849 				return (1);
4850 			}
4851 			p4 = (struct sctp_ipv4addr_param *)phdr;
4852 			sin4.sin_addr.s_addr = p4->addr;
4853 			sa_touse = (struct sockaddr *)&sin4;
4854 		} else if (ptype == SCTP_IPV6_ADDRESS) {
4855 			struct sctp_ipv6addr_param *p6, p6_buf;
4856 
4857 			phdr = sctp_get_next_param(mat, offset,
4858 			    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
4859 			if (plen != sizeof(struct sctp_ipv6addr_param) ||
4860 			    phdr == NULL) {
4861 				return (1);
4862 			}
4863 			p6 = (struct sctp_ipv6addr_param *)phdr;
4864 #ifdef INET6
4865 			memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
4866 			    sizeof(p6->addr));
4867 #endif
4868 			sa_touse = (struct sockaddr *)&sin4;
4869 		}
4870 		if (sa_touse) {
4871 			/* ok, sa_touse points to one to check */
4872 			fnd = 0;
4873 			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4874 				sa = (struct sockaddr *)&net->ro._l_addr;
4875 				if (sa->sa_family != sa_touse->sa_family) {
4876 					continue;
4877 				}
4878 				if (sa->sa_family == AF_INET) {
4879 					sa4 = (struct sockaddr_in *)sa;
4880 					if (sa4->sin_addr.s_addr ==
4881 					    sin4.sin_addr.s_addr) {
4882 						fnd = 1;
4883 						break;
4884 					}
4885 				}
4886 #ifdef INET6
4887 				if (sa->sa_family == AF_INET6) {
4888 					sa6 = (struct sockaddr_in6 *)sa;
4889 					if (SCTP6_ARE_ADDR_EQUAL(
4890 					    sa6, &sin6)) {
4891 						fnd = 1;
4892 						break;
4893 					}
4894 				}
4895 #endif
4896 			}
4897 			if (!fnd) {
4898 				/* New addr added! no need to look further */
4899 				return (1);
4900 			}
4901 		}
4902 		offset += SCTP_SIZE32(plen);
4903 		phdr = sctp_get_next_param(mat, offset, &params, sizeof(params));
4904 	}
4905 	return (0);
4906 }
4907 
4908 /*
4909  * Given a MBUF chain that was sent into us containing an INIT. Build a
4910  * INIT-ACK with COOKIE and send back. We assume that the in_initpkt has done
4911  * a pullup to include IPv6/4header, SCTP header and initial part of INIT
4912  * message (i.e. the struct sctp_init_msg).
4913  */
4914 void
4915 sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
4916     struct mbuf *init_pkt, int iphlen, int offset, struct sctphdr *sh,
4917     struct sctp_init_chunk *init_chk, uint32_t vrf_id, uint16_t port, int hold_inp_lock)
4918 {
4919 	struct sctp_association *asoc;
4920 	struct mbuf *m, *m_at, *m_tmp, *m_cookie, *op_err, *mp_last;
4921 	struct sctp_init_ack_chunk *initack;
4922 	struct sctp_adaptation_layer_indication *ali;
4923 	struct sctp_ecn_supported_param *ecn;
4924 	struct sctp_prsctp_supported_param *prsctp;
4925 	struct sctp_supported_chunk_types_param *pr_supported;
4926 	union sctp_sockstore store, store1, *over_addr;
4927 	struct sockaddr_in *sin, *to_sin;
4928 
4929 #ifdef INET6
4930 	struct sockaddr_in6 *sin6, *to_sin6;
4931 
4932 #endif
4933 	struct ip *iph;
4934 
4935 #ifdef INET6
4936 	struct ip6_hdr *ip6;
4937 
4938 #endif
4939 	struct sockaddr *to;
4940 	struct sctp_state_cookie stc;
4941 	struct sctp_nets *net = NULL;
4942 	uint8_t *signature = NULL;
4943 	int cnt_inits_to = 0;
4944 	uint16_t his_limit, i_want;
4945 	int abort_flag, padval;
4946 	int num_ext;
4947 	int p_len;
4948 	int nat_friendly = 0;
4949 	struct socket *so;
4950 
4951 	if (stcb)
4952 		asoc = &stcb->asoc;
4953 	else
4954 		asoc = NULL;
4955 	mp_last = NULL;
4956 	if ((asoc != NULL) &&
4957 	    (SCTP_GET_STATE(asoc) != SCTP_STATE_COOKIE_WAIT) &&
4958 	    (sctp_are_there_new_addresses(asoc, init_pkt, iphlen, offset))) {
4959 		/* new addresses, out of here in non-cookie-wait states */
4960 		/*
4961 		 * Send a ABORT, we don't add the new address error clause
4962 		 * though we even set the T bit and copy in the 0 tag.. this
4963 		 * looks no different than if no listener was present.
4964 		 */
4965 		sctp_send_abort(init_pkt, iphlen, sh, 0, NULL, vrf_id, port);
4966 		return;
4967 	}
4968 	abort_flag = 0;
4969 	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
4970 	    (offset + sizeof(struct sctp_init_chunk)),
4971 	    &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly);
4972 	if (abort_flag) {
4973 do_a_abort:
4974 		sctp_send_abort(init_pkt, iphlen, sh,
4975 		    init_chk->init.initiate_tag, op_err, vrf_id, port);
4976 		return;
4977 	}
4978 	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
4979 	if (m == NULL) {
4980 		/* No memory, INIT timer will re-attempt. */
4981 		if (op_err)
4982 			sctp_m_freem(op_err);
4983 		return;
4984 	}
4985 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
4986 
4987 	/* the time I built cookie */
4988 	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
4989 
4990 	/* populate any tie tags */
4991 	if (asoc != NULL) {
4992 		/* unlock before tag selections */
4993 		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
4994 		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
4995 		stc.cookie_life = asoc->cookie_life;
4996 		net = asoc->primary_destination;
4997 	} else {
4998 		stc.tie_tag_my_vtag = 0;
4999 		stc.tie_tag_peer_vtag = 0;
5000 		/* life I will award this cookie */
5001 		stc.cookie_life = inp->sctp_ep.def_cookie_life;
5002 	}
5003 
5004 	/* copy in the ports for later check */
5005 	stc.myport = sh->dest_port;
5006 	stc.peerport = sh->src_port;
5007 
5008 	/*
5009 	 * If we wanted to honor cookie life extentions, we would add to
5010 	 * stc.cookie_life. For now we should NOT honor any extension
5011 	 */
5012 	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
5013 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5014 		struct inpcb *in_inp;
5015 
5016 		/* Its a V6 socket */
5017 		in_inp = (struct inpcb *)inp;
5018 		stc.ipv6_addr_legal = 1;
5019 		/* Now look at the binding flag to see if V4 will be legal */
5020 		if (SCTP_IPV6_V6ONLY(in_inp) == 0) {
5021 			stc.ipv4_addr_legal = 1;
5022 		} else {
5023 			/* V4 addresses are NOT legal on the association */
5024 			stc.ipv4_addr_legal = 0;
5025 		}
5026 	} else {
5027 		/* Its a V4 socket, no - V6 */
5028 		stc.ipv4_addr_legal = 1;
5029 		stc.ipv6_addr_legal = 0;
5030 	}
5031 
5032 #ifdef SCTP_DONT_DO_PRIVADDR_SCOPE
5033 	stc.ipv4_scope = 1;
5034 #else
5035 	stc.ipv4_scope = 0;
5036 #endif
5037 	/* now for scope setup */
5038 	memset((caddr_t)&store, 0, sizeof(store));
5039 	memset((caddr_t)&store1, 0, sizeof(store1));
5040 	sin = &store.sin;
5041 	to_sin = &store1.sin;
5042 #ifdef INET6
5043 	sin6 = &store.sin6;
5044 	to_sin6 = &store1.sin6;
5045 #endif
5046 	iph = mtod(init_pkt, struct ip *);
5047 	/* establish the to_addr's */
5048 	switch (iph->ip_v) {
5049 	case IPVERSION:
5050 		to_sin->sin_port = sh->dest_port;
5051 		to_sin->sin_family = AF_INET;
5052 		to_sin->sin_len = sizeof(struct sockaddr_in);
5053 		to_sin->sin_addr = iph->ip_dst;
5054 		break;
5055 #ifdef INET6
5056 	case IPV6_VERSION >> 4:
5057 		ip6 = mtod(init_pkt, struct ip6_hdr *);
5058 		to_sin6->sin6_addr = ip6->ip6_dst;
5059 		to_sin6->sin6_scope_id = 0;
5060 		to_sin6->sin6_port = sh->dest_port;
5061 		to_sin6->sin6_family = AF_INET6;
5062 		to_sin6->sin6_len = sizeof(struct sockaddr_in6);
5063 		break;
5064 #endif
5065 	default:
5066 		goto do_a_abort;
5067 		break;
5068 	};
5069 
5070 	if (net == NULL) {
5071 		to = (struct sockaddr *)&store;
5072 		switch (iph->ip_v) {
5073 		case IPVERSION:
5074 			{
5075 				sin->sin_family = AF_INET;
5076 				sin->sin_len = sizeof(struct sockaddr_in);
5077 				sin->sin_port = sh->src_port;
5078 				sin->sin_addr = iph->ip_src;
5079 				/* lookup address */
5080 				stc.address[0] = sin->sin_addr.s_addr;
5081 				stc.address[1] = 0;
5082 				stc.address[2] = 0;
5083 				stc.address[3] = 0;
5084 				stc.addr_type = SCTP_IPV4_ADDRESS;
5085 				/* local from address */
5086 				stc.laddress[0] = to_sin->sin_addr.s_addr;
5087 				stc.laddress[1] = 0;
5088 				stc.laddress[2] = 0;
5089 				stc.laddress[3] = 0;
5090 				stc.laddr_type = SCTP_IPV4_ADDRESS;
5091 				/* scope_id is only for v6 */
5092 				stc.scope_id = 0;
5093 #ifndef SCTP_DONT_DO_PRIVADDR_SCOPE
5094 				if (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr)) {
5095 					stc.ipv4_scope = 1;
5096 				}
5097 #else
5098 				stc.ipv4_scope = 1;
5099 #endif				/* SCTP_DONT_DO_PRIVADDR_SCOPE */
5100 				/* Must use the address in this case */
5101 				if (sctp_is_address_on_local_host((struct sockaddr *)sin, vrf_id)) {
5102 					stc.loopback_scope = 1;
5103 					stc.ipv4_scope = 1;
5104 					stc.site_scope = 1;
5105 					stc.local_scope = 0;
5106 				}
5107 				break;
5108 			}
5109 #ifdef INET6
5110 		case IPV6_VERSION >> 4:
5111 			{
5112 				ip6 = mtod(init_pkt, struct ip6_hdr *);
5113 				sin6->sin6_family = AF_INET6;
5114 				sin6->sin6_len = sizeof(struct sockaddr_in6);
5115 				sin6->sin6_port = sh->src_port;
5116 				sin6->sin6_addr = ip6->ip6_src;
5117 				/* lookup address */
5118 				memcpy(&stc.address, &sin6->sin6_addr,
5119 				    sizeof(struct in6_addr));
5120 				sin6->sin6_scope_id = 0;
5121 				stc.addr_type = SCTP_IPV6_ADDRESS;
5122 				stc.scope_id = 0;
5123 				if (sctp_is_address_on_local_host((struct sockaddr *)sin6, vrf_id)) {
5124 					/*
5125 					 * FIX ME: does this have scope from
5126 					 * rcvif?
5127 					 */
5128 					(void)sa6_recoverscope(sin6);
5129 					stc.scope_id = sin6->sin6_scope_id;
5130 					sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone));
5131 					stc.loopback_scope = 1;
5132 					stc.local_scope = 0;
5133 					stc.site_scope = 1;
5134 					stc.ipv4_scope = 1;
5135 				} else if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
5136 					/*
5137 					 * If the new destination is a
5138 					 * LINK_LOCAL we must have common
5139 					 * both site and local scope. Don't
5140 					 * set local scope though since we
5141 					 * must depend on the source to be
5142 					 * added implicitly. We cannot
5143 					 * assure just because we share one
5144 					 * link that all links are common.
5145 					 */
5146 					stc.local_scope = 0;
5147 					stc.site_scope = 1;
5148 					stc.ipv4_scope = 1;
5149 					/*
5150 					 * we start counting for the private
5151 					 * address stuff at 1. since the
5152 					 * link local we source from won't
5153 					 * show up in our scoped count.
5154 					 */
5155 					cnt_inits_to = 1;
5156 					/*
5157 					 * pull out the scope_id from
5158 					 * incoming pkt
5159 					 */
5160 					/*
5161 					 * FIX ME: does this have scope from
5162 					 * rcvif?
5163 					 */
5164 					(void)sa6_recoverscope(sin6);
5165 					stc.scope_id = sin6->sin6_scope_id;
5166 					sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone));
5167 				} else if (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
5168 					/*
5169 					 * If the new destination is
5170 					 * SITE_LOCAL then we must have site
5171 					 * scope in common.
5172 					 */
5173 					stc.site_scope = 1;
5174 				}
5175 				memcpy(&stc.laddress, &to_sin6->sin6_addr, sizeof(struct in6_addr));
5176 				stc.laddr_type = SCTP_IPV6_ADDRESS;
5177 				break;
5178 			}
5179 #endif
5180 		default:
5181 			/* TSNH */
5182 			goto do_a_abort;
5183 			break;
5184 		}
5185 	} else {
5186 		/* set the scope per the existing tcb */
5187 
5188 #ifdef INET6
5189 		struct sctp_nets *lnet;
5190 
5191 #endif
5192 
5193 		stc.loopback_scope = asoc->loopback_scope;
5194 		stc.ipv4_scope = asoc->ipv4_local_scope;
5195 		stc.site_scope = asoc->site_scope;
5196 		stc.local_scope = asoc->local_scope;
5197 #ifdef INET6
5198 		/* Why do we not consider IPv4 LL addresses? */
5199 		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
5200 			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
5201 				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
5202 					/*
5203 					 * if we have a LL address, start
5204 					 * counting at 1.
5205 					 */
5206 					cnt_inits_to = 1;
5207 				}
5208 			}
5209 		}
5210 #endif
5211 		/* use the net pointer */
5212 		to = (struct sockaddr *)&net->ro._l_addr;
5213 		switch (to->sa_family) {
5214 		case AF_INET:
5215 			sin = (struct sockaddr_in *)to;
5216 			stc.address[0] = sin->sin_addr.s_addr;
5217 			stc.address[1] = 0;
5218 			stc.address[2] = 0;
5219 			stc.address[3] = 0;
5220 			stc.addr_type = SCTP_IPV4_ADDRESS;
5221 			if (net->src_addr_selected == 0) {
5222 				/*
5223 				 * strange case here, the INIT should have
5224 				 * did the selection.
5225 				 */
5226 				net->ro._s_addr = sctp_source_address_selection(inp,
5227 				    stcb, (sctp_route_t *) & net->ro,
5228 				    net, 0, vrf_id);
5229 				if (net->ro._s_addr == NULL)
5230 					return;
5231 
5232 				net->src_addr_selected = 1;
5233 
5234 			}
5235 			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
5236 			stc.laddress[1] = 0;
5237 			stc.laddress[2] = 0;
5238 			stc.laddress[3] = 0;
5239 			stc.laddr_type = SCTP_IPV4_ADDRESS;
5240 			break;
5241 #ifdef INET6
5242 		case AF_INET6:
5243 			sin6 = (struct sockaddr_in6 *)to;
5244 			memcpy(&stc.address, &sin6->sin6_addr,
5245 			    sizeof(struct in6_addr));
5246 			stc.addr_type = SCTP_IPV6_ADDRESS;
5247 			if (net->src_addr_selected == 0) {
5248 				/*
5249 				 * strange case here, the INIT should have
5250 				 * did the selection.
5251 				 */
5252 				net->ro._s_addr = sctp_source_address_selection(inp,
5253 				    stcb, (sctp_route_t *) & net->ro,
5254 				    net, 0, vrf_id);
5255 				if (net->ro._s_addr == NULL)
5256 					return;
5257 
5258 				net->src_addr_selected = 1;
5259 			}
5260 			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
5261 			    sizeof(struct in6_addr));
5262 			stc.laddr_type = SCTP_IPV6_ADDRESS;
5263 			break;
5264 #endif
5265 		}
5266 	}
5267 	/* Now lets put the SCTP header in place */
5268 	initack = mtod(m, struct sctp_init_ack_chunk *);
5269 	/* Save it off for quick ref */
5270 	stc.peers_vtag = init_chk->init.initiate_tag;
5271 	/* who are we */
5272 	memcpy(stc.identification, SCTP_VERSION_STRING,
5273 	    min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
5274 	/* now the chunk header */
5275 	initack->ch.chunk_type = SCTP_INITIATION_ACK;
5276 	initack->ch.chunk_flags = 0;
5277 	/* fill in later from mbuf we build */
5278 	initack->ch.chunk_length = 0;
5279 	/* place in my tag */
5280 	if ((asoc != NULL) &&
5281 	    ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
5282 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_INUSE) ||
5283 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED))) {
5284 		/* re-use the v-tags and init-seq here */
5285 		initack->init.initiate_tag = htonl(asoc->my_vtag);
5286 		initack->init.initial_tsn = htonl(asoc->init_seq_number);
5287 	} else {
5288 		uint32_t vtag, itsn;
5289 
5290 		if (hold_inp_lock) {
5291 			SCTP_INP_INCR_REF(inp);
5292 			SCTP_INP_RUNLOCK(inp);
5293 		}
5294 		if (asoc) {
5295 			atomic_add_int(&asoc->refcnt, 1);
5296 			SCTP_TCB_UNLOCK(stcb);
5297 	new_tag:
5298 			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5299 			if ((asoc->peer_supports_nat) && (vtag == asoc->my_vtag)) {
5300 				/*
5301 				 * Got a duplicate vtag on some guy behind a
5302 				 * nat make sure we don't use it.
5303 				 */
5304 				goto new_tag;
5305 			}
5306 			initack->init.initiate_tag = htonl(vtag);
5307 			/* get a TSN to use too */
5308 			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
5309 			initack->init.initial_tsn = htonl(itsn);
5310 			SCTP_TCB_LOCK(stcb);
5311 			atomic_add_int(&asoc->refcnt, -1);
5312 		} else {
5313 			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5314 			initack->init.initiate_tag = htonl(vtag);
5315 			/* get a TSN to use too */
5316 			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
5317 		}
5318 		if (hold_inp_lock) {
5319 			SCTP_INP_RLOCK(inp);
5320 			SCTP_INP_DECR_REF(inp);
5321 		}
5322 	}
5323 	/* save away my tag to */
5324 	stc.my_vtag = initack->init.initiate_tag;
5325 
5326 	/* set up some of the credits. */
5327 	so = inp->sctp_socket;
5328 	if (so == NULL) {
5329 		/* memory problem */
5330 		sctp_m_freem(m);
5331 		return;
5332 	} else {
5333 		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
5334 	}
5335 	/* set what I want */
5336 	his_limit = ntohs(init_chk->init.num_inbound_streams);
5337 	/* choose what I want */
5338 	if (asoc != NULL) {
5339 		if (asoc->streamoutcnt > inp->sctp_ep.pre_open_stream_count) {
5340 			i_want = asoc->streamoutcnt;
5341 		} else {
5342 			i_want = inp->sctp_ep.pre_open_stream_count;
5343 		}
5344 	} else {
5345 		i_want = inp->sctp_ep.pre_open_stream_count;
5346 	}
5347 	if (his_limit < i_want) {
5348 		/* I Want more :< */
5349 		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
5350 	} else {
5351 		/* I can have what I want :> */
5352 		initack->init.num_outbound_streams = htons(i_want);
5353 	}
5354 	/* tell him his limt. */
5355 	initack->init.num_inbound_streams =
5356 	    htons(inp->sctp_ep.max_open_streams_intome);
5357 
5358 	/* adaptation layer indication parameter */
5359 	ali = (struct sctp_adaptation_layer_indication *)((caddr_t)initack + sizeof(*initack));
5360 	ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
5361 	ali->ph.param_length = htons(sizeof(*ali));
5362 	ali->indication = ntohl(inp->sctp_ep.adaptation_layer_indicator);
5363 	SCTP_BUF_LEN(m) += sizeof(*ali);
5364 	ecn = (struct sctp_ecn_supported_param *)((caddr_t)ali + sizeof(*ali));
5365 
5366 	/* ECN parameter */
5367 	if (((asoc != NULL) && (asoc->ecn_allowed == 1)) ||
5368 	    (inp->sctp_ecn_enable == 1)) {
5369 		ecn->ph.param_type = htons(SCTP_ECN_CAPABLE);
5370 		ecn->ph.param_length = htons(sizeof(*ecn));
5371 		SCTP_BUF_LEN(m) += sizeof(*ecn);
5372 
5373 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn +
5374 		    sizeof(*ecn));
5375 	} else {
5376 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn);
5377 	}
5378 	/* And now tell the peer we do  pr-sctp */
5379 	prsctp->ph.param_type = htons(SCTP_PRSCTP_SUPPORTED);
5380 	prsctp->ph.param_length = htons(sizeof(*prsctp));
5381 	SCTP_BUF_LEN(m) += sizeof(*prsctp);
5382 	if (nat_friendly) {
5383 		/* Add NAT friendly parameter */
5384 		struct sctp_paramhdr *ph;
5385 
5386 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5387 		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
5388 		ph->param_length = htons(sizeof(struct sctp_paramhdr));
5389 		SCTP_BUF_LEN(m) += sizeof(struct sctp_paramhdr);
5390 	}
5391 	/* And now tell the peer we do all the extensions */
5392 	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5393 	pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
5394 	num_ext = 0;
5395 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
5396 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
5397 	pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
5398 	pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
5399 	pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
5400 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable))
5401 		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
5402 	if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off))
5403 		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
5404 	p_len = sizeof(*pr_supported) + num_ext;
5405 	pr_supported->ph.param_length = htons(p_len);
5406 	bzero((caddr_t)pr_supported + p_len, SCTP_SIZE32(p_len) - p_len);
5407 	SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5408 
5409 	/* add authentication parameters */
5410 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
5411 		struct sctp_auth_random *randp;
5412 		struct sctp_auth_hmac_algo *hmacs;
5413 		struct sctp_auth_chunk_list *chunks;
5414 		uint16_t random_len;
5415 
5416 		/* generate and add RANDOM parameter */
5417 		random_len = SCTP_AUTH_RANDOM_SIZE_DEFAULT;
5418 		randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5419 		randp->ph.param_type = htons(SCTP_RANDOM);
5420 		p_len = sizeof(*randp) + random_len;
5421 		randp->ph.param_length = htons(p_len);
5422 		SCTP_READ_RANDOM(randp->random_data, random_len);
5423 		/* zero out any padding required */
5424 		bzero((caddr_t)randp + p_len, SCTP_SIZE32(p_len) - p_len);
5425 		SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5426 
5427 		/* add HMAC_ALGO parameter */
5428 		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5429 		p_len = sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
5430 		    (uint8_t *) hmacs->hmac_ids);
5431 		if (p_len > 0) {
5432 			p_len += sizeof(*hmacs);
5433 			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
5434 			hmacs->ph.param_length = htons(p_len);
5435 			/* zero out any padding required */
5436 			bzero((caddr_t)hmacs + p_len, SCTP_SIZE32(p_len) - p_len);
5437 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5438 		}
5439 		/* add CHUNKS parameter */
5440 		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5441 		p_len = sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
5442 		    chunks->chunk_types);
5443 		if (p_len > 0) {
5444 			p_len += sizeof(*chunks);
5445 			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
5446 			chunks->ph.param_length = htons(p_len);
5447 			/* zero out any padding required */
5448 			bzero((caddr_t)chunks + p_len, SCTP_SIZE32(p_len) - p_len);
5449 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5450 		}
5451 	}
5452 	m_at = m;
5453 	/* now the addresses */
5454 	{
5455 		struct sctp_scoping scp;
5456 
5457 		/*
5458 		 * To optimize this we could put the scoping stuff into a
5459 		 * structure and remove the individual uint8's from the stc
5460 		 * structure. Then we could just sifa in the address within
5461 		 * the stc.. but for now this is a quick hack to get the
5462 		 * address stuff teased apart.
5463 		 */
5464 		scp.ipv4_addr_legal = stc.ipv4_addr_legal;
5465 		scp.ipv6_addr_legal = stc.ipv6_addr_legal;
5466 		scp.loopback_scope = stc.loopback_scope;
5467 		scp.ipv4_local_scope = stc.ipv4_scope;
5468 		scp.local_scope = stc.local_scope;
5469 		scp.site_scope = stc.site_scope;
5470 		m_at = sctp_add_addresses_to_i_ia(inp, &scp, m_at, cnt_inits_to);
5471 	}
5472 
5473 	/* tack on the operational error if present */
5474 	if (op_err) {
5475 		struct mbuf *ol;
5476 		int llen;
5477 
5478 		llen = 0;
5479 		ol = op_err;
5480 		while (ol) {
5481 			llen += SCTP_BUF_LEN(ol);
5482 			ol = SCTP_BUF_NEXT(ol);
5483 		}
5484 		if (llen % 4) {
5485 			/* must add a pad to the param */
5486 			uint32_t cpthis = 0;
5487 			int padlen;
5488 
5489 			padlen = 4 - (llen % 4);
5490 			m_copyback(op_err, llen, padlen, (caddr_t)&cpthis);
5491 		}
5492 		while (SCTP_BUF_NEXT(m_at) != NULL) {
5493 			m_at = SCTP_BUF_NEXT(m_at);
5494 		}
5495 		SCTP_BUF_NEXT(m_at) = op_err;
5496 		while (SCTP_BUF_NEXT(m_at) != NULL) {
5497 			m_at = SCTP_BUF_NEXT(m_at);
5498 		}
5499 	}
5500 	/* pre-calulate the size and update pkt header and chunk header */
5501 	p_len = 0;
5502 	for (m_tmp = m; m_tmp; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
5503 		p_len += SCTP_BUF_LEN(m_tmp);
5504 		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
5505 			/* m_tmp should now point to last one */
5506 			break;
5507 		}
5508 	}
5509 
5510 	/* Now we must build a cookie */
5511 	m_cookie = sctp_add_cookie(inp, init_pkt, offset, m, 0, &stc, &signature);
5512 	if (m_cookie == NULL) {
5513 		/* memory problem */
5514 		sctp_m_freem(m);
5515 		return;
5516 	}
5517 	/* Now append the cookie to the end and update the space/size */
5518 	SCTP_BUF_NEXT(m_tmp) = m_cookie;
5519 
5520 	for (m_tmp = m_cookie; m_tmp; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
5521 		p_len += SCTP_BUF_LEN(m_tmp);
5522 		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
5523 			/* m_tmp should now point to last one */
5524 			mp_last = m_tmp;
5525 			break;
5526 		}
5527 	}
5528 	/*
5529 	 * Place in the size, but we don't include the last pad (if any) in
5530 	 * the INIT-ACK.
5531 	 */
5532 	initack->ch.chunk_length = htons(p_len);
5533 
5534 	/*
5535 	 * Time to sign the cookie, we don't sign over the cookie signature
5536 	 * though thus we set trailer.
5537 	 */
5538 	(void)sctp_hmac_m(SCTP_HMAC,
5539 	    (uint8_t *) inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
5540 	    SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
5541 	    (uint8_t *) signature, SCTP_SIGNATURE_SIZE);
5542 	/*
5543 	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
5544 	 * here since the timer will drive a retranmission.
5545 	 */
5546 	padval = p_len % 4;
5547 	if ((padval) && (mp_last)) {
5548 		/* see my previous comments on mp_last */
5549 		int ret;
5550 
5551 		ret = sctp_add_pad_tombuf(mp_last, (4 - padval));
5552 		if (ret) {
5553 			/* Houston we have a problem, no space */
5554 			sctp_m_freem(m);
5555 			return;
5556 		}
5557 		p_len += padval;
5558 	}
5559 	if (stc.loopback_scope) {
5560 		over_addr = &store1;
5561 	} else {
5562 		over_addr = NULL;
5563 	}
5564 
5565 	(void)sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
5566 	    0, NULL, 0,
5567 	    inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
5568 	    port, SCTP_SO_NOT_LOCKED, over_addr, init_pkt);
5569 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
5570 }
5571 
5572 
5573 static void
5574 sctp_prune_prsctp(struct sctp_tcb *stcb,
5575     struct sctp_association *asoc,
5576     struct sctp_sndrcvinfo *srcv,
5577     int dataout)
5578 {
5579 	int freed_spc = 0;
5580 	struct sctp_tmit_chunk *chk, *nchk;
5581 
5582 	SCTP_TCB_LOCK_ASSERT(stcb);
5583 	if ((asoc->peer_supports_prsctp) &&
5584 	    (asoc->sent_queue_cnt_removeable > 0)) {
5585 		TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
5586 			/*
5587 			 * Look for chunks marked with the PR_SCTP flag AND
5588 			 * the buffer space flag. If the one being sent is
5589 			 * equal or greater priority then purge the old one
5590 			 * and free some space.
5591 			 */
5592 			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
5593 				/*
5594 				 * This one is PR-SCTP AND buffer space
5595 				 * limited type
5596 				 */
5597 				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
5598 					/*
5599 					 * Lower numbers equates to higher
5600 					 * priority so if the one we are
5601 					 * looking at has a larger or equal
5602 					 * priority we want to drop the data
5603 					 * and NOT retransmit it.
5604 					 */
5605 					if (chk->data) {
5606 						/*
5607 						 * We release the book_size
5608 						 * if the mbuf is here
5609 						 */
5610 						int ret_spc;
5611 						int cause;
5612 
5613 						if (chk->sent > SCTP_DATAGRAM_UNSENT)
5614 							cause = SCTP_RESPONSE_TO_USER_REQ | SCTP_NOTIFY_DATAGRAM_SENT;
5615 						else
5616 							cause = SCTP_RESPONSE_TO_USER_REQ | SCTP_NOTIFY_DATAGRAM_UNSENT;
5617 						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
5618 						    cause,
5619 						    SCTP_SO_LOCKED);
5620 						freed_spc += ret_spc;
5621 						if (freed_spc >= dataout) {
5622 							return;
5623 						}
5624 					}	/* if chunk was present */
5625 				}	/* if of sufficent priority */
5626 			}	/* if chunk has enabled */
5627 		}		/* tailqforeach */
5628 
5629 		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
5630 			/* Here we must move to the sent queue and mark */
5631 			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
5632 				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
5633 					if (chk->data) {
5634 						/*
5635 						 * We release the book_size
5636 						 * if the mbuf is here
5637 						 */
5638 						int ret_spc;
5639 
5640 						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
5641 						    SCTP_RESPONSE_TO_USER_REQ | SCTP_NOTIFY_DATAGRAM_UNSENT,
5642 						    SCTP_SO_LOCKED);
5643 
5644 						freed_spc += ret_spc;
5645 						if (freed_spc >= dataout) {
5646 							return;
5647 						}
5648 					}	/* end if chk->data */
5649 				}	/* end if right class */
5650 			}	/* end if chk pr-sctp */
5651 		}		/* tailqforeachsafe (chk) */
5652 	}			/* if enabled in asoc */
5653 }
5654 
5655 int
5656 sctp_get_frag_point(struct sctp_tcb *stcb,
5657     struct sctp_association *asoc)
5658 {
5659 	int siz, ovh;
5660 
5661 	/*
5662 	 * For endpoints that have both v6 and v4 addresses we must reserve
5663 	 * room for the ipv6 header, for those that are only dealing with V4
5664 	 * we use a larger frag point.
5665 	 */
5666 	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5667 		ovh = SCTP_MED_OVERHEAD;
5668 	} else {
5669 		ovh = SCTP_MED_V4_OVERHEAD;
5670 	}
5671 
5672 	if (stcb->asoc.sctp_frag_point > asoc->smallest_mtu)
5673 		siz = asoc->smallest_mtu - ovh;
5674 	else
5675 		siz = (stcb->asoc.sctp_frag_point - ovh);
5676 	/*
5677 	 * if (siz > (MCLBYTES-sizeof(struct sctp_data_chunk))) {
5678 	 */
5679 	/* A data chunk MUST fit in a cluster */
5680 	/* siz = (MCLBYTES - sizeof(struct sctp_data_chunk)); */
5681 	/* } */
5682 
5683 	/* adjust for an AUTH chunk if DATA requires auth */
5684 	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks))
5685 		siz -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
5686 
5687 	if (siz % 4) {
5688 		/* make it an even word boundary please */
5689 		siz -= (siz % 4);
5690 	}
5691 	return (siz);
5692 }
5693 
5694 static void
5695 sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
5696 {
5697 	sp->pr_sctp_on = 0;
5698 	/*
5699 	 * We assume that the user wants PR_SCTP_TTL if the user provides a
5700 	 * positive lifetime but does not specify any PR_SCTP policy. This
5701 	 * is a BAD assumption and causes problems at least with the
5702 	 * U-Vancovers MPI folks. I will change this to be no policy means
5703 	 * NO PR-SCTP.
5704 	 */
5705 	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
5706 		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
5707 		sp->pr_sctp_on = 1;
5708 	} else {
5709 		return;
5710 	}
5711 	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
5712 	case CHUNK_FLAGS_PR_SCTP_BUF:
5713 		/*
5714 		 * Time to live is a priority stored in tv_sec when doing
5715 		 * the buffer drop thing.
5716 		 */
5717 		sp->ts.tv_sec = sp->timetolive;
5718 		sp->ts.tv_usec = 0;
5719 		break;
5720 	case CHUNK_FLAGS_PR_SCTP_TTL:
5721 		{
5722 			struct timeval tv;
5723 
5724 			(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
5725 			tv.tv_sec = sp->timetolive / 1000;
5726 			tv.tv_usec = (sp->timetolive * 1000) % 1000000;
5727 			/*
5728 			 * TODO sctp_constants.h needs alternative time
5729 			 * macros when _KERNEL is undefined.
5730 			 */
5731 			timevaladd(&sp->ts, &tv);
5732 		}
5733 		break;
5734 	case CHUNK_FLAGS_PR_SCTP_RTX:
5735 		/*
5736 		 * Time to live is a the number or retransmissions stored in
5737 		 * tv_sec.
5738 		 */
5739 		sp->ts.tv_sec = sp->timetolive;
5740 		sp->ts.tv_usec = 0;
5741 		break;
5742 	default:
5743 		SCTPDBG(SCTP_DEBUG_USRREQ1,
5744 		    "Unknown PR_SCTP policy %u.\n",
5745 		    PR_SCTP_POLICY(sp->sinfo_flags));
5746 		break;
5747 	}
5748 }
5749 
5750 static int
5751 sctp_msg_append(struct sctp_tcb *stcb,
5752     struct sctp_nets *net,
5753     struct mbuf *m,
5754     struct sctp_sndrcvinfo *srcv, int hold_stcb_lock)
5755 {
5756 	int error = 0, holds_lock;
5757 	struct mbuf *at;
5758 	struct sctp_stream_queue_pending *sp = NULL;
5759 	struct sctp_stream_out *strm;
5760 
5761 	/*
5762 	 * Given an mbuf chain, put it into the association send queue and
5763 	 * place it on the wheel
5764 	 */
5765 	holds_lock = hold_stcb_lock;
5766 	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
5767 		/* Invalid stream number */
5768 		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
5769 		error = EINVAL;
5770 		goto out_now;
5771 	}
5772 	if ((stcb->asoc.stream_locked) &&
5773 	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
5774 		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
5775 		error = EINVAL;
5776 		goto out_now;
5777 	}
5778 	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
5779 	/* Now can we send this? */
5780 	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
5781 	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
5782 	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
5783 	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
5784 		/* got data while shutting down */
5785 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
5786 		error = ECONNRESET;
5787 		goto out_now;
5788 	}
5789 	sctp_alloc_a_strmoq(stcb, sp);
5790 	if (sp == NULL) {
5791 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
5792 		error = ENOMEM;
5793 		goto out_now;
5794 	}
5795 	sp->sinfo_flags = srcv->sinfo_flags;
5796 	sp->timetolive = srcv->sinfo_timetolive;
5797 	sp->ppid = srcv->sinfo_ppid;
5798 	sp->context = srcv->sinfo_context;
5799 	sp->strseq = 0;
5800 	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
5801 		sp->net = net;
5802 		atomic_add_int(&sp->net->ref_count, 1);
5803 	} else {
5804 		sp->net = NULL;
5805 	}
5806 	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
5807 	sp->stream = srcv->sinfo_stream;
5808 	sp->msg_is_complete = 1;
5809 	sp->sender_all_done = 1;
5810 	sp->some_taken = 0;
5811 	sp->data = m;
5812 	sp->tail_mbuf = NULL;
5813 	sp->length = 0;
5814 	at = m;
5815 	sctp_set_prsctp_policy(sp);
5816 	/*
5817 	 * We could in theory (for sendall) sifa the length in, but we would
5818 	 * still have to hunt through the chain since we need to setup the
5819 	 * tail_mbuf
5820 	 */
5821 	while (at) {
5822 		if (SCTP_BUF_NEXT(at) == NULL)
5823 			sp->tail_mbuf = at;
5824 		sp->length += SCTP_BUF_LEN(at);
5825 		at = SCTP_BUF_NEXT(at);
5826 	}
5827 	SCTP_TCB_SEND_LOCK(stcb);
5828 	sctp_snd_sb_alloc(stcb, sp->length);
5829 	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
5830 	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
5831 	if ((srcv->sinfo_flags & SCTP_UNORDERED) == 0) {
5832 		sp->strseq = strm->next_sequence_sent;
5833 		strm->next_sequence_sent++;
5834 	}
5835 	stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, &stcb->asoc, strm, sp, 1);
5836 	m = NULL;
5837 	SCTP_TCB_SEND_UNLOCK(stcb);
5838 out_now:
5839 	if (m) {
5840 		sctp_m_freem(m);
5841 	}
5842 	return (error);
5843 }
5844 
5845 
5846 static struct mbuf *
5847 sctp_copy_mbufchain(struct mbuf *clonechain,
5848     struct mbuf *outchain,
5849     struct mbuf **endofchain,
5850     int can_take_mbuf,
5851     int sizeofcpy,
5852     uint8_t copy_by_ref)
5853 {
5854 	struct mbuf *m;
5855 	struct mbuf *appendchain;
5856 	caddr_t cp;
5857 	int len;
5858 
5859 	if (endofchain == NULL) {
5860 		/* error */
5861 error_out:
5862 		if (outchain)
5863 			sctp_m_freem(outchain);
5864 		return (NULL);
5865 	}
5866 	if (can_take_mbuf) {
5867 		appendchain = clonechain;
5868 	} else {
5869 		if (!copy_by_ref &&
5870 		    (sizeofcpy <= (int)((((SCTP_BASE_SYSCTL(sctp_mbuf_threshold_count) - 1) * MLEN) + MHLEN)))
5871 		    ) {
5872 			/* Its not in a cluster */
5873 			if (*endofchain == NULL) {
5874 				/* lets get a mbuf cluster */
5875 				if (outchain == NULL) {
5876 					/* This is the general case */
5877 			new_mbuf:
5878 					outchain = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_HEADER);
5879 					if (outchain == NULL) {
5880 						goto error_out;
5881 					}
5882 					SCTP_BUF_LEN(outchain) = 0;
5883 					*endofchain = outchain;
5884 					/* get the prepend space */
5885 					SCTP_BUF_RESV_UF(outchain, (SCTP_FIRST_MBUF_RESV + 4));
5886 				} else {
5887 					/*
5888 					 * We really should not get a NULL
5889 					 * in endofchain
5890 					 */
5891 					/* find end */
5892 					m = outchain;
5893 					while (m) {
5894 						if (SCTP_BUF_NEXT(m) == NULL) {
5895 							*endofchain = m;
5896 							break;
5897 						}
5898 						m = SCTP_BUF_NEXT(m);
5899 					}
5900 					/* sanity */
5901 					if (*endofchain == NULL) {
5902 						/*
5903 						 * huh, TSNH XXX maybe we
5904 						 * should panic
5905 						 */
5906 						sctp_m_freem(outchain);
5907 						goto new_mbuf;
5908 					}
5909 				}
5910 				/* get the new end of length */
5911 				len = M_TRAILINGSPACE(*endofchain);
5912 			} else {
5913 				/* how much is left at the end? */
5914 				len = M_TRAILINGSPACE(*endofchain);
5915 			}
5916 			/* Find the end of the data, for appending */
5917 			cp = (mtod((*endofchain), caddr_t)+SCTP_BUF_LEN((*endofchain)));
5918 
5919 			/* Now lets copy it out */
5920 			if (len >= sizeofcpy) {
5921 				/* It all fits, copy it in */
5922 				m_copydata(clonechain, 0, sizeofcpy, cp);
5923 				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
5924 			} else {
5925 				/* fill up the end of the chain */
5926 				if (len > 0) {
5927 					m_copydata(clonechain, 0, len, cp);
5928 					SCTP_BUF_LEN((*endofchain)) += len;
5929 					/* now we need another one */
5930 					sizeofcpy -= len;
5931 				}
5932 				m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_HEADER);
5933 				if (m == NULL) {
5934 					/* We failed */
5935 					goto error_out;
5936 				}
5937 				SCTP_BUF_NEXT((*endofchain)) = m;
5938 				*endofchain = m;
5939 				cp = mtod((*endofchain), caddr_t);
5940 				m_copydata(clonechain, len, sizeofcpy, cp);
5941 				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
5942 			}
5943 			return (outchain);
5944 		} else {
5945 			/* copy the old fashion way */
5946 			appendchain = SCTP_M_COPYM(clonechain, 0, M_COPYALL, M_DONTWAIT);
5947 #ifdef SCTP_MBUF_LOGGING
5948 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
5949 				struct mbuf *mat;
5950 
5951 				mat = appendchain;
5952 				while (mat) {
5953 					if (SCTP_BUF_IS_EXTENDED(mat)) {
5954 						sctp_log_mb(mat, SCTP_MBUF_ICOPY);
5955 					}
5956 					mat = SCTP_BUF_NEXT(mat);
5957 				}
5958 			}
5959 #endif
5960 		}
5961 	}
5962 	if (appendchain == NULL) {
5963 		/* error */
5964 		if (outchain)
5965 			sctp_m_freem(outchain);
5966 		return (NULL);
5967 	}
5968 	if (outchain) {
5969 		/* tack on to the end */
5970 		if (*endofchain != NULL) {
5971 			SCTP_BUF_NEXT(((*endofchain))) = appendchain;
5972 		} else {
5973 			m = outchain;
5974 			while (m) {
5975 				if (SCTP_BUF_NEXT(m) == NULL) {
5976 					SCTP_BUF_NEXT(m) = appendchain;
5977 					break;
5978 				}
5979 				m = SCTP_BUF_NEXT(m);
5980 			}
5981 		}
5982 		/*
5983 		 * save off the end and update the end-chain postion
5984 		 */
5985 		m = appendchain;
5986 		while (m) {
5987 			if (SCTP_BUF_NEXT(m) == NULL) {
5988 				*endofchain = m;
5989 				break;
5990 			}
5991 			m = SCTP_BUF_NEXT(m);
5992 		}
5993 		return (outchain);
5994 	} else {
5995 		/* save off the end and update the end-chain postion */
5996 		m = appendchain;
5997 		while (m) {
5998 			if (SCTP_BUF_NEXT(m) == NULL) {
5999 				*endofchain = m;
6000 				break;
6001 			}
6002 			m = SCTP_BUF_NEXT(m);
6003 		}
6004 		return (appendchain);
6005 	}
6006 }
6007 
6008 int
6009 sctp_med_chunk_output(struct sctp_inpcb *inp,
6010     struct sctp_tcb *stcb,
6011     struct sctp_association *asoc,
6012     int *num_out,
6013     int *reason_code,
6014     int control_only, int from_where,
6015     struct timeval *now, int *now_filled, int frag_point, int so_locked
6016 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
6017     SCTP_UNUSED
6018 #endif
6019 );
6020 
6021 static void
6022 sctp_sendall_iterator(struct sctp_inpcb *inp, struct sctp_tcb *stcb, void *ptr,
6023     uint32_t val)
6024 {
6025 	struct sctp_copy_all *ca;
6026 	struct mbuf *m;
6027 	int ret = 0;
6028 	int added_control = 0;
6029 	int un_sent, do_chunk_output = 1;
6030 	struct sctp_association *asoc;
6031 
6032 	ca = (struct sctp_copy_all *)ptr;
6033 	if (ca->m == NULL) {
6034 		return;
6035 	}
6036 	if (ca->inp != inp) {
6037 		/* TSNH */
6038 		return;
6039 	}
6040 	if ((ca->m) && ca->sndlen) {
6041 		m = SCTP_M_COPYM(ca->m, 0, M_COPYALL, M_DONTWAIT);
6042 		if (m == NULL) {
6043 			/* can't copy so we are done */
6044 			ca->cnt_failed++;
6045 			return;
6046 		}
6047 #ifdef SCTP_MBUF_LOGGING
6048 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6049 			struct mbuf *mat;
6050 
6051 			mat = m;
6052 			while (mat) {
6053 				if (SCTP_BUF_IS_EXTENDED(mat)) {
6054 					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
6055 				}
6056 				mat = SCTP_BUF_NEXT(mat);
6057 			}
6058 		}
6059 #endif
6060 	} else {
6061 		m = NULL;
6062 	}
6063 	SCTP_TCB_LOCK_ASSERT(stcb);
6064 	if (ca->sndrcv.sinfo_flags & SCTP_ABORT) {
6065 		/* Abort this assoc with m as the user defined reason */
6066 		if (m) {
6067 			struct sctp_paramhdr *ph;
6068 
6069 			SCTP_BUF_PREPEND(m, sizeof(struct sctp_paramhdr), M_DONTWAIT);
6070 			if (m) {
6071 				ph = mtod(m, struct sctp_paramhdr *);
6072 				ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
6073 				ph->param_length = htons(ca->sndlen);
6074 			}
6075 			/*
6076 			 * We add one here to keep the assoc from
6077 			 * dis-appearing on us.
