1/*-
2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 *    this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in
14 *    the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 *    contributors may be used to endorse or promote products derived
18 *    from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#ifdef __FreeBSD__
34#include <sys/cdefs.h>
35__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 271230 2014-09-07 18:05:37Z tuexen $");
36#endif
37
38#include <netinet/sctp_os.h>
39#ifdef __FreeBSD__
40#include <sys/proc.h>
41#endif
42#include <netinet/sctp_var.h>
43#include <netinet/sctp_sysctl.h>
44#include <netinet/sctp_header.h>
45#include <netinet/sctp_pcb.h>
46#include <netinet/sctputil.h>
47#include <netinet/sctp_output.h>
48#include <netinet/sctp_uio.h>
49#include <netinet/sctputil.h>
50#include <netinet/sctp_auth.h>
51#include <netinet/sctp_timer.h>
52#include <netinet/sctp_asconf.h>
53#include <netinet/sctp_indata.h>
54#include <netinet/sctp_bsd_addr.h>
55#include <netinet/sctp_input.h>
56#include <netinet/sctp_crc32.h>
57#if defined(__Userspace_os_Linux)
58#define __FAVOR_BSD    /* (on Ubuntu at least) enables UDP header field names like BSD in RFC 768 */
59#endif
60#if defined(INET) || defined(INET6)
61#if !defined(__Userspace_os_Windows)
62#include <netinet/udp.h>
63#endif
64#endif
65#if defined(__APPLE__)
66#include <netinet/in.h>
67#endif
68#if defined(__FreeBSD__)
69#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
70#include <netinet/udp_var.h>
71#endif
72#include <machine/in_cksum.h>
73#endif
74#if defined(__Userspace__) && defined(INET6)
75#include <netinet6/sctp6_var.h>
76#endif
77
78#if defined(__APPLE__)
79#define APPLE_FILE_NO 3
80#endif
81
82#if defined(__APPLE__)
83#if !(defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD))
84#define SCTP_MAX_LINKHDR 16
85#endif
86#endif
87
88#define SCTP_MAX_GAPS_INARRAY 4
89struct sack_track {
90	uint8_t right_edge;	/* mergable on the right edge */
91	uint8_t left_edge;	/* mergable on the left edge */
92	uint8_t num_entries;
93	uint8_t spare;
94	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
95};
96
97struct sack_track sack_array[256] = {
98	{0, 0, 0, 0,		/* 0x00 */
99		{{0, 0},
100		{0, 0},
101		{0, 0},
102		{0, 0}
103		}
104	},
105	{1, 0, 1, 0,		/* 0x01 */
106		{{0, 0},
107		{0, 0},
108		{0, 0},
109		{0, 0}
110		}
111	},
112	{0, 0, 1, 0,		/* 0x02 */
113		{{1, 1},
114		{0, 0},
115		{0, 0},
116		{0, 0}
117		}
118	},
119	{1, 0, 1, 0,		/* 0x03 */
120		{{0, 1},
121		{0, 0},
122		{0, 0},
123		{0, 0}
124		}
125	},
126	{0, 0, 1, 0,		/* 0x04 */
127		{{2, 2},
128		{0, 0},
129		{0, 0},
130		{0, 0}
131		}
132	},
133	{1, 0, 2, 0,		/* 0x05 */
134		{{0, 0},
135		{2, 2},
136		{0, 0},
137		{0, 0}
138		}
139	},
140	{0, 0, 1, 0,		/* 0x06 */
141		{{1, 2},
142		{0, 0},
143		{0, 0},
144		{0, 0}
145		}
146	},
147	{1, 0, 1, 0,		/* 0x07 */
148		{{0, 2},
149		{0, 0},
150		{0, 0},
151		{0, 0}
152		}
153	},
154	{0, 0, 1, 0,		/* 0x08 */
155		{{3, 3},
156		{0, 0},
157		{0, 0},
158		{0, 0}
159		}
160	},
161	{1, 0, 2, 0,		/* 0x09 */
162		{{0, 0},
163		{3, 3},
164		{0, 0},
165		{0, 0}
166		}
167	},
168	{0, 0, 2, 0,		/* 0x0a */
169		{{1, 1},
170		{3, 3},
171		{0, 0},
172		{0, 0}
173		}
174	},
175	{1, 0, 2, 0,		/* 0x0b */
176		{{0, 1},
177		{3, 3},
178		{0, 0},
179		{0, 0}
180		}
181	},
182	{0, 0, 1, 0,		/* 0x0c */
183		{{2, 3},
184		{0, 0},
185		{0, 0},
186		{0, 0}
187		}
188	},
189	{1, 0, 2, 0,		/* 0x0d */
190		{{0, 0},
191		{2, 3},
192		{0, 0},
193		{0, 0}
194		}
195	},
196	{0, 0, 1, 0,		/* 0x0e */
197		{{1, 3},
198		{0, 0},
199		{0, 0},
200		{0, 0}
201		}
202	},
203	{1, 0, 1, 0,		/* 0x0f */
204		{{0, 3},
205		{0, 0},
206		{0, 0},
207		{0, 0}
208		}
209	},
210	{0, 0, 1, 0,		/* 0x10 */
211		{{4, 4},
212		{0, 0},
213		{0, 0},
214		{0, 0}
215		}
216	},
217	{1, 0, 2, 0,		/* 0x11 */
218		{{0, 0},
219		{4, 4},
220		{0, 0},
221		{0, 0}
222		}
223	},
224	{0, 0, 2, 0,		/* 0x12 */
225		{{1, 1},
226		{4, 4},
227		{0, 0},
228		{0, 0}
229		}
230	},
231	{1, 0, 2, 0,		/* 0x13 */
232		{{0, 1},
233		{4, 4},
234		{0, 0},
235		{0, 0}
236		}
237	},
238	{0, 0, 2, 0,		/* 0x14 */
239		{{2, 2},
240		{4, 4},
241		{0, 0},
242		{0, 0}
243		}
244	},
245	{1, 0, 3, 0,		/* 0x15 */
246		{{0, 0},
247		{2, 2},
248		{4, 4},
249		{0, 0}
250		}
251	},
252	{0, 0, 2, 0,		/* 0x16 */
253		{{1, 2},
254		{4, 4},
255		{0, 0},
256		{0, 0}
257		}
258	},
259	{1, 0, 2, 0,		/* 0x17 */
260		{{0, 2},
261		{4, 4},
262		{0, 0},
263		{0, 0}
264		}
265	},
266	{0, 0, 1, 0,		/* 0x18 */
267		{{3, 4},
268		{0, 0},
269		{0, 0},
270		{0, 0}
271		}
272	},
273	{1, 0, 2, 0,		/* 0x19 */
274		{{0, 0},
275		{3, 4},
276		{0, 0},
277		{0, 0}
278		}
279	},
280	{0, 0, 2, 0,		/* 0x1a */
281		{{1, 1},
282		{3, 4},
283		{0, 0},
284		{0, 0}
285		}
286	},
287	{1, 0, 2, 0,		/* 0x1b */
288		{{0, 1},
289		{3, 4},
290		{0, 0},
291		{0, 0}
292		}
293	},
294	{0, 0, 1, 0,		/* 0x1c */
295		{{2, 4},
296		{0, 0},
297		{0, 0},
298		{0, 0}
299		}
300	},
301	{1, 0, 2, 0,		/* 0x1d */
302		{{0, 0},
303		{2, 4},
304		{0, 0},
305		{0, 0}
306		}
307	},
308	{0, 0, 1, 0,		/* 0x1e */
309		{{1, 4},
310		{0, 0},
311		{0, 0},
312		{0, 0}
313		}
314	},
315	{1, 0, 1, 0,		/* 0x1f */
316		{{0, 4},
317		{0, 0},
318		{0, 0},
319		{0, 0}
320		}
321	},
322	{0, 0, 1, 0,		/* 0x20 */
323		{{5, 5},
324		{0, 0},
325		{0, 0},
326		{0, 0}
327		}
328	},
329	{1, 0, 2, 0,		/* 0x21 */
330		{{0, 0},
331		{5, 5},
332		{0, 0},
333		{0, 0}
334		}
335	},
336	{0, 0, 2, 0,		/* 0x22 */
337		{{1, 1},
338		{5, 5},
339		{0, 0},
340		{0, 0}
341		}
342	},
343	{1, 0, 2, 0,		/* 0x23 */
344		{{0, 1},
345		{5, 5},
346		{0, 0},
347		{0, 0}
348		}
349	},
350	{0, 0, 2, 0,		/* 0x24 */
351		{{2, 2},
352		{5, 5},
353		{0, 0},
354		{0, 0}
355		}
356	},
357	{1, 0, 3, 0,		/* 0x25 */
358		{{0, 0},
359		{2, 2},
360		{5, 5},
361		{0, 0}
362		}
363	},
364	{0, 0, 2, 0,		/* 0x26 */
365		{{1, 2},
366		{5, 5},
367		{0, 0},
368		{0, 0}
369		}
370	},
371	{1, 0, 2, 0,		/* 0x27 */
372		{{0, 2},
373		{5, 5},
374		{0, 0},
375		{0, 0}
376		}
377	},
378	{0, 0, 2, 0,		/* 0x28 */
379		{{3, 3},
380		{5, 5},
381		{0, 0},
382		{0, 0}
383		}
384	},
385	{1, 0, 3, 0,		/* 0x29 */
386		{{0, 0},
387		{3, 3},
388		{5, 5},
389		{0, 0}
390		}
391	},
392	{0, 0, 3, 0,		/* 0x2a */
393		{{1, 1},
394		{3, 3},
395		{5, 5},
396		{0, 0}
397		}
398	},
399	{1, 0, 3, 0,		/* 0x2b */
400		{{0, 1},
401		{3, 3},
402		{5, 5},
403		{0, 0}
404		}
405	},
406	{0, 0, 2, 0,		/* 0x2c */
407		{{2, 3},
408		{5, 5},
409		{0, 0},
410		{0, 0}
411		}
412	},
413	{1, 0, 3, 0,		/* 0x2d */
414		{{0, 0},
415		{2, 3},
416		{5, 5},
417		{0, 0}
418		}
419	},
420	{0, 0, 2, 0,		/* 0x2e */
421		{{1, 3},
422		{5, 5},
423		{0, 0},
424		{0, 0}
425		}
426	},
427	{1, 0, 2, 0,		/* 0x2f */
428		{{0, 3},
429		{5, 5},
430		{0, 0},
431		{0, 0}
432		}
433	},
434	{0, 0, 1, 0,		/* 0x30 */
435		{{4, 5},
436		{0, 0},
437		{0, 0},
438		{0, 0}
439		}
440	},
441	{1, 0, 2, 0,		/* 0x31 */
442		{{0, 0},
443		{4, 5},
444		{0, 0},
445		{0, 0}
446		}
447	},
448	{0, 0, 2, 0,		/* 0x32 */
449		{{1, 1},
450		{4, 5},
451		{0, 0},
452		{0, 0}
453		}
454	},
455	{1, 0, 2, 0,		/* 0x33 */
456		{{0, 1},
457		{4, 5},
458		{0, 0},
459		{0, 0}
460		}
461	},
462	{0, 0, 2, 0,		/* 0x34 */
463		{{2, 2},
464		{4, 5},
465		{0, 0},
466		{0, 0}
467		}
468	},
469	{1, 0, 3, 0,		/* 0x35 */
470		{{0, 0},
471		{2, 2},
472		{4, 5},
473		{0, 0}
474		}
475	},
476	{0, 0, 2, 0,		/* 0x36 */
477		{{1, 2},
478		{4, 5},
479		{0, 0},
480		{0, 0}
481		}
482	},
483	{1, 0, 2, 0,		/* 0x37 */
484		{{0, 2},
485		{4, 5},
486		{0, 0},
487		{0, 0}
488		}
489	},
490	{0, 0, 1, 0,		/* 0x38 */
491		{{3, 5},
492		{0, 0},
493		{0, 0},
494		{0, 0}
495		}
496	},
497	{1, 0, 2, 0,		/* 0x39 */
498		{{0, 0},
499		{3, 5},
500		{0, 0},
501		{0, 0}
502		}
503	},
504	{0, 0, 2, 0,		/* 0x3a */
505		{{1, 1},
506		{3, 5},
507		{0, 0},
508		{0, 0}
509		}
510	},
511	{1, 0, 2, 0,		/* 0x3b */
512		{{0, 1},
513		{3, 5},
514		{0, 0},
515		{0, 0}
516		}
517	},
518	{0, 0, 1, 0,		/* 0x3c */
519		{{2, 5},
520		{0, 0},
521		{0, 0},
522		{0, 0}
523		}
524	},
525	{1, 0, 2, 0,		/* 0x3d */
526		{{0, 0},
527		{2, 5},
528		{0, 0},
529		{0, 0}
530		}
531	},
532	{0, 0, 1, 0,		/* 0x3e */
533		{{1, 5},
534		{0, 0},
535		{0, 0},
536		{0, 0}
537		}
538	},
539	{1, 0, 1, 0,		/* 0x3f */
540		{{0, 5},
541		{0, 0},
542		{0, 0},
543		{0, 0}
544		}
545	},
546	{0, 0, 1, 0,		/* 0x40 */
547		{{6, 6},
548		{0, 0},
549		{0, 0},
550		{0, 0}
551		}
552	},
553	{1, 0, 2, 0,		/* 0x41 */
554		{{0, 0},
555		{6, 6},
556		{0, 0},
557		{0, 0}
558		}
559	},
560	{0, 0, 2, 0,		/* 0x42 */
561		{{1, 1},
562		{6, 6},
563		{0, 0},
564		{0, 0}
565		}
566	},
567	{1, 0, 2, 0,		/* 0x43 */
568		{{0, 1},
569		{6, 6},
570		{0, 0},
571		{0, 0}
572		}
573	},
574	{0, 0, 2, 0,		/* 0x44 */
575		{{2, 2},
576		{6, 6},
577		{0, 0},
578		{0, 0}
579		}
580	},
581	{1, 0, 3, 0,		/* 0x45 */
582		{{0, 0},
583		{2, 2},
584		{6, 6},
585		{0, 0}
586		}
587	},
588	{0, 0, 2, 0,		/* 0x46 */
589		{{1, 2},
590		{6, 6},
591		{0, 0},
592		{0, 0}
593		}
594	},
595	{1, 0, 2, 0,		/* 0x47 */
596		{{0, 2},
597		{6, 6},
598		{0, 0},
599		{0, 0}
600		}
601	},
602	{0, 0, 2, 0,		/* 0x48 */
603		{{3, 3},
604		{6, 6},
605		{0, 0},
606		{0, 0}
607		}
608	},
609	{1, 0, 3, 0,		/* 0x49 */
610		{{0, 0},
611		{3, 3},
612		{6, 6},
613		{0, 0}
614		}
615	},
616	{0, 0, 3, 0,		/* 0x4a */
617		{{1, 1},
618		{3, 3},
619		{6, 6},
620		{0, 0}
621		}
622	},
623	{1, 0, 3, 0,		/* 0x4b */
624		{{0, 1},
625		{3, 3},
626		{6, 6},
627		{0, 0}
628		}
629	},
630	{0, 0, 2, 0,		/* 0x4c */
631		{{2, 3},
632		{6, 6},
633		{0, 0},
634		{0, 0}
635		}
636	},
637	{1, 0, 3, 0,		/* 0x4d */
638		{{0, 0},
639		{2, 3},
640		{6, 6},
641		{0, 0}
642		}
643	},
644	{0, 0, 2, 0,		/* 0x4e */
645		{{1, 3},
646		{6, 6},
647		{0, 0},
648		{0, 0}
649		}
650	},
651	{1, 0, 2, 0,		/* 0x4f */
652		{{0, 3},
653		{6, 6},
654		{0, 0},
655		{0, 0}
656		}
657	},
658	{0, 0, 2, 0,		/* 0x50 */
659		{{4, 4},
660		{6, 6},
661		{0, 0},
662		{0, 0}
663		}
664	},
665	{1, 0, 3, 0,		/* 0x51 */
666		{{0, 0},
667		{4, 4},
668		{6, 6},
669		{0, 0}
670		}
671	},
672	{0, 0, 3, 0,		/* 0x52 */
673		{{1, 1},
674		{4, 4},
675		{6, 6},
676		{0, 0}
677		}
678	},
679	{1, 0, 3, 0,		/* 0x53 */
680		{{0, 1},
681		{4, 4},
682		{6, 6},
683		{0, 0}
684		}
685	},
686	{0, 0, 3, 0,		/* 0x54 */
687		{{2, 2},
688		{4, 4},
689		{6, 6},
690		{0, 0}
691		}
692	},
693	{1, 0, 4, 0,		/* 0x55 */
694		{{0, 0},
695		{2, 2},
696		{4, 4},
697		{6, 6}
698		}
699	},
700	{0, 0, 3, 0,		/* 0x56 */
701		{{1, 2},
702		{4, 4},
703		{6, 6},
704		{0, 0}
705		}
706	},
707	{1, 0, 3, 0,		/* 0x57 */
708		{{0, 2},
709		{4, 4},
710		{6, 6},
711		{0, 0}
712		}
713	},
714	{0, 0, 2, 0,		/* 0x58 */
715		{{3, 4},
716		{6, 6},
717		{0, 0},
718		{0, 0}
719		}
720	},
721	{1, 0, 3, 0,		/* 0x59 */
722		{{0, 0},
723		{3, 4},
724		{6, 6},
725		{0, 0}
726		}
727	},
728	{0, 0, 3, 0,		/* 0x5a */
729		{{1, 1},
730		{3, 4},
731		{6, 6},
732		{0, 0}
733		}
734	},
735	{1, 0, 3, 0,		/* 0x5b */
736		{{0, 1},
737		{3, 4},
738		{6, 6},
739		{0, 0}
740		}
741	},
742	{0, 0, 2, 0,		/* 0x5c */
743		{{2, 4},
744		{6, 6},
745		{0, 0},
746		{0, 0}
747		}
748	},
749	{1, 0, 3, 0,		/* 0x5d */
750		{{0, 0},
751		{2, 4},
752		{6, 6},
753		{0, 0}
754		}
755	},
756	{0, 0, 2, 0,		/* 0x5e */
757		{{1, 4},
758		{6, 6},
759		{0, 0},
760		{0, 0}
761		}
762	},
763	{1, 0, 2, 0,		/* 0x5f */
764		{{0, 4},
765		{6, 6},
766		{0, 0},
767		{0, 0}
768		}
769	},
770	{0, 0, 1, 0,		/* 0x60 */
771		{{5, 6},
772		{0, 0},
773		{0, 0},
774		{0, 0}
775		}
776	},
777	{1, 0, 2, 0,		/* 0x61 */
778		{{0, 0},
779		{5, 6},
780		{0, 0},
781		{0, 0}
782		}
783	},
784	{0, 0, 2, 0,		/* 0x62 */
785		{{1, 1},
786		{5, 6},
787		{0, 0},
788		{0, 0}
789		}
790	},
791	{1, 0, 2, 0,		/* 0x63 */
792		{{0, 1},
793		{5, 6},
794		{0, 0},
795		{0, 0}
796		}
797	},
798	{0, 0, 2, 0,		/* 0x64 */
799		{{2, 2},
800		{5, 6},
801		{0, 0},
802		{0, 0}
803		}
804	},
805	{1, 0, 3, 0,		/* 0x65 */
806		{{0, 0},
807		{2, 2},
808		{5, 6},
809		{0, 0}
810		}
811	},
812	{0, 0, 2, 0,		/* 0x66 */
813		{{1, 2},
814		{5, 6},
815		{0, 0},
816		{0, 0}
817		}
818	},
819	{1, 0, 2, 0,		/* 0x67 */
820		{{0, 2},
821		{5, 6},
822		{0, 0},
823		{0, 0}
824		}
825	},
826	{0, 0, 2, 0,		/* 0x68 */
827		{{3, 3},
828		{5, 6},
829		{0, 0},
830		{0, 0}
831		}
832	},
833	{1, 0, 3, 0,		/* 0x69 */
834		{{0, 0},
835		{3, 3},
836		{5, 6},
837		{0, 0}
838		}
839	},
840	{0, 0, 3, 0,		/* 0x6a */
841		{{1, 1},
842		{3, 3},
843		{5, 6},
844		{0, 0}
845		}
846	},
847	{1, 0, 3, 0,		/* 0x6b */
848		{{0, 1},
849		{3, 3},
850		{5, 6},
851		{0, 0}
852		}
853	},
854	{0, 0, 2, 0,		/* 0x6c */
855		{{2, 3},
856		{5, 6},
857		{0, 0},
858		{0, 0}
859		}
860	},
861	{1, 0, 3, 0,		/* 0x6d */
862		{{0, 0},
863		{2, 3},
864		{5, 6},
865		{0, 0}
866		}
867	},
868	{0, 0, 2, 0,		/* 0x6e */
869		{{1, 3},
870		{5, 6},
871		{0, 0},
872		{0, 0}
873		}
874	},
875	{1, 0, 2, 0,		/* 0x6f */
876		{{0, 3},
877		{5, 6},
878		{0, 0},
879		{0, 0}
880		}
881	},
882	{0, 0, 1, 0,		/* 0x70 */
883		{{4, 6},
884		{0, 0},
885		{0, 0},
886		{0, 0}
887		}
888	},
889	{1, 0, 2, 0,		/* 0x71 */
890		{{0, 0},
891		{4, 6},
892		{0, 0},
893		{0, 0}
894		}
895	},
896	{0, 0, 2, 0,		/* 0x72 */
897		{{1, 1},
898		{4, 6},
899		{0, 0},
900		{0, 0}
901		}
902	},
903	{1, 0, 2, 0,		/* 0x73 */
904		{{0, 1},
905		{4, 6},
906		{0, 0},
907		{0, 0}
908		}
909	},
910	{0, 0, 2, 0,		/* 0x74 */
911		{{2, 2},
912		{4, 6},
913		{0, 0},
914		{0, 0}
915		}
916	},
917	{1, 0, 3, 0,		/* 0x75 */
918		{{0, 0},
919		{2, 2},
920		{4, 6},
921		{0, 0}
922		}
923	},
924	{0, 0, 2, 0,		/* 0x76 */
925		{{1, 2},
926		{4, 6},
927		{0, 0},
928		{0, 0}
929		}
930	},
931	{1, 0, 2, 0,		/* 0x77 */
932		{{0, 2},
933		{4, 6},
934		{0, 0},
935		{0, 0}
936		}
937	},
938	{0, 0, 1, 0,		/* 0x78 */
939		{{3, 6},
940		{0, 0},
941		{0, 0},
942		{0, 0}
943		}
944	},
945	{1, 0, 2, 0,		/* 0x79 */
946		{{0, 0},
947		{3, 6},
948		{0, 0},
949		{0, 0}
950		}
951	},
952	{0, 0, 2, 0,		/* 0x7a */
953		{{1, 1},
954		{3, 6},
955		{0, 0},
956		{0, 0}
957		}
958	},
959	{1, 0, 2, 0,		/* 0x7b */
960		{{0, 1},
961		{3, 6},
962		{0, 0},
963		{0, 0}
964		}
965	},
966	{0, 0, 1, 0,		/* 0x7c */
967		{{2, 6},
968		{0, 0},
969		{0, 0},
970		{0, 0}
971		}
972	},
973	{1, 0, 2, 0,		/* 0x7d */
974		{{0, 0},
975		{2, 6},
976		{0, 0},
977		{0, 0}
978		}
979	},
980	{0, 0, 1, 0,		/* 0x7e */
981		{{1, 6},
982		{0, 0},
983		{0, 0},
984		{0, 0}
985		}
986	},
987	{1, 0, 1, 0,		/* 0x7f */
988		{{0, 6},
989		{0, 0},
990		{0, 0},
991		{0, 0}
992		}
993	},
994	{0, 1, 1, 0,		/* 0x80 */
995		{{7, 7},
996		{0, 0},
997		{0, 0},
998		{0, 0}
999		}
1000	},
1001	{1, 1, 2, 0,		/* 0x81 */
1002		{{0, 0},
1003		{7, 7},
1004		{0, 0},
1005		{0, 0}
1006		}
1007	},
1008	{0, 1, 2, 0,		/* 0x82 */
1009		{{1, 1},
1010		{7, 7},
1011		{0, 0},
1012		{0, 0}
1013		}
1014	},
1015	{1, 1, 2, 0,		/* 0x83 */
1016		{{0, 1},
1017		{7, 7},
1018		{0, 0},
1019		{0, 0}
1020		}
1021	},
1022	{0, 1, 2, 0,		/* 0x84 */
1023		{{2, 2},
1024		{7, 7},
1025		{0, 0},
1026		{0, 0}
1027		}
1028	},
1029	{1, 1, 3, 0,		/* 0x85 */
1030		{{0, 0},
1031		{2, 2},
1032		{7, 7},
1033		{0, 0}
1034		}
1035	},
1036	{0, 1, 2, 0,		/* 0x86 */
1037		{{1, 2},
1038		{7, 7},
1039		{0, 0},
1040		{0, 0}
1041		}
1042	},
1043	{1, 1, 2, 0,		/* 0x87 */
1044		{{0, 2},
1045		{7, 7},
1046		{0, 0},
1047		{0, 0}
1048		}
1049	},
1050	{0, 1, 2, 0,		/* 0x88 */
1051		{{3, 3},
1052		{7, 7},
1053		{0, 0},
1054		{0, 0}
1055		}
1056	},
1057	{1, 1, 3, 0,		/* 0x89 */
1058		{{0, 0},
1059		{3, 3},
1060		{7, 7},
1061		{0, 0}
1062		}
1063	},
1064	{0, 1, 3, 0,		/* 0x8a */
1065		{{1, 1},
1066		{3, 3},
1067		{7, 7},
1068		{0, 0}
1069		}
1070	},
1071	{1, 1, 3, 0,		/* 0x8b */
1072		{{0, 1},
1073		{3, 3},
1074		{7, 7},
1075		{0, 0}
1076		}
1077	},
1078	{0, 1, 2, 0,		/* 0x8c */
1079		{{2, 3},
1080		{7, 7},
1081		{0, 0},
1082		{0, 0}
1083		}
1084	},
1085	{1, 1, 3, 0,		/* 0x8d */
1086		{{0, 0},
1087		{2, 3},
1088		{7, 7},
1089		{0, 0}
1090		}
1091	},
1092	{0, 1, 2, 0,		/* 0x8e */
1093		{{1, 3},
1094		{7, 7},
1095		{0, 0},
1096		{0, 0}
1097		}
1098	},
1099	{1, 1, 2, 0,		/* 0x8f */
1100		{{0, 3},
1101		{7, 7},
1102		{0, 0},
1103		{0, 0}
1104		}
1105	},
1106	{0, 1, 2, 0,		/* 0x90 */
1107		{{4, 4},
1108		{7, 7},
1109		{0, 0},
1110		{0, 0}
1111		}
1112	},
1113	{1, 1, 3, 0,		/* 0x91 */
1114		{{0, 0},
1115		{4, 4},
1116		{7, 7},
1117		{0, 0}
1118		}
1119	},
1120	{0, 1, 3, 0,		/* 0x92 */
1121		{{1, 1},
1122		{4, 4},
1123		{7, 7},
1124		{0, 0}
1125		}
1126	},
1127	{1, 1, 3, 0,		/* 0x93 */
1128		{{0, 1},
1129		{4, 4},
1130		{7, 7},
1131		{0, 0}
1132		}
1133	},
1134	{0, 1, 3, 0,		/* 0x94 */
1135		{{2, 2},
1136		{4, 4},
1137		{7, 7},
1138		{0, 0}
1139		}
1140	},
1141	{1, 1, 4, 0,		/* 0x95 */
1142		{{0, 0},
1143		{2, 2},
1144		{4, 4},
1145		{7, 7}
1146		}
1147	},
1148	{0, 1, 3, 0,		/* 0x96 */
1149		{{1, 2},
1150		{4, 4},
1151		{7, 7},
1152		{0, 0}
1153		}
1154	},
1155	{1, 1, 3, 0,		/* 0x97 */
1156		{{0, 2},
1157		{4, 4},
1158		{7, 7},
1159		{0, 0}
1160		}
1161	},
1162	{0, 1, 2, 0,		/* 0x98 */
1163		{{3, 4},
1164		{7, 7},
1165		{0, 0},
1166		{0, 0}
1167		}
1168	},
1169	{1, 1, 3, 0,		/* 0x99 */
1170		{{0, 0},
1171		{3, 4},
1172		{7, 7},
1173		{0, 0}
1174		}
1175	},
1176	{0, 1, 3, 0,		/* 0x9a */
1177		{{1, 1},
1178		{3, 4},
1179		{7, 7},
1180		{0, 0}
1181		}
1182	},
1183	{1, 1, 3, 0,		/* 0x9b */
1184		{{0, 1},
1185		{3, 4},
1186		{7, 7},
1187		{0, 0}
1188		}
1189	},
1190	{0, 1, 2, 0,		/* 0x9c */
1191		{{2, 4},
1192		{7, 7},
1193		{0, 0},
1194		{0, 0}
1195		}
1196	},
1197	{1, 1, 3, 0,		/* 0x9d */
1198		{{0, 0},
1199		{2, 4},
1200		{7, 7},
1201		{0, 0}
1202		}
1203	},
1204	{0, 1, 2, 0,		/* 0x9e */
1205		{{1, 4},
1206		{7, 7},
1207		{0, 0},
1208		{0, 0}
1209		}
1210	},
1211	{1, 1, 2, 0,		/* 0x9f */
1212		{{0, 4},
1213		{7, 7},
1214		{0, 0},
1215		{0, 0}
1216		}
1217	},
1218	{0, 1, 2, 0,		/* 0xa0 */
1219		{{5, 5},
1220		{7, 7},
1221		{0, 0},