6078 			 */
6079 			atomic_add_int(&stcb->asoc.refcnt, 1);
6080 			sctp_abort_an_association(inp, stcb,
6081 			    SCTP_RESPONSE_TO_USER_REQ,
6082 			    m, SCTP_SO_NOT_LOCKED);
6083 			/*
6084 			 * sctp_abort_an_association calls sctp_free_asoc()
6085 			 * free association will NOT free it since we
6086 			 * incremented the refcnt .. we do this to prevent
6087 			 * it being freed and things getting tricky since we
6088 			 * could end up (from free_asoc) calling inpcb_free
6089 			 * which would get a recursive lock call to the
6090 			 * iterator lock.. But as a consequence of that the
6091 			 * stcb will return to us un-locked.. since
6092 			 * free_asoc returns with either no TCB or the TCB
6093 			 * unlocked, we must relock.. to unlock in the
6094 			 * iterator timer :-0
6095 			 */
6096 			SCTP_TCB_LOCK(stcb);
6097 			atomic_add_int(&stcb->asoc.refcnt, -1);
6098 			goto no_chunk_output;
6099 		}
6100 	} else {
6101 		if (m) {
6102 			ret = sctp_msg_append(stcb, stcb->asoc.primary_destination, m,
6103 			    &ca->sndrcv, 1);
6104 		}
6105 		asoc = &stcb->asoc;
6106 		if (ca->sndrcv.sinfo_flags & SCTP_EOF) {
6107 			/* shutdown this assoc */
6108 			int cnt;
6109 
6110 			cnt = sctp_is_there_unsent_data(stcb);
6111 
6112 			if (TAILQ_EMPTY(&asoc->send_queue) &&
6113 			    TAILQ_EMPTY(&asoc->sent_queue) &&
6114 			    (cnt == 0)) {
6115 				if (asoc->locked_on_sending) {
6116 					goto abort_anyway;
6117 				}
6118 				/*
6119 				 * there is nothing queued to send, so I'm
6120 				 * done...
6121 				 */
6122 				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
6123 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6124 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6125 					/*
6126 					 * only send SHUTDOWN the first time
6127 					 * through
6128 					 */
6129 					sctp_send_shutdown(stcb, stcb->asoc.primary_destination);
6130 					if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
6131 						SCTP_STAT_DECR_GAUGE32(sctps_currestab);
6132 					}
6133 					SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
6134 					SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
6135 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
6136 					    asoc->primary_destination);
6137 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6138 					    asoc->primary_destination);
6139 					added_control = 1;
6140 					do_chunk_output = 0;
6141 				}
6142 			} else {
6143 				/*
6144 				 * we still got (or just got) data to send,
6145 				 * so set SHUTDOWN_PENDING
6146 				 */
6147 				/*
6148 				 * XXX sockets draft says that SCTP_EOF
6149 				 * should be sent with no data.  currently,
6150 				 * we will allow user data to be sent first
6151 				 * and move to SHUTDOWN-PENDING
6152 				 */
6153 				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
6154 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6155 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6156 					if (asoc->locked_on_sending) {
6157 						/*
6158 						 * Locked to send out the
6159 						 * data
6160 						 */
6161 						struct sctp_stream_queue_pending *sp;
6162 
6163 						sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
6164 						if (sp) {
6165 							if ((sp->length == 0) && (sp->msg_is_complete == 0))
6166 								asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
6167 						}
6168 					}
6169 					asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
6170 					if (TAILQ_EMPTY(&asoc->send_queue) &&
6171 					    TAILQ_EMPTY(&asoc->sent_queue) &&
6172 					    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
6173 				abort_anyway:
6174 						atomic_add_int(&stcb->asoc.refcnt, 1);
6175 						sctp_abort_an_association(stcb->sctp_ep, stcb,
6176 						    SCTP_RESPONSE_TO_USER_REQ,
6177 						    NULL, SCTP_SO_NOT_LOCKED);
6178 						atomic_add_int(&stcb->asoc.refcnt, -1);
6179 						goto no_chunk_output;
6180 					}
6181 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6182 					    asoc->primary_destination);
6183 				}
6184 			}
6185 
6186 		}
6187 	}
6188 	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
6189 	    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
6190 
6191 	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
6192 	    (stcb->asoc.total_flight > 0) &&
6193 	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))
6194 	    ) {
6195 		do_chunk_output = 0;
6196 	}
6197 	if (do_chunk_output)
6198 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_NOT_LOCKED);
6199 	else if (added_control) {
6200 		int num_out = 0, reason = 0, now_filled = 0;
6201 		struct timeval now;
6202 		int frag_point;
6203 
6204 		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
6205 		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
6206 		    &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_NOT_LOCKED);
6207 	}
6208 no_chunk_output:
6209 	if (ret) {
6210 		ca->cnt_failed++;
6211 	} else {
6212 		ca->cnt_sent++;
6213 	}
6214 }
6215 
6216 static void
6217 sctp_sendall_completes(void *ptr, uint32_t val)
6218 {
6219 	struct sctp_copy_all *ca;
6220 
6221 	ca = (struct sctp_copy_all *)ptr;
6222 	/*
6223 	 * Do a notify here? Kacheong suggests that the notify be done at
6224 	 * the send time.. so you would push up a notification if any send
6225 	 * failed. Don't know if this is feasable since the only failures we
6226 	 * have is "memory" related and if you cannot get an mbuf to send
6227 	 * the data you surely can't get an mbuf to send up to notify the
6228 	 * user you can't send the data :->
6229 	 */
6230 
6231 	/* now free everything */
6232 	sctp_m_freem(ca->m);
6233 	SCTP_FREE(ca, SCTP_M_COPYAL);
6234 }
6235 
6236 
6237 #define	MC_ALIGN(m, len) do {						\
6238 	SCTP_BUF_RESV_UF(m, ((MCLBYTES - (len)) & ~(sizeof(long) - 1));	\
6239 } while (0)
6240 
6241 
6242 
6243 static struct mbuf *
6244 sctp_copy_out_all(struct uio *uio, int len)
6245 {
6246 	struct mbuf *ret, *at;
6247 	int left, willcpy, cancpy, error;
6248 
6249 	ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAIT, 1, MT_DATA);
6250 	if (ret == NULL) {
6251 		/* TSNH */
6252 		return (NULL);
6253 	}
6254 	left = len;
6255 	SCTP_BUF_LEN(ret) = 0;
6256 	/* save space for the data chunk header */
6257 	cancpy = M_TRAILINGSPACE(ret);
6258 	willcpy = min(cancpy, left);
6259 	at = ret;
6260 	while (left > 0) {
6261 		/* Align data to the end */
6262 		error = uiomove(mtod(at, caddr_t), willcpy, uio);
6263 		if (error) {
6264 	err_out_now:
6265 			sctp_m_freem(at);
6266 			return (NULL);
6267 		}
6268 		SCTP_BUF_LEN(at) = willcpy;
6269 		SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
6270 		left -= willcpy;
6271 		if (left > 0) {
6272 			SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg(left, 0, M_WAIT, 1, MT_DATA);
6273 			if (SCTP_BUF_NEXT(at) == NULL) {
6274 				goto err_out_now;
6275 			}
6276 			at = SCTP_BUF_NEXT(at);
6277 			SCTP_BUF_LEN(at) = 0;
6278 			cancpy = M_TRAILINGSPACE(at);
6279 			willcpy = min(cancpy, left);
6280 		}
6281 	}
6282 	return (ret);
6283 }
6284 
6285 static int
6286 sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
6287     struct sctp_sndrcvinfo *srcv)
6288 {
6289 	int ret;
6290 	struct sctp_copy_all *ca;
6291 
6292 	SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
6293 	    SCTP_M_COPYAL);
6294 	if (ca == NULL) {
6295 		sctp_m_freem(m);
6296 		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6297 		return (ENOMEM);
6298 	}
6299 	memset(ca, 0, sizeof(struct sctp_copy_all));
6300 
6301 	ca->inp = inp;
6302 	memcpy(&ca->sndrcv, srcv, sizeof(struct sctp_nonpad_sndrcvinfo));
6303 	/*
6304 	 * take off the sendall flag, it would be bad if we failed to do
6305 	 * this :-0
6306 	 */
6307 	ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
6308 	/* get length and mbuf chain */
6309 	if (uio) {
6310 		ca->sndlen = uio->uio_resid;
6311 		ca->m = sctp_copy_out_all(uio, ca->sndlen);
6312 		if (ca->m == NULL) {
6313 			SCTP_FREE(ca, SCTP_M_COPYAL);
6314 			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6315 			return (ENOMEM);
6316 		}
6317 	} else {
6318 		/* Gather the length of the send */
6319 		struct mbuf *mat;
6320 
6321 		mat = m;
6322 		ca->sndlen = 0;
6323 		while (m) {
6324 			ca->sndlen += SCTP_BUF_LEN(m);
6325 			m = SCTP_BUF_NEXT(m);
6326 		}
6327 		ca->m = mat;
6328 	}
6329 	ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
6330 	    SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
6331 	    SCTP_ASOC_ANY_STATE,
6332 	    (void *)ca, 0,
6333 	    sctp_sendall_completes, inp, 1);
6334 	if (ret) {
6335 		SCTP_PRINTF("Failed to initiate iterator for sendall\n");
6336 		SCTP_FREE(ca, SCTP_M_COPYAL);
6337 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
6338 		return (EFAULT);
6339 	}
6340 	return (0);
6341 }
6342 
6343 
6344 void
6345 sctp_toss_old_cookies(struct sctp_tcb *stcb, struct sctp_association *asoc)
6346 {
6347 	struct sctp_tmit_chunk *chk, *nchk;
6348 
6349 	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
6350 		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
6351 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
6352 			if (chk->data) {
6353 				sctp_m_freem(chk->data);
6354 				chk->data = NULL;
6355 			}
6356 			asoc->ctrl_queue_cnt--;
6357 			sctp_free_a_chunk(stcb, chk);
6358 		}
6359 	}
6360 }
6361 
6362 void
6363 sctp_toss_old_asconf(struct sctp_tcb *stcb)
6364 {
6365 	struct sctp_association *asoc;
6366 	struct sctp_tmit_chunk *chk, *nchk;
6367 	struct sctp_asconf_chunk *acp;
6368 
6369 	asoc = &stcb->asoc;
6370 	TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
6371 		/* find SCTP_ASCONF chunk in queue */
6372 		if (chk->rec.chunk_id.id == SCTP_ASCONF) {
6373 			if (chk->data) {
6374 				acp = mtod(chk->data, struct sctp_asconf_chunk *);
6375 				if (SCTP_TSN_GT(ntohl(acp->serial_number), asoc->asconf_seq_out_acked)) {
6376 					/* Not Acked yet */
6377 					break;
6378 				}
6379 			}
6380 			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
6381 			if (chk->data) {
6382 				sctp_m_freem(chk->data);
6383 				chk->data = NULL;
6384 			}
6385 			asoc->ctrl_queue_cnt--;
6386 			sctp_free_a_chunk(stcb, chk);
6387 		}
6388 	}
6389 }
6390 
6391 
6392 static void
6393 sctp_clean_up_datalist(struct sctp_tcb *stcb,
6394     struct sctp_association *asoc,
6395     struct sctp_tmit_chunk **data_list,
6396     int bundle_at,
6397     struct sctp_nets *net)
6398 {
6399 	int i;
6400 	struct sctp_tmit_chunk *tp1;
6401 
6402 	for (i = 0; i < bundle_at; i++) {
6403 		/* off of the send queue */
6404 		TAILQ_REMOVE(&asoc->send_queue, data_list[i], sctp_next);
6405 		asoc->send_queue_cnt--;
6406 		if (i > 0) {
6407 			/*
6408 			 * Any chunk NOT 0 you zap the time chunk 0 gets
6409 			 * zapped or set based on if a RTO measurment is
6410 			 * needed.
6411 			 */
6412 			data_list[i]->do_rtt = 0;
6413 		}
6414 		/* record time */
6415 		data_list[i]->sent_rcv_time = net->last_sent_time;
6416 		data_list[i]->rec.data.cwnd_at_send = net->cwnd;
6417 		data_list[i]->rec.data.fast_retran_tsn = data_list[i]->rec.data.TSN_seq;
6418 		if (data_list[i]->whoTo == NULL) {
6419 			data_list[i]->whoTo = net;
6420 			atomic_add_int(&net->ref_count, 1);
6421 		}
6422 		/* on to the sent queue */
6423 		tp1 = TAILQ_LAST(&asoc->sent_queue, sctpchunk_listhead);
6424 		if ((tp1) && SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
6425 			struct sctp_tmit_chunk *tpp;
6426 
6427 			/* need to move back */
6428 	back_up_more:
6429 			tpp = TAILQ_PREV(tp1, sctpchunk_listhead, sctp_next);
6430 			if (tpp == NULL) {
6431 				TAILQ_INSERT_BEFORE(tp1, data_list[i], sctp_next);
6432 				goto all_done;
6433 			}
6434 			tp1 = tpp;
6435 			if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
6436 				goto back_up_more;
6437 			}
6438 			TAILQ_INSERT_AFTER(&asoc->sent_queue, tp1, data_list[i], sctp_next);
6439 		} else {
6440 			TAILQ_INSERT_TAIL(&asoc->sent_queue,
6441 			    data_list[i],
6442 			    sctp_next);
6443 		}
6444 all_done:
6445 		/* This does not lower until the cum-ack passes it */
6446 		asoc->sent_queue_cnt++;
6447 		if ((asoc->peers_rwnd <= 0) &&
6448 		    (asoc->total_flight == 0) &&
6449 		    (bundle_at == 1)) {
6450 			/* Mark the chunk as being a window probe */
6451 			SCTP_STAT_INCR(sctps_windowprobed);
6452 		}
6453 #ifdef SCTP_AUDITING_ENABLED
6454 		sctp_audit_log(0xC2, 3);
6455 #endif
6456 		data_list[i]->sent = SCTP_DATAGRAM_SENT;
6457 		data_list[i]->snd_count = 1;
6458 		data_list[i]->rec.data.chunk_was_revoked = 0;
6459 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
6460 			sctp_misc_ints(SCTP_FLIGHT_LOG_UP,
6461 			    data_list[i]->whoTo->flight_size,
6462 			    data_list[i]->book_size,
6463 			    (uintptr_t) data_list[i]->whoTo,
6464 			    data_list[i]->rec.data.TSN_seq);
6465 		}
6466 		sctp_flight_size_increase(data_list[i]);
6467 		sctp_total_flight_increase(stcb, data_list[i]);
6468 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
6469 			sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
6470 			    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
6471 		}
6472 		asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
6473 		    (uint32_t) (data_list[i]->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
6474 		if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
6475 			/* SWS sender side engages */
6476 			asoc->peers_rwnd = 0;
6477 		}
6478 	}
6479 	if (asoc->cc_functions.sctp_cwnd_update_packet_transmitted) {
6480 		(*asoc->cc_functions.sctp_cwnd_update_packet_transmitted) (stcb, net);
6481 	}
6482 }
6483 
6484 static void
6485 sctp_clean_up_ctl(struct sctp_tcb *stcb, struct sctp_association *asoc)
6486 {
6487 	struct sctp_tmit_chunk *chk, *nchk;
6488 
6489 	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
6490 		if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
6491 		    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
6492 		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
6493 		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
6494 		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) ||
6495 		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
6496 		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
6497 		    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
6498 		    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
6499 		    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
6500 		    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
6501 		    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
6502 			/* Stray chunks must be cleaned up */
6503 	clean_up_anyway:
6504 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
6505 			if (chk->data) {
6506 				sctp_m_freem(chk->data);
6507 				chk->data = NULL;
6508 			}
6509 			asoc->ctrl_queue_cnt--;
6510 			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)
6511 				asoc->fwd_tsn_cnt--;
6512 			sctp_free_a_chunk(stcb, chk);
6513 		} else if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
6514 			/* special handling, we must look into the param */
6515 			if (chk != asoc->str_reset) {
6516 				goto clean_up_anyway;
6517 			}
6518 		}
6519 	}
6520 }
6521 
6522 
6523 static int
6524 sctp_can_we_split_this(struct sctp_tcb *stcb,
6525     uint32_t length,
6526     uint32_t goal_mtu, uint32_t frag_point, int eeor_on)
6527 {
6528 	/*
6529 	 * Make a decision on if I should split a msg into multiple parts.
6530 	 * This is only asked of incomplete messages.
6531 	 */
6532 	if (eeor_on) {
6533 		/*
6534 		 * If we are doing EEOR we need to always send it if its the
6535 		 * entire thing, since it might be all the guy is putting in
6536 		 * the hopper.
6537 		 */
6538 		if (goal_mtu >= length) {
6539 			/*-
6540 			 * If we have data outstanding,
6541 			 * we get another chance when the sack
6542 			 * arrives to transmit - wait for more data
6543 			 */
6544 			if (stcb->asoc.total_flight == 0) {
6545 				/*
6546 				 * If nothing is in flight, we zero the
6547 				 * packet counter.
6548 				 */
6549 				return (length);
6550 			}
6551 			return (0);
6552 
6553 		} else {
6554 			/* You can fill the rest */
6555 			return (goal_mtu);
6556 		}
6557 	}
6558 	/*-
6559 	 * For those strange folk that make the send buffer
6560 	 * smaller than our fragmentation point, we can't
6561 	 * get a full msg in so we have to allow splitting.
6562 	 */
6563 	if (SCTP_SB_LIMIT_SND(stcb->sctp_socket) < frag_point) {
6564 		return (length);
6565 	}
6566 	if ((length <= goal_mtu) ||
6567 	    ((length - goal_mtu) < SCTP_BASE_SYSCTL(sctp_min_residual))) {
6568 		/* Sub-optimial residual don't split in non-eeor mode. */
6569 		return (0);
6570 	}
6571 	/*
6572 	 * If we reach here length is larger than the goal_mtu. Do we wish
6573 	 * to split it for the sake of packet putting together?
6574 	 */
6575 	if (goal_mtu >= min(SCTP_BASE_SYSCTL(sctp_min_split_point), frag_point)) {
6576 		/* Its ok to split it */
6577 		return (min(goal_mtu, frag_point));
6578 	}
6579 	/* Nope, can't split */
6580 	return (0);
6581 
6582 }
6583 
6584 static uint32_t
6585 sctp_move_to_outqueue(struct sctp_tcb *stcb,
6586     struct sctp_stream_out *strq,
6587     uint32_t goal_mtu,
6588     uint32_t frag_point,
6589     int *locked,
6590     int *giveup,
6591     int eeor_mode,
6592     int *bail)
6593 {
6594 	/* Move from the stream to the send_queue keeping track of the total */
6595 	struct sctp_association *asoc;
6596 	struct sctp_stream_queue_pending *sp;
6597 	struct sctp_tmit_chunk *chk;
6598 	struct sctp_data_chunk *dchkh;
6599 	uint32_t to_move, length;
6600 	uint8_t rcv_flags = 0;
6601 	uint8_t some_taken;
6602 	uint8_t send_lock_up = 0;
6603 
6604 	SCTP_TCB_LOCK_ASSERT(stcb);
6605 	asoc = &stcb->asoc;
6606 one_more_time:
6607 	/* sa_ignore FREED_MEMORY */
6608 	sp = TAILQ_FIRST(&strq->outqueue);
6609 	if (sp == NULL) {
6610 		*locked = 0;
6611 		if (send_lock_up == 0) {
6612 			SCTP_TCB_SEND_LOCK(stcb);
6613 			send_lock_up = 1;
6614 		}
6615 		sp = TAILQ_FIRST(&strq->outqueue);
6616 		if (sp) {
6617 			goto one_more_time;
6618 		}
6619 		if (strq->last_msg_incomplete) {
6620 			SCTP_PRINTF("Huh? Stream:%d lm_in_c=%d but queue is NULL\n",
6621 			    strq->stream_no,
6622 			    strq->last_msg_incomplete);
6623 			strq->last_msg_incomplete = 0;
6624 		}
6625 		to_move = 0;
6626 		if (send_lock_up) {
6627 			SCTP_TCB_SEND_UNLOCK(stcb);
6628 			send_lock_up = 0;
6629 		}
6630 		goto out_of;
6631 	}
6632 	if ((sp->msg_is_complete) && (sp->length == 0)) {
6633 		if (sp->sender_all_done) {
6634 			/*
6635 			 * We are doing differed cleanup. Last time through
6636 			 * when we took all the data the sender_all_done was
6637 			 * not set.
6638 			 */
6639 			if ((sp->put_last_out == 0) && (sp->discard_rest == 0)) {
6640 				SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
6641 				SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
6642 				    sp->sender_all_done,
6643 				    sp->length,
6644 				    sp->msg_is_complete,
6645 				    sp->put_last_out,
6646 				    send_lock_up);
6647 			}
6648 			if ((TAILQ_NEXT(sp, next) == NULL) && (send_lock_up == 0)) {
6649 				SCTP_TCB_SEND_LOCK(stcb);
6650 				send_lock_up = 1;
6651 			}
6652 			atomic_subtract_int(&asoc->stream_queue_cnt, 1);
6653 			TAILQ_REMOVE(&strq->outqueue, sp, next);
6654 			stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
6655 			if (sp->net) {
6656 				sctp_free_remote_addr(sp->net);
6657 				sp->net = NULL;
6658 			}
6659 			if (sp->data) {
6660 				sctp_m_freem(sp->data);
6661 				sp->data = NULL;
6662 			}
6663 			sctp_free_a_strmoq(stcb, sp);
6664 			/* we can't be locked to it */
6665 			*locked = 0;
6666 			stcb->asoc.locked_on_sending = NULL;
6667 			if (send_lock_up) {
6668 				SCTP_TCB_SEND_UNLOCK(stcb);
6669 				send_lock_up = 0;
6670 			}
6671 			/* back to get the next msg */
6672 			goto one_more_time;
6673 		} else {
6674 			/*
6675 			 * sender just finished this but still holds a
6676 			 * reference
6677 			 */
6678 			*locked = 1;
6679 			*giveup = 1;
6680 			to_move = 0;
6681 			goto out_of;
6682 		}
6683 	} else {
6684 		/* is there some to get */
6685 		if (sp->length == 0) {
6686 			/* no */
6687 			*locked = 1;
6688 			*giveup = 1;
6689 			to_move = 0;
6690 			goto out_of;
6691 		} else if (sp->discard_rest) {
6692 			if (send_lock_up == 0) {
6693 				SCTP_TCB_SEND_LOCK(stcb);
6694 				send_lock_up = 1;
6695 			}
6696 			/* Whack down the size */
6697 			atomic_subtract_int(&stcb->asoc.total_output_queue_size, sp->length);
6698 			if ((stcb->sctp_socket != NULL) && \
6699 			    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
6700 			    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL))) {
6701 				atomic_subtract_int(&stcb->sctp_socket->so_snd.sb_cc, sp->length);
6702 			}
6703 			if (sp->data) {
6704 				sctp_m_freem(sp->data);
6705 				sp->data = NULL;
6706 				sp->tail_mbuf = NULL;
6707 			}
6708 			sp->length = 0;
6709 			sp->some_taken = 1;
6710 			*locked = 1;
6711 			*giveup = 1;
6712 			to_move = 0;
6713 			goto out_of;
6714 		}
6715 	}
6716 	some_taken = sp->some_taken;
6717 	if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
6718 		sp->msg_is_complete = 1;
6719 	}
6720 re_look:
6721 	length = sp->length;
6722 	if (sp->msg_is_complete) {
6723 		/* The message is complete */
6724 		to_move = min(length, frag_point);
6725 		if (to_move == length) {
6726 			/* All of it fits in the MTU */
6727 			if (sp->some_taken) {
6728 				rcv_flags |= SCTP_DATA_LAST_FRAG;
6729 				sp->put_last_out = 1;
6730 			} else {
6731 				rcv_flags |= SCTP_DATA_NOT_FRAG;
6732 				sp->put_last_out = 1;
6733 			}
6734 		} else {
6735 			/* Not all of it fits, we fragment */
6736 			if (sp->some_taken == 0) {
6737 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
6738 			}
6739 			sp->some_taken = 1;
6740 		}
6741 	} else {
6742 		to_move = sctp_can_we_split_this(stcb, length, goal_mtu, frag_point, eeor_mode);
6743 		if (to_move) {
6744 			/*-
6745 			 * We use a snapshot of length in case it
6746 			 * is expanding during the compare.
6747 			 */
6748 			uint32_t llen;
6749 
6750 			llen = length;
6751 			if (to_move >= llen) {
6752 				to_move = llen;
6753 				if (send_lock_up == 0) {
6754 					/*-
6755 					 * We are taking all of an incomplete msg
6756 					 * thus we need a send lock.
6757 					 */
6758 					SCTP_TCB_SEND_LOCK(stcb);
6759 					send_lock_up = 1;
6760 					if (sp->msg_is_complete) {
6761 						/*
6762 						 * the sender finished the
6763 						 * msg
6764 						 */
6765 						goto re_look;
6766 					}
6767 				}
6768 			}
6769 			if (sp->some_taken == 0) {
6770 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
6771 				sp->some_taken = 1;
6772 			}
6773 		} else {
6774 			/* Nothing to take. */
6775 			if (sp->some_taken) {
6776 				*locked = 1;
6777 			}
6778 			*giveup = 1;
6779 			to_move = 0;
6780 			goto out_of;
6781 		}
6782 	}
6783 
6784 	/* If we reach here, we can copy out a chunk */
6785 	sctp_alloc_a_chunk(stcb, chk);
6786 	if (chk == NULL) {
6787 		/* No chunk memory */
6788 		*giveup = 1;
6789 		to_move = 0;
6790 		goto out_of;
6791 	}
6792 	/*
6793 	 * Setup for unordered if needed by looking at the user sent info
6794 	 * flags.
6795 	 */
6796 	if (sp->sinfo_flags & SCTP_UNORDERED) {
6797 		rcv_flags |= SCTP_DATA_UNORDERED;
6798 	}
6799 	if ((SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) && ((sp->sinfo_flags & SCTP_EOF) == SCTP_EOF)) ||
6800 	    ((sp->sinfo_flags & SCTP_SACK_IMMEDIATELY) == SCTP_SACK_IMMEDIATELY)) {
6801 		rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
6802 	}
6803 	/* clear out the chunk before setting up */
6804 	memset(chk, 0, sizeof(*chk));
6805 	chk->rec.data.rcv_flags = rcv_flags;
6806 
6807 	if (to_move >= length) {
6808 		/* we think we can steal the whole thing */
6809 		if ((sp->sender_all_done == 0) && (send_lock_up == 0)) {
6810 			SCTP_TCB_SEND_LOCK(stcb);
6811 			send_lock_up = 1;
6812 		}
6813 		if (to_move < sp->length) {
6814 			/* bail, it changed */
6815 			goto dont_do_it;
6816 		}
6817 		chk->data = sp->data;
6818 		chk->last_mbuf = sp->tail_mbuf;
6819 		/* register the stealing */
6820 		sp->data = sp->tail_mbuf = NULL;
6821 	} else {
6822 		struct mbuf *m;
6823 
6824 dont_do_it:
6825 		chk->data = SCTP_M_COPYM(sp->data, 0, to_move, M_DONTWAIT);
6826 		chk->last_mbuf = NULL;
6827 		if (chk->data == NULL) {
6828 			sp->some_taken = some_taken;
6829 			sctp_free_a_chunk(stcb, chk);
6830 			*bail = 1;
6831 			to_move = 0;
6832 			goto out_of;
6833 		}
6834 #ifdef SCTP_MBUF_LOGGING
6835 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6836 			struct mbuf *mat;
6837 
6838 			mat = chk->data;
6839 			while (mat) {
6840 				if (SCTP_BUF_IS_EXTENDED(mat)) {
6841 					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
6842 				}
6843 				mat = SCTP_BUF_NEXT(mat);
6844 			}
6845 		}
6846 #endif
6847 		/* Pull off the data */
6848 		m_adj(sp->data, to_move);
6849 		/* Now lets work our way down and compact it */
6850 		m = sp->data;
6851 		while (m && (SCTP_BUF_LEN(m) == 0)) {
6852 			sp->data = SCTP_BUF_NEXT(m);
6853 			SCTP_BUF_NEXT(m) = NULL;
6854 			if (sp->tail_mbuf == m) {
6855 				/*-
6856 				 * Freeing tail? TSNH since
6857 				 * we supposedly were taking less
6858 				 * than the sp->length.
6859 				 */
6860 #ifdef INVARIANTS
6861 				panic("Huh, freing tail? - TSNH");
6862 #else
6863 				SCTP_PRINTF("Huh, freeing tail? - TSNH\n");
6864 				sp->tail_mbuf = sp->data = NULL;
6865 				sp->length = 0;
6866 #endif
6867 
6868 			}
6869 			sctp_m_free(m);
6870 			m = sp->data;
6871 		}
6872 	}
6873 	if (SCTP_BUF_IS_EXTENDED(chk->data)) {
6874 		chk->copy_by_ref = 1;
6875 	} else {
6876 		chk->copy_by_ref = 0;
6877 	}
6878 	/*
6879 	 * get last_mbuf and counts of mb useage This is ugly but hopefully
6880 	 * its only one mbuf.
6881 	 */
6882 	if (chk->last_mbuf == NULL) {
6883 		chk->last_mbuf = chk->data;
6884 		while (SCTP_BUF_NEXT(chk->last_mbuf) != NULL) {
6885 			chk->last_mbuf = SCTP_BUF_NEXT(chk->last_mbuf);
6886 		}
6887 	}
6888 	if (to_move > length) {
6889 		/*- This should not happen either
6890 		 * since we always lower to_move to the size
6891 		 * of sp->length if its larger.
6892 		 */
6893 #ifdef INVARIANTS
6894 		panic("Huh, how can to_move be larger?");
6895 #else
6896 		SCTP_PRINTF("Huh, how can to_move be larger?\n");
6897 		sp->length = 0;
6898 #endif
6899 	} else {
6900 		atomic_subtract_int(&sp->length, to_move);
6901 	}
6902 	if (M_LEADINGSPACE(chk->data) < (int)sizeof(struct sctp_data_chunk)) {
6903 		/* Not enough room for a chunk header, get some */
6904 		struct mbuf *m;
6905 
6906 		m = sctp_get_mbuf_for_msg(1, 0, M_DONTWAIT, 0, MT_DATA);
6907 		if (m == NULL) {
6908 			/*
6909 			 * we're in trouble here. _PREPEND below will free
6910 			 * all the data if there is no leading space, so we
6911 			 * must put the data back and restore.
6912 			 */
6913 			if (send_lock_up == 0) {
6914 				SCTP_TCB_SEND_LOCK(stcb);
6915 				send_lock_up = 1;
6916 			}
6917 			if (chk->data == NULL) {
6918 				/* unsteal the data */
6919 				sp->data = chk->data;
6920 				sp->tail_mbuf = chk->last_mbuf;
6921 			} else {
6922 				struct mbuf *m_tmp;
6923 
6924 				/* reassemble the data */
6925 				m_tmp = sp->data;
6926 				sp->data = chk->data;
6927 				SCTP_BUF_NEXT(chk->last_mbuf) = m_tmp;
6928 			}
6929 			sp->some_taken = some_taken;
6930 			atomic_add_int(&sp->length, to_move);
6931 			chk->data = NULL;
6932 			*bail = 1;
6933 			sctp_free_a_chunk(stcb, chk);
6934 			to_move = 0;
6935 			goto out_of;
6936 		} else {
6937 			SCTP_BUF_LEN(m) = 0;
6938 			SCTP_BUF_NEXT(m) = chk->data;
6939 			chk->data = m;
6940 			M_ALIGN(chk->data, 4);
6941 		}
6942 	}
6943 	SCTP_BUF_PREPEND(chk->data, sizeof(struct sctp_data_chunk), M_DONTWAIT);
6944 	if (chk->data == NULL) {
6945 		/* HELP, TSNH since we assured it would not above? */
6946 #ifdef INVARIANTS
6947 		panic("prepend failes HELP?");
6948 #else
6949 		SCTP_PRINTF("prepend fails HELP?\n");
6950 		sctp_free_a_chunk(stcb, chk);
6951 #endif
6952 		*bail = 1;
6953 		to_move = 0;
6954 		goto out_of;
6955 	}
6956 	sctp_snd_sb_alloc(stcb, sizeof(struct sctp_data_chunk));
6957 	chk->book_size = chk->send_size = (to_move + sizeof(struct sctp_data_chunk));
6958 	chk->book_size_scale = 0;
6959 	chk->sent = SCTP_DATAGRAM_UNSENT;
6960 
6961 	chk->flags = 0;
6962 	chk->asoc = &stcb->asoc;
6963 	chk->pad_inplace = 0;
6964 	chk->no_fr_allowed = 0;
6965 	chk->rec.data.stream_seq = sp->strseq;
6966 	chk->rec.data.stream_number = sp->stream;
6967 	chk->rec.data.payloadtype = sp->ppid;
6968 	chk->rec.data.context = sp->context;
6969 	chk->rec.data.doing_fast_retransmit = 0;
6970 
6971 	chk->rec.data.timetodrop = sp->ts;
6972 	chk->flags = sp->act_flags;
6973 
6974 	if (sp->net) {
6975 		chk->whoTo = sp->net;
6976 		atomic_add_int(&chk->whoTo->ref_count, 1);
6977 	} else
6978 		chk->whoTo = NULL;
6979 
6980 	if (sp->holds_key_ref) {
6981 		chk->auth_keyid = sp->auth_keyid;
6982 		sctp_auth_key_acquire(stcb, chk->auth_keyid);
6983 		chk->holds_key_ref = 1;
6984 	}
6985 	chk->rec.data.TSN_seq = atomic_fetchadd_int(&asoc->sending_seq, 1);
6986 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_OUTQ) {
6987 		sctp_misc_ints(SCTP_STRMOUT_LOG_SEND,
6988 		    (uintptr_t) stcb, sp->length,
6989 		    (uint32_t) ((chk->rec.data.stream_number << 16) | chk->rec.data.stream_seq),
6990 		    chk->rec.data.TSN_seq);
6991 	}
6992 	dchkh = mtod(chk->data, struct sctp_data_chunk *);
6993 	/*
6994 	 * Put the rest of the things in place now. Size was done earlier in
6995 	 * previous loop prior to padding.
6996 	 */
6997 
6998 #ifdef SCTP_ASOCLOG_OF_TSNS
6999 	SCTP_TCB_LOCK_ASSERT(stcb);
7000 	if (asoc->tsn_out_at >= SCTP_TSN_LOG_SIZE) {
7001 		asoc->tsn_out_at = 0;
7002 		asoc->tsn_out_wrapped = 1;
7003 	}
7004 	asoc->out_tsnlog[asoc->tsn_out_at].tsn = chk->rec.data.TSN_seq;
7005 	asoc->out_tsnlog[asoc->tsn_out_at].strm = chk->rec.data.stream_number;
7006 	asoc->out_tsnlog[asoc->tsn_out_at].seq = chk->rec.data.stream_seq;
7007 	asoc->out_tsnlog[asoc->tsn_out_at].sz = chk->send_size;
7008 	asoc->out_tsnlog[asoc->tsn_out_at].flgs = chk->rec.data.rcv_flags;
7009 	asoc->out_tsnlog[asoc->tsn_out_at].stcb = (void *)stcb;
7010 	asoc->out_tsnlog[asoc->tsn_out_at].in_pos = asoc->tsn_out_at;
7011 	asoc->out_tsnlog[asoc->tsn_out_at].in_out = 2;
7012 	asoc->tsn_out_at++;
7013 #endif
7014 
7015 	dchkh->ch.chunk_type = SCTP_DATA;
7016 	dchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7017 	dchkh->dp.tsn = htonl(chk->rec.data.TSN_seq);
7018 	dchkh->dp.stream_id = htons(strq->stream_no);
7019 	dchkh->dp.stream_sequence = htons(chk->rec.data.stream_seq);
7020 	dchkh->dp.protocol_id = chk->rec.data.payloadtype;
7021 	dchkh->ch.chunk_length = htons(chk->send_size);
7022 	/* Now advance the chk->send_size by the actual pad needed. */
7023 	if (chk->send_size < SCTP_SIZE32(chk->book_size)) {
7024 		/* need a pad */
7025 		struct mbuf *lm;
7026 		int pads;
7027 
7028 		pads = SCTP_SIZE32(chk->book_size) - chk->send_size;
7029 		if (sctp_pad_lastmbuf(chk->data, pads, chk->last_mbuf) == 0) {
7030 			chk->pad_inplace = 1;
7031 		}
7032 		if ((lm = SCTP_BUF_NEXT(chk->last_mbuf)) != NULL) {
7033 			/* pad added an mbuf */
7034 			chk->last_mbuf = lm;
7035 		}
7036 		chk->send_size += pads;
7037 	}
7038 	/* We only re-set the policy if it is on */
7039 	if (sp->pr_sctp_on) {
7040 		sctp_set_prsctp_policy(sp);
7041 		asoc->pr_sctp_cnt++;
7042 		chk->pr_sctp_on = 1;
7043 	} else {
7044 		chk->pr_sctp_on = 0;
7045 	}
7046 	if (sp->msg_is_complete && (sp->length == 0) && (sp->sender_all_done)) {
7047 		/* All done pull and kill the message */
7048 		atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7049 		if (sp->put_last_out == 0) {
7050 			SCTP_PRINTF("Gak, put out entire msg with NO end!-2\n");
7051 			SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
7052 			    sp->sender_all_done,
7053 			    sp->length,
7054 			    sp->msg_is_complete,
7055 			    sp->put_last_out,
7056 			    send_lock_up);
7057 		}
7058 		if ((send_lock_up == 0) && (TAILQ_NEXT(sp, next) == NULL)) {
7059 			SCTP_TCB_SEND_LOCK(stcb);
7060 			send_lock_up = 1;
7061 		}
7062 		TAILQ_REMOVE(&strq->outqueue, sp, next);
7063 		stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
7064 		if (sp->net) {
7065 			sctp_free_remote_addr(sp->net);
7066 			sp->net = NULL;
7067 		}
7068 		if (sp->data) {
7069 			sctp_m_freem(sp->data);
7070 			sp->data = NULL;
7071 		}
7072 		sctp_free_a_strmoq(stcb, sp);
7073 
7074 		/* we can't be locked to it */
7075 		*locked = 0;
7076 		stcb->asoc.locked_on_sending = NULL;
7077 	} else {
7078 		/* more to go, we are locked */
7079 		*locked = 1;
7080 	}
7081 	asoc->chunks_on_out_queue++;
7082 	TAILQ_INSERT_TAIL(&asoc->send_queue, chk, sctp_next);
7083 	asoc->send_queue_cnt++;
7084 out_of:
7085 	if (send_lock_up) {
7086 		SCTP_TCB_SEND_UNLOCK(stcb);
7087 		send_lock_up = 0;
7088 	}
7089 	return (to_move);
7090 }
7091 
7092 
7093 static void
7094 sctp_fill_outqueue(struct sctp_tcb *stcb,
7095     struct sctp_nets *net, int frag_point, int eeor_mode, int *quit_now)
7096 {
7097 	struct sctp_association *asoc;
7098 	struct sctp_stream_out *strq, *strqn;
7099 	int goal_mtu, moved_how_much, total_moved = 0, bail = 0;
7100 	int locked, giveup;
7101 
7102 	SCTP_TCB_LOCK_ASSERT(stcb);
7103 	asoc = &stcb->asoc;
7104 #ifdef INET6
7105 	if (net->ro._l_addr.sin6.sin6_family == AF_INET6) {
7106 		goal_mtu = net->mtu - SCTP_MIN_OVERHEAD;
7107 	} else {
7108 		/* ?? not sure what else to do */
7109 		goal_mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
7110 	}
7111 #else
7112 	goal_mtu = net->mtu - SCTP_MIN_OVERHEAD;
7113 #endif
7114 	/* Need an allowance for the data chunk header too */
7115 	goal_mtu -= sizeof(struct sctp_data_chunk);
7116 
7117 	/* must make even word boundary */
7118 	goal_mtu &= 0xfffffffc;
7119 	if (asoc->locked_on_sending) {
7120 		/* We are stuck on one stream until the message completes. */
7121 		strq = asoc->locked_on_sending;
7122 		locked = 1;
7123 	} else {
7124 		strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7125 		locked = 0;
7126 	}
7127 	strqn = strq;
7128 	while ((goal_mtu > 0) && strq) {
7129 		giveup = 0;
7130 		bail = 0;
7131 		moved_how_much = sctp_move_to_outqueue(stcb, strq, goal_mtu, frag_point, &locked,
7132 		    &giveup, eeor_mode, &bail);
7133 		if (moved_how_much)
7134 			stcb->asoc.ss_functions.sctp_ss_scheduled(stcb, net, asoc, strq, moved_how_much);
7135 
7136 		if (locked) {
7137 			asoc->locked_on_sending = strq;
7138 			if ((moved_how_much == 0) || (giveup) || bail)
7139 				/* no more to move for now */
7140 				break;
7141 		} else {
7142 			asoc->locked_on_sending = NULL;
7143 			if ((giveup) || bail) {
7144 				break;
7145 			}
7146 			strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7147 			if (strq == NULL) {
7148 				break;
7149 			}
7150 		}
7151 		total_moved += moved_how_much;
7152 		goal_mtu -= (moved_how_much + sizeof(struct sctp_data_chunk));
7153 		goal_mtu &= 0xfffffffc;
7154 	}
7155 	if (bail)
7156 		*quit_now = 1;
7157 
7158 	stcb->asoc.ss_functions.sctp_ss_packet_done(stcb, net, asoc);
7159 
7160 	if (total_moved == 0) {
7161 		if ((stcb->asoc.sctp_cmt_on_off == 0) &&
7162 		    (net == stcb->asoc.primary_destination)) {
7163 			/* ran dry for primary network net */
7164 			SCTP_STAT_INCR(sctps_primary_randry);
7165 		} else if (stcb->asoc.sctp_cmt_on_off > 0) {
7166 			/* ran dry with CMT on */
7167 			SCTP_STAT_INCR(sctps_cmt_randry);
7168 		}
7169 	}
7170 }
7171 
7172 void
7173 sctp_fix_ecn_echo(struct sctp_association *asoc)
7174 {
7175 	struct sctp_tmit_chunk *chk;
7176 
7177 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7178 		if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
7179 			chk->sent = SCTP_DATAGRAM_UNSENT;
7180 		}
7181 	}
7182 }
7183 
7184 void
7185 sctp_move_chunks_from_net(struct sctp_tcb *stcb, struct sctp_nets *net)
7186 {
7187 	struct sctp_association *asoc;
7188 	struct sctp_tmit_chunk *chk;
7189 	struct sctp_stream_queue_pending *sp;
7190 	unsigned int i;
7191 
7192 	if (net == NULL) {
7193 		return;
7194 	}
7195 	asoc = &stcb->asoc;
7196 	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
7197 		TAILQ_FOREACH(sp, &stcb->asoc.strmout[i].outqueue, next) {
7198 			if (sp->net == net) {
7199 				sctp_free_remote_addr(sp->net);
7200 				sp->net = NULL;
7201 			}
7202 		}
7203 	}
7204 	TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7205 		if (chk->whoTo == net) {
7206 			sctp_free_remote_addr(chk->whoTo);
7207 			chk->whoTo = NULL;
7208 		}
7209 	}
7210 }
7211 
7212 int
7213 sctp_med_chunk_output(struct sctp_inpcb *inp,
7214     struct sctp_tcb *stcb,
7215     struct sctp_association *asoc,
7216     int *num_out,
7217     int *reason_code,
7218     int control_only, int from_where,
7219     struct timeval *now, int *now_filled, int frag_point, int so_locked
7220 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7221     SCTP_UNUSED
7222 #endif
7223 )
7224 {
7225 	/*
7226 	 * Ok this is the generic chunk service queue. we must do the
7227 	 * following: - Service the stream queue that is next, moving any
7228 	 * message (note I must get a complete message i.e. FIRST/MIDDLE and
7229 	 * LAST to the out queue in one pass) and assigning TSN's - Check to
7230 	 * see if the cwnd/rwnd allows any output, if so we go ahead and
7231 	 * fomulate and send the low level chunks. Making sure to combine
7232 	 * any control in the control chunk queue also.
7233 	 */
7234 	struct sctp_nets *net, *start_at, *sack_goes_to = NULL, *old_start_at = NULL;
7235 	struct mbuf *outchain, *endoutchain;
7236 	struct sctp_tmit_chunk *chk, *nchk;
7237 
7238 	/* temp arrays for unlinking */
7239 	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
7240 	int no_fragmentflg, error;
7241 	unsigned int max_rwnd_per_dest, max_send_per_dest;
7242 	int one_chunk, hbflag, skip_data_for_this_net;
7243 	int asconf, cookie, no_out_cnt;
7244 	int bundle_at, ctl_cnt, no_data_chunks, eeor_mode;
7245 	unsigned int mtu, r_mtu, omtu, mx_mtu, to_out;
7246 	int tsns_sent = 0;
7247 	uint32_t auth_offset = 0;
7248 	struct sctp_auth_chunk *auth = NULL;
7249 	uint16_t auth_keyid;
7250 	int override_ok = 1;
7251 	int data_auth_reqd = 0;
7252 
7253 	/*
7254 	 * JRS 5/14/07 - Add flag for whether a heartbeat is sent to the
7255 	 * destination.
7256 	 */
7257 	int pf_hbflag = 0;
7258 	int quit_now = 0;
7259 
7260 	*num_out = 0;
7261 	auth_keyid = stcb->asoc.authinfo.active_keyid;
7262 
7263 	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
7264 	    (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED) ||
7265 	    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
7266 		eeor_mode = 1;
7267 	} else {
7268 		eeor_mode = 0;
7269 	}
7270 	ctl_cnt = no_out_cnt = asconf = cookie = 0;
7271 	/*
7272 	 * First lets prime the pump. For each destination, if there is room
7273 	 * in the flight size, attempt to pull an MTU's worth out of the
7274 	 * stream queues into the general send_queue
7275 	 */
7276 #ifdef SCTP_AUDITING_ENABLED
7277 	sctp_audit_log(0xC2, 2);
7278 #endif
7279 	SCTP_TCB_LOCK_ASSERT(stcb);
7280 	hbflag = 0;
7281 	if ((control_only) || (asoc->stream_reset_outstanding))
7282 		no_data_chunks = 1;
7283 	else
7284 		no_data_chunks = 0;
7285 
7286 	/* Nothing to possible to send? */
7287 	if ((TAILQ_EMPTY(&asoc->control_send_queue) ||
7288 	    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) &&
7289 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7290 	    TAILQ_EMPTY(&asoc->send_queue) &&
7291 	    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
7292 nothing_to_send:
7293 		*reason_code = 9;
7294 		return (0);
7295 	}
7296 	if (asoc->peers_rwnd == 0) {
7297 		/* No room in peers rwnd */
7298 		*reason_code = 1;
7299 		if (asoc->total_flight > 0) {
7300 			/* we are allowed one chunk in flight */
7301 			no_data_chunks = 1;
7302 		}
7303 	}
7304 	if (stcb->asoc.ecn_echo_cnt_onq) {
7305 		/* Record where a sack goes, if any */
7306 		if (no_data_chunks &&
7307 		    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) {
7308 			/* Nothing but ECNe to send - we don't do that */
7309 			goto nothing_to_send;
7310 		}
7311 		TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7312 			if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7313 			    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
7314 				sack_goes_to = chk->whoTo;
7315 				break;
7316 			}
7317 		}
7318 	}
7319 	max_rwnd_per_dest = ((asoc->peers_rwnd + asoc->total_flight) / asoc->numnets);
7320 	if (stcb->sctp_socket)
7321 		max_send_per_dest = SCTP_SB_LIMIT_SND(stcb->sctp_socket) / asoc->numnets;
7322 	else
7323 		max_send_per_dest = 0;
7324 	if ((no_data_chunks == 0) &&
7325 	    (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc))) {
7326 		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
7327 			/*
7328 			 * This for loop we are in takes in each net, if
7329 			 * its's got space in cwnd and has data sent to it
7330 			 * (when CMT is off) then it calls
7331 			 * sctp_fill_outqueue for the net. This gets data on
7332 			 * the send queue for that network.
7333 			 *
7334 			 * In sctp_fill_outqueue TSN's are assigned and data is
7335 			 * copied out of the stream buffers. Note mostly
7336 			 * copy by reference (we hope).
7337 			 */
7338 			net->window_probe = 0;
7339 			if ((net->dest_state & SCTP_ADDR_NOT_REACHABLE) ||
7340 			    (net->dest_state & SCTP_ADDR_UNCONFIRMED)) {
7341 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7342 					sctp_log_cwnd(stcb, net, 1,
7343 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7344 				}
7345 				continue;
7346 			}
7347 			if ((stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) &&
7348 			    (net->flight_size == 0)) {
7349 				(*stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) (stcb, net);
7350 			}
7351 			if ((asoc->sctp_cmt_on_off == 0) &&
7352 			    (asoc->primary_destination != net) &&
7353 			    (net->ref_count < 2)) {
7354 				/* nothing can be in queue for this guy */
7355 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7356 					sctp_log_cwnd(stcb, net, 2,
7357 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7358 				}
7359 				continue;
7360 			}
7361 			if (net->flight_size >= net->cwnd) {
7362 				/* skip this network, no room - can't fill */
7363 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7364 					sctp_log_cwnd(stcb, net, 3,
7365 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7366 				}
7367 				continue;
7368 			}
7369 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7370 				sctp_log_cwnd(stcb, net, 4, SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7371 			}
7372 			sctp_fill_outqueue(stcb, net, frag_point, eeor_mode, &quit_now);
7373 			if (quit_now) {
7374 				/* memory alloc failure */
7375 				no_data_chunks = 1;
7376 				break;
7377 			}
7378 		}
7379 	}
7380 	/* now service each destination and send out what we can for it */
7381 	/* Nothing to send? */
7382 	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7383 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7384 	    TAILQ_EMPTY(&asoc->send_queue)) {
7385 		*reason_code = 8;
7386 		return (0);
7387 	}
7388 	if (asoc->sctp_cmt_on_off > 0) {
7389 		/* get the last start point */
7390 		start_at = asoc->last_net_cmt_send_started;
7391 		if (start_at == NULL) {
7392 			/* null so to beginning */
7393 			start_at = TAILQ_FIRST(&asoc->nets);
7394 		} else {
7395 			start_at = TAILQ_NEXT(asoc->last_net_cmt_send_started, sctp_next);
7396 			if (start_at == NULL) {
7397 				start_at = TAILQ_FIRST(&asoc->nets);
7398 			}
7399 		}
7400 		asoc->last_net_cmt_send_started = start_at;
7401 	} else {
7402 		start_at = TAILQ_FIRST(&asoc->nets);
7403 	}
7404 	old_start_at = NULL;
7405 again_one_more_time:
7406 	for (net = start_at; net != NULL; net = TAILQ_NEXT(net, sctp_next)) {
7407 		/* how much can we send? */
7408 		/* SCTPDBG("Examine for sending net:%x\n", (uint32_t)net); */
7409 		if (old_start_at && (old_start_at == net)) {
7410 			/* through list ocmpletely. */
7411 			break;
7412 		}
7413 		tsns_sent = 0xa;
7414 		if ((asoc->sctp_cmt_on_off == 0) &&
7415 		    (asoc->primary_destination != net) &&
7416 		    (net->ref_count < 2)) {
7417 			/*
7418 			 * Ref-count of 1 so we cannot have data or control
7419 			 * queued to this address. Skip it (non-CMT).
7420 			 */
7421 			continue;
7422 		}
7423 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7424 		    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7425 		    (net->flight_size >= net->cwnd)) {
7426 			/*
7427 			 * Nothing on control or asconf and flight is full,
7428 			 * we can skip even in the CMT case.
7429 			 */
7430 			continue;
7431 		}
7432 		ctl_cnt = bundle_at = 0;
7433 		endoutchain = outchain = NULL;
7434 		no_fragmentflg = 1;
7435 		one_chunk = 0;
7436 		if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
7437 			skip_data_for_this_net = 1;
7438 		} else {
7439 			skip_data_for_this_net = 0;
7440 		}
7441 		if ((net->ro.ro_rt) && (net->ro.ro_rt->rt_ifp)) {
7442 			/*
7443 			 * if we have a route and an ifp check to see if we
7444 			 * have room to send to this guy
7445 			 */
7446 			struct ifnet *ifp;
7447 
7448 			ifp = net->ro.ro_rt->rt_ifp;
7449 			if ((ifp->if_snd.ifq_len + 2) >= ifp->if_snd.ifq_maxlen) {
7450 				SCTP_STAT_INCR(sctps_ifnomemqueued);
7451 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
7452 					sctp_log_maxburst(stcb, net, ifp->if_snd.ifq_len, ifp->if_snd.ifq_maxlen, SCTP_MAX_IFP_APPLIED);
7453 				}
7454 				continue;
7455 			}
7456 		}
7457 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
7458 		case AF_INET:
7459 			mtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
7460 			break;
7461 #ifdef INET6
7462 		case AF_INET6:
7463 			mtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
7464 			break;
7465 #endif
7466 		default:
7467 			/* TSNH */
7468 			mtu = net->mtu;
7469 			break;
7470 		}
7471 		mx_mtu = mtu;
7472 		to_out = 0;
7473 		if (mtu > asoc->peers_rwnd) {
7474 			if (asoc->total_flight > 0) {
7475 				/* We have a packet in flight somewhere */
7476 				r_mtu = asoc->peers_rwnd;
7477 			} else {
7478 				/* We are always allowed to send one MTU out */
7479 				one_chunk = 1;
7480 				r_mtu = mtu;
7481 			}
7482 		} else {
7483 			r_mtu = mtu;
7484 		}
7485 		/************************/
7486 		/* ASCONF transmission */
7487 		/************************/
7488 		/* Now first lets go through the asconf queue */
7489 		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
7490 			if (chk->rec.chunk_id.id != SCTP_ASCONF) {
7491 				continue;
7492 			}
7493 			if (chk->whoTo != net) {
7494 				/*
7495 				 * No, not sent to the network we are
7496 				 * looking at
7497 				 */
7498 				break;
7499 			}
7500 			if (chk->data == NULL) {
7501 				break;
7502 			}
7503 			if (chk->sent != SCTP_DATAGRAM_UNSENT &&
7504 			    chk->sent != SCTP_DATAGRAM_RESEND) {
7505 				break;
7506 			}
7507 			/*
7508 			 * if no AUTH is yet included and this chunk
7509 			 * requires it, make sure to account for it.  We
7510 			 * don't apply the size until the AUTH chunk is
7511 			 * actually added below in case there is no room for
7512 			 * this chunk. NOTE: we overload the use of "omtu"
7513 			 * here
7514 			 */
7515 			if ((auth == NULL) &&
7516 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7517 			    stcb->asoc.peer_auth_chunks)) {
7518 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
7519 			} else
7520 				omtu = 0;
7521 			/* Here we do NOT factor the r_mtu */
7522 			if ((chk->send_size < (int)(mtu - omtu)) ||
7523 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
7524 				/*
7525 				 * We probably should glom the mbuf chain
7526 				 * from the chk->data for control but the
7527 				 * problem is it becomes yet one more level
7528 				 * of tracking to do if for some reason
7529 				 * output fails. Then I have got to
7530 				 * reconstruct the merged control chain.. el
7531 				 * yucko.. for now we take the easy way and
7532 				 * do the copy
7533 				 */
7534 				/*
7535 				 * Add an AUTH chunk, if chunk requires it
7536 				 * save the offset into the chain for AUTH
7537 				 */
7538 				if ((auth == NULL) &&
7539 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7540 				    stcb->asoc.peer_auth_chunks))) {
7541 					outchain = sctp_add_auth_chunk(outchain,
7542 					    &endoutchain,
7543 					    &auth,
7544 					    &auth_offset,
7545 					    stcb,
7546 					    chk->rec.chunk_id.id);
7547 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7548 				}
7549 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
7550 				    (int)chk->rec.chunk_id.can_take_data,
7551 				    chk->send_size, chk->copy_by_ref);
7552 				if (outchain == NULL) {
7553 					*reason_code = 8;
7554 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
7555 					return (ENOMEM);
7556 				}
7557 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7558 				/* update our MTU size */
7559 				if (mtu > (chk->send_size + omtu))
7560 					mtu -= (chk->send_size + omtu);
7561 				else
7562 					mtu = 0;
7563 				to_out += (chk->send_size + omtu);
7564 				/* Do clear IP_DF ? */
7565 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
7566 					no_fragmentflg = 0;
7567 				}
7568 				if (chk->rec.chunk_id.can_take_data)
7569 					chk->data = NULL;
7570 				/*
7571 				 * set hb flag since we can use these for
7572 				 * RTO
7573 				 */
7574 				hbflag = 1;
7575 				asconf = 1;
7576 				/*
7577 				 * should sysctl this: don't bundle data
7578 				 * with ASCONF since it requires AUTH
7579 				 */
7580 				no_data_chunks = 1;
7581 				chk->sent = SCTP_DATAGRAM_SENT;
7582 				chk->snd_count++;
7583 				if (mtu == 0) {
7584 					/*
7585 					 * Ok we are out of room but we can
7586 					 * output without effecting the
7587 					 * flight size since this little guy
7588 					 * is a control only packet.
7589 					 */
7590 					sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
7591 					/*
7592 					 * do NOT clear the asconf flag as
7593 					 * it is used to do appropriate
7594 					 * source address selection.
7595 					 */
7596 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
7597 					    (struct sockaddr *)&net->ro._l_addr,
7598 					    outchain, auth_offset, auth,
7599 					    stcb->asoc.authinfo.active_keyid,
7600 					    no_fragmentflg, 0, NULL, asconf,
7601 					    inp->sctp_lport, stcb->rport,
7602 					    htonl(stcb->asoc.peer_vtag),
7603 					    net->port, so_locked, NULL, NULL))) {
7604 						if (error == ENOBUFS) {
7605 							asoc->ifp_had_enobuf = 1;
7606 							SCTP_STAT_INCR(sctps_lowlevelerr);
7607 						}
7608 						if (from_where == 0) {
7609 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
7610 						}
7611 						if (*now_filled == 0) {
7612 							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7613 							*now_filled = 1;
7614 							*now = net->last_sent_time;
7615 						} else {
7616 							net->last_sent_time = *now;
7617 						}
7618 						hbflag = 0;
7619 						/* error, could not output */
7620 						if (error == EHOSTUNREACH) {
7621 							/*
7622 							 * Destination went
7623 							 * unreachable
7624 							 * during this send
7625 							 */
7626 							sctp_move_chunks_from_net(stcb, net);
7627 						}
7628 						*reason_code = 7;
7629 						continue;
7630 					} else
7631 						asoc->ifp_had_enobuf = 0;
7632 					if (*now_filled == 0) {
7633 						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7634 						*now_filled = 1;
7635 						*now = net->last_sent_time;
7636 					} else {
7637 						net->last_sent_time = *now;
7638 					}
7639 					hbflag = 0;
7640 					/*
7641 					 * increase the number we sent, if a
7642 					 * cookie is sent we don't tell them
7643 					 * any was sent out.
7644 					 */
7645 					outchain = endoutchain = NULL;
7646 					auth = NULL;
7647 					auth_offset = 0;
7648 					if (!no_out_cnt)
7649 						*num_out += ctl_cnt;
7650 					/* recalc a clean slate and setup */
7651 					if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
7652 						mtu = (net->mtu - SCTP_MIN_OVERHEAD);
7653 					} else {
7654 						mtu = (net->mtu - SCTP_MIN_V4_OVERHEAD);
7655 					}
7656 					to_out = 0;
7657 					no_fragmentflg = 1;
7658 				}
7659 			}
7660 		}
7661 		/************************/
7662 		/* Control transmission */
7663 		/************************/
7664 		/* Now first lets go through the control queue */
7665 		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
7666 			if ((sack_goes_to) &&
7667 			    (chk->rec.chunk_id.id == SCTP_ECN_ECHO) &&
7668 			    (chk->whoTo != sack_goes_to)) {
7669 				/*
7670 				 * if we have a sack in queue, and we are
7671 				 * looking at an ecn echo that is NOT queued
7672 				 * to where the sack is going..
7673 				 */
7674 				if (chk->whoTo == net) {
7675 					/*
7676 					 * Don't transmit it to where its
7677 					 * going (current net)
7678 					 */
7679 					continue;
7680 				} else if (sack_goes_to == net) {
7681 					/*
7682 					 * But do transmit it to this
7683 					 * address
7684 					 */
7685 					goto skip_net_check;
7686 				}
7687 			}
7688 			if (chk->whoTo != net) {
7689 				/*
7690 				 * No, not sent to the network we are
7691 				 * looking at
7692 				 */
7693 				continue;
7694 			}
7695 	skip_net_check:
7696 			if (chk->data == NULL) {
7697 				continue;
7698 			}
7699 			if (chk->sent != SCTP_DATAGRAM_UNSENT) {
7700 				/*
7701 				 * It must be unsent. Cookies and ASCONF's
7702 				 * hang around but there timers will force
7703 				 * when marked for resend.
7704 				 */
7705 				continue;
7706 			}
7707 			/*
7708 			 * if no AUTH is yet included and this chunk
7709 			 * requires it, make sure to account for it.  We
7710 			 * don't apply the size until the AUTH chunk is
7711 			 * actually added below in case there is no room for
7712 			 * this chunk. NOTE: we overload the use of "omtu"
7713 			 * here
7714 			 */
7715 			if ((auth == NULL) &&
7716 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7717 			    stcb->asoc.peer_auth_chunks)) {
7718 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
7719 			} else
7720 				omtu = 0;
7721 			/* Here we do NOT factor the r_mtu */
7722 			if ((chk->send_size <= (int)(mtu - omtu)) ||
7723 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
7724 				/*
7725 				 * We probably should glom the mbuf chain
7726 				 * from the chk->data for control but the
7727 				 * problem is it becomes yet one more level
7728 				 * of tracking to do if for some reason
7729 				 * output fails. Then I have got to
7730 				 * reconstruct the merged control chain.. el
7731 				 * yucko.. for now we take the easy way and
7732 				 * do the copy
7733 				 */
7734 				/*
7735 				 * Add an AUTH chunk, if chunk requires it
7736 				 * save the offset into the chain for AUTH
7737 				 */
7738 				if ((auth == NULL) &&
7739 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7740 				    stcb->asoc.peer_auth_chunks))) {
7741 					outchain = sctp_add_auth_chunk(outchain,
7742 					    &endoutchain,
7743 					    &auth,
7744 					    &auth_offset,
7745 					    stcb,
7746 					    chk->rec.chunk_id.id);
7747 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7748 				}
7749 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
7750 				    (int)chk->rec.chunk_id.can_take_data,
7751 				    chk->send_size, chk->copy_by_ref);
7752 				if (outchain == NULL) {
7753 					*reason_code = 8;
7754 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
7755 					return (ENOMEM);
7756 				}
7757 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7758 				/* update our MTU size */
7759 				if (mtu > (chk->send_size + omtu))
7760 					mtu -= (chk->send_size + omtu);
7761 				else
7762 					mtu = 0;
7763 				to_out += (chk->send_size + omtu);
7764 				/* Do clear IP_DF ? */
7765 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
7766 					no_fragmentflg = 0;
7767 				}
7768 				if (chk->rec.chunk_id.can_take_data)
7769 					chk->data = NULL;
7770 				/* Mark things to be removed, if needed */
7771 				if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7772 				    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
7773 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
7774 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
7775 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
7776 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
7777 				    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
7778 				    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
7779 				    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
7780 				    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
7781 				    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
7782 
7783 					if (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) {
7784 						hbflag = 1;
7785 						/*
7786 						 * JRS 5/14/07 - Set the
7787 						 * flag to say a heartbeat
7788 						 * is being sent.
7789 						 */
7790 						pf_hbflag = 1;
7791 					}
7792 					/* remove these chunks at the end */
7793 					if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7794 					    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
7795 						/* turn off the timer */
7796 						if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
7797 							sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
7798 							    inp, stcb, net, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_1);
7799 						}
7800 					}
7801 					ctl_cnt++;
7802 				} else {
7803 					/*
7804 					 * Other chunks, since they have
7805 					 * timers running (i.e. COOKIE) we
7806 					 * just "trust" that it gets sent or
7807 					 * retransmitted.
7808 					 */
7809 					ctl_cnt++;
7810 					if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
7811 						cookie = 1;
7812 						no_out_cnt = 1;
7813 					} else if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
7814 						/*
7815 						 * Increment ecne send count
7816 						 * here this means we may be
7817 						 * over-zealous in our
7818 						 * counting if the send
7819 						 * fails, but its the best
7820 						 * place to do it (we used
7821 						 * to do it in the queue of
7822 						 * the chunk, but that did
7823 						 * not tell how many times
7824 						 * it was sent.
7825 						 */
7826 						SCTP_STAT_INCR(sctps_sendecne);
7827 					}
7828 					chk->sent = SCTP_DATAGRAM_SENT;
7829 					chk->snd_count++;
7830 				}
7831 				if (mtu == 0) {
7832 					/*
7833 					 * Ok we are out of room but we can
7834 					 * output without effecting the
7835 					 * flight size since this little guy
7836 					 * is a control only packet.
7837 					 */
7838 					if (asconf) {
7839 						sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
7840 						/*
7841 						 * do NOT clear the asconf
7842 						 * flag as it is used to do
7843 						 * appropriate source
7844 						 * address selection.
7845 						 */
7846 					}
7847 					if (cookie) {
7848 						sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
7849 						cookie = 0;
7850 					}
7851 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
7852 					    (struct sockaddr *)&net->ro._l_addr,
7853 					    outchain,
7854 					    auth_offset, auth,
7855 					    stcb->asoc.authinfo.active_keyid,
7856 					    no_fragmentflg, 0, NULL, asconf,
7857 					    inp->sctp_lport, stcb->rport,
7858 					    htonl(stcb->asoc.peer_vtag),
7859 					    net->port, so_locked, NULL, NULL))) {
7860 						if (error == ENOBUFS) {
7861 							asoc->ifp_had_enobuf = 1;
7862 							SCTP_STAT_INCR(sctps_lowlevelerr);
7863 						}
7864 						if (from_where == 0) {
7865 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
7866 						}
7867 						/* error, could not output */
7868 						if (hbflag) {
7869 							if (*now_filled == 0) {
7870 								(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7871 								*now_filled = 1;
7872 								*now = net->last_sent_time;
7873 							} else {
7874 								net->last_sent_time = *now;
7875 							}
7876 							hbflag = 0;
7877 						}
7878 						if (error == EHOSTUNREACH) {
7879 							/*
7880 							 * Destination went
7881 							 * unreachable
7882 							 * during this send
7883 							 */
7884 							sctp_move_chunks_from_net(stcb, net);
7885 						}
7886 						*reason_code = 7;
7887 						continue;
7888 					} else
7889 						asoc->ifp_had_enobuf = 0;
7890 					/* Only HB or ASCONF advances time */
7891 					if (hbflag) {
7892 						if (*now_filled == 0) {
7893 							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7894 							*now_filled = 1;
7895 							*now = net->last_sent_time;
7896 						} else {
7897 							net->last_sent_time = *now;
7898 						}
7899 						hbflag = 0;
7900 					}
7901 					/*
7902 					 * increase the number we sent, if a
7903 					 * cookie is sent we don't tell them
7904 					 * any was sent out.
7905 					 */
7906 					outchain = endoutchain = NULL;
7907 					auth = NULL;
7908 					auth_offset = 0;
7909 					if (!no_out_cnt)
7910 						*num_out += ctl_cnt;
7911 					/* recalc a clean slate and setup */
7912 					if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
7913 						mtu = (net->mtu - SCTP_MIN_OVERHEAD);
7914 					} else {
7915 						mtu = (net->mtu - SCTP_MIN_V4_OVERHEAD);
7916 					}
7917 					to_out = 0;
7918 					no_fragmentflg = 1;
7919 				}
7920 			}
7921 		}
7922 		/* JRI: if dest is in PF state, do not send data to it */
7923 		if ((asoc->sctp_cmt_on_off > 0) &&
7924 		    (asoc->sctp_cmt_pf > 0) &&
7925 		    (net->dest_state & SCTP_ADDR_PF)) {
7926 			goto no_data_fill;
7927 		}
7928 		if (net->flight_size >= net->cwnd) {
7929 			goto no_data_fill;
7930 		}
7931 		if ((asoc->sctp_cmt_on_off > 0) &&
7932 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_RECV_BUFFER_SPLITTING) &&
7933 		    (net->flight_size > max_rwnd_per_dest)) {
7934 			goto no_data_fill;
7935 		}
7936 		/*
7937 		 * We need a specific accounting for the usage of the send
7938 		 * buffer. We also need to check the number of messages per
7939 		 * net. For now, this is better than nothing and it disabled
7940 		 * by default...
7941 		 */
7942 		if ((asoc->sctp_cmt_on_off > 0) &&
7943 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_SEND_BUFFER_SPLITTING) &&
7944 		    (max_send_per_dest > 0) &&
7945 		    (net->flight_size > max_send_per_dest)) {
7946 			goto no_data_fill;
7947 		}
7948 		/*********************/
7949 		/* Data transmission */
7950 		/*********************/
7951 		/*
7952 		 * if AUTH for DATA is required and no AUTH has been added
7953 		 * yet, account for this in the mtu now... if no data can be
7954 		 * bundled, this adjustment won't matter anyways since the
7955 		 * packet will be going out...
7956 		 */
7957 		data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA,
7958 		    stcb->asoc.peer_auth_chunks);
7959 		if (data_auth_reqd && (auth == NULL)) {
7960 			mtu -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
7961 		}
7962 		/* now lets add any data within the MTU constraints */
7963 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
7964 		case AF_INET:
7965 			if (net->mtu > (sizeof(struct ip) + sizeof(struct sctphdr)))
7966 				omtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
7967 			else
7968 				omtu = 0;
7969 			break;
7970 #ifdef INET6
7971 		case AF_INET6:
7972 			if (net->mtu > (sizeof(struct ip6_hdr) + sizeof(struct sctphdr)))
7973 				omtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
7974 			else
7975 				omtu = 0;
7976 			break;
7977 #endif
7978 		default:
7979 			/* TSNH */
7980 			omtu = 0;
7981 			break;
7982 		}
7983 		if ((((asoc->state & SCTP_STATE_OPEN) == SCTP_STATE_OPEN) &&
7984 		    (skip_data_for_this_net == 0)) ||
7985 		    (cookie)) {
7986 			TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
7987 				if (no_data_chunks) {
7988 					/* let only control go out */
7989 					*reason_code = 1;
7990 					break;
7991 				}
7992 				if (net->flight_size >= net->cwnd) {
7993 					/* skip this net, no room for data */
7994 					*reason_code = 2;
7995 					break;
7996 				}
7997 				if ((chk->whoTo != NULL) &&
7998 				    (chk->whoTo != net)) {
7999 					/* Don't send the chunk on this net */
8000 					continue;
8001 				}
8002 				if ((chk->send_size > omtu) && ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) == 0)) {
8003 					/*-
8004 					 * strange, we have a chunk that is
8005 					 * to big for its destination and
8006 					 * yet no fragment ok flag.
8007 					 * Something went wrong when the
8008 					 * PMTU changed...we did not mark
8009 					 * this chunk for some reason?? I
8010 					 * will fix it here by letting IP
8011 					 * fragment it for now and printing
8012 					 * a warning. This really should not
8013 					 * happen ...
8014 					 */
8015 					SCTP_PRINTF("Warning chunk of %d bytes > mtu:%d and yet PMTU disc missed\n",
8016 					    chk->send_size, mtu);
8017 					chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
8018 				}
8019 				if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
8020 				    ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) == SCTP_STATE_SHUTDOWN_PENDING)) {
8021 					struct sctp_data_chunk *dchkh;
8022 
8023 					dchkh = mtod(chk->data, struct sctp_data_chunk *);
8024 					dchkh->ch.chunk_flags |= SCTP_DATA_SACK_IMMEDIATELY;
8025 				}
8026 				if (((chk->send_size <= mtu) && (chk->send_size <= r_mtu)) ||
8027 				    ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) && (chk->send_size <= asoc->peers_rwnd))) {
8028 					/* ok we will add this one */
8029 
8030 					/*
8031 					 * Add an AUTH chunk, if chunk
8032 					 * requires it, save the offset into
8033 					 * the chain for AUTH
8034 					 */
8035 					if (data_auth_reqd) {
8036 						if (auth == NULL) {
8037 							outchain = sctp_add_auth_chunk(outchain,
8038 							    &endoutchain,
8039 							    &auth,
8040 							    &auth_offset,
8041 							    stcb,
8042 							    SCTP_DATA);
8043 							auth_keyid = chk->auth_keyid;
8044 							override_ok = 0;
8045 							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8046 						} else if (override_ok) {
8047 							/*
8048 							 * use this data's
8049 							 * keyid
8050 							 */
8051 							auth_keyid = chk->auth_keyid;
8052 							override_ok = 0;
8053 						} else if (auth_keyid != chk->auth_keyid) {
8054 							/*
8055 							 * different keyid,
8056 							 * so done bundling
8057 							 */
8058 							break;
8059 						}
8060 					}
8061 					outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain, 0,
8062 					    chk->send_size, chk->copy_by_ref);
8063 					if (outchain == NULL) {
8064 						SCTPDBG(SCTP_DEBUG_OUTPUT3, "No memory?\n");
8065 						if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
8066 							sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8067 						}
8068 						*reason_code = 3;
8069 						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8070 						return (ENOMEM);
8071 					}
8072 					/* upate our MTU size */
8073 					/* Do clear IP_DF ? */
8074 					if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8075 						no_fragmentflg = 0;
8076 					}
8077 					/* unsigned subtraction of mtu */
8078 					if (mtu > chk->send_size)
8079 						mtu -= chk->send_size;
8080 					else
8081 						mtu = 0;
8082 					/* unsigned subtraction of r_mtu */
8083 					if (r_mtu > chk->send_size)
8084 						r_mtu -= chk->send_size;
8085 					else
8086 						r_mtu = 0;
8087 
8088 					to_out += chk->send_size;
8089 					if ((to_out > mx_mtu) && no_fragmentflg) {
8090 #ifdef INVARIANTS
8091 						panic("Exceeding mtu of %d out size is %d", mx_mtu, to_out);
8092 #else
8093 						SCTP_PRINTF("Exceeding mtu of %d out size is %d\n",
8094 						    mx_mtu, to_out);
8095 #endif
8096 					}
8097 					chk->window_probe = 0;
8098 					data_list[bundle_at++] = chk;
8099 					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
8100 						mtu = 0;
8101 						break;
8102 					}
8103 					if (chk->sent == SCTP_DATAGRAM_UNSENT) {
8104 						if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
8105 							SCTP_STAT_INCR_COUNTER64(sctps_outorderchunks);
8106 						} else {
8107 							SCTP_STAT_INCR_COUNTER64(sctps_outunorderchunks);
8108 						}
8109 						if (((chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) == SCTP_DATA_LAST_FRAG) &&
8110 						    ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0))
8111 							/*
8112 							 * Count number of
8113 							 * user msg's that
8114 							 * were fragmented
8115 							 * we do this by
8116 							 * counting when we
8117 							 * see a LAST
8118 							 * fragment only.
8119 							 */
8120 							SCTP_STAT_INCR_COUNTER64(sctps_fragusrmsgs);
8121 					}
8122 					if ((mtu == 0) || (r_mtu == 0) || (one_chunk)) {
8123 						if ((one_chunk) && (stcb->asoc.total_flight == 0)) {
8124 							data_list[0]->window_probe = 1;
8125 							net->window_probe = 1;
8126 						}
8127 						break;
8128 					}
8129 				} else {
8130 					/*
8131 					 * Must be sent in order of the
8132 					 * TSN's (on a network)
8133 					 */
8134 					break;
8135 				}
8136 			}	/* for (chunk gather loop for this net) */
8137 		}		/* if asoc.state OPEN */
8138 no_data_fill:
8139 		/* Is there something to send for this destination? */
8140 		if (outchain) {
8141 			/* We may need to start a control timer or two */
8142 			if (asconf) {
8143 				sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp,
8144 				    stcb, net);
8145 				/*
8146 				 * do NOT clear the asconf flag as it is
8147 				 * used to do appropriate source address
8148 				 * selection.
8149 				 */
8150 			}
8151 			if (cookie) {
8152 				sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8153 				cookie = 0;
8154 			}
8155 			/* must start a send timer if data is being sent */
8156 			if (bundle_at && (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
8157 				/*
8158 				 * no timer running on this destination
8159 				 * restart it.