1222		{0, 0}
1223		}
1224	},
1225	{1, 1, 3, 0,		/* 0xa1 */
1226		{{0, 0},
1227		{5, 5},
1228		{7, 7},
1229		{0, 0}
1230		}
1231	},
1232	{0, 1, 3, 0,		/* 0xa2 */
1233		{{1, 1},
1234		{5, 5},
1235		{7, 7},
1236		{0, 0}
1237		}
1238	},
1239	{1, 1, 3, 0,		/* 0xa3 */
1240		{{0, 1},
1241		{5, 5},
1242		{7, 7},
1243		{0, 0}
1244		}
1245	},
1246	{0, 1, 3, 0,		/* 0xa4 */
1247		{{2, 2},
1248		{5, 5},
1249		{7, 7},
1250		{0, 0}
1251		}
1252	},
1253	{1, 1, 4, 0,		/* 0xa5 */
1254		{{0, 0},
1255		{2, 2},
1256		{5, 5},
1257		{7, 7}
1258		}
1259	},
1260	{0, 1, 3, 0,		/* 0xa6 */
1261		{{1, 2},
1262		{5, 5},
1263		{7, 7},
1264		{0, 0}
1265		}
1266	},
1267	{1, 1, 3, 0,		/* 0xa7 */
1268		{{0, 2},
1269		{5, 5},
1270		{7, 7},
1271		{0, 0}
1272		}
1273	},
1274	{0, 1, 3, 0,		/* 0xa8 */
1275		{{3, 3},
1276		{5, 5},
1277		{7, 7},
1278		{0, 0}
1279		}
1280	},
1281	{1, 1, 4, 0,		/* 0xa9 */
1282		{{0, 0},
1283		{3, 3},
1284		{5, 5},
1285		{7, 7}
1286		}
1287	},
1288	{0, 1, 4, 0,		/* 0xaa */
1289		{{1, 1},
1290		{3, 3},
1291		{5, 5},
1292		{7, 7}
1293		}
1294	},
1295	{1, 1, 4, 0,		/* 0xab */
1296		{{0, 1},
1297		{3, 3},
1298		{5, 5},
1299		{7, 7}
1300		}
1301	},
1302	{0, 1, 3, 0,		/* 0xac */
1303		{{2, 3},
1304		{5, 5},
1305		{7, 7},
1306		{0, 0}
1307		}
1308	},
1309	{1, 1, 4, 0,		/* 0xad */
1310		{{0, 0},
1311		{2, 3},
1312		{5, 5},
1313		{7, 7}
1314		}
1315	},
1316	{0, 1, 3, 0,		/* 0xae */
1317		{{1, 3},
1318		{5, 5},
1319		{7, 7},
1320		{0, 0}
1321		}
1322	},
1323	{1, 1, 3, 0,		/* 0xaf */
1324		{{0, 3},
1325		{5, 5},
1326		{7, 7},
1327		{0, 0}
1328		}
1329	},
1330	{0, 1, 2, 0,		/* 0xb0 */
1331		{{4, 5},
1332		{7, 7},
1333		{0, 0},
1334		{0, 0}
1335		}
1336	},
1337	{1, 1, 3, 0,		/* 0xb1 */
1338		{{0, 0},
1339		{4, 5},
1340		{7, 7},
1341		{0, 0}
1342		}
1343	},
1344	{0, 1, 3, 0,		/* 0xb2 */
1345		{{1, 1},
1346		{4, 5},
1347		{7, 7},
1348		{0, 0}
1349		}
1350	},
1351	{1, 1, 3, 0,		/* 0xb3 */
1352		{{0, 1},
1353		{4, 5},
1354		{7, 7},
1355		{0, 0}
1356		}
1357	},
1358	{0, 1, 3, 0,		/* 0xb4 */
1359		{{2, 2},
1360		{4, 5},
1361		{7, 7},
1362		{0, 0}
1363		}
1364	},
1365	{1, 1, 4, 0,		/* 0xb5 */
1366		{{0, 0},
1367		{2, 2},
1368		{4, 5},
1369		{7, 7}
1370		}
1371	},
1372	{0, 1, 3, 0,		/* 0xb6 */
1373		{{1, 2},
1374		{4, 5},
1375		{7, 7},
1376		{0, 0}
1377		}
1378	},
1379	{1, 1, 3, 0,		/* 0xb7 */
1380		{{0, 2},
1381		{4, 5},
1382		{7, 7},
1383		{0, 0}
1384		}
1385	},
1386	{0, 1, 2, 0,		/* 0xb8 */
1387		{{3, 5},
1388		{7, 7},
1389		{0, 0},
1390		{0, 0}
1391		}
1392	},
1393	{1, 1, 3, 0,		/* 0xb9 */
1394		{{0, 0},
1395		{3, 5},
1396		{7, 7},
1397		{0, 0}
1398		}
1399	},
1400	{0, 1, 3, 0,		/* 0xba */
1401		{{1, 1},
1402		{3, 5},
1403		{7, 7},
1404		{0, 0}
1405		}
1406	},
1407	{1, 1, 3, 0,		/* 0xbb */
1408		{{0, 1},
1409		{3, 5},
1410		{7, 7},
1411		{0, 0}
1412		}
1413	},
1414	{0, 1, 2, 0,		/* 0xbc */
1415		{{2, 5},
1416		{7, 7},
1417		{0, 0},
1418		{0, 0}
1419		}
1420	},
1421	{1, 1, 3, 0,		/* 0xbd */
1422		{{0, 0},
1423		{2, 5},
1424		{7, 7},
1425		{0, 0}
1426		}
1427	},
1428	{0, 1, 2, 0,		/* 0xbe */
1429		{{1, 5},
1430		{7, 7},
1431		{0, 0},
1432		{0, 0}
1433		}
1434	},
1435	{1, 1, 2, 0,		/* 0xbf */
1436		{{0, 5},
1437		{7, 7},
1438		{0, 0},
1439		{0, 0}
1440		}
1441	},
1442	{0, 1, 1, 0,		/* 0xc0 */
1443		{{6, 7},
1444		{0, 0},
1445		{0, 0},
1446		{0, 0}
1447		}
1448	},
1449	{1, 1, 2, 0,		/* 0xc1 */
1450		{{0, 0},
1451		{6, 7},
1452		{0, 0},
1453		{0, 0}
1454		}
1455	},
1456	{0, 1, 2, 0,		/* 0xc2 */
1457		{{1, 1},
1458		{6, 7},
1459		{0, 0},
1460		{0, 0}
1461		}
1462	},
1463	{1, 1, 2, 0,		/* 0xc3 */
1464		{{0, 1},
1465		{6, 7},
1466		{0, 0},
1467		{0, 0}
1468		}
1469	},
1470	{0, 1, 2, 0,		/* 0xc4 */
1471		{{2, 2},
1472		{6, 7},
1473		{0, 0},
1474		{0, 0}
1475		}
1476	},
1477	{1, 1, 3, 0,		/* 0xc5 */
1478		{{0, 0},
1479		{2, 2},
1480		{6, 7},
1481		{0, 0}
1482		}
1483	},
1484	{0, 1, 2, 0,		/* 0xc6 */
1485		{{1, 2},
1486		{6, 7},
1487		{0, 0},
1488		{0, 0}
1489		}
1490	},
1491	{1, 1, 2, 0,		/* 0xc7 */
1492		{{0, 2},
1493		{6, 7},
1494		{0, 0},
1495		{0, 0}
1496		}
1497	},
1498	{0, 1, 2, 0,		/* 0xc8 */
1499		{{3, 3},
1500		{6, 7},
1501		{0, 0},
1502		{0, 0}
1503		}
1504	},
1505	{1, 1, 3, 0,		/* 0xc9 */
1506		{{0, 0},
1507		{3, 3},
1508		{6, 7},
1509		{0, 0}
1510		}
1511	},
1512	{0, 1, 3, 0,		/* 0xca */
1513		{{1, 1},
1514		{3, 3},
1515		{6, 7},
1516		{0, 0}
1517		}
1518	},
1519	{1, 1, 3, 0,		/* 0xcb */
1520		{{0, 1},
1521		{3, 3},
1522		{6, 7},
1523		{0, 0}
1524		}
1525	},
1526	{0, 1, 2, 0,		/* 0xcc */
1527		{{2, 3},
1528		{6, 7},
1529		{0, 0},
1530		{0, 0}
1531		}
1532	},
1533	{1, 1, 3, 0,		/* 0xcd */
1534		{{0, 0},
1535		{2, 3},
1536		{6, 7},
1537		{0, 0}
1538		}
1539	},
1540	{0, 1, 2, 0,		/* 0xce */
1541		{{1, 3},
1542		{6, 7},
1543		{0, 0},
1544		{0, 0}
1545		}
1546	},
1547	{1, 1, 2, 0,		/* 0xcf */
1548		{{0, 3},
1549		{6, 7},
1550		{0, 0},
1551		{0, 0}
1552		}
1553	},
1554	{0, 1, 2, 0,		/* 0xd0 */
1555		{{4, 4},
1556		{6, 7},
1557		{0, 0},
1558		{0, 0}
1559		}
1560	},
1561	{1, 1, 3, 0,		/* 0xd1 */
1562		{{0, 0},
1563		{4, 4},
1564		{6, 7},
1565		{0, 0}
1566		}
1567	},
1568	{0, 1, 3, 0,		/* 0xd2 */
1569		{{1, 1},
1570		{4, 4},
1571		{6, 7},
1572		{0, 0}
1573		}
1574	},
1575	{1, 1, 3, 0,		/* 0xd3 */
1576		{{0, 1},
1577		{4, 4},
1578		{6, 7},
1579		{0, 0}
1580		}
1581	},
1582	{0, 1, 3, 0,		/* 0xd4 */
1583		{{2, 2},
1584		{4, 4},
1585		{6, 7},
1586		{0, 0}
1587		}
1588	},
1589	{1, 1, 4, 0,		/* 0xd5 */
1590		{{0, 0},
1591		{2, 2},
1592		{4, 4},
1593		{6, 7}
1594		}
1595	},
1596	{0, 1, 3, 0,		/* 0xd6 */
1597		{{1, 2},
1598		{4, 4},
1599		{6, 7},
1600		{0, 0}
1601		}
1602	},
1603	{1, 1, 3, 0,		/* 0xd7 */
1604		{{0, 2},
1605		{4, 4},
1606		{6, 7},
1607		{0, 0}
1608		}
1609	},
1610	{0, 1, 2, 0,		/* 0xd8 */
1611		{{3, 4},
1612		{6, 7},
1613		{0, 0},
1614		{0, 0}
1615		}
1616	},
1617	{1, 1, 3, 0,		/* 0xd9 */
1618		{{0, 0},
1619		{3, 4},
1620		{6, 7},
1621		{0, 0}
1622		}
1623	},
1624	{0, 1, 3, 0,		/* 0xda */
1625		{{1, 1},
1626		{3, 4},
1627		{6, 7},
1628		{0, 0}
1629		}
1630	},
1631	{1, 1, 3, 0,		/* 0xdb */
1632		{{0, 1},
1633		{3, 4},
1634		{6, 7},
1635		{0, 0}
1636		}
1637	},
1638	{0, 1, 2, 0,		/* 0xdc */
1639		{{2, 4},
1640		{6, 7},
1641		{0, 0},
1642		{0, 0}
1643		}
1644	},
1645	{1, 1, 3, 0,		/* 0xdd */
1646		{{0, 0},
1647		{2, 4},
1648		{6, 7},
1649		{0, 0}
1650		}
1651	},
1652	{0, 1, 2, 0,		/* 0xde */
1653		{{1, 4},
1654		{6, 7},
1655		{0, 0},
1656		{0, 0}
1657		}
1658	},
1659	{1, 1, 2, 0,		/* 0xdf */
1660		{{0, 4},
1661		{6, 7},
1662		{0, 0},
1663		{0, 0}
1664		}
1665	},
1666	{0, 1, 1, 0,		/* 0xe0 */
1667		{{5, 7},
1668		{0, 0},
1669		{0, 0},
1670		{0, 0}
1671		}
1672	},
1673	{1, 1, 2, 0,		/* 0xe1 */
1674		{{0, 0},
1675		{5, 7},
1676		{0, 0},
1677		{0, 0}
1678		}
1679	},
1680	{0, 1, 2, 0,		/* 0xe2 */
1681		{{1, 1},
1682		{5, 7},
1683		{0, 0},
1684		{0, 0}
1685		}
1686	},
1687	{1, 1, 2, 0,		/* 0xe3 */
1688		{{0, 1},
1689		{5, 7},
1690		{0, 0},
1691		{0, 0}
1692		}
1693	},
1694	{0, 1, 2, 0,		/* 0xe4 */
1695		{{2, 2},
1696		{5, 7},
1697		{0, 0},
1698		{0, 0}
1699		}
1700	},
1701	{1, 1, 3, 0,		/* 0xe5 */
1702		{{0, 0},
1703		{2, 2},
1704		{5, 7},
1705		{0, 0}
1706		}
1707	},
1708	{0, 1, 2, 0,		/* 0xe6 */
1709		{{1, 2},
1710		{5, 7},
1711		{0, 0},
1712		{0, 0}
1713		}
1714	},
1715	{1, 1, 2, 0,		/* 0xe7 */
1716		{{0, 2},
1717		{5, 7},
1718		{0, 0},
1719		{0, 0}
1720		}
1721	},
1722	{0, 1, 2, 0,		/* 0xe8 */
1723		{{3, 3},
1724		{5, 7},
1725		{0, 0},
1726		{0, 0}
1727		}
1728	},
1729	{1, 1, 3, 0,		/* 0xe9 */
1730		{{0, 0},
1731		{3, 3},
1732		{5, 7},
1733		{0, 0}
1734		}
1735	},
1736	{0, 1, 3, 0,		/* 0xea */
1737		{{1, 1},
1738		{3, 3},
1739		{5, 7},
1740		{0, 0}
1741		}
1742	},
1743	{1, 1, 3, 0,		/* 0xeb */
1744		{{0, 1},
1745		{3, 3},
1746		{5, 7},
1747		{0, 0}
1748		}
1749	},
1750	{0, 1, 2, 0,		/* 0xec */
1751		{{2, 3},
1752		{5, 7},
1753		{0, 0},
1754		{0, 0}
1755		}
1756	},
1757	{1, 1, 3, 0,		/* 0xed */
1758		{{0, 0},
1759		{2, 3},
1760		{5, 7},
1761		{0, 0}
1762		}
1763	},
1764	{0, 1, 2, 0,		/* 0xee */
1765		{{1, 3},
1766		{5, 7},
1767		{0, 0},
1768		{0, 0}
1769		}
1770	},
1771	{1, 1, 2, 0,		/* 0xef */
1772		{{0, 3},
1773		{5, 7},
1774		{0, 0},
1775		{0, 0}
1776		}
1777	},
1778	{0, 1, 1, 0,		/* 0xf0 */
1779		{{4, 7},
1780		{0, 0},
1781		{0, 0},
1782		{0, 0}
1783		}
1784	},
1785	{1, 1, 2, 0,		/* 0xf1 */
1786		{{0, 0},
1787		{4, 7},
1788		{0, 0},
1789		{0, 0}
1790		}
1791	},
1792	{0, 1, 2, 0,		/* 0xf2 */
1793		{{1, 1},
1794		{4, 7},
1795		{0, 0},
1796		{0, 0}
1797		}
1798	},
1799	{1, 1, 2, 0,		/* 0xf3 */
1800		{{0, 1},
1801		{4, 7},
1802		{0, 0},
1803		{0, 0}
1804		}
1805	},
1806	{0, 1, 2, 0,		/* 0xf4 */
1807		{{2, 2},
1808		{4, 7},
1809		{0, 0},
1810		{0, 0}
1811		}
1812	},
1813	{1, 1, 3, 0,		/* 0xf5 */
1814		{{0, 0},
1815		{2, 2},
1816		{4, 7},
1817		{0, 0}
1818		}
1819	},
1820	{0, 1, 2, 0,		/* 0xf6 */
1821		{{1, 2},
1822		{4, 7},
1823		{0, 0},
1824		{0, 0}
1825		}
1826	},
1827	{1, 1, 2, 0,		/* 0xf7 */