8160 				 */
8161 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8162 			} else if ((asoc->sctp_cmt_on_off > 0) &&
8163 				    (asoc->sctp_cmt_pf > 0) &&
8164 				    pf_hbflag &&
8165 				    ((net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF) &&
8166 			    (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
8167 				/*
8168 				 * JRS 5/14/07 - If a HB has been sent to a
8169 				 * PF destination and no T3 timer is
8170 				 * currently running, start the T3 timer to
8171 				 * track the HBs that were sent.
8172 				 */
8173 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8174 			}
8175 			/* Now send it, if there is anything to send :> */
8176 			if ((error = sctp_lowlevel_chunk_output(inp,
8177 			    stcb,
8178 			    net,
8179 			    (struct sockaddr *)&net->ro._l_addr,
8180 			    outchain,
8181 			    auth_offset,
8182 			    auth,
8183 			    auth_keyid,
8184 			    no_fragmentflg,
8185 			    bundle_at,
8186 			    data_list[0],
8187 			    asconf,
8188 			    inp->sctp_lport, stcb->rport,
8189 			    htonl(stcb->asoc.peer_vtag),
8190 			    net->port, so_locked, NULL, NULL))) {
8191 				/* error, we could not output */
8192 				if (error == ENOBUFS) {
8193 					SCTP_STAT_INCR(sctps_lowlevelerr);
8194 					asoc->ifp_had_enobuf = 1;
8195 				}
8196 				if (from_where == 0) {
8197 					SCTP_STAT_INCR(sctps_lowlevelerrusr);
8198 				}
8199 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8200 				if (hbflag) {
8201 					if (*now_filled == 0) {
8202 						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8203 						*now_filled = 1;
8204 						*now = net->last_sent_time;
8205 					} else {
8206 						net->last_sent_time = *now;
8207 					}
8208 					hbflag = 0;
8209 				}
8210 				if (error == EHOSTUNREACH) {
8211 					/*
8212 					 * Destination went unreachable
8213 					 * during this send
8214 					 */
8215 					sctp_move_chunks_from_net(stcb, net);
8216 				}
8217 				*reason_code = 6;
8218 				/*-
8219 				 * I add this line to be paranoid. As far as
8220 				 * I can tell the continue, takes us back to
8221 				 * the top of the for, but just to make sure
8222 				 * I will reset these again here.
8223 				 */
8224 				ctl_cnt = bundle_at = 0;
8225 				continue;	/* This takes us back to the
8226 						 * for() for the nets. */
8227 			} else {
8228 				asoc->ifp_had_enobuf = 0;
8229 			}
8230 			outchain = endoutchain = NULL;
8231 			auth = NULL;
8232 			auth_offset = 0;
8233 			if (bundle_at || hbflag) {
8234 				/* For data/asconf and hb set time */
8235 				if (*now_filled == 0) {
8236 					(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8237 					*now_filled = 1;
8238 					*now = net->last_sent_time;
8239 				} else {
8240 					net->last_sent_time = *now;
8241 				}
8242 			}
8243 			if (!no_out_cnt) {
8244 				*num_out += (ctl_cnt + bundle_at);
8245 			}
8246 			if (bundle_at) {
8247 				/* setup for a RTO measurement */
8248 				tsns_sent = data_list[0]->rec.data.TSN_seq;
8249 				/* fill time if not already filled */
8250 				if (*now_filled == 0) {
8251 					(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
8252 					*now_filled = 1;
8253 					*now = asoc->time_last_sent;
8254 				} else {
8255 					asoc->time_last_sent = *now;
8256 				}
8257 				if (net->rto_needed) {
8258 					data_list[0]->do_rtt = 1;
8259 					net->rto_needed = 0;
8260 				}
8261 				SCTP_STAT_INCR_BY(sctps_senddata, bundle_at);
8262 				sctp_clean_up_datalist(stcb, asoc, data_list, bundle_at, net);
8263 				if (SCTP_BASE_SYSCTL(sctp_early_fr)) {
8264 					if (net->flight_size < net->cwnd) {
8265 						/* start or restart it */
8266 						if (SCTP_OS_TIMER_PENDING(&net->fr_timer.timer)) {
8267 							sctp_timer_stop(SCTP_TIMER_TYPE_EARLYFR, inp, stcb, net,
8268 							    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_2);
8269 						}
8270 						SCTP_STAT_INCR(sctps_earlyfrstrout);
8271 						sctp_timer_start(SCTP_TIMER_TYPE_EARLYFR, inp, stcb, net);
8272 					} else {
8273 						/* stop it if its running */
8274 						if (SCTP_OS_TIMER_PENDING(&net->fr_timer.timer)) {
8275 							SCTP_STAT_INCR(sctps_earlyfrstpout);
8276 							sctp_timer_stop(SCTP_TIMER_TYPE_EARLYFR, inp, stcb, net,
8277 							    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_3);
8278 						}
8279 					}
8280 				}
8281 			}
8282 			if (one_chunk) {
8283 				break;
8284 			}
8285 		}
8286 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8287 			sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_SEND);
8288 		}
8289 	}
8290 	if (old_start_at == NULL) {
8291 		old_start_at = start_at;
8292 		start_at = TAILQ_FIRST(&asoc->nets);
8293 		if (old_start_at)
8294 			goto again_one_more_time;
8295 	}
8296 	/*
8297 	 * At the end there should be no NON timed chunks hanging on this
8298 	 * queue.
8299 	 */
8300 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8301 		sctp_log_cwnd(stcb, net, *num_out, SCTP_CWND_LOG_FROM_SEND);
8302 	}
8303 	if ((*num_out == 0) && (*reason_code == 0)) {
8304 		*reason_code = 4;
8305 	} else {
8306 		*reason_code = 5;
8307 	}
8308 	sctp_clean_up_ctl(stcb, asoc);
8309 	return (0);
8310 }
8311 
8312 void
8313 sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
8314 {
8315 	/*-
8316 	 * Prepend a OPERATIONAL_ERROR chunk header and put on the end of
8317 	 * the control chunk queue.
8318 	 */
8319 	struct sctp_chunkhdr *hdr;
8320 	struct sctp_tmit_chunk *chk;
8321 	struct mbuf *mat;
8322 
8323 	SCTP_TCB_LOCK_ASSERT(stcb);
8324 	sctp_alloc_a_chunk(stcb, chk);
8325 	if (chk == NULL) {
8326 		/* no memory */
8327 		sctp_m_freem(op_err);
8328 		return;
8329 	}
8330 	chk->copy_by_ref = 0;
8331 	SCTP_BUF_PREPEND(op_err, sizeof(struct sctp_chunkhdr), M_DONTWAIT);
8332 	if (op_err == NULL) {
8333 		sctp_free_a_chunk(stcb, chk);
8334 		return;
8335 	}
8336 	chk->send_size = 0;
8337 	mat = op_err;
8338 	while (mat != NULL) {
8339 		chk->send_size += SCTP_BUF_LEN(mat);
8340 		mat = SCTP_BUF_NEXT(mat);
8341 	}
8342 	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
8343 	chk->rec.chunk_id.can_take_data = 1;
8344 	chk->sent = SCTP_DATAGRAM_UNSENT;
8345 	chk->snd_count = 0;
8346 	chk->flags = 0;
8347 	chk->asoc = &stcb->asoc;
8348 	chk->data = op_err;
8349 	chk->whoTo = chk->asoc->primary_destination;
8350 	atomic_add_int(&chk->whoTo->ref_count, 1);
8351 	hdr = mtod(op_err, struct sctp_chunkhdr *);
8352 	hdr->chunk_type = SCTP_OPERATION_ERROR;
8353 	hdr->chunk_flags = 0;
8354 	hdr->chunk_length = htons(chk->send_size);
8355 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue,
8356 	    chk,
8357 	    sctp_next);
8358 	chk->asoc->ctrl_queue_cnt++;
8359 }
8360 
8361 int
8362 sctp_send_cookie_echo(struct mbuf *m,
8363     int offset,
8364     struct sctp_tcb *stcb,
8365     struct sctp_nets *net)
8366 {
8367 	/*-
8368 	 * pull out the cookie and put it at the front of the control chunk
8369 	 * queue.
8370 	 */
8371 	int at;
8372 	struct mbuf *cookie;
8373 	struct sctp_paramhdr parm, *phdr;
8374 	struct sctp_chunkhdr *hdr;
8375 	struct sctp_tmit_chunk *chk;
8376 	uint16_t ptype, plen;
8377 
8378 	/* First find the cookie in the param area */
8379 	cookie = NULL;
8380 	at = offset + sizeof(struct sctp_init_chunk);
8381 
8382 	SCTP_TCB_LOCK_ASSERT(stcb);
8383 	do {
8384 		phdr = sctp_get_next_param(m, at, &parm, sizeof(parm));
8385 		if (phdr == NULL) {
8386 			return (-3);
8387 		}
8388 		ptype = ntohs(phdr->param_type);
8389 		plen = ntohs(phdr->param_length);
8390 		if (ptype == SCTP_STATE_COOKIE) {
8391 			int pad;
8392 
8393 			/* found the cookie */
8394 			if ((pad = (plen % 4))) {
8395 				plen += 4 - pad;
8396 			}
8397 			cookie = SCTP_M_COPYM(m, at, plen, M_DONTWAIT);
8398 			if (cookie == NULL) {
8399 				/* No memory */
8400 				return (-2);
8401 			}
8402 #ifdef SCTP_MBUF_LOGGING
8403 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
8404 				struct mbuf *mat;
8405 
8406 				mat = cookie;
8407 				while (mat) {
8408 					if (SCTP_BUF_IS_EXTENDED(mat)) {
8409 						sctp_log_mb(mat, SCTP_MBUF_ICOPY);
8410 					}
8411 					mat = SCTP_BUF_NEXT(mat);
8412 				}
8413 			}
8414 #endif
8415 			break;
8416 		}
8417 		at += SCTP_SIZE32(plen);
8418 	} while (phdr);
8419 	if (cookie == NULL) {
8420 		/* Did not find the cookie */
8421 		return (-3);
8422 	}
8423 	/* ok, we got the cookie lets change it into a cookie echo chunk */
8424 
8425 	/* first the change from param to cookie */
8426 	hdr = mtod(cookie, struct sctp_chunkhdr *);
8427 	hdr->chunk_type = SCTP_COOKIE_ECHO;
8428 	hdr->chunk_flags = 0;
8429 	/* get the chunk stuff now and place it in the FRONT of the queue */
8430 	sctp_alloc_a_chunk(stcb, chk);
8431 	if (chk == NULL) {
8432 		/* no memory */
8433 		sctp_m_freem(cookie);
8434 		return (-5);
8435 	}
8436 	chk->copy_by_ref = 0;
8437 	chk->send_size = plen;
8438 	chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
8439 	chk->rec.chunk_id.can_take_data = 0;
8440 	chk->sent = SCTP_DATAGRAM_UNSENT;
8441 	chk->snd_count = 0;
8442 	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
8443 	chk->asoc = &stcb->asoc;
8444 	chk->data = cookie;
8445 	chk->whoTo = chk->asoc->primary_destination;
8446 	atomic_add_int(&chk->whoTo->ref_count, 1);
8447 	TAILQ_INSERT_HEAD(&chk->asoc->control_send_queue, chk, sctp_next);
8448 	chk->asoc->ctrl_queue_cnt++;
8449 	return (0);
8450 }
8451 
8452 void
8453 sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
8454     struct mbuf *m,
8455     int offset,
8456     int chk_length,
8457     struct sctp_nets *net)
8458 {
8459 	/*
8460 	 * take a HB request and make it into a HB ack and send it.
8461 	 */
8462 	struct mbuf *outchain;
8463 	struct sctp_chunkhdr *chdr;
8464 	struct sctp_tmit_chunk *chk;
8465 
8466 
8467 	if (net == NULL)
8468 		/* must have a net pointer */
8469 		return;
8470 
8471 	outchain = SCTP_M_COPYM(m, offset, chk_length, M_DONTWAIT);
8472 	if (outchain == NULL) {
8473 		/* gak out of memory */
8474 		return;
8475 	}
8476 #ifdef SCTP_MBUF_LOGGING
8477 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
8478 		struct mbuf *mat;
8479 
8480 		mat = outchain;
8481 		while (mat) {
8482 			if (SCTP_BUF_IS_EXTENDED(mat)) {
8483 				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
8484 			}
8485 			mat = SCTP_BUF_NEXT(mat);
8486 		}
8487 	}
8488 #endif
8489 	chdr = mtod(outchain, struct sctp_chunkhdr *);
8490 	chdr->chunk_type = SCTP_HEARTBEAT_ACK;
8491 	chdr->chunk_flags = 0;
8492 	if (chk_length % 4) {
8493 		/* need pad */
8494 		uint32_t cpthis = 0;
8495 		int padlen;
8496 
8497 		padlen = 4 - (chk_length % 4);
8498 		m_copyback(outchain, chk_length, padlen, (caddr_t)&cpthis);
8499 	}
8500 	sctp_alloc_a_chunk(stcb, chk);
8501 	if (chk == NULL) {
8502 		/* no memory */
8503 		sctp_m_freem(outchain);
8504 		return;
8505 	}
8506 	chk->copy_by_ref = 0;
8507 	chk->send_size = chk_length;
8508 	chk->rec.chunk_id.id = SCTP_HEARTBEAT_ACK;
8509 	chk->rec.chunk_id.can_take_data = 1;
8510 	chk->sent = SCTP_DATAGRAM_UNSENT;
8511 	chk->snd_count = 0;
8512 	chk->flags = 0;
8513 	chk->asoc = &stcb->asoc;
8514 	chk->data = outchain;
8515 	chk->whoTo = net;
8516 	atomic_add_int(&chk->whoTo->ref_count, 1);
8517 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8518 	chk->asoc->ctrl_queue_cnt++;
8519 }
8520 
8521 void
8522 sctp_send_cookie_ack(struct sctp_tcb *stcb)
8523 {
8524 	/* formulate and queue a cookie-ack back to sender */
8525 	struct mbuf *cookie_ack;
8526 	struct sctp_chunkhdr *hdr;
8527 	struct sctp_tmit_chunk *chk;
8528 
8529 	cookie_ack = NULL;
8530 	SCTP_TCB_LOCK_ASSERT(stcb);
8531 
8532 	cookie_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_DONTWAIT, 1, MT_HEADER);
8533 	if (cookie_ack == NULL) {
8534 		/* no mbuf's */
8535 		return;
8536 	}
8537 	SCTP_BUF_RESV_UF(cookie_ack, SCTP_MIN_OVERHEAD);
8538 	sctp_alloc_a_chunk(stcb, chk);
8539 	if (chk == NULL) {
8540 		/* no memory */
8541 		sctp_m_freem(cookie_ack);
8542 		return;
8543 	}
8544 	chk->copy_by_ref = 0;
8545 	chk->send_size = sizeof(struct sctp_chunkhdr);
8546 	chk->rec.chunk_id.id = SCTP_COOKIE_ACK;
8547 	chk->rec.chunk_id.can_take_data = 1;
8548 	chk->sent = SCTP_DATAGRAM_UNSENT;
8549 	chk->snd_count = 0;
8550 	chk->flags = 0;
8551 	chk->asoc = &stcb->asoc;
8552 	chk->data = cookie_ack;
8553 	if (chk->asoc->last_control_chunk_from != NULL) {
8554 		chk->whoTo = chk->asoc->last_control_chunk_from;
8555 	} else {
8556 		chk->whoTo = chk->asoc->primary_destination;
8557 	}
8558 	atomic_add_int(&chk->whoTo->ref_count, 1);
8559 	hdr = mtod(cookie_ack, struct sctp_chunkhdr *);
8560 	hdr->chunk_type = SCTP_COOKIE_ACK;
8561 	hdr->chunk_flags = 0;
8562 	hdr->chunk_length = htons(chk->send_size);
8563 	SCTP_BUF_LEN(cookie_ack) = chk->send_size;
8564 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8565 	chk->asoc->ctrl_queue_cnt++;
8566 	return;
8567 }
8568 
8569 
8570 void
8571 sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct sctp_nets *net)
8572 {
8573 	/* formulate and queue a SHUTDOWN-ACK back to the sender */
8574 	struct mbuf *m_shutdown_ack;
8575 	struct sctp_shutdown_ack_chunk *ack_cp;
8576 	struct sctp_tmit_chunk *chk;
8577 
8578 	m_shutdown_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_ack_chunk), 0, M_DONTWAIT, 1, MT_HEADER);
8579 	if (m_shutdown_ack == NULL) {
8580 		/* no mbuf's */
8581 		return;
8582 	}
8583 	SCTP_BUF_RESV_UF(m_shutdown_ack, SCTP_MIN_OVERHEAD);
8584 	sctp_alloc_a_chunk(stcb, chk);
8585 	if (chk == NULL) {
8586 		/* no memory */
8587 		sctp_m_freem(m_shutdown_ack);
8588 		return;
8589 	}
8590 	chk->copy_by_ref = 0;
8591 	chk->send_size = sizeof(struct sctp_chunkhdr);
8592 	chk->rec.chunk_id.id = SCTP_SHUTDOWN_ACK;
8593 	chk->rec.chunk_id.can_take_data = 1;
8594 	chk->sent = SCTP_DATAGRAM_UNSENT;
8595 	chk->snd_count = 0;
8596 	chk->flags = 0;
8597 	chk->asoc = &stcb->asoc;
8598 	chk->data = m_shutdown_ack;
8599 	chk->whoTo = net;
8600 	atomic_add_int(&net->ref_count, 1);
8601 
8602 	ack_cp = mtod(m_shutdown_ack, struct sctp_shutdown_ack_chunk *);
8603 	ack_cp->ch.chunk_type = SCTP_SHUTDOWN_ACK;
8604 	ack_cp->ch.chunk_flags = 0;
8605 	ack_cp->ch.chunk_length = htons(chk->send_size);
8606 	SCTP_BUF_LEN(m_shutdown_ack) = chk->send_size;
8607 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8608 	chk->asoc->ctrl_queue_cnt++;
8609 	return;
8610 }
8611 
8612 void
8613 sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_nets *net)
8614 {
8615 	/* formulate and queue a SHUTDOWN to the sender */
8616 	struct mbuf *m_shutdown;
8617 	struct sctp_shutdown_chunk *shutdown_cp;
8618 	struct sctp_tmit_chunk *chk;
8619 
8620 	m_shutdown = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_chunk), 0, M_DONTWAIT, 1, MT_HEADER);
8621 	if (m_shutdown == NULL) {
8622 		/* no mbuf's */
8623 		return;
8624 	}
8625 	SCTP_BUF_RESV_UF(m_shutdown, SCTP_MIN_OVERHEAD);
8626 	sctp_alloc_a_chunk(stcb, chk);
8627 	if (chk == NULL) {
8628 		/* no memory */
8629 		sctp_m_freem(m_shutdown);
8630 		return;
8631 	}
8632 	chk->copy_by_ref = 0;
8633 	chk->send_size = sizeof(struct sctp_shutdown_chunk);
8634 	chk->rec.chunk_id.id = SCTP_SHUTDOWN;
8635 	chk->rec.chunk_id.can_take_data = 1;
8636 	chk->sent = SCTP_DATAGRAM_UNSENT;
8637 	chk->snd_count = 0;
8638 	chk->flags = 0;
8639 	chk->asoc = &stcb->asoc;
8640 	chk->data = m_shutdown;
8641 	chk->whoTo = net;
8642 	atomic_add_int(&net->ref_count, 1);
8643 
8644 	shutdown_cp = mtod(m_shutdown, struct sctp_shutdown_chunk *);
8645 	shutdown_cp->ch.chunk_type = SCTP_SHUTDOWN;
8646 	shutdown_cp->ch.chunk_flags = 0;
8647 	shutdown_cp->ch.chunk_length = htons(chk->send_size);
8648 	shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
8649 	SCTP_BUF_LEN(m_shutdown) = chk->send_size;
8650 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8651 	chk->asoc->ctrl_queue_cnt++;
8652 	return;
8653 }
8654 
8655 void
8656 sctp_send_asconf(struct sctp_tcb *stcb, struct sctp_nets *net, int addr_locked)
8657 {
8658 	/*
8659 	 * formulate and queue an ASCONF to the peer. ASCONF parameters
8660 	 * should be queued on the assoc queue.
8661 	 */
8662 	struct sctp_tmit_chunk *chk;
8663 	struct mbuf *m_asconf;
8664 	int len;
8665 
8666 	SCTP_TCB_LOCK_ASSERT(stcb);
8667 
8668 	if ((!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue)) &&
8669 	    (!sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS))) {
8670 		/* can't send a new one if there is one in flight already */
8671 		return;
8672 	}
8673 	/* compose an ASCONF chunk, maximum length is PMTU */
8674 	m_asconf = sctp_compose_asconf(stcb, &len, addr_locked);
8675 	if (m_asconf == NULL) {
8676 		return;
8677 	}
8678 	sctp_alloc_a_chunk(stcb, chk);
8679 	if (chk == NULL) {
8680 		/* no memory */
8681 		sctp_m_freem(m_asconf);
8682 		return;
8683 	}
8684 	chk->copy_by_ref = 0;
8685 	chk->data = m_asconf;
8686 	chk->send_size = len;
8687 	chk->rec.chunk_id.id = SCTP_ASCONF;
8688 	chk->rec.chunk_id.can_take_data = 0;
8689 	chk->sent = SCTP_DATAGRAM_UNSENT;
8690 	chk->snd_count = 0;
8691 	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
8692 	chk->asoc = &stcb->asoc;
8693 	chk->whoTo = net;
8694 	atomic_add_int(&chk->whoTo->ref_count, 1);
8695 	TAILQ_INSERT_TAIL(&chk->asoc->asconf_send_queue, chk, sctp_next);
8696 	chk->asoc->ctrl_queue_cnt++;
8697 	return;
8698 }
8699 
8700 void
8701 sctp_send_asconf_ack(struct sctp_tcb *stcb)
8702 {
8703 	/*
8704 	 * formulate and queue a asconf-ack back to sender. the asconf-ack
8705 	 * must be stored in the tcb.
8706 	 */
8707 	struct sctp_tmit_chunk *chk;
8708 	struct sctp_asconf_ack *ack, *latest_ack;
8709 	struct mbuf *m_ack, *m;
8710 	struct sctp_nets *net = NULL;
8711 
8712 	SCTP_TCB_LOCK_ASSERT(stcb);
8713 	/* Get the latest ASCONF-ACK */
8714 	latest_ack = TAILQ_LAST(&stcb->asoc.asconf_ack_sent, sctp_asconf_ackhead);
8715 	if (latest_ack == NULL) {
8716 		return;
8717 	}
8718 	if (latest_ack->last_sent_to != NULL &&
8719 	    latest_ack->last_sent_to == stcb->asoc.last_control_chunk_from) {
8720 		/* we're doing a retransmission */
8721 		net = sctp_find_alternate_net(stcb, stcb->asoc.last_control_chunk_from, 0);
8722 		if (net == NULL) {
8723 			/* no alternate */
8724 			if (stcb->asoc.last_control_chunk_from == NULL)
8725 				net = stcb->asoc.primary_destination;
8726 			else
8727 				net = stcb->asoc.last_control_chunk_from;
8728 		}
8729 	} else {
8730 		/* normal case */
8731 		if (stcb->asoc.last_control_chunk_from == NULL)
8732 			net = stcb->asoc.primary_destination;
8733 		else
8734 			net = stcb->asoc.last_control_chunk_from;
8735 	}
8736 	latest_ack->last_sent_to = net;
8737 
8738 	TAILQ_FOREACH(ack, &stcb->asoc.asconf_ack_sent, next) {
8739 		if (ack->data == NULL) {
8740 			continue;
8741 		}
8742 		/* copy the asconf_ack */
8743 		m_ack = SCTP_M_COPYM(ack->data, 0, M_COPYALL, M_DONTWAIT);
8744 		if (m_ack == NULL) {
8745 			/* couldn't copy it */
8746 			return;
8747 		}
8748 #ifdef SCTP_MBUF_LOGGING
8749 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
8750 			struct mbuf *mat;
8751 
8752 			mat = m_ack;
8753 			while (mat) {
8754 				if (SCTP_BUF_IS_EXTENDED(mat)) {
8755 					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
8756 				}
8757 				mat = SCTP_BUF_NEXT(mat);
8758 			}
8759 		}
8760 #endif
8761 
8762 		sctp_alloc_a_chunk(stcb, chk);
8763 		if (chk == NULL) {
8764 			/* no memory */
8765 			if (m_ack)
8766 				sctp_m_freem(m_ack);
8767 			return;
8768 		}
8769 		chk->copy_by_ref = 0;
8770 
8771 		chk->whoTo = net;
8772 		chk->data = m_ack;
8773 		chk->send_size = 0;
8774 		/* Get size */
8775 		m = m_ack;
8776 		chk->send_size = ack->len;
8777 		chk->rec.chunk_id.id = SCTP_ASCONF_ACK;
8778 		chk->rec.chunk_id.can_take_data = 1;
8779 		chk->sent = SCTP_DATAGRAM_UNSENT;
8780 		chk->snd_count = 0;
8781 		chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;	/* XXX */
8782 		chk->asoc = &stcb->asoc;
8783 		atomic_add_int(&chk->whoTo->ref_count, 1);
8784 
8785 		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8786 		chk->asoc->ctrl_queue_cnt++;
8787 	}
8788 	return;
8789 }
8790 
8791 
8792 static int
8793 sctp_chunk_retransmission(struct sctp_inpcb *inp,
8794     struct sctp_tcb *stcb,
8795     struct sctp_association *asoc,
8796     int *cnt_out, struct timeval *now, int *now_filled, int *fr_done, int so_locked
8797 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
8798     SCTP_UNUSED
8799 #endif
8800 )
8801 {
8802 	/*-
8803 	 * send out one MTU of retransmission. If fast_retransmit is
8804 	 * happening we ignore the cwnd. Otherwise we obey the cwnd and
8805 	 * rwnd. For a Cookie or Asconf in the control chunk queue we
8806 	 * retransmit them by themselves.
8807 	 *
8808 	 * For data chunks we will pick out the lowest TSN's in the sent_queue
8809 	 * marked for resend and bundle them all together (up to a MTU of
8810 	 * destination). The address to send to should have been
8811 	 * selected/changed where the retransmission was marked (i.e. in FR
8812 	 * or t3-timeout routines).
8813 	 */
8814 	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
8815 	struct sctp_tmit_chunk *chk, *fwd;
8816 	struct mbuf *m, *endofchain;
8817 	struct sctp_nets *net = NULL;
8818 	uint32_t tsns_sent = 0;
8819 	int no_fragmentflg, bundle_at, cnt_thru;
8820 	unsigned int mtu;
8821 	int error, i, one_chunk, fwd_tsn, ctl_cnt, tmr_started;
8822 	struct sctp_auth_chunk *auth = NULL;
8823 	uint32_t auth_offset = 0;
8824 	uint16_t auth_keyid;
8825 	int override_ok = 1;
8826 	int data_auth_reqd = 0;
8827 	uint32_t dmtu = 0;
8828 
8829 	SCTP_TCB_LOCK_ASSERT(stcb);
8830 	tmr_started = ctl_cnt = bundle_at = error = 0;
8831 	no_fragmentflg = 1;
8832 	fwd_tsn = 0;
8833 	*cnt_out = 0;
8834 	fwd = NULL;
8835 	endofchain = m = NULL;
8836 	auth_keyid = stcb->asoc.authinfo.active_keyid;
8837 #ifdef SCTP_AUDITING_ENABLED
8838 	sctp_audit_log(0xC3, 1);
8839 #endif
8840 	if ((TAILQ_EMPTY(&asoc->sent_queue)) &&
8841 	    (TAILQ_EMPTY(&asoc->control_send_queue))) {
8842 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "SCTP hits empty queue with cnt set to %d?\n",
8843 		    asoc->sent_queue_retran_cnt);
8844 		asoc->sent_queue_cnt = 0;
8845 		asoc->sent_queue_cnt_removeable = 0;
8846 		/* send back 0/0 so we enter normal transmission */
8847 		*cnt_out = 0;
8848 		return (0);
8849 	}
8850 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8851 		if ((chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) ||
8852 		    (chk->rec.chunk_id.id == SCTP_STREAM_RESET) ||
8853 		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)) {
8854 			if (chk->sent != SCTP_DATAGRAM_RESEND) {
8855 				continue;
8856 			}
8857 			if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
8858 				if (chk != asoc->str_reset) {
8859 					/*
8860 					 * not eligible for retran if its
8861 					 * not ours
8862 					 */
8863 					continue;
8864 				}
8865 			}
8866 			ctl_cnt++;
8867 			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
8868 				fwd_tsn = 1;
8869 				fwd = chk;
8870 			}
8871 			/*
8872 			 * Add an AUTH chunk, if chunk requires it save the
8873 			 * offset into the chain for AUTH
8874 			 */
8875 			if ((auth == NULL) &&
8876 			    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8877 			    stcb->asoc.peer_auth_chunks))) {
8878 				m = sctp_add_auth_chunk(m, &endofchain,
8879 				    &auth, &auth_offset,
8880 				    stcb,
8881 				    chk->rec.chunk_id.id);
8882 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8883 			}
8884 			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
8885 			break;
8886 		}
8887 	}
8888 	one_chunk = 0;
8889 	cnt_thru = 0;
8890 	/* do we have control chunks to retransmit? */
8891 	if (m != NULL) {
8892 		/* Start a timer no matter if we suceed or fail */
8893 		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
8894 			sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, chk->whoTo);
8895 		} else if (chk->rec.chunk_id.id == SCTP_ASCONF)
8896 			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, chk->whoTo);
8897 		chk->snd_count++;	/* update our count */
8898 		if ((error = sctp_lowlevel_chunk_output(inp, stcb, chk->whoTo,
8899 		    (struct sockaddr *)&chk->whoTo->ro._l_addr, m,
8900 		    auth_offset, auth, stcb->asoc.authinfo.active_keyid,
8901 		    no_fragmentflg, 0, NULL, 0,
8902 		    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
8903 		    chk->whoTo->port, so_locked, NULL, NULL))) {
8904 			SCTP_STAT_INCR(sctps_lowlevelerr);
8905 			return (error);
8906 		}
8907 		m = endofchain = NULL;
8908 		auth = NULL;
8909 		auth_offset = 0;
8910 		/*
8911 		 * We don't want to mark the net->sent time here since this
8912 		 * we use this for HB and retrans cannot measure RTT
8913 		 */
8914 		/* (void)SCTP_GETTIME_TIMEVAL(&chk->whoTo->last_sent_time); */
8915 		*cnt_out += 1;
8916 		chk->sent = SCTP_DATAGRAM_SENT;
8917 		sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
8918 		if (fwd_tsn == 0) {
8919 			return (0);
8920 		} else {
8921 			/* Clean up the fwd-tsn list */
8922 			sctp_clean_up_ctl(stcb, asoc);
8923 			return (0);
8924 		}
8925 	}
8926 	/*
8927 	 * Ok, it is just data retransmission we need to do or that and a
8928 	 * fwd-tsn with it all.
8929 	 */
8930 	if (TAILQ_EMPTY(&asoc->sent_queue)) {
8931 		return (SCTP_RETRAN_DONE);
8932 	}
8933 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) ||
8934 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT)) {
8935 		/* not yet open, resend the cookie and that is it */
8936 		return (1);
8937 	}
8938 #ifdef SCTP_AUDITING_ENABLED
8939 	sctp_auditing(20, inp, stcb, NULL);
8940 #endif
8941 	data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks);
8942 	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
8943 		if (chk->sent != SCTP_DATAGRAM_RESEND) {
8944 			/* No, not sent to this net or not ready for rtx */
8945 			continue;
8946 		}
8947 		if (chk->data == NULL) {
8948 			printf("TSN:%x chk->snd_count:%d chk->sent:%d can't retran - no data\n",
8949 			    chk->rec.data.TSN_seq, chk->snd_count, chk->sent);
8950 			continue;
8951 		}
8952 		if ((SCTP_BASE_SYSCTL(sctp_max_retran_chunk)) &&
8953 		    (chk->snd_count >= SCTP_BASE_SYSCTL(sctp_max_retran_chunk))) {
8954 			/* Gak, we have exceeded max unlucky retran, abort! */
8955 			SCTP_PRINTF("Gak, chk->snd_count:%d >= max:%d - send abort\n",
8956 			    chk->snd_count,
8957 			    SCTP_BASE_SYSCTL(sctp_max_retran_chunk));
8958 			atomic_add_int(&stcb->asoc.refcnt, 1);
8959 			sctp_abort_an_association(stcb->sctp_ep, stcb, 0, NULL, so_locked);
8960 			SCTP_TCB_LOCK(stcb);
8961 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
8962 			return (SCTP_RETRAN_EXIT);
8963 		}
8964 		/* pick up the net */
8965 		net = chk->whoTo;
8966 		if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
8967 			mtu = (net->mtu - SCTP_MIN_OVERHEAD);
8968 		} else {
8969 			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8970 		}
8971 
8972 		if ((asoc->peers_rwnd < mtu) && (asoc->total_flight > 0)) {
8973 			/* No room in peers rwnd */
8974 			uint32_t tsn;
8975 
8976 			tsn = asoc->last_acked_seq + 1;
8977 			if (tsn == chk->rec.data.TSN_seq) {
8978 				/*
8979 				 * we make a special exception for this
8980 				 * case. The peer has no rwnd but is missing
8981 				 * the lowest chunk.. which is probably what
8982 				 * is holding up the rwnd.
8983 				 */
8984 				goto one_chunk_around;
8985 			}
8986 			return (1);
8987 		}
8988 one_chunk_around:
8989 		if (asoc->peers_rwnd < mtu) {
8990 			one_chunk = 1;
8991 			if ((asoc->peers_rwnd == 0) &&
8992 			    (asoc->total_flight == 0)) {
8993 				chk->window_probe = 1;
8994 				chk->whoTo->window_probe = 1;
8995 			}
8996 		}
8997 #ifdef SCTP_AUDITING_ENABLED
8998 		sctp_audit_log(0xC3, 2);
8999 #endif
9000 		bundle_at = 0;
9001 		m = NULL;
9002 		net->fast_retran_ip = 0;
9003 		if (chk->rec.data.doing_fast_retransmit == 0) {
9004 			/*
9005 			 * if no FR in progress skip destination that have
9006 			 * flight_size > cwnd.
9007 			 */
9008 			if (net->flight_size >= net->cwnd) {
9009 				continue;
9010 			}
9011 		} else {
9012 			/*
9013 			 * Mark the destination net to have FR recovery
9014 			 * limits put on it.
9015 			 */
9016 			*fr_done = 1;
9017 			net->fast_retran_ip = 1;
9018 		}
9019 
9020 		/*
9021 		 * if no AUTH is yet included and this chunk requires it,
9022 		 * make sure to account for it.  We don't apply the size
9023 		 * until the AUTH chunk is actually added below in case
9024 		 * there is no room for this chunk.
9025 		 */
9026 		if (data_auth_reqd && (auth == NULL)) {
9027 			dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9028 		} else
9029 			dmtu = 0;
9030 
9031 		if ((chk->send_size <= (mtu - dmtu)) ||
9032 		    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
9033 			/* ok we will add this one */
9034 			if (data_auth_reqd) {
9035 				if (auth == NULL) {
9036 					m = sctp_add_auth_chunk(m,
9037 					    &endofchain,
9038 					    &auth,
9039 					    &auth_offset,
9040 					    stcb,
9041 					    SCTP_DATA);
9042 					auth_keyid = chk->auth_keyid;
9043 					override_ok = 0;
9044 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9045 				} else if (override_ok) {
9046 					auth_keyid = chk->auth_keyid;
9047 					override_ok = 0;
9048 				} else if (chk->auth_keyid != auth_keyid) {
9049 					/* different keyid, so done bundling */
9050 					break;
9051 				}
9052 			}
9053 			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9054 			if (m == NULL) {
9055 				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9056 				return (ENOMEM);
9057 			}
9058 			/* Do clear IP_DF ? */
9059 			if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9060 				no_fragmentflg = 0;
9061 			}
9062 			/* upate our MTU size */
9063 			if (mtu > (chk->send_size + dmtu))
9064 				mtu -= (chk->send_size + dmtu);
9065 			else
9066 				mtu = 0;
9067 			data_list[bundle_at++] = chk;
9068 			if (one_chunk && (asoc->total_flight <= 0)) {
9069 				SCTP_STAT_INCR(sctps_windowprobed);
9070 			}
9071 		}
9072 		if (one_chunk == 0) {
9073 			/*
9074 			 * now are there anymore forward from chk to pick
9075 			 * up?
9076 			 */
9077 			fwd = TAILQ_NEXT(chk, sctp_next);
9078 			while (fwd) {
9079 				if (fwd->sent != SCTP_DATAGRAM_RESEND) {
9080 					/* Nope, not for retran */
9081 					fwd = TAILQ_NEXT(fwd, sctp_next);
9082 					continue;
9083 				}
9084 				if (fwd->whoTo != net) {
9085 					/* Nope, not the net in question */
9086 					fwd = TAILQ_NEXT(fwd, sctp_next);
9087 					continue;
9088 				}
9089 				if (data_auth_reqd && (auth == NULL)) {
9090 					dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9091 				} else
9092 					dmtu = 0;
9093 				if (fwd->send_size <= (mtu - dmtu)) {
9094 					if (data_auth_reqd) {
9095 						if (auth == NULL) {
9096 							m = sctp_add_auth_chunk(m,
9097 							    &endofchain,
9098 							    &auth,
9099 							    &auth_offset,
9100 							    stcb,
9101 							    SCTP_DATA);
9102 							auth_keyid = fwd->auth_keyid;
9103 							override_ok = 0;
9104 							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9105 						} else if (override_ok) {
9106 							auth_keyid = fwd->auth_keyid;
9107 							override_ok = 0;
9108 						} else if (fwd->auth_keyid != auth_keyid) {
9109 							/*
9110 							 * different keyid,
9111 							 * so done bundling
9112 							 */
9113 							break;
9114 						}
9115 					}
9116 					m = sctp_copy_mbufchain(fwd->data, m, &endofchain, 0, fwd->send_size, fwd->copy_by_ref);
9117 					if (m == NULL) {
9118 						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9119 						return (ENOMEM);
9120 					}
9121 					/* Do clear IP_DF ? */
9122 					if (fwd->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9123 						no_fragmentflg = 0;
9124 					}
9125 					/* upate our MTU size */
9126 					if (mtu > (fwd->send_size + dmtu))
9127 						mtu -= (fwd->send_size + dmtu);
9128 					else
9129 						mtu = 0;
9130 					data_list[bundle_at++] = fwd;
9131 					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
9132 						break;
9133 					}
9134 					fwd = TAILQ_NEXT(fwd, sctp_next);
9135 				} else {
9136 					/* can't fit so we are done */
9137 					break;
9138 				}
9139 			}
9140 		}
9141 		/* Is there something to send for this destination? */
9142 		if (m) {
9143 			/*
9144 			 * No matter if we fail/or suceed we should start a
9145 			 * timer. A failure is like a lost IP packet :-)
9146 			 */
9147 			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9148 				/*
9149 				 * no timer running on this destination
9150 				 * restart it.
9151 				 */
9152 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9153 				tmr_started = 1;
9154 			}
9155 			/* Now lets send it, if there is anything to send :> */
9156 			if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
9157 			    (struct sockaddr *)&net->ro._l_addr, m,
9158 			    auth_offset, auth, auth_keyid,
9159 			    no_fragmentflg, 0, NULL, 0,
9160 			    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9161 			    net->port, so_locked, NULL, NULL))) {
9162 				/* error, we could not output */
9163 				SCTP_STAT_INCR(sctps_lowlevelerr);
9164 				return (error);
9165 			}
9166 			m = endofchain = NULL;
9167 			auth = NULL;
9168 			auth_offset = 0;
9169 			/* For HB's */
9170 			/*
9171 			 * We don't want to mark the net->sent time here
9172 			 * since this we use this for HB and retrans cannot
9173 			 * measure RTT
9174 			 */
9175 			/* (void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time); */
9176 
9177 			/* For auto-close */
9178 			cnt_thru++;
9179 			if (*now_filled == 0) {
9180 				(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
9181 				*now = asoc->time_last_sent;
9182 				*now_filled = 1;
9183 			} else {
9184 				asoc->time_last_sent = *now;
9185 			}
9186 			*cnt_out += bundle_at;
9187 #ifdef SCTP_AUDITING_ENABLED
9188 			sctp_audit_log(0xC4, bundle_at);
9189 #endif
9190 			if (bundle_at) {
9191 				tsns_sent = data_list[0]->rec.data.TSN_seq;
9192 			}
9193 			for (i = 0; i < bundle_at; i++) {
9194 				SCTP_STAT_INCR(sctps_sendretransdata);
9195 				data_list[i]->sent = SCTP_DATAGRAM_SENT;
9196 				/*
9197 				 * When we have a revoked data, and we
9198 				 * retransmit it, then we clear the revoked
9199 				 * flag since this flag dictates if we
9200 				 * subtracted from the fs
9201 				 */
9202 				if (data_list[i]->rec.data.chunk_was_revoked) {
9203 					/* Deflate the cwnd */
9204 					data_list[i]->whoTo->cwnd -= data_list[i]->book_size;
9205 					data_list[i]->rec.data.chunk_was_revoked = 0;
9206 				}
9207 				data_list[i]->snd_count++;
9208 				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
9209 				/* record the time */
9210 				data_list[i]->sent_rcv_time = asoc->time_last_sent;
9211 				if (data_list[i]->book_size_scale) {
9212 					/*
9213 					 * need to double the book size on
9214 					 * this one
9215 					 */
9216 					data_list[i]->book_size_scale = 0;
9217 					/*
9218 					 * Since we double the booksize, we
9219 					 * must also double the output queue
9220 					 * size, since this get shrunk when
9221 					 * we free by this amount.
9222 					 */
9223 					atomic_add_int(&((asoc)->total_output_queue_size), data_list[i]->book_size);
9224 					data_list[i]->book_size *= 2;
9225 
9226 
9227 				} else {
9228 					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
9229 						sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
9230 						    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
9231 					}
9232 					asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
9233 					    (uint32_t) (data_list[i]->send_size +
9234 					    SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
9235 				}
9236 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
9237 					sctp_misc_ints(SCTP_FLIGHT_LOG_UP_RSND,
9238 					    data_list[i]->whoTo->flight_size,
9239 					    data_list[i]->book_size,
9240 					    (uintptr_t) data_list[i]->whoTo,
9241 					    data_list[i]->rec.data.TSN_seq);
9242 				}
9243 				sctp_flight_size_increase(data_list[i]);
9244 				sctp_total_flight_increase(stcb, data_list[i]);
9245 				if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
9246 					/* SWS sender side engages */
9247 					asoc->peers_rwnd = 0;
9248 				}
9249 				if ((i == 0) &&
9250 				    (data_list[i]->rec.data.doing_fast_retransmit)) {
9251 					SCTP_STAT_INCR(sctps_sendfastretrans);
9252 					if ((data_list[i] == TAILQ_FIRST(&asoc->sent_queue)) &&
9253 					    (tmr_started == 0)) {
9254 						/*-
9255 						 * ok we just fast-retrans'd
9256 						 * the lowest TSN, i.e the
9257 						 * first on the list. In
9258 						 * this case we want to give
9259 						 * some more time to get a
9260 						 * SACK back without a
9261 						 * t3-expiring.
9262 						 */
9263 						sctp_timer_stop(SCTP_TIMER_TYPE_SEND, inp, stcb, net,
9264 						    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_4);
9265 						sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9266 					}
9267 				}
9268 			}
9269 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9270 				sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_RESEND);
9271 			}
9272 #ifdef SCTP_AUDITING_ENABLED
9273 			sctp_auditing(21, inp, stcb, NULL);
9274 #endif
9275 		} else {
9276 			/* None will fit */
9277 			return (1);
9278 		}
9279 		if (asoc->sent_queue_retran_cnt <= 0) {
9280 			/* all done we have no more to retran */
9281 			asoc->sent_queue_retran_cnt = 0;
9282 			break;
9283 		}
9284 		if (one_chunk) {
9285 			/* No more room in rwnd */
9286 			return (1);
9287 		}
9288 		/* stop the for loop here. we sent out a packet */
9289 		break;
9290 	}
9291 	return (0);
9292 }
9293 
9294 
9295 static int
9296 sctp_timer_validation(struct sctp_inpcb *inp,
9297     struct sctp_tcb *stcb,
9298     struct sctp_association *asoc,
9299     int ret)
9300 {
9301 	struct sctp_nets *net;
9302 
9303 	/* Validate that a timer is running somewhere */
9304 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
9305 		if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9306 			/* Here is a timer */
9307 			return (ret);
9308 		}
9309 	}
9310 	SCTP_TCB_LOCK_ASSERT(stcb);
9311 	/* Gak, we did not have a timer somewhere */
9312 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "Deadlock avoided starting timer on a dest at retran\n");
9313 	sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->primary_destination);
9314 	return (ret);
9315 }
9316 
9317 void
9318 sctp_chunk_output(struct sctp_inpcb *inp,
9319     struct sctp_tcb *stcb,
9320     int from_where,
9321     int so_locked
9322 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
9323     SCTP_UNUSED
9324 #endif
9325 )
9326 {
9327 	/*-
9328 	 * Ok this is the generic chunk service queue. we must do the
9329 	 * following:
9330 	 * - See if there are retransmits pending, if so we must
9331 	 *   do these first.
9332 	 * - Service the stream queue that is next, moving any
9333 	 *   message (note I must get a complete message i.e.
9334 	 *   FIRST/MIDDLE and LAST to the out queue in one pass) and assigning
9335 	 *   TSN's
9336 	 * - Check to see if the cwnd/rwnd allows any output, if so we
9337 	 *   go ahead and fomulate and send the low level chunks. Making sure
9338 	 *   to combine any control in the control chunk queue also.
9339 	 */
9340 	struct sctp_association *asoc;
9341 	struct sctp_nets *net;
9342 	int error = 0, num_out = 0, tot_out = 0, ret = 0, reason_code = 0;
9343 	unsigned int burst_cnt = 0;
9344 	struct timeval now;
9345 	int now_filled = 0;
9346 	int nagle_on = 0;
9347 	int frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
9348 	int un_sent = 0;
9349 	int fr_done;
9350 	unsigned int tot_frs = 0;
9351 
9352 	asoc = &stcb->asoc;
9353 	if (from_where == SCTP_OUTPUT_FROM_USR_SEND) {
9354 		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NODELAY)) {
9355 			nagle_on = 0;
9356 		} else {
9357 			nagle_on = 1;
9358 		}
9359 	}
9360 	SCTP_TCB_LOCK_ASSERT(stcb);
9361 
9362 	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
9363 
9364 	if ((un_sent <= 0) &&
9365 	    (TAILQ_EMPTY(&asoc->control_send_queue)) &&
9366 	    (TAILQ_EMPTY(&asoc->asconf_send_queue)) &&
9367 	    (asoc->sent_queue_retran_cnt == 0)) {
9368 		/* Nothing to do unless there is something to be sent left */
9369 		return;
9370 	}
9371 	/*
9372 	 * Do we have something to send, data or control AND a sack timer
9373 	 * running, if so piggy-back the sack.
9374 	 */
9375 	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
9376 		sctp_send_sack(stcb);
9377 		(void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
9378 	}
9379 	while (asoc->sent_queue_retran_cnt) {
9380 		/*-
9381 		 * Ok, it is retransmission time only, we send out only ONE
9382 		 * packet with a single call off to the retran code.
9383 		 */
9384 		if (from_where == SCTP_OUTPUT_FROM_COOKIE_ACK) {
9385 			/*-
9386 			 * Special hook for handling cookiess discarded
9387 			 * by peer that carried data. Send cookie-ack only
9388 			 * and then the next call with get the retran's.
9389 			 */
9390 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
9391 			    from_where,
9392 			    &now, &now_filled, frag_point, so_locked);
9393 			return;
9394 		} else if (from_where != SCTP_OUTPUT_FROM_HB_TMR) {
9395 			/* if its not from a HB then do it */
9396 			fr_done = 0;
9397 			ret = sctp_chunk_retransmission(inp, stcb, asoc, &num_out, &now, &now_filled, &fr_done, so_locked);
9398 			if (fr_done) {
9399 				tot_frs++;
9400 			}
9401 		} else {
9402 			/*
9403 			 * its from any other place, we don't allow retran
9404 			 * output (only control)
9405 			 */
9406 			ret = 1;
9407 		}
9408 		if (ret > 0) {
9409 			/* Can't send anymore */
9410 			/*-
9411 			 * now lets push out control by calling med-level
9412 			 * output once. this assures that we WILL send HB's
9413 			 * if queued too.
9414 			 */
9415 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
9416 			    from_where,
9417 			    &now, &now_filled, frag_point, so_locked);
9418 #ifdef SCTP_AUDITING_ENABLED
9419 			sctp_auditing(8, inp, stcb, NULL);
9420 #endif
9421 			(void)sctp_timer_validation(inp, stcb, asoc, ret);
9422 			return;
9423 		}
9424 		if (ret < 0) {
9425 			/*-
9426 			 * The count was off.. retran is not happening so do
9427 			 * the normal retransmission.
9428 			 */
9429 #ifdef SCTP_AUDITING_ENABLED
9430 			sctp_auditing(9, inp, stcb, NULL);
9431 #endif
9432 			if (ret == SCTP_RETRAN_EXIT) {
9433 				return;
9434 			}
9435 			break;
9436 		}
9437 		if (from_where == SCTP_OUTPUT_FROM_T3) {
9438 			/* Only one transmission allowed out of a timeout */
9439 #ifdef SCTP_AUDITING_ENABLED
9440 			sctp_auditing(10, inp, stcb, NULL);
9441 #endif
9442 			/* Push out any control */
9443 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1, from_where,
9444 			    &now, &now_filled, frag_point, so_locked);
9445 			return;
9446 		}
9447 		if ((asoc->fr_max_burst > 0) && (tot_frs >= asoc->fr_max_burst)) {
9448 			/* Hit FR burst limit */
9449 			return;
9450 		}
9451 		if ((num_out == 0) && (ret == 0)) {
9452 			/* No more retrans to send */
9453 			break;
9454 		}
9455 	}
9456 #ifdef SCTP_AUDITING_ENABLED
9457 	sctp_auditing(12, inp, stcb, NULL);
9458 #endif
9459 	/* Check for bad destinations, if they exist move chunks around. */
9460 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
9461 		if ((net->dest_state & SCTP_ADDR_NOT_REACHABLE) ==
9462 		    SCTP_ADDR_NOT_REACHABLE) {
9463 			/*-
9464 			 * if possible move things off of this address we
9465 			 * still may send below due to the dormant state but
9466 			 * we try to find an alternate address to send to
9467 			 * and if we have one we move all queued data on the
9468 			 * out wheel to this alternate address.
9469 			 */
9470 			if (net->ref_count > 1)
9471 				sctp_move_chunks_from_net(stcb, net);
9472 		} else if ((asoc->sctp_cmt_on_off > 0) &&
9473 			    (asoc->sctp_cmt_pf > 0) &&
9474 		    ((net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF)) {
9475 			/*
9476 			 * JRS 5/14/07 - If CMT PF is on and the current
9477 			 * destination is in PF state, move all queued data
9478 			 * to an alternate desination.
9479 			 */
9480 			if (net->ref_count > 1)
9481 				sctp_move_chunks_from_net(stcb, net);
9482 		} else {
9483 			/*-
9484 			 * if ((asoc->sat_network) || (net->addr_is_local))
9485 			 * { burst_limit = asoc->max_burst *
9486 			 * SCTP_SAT_NETWORK_BURST_INCR; }
9487 			 */
9488 			if (asoc->max_burst > 0) {
9489 				if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst)) {
9490 					if ((net->flight_size + (asoc->max_burst * net->mtu)) < net->cwnd) {
9491 						/*
9492 						 * JRS - Use the congestion
9493 						 * control given in the
9494 						 * congestion control module
9495 						 */
9496 						asoc->cc_functions.sctp_cwnd_update_after_output(stcb, net, asoc->max_burst);
9497 						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
9498 							sctp_log_maxburst(stcb, net, 0, asoc->max_burst, SCTP_MAX_BURST_APPLIED);
9499 						}
9500 						SCTP_STAT_INCR(sctps_maxburstqueued);
9501 					}
9502 					net->fast_retran_ip = 0;
9503 				} else {
9504 					if (net->flight_size == 0) {
9505 						/*
9506 						 * Should be decaying the
9507 						 * cwnd here
9508 						 */
9509 						;
9510 					}
9511 				}
9512 			}
9513 		}
9514 
9515 	}
9516 	burst_cnt = 0;
9517 	do {
9518 		error = sctp_med_chunk_output(inp, stcb, asoc, &num_out,
9519 		    &reason_code, 0, from_where,
9520 		    &now, &now_filled, frag_point, so_locked);
9521 		if (error) {
9522 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Error %d was returned from med-c-op\n", error);
9523 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
9524 				sctp_log_maxburst(stcb, asoc->primary_destination, error, burst_cnt, SCTP_MAX_BURST_ERROR_STOP);
9525 			}
9526 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9527 				sctp_log_cwnd(stcb, NULL, error, SCTP_SEND_NOW_COMPLETES);
9528 				sctp_log_cwnd(stcb, NULL, 0xdeadbeef, SCTP_SEND_NOW_COMPLETES);
9529 			}
9530 			break;
9531 		}
9532 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "m-c-o put out %d\n", num_out);
9533 
9534 		tot_out += num_out;
9535 		burst_cnt++;
9536 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9537 			sctp_log_cwnd(stcb, NULL, num_out, SCTP_SEND_NOW_COMPLETES);
9538 			if (num_out == 0) {
9539 				sctp_log_cwnd(stcb, NULL, reason_code, SCTP_SEND_NOW_COMPLETES);
9540 			}
9541 		}
9542 		if (nagle_on) {
9543 			/*-
9544 			 * When nagle is on, we look at how much is un_sent, then
9545 			 * if its smaller than an MTU and we have data in
9546 			 * flight we stop.
9547 			 */
9548 			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
9549 			    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
9550 			if ((un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD)) &&
9551 			    (stcb->asoc.total_flight > 0)) {
9552 				break;
9553 			}
9554 		}
9555 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
9556 		    TAILQ_EMPTY(&asoc->send_queue) &&
9557 		    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
9558 			/* Nothing left to send */
9559 			break;
9560 		}
9561 		if ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) <= 0) {
9562 			/* Nothing left to send */
9563 			break;
9564 		}
9565 	} while (num_out &&
9566 	    ((asoc->max_burst == 0) ||
9567 	    SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) ||
9568 	    (burst_cnt < asoc->max_burst)));
9569 
9570 	if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) == 0) {
9571 		if ((asoc->max_burst > 0) && (burst_cnt >= asoc->max_burst)) {
9572 			SCTP_STAT_INCR(sctps_maxburstqueued);
9573 			asoc->burst_limit_applied = 1;
9574 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
9575 				sctp_log_maxburst(stcb, asoc->primary_destination, 0, burst_cnt, SCTP_MAX_BURST_APPLIED);
9576 			}
9577 		} else {
9578 			asoc->burst_limit_applied = 0;
9579 		}
9580 	}
9581 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9582 		sctp_log_cwnd(stcb, NULL, tot_out, SCTP_SEND_NOW_COMPLETES);
9583 	}
9584 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, we have put out %d chunks\n",
9585 	    tot_out);
9586 
9587 	/*-
9588 	 * Now we need to clean up the control chunk chain if a ECNE is on
9589 	 * it. It must be marked as UNSENT again so next call will continue
9590 	 * to send it until such time that we get a CWR, to remove it.
9591 	 */
9592 	if (stcb->asoc.ecn_echo_cnt_onq)
9593 		sctp_fix_ecn_echo(asoc);
9594 	return;
9595 }
9596 
9597 
9598 int
9599 sctp_output(inp, m, addr, control, p, flags)
9600 	struct sctp_inpcb *inp;
9601 	struct mbuf *m;
9602 	struct sockaddr *addr;
9603 	struct mbuf *control;
9604 	struct thread *p;
9605 	int flags;
9606 {
9607 	if (inp == NULL) {
9608 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
9609 		return (EINVAL);
9610 	}
9611 	if (inp->sctp_socket == NULL) {
9612 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
9613 		return (EINVAL);
9614 	}
9615 	return (sctp_sosend(inp->sctp_socket,
9616 	    addr,
9617 	    (struct uio *)NULL,
9618 	    m,
9619 	    control,
9620 	    flags, p
9621 	    ));
9622 }
9623 
9624 void
9625 send_forward_tsn(struct sctp_tcb *stcb,
9626     struct sctp_association *asoc)
9627 {
9628 	struct sctp_tmit_chunk *chk;
9629 	struct sctp_forward_tsn_chunk *fwdtsn;
9630 	uint32_t advance_peer_ack_point;
9631 
9632 	SCTP_TCB_LOCK_ASSERT(stcb);
9633 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9634 		if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
9635 			/* mark it to unsent */
9636 			chk->sent = SCTP_DATAGRAM_UNSENT;
9637 			chk->snd_count = 0;
9638 			/* Do we correct its output location? */
9639 			if (chk->whoTo != asoc->primary_destination) {
9640 				sctp_free_remote_addr(chk->whoTo);
9641 				chk->whoTo = asoc->primary_destination;
9642 				atomic_add_int(&chk->whoTo->ref_count, 1);
9643 			}
9644 			goto sctp_fill_in_rest;
9645 		}
9646 	}
9647 	/* Ok if we reach here we must build one */
9648 	sctp_alloc_a_chunk(stcb, chk);
9649 	if (chk == NULL) {
9650 		return;
9651 	}
9652 	asoc->fwd_tsn_cnt++;
9653 	chk->copy_by_ref = 0;
9654 	chk->rec.chunk_id.id = SCTP_FORWARD_CUM_TSN;
9655 	chk->rec.chunk_id.can_take_data = 0;
9656 	chk->asoc = asoc;
9657 	chk->whoTo = NULL;
9658 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
9659 	if (chk->data == NULL) {
9660 		sctp_free_a_chunk(stcb, chk);
9661 		return;
9662 	}
9663 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
9664 	chk->sent = SCTP_DATAGRAM_UNSENT;
9665 	chk->snd_count = 0;
9666 	chk->whoTo = asoc->primary_destination;
9667 	atomic_add_int(&chk->whoTo->ref_count, 1);
9668 	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
9669 	asoc->ctrl_queue_cnt++;
9670 sctp_fill_in_rest:
9671 	/*-
9672 	 * Here we go through and fill out the part that deals with
9673 	 * stream/seq of the ones we skip.
9674 	 */
9675 	SCTP_BUF_LEN(chk->data) = 0;
9676 	{
9677 		struct sctp_tmit_chunk *at, *tp1, *last;
9678 		struct sctp_strseq *strseq;
9679 		unsigned int cnt_of_space, i, ovh;
9680 		unsigned int space_needed;
9681 		unsigned int cnt_of_skipped = 0;
9682 
9683 		TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
9684 			if (at->sent != SCTP_FORWARD_TSN_SKIP) {
9685 				/* no more to look at */
9686 				break;
9687 			}
9688 			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
9689 				/* We don't report these */
9690 				continue;
9691 			}
9692 			cnt_of_skipped++;
9693 		}
9694 		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
9695 		    (cnt_of_skipped * sizeof(struct sctp_strseq)));
9696 
9697 		cnt_of_space = M_TRAILINGSPACE(chk->data);
9698 
9699 		if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
9700 			ovh = SCTP_MIN_OVERHEAD;
9701 		} else {
9702 			ovh = SCTP_MIN_V4_OVERHEAD;
9703 		}
9704 		if (cnt_of_space > (asoc->smallest_mtu - ovh)) {
9705 			/* trim to a mtu size */
9706 			cnt_of_space = asoc->smallest_mtu - ovh;
9707 		}
9708 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
9709 			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
9710 			    0xff, 0, cnt_of_skipped,
9711 			    asoc->advanced_peer_ack_point);
9712 
9713 		}
9714 		advance_peer_ack_point = asoc->advanced_peer_ack_point;
9715 		if (cnt_of_space < space_needed) {
9716 			/*-
9717 			 * ok we must trim down the chunk by lowering the
9718 			 * advance peer ack point.
9719 			 */
9720 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
9721 				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
9722 				    0xff, 0xff, cnt_of_space,
9723 				    space_needed);
9724 			}
9725 			cnt_of_skipped = cnt_of_space - sizeof(struct sctp_forward_tsn_chunk);
9726 			cnt_of_skipped /= sizeof(struct sctp_strseq);
9727 			/*-
9728 			 * Go through and find the TSN that will be the one
9729 			 * we report.
9730 			 */
9731 			at = TAILQ_FIRST(&asoc->sent_queue);
9732 			for (i = 0; i < cnt_of_skipped; i++) {
9733 				tp1 = TAILQ_NEXT(at, sctp_next);
9734 				if (tp1 == NULL) {
9735 					break;
9736 				}
9737 				at = tp1;
9738 			}
9739 			if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
9740 				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
9741 				    0xff, cnt_of_skipped, at->rec.data.TSN_seq,
9742 				    asoc->advanced_peer_ack_point);
9743 			}
9744 			last = at;
9745 			/*-
9746 			 * last now points to last one I can report, update
9747 			 * peer ack point
9748 			 */
9749 			if (last)
9750 				advance_peer_ack_point = last->rec.data.TSN_seq;
9751 			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
9752 			    cnt_of_skipped * sizeof(struct sctp_strseq);
9753 		}
9754 		chk->send_size = space_needed;
9755 		/* Setup the chunk */
9756 		fwdtsn = mtod(chk->data, struct sctp_forward_tsn_chunk *);
9757 		fwdtsn->ch.chunk_length = htons(chk->send_size);
9758 		fwdtsn->ch.chunk_flags = 0;
9759 		fwdtsn->ch.chunk_type = SCTP_FORWARD_CUM_TSN;
9760 		fwdtsn->new_cumulative_tsn = htonl(advance_peer_ack_point);
9761 		SCTP_BUF_LEN(chk->data) = chk->send_size;
9762 		fwdtsn++;
9763 		/*-
9764 		 * Move pointer to after the fwdtsn and transfer to the
9765 		 * strseq pointer.
9766 		 */
9767 		strseq = (struct sctp_strseq *)fwdtsn;
9768 		/*-
9769 		 * Now populate the strseq list. This is done blindly
9770 		 * without pulling out duplicate stream info. This is
9771 		 * inefficent but won't harm the process since the peer will
9772 		 * look at these in sequence and will thus release anything.
9773 		 * It could mean we exceed the PMTU and chop off some that
9774 		 * we could have included.. but this is unlikely (aka 1432/4
9775 		 * would mean 300+ stream seq's would have to be reported in
9776 		 * one FWD-TSN. With a bit of work we can later FIX this to
9777 		 * optimize and pull out duplcates.. but it does add more
9778 		 * overhead. So for now... not!
9779 		 */
9780 		at = TAILQ_FIRST(&asoc->sent_queue);
9781 		for (i = 0; i < cnt_of_skipped; i++) {
9782 			tp1 = TAILQ_NEXT(at, sctp_next);
9783 			if (tp1 == NULL)
9784 				break;
9785 			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
9786 				/* We don't report these */
9787 				i--;
9788 				at = tp1;
9789 				continue;
9790 			}
9791 			if (at->rec.data.TSN_seq == advance_peer_ack_point) {
9792 				at->rec.data.fwd_tsn_cnt = 0;
9793 			}
9794 			strseq->stream = ntohs(at->rec.data.stream_number);
9795 			strseq->sequence = ntohs(at->rec.data.stream_seq);
9796 			strseq++;
9797 			at = tp1;
9798 		}
9799 	}
9800 	return;
9801 
9802 }
9803 
9804 void
9805 sctp_send_sack(struct sctp_tcb *stcb)
9806 {
9807 	/*-
9808 	 * Queue up a SACK or NR-SACK in the control queue.
9809 	 * We must first check to see if a SACK or NR-SACK is
9810 	 * somehow on the control queue.
9811 	 * If so, we will take and and remove the old one.
9812 	 */
9813 	struct sctp_association *asoc;
9814 	struct sctp_tmit_chunk *chk, *a_chk;
9815 	struct sctp_sack_chunk *sack;
9816 	struct sctp_nr_sack_chunk *nr_sack;
9817 	struct sctp_gap_ack_block *gap_descriptor;
9818 	struct sack_track *selector;
9819 	int mergeable = 0;
9820 	int offset;
9821 	caddr_t limit;
9822 	uint32_t *dup;
9823 	int limit_reached = 0;
9824 	unsigned int i, siz, j;
9825 	unsigned int num_gap_blocks = 0, num_nr_gap_blocks = 0, space;
9826 	int num_dups = 0;
9827 	int space_req;
9828 	uint32_t highest_tsn;
9829 	uint8_t flags;
9830 	uint8_t type;
9831 	uint8_t tsn_map;
9832 
9833 	if ((stcb->asoc.sctp_nr_sack_on_off == 1) &&
9834 	    (stcb->asoc.peer_supports_nr_sack == 1)) {
9835 		type = SCTP_NR_SELECTIVE_ACK;
9836 	} else {
9837 		type = SCTP_SELECTIVE_ACK;
9838 	}
9839 	a_chk = NULL;
9840 	asoc = &stcb->asoc;
9841 	SCTP_TCB_LOCK_ASSERT(stcb);
9842 	if (asoc->last_data_chunk_from == NULL) {
9843 		/* Hmm we never received anything */
9844 		return;
9845 	}
9846 	sctp_slide_mapping_arrays(stcb);
9847 	sctp_set_rwnd(stcb, asoc);
9848 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9849 		if (chk->rec.chunk_id.id == type) {
9850 			/* Hmm, found a sack already on queue, remove it */
9851 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
9852 			asoc->ctrl_queue_cnt--;
9853 			a_chk = chk;
9854 			if (a_chk->data) {
9855 				sctp_m_freem(a_chk->data);
9856 				a_chk->data = NULL;
9857 			}
9858 			sctp_free_remote_addr(a_chk->whoTo);
9859 			a_chk->whoTo = NULL;
9860 			break;
9861 		}
9862 	}
9863 	if (a_chk == NULL) {
9864 		sctp_alloc_a_chunk(stcb, a_chk);
9865 		if (a_chk == NULL) {
9866 			/* No memory so we drop the idea, and set a timer */
9867 			if (stcb->asoc.delayed_ack) {
9868 				sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
9869 				    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_5);
9870 				sctp_timer_start(SCTP_TIMER_TYPE_RECV,
9871 				    stcb->sctp_ep, stcb, NULL);
9872 			} else {
9873 				stcb->asoc.send_sack = 1;
9874 			}
9875 			return;
9876 		}
9877 		a_chk->copy_by_ref = 0;
9878 		a_chk->rec.chunk_id.id = type;
9879 		a_chk->rec.chunk_id.can_take_data = 1;
9880 	}
9881 	/* Clear our pkt counts */
9882 	asoc->data_pkts_seen = 0;
9883 
9884 	a_chk->asoc = asoc;
9885 	a_chk->snd_count = 0;
9886 	a_chk->send_size = 0;	/* fill in later */
9887 	a_chk->sent = SCTP_DATAGRAM_UNSENT;
9888 	a_chk->whoTo = NULL;
9889 
9890 	if ((asoc->numduptsns) ||
9891 	    (asoc->last_data_chunk_from->dest_state & SCTP_ADDR_NOT_REACHABLE)) {
9892 		/*-
9893 		 * Ok, we have some duplicates or the destination for the
9894 		 * sack is unreachable, lets see if we can select an
9895 		 * alternate than asoc->last_data_chunk_from
9896 		 */
9897 		if ((!(asoc->last_data_chunk_from->dest_state & SCTP_ADDR_NOT_REACHABLE)) &&
9898 		    (asoc->used_alt_onsack > asoc->numnets)) {
9899 			/* We used an alt last time, don't this time */
9900 			a_chk->whoTo = NULL;
9901 		} else {
9902 			asoc->used_alt_onsack++;
9903 			a_chk->whoTo = sctp_find_alternate_net(stcb, asoc->last_data_chunk_from, 0);
9904 		}
9905 		if (a_chk->whoTo == NULL) {
9906 			/* Nope, no alternate */
9907 			a_chk->whoTo = asoc->last_data_chunk_from;
9908 			asoc->used_alt_onsack = 0;
9909 		}
9910 	} else {
9911 		/*
9912 		 * No duplicates so we use the last place we received data
9913 		 * from.
9914 		 */
9915 		asoc->used_alt_onsack = 0;
9916 		a_chk->whoTo = asoc->last_data_chunk_from;
9917 	}
9918 	if (a_chk->whoTo) {
9919 		atomic_add_int(&a_chk->whoTo->ref_count, 1);
9920 	}
9921 	if (SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->highest_tsn_inside_nr_map)) {
9922 		highest_tsn = asoc->highest_tsn_inside_map;
9923 	} else {
9924 		highest_tsn = asoc->highest_tsn_inside_nr_map;
9925 	}
9926 	if (highest_tsn == asoc->cumulative_tsn) {
9927 		/* no gaps */
9928 		if (type == SCTP_SELECTIVE_ACK) {
9929 			space_req = sizeof(struct sctp_sack_chunk);
9930 		} else {
9931 			space_req = sizeof(struct sctp_nr_sack_chunk);
9932 		}
9933 	} else {
9934 		/* gaps get a cluster */
9935 		space_req = MCLBYTES;
9936 	}
9937 	/* Ok now lets formulate a MBUF with our sack */
9938 	a_chk->data = sctp_get_mbuf_for_msg(space_req, 0, M_DONTWAIT, 1, MT_DATA);
9939 	if ((a_chk->data == NULL) ||
9940 	    (a_chk->whoTo == NULL)) {
9941 		/* rats, no mbuf memory */
9942 		if (a_chk->data) {
9943 			/* was a problem with the destination */
9944 			sctp_m_freem(a_chk->data);
9945 			a_chk->data = NULL;
9946 		}
9947 		sctp_free_a_chunk(stcb, a_chk);
9948 		/* sa_ignore NO_NULL_CHK */
9949 		if (stcb->asoc.delayed_ack) {
9950 			sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
9951 			    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_6);
9952 			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
9953 			    stcb->sctp_ep, stcb, NULL);
9954 		} else {
9955 			stcb->asoc.send_sack = 1;
9956 		}
9957 		return;
9958 	}
9959 	/* ok, lets go through and fill it in */
9960 	SCTP_BUF_RESV_UF(a_chk->data, SCTP_MIN_OVERHEAD);
9961 	space = M_TRAILINGSPACE(a_chk->data);
9962 	if (space > (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD)) {
9963 		space = (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD);
9964 	}
9965 	limit = mtod(a_chk->data, caddr_t);
9966 	limit += space;
9967 
9968 	flags = 0;
9969 
9970 	if ((asoc->sctp_cmt_on_off > 0) &&
9971 	    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
9972 		/*-
9973 		 * CMT DAC algorithm: If 2 (i.e., 0x10) packets have been
9974 		 * received, then set high bit to 1, else 0. Reset
9975 		 * pkts_rcvd.
9976 		 */
9977 		flags |= (asoc->cmt_dac_pkts_rcvd << 6);
9978 		asoc->cmt_dac_pkts_rcvd = 0;
9979 	}
9980 #ifdef SCTP_ASOCLOG_OF_TSNS
9981 	stcb->asoc.cumack_logsnt[stcb->asoc.cumack_log_atsnt] = asoc->cumulative_tsn;
9982 	stcb->asoc.cumack_log_atsnt++;
9983 	if (stcb->asoc.cumack_log_atsnt >= SCTP_TSN_LOG_SIZE) {
9984 		stcb->asoc.cumack_log_atsnt = 0;
9985 	}
9986 #endif
9987 	/* reset the readers interpretation */
9988 	stcb->freed_by_sorcv_sincelast = 0;
9989 
9990 	if (type == SCTP_SELECTIVE_ACK) {
9991 		sack = mtod(a_chk->data, struct sctp_sack_chunk *);
9992 		nr_sack = NULL;
9993 		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)sack + sizeof(struct sctp_sack_chunk));
9994 		if (highest_tsn > asoc->mapping_array_base_tsn) {
9995 			siz = (((highest_tsn - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
9996 		} else {
9997 			siz = (((MAX_TSN - highest_tsn) + 1) + highest_tsn + 7) / 8;
9998 		}
9999 	} else {
10000 		sack = NULL;
10001 		nr_sack = mtod(a_chk->data, struct sctp_nr_sack_chunk *);
10002 		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)nr_sack + sizeof(struct sctp_nr_sack_chunk));
10003 		if (asoc->highest_tsn_inside_map > asoc->mapping_array_base_tsn) {
10004 			siz = (((asoc->highest_tsn_inside_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10005 		} else {
10006 			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_map + 7) / 8;
10007 		}
10008 	}
10009 
10010 	if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10011 		offset = 1;
10012 	} else {
10013 		offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10014 	}
10015 	if (((type == SCTP_SELECTIVE_ACK) &&
10016 	    SCTP_TSN_GT(highest_tsn, asoc->cumulative_tsn)) ||
10017 	    ((type == SCTP_NR_SELECTIVE_ACK) &&
10018 	    SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->cumulative_tsn))) {
10019 		/* we have a gap .. maybe */
10020 		for (i = 0; i < siz; i++) {
10021 			tsn_map = asoc->mapping_array[i];
10022 			if (type == SCTP_SELECTIVE_ACK) {
10023 				tsn_map |= asoc->nr_mapping_array[i];
10024 			}
10025 			if (i == 0) {
10026 				/*
10027 				 * Clear all bits corresponding to TSNs
10028 				 * smaller or equal to the cumulative TSN.
10029 				 */
10030 				tsn_map &= (~0 << (1 - offset));
10031 			}
10032 			selector = &sack_array[tsn_map];
10033 			if (mergeable && selector->right_edge) {
10034 				/*
10035 				 * Backup, left and right edges were ok to
10036 				 * merge.
10037 				 */
10038 				num_gap_blocks--;
10039 				gap_descriptor--;
10040 			}
10041 			if (selector->num_entries == 0)
10042 				mergeable = 0;
10043 			else {
10044 				for (j = 0; j < selector->num_entries; j++) {
10045 					if (mergeable && selector->right_edge) {
10046 						/*
10047 						 * do a merge by NOT setting
10048 						 * the left side
10049 						 */
10050 						mergeable = 0;
10051 					} else {
10052 						/*
10053 						 * no merge, set the left
10054 						 * side
10055 						 */
10056 						mergeable = 0;
10057 						gap_descriptor->start = htons((selector->gaps[j].start + offset));
10058 					}
10059 					gap_descriptor->end = htons((selector->gaps[j].end + offset));
10060 					num_gap_blocks++;
10061 					gap_descriptor++;
10062 					if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10063 						/* no more room */
10064 						limit_reached = 1;
10065 						break;
10066 					}
10067 				}
10068 				if (selector->left_edge) {
10069 					mergeable = 1;
10070 				}
10071 			}
10072 			if (limit_reached) {
10073 				/* Reached the limit stop */
10074 				break;
10075 			}
10076 			offset += 8;
10077 		}
10078 	}
10079 	if ((type == SCTP_NR_SELECTIVE_ACK) &&
10080 	    (limit_reached == 0)) {
10081 
10082 		mergeable = 0;
10083 
10084 		if (asoc->highest_tsn_inside_nr_map > asoc->mapping_array_base_tsn) {
10085 			siz = (((asoc->highest_tsn_inside_nr_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10086 		} else {
10087 			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_nr_map + 7) / 8;
10088 		}
10089 
10090 		if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10091 			offset = 1;
10092 		} else {
10093 			offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10094 		}
10095 		if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->cumulative_tsn)) {
10096 			/* we have a gap .. maybe */
10097 			for (i = 0; i < siz; i++) {
10098 				tsn_map = asoc->nr_mapping_array[i];
10099 				if (i == 0) {
10100 					/*
10101 					 * Clear all bits corresponding to
10102 					 * TSNs smaller or equal to the
10103 					 * cumulative TSN.
10104 					 */
10105 					tsn_map &= (~0 << (1 - offset));
10106 				}
10107 				selector = &sack_array[tsn_map];
10108 				if (mergeable && selector->right_edge) {
10109 					/*
10110 					 * Backup, left and right edges were
10111 					 * ok to merge.
10112 					 */
10113 					num_nr_gap_blocks--;
10114 					gap_descriptor--;
10115 				}
10116 				if (selector->num_entries == 0)
10117 					mergeable = 0;
10118 				else {
10119 					for (j = 0; j < selector->num_entries; j++) {
10120 						if (mergeable && selector->right_edge) {
10121 							/*
10122 							 * do a merge by NOT
10123 							 * setting the left
10124 							 * side
10125 							 */
10126 							mergeable = 0;
10127 						} else {
10128 							/*
10129 							 * no merge, set the
10130 							 * left side
10131 							 */
10132 							mergeable = 0;
10133 							gap_descriptor->start = htons((selector->gaps[j].start + offset));
10134 						}
10135 						gap_descriptor->end = htons((selector->gaps[j].end + offset));
10136 						num_nr_gap_blocks++;
10137 						gap_descriptor++;
10138 						if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10139 							/* no more room */
10140 							limit_reached = 1;
10141 							break;
10142 						}
10143 					}
10144 					if (selector->left_edge) {
10145 						mergeable = 1;
10146 					}
10147 				}
10148 				if (limit_reached) {
10149 					/* Reached the limit stop */
10150 					break;
10151 				}
10152 				offset += 8;
10153 			}
10154 		}
10155 	}
10156 	/* now we must add any dups we are going to report. */
10157 	if ((limit_reached == 0) && (asoc->numduptsns)) {
10158 		dup = (uint32_t *) gap_descriptor;
10159 		for (i = 0; i < asoc->numduptsns; i++) {
10160 			*dup = htonl(asoc->dup_tsns[i]);
10161 			dup++;
10162 			num_dups++;
10163 			if (((caddr_t)dup + sizeof(uint32_t)) > limit) {
10164 				/* no more room */
10165 				break;
10166 			}
10167 		}
10168 		asoc->numduptsns = 0;
10169 	}
10170 	/*
10171 	 * now that the chunk is prepared queue it to the control chunk
10172 	 * queue.