1828		{{0, 2},
1829		{4, 7},
1830		{0, 0},
1831		{0, 0}
1832		}
1833	},
1834	{0, 1, 1, 0,		/* 0xf8 */
1835		{{3, 7},
1836		{0, 0},
1837		{0, 0},
1838		{0, 0}
1839		}
1840	},
1841	{1, 1, 2, 0,		/* 0xf9 */
1842		{{0, 0},
1843		{3, 7},
1844		{0, 0},
1845		{0, 0}
1846		}
1847	},
1848	{0, 1, 2, 0,		/* 0xfa */
1849		{{1, 1},
1850		{3, 7},
1851		{0, 0},
1852		{0, 0}
1853		}
1854	},
1855	{1, 1, 2, 0,		/* 0xfb */
1856		{{0, 1},
1857		{3, 7},
1858		{0, 0},
1859		{0, 0}
1860		}
1861	},
1862	{0, 1, 1, 0,		/* 0xfc */
1863		{{2, 7},
1864		{0, 0},
1865		{0, 0},
1866		{0, 0}
1867		}
1868	},
1869	{1, 1, 2, 0,		/* 0xfd */
1870		{{0, 0},
1871		{2, 7},
1872		{0, 0},
1873		{0, 0}
1874		}
1875	},
1876	{0, 1, 1, 0,		/* 0xfe */
1877		{{1, 7},
1878		{0, 0},
1879		{0, 0},
1880		{0, 0}
1881		}
1882	},
1883	{1, 1, 1, 0,		/* 0xff */
1884		{{0, 7},
1885		{0, 0},
1886		{0, 0},
1887		{0, 0}
1888		}
1889	}
1890};
1891
1892
1893int
1894sctp_is_address_in_scope(struct sctp_ifa *ifa,
1895                         struct sctp_scoping *scope,
1896                         int do_update)
1897{
1898	if ((scope->loopback_scope == 0) &&
1899	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
1900		/*
1901		 * skip loopback if not in scope *
1902		 */
1903		return (0);
1904	}
1905	switch (ifa->address.sa.sa_family) {
1906#ifdef INET
1907	case AF_INET:
1908		if (scope->ipv4_addr_legal) {
1909			struct sockaddr_in *sin;
1910
1911			sin = &ifa->address.sin;
1912			if (sin->sin_addr.s_addr == 0) {
1913				/* not in scope , unspecified */
1914				return (0);
1915			}
1916			if ((scope->ipv4_local_scope == 0) &&
1917			    (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
1918				/* private address not in scope */
1919				return (0);
1920			}
1921		} else {
1922			return (0);
1923		}
1924		break;
1925#endif
1926#ifdef INET6
1927	case AF_INET6:
1928		if (scope->ipv6_addr_legal) {
1929			struct sockaddr_in6 *sin6;
1930
1931#if !defined(__Panda__)
1932			/* Must update the flags,  bummer, which
1933			 * means any IFA locks must now be applied HERE <->
1934			 */
1935			if (do_update) {
1936				sctp_gather_internal_ifa_flags(ifa);
1937			}
1938#endif
1939			if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
1940				return (0);
1941			}
1942			/* ok to use deprecated addresses? */
1943			sin6 = &ifa->address.sin6;
1944			if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1945				/* skip unspecifed addresses */
1946				return (0);
1947			}
1948			if (		/* (local_scope == 0) && */
1949			    (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))) {
1950				return (0);
1951			}
1952			if ((scope->site_scope == 0) &&
1953			    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1954				return (0);
1955			}
1956		} else {
1957			return (0);
1958		}
1959		break;
1960#endif
1961#if defined(__Userspace__)
1962	case AF_CONN:
1963		if (!scope->conn_addr_legal) {
1964			return (0);
1965		}
1966		break;
1967#endif
1968	default:
1969		return (0);
1970	}
1971	return (1);
1972}
1973
1974static struct mbuf *
1975sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len)
1976{
1977#if defined(INET) || defined(INET6)
1978	struct sctp_paramhdr *parmh;
1979	struct mbuf *mret;
1980	uint16_t plen;
1981#endif
1982
1983	switch (ifa->address.sa.sa_family) {
1984#ifdef INET
1985	case AF_INET:
1986		plen = (uint16_t)sizeof(struct sctp_ipv4addr_param);
1987		break;
1988#endif
1989#ifdef INET6
1990	case AF_INET6:
1991		plen = (uint16_t)sizeof(struct sctp_ipv6addr_param);
1992		break;
1993#endif
1994	default:
1995		return (m);
1996	}
1997#if defined(INET) || defined(INET6)
1998	if (M_TRAILINGSPACE(m) >= plen) {
1999		/* easy side we just drop it on the end */
2000		parmh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
2001		mret = m;
2002	} else {
2003		/* Need more space */
2004		mret = m;
2005		while (SCTP_BUF_NEXT(mret) != NULL) {
2006			mret = SCTP_BUF_NEXT(mret);
2007		}
2008		SCTP_BUF_NEXT(mret) = sctp_get_mbuf_for_msg(plen, 0, M_NOWAIT, 1, MT_DATA);
2009		if (SCTP_BUF_NEXT(mret) == NULL) {
2010			/* We are hosed, can't add more addresses */
2011			return (m);
2012		}
2013		mret = SCTP_BUF_NEXT(mret);
2014		parmh = mtod(mret, struct sctp_paramhdr *);
2015	}
2016	/* now add the parameter */
2017	switch (ifa->address.sa.sa_family) {
2018#ifdef INET
2019	case AF_INET:
2020	{
2021		struct sctp_ipv4addr_param *ipv4p;
2022		struct sockaddr_in *sin;
2023
2024		sin = &ifa->address.sin;
2025		ipv4p = (struct sctp_ipv4addr_param *)parmh;
2026		parmh->param_type = htons(SCTP_IPV4_ADDRESS);
2027		parmh->param_length = htons(plen);
2028		ipv4p->addr = sin->sin_addr.s_addr;
2029		SCTP_BUF_LEN(mret) += plen;
2030		break;
2031	}
2032#endif
2033#ifdef INET6
2034	case AF_INET6:
2035	{
2036		struct sctp_ipv6addr_param *ipv6p;
2037		struct sockaddr_in6 *sin6;
2038
2039		sin6 = &ifa->address.sin6;
2040		ipv6p = (struct sctp_ipv6addr_param *)parmh;
2041		parmh->param_type = htons(SCTP_IPV6_ADDRESS);
2042		parmh->param_length = htons(plen);
2043		memcpy(ipv6p->addr, &sin6->sin6_addr,
2044		    sizeof(ipv6p->addr));
2045#if defined(SCTP_EMBEDDED_V6_SCOPE)
2046		/* clear embedded scope in the address */
2047		in6_clearscope((struct in6_addr *)ipv6p->addr);
2048#endif
2049		SCTP_BUF_LEN(mret) += plen;
2050		break;
2051	}
2052#endif
2053	default:
2054		return (m);
2055	}
2056	if (len != NULL) {
2057		*len += plen;
2058	}
2059	return (mret);
2060#endif
2061}
2062
2063
2064struct mbuf *
2065sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2066                           struct sctp_scoping *scope,
2067			   struct mbuf *m_at, int cnt_inits_to,
2068			   uint16_t *padding_len, uint16_t *chunk_len)
2069{
2070	struct sctp_vrf *vrf = NULL;
2071	int cnt, limit_out = 0, total_count;
2072	uint32_t vrf_id;
2073
2074	vrf_id = inp->def_vrf_id;
2075	SCTP_IPI_ADDR_RLOCK();
2076	vrf = sctp_find_vrf(vrf_id);
2077	if (vrf == NULL) {
2078		SCTP_IPI_ADDR_RUNLOCK();
2079		return (m_at);
2080	}
2081	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
2082		struct sctp_ifa *sctp_ifap;
2083		struct sctp_ifn *sctp_ifnp;
2084
2085		cnt = cnt_inits_to;
2086		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
2087			limit_out = 1;
2088			cnt = SCTP_ADDRESS_LIMIT;
2089			goto skip_count;
2090		}
2091		LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2092			if ((scope->loopback_scope == 0) &&
2093			    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2094				/*
2095				 * Skip loopback devices if loopback_scope
2096				 * not set
2097				 */
2098				continue;
2099			}
2100			LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2101#if defined(__FreeBSD__)
2102#ifdef INET
2103				if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2104				    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2105				                      &sctp_ifap->address.sin.sin_addr) != 0)) {
2106					continue;
2107				}
2108#endif
2109#ifdef INET6
2110				if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2111				    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2112				                      &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2113					continue;
2114				}
2115#endif
2116#endif
2117				if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2118					continue;
2119				}
2120#if defined(__Userspace__)
2121				if (sctp_ifap->address.sa.sa_family == AF_CONN) {
2122					continue;
2123				}
2124#endif
2125				if (sctp_is_address_in_scope(sctp_ifap, scope, 1) == 0) {
2126					continue;
2127				}
2128				cnt++;
2129				if (cnt > SCTP_ADDRESS_LIMIT) {
2130					break;
2131				}
2132			}
2133			if (cnt > SCTP_ADDRESS_LIMIT) {
2134				break;
2135			}
2136		}
2137	skip_count:
2138		if (cnt > 1) {
2139			total_count = 0;
2140			LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2141				cnt = 0;
2142				if ((scope->loopback_scope == 0) &&
2143				    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2144					/*
2145					 * Skip loopback devices if
2146					 * loopback_scope not set
2147					 */
2148					continue;
2149				}
2150				LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2151#if defined(__FreeBSD__)
2152#ifdef INET
2153					if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2154					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2155					                      &sctp_ifap->address.sin.sin_addr) != 0)) {
2156						continue;
2157					}
2158#endif
2159#ifdef INET6
2160					if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2161					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2162					                      &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2163						continue;
2164					}
2165#endif
2166#endif
2167					if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2168						continue;
2169					}
2170#if defined(__Userspace__)
2171					if (sctp_ifap->address.sa.sa_family == AF_CONN) {
2172						continue;
2173					}
2174#endif