10173 	 */
10174 	if (type == SCTP_SELECTIVE_ACK) {
10175 		a_chk->send_size = sizeof(struct sctp_sack_chunk) +
10176 		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10177 		    num_dups * sizeof(int32_t);
10178 		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10179 		sack->sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10180 		sack->sack.a_rwnd = htonl(asoc->my_rwnd);
10181 		sack->sack.num_gap_ack_blks = htons(num_gap_blocks);
10182 		sack->sack.num_dup_tsns = htons(num_dups);
10183 		sack->ch.chunk_type = type;
10184 		sack->ch.chunk_flags = flags;
10185 		sack->ch.chunk_length = htons(a_chk->send_size);
10186 	} else {
10187 		a_chk->send_size = sizeof(struct sctp_nr_sack_chunk) +
10188 		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10189 		    num_dups * sizeof(int32_t);
10190 		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10191 		nr_sack->nr_sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10192 		nr_sack->nr_sack.a_rwnd = htonl(asoc->my_rwnd);
10193 		nr_sack->nr_sack.num_gap_ack_blks = htons(num_gap_blocks);
10194 		nr_sack->nr_sack.num_nr_gap_ack_blks = htons(num_nr_gap_blocks);
10195 		nr_sack->nr_sack.num_dup_tsns = htons(num_dups);
10196 		nr_sack->nr_sack.reserved = 0;
10197 		nr_sack->ch.chunk_type = type;
10198 		nr_sack->ch.chunk_flags = flags;
10199 		nr_sack->ch.chunk_length = htons(a_chk->send_size);
10200 	}
10201 	TAILQ_INSERT_TAIL(&asoc->control_send_queue, a_chk, sctp_next);
10202 	asoc->my_last_reported_rwnd = asoc->my_rwnd;
10203 	asoc->ctrl_queue_cnt++;
10204 	asoc->send_sack = 0;
10205 	SCTP_STAT_INCR(sctps_sendsacks);
10206 	return;
10207 }
10208 
10209 void
10210 sctp_send_abort_tcb(struct sctp_tcb *stcb, struct mbuf *operr, int so_locked
10211 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
10212     SCTP_UNUSED
10213 #endif
10214 )
10215 {
10216 	struct mbuf *m_abort;
10217 	struct mbuf *m_out = NULL, *m_end = NULL;
10218 	struct sctp_abort_chunk *abort = NULL;
10219 	int sz;
10220 	uint32_t auth_offset = 0;
10221 	struct sctp_auth_chunk *auth = NULL;
10222 
10223 	/*-
10224 	 * Add an AUTH chunk, if chunk requires it and save the offset into
10225 	 * the chain for AUTH
10226 	 */
10227 	if (sctp_auth_is_required_chunk(SCTP_ABORT_ASSOCIATION,
10228 	    stcb->asoc.peer_auth_chunks)) {
10229 		m_out = sctp_add_auth_chunk(m_out, &m_end, &auth, &auth_offset,
10230 		    stcb, SCTP_ABORT_ASSOCIATION);
10231 		SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10232 	}
10233 	SCTP_TCB_LOCK_ASSERT(stcb);
10234 	m_abort = sctp_get_mbuf_for_msg(sizeof(struct sctp_abort_chunk), 0, M_DONTWAIT, 1, MT_HEADER);
10235 	if (m_abort == NULL) {
10236 		/* no mbuf's */
10237 		if (m_out)
10238 			sctp_m_freem(m_out);
10239 		return;
10240 	}
10241 	/* link in any error */
10242 	SCTP_BUF_NEXT(m_abort) = operr;
10243 	sz = 0;
10244 	if (operr) {
10245 		struct mbuf *n;
10246 
10247 		n = operr;
10248 		while (n) {
10249 			sz += SCTP_BUF_LEN(n);
10250 			n = SCTP_BUF_NEXT(n);
10251 		}
10252 	}
10253 	SCTP_BUF_LEN(m_abort) = sizeof(*abort);
10254 	if (m_out == NULL) {
10255 		/* NO Auth chunk prepended, so reserve space in front */
10256 		SCTP_BUF_RESV_UF(m_abort, SCTP_MIN_OVERHEAD);
10257 		m_out = m_abort;
10258 	} else {
10259 		/* Put AUTH chunk at the front of the chain */
10260 		SCTP_BUF_NEXT(m_end) = m_abort;
10261 	}
10262 
10263 	/* fill in the ABORT chunk */
10264 	abort = mtod(m_abort, struct sctp_abort_chunk *);
10265 	abort->ch.chunk_type = SCTP_ABORT_ASSOCIATION;
10266 	abort->ch.chunk_flags = 0;
10267 	abort->ch.chunk_length = htons(sizeof(*abort) + sz);
10268 
10269 	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb,
10270 	    stcb->asoc.primary_destination,
10271 	    (struct sockaddr *)&stcb->asoc.primary_destination->ro._l_addr,
10272 	    m_out, auth_offset, auth, stcb->asoc.authinfo.active_keyid, 1, 0, NULL, 0,
10273 	    stcb->sctp_ep->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
10274 	    stcb->asoc.primary_destination->port, so_locked, NULL, NULL);
10275 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10276 }
10277 
10278 void
10279 sctp_send_shutdown_complete(struct sctp_tcb *stcb,
10280     struct sctp_nets *net,
10281     int reflect_vtag)
10282 {
10283 	/* formulate and SEND a SHUTDOWN-COMPLETE */
10284 	struct mbuf *m_shutdown_comp;
10285 	struct sctp_shutdown_complete_chunk *shutdown_complete;
10286 	uint32_t vtag;
10287 	uint8_t flags;
10288 
10289 	m_shutdown_comp = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_DONTWAIT, 1, MT_HEADER);
10290 	if (m_shutdown_comp == NULL) {
10291 		/* no mbuf's */
10292 		return;
10293 	}
10294 	if (reflect_vtag) {
10295 		flags = SCTP_HAD_NO_TCB;
10296 		vtag = stcb->asoc.my_vtag;
10297 	} else {
10298 		flags = 0;
10299 		vtag = stcb->asoc.peer_vtag;
10300 	}
10301 	shutdown_complete = mtod(m_shutdown_comp, struct sctp_shutdown_complete_chunk *);
10302 	shutdown_complete->ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
10303 	shutdown_complete->ch.chunk_flags = flags;
10304 	shutdown_complete->ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
10305 	SCTP_BUF_LEN(m_shutdown_comp) = sizeof(struct sctp_shutdown_complete_chunk);
10306 	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
10307 	    (struct sockaddr *)&net->ro._l_addr,
10308 	    m_shutdown_comp, 0, NULL, 0, 1, 0, NULL, 0,
10309 	    stcb->sctp_ep->sctp_lport, stcb->rport,
10310 	    htonl(vtag),
10311 	    net->port, SCTP_SO_NOT_LOCKED, NULL, NULL);
10312 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10313 	return;
10314 }
10315 
10316 void
10317 sctp_send_shutdown_complete2(struct mbuf *m, int iphlen, struct sctphdr *sh,
10318     uint32_t vrf_id, uint16_t port)
10319 {
10320 	/* formulate and SEND a SHUTDOWN-COMPLETE */
10321 	struct mbuf *o_pak;
10322 	struct mbuf *mout;
10323 	struct ip *iph, *iph_out;
10324 	struct udphdr *udp = NULL;
10325 
10326 #ifdef INET6
10327 	struct ip6_hdr *ip6, *ip6_out;
10328 
10329 #endif
10330 	int offset_out, len, mlen;
10331 	struct sctp_shutdown_complete_msg *comp_cp;
10332 
10333 	iph = mtod(m, struct ip *);
10334 	switch (iph->ip_v) {
10335 	case IPVERSION:
10336 		len = (sizeof(struct ip) + sizeof(struct sctp_shutdown_complete_msg));
10337 		break;
10338 #ifdef INET6
10339 	case IPV6_VERSION >> 4:
10340 		len = (sizeof(struct ip6_hdr) + sizeof(struct sctp_shutdown_complete_msg));
10341 		break;
10342 #endif
10343 	default:
10344 		return;
10345 	}
10346 	if (port) {
10347 		len += sizeof(struct udphdr);
10348 	}
10349 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_DONTWAIT, 1, MT_DATA);
10350 	if (mout == NULL) {
10351 		return;
10352 	}
10353 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
10354 	SCTP_BUF_LEN(mout) = len;
10355 	SCTP_BUF_NEXT(mout) = NULL;
10356 	if (m->m_flags & M_FLOWID) {
10357 		mout->m_pkthdr.flowid = m->m_pkthdr.flowid;
10358 		mout->m_flags |= M_FLOWID;
10359 	}
10360 	iph_out = NULL;
10361 #ifdef INET6
10362 	ip6_out = NULL;
10363 #endif
10364 	offset_out = 0;
10365 
10366 	switch (iph->ip_v) {
10367 	case IPVERSION:
10368 		iph_out = mtod(mout, struct ip *);
10369 
10370 		/* Fill in the IP header for the ABORT */
10371 		iph_out->ip_v = IPVERSION;
10372 		iph_out->ip_hl = (sizeof(struct ip) / 4);
10373 		iph_out->ip_tos = (u_char)0;
10374 		iph_out->ip_id = 0;
10375 		iph_out->ip_off = 0;
10376 		iph_out->ip_ttl = MAXTTL;
10377 		if (port) {
10378 			iph_out->ip_p = IPPROTO_UDP;
10379 		} else {
10380 			iph_out->ip_p = IPPROTO_SCTP;
10381 		}
10382 		iph_out->ip_src.s_addr = iph->ip_dst.s_addr;
10383 		iph_out->ip_dst.s_addr = iph->ip_src.s_addr;
10384 
10385 		/* let IP layer calculate this */
10386 		iph_out->ip_sum = 0;
10387 		offset_out += sizeof(*iph_out);
10388 		comp_cp = (struct sctp_shutdown_complete_msg *)(
10389 		    (caddr_t)iph_out + offset_out);
10390 		break;
10391 #ifdef INET6
10392 	case IPV6_VERSION >> 4:
10393 		ip6 = (struct ip6_hdr *)iph;
10394 		ip6_out = mtod(mout, struct ip6_hdr *);
10395 
10396 		/* Fill in the IPv6 header for the ABORT */
10397 		ip6_out->ip6_flow = ip6->ip6_flow;
10398 		ip6_out->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
10399 		if (port) {
10400 			ip6_out->ip6_nxt = IPPROTO_UDP;
10401 		} else {
10402 			ip6_out->ip6_nxt = IPPROTO_SCTP;
10403 		}
10404 		ip6_out->ip6_src = ip6->ip6_dst;
10405 		ip6_out->ip6_dst = ip6->ip6_src;
10406 		/*
10407 		 * ?? The old code had both the iph len + payload, I think
10408 		 * this is wrong and would never have worked
10409 		 */
10410 		ip6_out->ip6_plen = sizeof(struct sctp_shutdown_complete_msg);
10411 		offset_out += sizeof(*ip6_out);
10412 		comp_cp = (struct sctp_shutdown_complete_msg *)(
10413 		    (caddr_t)ip6_out + offset_out);
10414 		break;
10415 #endif				/* INET6 */
10416 	default:
10417 		/* Currently not supported. */
10418 		sctp_m_freem(mout);
10419 		return;
10420 	}
10421 	if (port) {
10422 		udp = (struct udphdr *)comp_cp;
10423 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
10424 		udp->uh_dport = port;
10425 		udp->uh_ulen = htons(sizeof(struct sctp_shutdown_complete_msg) + sizeof(struct udphdr));
10426 		if (iph_out)
10427 			udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
10428 		offset_out += sizeof(struct udphdr);
10429 		comp_cp = (struct sctp_shutdown_complete_msg *)((caddr_t)comp_cp + sizeof(struct udphdr));
10430 	}
10431 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
10432 		/* no mbuf's */
10433 		sctp_m_freem(mout);
10434 		return;
10435 	}
10436 	/* Now copy in and fill in the ABORT tags etc. */
10437 	comp_cp->sh.src_port = sh->dest_port;
10438 	comp_cp->sh.dest_port = sh->src_port;
10439 	comp_cp->sh.checksum = 0;
10440 	comp_cp->sh.v_tag = sh->v_tag;
10441 	comp_cp->shut_cmp.ch.chunk_flags = SCTP_HAD_NO_TCB;
10442 	comp_cp->shut_cmp.ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
10443 	comp_cp->shut_cmp.ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
10444 
10445 	if (iph_out != NULL) {
10446 		sctp_route_t ro;
10447 		int ret;
10448 
10449 		mlen = SCTP_BUF_LEN(mout);
10450 		bzero(&ro, sizeof ro);
10451 		/* set IPv4 length */
10452 		iph_out->ip_len = mlen;
10453 #ifdef  SCTP_PACKET_LOGGING
10454 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
10455 			sctp_packet_log(mout, mlen);
10456 #endif
10457 		if (port) {
10458 #if defined(SCTP_WITH_NO_CSUM)
10459 			SCTP_STAT_INCR(sctps_sendnocrc);
10460 #else
10461 			comp_cp->sh.checksum = sctp_calculate_cksum(mout, offset_out);
10462 			SCTP_STAT_INCR(sctps_sendswcrc);
10463 #endif
10464 			SCTP_ENABLE_UDP_CSUM(mout);
10465 		} else {
10466 #if defined(SCTP_WITH_NO_CSUM)
10467 			SCTP_STAT_INCR(sctps_sendnocrc);
10468 #else
10469 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
10470 			mout->m_pkthdr.csum_data = 0;
10471 			SCTP_STAT_INCR(sctps_sendhwcrc);
10472 #endif
10473 		}
10474 		SCTP_ATTACH_CHAIN(o_pak, mout, mlen);
10475 		/* out it goes */
10476 		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
10477 
10478 		/* Free the route if we got one back */
10479 		if (ro.ro_rt)
10480 			RTFREE(ro.ro_rt);
10481 	}
10482 #ifdef INET6
10483 	if (ip6_out != NULL) {
10484 		struct route_in6 ro;
10485 		int ret;
10486 		struct ifnet *ifp = NULL;
10487 
10488 		bzero(&ro, sizeof(ro));
10489 		mlen = SCTP_BUF_LEN(mout);
10490 #ifdef  SCTP_PACKET_LOGGING
10491 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
10492 			sctp_packet_log(mout, mlen);
10493 #endif
10494 		SCTP_ATTACH_CHAIN(o_pak, mout, mlen);
10495 		if (port) {
10496 #if defined(SCTP_WITH_NO_CSUM)
10497 			SCTP_STAT_INCR(sctps_sendnocrc);
10498 #else
10499 			comp_cp->sh.checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
10500 			SCTP_STAT_INCR(sctps_sendswcrc);
10501 #endif
10502 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), mlen - sizeof(struct ip6_hdr))) == 0) {
10503 				udp->uh_sum = 0xffff;
10504 			}
10505 		} else {
10506 #if defined(SCTP_WITH_NO_CSUM)
10507 			SCTP_STAT_INCR(sctps_sendnocrc);
10508 #else
10509 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
10510 			mout->m_pkthdr.csum_data = 0;
10511 			SCTP_STAT_INCR(sctps_sendhwcrc);
10512 #endif
10513 		}
10514 		SCTP_IP6_OUTPUT(ret, o_pak, &ro, &ifp, NULL, vrf_id);
10515 
10516 		/* Free the route if we got one back */
10517 		if (ro.ro_rt)
10518 			RTFREE(ro.ro_rt);
10519 	}
10520 #endif
10521 	SCTP_STAT_INCR(sctps_sendpackets);
10522 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
10523 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10524 	return;
10525 
10526 }
10527 
10528 static struct sctp_nets *
10529 sctp_select_hb_destination(struct sctp_tcb *stcb, struct timeval *now)
10530 {
10531 	struct sctp_nets *net, *hnet;
10532 	int ms_goneby, highest_ms, state_overide = 0;
10533 
10534 	(void)SCTP_GETTIME_TIMEVAL(now);
10535 	highest_ms = 0;
10536 	hnet = NULL;
10537 	SCTP_TCB_LOCK_ASSERT(stcb);
10538 	TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
10539 		if (
10540 		    ((net->dest_state & SCTP_ADDR_NOHB) && ((net->dest_state & SCTP_ADDR_UNCONFIRMED) == 0)) ||
10541 		    (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)
10542 		    ) {
10543 			/*
10544 			 * Skip this guy from consideration if HB is off AND
10545 			 * its confirmed
10546 			 */
10547 			continue;
10548 		}
10549 		if (sctp_destination_is_reachable(stcb, (struct sockaddr *)&net->ro._l_addr) == 0) {
10550 			/* skip this dest net from consideration */
10551 			continue;
10552 		}
10553 		if (net->last_sent_time.tv_sec) {
10554 			/* Sent to so we subtract */
10555 			ms_goneby = (now->tv_sec - net->last_sent_time.tv_sec) * 1000;
10556 		} else
10557 			/* Never been sent to */
10558 			ms_goneby = 0x7fffffff;
10559 		/*-
10560 		 * When the address state is unconfirmed but still
10561 		 * considered reachable, we HB at a higher rate. Once it
10562 		 * goes confirmed OR reaches the "unreachable" state, thenw
10563 		 * we cut it back to HB at a more normal pace.
10564 		 */
10565 		if ((net->dest_state & (SCTP_ADDR_UNCONFIRMED | SCTP_ADDR_NOT_REACHABLE)) == SCTP_ADDR_UNCONFIRMED) {
10566 			state_overide = 1;
10567 		} else {
10568 			state_overide = 0;
10569 		}
10570 
10571 		if ((((unsigned int)ms_goneby >= net->RTO) || (state_overide)) &&
10572 		    (ms_goneby > highest_ms)) {
10573 			highest_ms = ms_goneby;
10574 			hnet = net;
10575 		}
10576 	}
10577 	if (hnet &&
10578 	    ((hnet->dest_state & (SCTP_ADDR_UNCONFIRMED | SCTP_ADDR_NOT_REACHABLE)) == SCTP_ADDR_UNCONFIRMED)) {
10579 		state_overide = 1;
10580 	} else {
10581 		state_overide = 0;
10582 	}
10583 
10584 	if (hnet && highest_ms && (((unsigned int)highest_ms >= hnet->RTO) || state_overide)) {
10585 		/*-
10586 		 * Found the one with longest delay bounds OR it is
10587 		 * unconfirmed and still not marked unreachable.
10588 		 */
10589 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "net:%p is the hb winner -", hnet);
10590 #ifdef SCTP_DEBUG
10591 		if (hnet) {
10592 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT4,
10593 			    (struct sockaddr *)&hnet->ro._l_addr);
10594 		} else {
10595 			SCTPDBG(SCTP_DEBUG_OUTPUT4, " none\n");
10596 		}
10597 #endif
10598 		/* update the timer now */
10599 		hnet->last_sent_time = *now;
10600 		return (hnet);
10601 	}
10602 	/* Nothing to HB */
10603 	return (NULL);
10604 }
10605 
10606 int
10607 sctp_send_hb(struct sctp_tcb *stcb, int user_req, struct sctp_nets *u_net)
10608 {
10609 	struct sctp_tmit_chunk *chk;
10610 	struct sctp_nets *net;
10611 	struct sctp_heartbeat_chunk *hb;
10612 	struct timeval now;
10613 	struct sockaddr_in *sin;
10614 	struct sockaddr_in6 *sin6;
10615 
10616 	SCTP_TCB_LOCK_ASSERT(stcb);
10617 	if (user_req == 0) {
10618 		net = sctp_select_hb_destination(stcb, &now);
10619 		if (net == NULL) {
10620 			/*-
10621 			 * All our busy none to send to, just start the
10622 			 * timer again.
10623 			 */
10624 			if (stcb->asoc.state == 0) {
10625 				return (0);
10626 			}
10627 			sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT,
10628 			    stcb->sctp_ep,
10629 			    stcb,
10630 			    net);
10631 			return (0);
10632 		}
10633 	} else {
10634 		net = u_net;
10635 		if (net == NULL) {
10636 			return (0);
10637 		}
10638 		(void)SCTP_GETTIME_TIMEVAL(&now);
10639 	}
10640 	sin = (struct sockaddr_in *)&net->ro._l_addr;
10641 	if (sin->sin_family != AF_INET) {
10642 		if (sin->sin_family != AF_INET6) {
10643 			/* huh */
10644 			return (0);
10645 		}
10646 	}
10647 	sctp_alloc_a_chunk(stcb, chk);
10648 	if (chk == NULL) {
10649 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak, can't get a chunk for hb\n");
10650 		return (0);
10651 	}
10652 	chk->copy_by_ref = 0;
10653 	chk->rec.chunk_id.id = SCTP_HEARTBEAT_REQUEST;
10654 	chk->rec.chunk_id.can_take_data = 1;
10655 	chk->asoc = &stcb->asoc;
10656 	chk->send_size = sizeof(struct sctp_heartbeat_chunk);
10657 
10658 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_DONTWAIT, 1, MT_HEADER);
10659 	if (chk->data == NULL) {
10660 		sctp_free_a_chunk(stcb, chk);
10661 		return (0);
10662 	}
10663 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10664 	SCTP_BUF_LEN(chk->data) = chk->send_size;
10665 	chk->sent = SCTP_DATAGRAM_UNSENT;
10666 	chk->snd_count = 0;
10667 	chk->whoTo = net;
10668 	atomic_add_int(&chk->whoTo->ref_count, 1);
10669 	/* Now we have a mbuf that we can fill in with the details */
10670 	hb = mtod(chk->data, struct sctp_heartbeat_chunk *);
10671 	memset(hb, 0, sizeof(struct sctp_heartbeat_chunk));
10672 	/* fill out chunk header */
10673 	hb->ch.chunk_type = SCTP_HEARTBEAT_REQUEST;
10674 	hb->ch.chunk_flags = 0;
10675 	hb->ch.chunk_length = htons(chk->send_size);
10676 	/* Fill out hb parameter */
10677 	hb->heartbeat.hb_info.ph.param_type = htons(SCTP_HEARTBEAT_INFO);
10678 	hb->heartbeat.hb_info.ph.param_length = htons(sizeof(struct sctp_heartbeat_info_param));
10679 	hb->heartbeat.hb_info.time_value_1 = now.tv_sec;
10680 	hb->heartbeat.hb_info.time_value_2 = now.tv_usec;
10681 	/* Did our user request this one, put it in */
10682 	hb->heartbeat.hb_info.user_req = user_req;
10683 	hb->heartbeat.hb_info.addr_family = sin->sin_family;
10684 	hb->heartbeat.hb_info.addr_len = sin->sin_len;
10685 	if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
10686 		/*
10687 		 * we only take from the entropy pool if the address is not
10688 		 * confirmed.
10689 		 */
10690 		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
10691 		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
10692 	} else {
10693 		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = 0;
10694 		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = 0;
10695 	}
10696 	if (sin->sin_family == AF_INET) {
10697 		memcpy(hb->heartbeat.hb_info.address, &sin->sin_addr, sizeof(sin->sin_addr));
10698 	} else if (sin->sin_family == AF_INET6) {
10699 		/* We leave the scope the way it is in our lookup table. */
10700 		sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
10701 		memcpy(hb->heartbeat.hb_info.address, &sin6->sin6_addr, sizeof(sin6->sin6_addr));
10702 	} else {
10703 		/* huh compiler bug */
10704 		return (0);
10705 	}
10706 
10707 	/*
10708 	 * JRS 5/14/07 - In CMT PF, the T3 timer is used to track
10709 	 * PF-heartbeats.  Because of this, threshold management is done by
10710 	 * the t3 timer handler, and does not need to be done upon the send
10711 	 * of a PF-heartbeat. If CMT PF is on and the destination to which a
10712 	 * heartbeat is being sent is in PF state, do NOT do threshold
10713 	 * management.
10714 	 */
10715 	if ((stcb->asoc.sctp_cmt_pf == 0) ||
10716 	    ((net->dest_state & SCTP_ADDR_PF) != SCTP_ADDR_PF)) {
10717 		/* ok we have a destination that needs a beat */
10718 		/* lets do the theshold management Qiaobing style */
10719 		if (sctp_threshold_management(stcb->sctp_ep, stcb, net,
10720 		    stcb->asoc.max_send_times)) {
10721 			/*-
10722 			 * we have lost the association, in a way this is
10723 			 * quite bad since we really are one less time since
10724 			 * we really did not send yet. This is the down side
10725 			 * to the Q's style as defined in the RFC and not my
10726 			 * alternate style defined in the RFC.
10727 			 */
10728 			if (chk->data != NULL) {
10729 				sctp_m_freem(chk->data);
10730 				chk->data = NULL;
10731 			}
10732 			/*
10733 			 * Here we do NOT use the macro since the
10734 			 * association is now gone.
10735 			 */
10736 			if (chk->whoTo) {
10737 				sctp_free_remote_addr(chk->whoTo);
10738 				chk->whoTo = NULL;
10739 			}
10740 			sctp_free_a_chunk((struct sctp_tcb *)NULL, chk);
10741 			return (-1);
10742 		}
10743 	}
10744 	net->hb_responded = 0;
10745 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
10746 	stcb->asoc.ctrl_queue_cnt++;
10747 	SCTP_STAT_INCR(sctps_sendheartbeat);
10748 	/*-
10749 	 * Call directly med level routine to put out the chunk. It will
10750 	 * always tumble out control chunks aka HB but it may even tumble
10751 	 * out data too.
10752 	 */
10753 	return (1);
10754 }
10755 
10756 void
10757 sctp_send_ecn_echo(struct sctp_tcb *stcb, struct sctp_nets *net,
10758     uint32_t high_tsn)
10759 {
10760 	struct sctp_association *asoc;
10761 	struct sctp_ecne_chunk *ecne;
10762 	struct sctp_tmit_chunk *chk;
10763 
10764 	asoc = &stcb->asoc;
10765 	SCTP_TCB_LOCK_ASSERT(stcb);
10766 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10767 		if ((chk->rec.chunk_id.id == SCTP_ECN_ECHO) && (net == chk->whoTo)) {
10768 			/* found a previous ECN_ECHO update it if needed */
10769 			uint32_t cnt, ctsn;
10770 
10771 			ecne = mtod(chk->data, struct sctp_ecne_chunk *);
10772 			ctsn = ntohl(ecne->tsn);
10773 			if (SCTP_TSN_GT(high_tsn, ctsn)) {
10774 				ecne->tsn = htonl(high_tsn);
10775 				SCTP_STAT_INCR(sctps_queue_upd_ecne);
10776 			}
10777 			cnt = ntohl(ecne->num_pkts_since_cwr);
10778 			cnt++;
10779 			ecne->num_pkts_since_cwr = htonl(cnt);
10780 			return;
10781 		}
10782 	}
10783 	/* nope could not find one to update so we must build one */
10784 	sctp_alloc_a_chunk(stcb, chk);
10785 	if (chk == NULL) {
10786 		return;
10787 	}
10788 	chk->copy_by_ref = 0;
10789 	SCTP_STAT_INCR(sctps_queue_upd_ecne);
10790 	chk->rec.chunk_id.id = SCTP_ECN_ECHO;
10791 	chk->rec.chunk_id.can_take_data = 0;
10792 	chk->asoc = &stcb->asoc;
10793 	chk->send_size = sizeof(struct sctp_ecne_chunk);
10794 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_DONTWAIT, 1, MT_HEADER);
10795 	if (chk->data == NULL) {
10796 		sctp_free_a_chunk(stcb, chk);
10797 		return;
10798 	}
10799 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10800 	SCTP_BUF_LEN(chk->data) = chk->send_size;
10801 	chk->sent = SCTP_DATAGRAM_UNSENT;
10802 	chk->snd_count = 0;
10803 	chk->whoTo = net;
10804 	atomic_add_int(&chk->whoTo->ref_count, 1);
10805 	stcb->asoc.ecn_echo_cnt_onq++;
10806 	ecne = mtod(chk->data, struct sctp_ecne_chunk *);
10807 	ecne->ch.chunk_type = SCTP_ECN_ECHO;
10808 	ecne->ch.chunk_flags = 0;
10809 	ecne->ch.chunk_length = htons(sizeof(struct sctp_ecne_chunk));
10810 	ecne->tsn = htonl(high_tsn);
10811 	ecne->num_pkts_since_cwr = htonl(1);
10812 	TAILQ_INSERT_HEAD(&stcb->asoc.control_send_queue, chk, sctp_next);
10813 	asoc->ctrl_queue_cnt++;
10814 }
10815 
10816 void
10817 sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
10818     struct mbuf *m, int iphlen, int bad_crc)
10819 {
10820 	struct sctp_association *asoc;
10821 	struct sctp_pktdrop_chunk *drp;
10822 	struct sctp_tmit_chunk *chk;
10823 	uint8_t *datap;
10824 	int len;
10825 	int was_trunc = 0;
10826 	struct ip *iph;
10827 
10828 #ifdef INET6
10829 	struct ip6_hdr *ip6h;
10830 
10831 #endif
10832 	int fullsz = 0, extra = 0;
10833 	long spc;
10834 	int offset;
10835 	struct sctp_chunkhdr *ch, chunk_buf;
10836 	unsigned int chk_length;
10837 
10838 	if (!stcb) {
10839 		return;
10840 	}
10841 	asoc = &stcb->asoc;
10842 	SCTP_TCB_LOCK_ASSERT(stcb);
10843 	if (asoc->peer_supports_pktdrop == 0) {
10844 		/*-
10845 		 * peer must declare support before I send one.
10846 		 */
10847 		return;
10848 	}
10849 	if (stcb->sctp_socket == NULL) {
10850 		return;
10851 	}
10852 	sctp_alloc_a_chunk(stcb, chk);
10853 	if (chk == NULL) {
10854 		return;
10855 	}
10856 	chk->copy_by_ref = 0;
10857 	iph = mtod(m, struct ip *);
10858 	if (iph == NULL) {
10859 		sctp_free_a_chunk(stcb, chk);
10860 		return;
10861 	}
10862 	switch (iph->ip_v) {
10863 	case IPVERSION:
10864 		/* IPv4 */
10865 		len = chk->send_size = iph->ip_len;
10866 		break;
10867 #ifdef INET6
10868 	case IPV6_VERSION >> 4:
10869 		/* IPv6 */
10870 		ip6h = mtod(m, struct ip6_hdr *);
10871 		len = chk->send_size = htons(ip6h->ip6_plen);
10872 		break;
10873 #endif
10874 	default:
10875 		return;
10876 	}
10877 	/* Validate that we do not have an ABORT in here. */
10878 	offset = iphlen + sizeof(struct sctphdr);
10879 	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
10880 	    sizeof(*ch), (uint8_t *) & chunk_buf);
10881 	while (ch != NULL) {
10882 		chk_length = ntohs(ch->chunk_length);
10883 		if (chk_length < sizeof(*ch)) {
10884 			/* break to abort land */
10885 			break;
10886 		}
10887 		switch (ch->chunk_type) {
10888 		case SCTP_PACKET_DROPPED:
10889 		case SCTP_ABORT_ASSOCIATION:
10890 		case SCTP_INITIATION_ACK:
10891 			/**
10892 			 * We don't respond with an PKT-DROP to an ABORT
10893 			 * or PKT-DROP. We also do not respond to an
10894 			 * INIT-ACK, because we can't know if the initiation
10895 			 * tag is correct or not.
10896 			 */
10897 			sctp_free_a_chunk(stcb, chk);
10898 			return;
10899 		default:
10900 			break;
10901 		}
10902 		offset += SCTP_SIZE32(chk_length);
10903 		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
10904 		    sizeof(*ch), (uint8_t *) & chunk_buf);
10905 	}
10906 
10907 	if ((len + SCTP_MAX_OVERHEAD + sizeof(struct sctp_pktdrop_chunk)) >
10908 	    min(stcb->asoc.smallest_mtu, MCLBYTES)) {
10909 		/*
10910 		 * only send 1 mtu worth, trim off the excess on the end.
10911 		 */
10912 		fullsz = len - extra;
10913 		len = min(stcb->asoc.smallest_mtu, MCLBYTES) - SCTP_MAX_OVERHEAD;
10914 		was_trunc = 1;
10915 	}
10916 	chk->asoc = &stcb->asoc;
10917 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
10918 	if (chk->data == NULL) {
10919 jump_out:
10920 		sctp_free_a_chunk(stcb, chk);
10921 		return;
10922 	}
10923 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10924 	drp = mtod(chk->data, struct sctp_pktdrop_chunk *);
10925 	if (drp == NULL) {
10926 		sctp_m_freem(chk->data);
10927 		chk->data = NULL;
10928 		goto jump_out;
10929 	}
10930 	chk->book_size = SCTP_SIZE32((chk->send_size + sizeof(struct sctp_pktdrop_chunk) +
10931 	    sizeof(struct sctphdr) + SCTP_MED_OVERHEAD));
10932 	chk->book_size_scale = 0;
10933 	if (was_trunc) {
10934 		drp->ch.chunk_flags = SCTP_PACKET_TRUNCATED;
10935 		drp->trunc_len = htons(fullsz);
10936 		/*
10937 		 * Len is already adjusted to size minus overhead above take
10938 		 * out the pkt_drop chunk itself from it.
10939 		 */
10940 		chk->send_size = len - sizeof(struct sctp_pktdrop_chunk);
10941 		len = chk->send_size;
10942 	} else {
10943 		/* no truncation needed */
10944 		drp->ch.chunk_flags = 0;
10945 		drp->trunc_len = htons(0);
10946 	}
10947 	if (bad_crc) {
10948 		drp->ch.chunk_flags |= SCTP_BADCRC;
10949 	}
10950 	chk->send_size += sizeof(struct sctp_pktdrop_chunk);
10951 	SCTP_BUF_LEN(chk->data) = chk->send_size;
10952 	chk->sent = SCTP_DATAGRAM_UNSENT;
10953 	chk->snd_count = 0;
10954 	if (net) {
10955 		/* we should hit here */
10956 		chk->whoTo = net;
10957 	} else {
10958 		chk->whoTo = asoc->primary_destination;
10959 	}
10960 	atomic_add_int(&chk->whoTo->ref_count, 1);
10961 	chk->rec.chunk_id.id = SCTP_PACKET_DROPPED;
10962 	chk->rec.chunk_id.can_take_data = 1;
10963 	drp->ch.chunk_type = SCTP_PACKET_DROPPED;
10964 	drp->ch.chunk_length = htons(chk->send_size);
10965 	spc = SCTP_SB_LIMIT_RCV(stcb->sctp_socket);
10966 	if (spc < 0) {
10967 		spc = 0;
10968 	}
10969 	drp->bottle_bw = htonl(spc);
10970 	if (asoc->my_rwnd) {
10971 		drp->current_onq = htonl(asoc->size_on_reasm_queue +
10972 		    asoc->size_on_all_streams +
10973 		    asoc->my_rwnd_control_len +
10974 		    stcb->sctp_socket->so_rcv.sb_cc);
10975 	} else {
10976 		/*-
10977 		 * If my rwnd is 0, possibly from mbuf depletion as well as
10978 		 * space used, tell the peer there is NO space aka onq == bw
10979 		 */
10980 		drp->current_onq = htonl(spc);
10981 	}
10982 	drp->reserved = 0;
10983 	datap = drp->data;
10984 	m_copydata(m, iphlen, len, (caddr_t)datap);
10985 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
10986 	asoc->ctrl_queue_cnt++;
10987 }
10988 
10989 void
10990 sctp_send_cwr(struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t high_tsn, uint8_t override)
10991 {
10992 	struct sctp_association *asoc;
10993 	struct sctp_cwr_chunk *cwr;
10994 	struct sctp_tmit_chunk *chk;
10995 
10996 	asoc = &stcb->asoc;
10997 	SCTP_TCB_LOCK_ASSERT(stcb);
10998 
10999 
11000 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11001 		if ((chk->rec.chunk_id.id == SCTP_ECN_CWR) && (net == chk->whoTo)) {
11002 			/*
11003 			 * found a previous CWR queued to same destination
11004 			 * update it if needed
11005 			 */
11006 			uint32_t ctsn;
11007 
11008 			cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11009 			ctsn = ntohl(cwr->tsn);
11010 			if (SCTP_TSN_GT(high_tsn, ctsn)) {
11011 				cwr->tsn = htonl(high_tsn);
11012 			}
11013 			if (override & SCTP_CWR_REDUCE_OVERRIDE) {
11014 				/* Make sure override is carried */
11015 				cwr->ch.chunk_flags |= SCTP_CWR_REDUCE_OVERRIDE;
11016 			}
11017 			return;
11018 		}
11019 	}
11020 	sctp_alloc_a_chunk(stcb, chk);
11021 	if (chk == NULL) {
11022 		return;
11023 	}
11024 	chk->copy_by_ref = 0;
11025 	chk->rec.chunk_id.id = SCTP_ECN_CWR;
11026 	chk->rec.chunk_id.can_take_data = 1;
11027 	chk->asoc = &stcb->asoc;
11028 	chk->send_size = sizeof(struct sctp_cwr_chunk);
11029 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_DONTWAIT, 1, MT_HEADER);
11030 	if (chk->data == NULL) {
11031 		sctp_free_a_chunk(stcb, chk);
11032 		return;
11033 	}
11034 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11035 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11036 	chk->sent = SCTP_DATAGRAM_UNSENT;
11037 	chk->snd_count = 0;
11038 	chk->whoTo = net;
11039 	atomic_add_int(&chk->whoTo->ref_count, 1);
11040 	cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11041 	cwr->ch.chunk_type = SCTP_ECN_CWR;
11042 	cwr->ch.chunk_flags = override;
11043 	cwr->ch.chunk_length = htons(sizeof(struct sctp_cwr_chunk));
11044 	cwr->tsn = htonl(high_tsn);
11045 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11046 	asoc->ctrl_queue_cnt++;
11047 }
11048 
11049 void
11050 sctp_add_stream_reset_out(struct sctp_tmit_chunk *chk,
11051     int number_entries, uint16_t * list,
11052     uint32_t seq, uint32_t resp_seq, uint32_t last_sent)
11053 {
11054 	int len, old_len, i;
11055 	struct sctp_stream_reset_out_request *req_out;
11056 	struct sctp_chunkhdr *ch;
11057 
11058 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11059 
11060 
11061 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11062 
11063 	/* get to new offset for the param. */
11064 	req_out = (struct sctp_stream_reset_out_request *)((caddr_t)ch + len);
11065 	/* now how long will this param be? */
11066 	len = (sizeof(struct sctp_stream_reset_out_request) + (sizeof(uint16_t) * number_entries));
11067 	req_out->ph.param_type = htons(SCTP_STR_RESET_OUT_REQUEST);
11068 	req_out->ph.param_length = htons(len);
11069 	req_out->request_seq = htonl(seq);
11070 	req_out->response_seq = htonl(resp_seq);
11071 	req_out->send_reset_at_tsn = htonl(last_sent);
11072 	if (number_entries) {
11073 		for (i = 0; i < number_entries; i++) {
11074 			req_out->list_of_streams[i] = htons(list[i]);
11075 		}
11076 	}
11077 	if (SCTP_SIZE32(len) > len) {
11078 		/*-
11079 		 * Need to worry about the pad we may end up adding to the
11080 		 * end. This is easy since the struct is either aligned to 4
11081 		 * bytes or 2 bytes off.
11082 		 */
11083 		req_out->list_of_streams[number_entries] = 0;
11084 	}
11085 	/* now fix the chunk length */
11086 	ch->chunk_length = htons(len + old_len);
11087 	chk->book_size = len + old_len;
11088 	chk->book_size_scale = 0;
11089 	chk->send_size = SCTP_SIZE32(chk->book_size);
11090 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11091 	return;
11092 }
11093 
11094 
11095 void
11096 sctp_add_stream_reset_in(struct sctp_tmit_chunk *chk,
11097     int number_entries, uint16_t * list,
11098     uint32_t seq)
11099 {
11100 	int len, old_len, i;
11101 	struct sctp_stream_reset_in_request *req_in;
11102 	struct sctp_chunkhdr *ch;
11103 
11104 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11105 
11106 
11107 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11108 
11109 	/* get to new offset for the param. */
11110 	req_in = (struct sctp_stream_reset_in_request *)((caddr_t)ch + len);
11111 	/* now how long will this param be? */
11112 	len = (sizeof(struct sctp_stream_reset_in_request) + (sizeof(uint16_t) * number_entries));
11113 	req_in->ph.param_type = htons(SCTP_STR_RESET_IN_REQUEST);
11114 	req_in->ph.param_length = htons(len);
11115 	req_in->request_seq = htonl(seq);
11116 	if (number_entries) {
11117 		for (i = 0; i < number_entries; i++) {
11118 			req_in->list_of_streams[i] = htons(list[i]);
11119 		}
11120 	}
11121 	if (SCTP_SIZE32(len) > len) {
11122 		/*-
11123 		 * Need to worry about the pad we may end up adding to the
11124 		 * end. This is easy since the struct is either aligned to 4
11125 		 * bytes or 2 bytes off.
11126 		 */
11127 		req_in->list_of_streams[number_entries] = 0;
11128 	}
11129 	/* now fix the chunk length */
11130 	ch->chunk_length = htons(len + old_len);
11131 	chk->book_size = len + old_len;
11132 	chk->book_size_scale = 0;
11133 	chk->send_size = SCTP_SIZE32(chk->book_size);
11134 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11135 	return;
11136 }
11137 
11138 
11139 void
11140 sctp_add_stream_reset_tsn(struct sctp_tmit_chunk *chk,
11141     uint32_t seq)
11142 {
11143 	int len, old_len;
11144 	struct sctp_stream_reset_tsn_request *req_tsn;
11145 	struct sctp_chunkhdr *ch;
11146 
11147 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11148 
11149 
11150 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11151 
11152 	/* get to new offset for the param. */
11153 	req_tsn = (struct sctp_stream_reset_tsn_request *)((caddr_t)ch + len);
11154 	/* now how long will this param be? */
11155 	len = sizeof(struct sctp_stream_reset_tsn_request);
11156 	req_tsn->ph.param_type = htons(SCTP_STR_RESET_TSN_REQUEST);
11157 	req_tsn->ph.param_length = htons(len);
11158 	req_tsn->request_seq = htonl(seq);
11159 
11160 	/* now fix the chunk length */
11161 	ch->chunk_length = htons(len + old_len);
11162 	chk->send_size = len + old_len;
11163 	chk->book_size = SCTP_SIZE32(chk->send_size);
11164 	chk->book_size_scale = 0;
11165 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11166 	return;
11167 }
11168 
11169 void
11170 sctp_add_stream_reset_result(struct sctp_tmit_chunk *chk,
11171     uint32_t resp_seq, uint32_t result)
11172 {
11173 	int len, old_len;
11174 	struct sctp_stream_reset_response *resp;
11175 	struct sctp_chunkhdr *ch;
11176 
11177 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11178 
11179 
11180 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11181 
11182 	/* get to new offset for the param. */
11183 	resp = (struct sctp_stream_reset_response *)((caddr_t)ch + len);
11184 	/* now how long will this param be? */
11185 	len = sizeof(struct sctp_stream_reset_response);
11186 	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11187 	resp->ph.param_length = htons(len);
11188 	resp->response_seq = htonl(resp_seq);
11189 	resp->result = ntohl(result);
11190 
11191 	/* now fix the chunk length */
11192 	ch->chunk_length = htons(len + old_len);
11193 	chk->book_size = len + old_len;
11194 	chk->book_size_scale = 0;
11195 	chk->send_size = SCTP_SIZE32(chk->book_size);
11196 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11197 	return;
11198 
11199 }
11200 
11201 
11202 void
11203 sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *chk,
11204     uint32_t resp_seq, uint32_t result,
11205     uint32_t send_una, uint32_t recv_next)
11206 {
11207 	int len, old_len;
11208 	struct sctp_stream_reset_response_tsn *resp;
11209 	struct sctp_chunkhdr *ch;
11210 
11211 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11212 
11213 
11214 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11215 
11216 	/* get to new offset for the param. */
11217 	resp = (struct sctp_stream_reset_response_tsn *)((caddr_t)ch + len);
11218 	/* now how long will this param be? */
11219 	len = sizeof(struct sctp_stream_reset_response_tsn);
11220 	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11221 	resp->ph.param_length = htons(len);
11222 	resp->response_seq = htonl(resp_seq);
11223 	resp->result = htonl(result);
11224 	resp->senders_next_tsn = htonl(send_una);
11225 	resp->receivers_next_tsn = htonl(recv_next);
11226 
11227 	/* now fix the chunk length */
11228 	ch->chunk_length = htons(len + old_len);
11229 	chk->book_size = len + old_len;
11230 	chk->send_size = SCTP_SIZE32(chk->book_size);
11231 	chk->book_size_scale = 0;
11232 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11233 	return;
11234 }
11235 
11236 static void
11237 sctp_add_a_stream(struct sctp_tmit_chunk *chk,
11238     uint32_t seq,
11239     uint16_t adding)
11240 {
11241 	int len, old_len;
11242 	struct sctp_chunkhdr *ch;
11243 	struct sctp_stream_reset_add_strm *addstr;
11244 
11245 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11246 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11247 
11248 	/* get to new offset for the param. */
11249 	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
11250 	/* now how long will this param be? */
11251 	len = sizeof(struct sctp_stream_reset_add_strm);
11252 
11253 	/* Fill it out. */
11254 	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_STREAMS);
11255 	addstr->ph.param_length = htons(len);
11256 	addstr->request_seq = htonl(seq);
11257 	addstr->number_of_streams = htons(adding);
11258 	addstr->reserved = 0;
11259 
11260 	/* now fix the chunk length */
11261 	ch->chunk_length = htons(len + old_len);
11262 	chk->send_size = len + old_len;
11263 	chk->book_size = SCTP_SIZE32(chk->send_size);
11264 	chk->book_size_scale = 0;
11265 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11266 	return;
11267 }
11268 
11269 int
11270 sctp_send_str_reset_req(struct sctp_tcb *stcb,
11271     int number_entries, uint16_t * list,
11272     uint8_t send_out_req,
11273     uint32_t resp_seq,
11274     uint8_t send_in_req,
11275     uint8_t send_tsn_req,
11276     uint8_t add_stream,
11277     uint16_t adding
11278 )
11279 {
11280 
11281 	struct sctp_association *asoc;
11282 	struct sctp_tmit_chunk *chk;
11283 	struct sctp_chunkhdr *ch;
11284 	uint32_t seq;
11285 
11286 	asoc = &stcb->asoc;
11287 	if (asoc->stream_reset_outstanding) {
11288 		/*-
11289 		 * Already one pending, must get ACK back to clear the flag.
11290 		 */
11291 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EBUSY);
11292 		return (EBUSY);
11293 	}
11294 	if ((send_out_req == 0) && (send_in_req == 0) && (send_tsn_req == 0) &&
11295 	    (add_stream == 0)) {
11296 		/* nothing to do */
11297 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
11298 		return (EINVAL);
11299 	}
11300 	if (send_tsn_req && (send_out_req || send_in_req)) {
11301 		/* error, can't do that */
11302 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
11303 		return (EINVAL);
11304 	}
11305 	sctp_alloc_a_chunk(stcb, chk);
11306 	if (chk == NULL) {
11307 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11308 		return (ENOMEM);
11309 	}
11310 	chk->copy_by_ref = 0;
11311 	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
11312 	chk->rec.chunk_id.can_take_data = 0;
11313 	chk->asoc = &stcb->asoc;
11314 	chk->book_size = sizeof(struct sctp_chunkhdr);
11315 	chk->send_size = SCTP_SIZE32(chk->book_size);
11316 	chk->book_size_scale = 0;
11317 
11318 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
11319 	if (chk->data == NULL) {
11320 		sctp_free_a_chunk(stcb, chk);
11321 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11322 		return (ENOMEM);
11323 	}
11324 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11325 
11326 	/* setup chunk parameters */
11327 	chk->sent = SCTP_DATAGRAM_UNSENT;
11328 	chk->snd_count = 0;
11329 	chk->whoTo = asoc->primary_destination;
11330 	atomic_add_int(&chk->whoTo->ref_count, 1);
11331 
11332 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11333 	ch->chunk_type = SCTP_STREAM_RESET;
11334 	ch->chunk_flags = 0;
11335 	ch->chunk_length = htons(chk->book_size);
11336 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11337 
11338 	seq = stcb->asoc.str_reset_seq_out;
11339 	if (send_out_req) {
11340 		sctp_add_stream_reset_out(chk, number_entries, list,
11341 		    seq, resp_seq, (stcb->asoc.sending_seq - 1));
11342 		asoc->stream_reset_out_is_outstanding = 1;
11343 		seq++;
11344 		asoc->stream_reset_outstanding++;
11345 	}
11346 	if (add_stream) {
11347 		sctp_add_a_stream(chk, seq, adding);
11348 		seq++;
11349 		asoc->stream_reset_outstanding++;
11350 	}
11351 	if (send_in_req) {
11352 		sctp_add_stream_reset_in(chk, number_entries, list, seq);
11353 		asoc->stream_reset_outstanding++;
11354 	}
11355 	if (send_tsn_req) {
11356 		sctp_add_stream_reset_tsn(chk, seq);
11357 		asoc->stream_reset_outstanding++;
11358 	}
11359 	asoc->str_reset = chk;
11360 
11361 	/* insert the chunk for sending */
11362 	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
11363 	    chk,
11364 	    sctp_next);
11365 	asoc->ctrl_queue_cnt++;
11366 	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
11367 	return (0);
11368 }
11369 
11370 void
11371 sctp_send_abort(struct mbuf *m, int iphlen, struct sctphdr *sh, uint32_t vtag,
11372     struct mbuf *err_cause, uint32_t vrf_id, uint16_t port)
11373 {
11374 	/*-
11375 	 * Formulate the abort message, and send it back down.
11376 	 */
11377 	struct mbuf *o_pak;
11378 	struct mbuf *mout;
11379 	struct sctp_abort_msg *abm;
11380 	struct ip *iph, *iph_out;
11381 	struct udphdr *udp;
11382 
11383 #ifdef INET6
11384 	struct ip6_hdr *ip6, *ip6_out;
11385 
11386 #endif
11387 	int iphlen_out, len;
11388 
11389 	/* don't respond to ABORT with ABORT */
11390 	if (sctp_is_there_an_abort_here(m, iphlen, &vtag)) {
11391 		if (err_cause)
11392 			sctp_m_freem(err_cause);
11393 		return;
11394 	}
11395 	iph = mtod(m, struct ip *);
11396 	switch (iph->ip_v) {
11397 	case IPVERSION:
11398 		len = (sizeof(struct ip) + sizeof(struct sctp_abort_msg));
11399 		break;
11400 #ifdef INET6
11401 	case IPV6_VERSION >> 4:
11402 		len = (sizeof(struct ip6_hdr) + sizeof(struct sctp_abort_msg));
11403 		break;
11404 #endif
11405 	default:
11406 		if (err_cause) {
11407 			sctp_m_freem(err_cause);
11408 		}
11409 		return;
11410 	}
11411 	if (port) {
11412 		len += sizeof(struct udphdr);
11413 	}
11414 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_DONTWAIT, 1, MT_DATA);
11415 	if (mout == NULL) {
11416 		if (err_cause) {
11417 			sctp_m_freem(err_cause);
11418 		}
11419 		return;
11420 	}
11421 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11422 	SCTP_BUF_LEN(mout) = len;
11423 	SCTP_BUF_NEXT(mout) = err_cause;
11424 	if (m->m_flags & M_FLOWID) {
11425 		mout->m_pkthdr.flowid = m->m_pkthdr.flowid;
11426 		mout->m_flags |= M_FLOWID;
11427 	}
11428 	iph_out = NULL;
11429 #ifdef INET6
11430 	ip6_out = NULL;
11431 #endif
11432 	switch (iph->ip_v) {
11433 	case IPVERSION:
11434 		iph_out = mtod(mout, struct ip *);
11435 
11436 		/* Fill in the IP header for the ABORT */
11437 		iph_out->ip_v = IPVERSION;
11438 		iph_out->ip_hl = (sizeof(struct ip) / 4);
11439 		iph_out->ip_tos = (u_char)0;
11440 		iph_out->ip_id = 0;
11441 		iph_out->ip_off = 0;
11442 		iph_out->ip_ttl = MAXTTL;
11443 		if (port) {
11444 			iph_out->ip_p = IPPROTO_UDP;
11445 		} else {
11446 			iph_out->ip_p = IPPROTO_SCTP;
11447 		}
11448 		iph_out->ip_src.s_addr = iph->ip_dst.s_addr;
11449 		iph_out->ip_dst.s_addr = iph->ip_src.s_addr;
11450 		/* let IP layer calculate this */
11451 		iph_out->ip_sum = 0;
11452 
11453 		iphlen_out = sizeof(*iph_out);
11454 		abm = (struct sctp_abort_msg *)((caddr_t)iph_out + iphlen_out);
11455 		break;
11456 #ifdef INET6
11457 	case IPV6_VERSION >> 4:
11458 		ip6 = (struct ip6_hdr *)iph;
11459 		ip6_out = mtod(mout, struct ip6_hdr *);
11460 
11461 		/* Fill in the IP6 header for the ABORT */
11462 		ip6_out->ip6_flow = ip6->ip6_flow;
11463 		ip6_out->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11464 		if (port) {
11465 			ip6_out->ip6_nxt = IPPROTO_UDP;
11466 		} else {
11467 			ip6_out->ip6_nxt = IPPROTO_SCTP;
11468 		}
11469 		ip6_out->ip6_src = ip6->ip6_dst;
11470 		ip6_out->ip6_dst = ip6->ip6_src;
11471 
11472 		iphlen_out = sizeof(*ip6_out);
11473 		abm = (struct sctp_abort_msg *)((caddr_t)ip6_out + iphlen_out);
11474 		break;
11475 #endif				/* INET6 */
11476 	default:
11477 		/* Currently not supported */
11478 		sctp_m_freem(mout);
11479 		return;
11480 	}
11481 
11482 	udp = (struct udphdr *)abm;
11483 	if (port) {
11484 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11485 		udp->uh_dport = port;
11486 		/* set udp->uh_ulen later */
11487 		udp->uh_sum = 0;
11488 		iphlen_out += sizeof(struct udphdr);
11489 		abm = (struct sctp_abort_msg *)((caddr_t)abm + sizeof(struct udphdr));
11490 	}
11491 	abm->sh.src_port = sh->dest_port;
11492 	abm->sh.dest_port = sh->src_port;
11493 	abm->sh.checksum = 0;
11494 	if (vtag == 0) {
11495 		abm->sh.v_tag = sh->v_tag;
11496 		abm->msg.ch.chunk_flags = SCTP_HAD_NO_TCB;
11497 	} else {
11498 		abm->sh.v_tag = htonl(vtag);
11499 		abm->msg.ch.chunk_flags = 0;
11500 	}
11501 	abm->msg.ch.chunk_type = SCTP_ABORT_ASSOCIATION;
11502 
11503 	if (err_cause) {
11504 		struct mbuf *m_tmp = err_cause;
11505 		int err_len = 0;
11506 
11507 		/* get length of the err_cause chain */
11508 		while (m_tmp != NULL) {
11509 			err_len += SCTP_BUF_LEN(m_tmp);
11510 			m_tmp = SCTP_BUF_NEXT(m_tmp);
11511 		}
11512 		len = SCTP_BUF_LEN(mout) + err_len;
11513 		if (err_len % 4) {
11514 			/* need pad at end of chunk */
11515 			uint32_t cpthis = 0;
11516 			int padlen;
11517 
11518 			padlen = 4 - (len % 4);
11519 			m_copyback(mout, len, padlen, (caddr_t)&cpthis);
11520 			len += padlen;
11521 		}
11522 		abm->msg.ch.chunk_length = htons(sizeof(abm->msg.ch) + err_len);
11523 	} else {
11524 		len = SCTP_BUF_LEN(mout);
11525 		abm->msg.ch.chunk_length = htons(sizeof(abm->msg.ch));
11526 	}
11527 
11528 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11529 		/* no mbuf's */
11530 		sctp_m_freem(mout);
11531 		return;
11532 	}
11533 	if (iph_out != NULL) {
11534 		sctp_route_t ro;
11535 		int ret;
11536 
11537 		/* zap the stack pointer to the route */
11538 		bzero(&ro, sizeof ro);
11539 		if (port) {
11540 			udp->uh_ulen = htons(len - sizeof(struct ip));
11541 			udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11542 		}
11543 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "sctp_send_abort calling ip_output:\n");
11544 		SCTPDBG_PKT(SCTP_DEBUG_OUTPUT2, iph_out, &abm->sh);
11545 		/* set IPv4 length */
11546 		iph_out->ip_len = len;
11547 		/* out it goes */
11548 #ifdef  SCTP_PACKET_LOGGING
11549 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11550 			sctp_packet_log(mout, len);
11551 #endif
11552 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11553 		if (port) {
11554 #if defined(SCTP_WITH_NO_CSUM)
11555 			SCTP_STAT_INCR(sctps_sendnocrc);
11556 #else
11557 			abm->sh.checksum = sctp_calculate_cksum(mout, iphlen_out);
11558 			SCTP_STAT_INCR(sctps_sendswcrc);
11559 #endif
11560 			SCTP_ENABLE_UDP_CSUM(o_pak);
11561 		} else {
11562 #if defined(SCTP_WITH_NO_CSUM)
11563 			SCTP_STAT_INCR(sctps_sendnocrc);
11564 #else
11565 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11566 			mout->m_pkthdr.csum_data = 0;
11567 			SCTP_STAT_INCR(sctps_sendhwcrc);
11568 #endif
11569 		}
11570 		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
11571 
11572 		/* Free the route if we got one back */
11573 		if (ro.ro_rt)
11574 			RTFREE(ro.ro_rt);
11575 	}
11576 #ifdef INET6
11577 	if (ip6_out != NULL) {
11578 		struct route_in6 ro;
11579 		int ret;
11580 		struct ifnet *ifp = NULL;
11581 
11582 		/* zap the stack pointer to the route */
11583 		bzero(&ro, sizeof(ro));
11584 		if (port) {
11585 			udp->uh_ulen = htons(len - sizeof(struct ip6_hdr));
11586 		}
11587 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "sctp_send_abort calling ip6_output:\n");
11588 		SCTPDBG_PKT(SCTP_DEBUG_OUTPUT2, (struct ip *)ip6_out, &abm->sh);
11589 		ip6_out->ip6_plen = len - sizeof(*ip6_out);
11590 #ifdef  SCTP_PACKET_LOGGING
11591 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11592 			sctp_packet_log(mout, len);
11593 #endif
11594 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11595 		if (port) {
11596 #if defined(SCTP_WITH_NO_CSUM)
11597 			SCTP_STAT_INCR(sctps_sendnocrc);
11598 #else
11599 			abm->sh.checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11600 			SCTP_STAT_INCR(sctps_sendswcrc);
11601 #endif
11602 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11603 				udp->uh_sum = 0xffff;
11604 			}
11605 		} else {
11606 #if defined(SCTP_WITH_NO_CSUM)
11607 			SCTP_STAT_INCR(sctps_sendnocrc);
11608 #else
11609 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11610 			mout->m_pkthdr.csum_data = 0;
11611 			SCTP_STAT_INCR(sctps_sendhwcrc);
11612 #endif
11613 		}
11614 		SCTP_IP6_OUTPUT(ret, o_pak, &ro, &ifp, NULL, vrf_id);
11615 
11616 		/* Free the route if we got one back */
11617 		if (ro.ro_rt)
11618 			RTFREE(ro.ro_rt);
11619 	}
11620 #endif
11621 	SCTP_STAT_INCR(sctps_sendpackets);
11622 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11623 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11624 }
11625 
11626 void
11627 sctp_send_operr_to(struct mbuf *m, int iphlen, struct mbuf *scm, uint32_t vtag,
11628     uint32_t vrf_id, uint16_t port)
11629 {
11630 	struct mbuf *o_pak;
11631 	struct sctphdr *sh, *sh_out;
11632 	struct sctp_chunkhdr *ch;
11633 	struct ip *iph, *iph_out;
11634 	struct udphdr *udp = NULL;
11635 	struct mbuf *mout;
11636 
11637 #ifdef INET6
11638 	struct ip6_hdr *ip6, *ip6_out;
11639 
11640 #endif
11641 	int iphlen_out, len;
11642 
11643 	iph = mtod(m, struct ip *);
11644 	sh = (struct sctphdr *)((caddr_t)iph + iphlen);
11645 	switch (iph->ip_v) {
11646 	case IPVERSION:
11647 		len = (sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr));
11648 		break;
11649 #ifdef INET6
11650 	case IPV6_VERSION >> 4:
11651 		len = (sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr));
11652 		break;
11653 #endif
11654 	default:
11655 		if (scm) {
11656 			sctp_m_freem(scm);
11657 		}
11658 		return;
11659 	}
11660 	if (port) {
11661 		len += sizeof(struct udphdr);
11662 	}
11663 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_DONTWAIT, 1, MT_DATA);
11664 	if (mout == NULL) {
11665 		if (scm) {
11666 			sctp_m_freem(scm);
11667 		}
11668 		return;
11669 	}
11670 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11671 	SCTP_BUF_LEN(mout) = len;
11672 	SCTP_BUF_NEXT(mout) = scm;
11673 	if (m->m_flags & M_FLOWID) {
11674 		mout->m_pkthdr.flowid = m->m_pkthdr.flowid;
11675 		mout->m_flags |= M_FLOWID;
11676 	}
11677 	iph_out = NULL;
11678 #ifdef INET6
11679 	ip6_out = NULL;
11680 #endif
11681 	switch (iph->ip_v) {
11682 	case IPVERSION:
11683 		iph_out = mtod(mout, struct ip *);
11684 
11685 		/* Fill in the IP header for the ABORT */
11686 		iph_out->ip_v = IPVERSION;
11687 		iph_out->ip_hl = (sizeof(struct ip) / 4);
11688 		iph_out->ip_tos = (u_char)0;
11689 		iph_out->ip_id = 0;
11690 		iph_out->ip_off = 0;
11691 		iph_out->ip_ttl = MAXTTL;
11692 		if (port) {
11693 			iph_out->ip_p = IPPROTO_UDP;
11694 		} else {
11695 			iph_out->ip_p = IPPROTO_SCTP;
11696 		}
11697 		iph_out->ip_src.s_addr = iph->ip_dst.s_addr;
11698 		iph_out->ip_dst.s_addr = iph->ip_src.s_addr;
11699 		/* let IP layer calculate this */
11700 		iph_out->ip_sum = 0;
11701 
11702 		iphlen_out = sizeof(struct ip);
11703 		sh_out = (struct sctphdr *)((caddr_t)iph_out + iphlen_out);
11704 		break;
11705 #ifdef INET6
11706 	case IPV6_VERSION >> 4:
11707 		ip6 = (struct ip6_hdr *)iph;
11708 		ip6_out = mtod(mout, struct ip6_hdr *);
11709 
11710 		/* Fill in the IP6 header for the ABORT */
11711 		ip6_out->ip6_flow = ip6->ip6_flow;
11712 		ip6_out->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11713 		if (port) {
11714 			ip6_out->ip6_nxt = IPPROTO_UDP;
11715 		} else {
11716 			ip6_out->ip6_nxt = IPPROTO_SCTP;
11717 		}
11718 		ip6_out->ip6_src = ip6->ip6_dst;
11719 		ip6_out->ip6_dst = ip6->ip6_src;
11720 
11721 		iphlen_out = sizeof(struct ip6_hdr);
11722 		sh_out = (struct sctphdr *)((caddr_t)ip6_out + iphlen_out);
11723 		break;
11724 #endif				/* INET6 */
11725 	default:
11726 		/* Currently not supported */
11727 		sctp_m_freem(mout);
11728 		return;
11729 	}
11730 
11731 	udp = (struct udphdr *)sh_out;
11732 	if (port) {
11733 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11734 		udp->uh_dport = port;
11735 		/* set udp->uh_ulen later */
11736 		udp->uh_sum = 0;
11737 		iphlen_out += sizeof(struct udphdr);
11738 		sh_out = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
11739 	}
11740 	sh_out->src_port = sh->dest_port;
11741 	sh_out->dest_port = sh->src_port;
11742 	sh_out->v_tag = vtag;
11743 	sh_out->checksum = 0;
11744 
11745 	ch = (struct sctp_chunkhdr *)((caddr_t)sh_out + sizeof(struct sctphdr));
11746 	ch->chunk_type = SCTP_OPERATION_ERROR;
11747 	ch->chunk_flags = 0;
11748 
11749 	if (scm) {
11750 		struct mbuf *m_tmp = scm;
11751 		int cause_len = 0;
11752 
11753 		/* get length of the err_cause chain */
11754 		while (m_tmp != NULL) {
11755 			cause_len += SCTP_BUF_LEN(m_tmp);
11756 			m_tmp = SCTP_BUF_NEXT(m_tmp);
11757 		}
11758 		len = SCTP_BUF_LEN(mout) + cause_len;
11759 		if (cause_len % 4) {
11760 			/* need pad at end of chunk */
11761 			uint32_t cpthis = 0;
11762 			int padlen;
11763 
11764 			padlen = 4 - (len % 4);
11765 			m_copyback(mout, len, padlen, (caddr_t)&cpthis);
11766 			len += padlen;
11767 		}
11768 		ch->chunk_length = htons(sizeof(struct sctp_chunkhdr) + cause_len);
11769 	} else {
11770 		len = SCTP_BUF_LEN(mout);
11771 		ch->chunk_length = htons(sizeof(struct sctp_chunkhdr));
11772 	}
11773 
11774 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11775 		/* no mbuf's */
11776 		sctp_m_freem(mout);
11777 		return;
11778 	}
11779 	if (iph_out != NULL) {
11780 		sctp_route_t ro;
11781 		int ret;
11782 
11783 		/* zap the stack pointer to the route */
11784 		bzero(&ro, sizeof ro);
11785 		if (port) {
11786 			udp->uh_ulen = htons(len - sizeof(struct ip));
11787 			udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11788 		}
11789 		/* set IPv4 length */
11790 		iph_out->ip_len = len;
11791 		/* out it goes */
11792 #ifdef  SCTP_PACKET_LOGGING
11793 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11794 			sctp_packet_log(mout, len);
11795 #endif
11796 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11797 		if (port) {
11798 #if defined(SCTP_WITH_NO_CSUM)
11799 			SCTP_STAT_INCR(sctps_sendnocrc);
11800 #else
11801 			sh_out->checksum = sctp_calculate_cksum(mout, iphlen_out);
11802 			SCTP_STAT_INCR(sctps_sendswcrc);
11803 #endif
11804 			SCTP_ENABLE_UDP_CSUM(o_pak);
11805 		} else {
11806 #if defined(SCTP_WITH_NO_CSUM)
11807 			SCTP_STAT_INCR(sctps_sendnocrc);
11808 #else
11809 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11810 			mout->m_pkthdr.csum_data = 0;
11811 			SCTP_STAT_INCR(sctps_sendhwcrc);
11812 #endif
11813 		}
11814 		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
11815 
11816 		/* Free the route if we got one back */
11817 		if (ro.ro_rt)
11818 			RTFREE(ro.ro_rt);
11819 	}
11820 #ifdef INET6
11821 	if (ip6_out != NULL) {
11822 		struct route_in6 ro;
11823 		int ret;
11824 		struct ifnet *ifp = NULL;
11825 
11826 		/* zap the stack pointer to the route */
11827 		bzero(&ro, sizeof(ro));
11828 		if (port) {
11829 			udp->uh_ulen = htons(len - sizeof(struct ip6_hdr));
11830 		}
11831 		ip6_out->ip6_plen = len - sizeof(*ip6_out);
11832 #ifdef  SCTP_PACKET_LOGGING
11833 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11834 			sctp_packet_log(mout, len);
11835 #endif
11836 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11837 		if (port) {
11838 #if defined(SCTP_WITH_NO_CSUM)
11839 			SCTP_STAT_INCR(sctps_sendnocrc);
11840 #else
11841 			sh_out->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11842 			SCTP_STAT_INCR(sctps_sendswcrc);
11843 #endif
11844 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11845 				udp->uh_sum = 0xffff;
11846 			}
11847 		} else {
11848 #if defined(SCTP_WITH_NO_CSUM)
11849 			SCTP_STAT_INCR(sctps_sendnocrc);
11850 #else
11851 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11852 			mout->m_pkthdr.csum_data = 0;
11853 			SCTP_STAT_INCR(sctps_sendhwcrc);
11854 #endif
11855 		}
11856 		SCTP_IP6_OUTPUT(ret, o_pak, &ro, &ifp, NULL, vrf_id);
11857 
11858 		/* Free the route if we got one back */
11859 		if (ro.ro_rt)
11860 			RTFREE(ro.ro_rt);
11861 	}
11862 #endif
11863 	SCTP_STAT_INCR(sctps_sendpackets);
11864 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11865 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11866 }
11867 
11868 static struct mbuf *
11869 sctp_copy_resume(struct sctp_stream_queue_pending *sp,
11870     struct uio *uio,
11871     struct sctp_sndrcvinfo *srcv,
11872     int max_send_len,
11873     int user_marks_eor,
11874     int *error,
11875     uint32_t * sndout,
11876     struct mbuf **new_tail)
11877 {
11878 	struct mbuf *m;
11879 
11880 	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
11881 	    (M_PKTHDR | (user_marks_eor ? M_EOR : 0)));
11882 	if (m == NULL) {
11883 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11884 		*error = ENOMEM;
11885 	} else {
11886 		*sndout = m_length(m, NULL);
11887 		*new_tail = m_last(m);
11888 	}
11889 	return (m);
11890 }
11891 
11892 static int
11893 sctp_copy_one(struct sctp_stream_queue_pending *sp,
11894     struct uio *uio,
11895     int resv_upfront)
11896 {
11897 	int left;
11898 
11899 	left = sp->length;
11900 	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length,
11901 	    resv_upfront, 0);
11902 	if (sp->data == NULL) {
11903 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11904 		return (ENOMEM);
11905 	}
11906 	sp->tail_mbuf = m_last(sp->data);
11907 	return (0);
11908 }
11909 
11910 
11911 
11912 static struct sctp_stream_queue_pending *
11913 sctp_copy_it_in(struct sctp_tcb *stcb,
11914     struct sctp_association *asoc,
11915     struct sctp_sndrcvinfo *srcv,
11916     struct uio *uio,
11917     struct sctp_nets *net,
11918     int max_send_len,
11919     int user_marks_eor,
11920     int *error,
11921     int non_blocking)
11922 {
11923 	/*-
11924 	 * This routine must be very careful in its work. Protocol
11925 	 * processing is up and running so care must be taken to spl...()
11926 	 * when you need to do something that may effect the stcb/asoc. The
11927 	 * sb is locked however. When data is copied the protocol processing
11928 	 * should be enabled since this is a slower operation...
11929 	 */
11930 	struct sctp_stream_queue_pending *sp = NULL;
11931 	int resv_in_first;
11932 
11933 	*error = 0;
11934 	/* Now can we send this? */
11935 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
11936 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
11937 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
11938 	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
11939 		/* got data while shutting down */
11940 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
11941 		*error = ECONNRESET;
11942 		goto out_now;
11943 	}
11944 	sctp_alloc_a_strmoq(stcb, sp);
11945 	if (sp == NULL) {
11946 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11947 		*error = ENOMEM;
11948 		goto out_now;
11949 	}
11950 	sp->act_flags = 0;
11951 	sp->sender_all_done = 0;
11952 	sp->sinfo_flags = srcv->sinfo_flags;
11953 	sp->timetolive = srcv->sinfo_timetolive;
11954 	sp->ppid = srcv->sinfo_ppid;
11955 	sp->context = srcv->sinfo_context;
11956 	sp->strseq = 0;
11957 	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
11958 
11959 	sp->stream = srcv->sinfo_stream;
11960 	sp->length = min(uio->uio_resid, max_send_len);
11961 	if ((sp->length == (uint32_t) uio->uio_resid) &&
11962 	    ((user_marks_eor == 0) ||
11963 	    (srcv->sinfo_flags & SCTP_EOF) ||
11964 	    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
11965 		sp->msg_is_complete = 1;
11966 	} else {
11967 		sp->msg_is_complete = 0;
11968 	}
11969 	sp->sender_all_done = 0;
11970 	sp->some_taken = 0;
11971 	sp->put_last_out = 0;
11972 	resv_in_first = sizeof(struct sctp_data_chunk);
11973 	sp->data = sp->tail_mbuf = NULL;
11974 	if (sp->length == 0) {
11975 		*error = 0;
11976 		goto skip_copy;
11977 	}
11978 	sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
11979 	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
11980 		sctp_auth_key_acquire(stcb, stcb->asoc.authinfo.active_keyid);
11981 		sp->holds_key_ref = 1;
11982 	}
11983 	*error = sctp_copy_one(sp, uio, resv_in_first);
11984 skip_copy:
11985 	if (*error) {
11986 		sctp_free_a_strmoq(stcb, sp);
11987 		sp = NULL;
11988 	} else {
11989 		if (sp->sinfo_flags & SCTP_ADDR_OVER) {
11990 			sp->net = net;
11991 			atomic_add_int(&sp->net->ref_count, 1);
11992 		} else {
11993 			sp->net = NULL;
11994 		}
11995 		sctp_set_prsctp_policy(sp);
11996 	}
11997 out_now:
11998 	return (sp);
11999 }
12000 
12001 
12002 int
12003 sctp_sosend(struct socket *so,
12004     struct sockaddr *addr,
12005     struct uio *uio,
12006     struct mbuf *top,
12007     struct mbuf *control,
12008     int flags,
12009     struct thread *p
12010 )
12011 {
12012 	int error, use_rcvinfo = 0;
12013 	struct sctp_sndrcvinfo srcv;
12014 	struct sockaddr *addr_to_use;
12015 
12016 #if defined(INET) && defined(INET6)
12017 	struct sockaddr_in sin;
12018 
12019 #endif
12020 
12021 	if (control) {
12022 		/* process cmsg snd/rcv info (maybe a assoc-id) */
12023 		if (sctp_find_cmsg(SCTP_SNDRCV, (void *)&srcv, control,
12024 		    sizeof(srcv))) {
12025 			/* got one */
12026 			use_rcvinfo = 1;
12027 		}
12028 	}
12029 	addr_to_use = addr;
12030 #if defined(INET) && defined(INET6)
12031 	if ((addr) && (addr->sa_family == AF_INET6)) {
12032 		struct sockaddr_in6 *sin6;
12033 
12034 		sin6 = (struct sockaddr_in6 *)addr;
12035 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
12036 			in6_sin6_2_sin(&sin, sin6);
12037 			addr_to_use = (struct sockaddr *)&sin;
12038 		}
12039 	}
12040 #endif
12041 	error = sctp_lower_sosend(so, addr_to_use, uio, top,
12042 	    control,
12043 	    flags,
12044 	    use_rcvinfo ? &srcv : NULL
12045 	    ,p
12046 	    );
12047 	return (error);
12048 }
12049 
12050 
12051 int
12052 sctp_lower_sosend(struct socket *so,
12053     struct sockaddr *addr,
12054     struct uio *uio,
12055     struct mbuf *i_pak,
12056     struct mbuf *control,
12057     int flags,
12058     struct sctp_sndrcvinfo *srcv
12059     ,
12060     struct thread *p
12061 )
12062 {
12063 	unsigned int sndlen = 0, max_len;
12064 	int error, len;
12065 	struct mbuf *top = NULL;
12066 	int queue_only = 0, queue_only_for_init = 0;
12067 	int free_cnt_applied = 0;
12068 	int un_sent;
12069 	int now_filled = 0;
12070 	unsigned int inqueue_bytes = 0;
12071 	struct sctp_block_entry be;
12072 	struct sctp_inpcb *inp;
12073 	struct sctp_tcb *stcb = NULL;
12074 	struct timeval now;
12075 	struct sctp_nets *net;
12076 	struct sctp_association *asoc;
12077 	struct sctp_inpcb *t_inp;
12078 	int user_marks_eor;
12079 	int create_lock_applied = 0;
12080 	int nagle_applies = 0;
12081 	int some_on_control = 0;
12082 	int got_all_of_the_send = 0;
12083 	int hold_tcblock = 0;
12084 	int non_blocking = 0;
12085 	uint32_t local_add_more, local_soresv = 0;
12086 	uint16_t port;
12087 	uint16_t sinfo_flags;
12088 	sctp_assoc_t sinfo_assoc_id;
12089 
12090 	error = 0;
12091 	net = NULL;
12092 	stcb = NULL;
12093 	asoc = NULL;
12094 
12095 	t_inp = inp = (struct sctp_inpcb *)so->so_pcb;
12096 	if (inp == NULL) {
12097 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12098 		error = EINVAL;
12099 		if (i_pak) {
12100 			SCTP_RELEASE_PKT(i_pak);
12101 		}
12102 		return (error);
12103 	}
12104 	if ((uio == NULL) && (i_pak == NULL)) {
12105 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12106 		return (EINVAL);
12107 	}
12108 	user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
12109 	atomic_add_int(&inp->total_sends, 1);
12110 	if (uio) {
12111 		if (uio->uio_resid < 0) {
12112 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12113 			return (EINVAL);
12114 		}
12115 		sndlen = uio->uio_resid;
12116 	} else {
12117 		top = SCTP_HEADER_TO_CHAIN(i_pak);
12118 		sndlen = SCTP_HEADER_LEN(i_pak);
12119 	}
12120 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %d\n",
12121 	    addr,
12122 	    sndlen);
12123 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
12124 	    (inp->sctp_socket->so_qlimit)) {
12125 		/* The listener can NOT send */
12126 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12127 		error = ENOTCONN;
12128 		goto out_unlocked;
12129 	}
12130 	/**
12131 	 * Pre-screen address, if one is given the sin-len
12132 	 * must be set correctly!
12133 	 */
12134 	if (addr) {
12135 		union sctp_sockstore *raddr = (union sctp_sockstore *)addr;
12136 
12137 		switch (raddr->sa.sa_family) {
12138 #if defined(INET)
12139 		case AF_INET:
12140 			if (raddr->sin.sin_len != sizeof(struct sockaddr_in)) {
12141 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12142 				error = EINVAL;
12143 				goto out_unlocked;
12144 			}
12145 			port = raddr->sin.sin_port;
12146 			break;
12147 #endif
12148 #if defined(INET6)
12149 		case AF_INET6:
12150 			if (raddr->sin6.sin6_len != sizeof(struct sockaddr_in6)) {
12151 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12152 				error = EINVAL;
12153 				goto out_unlocked;
12154 			}
12155 			port = raddr->sin6.sin6_port;
12156 			break;
12157 #endif
12158 		default:
12159 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAFNOSUPPORT);
12160 			error = EAFNOSUPPORT;
12161 			goto out_unlocked;
12162 		}
12163 	} else
12164 		port = 0;
12165 
12166 	if (srcv) {
12167 		sinfo_flags = srcv->sinfo_flags;
12168 		sinfo_assoc_id = srcv->sinfo_assoc_id;
12169 		if (INVALID_SINFO_FLAG(sinfo_flags) ||
12170 		    PR_SCTP_INVALID_POLICY(sinfo_flags)) {
12171 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12172 			error = EINVAL;
12173 			goto out_unlocked;
12174 		}
12175 		if (srcv->sinfo_flags)
12176 			SCTP_STAT_INCR(sctps_sends_with_flags);
12177 	} else {
12178 		sinfo_flags = inp->def_send.sinfo_flags;
12179 		sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
12180 	}
12181 	if (sinfo_flags & SCTP_SENDALL) {
12182 		/* its a sendall */
12183 		error = sctp_sendall(inp, uio, top, srcv);
12184 		top = NULL;
12185 		goto out_unlocked;
12186 	}
12187 	if ((sinfo_flags & SCTP_ADDR_OVER) && (addr == NULL)) {
12188 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12189 		error = EINVAL;
12190 		goto out_unlocked;
12191 	}
12192 	/* now we must find the assoc */
12193 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) ||
12194 	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
12195 		SCTP_INP_RLOCK(inp);
12196 		stcb = LIST_FIRST(&inp->sctp_asoc_list);
12197 		if (stcb == NULL) {
12198 			SCTP_INP_RUNLOCK(inp);
12199 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12200 			error = ENOTCONN;
12201 			goto out_unlocked;
12202 		}
12203 		SCTP_TCB_LOCK(stcb);
12204 		hold_tcblock = 1;
12205 		SCTP_INP_RUNLOCK(inp);
12206 	} else if (sinfo_assoc_id) {
12207 		stcb = sctp_findassociation_ep_asocid(inp, sinfo_assoc_id, 0);
12208 	} else if (addr) {
12209 		/*-
12210 		 * Since we did not use findep we must
12211 		 * increment it, and if we don't find a tcb
12212 		 * decrement it.
12213 		 */
12214 		SCTP_INP_WLOCK(inp);
12215 		SCTP_INP_INCR_REF(inp);
12216 		SCTP_INP_WUNLOCK(inp);
12217 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12218 		if (stcb == NULL) {
12219 			SCTP_INP_WLOCK(inp);
12220 			SCTP_INP_DECR_REF(inp);
12221 			SCTP_INP_WUNLOCK(inp);
12222 		} else {
12223 			hold_tcblock = 1;
12224 		}
12225 	}
12226 	if ((stcb == NULL) && (addr)) {
12227 		/* Possible implicit send? */
12228 		SCTP_ASOC_CREATE_LOCK(inp);
12229 		create_lock_applied = 1;
12230 		if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
12231 		    (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
12232 			/* Should I really unlock ? */
12233 			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12234 			error = EINVAL;
12235 			goto out_unlocked;
12236 
12237 		}
12238 		if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) &&
12239 		    (addr->sa_family == AF_INET6)) {
12240 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12241 			error = EINVAL;
12242 			goto out_unlocked;
12243 		}
12244 		SCTP_INP_WLOCK(inp);
12245 		SCTP_INP_INCR_REF(inp);
12246 		SCTP_INP_WUNLOCK(inp);
12247 		/* With the lock applied look again */
12248 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12249 		if (stcb == NULL) {
12250 			SCTP_INP_WLOCK(inp);
12251 			SCTP_INP_DECR_REF(inp);
12252 			SCTP_INP_WUNLOCK(inp);
12253 		} else {
12254 			hold_tcblock = 1;
12255 		}
12256 		if (t_inp != inp) {
12257 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12258 			error = ENOTCONN;
12259 			goto out_unlocked;
12260 		}
12261 	}
12262 	if (stcb == NULL) {
12263 		if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
12264 		    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
12265 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12266 			error = ENOTCONN;
12267 			goto out_unlocked;
12268 		}
12269 		if (addr == NULL) {
12270 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
12271 			error = ENOENT;
12272 			goto out_unlocked;
12273 		} else {
12274 			/*
12275 			 * UDP style, we must go ahead and start the INIT
12276 			 * process
12277 			 */
12278 			uint32_t vrf_id;
12279 
12280 			if ((sinfo_flags & SCTP_ABORT) ||
12281 			    ((sinfo_flags & SCTP_EOF) && (sndlen == 0))) {
12282 				/*-
12283 				 * User asks to abort a non-existant assoc,
12284 				 * or EOF a non-existant assoc with no data
12285 				 */
12286 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
12287 				error = ENOENT;
12288 				goto out_unlocked;
12289 			}
12290 			/* get an asoc/stcb struct */
12291 			vrf_id = inp->def_vrf_id;
12292 #ifdef INVARIANTS
12293 			if (create_lock_applied == 0) {
12294 				panic("Error, should hold create lock and I don't?");
12295 			}
12296 #endif
12297 			stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
12298 			    p
12299 			    );
12300 			if (stcb == NULL) {
12301 				/* Error is setup for us in the call */
12302 				goto out_unlocked;
12303 			}
12304 			if (create_lock_applied) {
12305 				SCTP_ASOC_CREATE_UNLOCK(inp);
12306 				create_lock_applied = 0;
12307 			} else {
12308 				SCTP_PRINTF("Huh-3? create lock should have been on??\n");
12309 			}
12310 			/*
12311 			 * Turn on queue only flag to prevent data from
12312 			 * being sent
12313 			 */
12314 			queue_only = 1;
12315 			asoc = &stcb->asoc;
12316 			SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
12317 			(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
12318 
12319 			/* initialize authentication params for the assoc */
12320 			sctp_initialize_auth_params(inp, stcb);
12321 
12322 			if (control) {
12323 				/*
12324 				 * see if a init structure exists in cmsg
12325 				 * headers
12326 				 */
12327 				struct sctp_initmsg initm;
12328 				int i;
12329 
12330 				if (sctp_find_cmsg(SCTP_INIT, (void *)&initm, control,
12331 				    sizeof(initm))) {
12332 					/*
12333 					 * we have an INIT override of the
12334 					 * default
12335 					 */
12336 					if (initm.sinit_max_attempts)
12337 						asoc->max_init_times = initm.sinit_max_attempts;
12338 					if (initm.sinit_num_ostreams)
12339 						asoc->pre_open_streams = initm.sinit_num_ostreams;
12340 					if (initm.sinit_max_instreams)
12341 						asoc->max_inbound_streams = initm.sinit_max_instreams;
12342 					if (initm.sinit_max_init_timeo)
12343 						asoc->initial_init_rto_max = initm.sinit_max_init_timeo;
12344 					if (asoc->streamoutcnt < asoc->pre_open_streams) {
12345 						struct sctp_stream_out *tmp_str;
12346 						int had_lock = 0;
12347 
12348 						/* Default is NOT correct */
12349 						SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, defout:%d pre_open:%d\n",
12350 						    asoc->streamoutcnt, asoc->pre_open_streams);
12351 						/*
12352 						 * What happens if this
12353 						 * fails? we panic ...