2175					if (sctp_is_address_in_scope(sctp_ifap,
2176								     scope, 0) == 0) {
2177						continue;
2178					}
2179					if ((chunk_len != NULL) &&
2180					    (padding_len != NULL) &&
2181					    (*padding_len > 0)) {
2182						memset(mtod(m_at, caddr_t) + *chunk_len, 0, *padding_len);
2183						SCTP_BUF_LEN(m_at) += *padding_len;
2184						*chunk_len += *padding_len;
2185						*padding_len = 0;
2186					}
2187					m_at = sctp_add_addr_to_mbuf(m_at, sctp_ifap, chunk_len);
2188					if (limit_out) {
2189						cnt++;
2190						total_count++;
2191						if (cnt >= 2) {
2192							/* two from each address */
2193							break;
2194						}
2195						if (total_count > SCTP_ADDRESS_LIMIT) {
2196							/* No more addresses */
2197							break;
2198						}
2199					}
2200				}
2201			}
2202		}
2203	} else {
2204		struct sctp_laddr *laddr;
2205
2206		cnt = cnt_inits_to;
2207		/* First, how many ? */
2208		LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2209			if (laddr->ifa == NULL) {
2210				continue;
2211			}
2212			if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2213				/* Address being deleted by the system, dont
2214				 * list.
2215				 */
2216				continue;
2217			if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2218				/* Address being deleted on this ep
2219				 * don't list.
2220				 */
2221				continue;
2222			}
2223#if defined(__Userspace__)
2224			if (laddr->ifa->address.sa.sa_family == AF_CONN) {
2225				continue;
2226			}
2227#endif
2228			if (sctp_is_address_in_scope(laddr->ifa,
2229						     scope, 1) == 0) {
2230				continue;
2231			}
2232			cnt++;
2233		}
2234		/*
2235		 * To get through a NAT we only list addresses if we have
2236		 * more than one. That way if you just bind a single address
2237		 * we let the source of the init dictate our address.
2238		 */
2239		if (cnt > 1) {
2240			cnt = cnt_inits_to;
2241			LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2242				if (laddr->ifa == NULL) {
2243					continue;
2244				}
2245				if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
2246					continue;
2247				}
2248#if defined(__Userspace__)
2249				if (laddr->ifa->address.sa.sa_family == AF_CONN) {
2250					continue;
2251				}
2252#endif
2253				if (sctp_is_address_in_scope(laddr->ifa,
2254							     scope, 0) == 0) {
2255					continue;
2256				}
2257				if ((chunk_len != NULL) &&
2258				    (padding_len != NULL) &&
2259				    (*padding_len > 0)) {
2260					memset(mtod(m_at, caddr_t) + *chunk_len, 0, *padding_len);
2261					SCTP_BUF_LEN(m_at) += *padding_len;
2262					*chunk_len += *padding_len;
2263					*padding_len = 0;
2264				}
2265				m_at = sctp_add_addr_to_mbuf(m_at, laddr->ifa, chunk_len);
2266				cnt++;
2267				if (cnt >= SCTP_ADDRESS_LIMIT) {
2268					break;
2269				}
2270			}
2271		}
2272	}
2273	SCTP_IPI_ADDR_RUNLOCK();
2274	return (m_at);
2275}
2276
2277static struct sctp_ifa *
2278sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
2279			   uint8_t dest_is_loop,
2280			   uint8_t dest_is_priv,
2281			   sa_family_t fam)
2282{
2283	uint8_t dest_is_global = 0;
2284	/* dest_is_priv is true if destination is a private address */
2285	/* dest_is_loop is true if destination is a loopback addresses */
2286
2287	/**
2288	 * Here we determine if its a preferred address. A preferred address
2289	 * means it is the same scope or higher scope then the destination.
2290	 * L = loopback, P = private, G = global
2291	 * -----------------------------------------
2292	 *    src    |  dest | result
2293	 *  ----------------------------------------
2294	 *     L     |    L  |    yes
2295	 *  -----------------------------------------
2296	 *     P     |    L  |    yes-v4 no-v6
2297	 *  -----------------------------------------
2298	 *     G     |    L  |    yes-v4 no-v6
2299	 *  -----------------------------------------
2300	 *     L     |    P  |    no
2301	 *  -----------------------------------------
2302	 *     P     |    P  |    yes
2303	 *  -----------------------------------------
2304	 *     G     |    P  |    no
2305	 *   -----------------------------------------
2306	 *     L     |    G  |    no
2307	 *   -----------------------------------------
2308	 *     P     |    G  |    no
2309	 *    -----------------------------------------
2310	 *     G     |    G  |    yes
2311	 *    -----------------------------------------
2312	 */
2313
2314	if (ifa->address.sa.sa_family != fam) {
2315		/* forget mis-matched family */
2316		return (NULL);
2317	}
2318	if ((dest_is_priv == 0) && (dest_is_loop == 0)) {
2319		dest_is_global = 1;
2320	}
2321	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
2322	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
2323	/* Ok the address may be ok */
2324#ifdef INET6
2325	if (fam == AF_INET6) {
2326		/* ok to use deprecated addresses? no lets not! */
2327		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2328			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
2329			return (NULL);
2330		}
2331		if (ifa->src_is_priv && !ifa->src_is_loop) {
2332			if (dest_is_loop) {
2333				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
2334				return (NULL);
2335			}
2336		}
2337		if (ifa->src_is_glob) {
2338			if (dest_is_loop) {
2339				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
2340				return (NULL);
2341			}
2342		}
2343	}
2344#endif
2345	/* Now that we know what is what, implement or table
2346	 * this could in theory be done slicker (it used to be), but this
2347	 * is straightforward and easier to validate :-)
2348	 */
2349	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
2350		ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
2351	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
2352		dest_is_loop, dest_is_priv, dest_is_global);
2353
2354	if ((ifa->src_is_loop) && (dest_is_priv)) {
2355		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
2356		return (NULL);
2357	}
2358	if ((ifa->src_is_glob) && (dest_is_priv)) {
2359		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
2360		return (NULL);
2361	}
2362	if ((ifa->src_is_loop) && (dest_is_global)) {
2363		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
2364		return (NULL);
2365	}
2366	if ((ifa->src_is_priv) && (dest_is_global)) {
2367		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
2368		return (NULL);
2369	}
2370	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
2371	/* its a preferred address */
2372	return (ifa);
2373}
2374
2375static struct sctp_ifa *
2376sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
2377			    uint8_t dest_is_loop,
2378			    uint8_t dest_is_priv,
2379			    sa_family_t fam)
2380{
2381	uint8_t dest_is_global = 0;
2382
2383	/**
2384	 * Here we determine if its a acceptable address. A acceptable
2385	 * address means it is the same scope or higher scope but we can
2386	 * allow for NAT which means its ok to have a global dest and a
2387	 * private src.
2388	 *
2389	 * L = loopback, P = private, G = global
2390	 * -----------------------------------------
2391	 *  src    |  dest | result
2392	 * -----------------------------------------
2393	 *   L     |   L   |    yes
2394	 *  -----------------------------------------
2395	 *   P     |   L   |    yes-v4 no-v6
2396	 *  -----------------------------------------
2397	 *   G     |   L   |    yes
2398	 * -----------------------------------------
2399	 *   L     |   P   |    no
2400	 * -----------------------------------------
2401	 *   P     |   P   |    yes
2402	 * -----------------------------------------
2403	 *   G     |   P   |    yes - May not work
2404	 * -----------------------------------------
2405	 *   L     |   G   |    no
2406	 * -----------------------------------------
2407	 *   P     |   G   |    yes - May not work
2408	 * -----------------------------------------
2409	 *   G     |   G   |    yes
2410	 * -----------------------------------------
2411	 */
2412
2413	if (ifa->address.sa.sa_family != fam) {
2414		/* forget non matching family */
2415		SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa_fam:%d fam:%d\n",
2416			ifa->address.sa.sa_family, fam);
2417		return (NULL);
2418	}
2419	/* Ok the address may be ok */
2420	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, &ifa->address.sa);
2421	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst_is_loop:%d dest_is_priv:%d\n",
2422		dest_is_loop, dest_is_priv);
2423	if ((dest_is_loop == 0) && (dest_is_priv == 0)) {
2424		dest_is_global = 1;
2425	}
2426#ifdef INET6
2427	if (fam == AF_INET6) {
2428		/* ok to use deprecated addresses? */
2429		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2430			return (NULL);
2431		}
2432		if (ifa->src_is_priv) {
2433			/* Special case, linklocal to loop */
2434			if (dest_is_loop)
2435				return (NULL);
2436		}
2437	}
2438#endif
2439	/*
2440	 * Now that we know what is what, implement our table.
2441	 * This could in theory be done slicker (it used to be), but this
2442	 * is straightforward and easier to validate :-)
2443	 */
2444	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_priv:%d\n",
2445		ifa->src_is_loop,
2446		dest_is_priv);
2447	if ((ifa->src_is_loop == 1) && (dest_is_priv)) {
2448		return (NULL);
2449	}
2450	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_glob:%d\n",
2451		ifa->src_is_loop,
2452		dest_is_global);
2453	if ((ifa->src_is_loop == 1) && (dest_is_global)) {
2454		return (NULL);
2455	}
2456	SCTPDBG(SCTP_DEBUG_OUTPUT3, "address is acceptable\n");
2457	/* its an acceptable address */
2458	return (ifa);
2459}
2460
2461int
2462sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
2463{
2464	struct sctp_laddr *laddr;
2465
2466	if (stcb == NULL) {
2467		/* There are no restrictions, no TCB :-) */
2468		return (0);
2469	}
2470	LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
2471		if (laddr->ifa == NULL) {
2472			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2473				__FUNCTION__);
2474			continue;
2475		}
2476		if (laddr->ifa == ifa) {
2477			/* Yes it is on the list */
2478			return (1);
2479		}
2480	}
2481	return (0);
2482}
2483
2484
2485int
2486sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
2487{
2488	struct sctp_laddr *laddr;
2489
2490	if (ifa == NULL)
2491		return (0);
2492	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2493		if (laddr->ifa == NULL) {
2494			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2495				__FUNCTION__);
2496			continue;
2497		}
2498		if ((laddr->ifa == ifa) && laddr->action == 0)
2499			/* same pointer */
2500			return (1);
2501	}
2502	return (0);
2503}
2504
2505
2506
2507static struct sctp_ifa *
2508sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
2509			      sctp_route_t *ro,
2510			      uint32_t vrf_id,
2511			      int non_asoc_addr_ok,
2512			      uint8_t dest_is_priv,
2513			      uint8_t dest_is_loop,
2514			      sa_family_t fam)
2515{
2516	struct sctp_laddr *laddr, *starting_point;
2517	void *ifn;
2518	int resettotop = 0;
2519	struct sctp_ifn *sctp_ifn;
2520	struct sctp_ifa *sctp_ifa, *sifa;
2521	struct sctp_vrf *vrf;
2522	uint32_t ifn_index;
2523
2524	vrf = sctp_find_vrf(vrf_id);
2525	if (vrf == NULL)
2526		return (NULL);
2527
2528	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2529	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2530	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2531	/*
2532	 * first question, is the ifn we will emit on in our list, if so, we
2533	 * want such an address. Note that we first looked for a
2534	 * preferred address.
2535	 */
2536	if (sctp_ifn) {
2537		/* is a preferred one on the interface we route out? */
2538		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2539#if defined(__FreeBSD__)
2540#ifdef INET
2541			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2542			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2543			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
2544				continue;
2545			}
2546#endif
2547#ifdef INET6
2548			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2549			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2550			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2551				continue;
2552			}
2553#endif
2554#endif
2555			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2556			    (non_asoc_addr_ok == 0))
2557				continue;
2558			sifa = sctp_is_ifa_addr_preferred(sctp_ifa,
2559							  dest_is_loop,
2560							  dest_is_priv, fam);
2561			if (sifa == NULL)
2562				continue;
2563			if (sctp_is_addr_in_ep(inp, sifa)) {
2564				atomic_add_int(&sifa->refcount, 1);
2565				return (sifa);
2566			}
2567		}
2568	}
2569	/*
2570	 * ok, now we now need to find one on the list of the addresses.
2571	 * We can't get one on the emitting interface so let's find first
2572	 * a preferred one. If not that an acceptable one otherwise...
2573	 * we return NULL.
2574	 */
2575	starting_point = inp->next_addr_touse;
2576 once_again:
2577	if (inp->next_addr_touse == NULL) {
2578		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2579		resettotop = 1;
2580	}
2581	for (laddr = inp->next_addr_touse; laddr;
2582	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2583		if (laddr->ifa == NULL) {
2584			/* address has been removed */
2585			continue;
2586		}
2587		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2588			/* address is being deleted */
2589			continue;
2590		}
2591		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop,
2592						  dest_is_priv, fam);
2593		if (sifa == NULL)
2594			continue;
2595		atomic_add_int(&sifa->refcount, 1);
2596		return (sifa);
2597	}
2598	if (resettotop == 0) {
2599		inp->next_addr_touse = NULL;
2600		goto once_again;
2601	}
2602
2603	inp->next_addr_touse = starting_point;
2604	resettotop = 0;
2605 once_again_too:
2606	if (inp->next_addr_touse == NULL) {
2607		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2608		resettotop = 1;
2609	}
2610
2611	/* ok, what about an acceptable address in the inp */
2612	for (laddr = inp->next_addr_touse; laddr;
2613	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2614		if (laddr->ifa == NULL) {
2615			/* address has been removed */
2616			continue;
2617		}
2618		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2619			/* address is being deleted */
2620			continue;
2621		}
2622		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2623						   dest_is_priv, fam);
2624		if (sifa == NULL)
2625			continue;
2626		atomic_add_int(&sifa->refcount, 1);
2627		return (sifa);
2628	}
2629	if (resettotop == 0) {
2630		inp->next_addr_touse = NULL;
2631		goto once_again_too;
2632	}
2633
2634	/*
2635	 * no address bound can be a source for the destination we are in
2636	 * trouble
2637	 */
2638	return (NULL);
2639}
2640
2641
2642
2643static struct sctp_ifa *
2644sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
2645			       struct sctp_tcb *stcb,
2646			       sctp_route_t *ro,
2647			       uint32_t vrf_id,
2648			       uint8_t dest_is_priv,
2649			       uint8_t dest_is_loop,
2650			       int non_asoc_addr_ok,
2651			       sa_family_t fam)
2652{
2653	struct sctp_laddr *laddr, *starting_point;
2654	void *ifn;
2655	struct sctp_ifn *sctp_ifn;
2656	struct sctp_ifa *sctp_ifa, *sifa;
2657	uint8_t start_at_beginning = 0;
2658	struct sctp_vrf *vrf;
2659	uint32_t ifn_index;
2660
2661	/*
2662	 * first question, is the ifn we will emit on in our list, if so, we
2663	 * want that one.
2664	 */
2665	vrf = sctp_find_vrf(vrf_id);
2666	if (vrf == NULL)
2667		return (NULL);
2668
2669	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2670	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2671	sctp_ifn = sctp_find_ifn( ifn, ifn_index);
2672
2673	/*
2674	 * first question, is the ifn we will emit on in our list?  If so,
2675	 * we want that one. First we look for a preferred. Second, we go
2676	 * for an acceptable.
2677	 */
2678	if (sctp_ifn) {
2679		/* first try for a preferred address on the ep */
2680		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2681#if defined(__FreeBSD__)
2682#ifdef INET
2683			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2684			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2685			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
2686				continue;
2687			}
2688#endif
2689#ifdef INET6
2690			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2691			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2692			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2693				continue;
2694			}
2695#endif
2696#endif
2697			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2698				continue;
2699			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2700				sifa = sctp_is_ifa_addr_preferred(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2701				if (sifa == NULL)
2702					continue;
2703				if (((non_asoc_addr_ok == 0) &&
2704				     (sctp_is_addr_restricted(stcb, sifa))) ||
2705				    (non_asoc_addr_ok &&
2706				     (sctp_is_addr_restricted(stcb, sifa)) &&
2707				     (!sctp_is_addr_pending(stcb, sifa)))) {
2708					/* on the no-no list */
2709					continue;
2710				}
2711				atomic_add_int(&sifa->refcount, 1);
2712				return (sifa);
2713			}
2714		}
2715		/* next try for an acceptable address on the ep */
2716		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2717#if defined(__FreeBSD__)
2718#ifdef INET
2719			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2720			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2721			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
2722				continue;
2723			}
2724#endif
2725#ifdef INET6
2726			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2727			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2728			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2729				continue;
2730			}
2731#endif
2732#endif
2733			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2734				continue;
2735			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2736				sifa= sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop, dest_is_priv,fam);
2737				if (sifa == NULL)
2738					continue;
2739				if (((non_asoc_addr_ok == 0) &&
2740				     (sctp_is_addr_restricted(stcb, sifa))) ||
2741				    (non_asoc_addr_ok &&
2742				     (sctp_is_addr_restricted(stcb, sifa)) &&
2743				     (!sctp_is_addr_pending(stcb, sifa)))) {
2744					/* on the no-no list */
2745					continue;
2746				}
2747				atomic_add_int(&sifa->refcount, 1);
2748				return (sifa);
2749			}
2750		}
2751
2752	}
2753	/*
2754	 * if we can't find one like that then we must look at all
2755	 * addresses bound to pick one at first preferable then
2756	 * secondly acceptable.
2757	 */
2758	starting_point = stcb->asoc.last_used_address;
2759 sctp_from_the_top:
2760	if (stcb->asoc.last_used_address == NULL) {
2761		start_at_beginning = 1;
2762		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2763	}
2764	/* search beginning with the last used address */
2765	for (laddr = stcb->asoc.last_used_address; laddr;
2766	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2767		if (laddr->ifa == NULL) {
2768			/* address has been removed */
2769			continue;
2770		}
2771		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2772			/* address is being deleted */
2773			continue;
2774		}
2775		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop, dest_is_priv, fam);
2776		if (sifa == NULL)
2777			continue;
2778		if (((non_asoc_addr_ok == 0) &&
2779		     (sctp_is_addr_restricted(stcb, sifa))) ||
2780		    (non_asoc_addr_ok &&
2781		     (sctp_is_addr_restricted(stcb, sifa)) &&
2782		     (!sctp_is_addr_pending(stcb, sifa)))) {
2783			/* on the no-no list */
2784			continue;
2785		}
2786		stcb->asoc.last_used_address = laddr;
2787		atomic_add_int(&sifa->refcount, 1);
2788		return (sifa);
2789	}
2790	if (start_at_beginning == 0) {
2791		stcb->asoc.last_used_address = NULL;
2792		goto sctp_from_the_top;
2793	}
2794	/* now try for any higher scope than the destination */
2795	stcb->asoc.last_used_address = starting_point;
2796	start_at_beginning = 0;
2797 sctp_from_the_top2:
2798	if (stcb->asoc.last_used_address == NULL) {
2799		start_at_beginning = 1;
2800		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2801	}
2802	/* search beginning with the last used address */
2803	for (laddr = stcb->asoc.last_used_address; laddr;
2804	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2805		if (laddr->ifa == NULL) {
2806			/* address has been removed */
2807			continue;
2808		}
2809		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2810			/* address is being deleted */
2811			continue;
2812		}
2813		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2814						   dest_is_priv, fam);
2815		if (sifa == NULL)
2816			continue;
2817		if (((non_asoc_addr_ok == 0) &&
2818		     (sctp_is_addr_restricted(stcb, sifa))) ||
2819		    (non_asoc_addr_ok &&
2820		     (sctp_is_addr_restricted(stcb, sifa)) &&
2821		     (!sctp_is_addr_pending(stcb, sifa)))) {
2822			/* on the no-no list */
2823			continue;
2824		}
2825		stcb->asoc.last_used_address = laddr;
2826		atomic_add_int(&sifa->refcount, 1);
2827		return (sifa);
2828	}
2829	if (start_at_beginning == 0) {
2830		stcb->asoc.last_used_address = NULL;
2831		goto sctp_from_the_top2;
2832	}
2833	return (NULL);
2834}
2835
2836static struct sctp_ifa *
2837sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
2838#if defined(__FreeBSD__)
2839                                                 struct sctp_inpcb *inp,
2840#else
2841                                                 struct sctp_inpcb *inp SCTP_UNUSED,
2842#endif
2843						 struct sctp_tcb *stcb,
2844						 int non_asoc_addr_ok,
2845						 uint8_t dest_is_loop,
2846						 uint8_t dest_is_priv,
2847						 int addr_wanted,
2848						 sa_family_t fam,
2849						 sctp_route_t *ro
2850						 )
2851{
2852	struct sctp_ifa *ifa, *sifa;
2853	int num_eligible_addr = 0;
2854#ifdef INET6
2855#ifdef SCTP_EMBEDDED_V6_SCOPE
2856	struct sockaddr_in6 sin6, lsa6;
2857
2858	if (fam == AF_INET6) {
2859		memcpy(&sin6, &ro->ro_dst, sizeof(struct sockaddr_in6));
2860#ifdef SCTP_KAME
2861		(void)sa6_recoverscope(&sin6);
2862#else
2863		(void)in6_recoverscope(&sin6, &sin6.sin6_addr, NULL);
2864#endif  /* SCTP_KAME */
2865	}
2866#endif  /* SCTP_EMBEDDED_V6_SCOPE */
2867#endif	/* INET6 */
2868	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2869#if defined(__FreeBSD__)
2870#ifdef INET
2871		if ((ifa->address.sa.sa_family == AF_INET) &&
2872		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2873		                      &ifa->address.sin.sin_addr) != 0)) {
2874			continue;
2875		}
2876#endif
2877#ifdef INET6
2878		if ((ifa->address.sa.sa_family == AF_INET6) &&
2879		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2880		                      &ifa->address.sin6.sin6_addr) != 0)) {
2881			continue;
2882		}
2883#endif
2884#endif
2885		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2886		    (non_asoc_addr_ok == 0))
2887			continue;
2888		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2889						  dest_is_priv, fam);
2890		if (sifa == NULL)
2891			continue;
2892#ifdef INET6
2893		if (fam == AF_INET6 &&
2894		    dest_is_loop &&
2895		    sifa->src_is_loop && sifa->src_is_priv) {
2896			/* don't allow fe80::1 to be a src on loop ::1, we don't list it
2897			 * to the peer so we will get an abort.