12354 						 */
12355 
12356 						if (hold_tcblock) {
12357 							had_lock = 1;
12358 							SCTP_TCB_UNLOCK(stcb);
12359 						}
12360 						SCTP_MALLOC(tmp_str,
12361 						    struct sctp_stream_out *,
12362 						    (asoc->pre_open_streams *
12363 						    sizeof(struct sctp_stream_out)),
12364 						    SCTP_M_STRMO);
12365 						if (had_lock) {
12366 							SCTP_TCB_LOCK(stcb);
12367 						}
12368 						if (tmp_str != NULL) {
12369 							SCTP_FREE(asoc->strmout, SCTP_M_STRMO);
12370 							asoc->strmout = tmp_str;
12371 							asoc->strm_realoutsize = asoc->streamoutcnt = asoc->pre_open_streams;
12372 						} else {
12373 							asoc->pre_open_streams = asoc->streamoutcnt;
12374 						}
12375 						for (i = 0; i < asoc->streamoutcnt; i++) {
12376 							/*-
12377 							 * inbound side must be set
12378 							 * to 0xffff, also NOTE when
12379 							 * we get the INIT-ACK back
12380 							 * (for INIT sender) we MUST
12381 							 * reduce the count
12382 							 * (streamoutcnt) but first
12383 							 * check if we sent to any
12384 							 * of the upper streams that
12385 							 * were dropped (if some
12386 							 * were). Those that were
12387 							 * dropped must be notified
12388 							 * to the upper layer as
12389 							 * failed to send.
12390 							 */
12391 							asoc->strmout[i].next_sequence_sent = 0x0;
12392 							TAILQ_INIT(&asoc->strmout[i].outqueue);
12393 							asoc->strmout[i].stream_no = i;
12394 							asoc->strmout[i].last_msg_incomplete = 0;
12395 							asoc->ss_functions.sctp_ss_init_stream(&asoc->strmout[i], NULL);
12396 						}
12397 					}
12398 				}
12399 			}
12400 			hold_tcblock = 1;
12401 			/* out with the INIT */
12402 			queue_only_for_init = 1;
12403 			/*-
12404 			 * we may want to dig in after this call and adjust the MTU
12405 			 * value. It defaulted to 1500 (constant) but the ro
12406 			 * structure may now have an update and thus we may need to
12407 			 * change it BEFORE we append the message.
12408 			 */
12409 		}
12410 	} else
12411 		asoc = &stcb->asoc;
12412 	if (srcv == NULL)
12413 		srcv = (struct sctp_sndrcvinfo *)&asoc->def_send;
12414 	if (srcv->sinfo_flags & SCTP_ADDR_OVER) {
12415 		if (addr)
12416 			net = sctp_findnet(stcb, addr);
12417 		else
12418 			net = NULL;
12419 		if ((net == NULL) ||
12420 		    ((port != 0) && (port != stcb->rport))) {
12421 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12422 			error = EINVAL;
12423 			goto out_unlocked;
12424 		}
12425 	} else {
12426 		net = stcb->asoc.primary_destination;
12427 	}
12428 	atomic_add_int(&stcb->total_sends, 1);
12429 	/* Keep the stcb from being freed under our feet */
12430 	atomic_add_int(&asoc->refcnt, 1);
12431 	free_cnt_applied = 1;
12432 
12433 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
12434 		if (sndlen > asoc->smallest_mtu) {
12435 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12436 			error = EMSGSIZE;
12437 			goto out_unlocked;
12438 		}
12439 	}
12440 	if ((SCTP_SO_IS_NBIO(so)
12441 	    || (flags & MSG_NBIO)
12442 	    )) {
12443 		non_blocking = 1;
12444 	}
12445 	/* would we block? */
12446 	if (non_blocking) {
12447 		if (hold_tcblock == 0) {
12448 			SCTP_TCB_LOCK(stcb);
12449 			hold_tcblock = 1;
12450 		}
12451 		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12452 		if ((SCTP_SB_LIMIT_SND(so) < (sndlen + inqueue_bytes + stcb->asoc.sb_send_resv)) ||
12453 		    (stcb->asoc.chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12454 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EWOULDBLOCK);
12455 			if (sndlen > SCTP_SB_LIMIT_SND(so))
12456 				error = EMSGSIZE;
12457 			else
12458 				error = EWOULDBLOCK;
12459 			goto out_unlocked;
12460 		}
12461 		stcb->asoc.sb_send_resv += sndlen;
12462 		SCTP_TCB_UNLOCK(stcb);
12463 		hold_tcblock = 0;
12464 	} else {
12465 		atomic_add_int(&stcb->asoc.sb_send_resv, sndlen);
12466 	}
12467 	local_soresv = sndlen;
12468 	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12469 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12470 		error = ECONNRESET;
12471 		goto out_unlocked;
12472 	}
12473 	if (create_lock_applied) {
12474 		SCTP_ASOC_CREATE_UNLOCK(inp);
12475 		create_lock_applied = 0;
12476 	}
12477 	if (asoc->stream_reset_outstanding) {
12478 		/*
12479 		 * Can't queue any data while stream reset is underway.
12480 		 */
12481 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAGAIN);
12482 		error = EAGAIN;
12483 		goto out_unlocked;
12484 	}
12485 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
12486 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
12487 		queue_only = 1;
12488 	}
12489 	/* we are now done with all control */
12490 	if (control) {
12491 		sctp_m_freem(control);
12492 		control = NULL;
12493 	}
12494 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
12495 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
12496 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
12497 	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
12498 		if (srcv->sinfo_flags & SCTP_ABORT) {
12499 			;
12500 		} else {
12501 			SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12502 			error = ECONNRESET;
12503 			goto out_unlocked;
12504 		}
12505 	}
12506 	/* Ok, we will attempt a msgsnd :> */
12507 	if (p) {
12508 		p->td_ru.ru_msgsnd++;
12509 	}
12510 	/* Are we aborting? */
12511 	if (srcv->sinfo_flags & SCTP_ABORT) {
12512 		struct mbuf *mm;
12513 		int tot_demand, tot_out = 0, max_out;
12514 
12515 		SCTP_STAT_INCR(sctps_sends_with_abort);
12516 		if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
12517 		    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
12518 			/* It has to be up before we abort */
12519 			/* how big is the user initiated abort? */
12520 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12521 			error = EINVAL;
12522 			goto out;
12523 		}
12524 		if (hold_tcblock) {
12525 			SCTP_TCB_UNLOCK(stcb);
12526 			hold_tcblock = 0;
12527 		}
12528 		if (top) {
12529 			struct mbuf *cntm = NULL;
12530 
12531 			mm = sctp_get_mbuf_for_msg(1, 0, M_WAIT, 1, MT_DATA);
12532 			if (sndlen != 0) {
12533 				cntm = top;
12534 				while (cntm) {
12535 					tot_out += SCTP_BUF_LEN(cntm);
12536 					cntm = SCTP_BUF_NEXT(cntm);
12537 				}
12538 			}
12539 			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
12540 		} else {
12541 			/* Must fit in a MTU */
12542 			tot_out = sndlen;
12543 			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
12544 			if (tot_demand > SCTP_DEFAULT_ADD_MORE) {
12545 				/* To big */
12546 				SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12547 				error = EMSGSIZE;
12548 				goto out;
12549 			}
12550 			mm = sctp_get_mbuf_for_msg(tot_demand, 0, M_WAIT, 1, MT_DATA);
12551 		}
12552 		if (mm == NULL) {
12553 			SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12554 			error = ENOMEM;
12555 			goto out;
12556 		}
12557 		max_out = asoc->smallest_mtu - sizeof(struct sctp_paramhdr);
12558 		max_out -= sizeof(struct sctp_abort_msg);
12559 		if (tot_out > max_out) {
12560 			tot_out = max_out;
12561 		}
12562 		if (mm) {
12563 			struct sctp_paramhdr *ph;
12564 
12565 			/* now move forward the data pointer */
12566 			ph = mtod(mm, struct sctp_paramhdr *);
12567 			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
12568 			ph->param_length = htons((sizeof(struct sctp_paramhdr) + tot_out));
12569 			ph++;
12570 			SCTP_BUF_LEN(mm) = tot_out + sizeof(struct sctp_paramhdr);
12571 			if (top == NULL) {
12572 				error = uiomove((caddr_t)ph, (int)tot_out, uio);
12573 				if (error) {
12574 					/*-
12575 					 * Here if we can't get his data we
12576 					 * still abort we just don't get to
12577 					 * send the users note :-0
12578 					 */
12579 					sctp_m_freem(mm);
12580 					mm = NULL;
12581 				}
12582 			} else {
12583 				if (sndlen != 0) {
12584 					SCTP_BUF_NEXT(mm) = top;
12585 				}
12586 			}
12587 		}
12588 		if (hold_tcblock == 0) {
12589 			SCTP_TCB_LOCK(stcb);
12590 			hold_tcblock = 1;
12591 		}
12592 		atomic_add_int(&stcb->asoc.refcnt, -1);
12593 		free_cnt_applied = 0;
12594 		/* release this lock, otherwise we hang on ourselves */
12595 		sctp_abort_an_association(stcb->sctp_ep, stcb,
12596 		    SCTP_RESPONSE_TO_USER_REQ,
12597 		    mm, SCTP_SO_LOCKED);
12598 		/* now relock the stcb so everything is sane */
12599 		hold_tcblock = 0;
12600 		stcb = NULL;
12601 		/*
12602 		 * In this case top is already chained to mm avoid double
12603 		 * free, since we free it below if top != NULL and driver
12604 		 * would free it after sending the packet out
12605 		 */
12606 		if (sndlen != 0) {
12607 			top = NULL;
12608 		}
12609 		goto out_unlocked;
12610 	}
12611 	/* Calculate the maximum we can send */
12612 	inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12613 	if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
12614 		if (non_blocking) {
12615 			/* we already checked for non-blocking above. */
12616 			max_len = sndlen;
12617 		} else {
12618 			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12619 		}
12620 	} else {
12621 		max_len = 0;
12622 	}
12623 	if (hold_tcblock) {
12624 		SCTP_TCB_UNLOCK(stcb);
12625 		hold_tcblock = 0;
12626 	}
12627 	/* Is the stream no. valid? */
12628 	if (srcv->sinfo_stream >= asoc->streamoutcnt) {
12629 		/* Invalid stream number */
12630 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12631 		error = EINVAL;
12632 		goto out_unlocked;
12633 	}
12634 	if (asoc->strmout == NULL) {
12635 		/* huh? software error */
12636 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12637 		error = EFAULT;
12638 		goto out_unlocked;
12639 	}
12640 	/* Unless E_EOR mode is on, we must make a send FIT in one call. */
12641 	if ((user_marks_eor == 0) &&
12642 	    (sndlen > SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
12643 		/* It will NEVER fit */
12644 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12645 		error = EMSGSIZE;
12646 		goto out_unlocked;
12647 	}
12648 	if ((uio == NULL) && user_marks_eor) {
12649 		/*-
12650 		 * We do not support eeor mode for
12651 		 * sending with mbuf chains (like sendfile).
12652 		 */
12653 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12654 		error = EINVAL;
12655 		goto out_unlocked;
12656 	}
12657 	if (user_marks_eor) {
12658 		local_add_more = min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
12659 	} else {
12660 		/*-
12661 		 * For non-eeor the whole message must fit in
12662 		 * the socket send buffer.
12663 		 */
12664 		local_add_more = sndlen;
12665 	}
12666 	len = 0;
12667 	if (non_blocking) {
12668 		goto skip_preblock;
12669 	}
12670 	if (((max_len <= local_add_more) &&
12671 	    (SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
12672 	    (max_len == 0) ||
12673 	    ((stcb->asoc.chunks_on_out_queue + stcb->asoc.stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12674 		/* No room right now ! */
12675 		SOCKBUF_LOCK(&so->so_snd);
12676 		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12677 		while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
12678 		    ((stcb->asoc.stream_queue_cnt + stcb->asoc.chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12679 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %d) || (%d+%d > %d)\n",
12680 			    (unsigned int)SCTP_SB_LIMIT_SND(so),
12681 			    inqueue_bytes,
12682 			    local_add_more,
12683 			    stcb->asoc.stream_queue_cnt,
12684 			    stcb->asoc.chunks_on_out_queue,
12685 			    SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue));
12686 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
12687 				sctp_log_block(SCTP_BLOCK_LOG_INTO_BLKA, so, asoc, sndlen);
12688 			}
12689 			be.error = 0;
12690 			stcb->block_entry = &be;
12691 			error = sbwait(&so->so_snd);
12692 			stcb->block_entry = NULL;
12693 			if (error || so->so_error || be.error) {
12694 				if (error == 0) {
12695 					if (so->so_error)
12696 						error = so->so_error;
12697 					if (be.error) {
12698 						error = be.error;
12699 					}
12700 				}
12701 				SOCKBUF_UNLOCK(&so->so_snd);
12702 				goto out_unlocked;
12703 			}
12704 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
12705 				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
12706 				    so, asoc, stcb->asoc.total_output_queue_size);
12707 			}
12708 			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12709 				goto out_unlocked;
12710 			}
12711 			inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12712 		}
12713 		if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
12714 			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12715 		} else {
12716 			max_len = 0;
12717 		}
12718 		SOCKBUF_UNLOCK(&so->so_snd);
12719 	}
12720 skip_preblock:
12721 	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12722 		goto out_unlocked;
12723 	}
12724 	/*
12725 	 * sndlen covers for mbuf case uio_resid covers for the non-mbuf
12726 	 * case NOTE: uio will be null when top/mbuf is passed
12727 	 */
12728 	if (sndlen == 0) {
12729 		if (srcv->sinfo_flags & SCTP_EOF) {
12730 			got_all_of_the_send = 1;
12731 			goto dataless_eof;
12732 		} else {
12733 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12734 			error = EINVAL;
12735 			goto out;
12736 		}
12737 	}
12738 	if (top == NULL) {
12739 		struct sctp_stream_queue_pending *sp;
12740 		struct sctp_stream_out *strm;
12741 		uint32_t sndout;
12742 
12743 		SCTP_TCB_SEND_LOCK(stcb);
12744 		if ((asoc->stream_locked) &&
12745 		    (asoc->stream_locked_on != srcv->sinfo_stream)) {
12746 			SCTP_TCB_SEND_UNLOCK(stcb);
12747 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12748 			error = EINVAL;
12749 			goto out;
12750 		}
12751 		SCTP_TCB_SEND_UNLOCK(stcb);
12752 
12753 		strm = &stcb->asoc.strmout[srcv->sinfo_stream];
12754 		if (strm->last_msg_incomplete == 0) {
12755 	do_a_copy_in:
12756 			sp = sctp_copy_it_in(stcb, asoc, srcv, uio, net, max_len, user_marks_eor, &error, non_blocking);
12757 			if ((sp == NULL) || (error)) {
12758 				goto out;
12759 			}
12760 			SCTP_TCB_SEND_LOCK(stcb);
12761 			if (sp->msg_is_complete) {
12762 				strm->last_msg_incomplete = 0;
12763 				asoc->stream_locked = 0;
12764 			} else {
12765 				/*
12766 				 * Just got locked to this guy in case of an
12767 				 * interrupt.
12768 				 */
12769 				strm->last_msg_incomplete = 1;
12770 				asoc->stream_locked = 1;
12771 				asoc->stream_locked_on = srcv->sinfo_stream;
12772 				sp->sender_all_done = 0;
12773 			}
12774 			sctp_snd_sb_alloc(stcb, sp->length);
12775 			atomic_add_int(&asoc->stream_queue_cnt, 1);
12776 			if ((srcv->sinfo_flags & SCTP_UNORDERED) == 0) {
12777 				sp->strseq = strm->next_sequence_sent;
12778 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_SCTP) {
12779 					sctp_misc_ints(SCTP_STRMOUT_LOG_ASSIGN,
12780 					    (uintptr_t) stcb, sp->length,
12781 					    (uint32_t) ((srcv->sinfo_stream << 16) | sp->strseq), 0);
12782 				}
12783 				strm->next_sequence_sent++;
12784 			} else {
12785 				SCTP_STAT_INCR(sctps_sends_with_unord);
12786 			}
12787 			TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
12788 			stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp, 1);
12789 			SCTP_TCB_SEND_UNLOCK(stcb);
12790 		} else {
12791 			SCTP_TCB_SEND_LOCK(stcb);
12792 			sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
12793 			SCTP_TCB_SEND_UNLOCK(stcb);
12794 			if (sp == NULL) {
12795 				/* ???? Huh ??? last msg is gone */
12796 #ifdef INVARIANTS
12797 				panic("Warning: Last msg marked incomplete, yet nothing left?");
12798 #else
12799 				SCTP_PRINTF("Warning: Last msg marked incomplete, yet nothing left?\n");
12800 				strm->last_msg_incomplete = 0;
12801 #endif
12802 				goto do_a_copy_in;
12803 
12804 			}
12805 		}
12806 		while (uio->uio_resid > 0) {
12807 			/* How much room do we have? */
12808 			struct mbuf *new_tail, *mm;
12809 
12810 			if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
12811 				max_len = SCTP_SB_LIMIT_SND(so) - stcb->asoc.total_output_queue_size;
12812 			else
12813 				max_len = 0;
12814 
12815 			if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
12816 			    (max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
12817 			    (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
12818 				sndout = 0;
12819 				new_tail = NULL;
12820 				if (hold_tcblock) {
12821 					SCTP_TCB_UNLOCK(stcb);
12822 					hold_tcblock = 0;
12823 				}
12824 				mm = sctp_copy_resume(sp, uio, srcv, max_len, user_marks_eor, &error, &sndout, &new_tail);
12825 				if ((mm == NULL) || error) {
12826 					if (mm) {
12827 						sctp_m_freem(mm);
12828 					}
12829 					goto out;
12830 				}
12831 				/* Update the mbuf and count */
12832 				SCTP_TCB_SEND_LOCK(stcb);
12833 				if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12834 					/*
12835 					 * we need to get out. Peer probably
12836 					 * aborted.
12837 					 */
12838 					sctp_m_freem(mm);
12839 					if (stcb->asoc.state & SCTP_PCB_FLAGS_WAS_ABORTED) {
12840 						SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12841 						error = ECONNRESET;
12842 					}
12843 					SCTP_TCB_SEND_UNLOCK(stcb);
12844 					goto out;
12845 				}
12846 				if (sp->tail_mbuf) {
12847 					/* tack it to the end */
12848 					SCTP_BUF_NEXT(sp->tail_mbuf) = mm;
12849 					sp->tail_mbuf = new_tail;
12850 				} else {
12851 					/* A stolen mbuf */
12852 					sp->data = mm;
12853 					sp->tail_mbuf = new_tail;
12854 				}
12855 				sctp_snd_sb_alloc(stcb, sndout);
12856 				atomic_add_int(&sp->length, sndout);
12857 				len += sndout;
12858 
12859 				/* Did we reach EOR? */
12860 				if ((uio->uio_resid == 0) &&
12861 				    ((user_marks_eor == 0) ||
12862 				    (srcv->sinfo_flags & SCTP_EOF) ||
12863 				    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
12864 					sp->msg_is_complete = 1;
12865 				} else {
12866 					sp->msg_is_complete = 0;
12867 				}
12868 				SCTP_TCB_SEND_UNLOCK(stcb);
12869 			}
12870 			if (uio->uio_resid == 0) {
12871 				/* got it all? */
12872 				continue;
12873 			}
12874 			/* PR-SCTP? */
12875 			if ((asoc->peer_supports_prsctp) && (asoc->sent_queue_cnt_removeable > 0)) {
12876 				/*
12877 				 * This is ugly but we must assure locking
12878 				 * order
12879 				 */
12880 				if (hold_tcblock == 0) {
12881 					SCTP_TCB_LOCK(stcb);
12882 					hold_tcblock = 1;
12883 				}
12884 				sctp_prune_prsctp(stcb, asoc, srcv, sndlen);
12885 				inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12886 				if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
12887 					max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12888 				else
12889 					max_len = 0;
12890 				if (max_len > 0) {
12891 					continue;
12892 				}
12893 				SCTP_TCB_UNLOCK(stcb);
12894 				hold_tcblock = 0;
12895 			}
12896 			/* wait for space now */
12897 			if (non_blocking) {
12898 				/* Non-blocking io in place out */
12899 				goto skip_out_eof;
12900 			}
12901 			/* What about the INIT, send it maybe */
12902 			if (queue_only_for_init) {
12903 				if (hold_tcblock == 0) {
12904 					SCTP_TCB_LOCK(stcb);
12905 					hold_tcblock = 1;
12906 				}
12907 				if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
12908 					/* a collision took us forward? */
12909 					queue_only = 0;
12910 				} else {
12911 					sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
12912 					SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
12913 					queue_only = 1;
12914 				}
12915 			}
12916 			if ((net->flight_size > net->cwnd) &&
12917 			    (asoc->sctp_cmt_on_off == 0)) {
12918 				SCTP_STAT_INCR(sctps_send_cwnd_avoid);
12919 				queue_only = 1;
12920 			} else if (asoc->ifp_had_enobuf) {
12921 				SCTP_STAT_INCR(sctps_ifnomemqueued);
12922 				if (net->flight_size > (2 * net->mtu)) {
12923 					queue_only = 1;
12924 				}
12925 				asoc->ifp_had_enobuf = 0;
12926 			}
12927 			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
12928 			    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
12929 			if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
12930 			    (stcb->asoc.total_flight > 0) &&
12931 			    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
12932 			    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
12933 
12934 				/*-
12935 				 * Ok, Nagle is set on and we have data outstanding.
12936 				 * Don't send anything and let SACKs drive out the
12937 				 * data unless wen have a "full" segment to send.
12938 				 */
12939 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
12940 					sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
12941 				}
12942 				SCTP_STAT_INCR(sctps_naglequeued);
12943 				nagle_applies = 1;
12944 			} else {
12945 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
12946 					if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
12947 						sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
12948 				}
12949 				SCTP_STAT_INCR(sctps_naglesent);
12950 				nagle_applies = 0;
12951 			}
12952 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
12953 
12954 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
12955 				    nagle_applies, un_sent);
12956 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
12957 				    stcb->asoc.total_flight,
12958 				    stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
12959 			}
12960 			if (queue_only_for_init)
12961 				queue_only_for_init = 0;
12962 			if ((queue_only == 0) && (nagle_applies == 0)) {
12963 				/*-
12964 				 * need to start chunk output
12965 				 * before blocking.. note that if
12966 				 * a lock is already applied, then
12967 				 * the input via the net is happening
12968 				 * and I don't need to start output :-D
12969 				 */
12970 				if (hold_tcblock == 0) {
12971 					if (SCTP_TCB_TRYLOCK(stcb)) {
12972 						hold_tcblock = 1;
12973 						sctp_chunk_output(inp,
12974 						    stcb,
12975 						    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
12976 					}
12977 				} else {
12978 					sctp_chunk_output(inp,
12979 					    stcb,
12980 					    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
12981 				}
12982 				if (hold_tcblock == 1) {
12983 					SCTP_TCB_UNLOCK(stcb);
12984 					hold_tcblock = 0;
12985 				}
12986 			}
12987 			SOCKBUF_LOCK(&so->so_snd);
12988 			/*-
12989 			 * This is a bit strange, but I think it will
12990 			 * work. The total_output_queue_size is locked and
12991 			 * protected by the TCB_LOCK, which we just released.
12992 			 * There is a race that can occur between releasing it
12993 			 * above, and me getting the socket lock, where sacks
12994 			 * come in but we have not put the SB_WAIT on the
12995 			 * so_snd buffer to get the wakeup. After the LOCK
12996 			 * is applied the sack_processing will also need to
12997 			 * LOCK the so->so_snd to do the actual sowwakeup(). So
12998 			 * once we have the socket buffer lock if we recheck the
12999 			 * size we KNOW we will get to sleep safely with the
13000 			 * wakeup flag in place.
13001 			 */
13002 			if (SCTP_SB_LIMIT_SND(so) <= (stcb->asoc.total_output_queue_size +
13003 			    min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
13004 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13005 					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13006 					    so, asoc, uio->uio_resid);
13007 				}
13008 				be.error = 0;
13009 				stcb->block_entry = &be;
13010 				error = sbwait(&so->so_snd);
13011 				stcb->block_entry = NULL;
13012 
13013 				if (error || so->so_error || be.error) {
13014 					if (error == 0) {
13015 						if (so->so_error)
13016 							error = so->so_error;
13017 						if (be.error) {
13018 							error = be.error;
13019 						}
13020 					}
13021 					SOCKBUF_UNLOCK(&so->so_snd);
13022 					goto out_unlocked;
13023 				}
13024 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13025 					sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13026 					    so, asoc, stcb->asoc.total_output_queue_size);
13027 				}
13028 			}
13029 			SOCKBUF_UNLOCK(&so->so_snd);
13030 			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13031 				goto out_unlocked;
13032 			}
13033 		}
13034 		SCTP_TCB_SEND_LOCK(stcb);
13035 		if (sp) {
13036 			if (sp->msg_is_complete == 0) {
13037 				strm->last_msg_incomplete = 1;
13038 				asoc->stream_locked = 1;
13039 				asoc->stream_locked_on = srcv->sinfo_stream;
13040 			} else {
13041 				sp->sender_all_done = 1;
13042 				strm->last_msg_incomplete = 0;
13043 				asoc->stream_locked = 0;
13044 			}
13045 		} else {
13046 			SCTP_PRINTF("Huh no sp TSNH?\n");
13047 			strm->last_msg_incomplete = 0;
13048 			asoc->stream_locked = 0;
13049 		}
13050 		SCTP_TCB_SEND_UNLOCK(stcb);
13051 		if (uio->uio_resid == 0) {
13052 			got_all_of_the_send = 1;
13053 		}
13054 	} else {
13055 		/* We send in a 0, since we do NOT have any locks */
13056 		error = sctp_msg_append(stcb, net, top, srcv, 0);
13057 		top = NULL;
13058 		if (srcv->sinfo_flags & SCTP_EOF) {
13059 			/*
13060 			 * This should only happen for Panda for the mbuf
13061 			 * send case, which does NOT yet support EEOR mode.
13062 			 * Thus, we can just set this flag to do the proper
13063 			 * EOF handling.
13064 			 */
13065 			got_all_of_the_send = 1;
13066 		}
13067 	}
13068 	if (error) {
13069 		goto out;
13070 	}
13071 dataless_eof:
13072 	/* EOF thing ? */
13073 	if ((srcv->sinfo_flags & SCTP_EOF) &&
13074 	    (got_all_of_the_send == 1) &&
13075 	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
13076 		int cnt;
13077 
13078 		SCTP_STAT_INCR(sctps_sends_with_eof);
13079 		error = 0;
13080 		if (hold_tcblock == 0) {
13081 			SCTP_TCB_LOCK(stcb);
13082 			hold_tcblock = 1;
13083 		}
13084 		cnt = sctp_is_there_unsent_data(stcb);
13085 		if (TAILQ_EMPTY(&asoc->send_queue) &&
13086 		    TAILQ_EMPTY(&asoc->sent_queue) &&
13087 		    (cnt == 0)) {
13088 			if (asoc->locked_on_sending) {
13089 				goto abort_anyway;
13090 			}
13091 			/* there is nothing queued to send, so I'm done... */
13092 			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
13093 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13094 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13095 				/* only send SHUTDOWN the first time through */
13096 				sctp_send_shutdown(stcb, stcb->asoc.primary_destination);
13097 				if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
13098 					SCTP_STAT_DECR_GAUGE32(sctps_currestab);
13099 				}
13100 				SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
13101 				SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
13102 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
13103 				    asoc->primary_destination);
13104 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13105 				    asoc->primary_destination);
13106 			}
13107 		} else {
13108 			/*-
13109 			 * we still got (or just got) data to send, so set
13110 			 * SHUTDOWN_PENDING
13111 			 */
13112 			/*-
13113 			 * XXX sockets draft says that SCTP_EOF should be
13114 			 * sent with no data.  currently, we will allow user
13115 			 * data to be sent first and move to
13116 			 * SHUTDOWN-PENDING
13117 			 */
13118 			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
13119 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13120 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13121 				if (hold_tcblock == 0) {
13122 					SCTP_TCB_LOCK(stcb);
13123 					hold_tcblock = 1;
13124 				}
13125 				if (asoc->locked_on_sending) {
13126 					/* Locked to send out the data */
13127 					struct sctp_stream_queue_pending *sp;
13128 
13129 					sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
13130 					if (sp) {
13131 						if ((sp->length == 0) && (sp->msg_is_complete == 0))
13132 							asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
13133 					}
13134 				}
13135 				asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
13136 				if (TAILQ_EMPTY(&asoc->send_queue) &&
13137 				    TAILQ_EMPTY(&asoc->sent_queue) &&
13138 				    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
13139 			abort_anyway:
13140 					if (free_cnt_applied) {
13141 						atomic_add_int(&stcb->asoc.refcnt, -1);
13142 						free_cnt_applied = 0;
13143 					}
13144 					sctp_abort_an_association(stcb->sctp_ep, stcb,
13145 					    SCTP_RESPONSE_TO_USER_REQ,
13146 					    NULL, SCTP_SO_LOCKED);
13147 					/*
13148 					 * now relock the stcb so everything
13149 					 * is sane
13150 					 */
13151 					hold_tcblock = 0;
13152 					stcb = NULL;
13153 					goto out;
13154 				}
13155 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13156 				    asoc->primary_destination);
13157 				sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
13158 			}
13159 		}
13160 	}
13161 skip_out_eof:
13162 	if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
13163 		some_on_control = 1;
13164 	}
13165 	if (queue_only_for_init) {
13166 		if (hold_tcblock == 0) {
13167 			SCTP_TCB_LOCK(stcb);
13168 			hold_tcblock = 1;
13169 		}
13170 		if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
13171 			/* a collision took us forward? */
13172 			queue_only = 0;
13173 		} else {
13174 			sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13175 			SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_WAIT);
13176 			queue_only = 1;
13177 		}
13178 	}
13179 	if ((net->flight_size > net->cwnd) &&
13180 	    (stcb->asoc.sctp_cmt_on_off == 0)) {
13181 		SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13182 		queue_only = 1;
13183 	} else if (asoc->ifp_had_enobuf) {
13184 		SCTP_STAT_INCR(sctps_ifnomemqueued);
13185 		if (net->flight_size > (2 * net->mtu)) {
13186 			queue_only = 1;
13187 		}
13188 		asoc->ifp_had_enobuf = 0;
13189 	}
13190 	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
13191 	    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
13192 	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13193 	    (stcb->asoc.total_flight > 0) &&
13194 	    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13195 	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
13196 		/*-
13197 		 * Ok, Nagle is set on and we have data outstanding.
13198 		 * Don't send anything and let SACKs drive out the
13199 		 * data unless wen have a "full" segment to send.
13200 		 */
13201 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13202 			sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13203 		}
13204 		SCTP_STAT_INCR(sctps_naglequeued);
13205 		nagle_applies = 1;
13206 	} else {
13207 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13208 			if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13209 				sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13210 		}
13211 		SCTP_STAT_INCR(sctps_naglesent);
13212 		nagle_applies = 0;
13213 	}
13214 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13215 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13216 		    nagle_applies, un_sent);
13217 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
13218 		    stcb->asoc.total_flight,
13219 		    stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
13220 	}
13221 	if (queue_only_for_init)
13222 		queue_only_for_init = 0;
13223 	if ((queue_only == 0) && (nagle_applies == 0) && (stcb->asoc.peers_rwnd && un_sent)) {
13224 		/* we can attempt to send too. */
13225 		if (hold_tcblock == 0) {
13226 			/*
13227 			 * If there is activity recv'ing sacks no need to
13228 			 * send
13229 			 */
13230 			if (SCTP_TCB_TRYLOCK(stcb)) {
13231 				sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13232 				hold_tcblock = 1;
13233 			}
13234 		} else {
13235 			sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13236 		}
13237 	} else if ((queue_only == 0) &&
13238 		    (stcb->asoc.peers_rwnd == 0) &&
13239 	    (stcb->asoc.total_flight == 0)) {
13240 		/* We get to have a probe outstanding */
13241 		if (hold_tcblock == 0) {
13242 			hold_tcblock = 1;
13243 			SCTP_TCB_LOCK(stcb);
13244 		}
13245 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13246 	} else if (some_on_control) {
13247 		int num_out, reason, frag_point;
13248 
13249 		/* Here we do control only */
13250 		if (hold_tcblock == 0) {
13251 			hold_tcblock = 1;
13252 			SCTP_TCB_LOCK(stcb);
13253 		}
13254 		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
13255 		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
13256 		    &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_LOCKED);
13257 	}
13258 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "USR Send complete qo:%d prw:%d unsent:%d tf:%d cooq:%d toqs:%d err:%d\n",
13259 	    queue_only, stcb->asoc.peers_rwnd, un_sent,
13260 	    stcb->asoc.total_flight, stcb->asoc.chunks_on_out_queue,
13261 	    stcb->asoc.total_output_queue_size, error);
13262 
13263 out:
13264 out_unlocked:
13265 
13266 	if (local_soresv && stcb) {
13267 		atomic_subtract_int(&stcb->asoc.sb_send_resv, sndlen);
13268 		local_soresv = 0;
13269 	}
13270 	if (create_lock_applied) {
13271 		SCTP_ASOC_CREATE_UNLOCK(inp);
13272 		create_lock_applied = 0;
13273 	}
13274 	if ((stcb) && hold_tcblock) {
13275 		SCTP_TCB_UNLOCK(stcb);
13276 	}
13277 	if (stcb && free_cnt_applied) {
13278 		atomic_add_int(&stcb->asoc.refcnt, -1);
13279 	}
13280 #ifdef INVARIANTS
13281 	if (stcb) {
13282 		if (mtx_owned(&stcb->tcb_mtx)) {
13283 			panic("Leaving with tcb mtx owned?");
13284 		}
13285 		if (mtx_owned(&stcb->tcb_send_mtx)) {
13286 			panic("Leaving with tcb send mtx owned?");
13287 		}
13288 	}
13289 #endif
13290 #ifdef INVARIANTS
13291 	if (inp) {
13292 		sctp_validate_no_locks(inp);
13293 	} else {
13294 		printf("Warning - inp is NULL so cant validate locks\n");
13295 	}
13296 #endif
13297 	if (top) {
13298 		sctp_m_freem(top);
13299 	}
13300 	if (control) {
13301 		sctp_m_freem(control);
13302 	}
13303 	return (error);
13304 }
13305 
13306 
13307 /*
13308  * generate an AUTHentication chunk, if required
13309  */
13310 struct mbuf *
13311 sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
13312     struct sctp_auth_chunk **auth_ret, uint32_t * offset,
13313     struct sctp_tcb *stcb, uint8_t chunk)
13314 {
13315 	struct mbuf *m_auth;
13316 	struct sctp_auth_chunk *auth;
13317 	int chunk_len;
13318 
13319 	if ((m_end == NULL) || (auth_ret == NULL) || (offset == NULL) ||
13320 	    (stcb == NULL))
13321 		return (m);
13322 
13323 	/* sysctl disabled auth? */
13324 	if (SCTP_BASE_SYSCTL(sctp_auth_disable))
13325 		return (m);
13326 
13327 	/* peer doesn't do auth... */
13328 	if (!stcb->asoc.peer_supports_auth) {
13329 		return (m);
13330 	}
13331 	/* does the requested chunk require auth? */
13332 	if (!sctp_auth_is_required_chunk(chunk, stcb->asoc.peer_auth_chunks)) {
13333 		return (m);
13334 	}
13335 	m_auth = sctp_get_mbuf_for_msg(sizeof(*auth), 0, M_DONTWAIT, 1, MT_HEADER);
13336 	if (m_auth == NULL) {
13337 		/* no mbuf's */
13338 		return (m);
13339 	}
13340 	/* reserve some space if this will be the first mbuf */
13341 	if (m == NULL)
13342 		SCTP_BUF_RESV_UF(m_auth, SCTP_MIN_OVERHEAD);
13343 	/* fill in the AUTH chunk details */
13344 	auth = mtod(m_auth, struct sctp_auth_chunk *);
13345 	bzero(auth, sizeof(*auth));
13346 	auth->ch.chunk_type = SCTP_AUTHENTICATION;
13347 	auth->ch.chunk_flags = 0;
13348 	chunk_len = sizeof(*auth) +
13349 	    sctp_get_hmac_digest_len(stcb->asoc.peer_hmac_id);
13350 	auth->ch.chunk_length = htons(chunk_len);
13351 	auth->hmac_id = htons(stcb->asoc.peer_hmac_id);
13352 	/* key id and hmac digest will be computed and filled in upon send */
13353 
13354 	/* save the offset where the auth was inserted into the chain */
13355 	if (m != NULL) {
13356 		struct mbuf *cn;
13357 
13358 		*offset = 0;
13359 		cn = m;
13360 		while (cn) {
13361 			*offset += SCTP_BUF_LEN(cn);
13362 			cn = SCTP_BUF_NEXT(cn);
13363 		}
13364 	} else
13365 		*offset = 0;
13366 
13367 	/* update length and return pointer to the auth chunk */
13368 	SCTP_BUF_LEN(m_auth) = chunk_len;
13369 	m = sctp_copy_mbufchain(m_auth, m, m_end, 1, chunk_len, 0);
13370 	if (auth_ret != NULL)
13371 		*auth_ret = auth;
13372 
13373 	return (m);
13374 }
13375 
13376 #ifdef INET6
13377 int
13378 sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t * ro)
13379 {
13380 	struct nd_prefix *pfx = NULL;
13381 	struct nd_pfxrouter *pfxrtr = NULL;
13382 	struct sockaddr_in6 gw6;
13383 
13384 	if (ro == NULL || ro->ro_rt == NULL || src6->sin6_family != AF_INET6)
13385 		return (0);
13386 
13387 	/* get prefix entry of address */
13388 	LIST_FOREACH(pfx, &MODULE_GLOBAL(nd_prefix), ndpr_entry) {
13389 		if (pfx->ndpr_stateflags & NDPRF_DETACHED)
13390 			continue;
13391 		if (IN6_ARE_MASKED_ADDR_EQUAL(&pfx->ndpr_prefix.sin6_addr,
13392 		    &src6->sin6_addr, &pfx->ndpr_mask))
13393 			break;
13394 	}
13395 	/* no prefix entry in the prefix list */
13396 	if (pfx == NULL) {
13397 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefix entry for ");
13398 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13399 		return (0);
13400 	}
13401 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "v6src_match_nexthop(), Prefix entry is ");
13402 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13403 
13404 	/* search installed gateway from prefix entry */
13405 	for (pfxrtr = pfx->ndpr_advrtrs.lh_first; pfxrtr; pfxrtr =
13406 	    pfxrtr->pfr_next) {
13407 		memset(&gw6, 0, sizeof(struct sockaddr_in6));
13408 		gw6.sin6_family = AF_INET6;
13409 		gw6.sin6_len = sizeof(struct sockaddr_in6);
13410 		memcpy(&gw6.sin6_addr, &pfxrtr->router->rtaddr,
13411 		    sizeof(struct in6_addr));
13412 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "prefix router is ");
13413 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&gw6);
13414 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "installed router is ");
13415 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
13416 		if (sctp_cmpaddr((struct sockaddr *)&gw6,
13417 		    ro->ro_rt->rt_gateway)) {
13418 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is installed\n");
13419 			return (1);
13420 		}
13421 	}
13422 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is not installed\n");
13423 	return (0);
13424 }
13425 
13426 #endif
13427 
13428 int
13429 sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t * ro)
13430 {
13431 	struct sockaddr_in *sin, *mask;
13432 	struct ifaddr *ifa;
13433 	struct in_addr srcnetaddr, gwnetaddr;
13434 
13435 	if (ro == NULL || ro->ro_rt == NULL ||
13436 	    sifa->address.sa.sa_family != AF_INET) {
13437 		return (0);
13438 	}
13439 	ifa = (struct ifaddr *)sifa->ifa;
13440 	mask = (struct sockaddr_in *)(ifa->ifa_netmask);
13441 	sin = (struct sockaddr_in *)&sifa->address.sin;
13442 	srcnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13443 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: src address is ");
13444 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
13445 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", srcnetaddr.s_addr);
13446 
13447 	sin = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
13448 	gwnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13449 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: nexthop is ");
13450 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
13451 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", gwnetaddr.s_addr);
13452 	if (srcnetaddr.s_addr == gwnetaddr.s_addr) {
13453 		return (1);
13454 	}
13455 	return (0);
13456 }
13457