2898			 */
2899			continue;
2900		}
2901#ifdef SCTP_EMBEDDED_V6_SCOPE
2902		if (fam == AF_INET6 &&
2903		    IN6_IS_ADDR_LINKLOCAL(&sifa->address.sin6.sin6_addr) &&
2904		    IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
2905			/* link-local <-> link-local must belong to the same scope. */
2906			memcpy(&lsa6, &sifa->address.sin6, sizeof(struct sockaddr_in6));
2907#ifdef SCTP_KAME
2908			(void)sa6_recoverscope(&lsa6);
2909#else
2910			(void)in6_recoverscope(&lsa6, &lsa6.sin6_addr, NULL);
2911#endif  /* SCTP_KAME */
2912			if (sin6.sin6_scope_id != lsa6.sin6_scope_id) {
2913				continue;
2914			}
2915		}
2916#endif  /* SCTP_EMBEDDED_V6_SCOPE */
2917#endif	/* INET6 */
2918
2919#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Userspace__)
2920		/* Check if the IPv6 address matches to next-hop.
2921		   In the mobile case, old IPv6 address may be not deleted
2922		   from the interface. Then, the interface has previous and
2923		   new addresses.  We should use one corresponding to the
2924		   next-hop.  (by micchie)
2925		 */
2926#ifdef INET6
2927		if (stcb && fam == AF_INET6 &&
2928		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2929			if (sctp_v6src_match_nexthop(&sifa->address.sin6, ro)
2930			    == 0) {
2931				continue;
2932			}
2933		}
2934#endif
2935#ifdef INET
2936		/* Avoid topologically incorrect IPv4 address */
2937		if (stcb && fam == AF_INET &&
2938		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2939			if (sctp_v4src_match_nexthop(sifa, ro) == 0) {
2940				continue;
2941			}
2942		}
2943#endif
2944#endif
2945		if (stcb) {
2946			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2947				continue;
2948			}
2949			if (((non_asoc_addr_ok == 0) &&
2950			     (sctp_is_addr_restricted(stcb, sifa))) ||
2951			    (non_asoc_addr_ok &&
2952			     (sctp_is_addr_restricted(stcb, sifa)) &&
2953			     (!sctp_is_addr_pending(stcb, sifa)))) {
2954				/*
2955				 * It is restricted for some reason..
2956				 * probably not yet added.
2957				 */
2958				continue;
2959			}
2960		}
2961		if (num_eligible_addr >= addr_wanted) {
2962			return (sifa);
2963		}
2964		num_eligible_addr++;
2965	}
2966	return (NULL);
2967}
2968
2969
2970static int
2971sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
2972#if defined(__FreeBSD__)
2973                                  struct sctp_inpcb *inp,
2974#else
2975                                  struct sctp_inpcb *inp SCTP_UNUSED,
2976#endif
2977				  struct sctp_tcb *stcb,
2978				  int non_asoc_addr_ok,
2979				  uint8_t dest_is_loop,
2980				  uint8_t dest_is_priv,
2981				  sa_family_t fam)
2982{
2983	struct sctp_ifa *ifa, *sifa;
2984	int num_eligible_addr = 0;
2985
2986	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2987#if defined(__FreeBSD__)
2988#ifdef INET
2989		if ((ifa->address.sa.sa_family == AF_INET) &&
2990		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2991		                      &ifa->address.sin.sin_addr) != 0)) {
2992			continue;
2993		}
2994#endif
2995#ifdef INET6
2996		if ((ifa->address.sa.sa_family == AF_INET6) &&
2997		    (stcb != NULL) &&
2998		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2999		                      &ifa->address.sin6.sin6_addr) != 0)) {
3000			continue;
3001		}
3002#endif
3003#endif
3004		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3005		    (non_asoc_addr_ok == 0)) {
3006			continue;
3007		}
3008		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
3009						  dest_is_priv, fam);
3010		if (sifa == NULL) {
3011			continue;
3012		}
3013		if (stcb) {
3014			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
3015				continue;
3016			}
3017			if (((non_asoc_addr_ok == 0) &&
3018			     (sctp_is_addr_restricted(stcb, sifa))) ||
3019			    (non_asoc_addr_ok &&
3020			     (sctp_is_addr_restricted(stcb, sifa)) &&
3021			     (!sctp_is_addr_pending(stcb, sifa)))) {
3022				/*
3023				 * It is restricted for some reason..
3024				 * probably not yet added.
3025				 */
3026				continue;
3027			}
3028		}
3029		num_eligible_addr++;
3030	}
3031	return (num_eligible_addr);
3032}
3033
3034static struct sctp_ifa *
3035sctp_choose_boundall(struct sctp_inpcb *inp,
3036                     struct sctp_tcb *stcb,
3037		     struct sctp_nets *net,
3038		     sctp_route_t *ro,
3039		     uint32_t vrf_id,
3040		     uint8_t dest_is_priv,
3041		     uint8_t dest_is_loop,
3042		     int non_asoc_addr_ok,
3043		     sa_family_t fam)
3044{
3045	int cur_addr_num = 0, num_preferred = 0;
3046	void *ifn;
3047	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
3048	struct sctp_ifa *sctp_ifa, *sifa;
3049	uint32_t ifn_index;
3050	struct sctp_vrf *vrf;
3051#ifdef INET
3052	int retried = 0;
3053#endif
3054
3055	/*-
3056	 * For boundall we can use any address in the association.
3057	 * If non_asoc_addr_ok is set we can use any address (at least in
3058	 * theory). So we look for preferred addresses first. If we find one,
3059	 * we use it. Otherwise we next try to get an address on the
3060	 * interface, which we should be able to do (unless non_asoc_addr_ok
3061	 * is false and we are routed out that way). In these cases where we
3062	 * can't use the address of the interface we go through all the
3063	 * ifn's looking for an address we can use and fill that in. Punting
3064	 * means we send back address 0, which will probably cause problems
3065	 * actually since then IP will fill in the address of the route ifn,
3066	 * which means we probably already rejected it.. i.e. here comes an
3067	 * abort :-<.
3068	 */
3069	vrf = sctp_find_vrf(vrf_id);
3070	if (vrf == NULL)
3071		return (NULL);
3072
3073	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
3074	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
3075	SCTPDBG(SCTP_DEBUG_OUTPUT2,"ifn from route:%p ifn_index:%d\n", ifn, ifn_index);
3076	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
3077	if (sctp_ifn == NULL) {
3078		/* ?? We don't have this guy ?? */
3079		SCTPDBG(SCTP_DEBUG_OUTPUT2,"No ifn emit interface?\n");
3080		goto bound_all_plan_b;
3081	}
3082	SCTPDBG(SCTP_DEBUG_OUTPUT2,"ifn_index:%d name:%s is emit interface\n",
3083		ifn_index, sctp_ifn->ifn_name);
3084
3085	if (net) {
3086		cur_addr_num = net->indx_of_eligible_next_to_use;
3087	}
3088	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
3089							  inp, stcb,
3090							  non_asoc_addr_ok,
3091							  dest_is_loop,
3092							  dest_is_priv, fam);
3093	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
3094		num_preferred, sctp_ifn->ifn_name);
3095	if (num_preferred == 0) {
3096		/*
3097		 * no eligible addresses, we must use some other interface
3098		 * address if we can find one.
3099		 */
3100		goto bound_all_plan_b;
3101	}
3102	/*
3103	 * Ok we have num_eligible_addr set with how many we can use, this
3104	 * may vary from call to call due to addresses being deprecated
3105	 * etc..
3106	 */
3107	if (cur_addr_num >= num_preferred) {
3108		cur_addr_num = 0;
3109	}
3110	/*
3111	 * select the nth address from the list (where cur_addr_num is the
3112	 * nth) and 0 is the first one, 1 is the second one etc...
3113	 */
3114	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);
3115
3116	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3117                                                                    dest_is_priv, cur_addr_num, fam, ro);
3118
3119	/* if sctp_ifa is NULL something changed??, fall to plan b. */
3120	if (sctp_ifa) {
3121		atomic_add_int(&sctp_ifa->refcount, 1);
3122		if (net) {
3123			/* save off where the next one we will want */
3124			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3125		}
3126		return (sctp_ifa);
3127	}
3128	/*
3129	 * plan_b: Look at all interfaces and find a preferred address. If
3130	 * no preferred fall through to plan_c.
3131	 */
3132 bound_all_plan_b:
3133	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
3134	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3135		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
3136			sctp_ifn->ifn_name);
3137		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3138			/* wrong base scope */
3139			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
3140			continue;
3141		}
3142		if ((sctp_ifn == looked_at) && looked_at) {
3143			/* already looked at this guy */
3144			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
3145			continue;
3146		}
3147		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok,
3148                                                                  dest_is_loop, dest_is_priv, fam);
3149		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3150			"Found ifn:%p %d preferred source addresses\n",
3151			ifn, num_preferred);
3152		if (num_preferred == 0) {
3153			/* None on this interface. */
3154			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefered -- skipping to next\n");
3155			continue;
3156		}
3157		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3158			"num preferred:%d on interface:%p cur_addr_num:%d\n",
3159			num_preferred, (void *)sctp_ifn, cur_addr_num);
3160
3161		/*
3162		 * Ok we have num_eligible_addr set with how many we can
3163		 * use, this may vary from call to call due to addresses
3164		 * being deprecated etc..
3165		 */
3166		if (cur_addr_num >= num_preferred) {
3167			cur_addr_num = 0;
3168		}
3169		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3170                                                                        dest_is_priv, cur_addr_num, fam, ro);
3171		if (sifa == NULL)
3172			continue;
3173		if (net) {
3174			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3175			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
3176				cur_addr_num);
3177			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
3178			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
3179			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
3180			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
3181		}
3182		atomic_add_int(&sifa->refcount, 1);
3183		return (sifa);
3184	}
3185#ifdef INET
3186again_with_private_addresses_allowed:
3187#endif
3188	/* plan_c: do we have an acceptable address on the emit interface */
3189	sifa = NULL;
3190	SCTPDBG(SCTP_DEBUG_OUTPUT2,"Trying Plan C: find acceptable on interface\n");
3191	if (emit_ifn == NULL) {
3192		SCTPDBG(SCTP_DEBUG_OUTPUT2,"Jump to Plan D - no emit_ifn\n");
3193		goto plan_d;
3194	}
3195	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
3196		SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifa:%p\n", (void *)sctp_ifa);
3197#if defined(__FreeBSD__)
3198#ifdef INET
3199		if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3200		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3201		                      &sctp_ifa->address.sin.sin_addr) != 0)) {
3202			SCTPDBG(SCTP_DEBUG_OUTPUT2,"Jailed\n");
3203			continue;
3204		}
3205#endif
3206#ifdef INET6
3207		if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3208		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3209		                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3210			SCTPDBG(SCTP_DEBUG_OUTPUT2,"Jailed\n");
3211			continue;
3212		}
3213#endif
3214#endif
3215		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3216		    (non_asoc_addr_ok == 0)) {
3217			SCTPDBG(SCTP_DEBUG_OUTPUT2,"Defer\n");
3218			continue;
3219		}
3220		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
3221						   dest_is_priv, fam);
3222		if (sifa == NULL) {
3223			SCTPDBG(SCTP_DEBUG_OUTPUT2, "IFA not acceptable\n");
3224			continue;
3225		}
3226		if (stcb) {
3227			if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3228				SCTPDBG(SCTP_DEBUG_OUTPUT2, "NOT in scope\n");
3229				sifa = NULL;
3230				continue;
3231			}
3232			if (((non_asoc_addr_ok == 0) &&
3233			     (sctp_is_addr_restricted(stcb, sifa))) ||
3234			    (non_asoc_addr_ok &&
3235			     (sctp_is_addr_restricted(stcb, sifa)) &&
3236			     (!sctp_is_addr_pending(stcb, sifa)))) {
3237				/*
3238				 * It is restricted for some
3239				 * reason.. probably not yet added.
3240				 */
3241				SCTPDBG(SCTP_DEBUG_OUTPUT2, "Its resticted\n");
3242				sifa = NULL;
3243				continue;
3244			}
3245		} else {
3246			SCTP_PRINTF("Stcb is null - no print\n");
3247		}
3248		atomic_add_int(&sifa->refcount, 1);
3249		goto out;
3250	}
3251 plan_d:
3252	/*
3253	 * plan_d: We are in trouble. No preferred address on the emit
3254	 * interface. And not even a preferred address on all interfaces.
3255	 * Go out and see if we can find an acceptable address somewhere
3256	 * amongst all interfaces.
3257	 */
3258	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D looked_at is %p\n", (void *)looked_at);
3259	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3260		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3261			/* wrong base scope */
3262			continue;
3263		}
3264		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3265#if defined(__FreeBSD__)
3266#ifdef INET
3267			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3268			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3269			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
3270				continue;
3271			}
3272#endif
3273#ifdef INET6
3274			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3275			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3276			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3277				continue;
3278			}
3279#endif
3280#endif
3281			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3282			    (non_asoc_addr_ok == 0))
3283				continue;
3284			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3285							   dest_is_loop,
3286							   dest_is_priv, fam);
3287			if (sifa == NULL)
3288				continue;
3289			if (stcb) {
3290				if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3291					sifa = NULL;
3292					continue;
3293				}
3294				if (((non_asoc_addr_ok == 0) &&
3295				     (sctp_is_addr_restricted(stcb, sifa))) ||
3296				    (non_asoc_addr_ok &&
3297				     (sctp_is_addr_restricted(stcb, sifa)) &&
3298				     (!sctp_is_addr_pending(stcb, sifa)))) {
3299					/*
3300					 * It is restricted for some
3301					 * reason.. probably not yet added.
3302					 */
3303					sifa = NULL;
3304					continue;
3305				}
3306			}
3307			goto out;
3308		}
3309	}
3310#ifdef INET
3311	if ((retried == 0) && (stcb->asoc.scope.ipv4_local_scope == 0)) {
3312		stcb->asoc.scope.ipv4_local_scope = 1;
3313		retried = 1;
3314		goto again_with_private_addresses_allowed;
3315	} else if (retried == 1) {
3316		stcb->asoc.scope.ipv4_local_scope = 0;
3317	}
3318#endif
3319out:
3320#ifdef INET
3321	if (sifa) {
3322		if (retried == 1) {
3323			LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3324				if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3325					/* wrong base scope */
3326					continue;
3327				}
3328				LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3329					struct sctp_ifa *tmp_sifa;
3330
3331#if defined(__FreeBSD__)
3332#ifdef INET
3333					if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3334					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3335					                      &sctp_ifa->address.sin.sin_addr) != 0)) {
3336						continue;
3337					}
3338#endif
3339#ifdef INET6
3340					if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3341					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3342					                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3343						continue;
3344					}
3345#endif
3346#endif
3347					if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3348					    (non_asoc_addr_ok == 0))
3349						continue;
3350					tmp_sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3351					                                       dest_is_loop,
3352					                                       dest_is_priv, fam);
3353					if (tmp_sifa == NULL) {
3354						continue;
3355					}
3356					if (tmp_sifa == sifa) {
3357						continue;
3358					}
3359					if (stcb) {
3360						if (sctp_is_address_in_scope(tmp_sifa,
3361						                             &stcb->asoc.scope, 0) == 0) {
3362							continue;
3363						}
3364						if (((non_asoc_addr_ok == 0) &&
3365						     (sctp_is_addr_restricted(stcb, tmp_sifa))) ||
3366						    (non_asoc_addr_ok &&
3367						     (sctp_is_addr_restricted(stcb, tmp_sifa)) &&
3368						     (!sctp_is_addr_pending(stcb, tmp_sifa)))) {
3369							/*
3370							 * It is restricted for some
3371							 * reason.. probably not yet added.
3372							 */
3373							continue;
3374						}
3375					}
3376					if ((tmp_sifa->address.sin.sin_family == AF_INET) &&
3377					    (IN4_ISPRIVATE_ADDRESS(&(tmp_sifa->address.sin.sin_addr)))) {
3378						sctp_add_local_addr_restricted(stcb, tmp_sifa);
3379					}
3380				}
3381			}
3382		}
3383		atomic_add_int(&sifa->refcount, 1);
3384	}
3385#endif
3386	return (sifa);
3387}
3388
3389
3390
3391/* tcb may be NULL */
3392struct sctp_ifa *
3393sctp_source_address_selection(struct sctp_inpcb *inp,
3394			      struct sctp_tcb *stcb,
3395			      sctp_route_t *ro,
3396			      struct sctp_nets *net,
3397			      int non_asoc_addr_ok, uint32_t vrf_id)
3398{
3399	struct sctp_ifa *answer;
3400	uint8_t dest_is_priv, dest_is_loop;
3401	sa_family_t fam;
3402#ifdef INET
3403	struct sockaddr_in *to = (struct sockaddr_in *)&ro->ro_dst;
3404#endif
3405#ifdef INET6
3406	struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&ro->ro_dst;
3407#endif
3408
3409	/**
3410	 * Rules: - Find the route if needed, cache if I can. - Look at
3411	 * interface address in route, Is it in the bound list. If so we
3412	 * have the best source. - If not we must rotate amongst the
3413	 * addresses.
3414	 *
3415	 * Cavets and issues
3416	 *
3417	 * Do we need to pay attention to scope. We can have a private address
3418	 * or a global address we are sourcing or sending to. So if we draw
3419	 * it out
3420	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3421	 * For V4
3422	 * ------------------------------------------
3423	 *      source     *      dest  *  result
3424	 * -----------------------------------------
3425	 * <a>  Private    *    Global  *  NAT
3426	 * -----------------------------------------
3427	 * <b>  Private    *    Private *  No problem
3428	 * -----------------------------------------
3429	 * <c>  Global     *    Private *  Huh, How will this work?
3430	 * -----------------------------------------
3431	 * <d>  Global     *    Global  *  No Problem
3432	 *------------------------------------------
3433	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3434	 * For V6
3435	 *------------------------------------------
3436	 *      source     *      dest  *  result
3437	 * -----------------------------------------
3438	 * <a>  Linklocal  *    Global  *
3439	 * -----------------------------------------
3440	 * <b>  Linklocal  * Linklocal  *  No problem
3441	 * -----------------------------------------
3442	 * <c>  Global     * Linklocal  *  Huh, How will this work?
3443	 * -----------------------------------------
3444	 * <d>  Global     *    Global  *  No Problem
3445	 *------------------------------------------
3446	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3447	 *
3448	 * And then we add to that what happens if there are multiple addresses
3449	 * assigned to an interface. Remember the ifa on a ifn is a linked
3450	 * list of addresses. So one interface can have more than one IP
3451	 * address. What happens if we have both a private and a global
3452	 * address? Do we then use context of destination to sort out which
3453	 * one is best? And what about NAT's sending P->G may get you a NAT
3454	 * translation, or should you select the G thats on the interface in
3455	 * preference.
3456	 *
3457	 * Decisions:
3458	 *
3459	 * - count the number of addresses on the interface.
3460	 * - if it is one, no problem except case <c>.
3461	 *   For <a> we will assume a NAT out there.
3462	 * - if there are more than one, then we need to worry about scope P
3463	 *   or G. We should prefer G -> G and P -> P if possible.
3464	 *   Then as a secondary fall back to mixed types G->P being a last
3465	 *   ditch one.
3466	 * - The above all works for bound all, but bound specific we need to
3467	 *   use the same concept but instead only consider the bound
3468	 *   addresses. If the bound set is NOT assigned to the interface then
3469	 *   we must use rotation amongst the bound addresses..
3470	 */
3471	if (ro->ro_rt == NULL) {
3472		/*
3473		 * Need a route to cache.
3474		 */
3475		SCTP_RTALLOC(ro, vrf_id);
3476	}
3477	if (ro->ro_rt == NULL) {
3478		return (NULL);
3479	}
3480	fam = ro->ro_dst.sa_family;
3481	dest_is_priv = dest_is_loop = 0;
3482	/* Setup our scopes for the destination */
3483	switch (fam) {
3484#ifdef INET
3485	case AF_INET:
3486		/* Scope based on outbound address */
3487		if (IN4_ISLOOPBACK_ADDRESS(&to->sin_addr)) {
3488			dest_is_loop = 1;
3489			if (net != NULL) {
3490				/* mark it as local */
3491				net->addr_is_local = 1;
3492			}
3493		} else if ((IN4_ISPRIVATE_ADDRESS(&to->sin_addr))) {
3494			dest_is_priv = 1;
3495		}
3496		break;
3497#endif
3498#ifdef INET6
3499	case AF_INET6:
3500		/* Scope based on outbound address */
3501#if defined(__Userspace_os_Windows)
3502		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr)) {
3503#else
3504		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr) ||
3505		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
3506#endif
3507			/*
3508			 * If the address is a loopback address, which
3509			 * consists of "::1" OR "fe80::1%lo0", we are loopback
3510			 * scope. But we don't use dest_is_priv (link local
3511			 * addresses).
3512			 */
3513			dest_is_loop = 1;
3514			if (net != NULL) {
3515				/* mark it as local */
3516				net->addr_is_local = 1;
3517			}
3518		} else if (IN6_IS_ADDR_LINKLOCAL(&to6->sin6_addr)) {
3519			dest_is_priv = 1;
3520		}
3521		break;
3522#endif
3523	}
3524	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
3525	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&ro->ro_dst);
3526	SCTP_IPI_ADDR_RLOCK();
3527	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
3528		/*
3529		 * Bound all case
3530		 */
3531		answer = sctp_choose_boundall(inp, stcb, net, ro, vrf_id,
3532					      dest_is_priv, dest_is_loop,
3533					      non_asoc_addr_ok, fam);
3534		SCTP_IPI_ADDR_RUNLOCK();
3535		return (answer);
3536	}
3537	/*
3538	 * Subset bound case
3539	 */
3540	if (stcb) {
3541		answer = sctp_choose_boundspecific_stcb(inp, stcb, ro,
3542							vrf_id,	dest_is_priv,
3543							dest_is_loop,
3544							non_asoc_addr_ok, fam);
3545	} else {
3546		answer = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
3547						       non_asoc_addr_ok,
3548						       dest_is_priv,
3549						       dest_is_loop, fam);
3550	}
3551	SCTP_IPI_ADDR_RUNLOCK();
3552	return (answer);
3553}
3554
3555static int
3556sctp_find_cmsg(int c_type, void *data, struct mbuf *control, size_t cpsize)
3557{
3558#if defined(__Userspace_os_Windows)
3559	WSACMSGHDR cmh;
3560#else
3561	struct cmsghdr cmh;
3562#endif
3563	int tlen, at, found;
3564	struct sctp_sndinfo sndinfo;
3565	struct sctp_prinfo prinfo;
3566	struct sctp_authinfo authinfo;
3567
3568	tlen = SCTP_BUF_LEN(control);
3569	at = 0;
3570	found = 0;
3571	/*
3572	 * Independent of how many mbufs, find the c_type inside the control
3573	 * structure and copy out the data.
3574	 */
3575	while (at < tlen) {
3576		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3577			/* There is not enough room for one more. */
3578			return (found);
3579		}
3580		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3581		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3582			/* We dont't have a complete CMSG header. */
3583			return (found);
3584		}
3585		if (((int)cmh.cmsg_len + at) > tlen) {
3586			/* We don't have the complete CMSG. */
3587			return (found);
3588		}
3589		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
3590		    ((c_type == cmh.cmsg_type) ||
3591		     ((c_type == SCTP_SNDRCV) &&
3592		      ((cmh.cmsg_type == SCTP_SNDINFO) ||
3593		       (cmh.cmsg_type == SCTP_PRINFO) ||
3594		       (cmh.cmsg_type == SCTP_AUTHINFO))))) {
3595			if (c_type == cmh.cmsg_type) {
3596				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < cpsize) {
3597					return (found);
3598				}
3599				/* It is exactly what we want. Copy it out. */
3600				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), cpsize, (caddr_t)data);
3601				return (1);
3602			} else {
3603				struct sctp_sndrcvinfo *sndrcvinfo;
3604
3605				sndrcvinfo = (struct sctp_sndrcvinfo *)data;
3606				if (found == 0) {
3607					if (cpsize < sizeof(struct sctp_sndrcvinfo)) {
3608						return (found);
3609					}
3610					memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
3611				}
3612				switch (cmh.cmsg_type) {
3613				case SCTP_SNDINFO:
3614					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_sndinfo)) {
3615						return (found);
3616					}
3617					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_sndinfo), (caddr_t)&sndinfo);
3618					sndrcvinfo->sinfo_stream = sndinfo.snd_sid;
3619					sndrcvinfo->sinfo_flags = sndinfo.snd_flags;
3620					sndrcvinfo->sinfo_ppid = sndinfo.snd_ppid;
3621					sndrcvinfo->sinfo_context = sndinfo.snd_context;
3622					sndrcvinfo->sinfo_assoc_id = sndinfo.snd_assoc_id;
3623					break;
3624				case SCTP_PRINFO:
3625					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_prinfo)) {
3626						return (found);
3627					}
3628					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_prinfo), (caddr_t)&prinfo);
3629					if (prinfo.pr_policy != SCTP_PR_SCTP_NONE) {
3630						sndrcvinfo->sinfo_timetolive = prinfo.pr_value;
3631					} else {
3632						sndrcvinfo->sinfo_timetolive = 0;
3633					}
3634					sndrcvinfo->sinfo_flags |= prinfo.pr_policy;
3635					break;
3636				case SCTP_AUTHINFO:
3637					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_authinfo)) {
3638						return (found);
3639					}
3640					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_authinfo), (caddr_t)&authinfo);
3641					sndrcvinfo->sinfo_keynumber_valid = 1;
3642					sndrcvinfo->sinfo_keynumber = authinfo.auth_keynumber;
3643					break;
3644				default:
3645					return (found);
3646				}
3647				found = 1;
3648			}
3649		}
3650		at += CMSG_ALIGN(cmh.cmsg_len);
3651	}
3652	return (found);
3653}
3654
3655static int
3656sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *error)
3657{
3658#if defined(__Userspace_os_Windows)
3659	WSACMSGHDR cmh;
3660#else
3661	struct cmsghdr cmh;
3662#endif
3663	int tlen, at;
3664	struct sctp_initmsg initmsg;
3665#ifdef INET
3666	struct sockaddr_in sin;
3667#endif
3668#ifdef INET6
3669	struct sockaddr_in6 sin6;
3670#endif
3671
3672	tlen = SCTP_BUF_LEN(control);
3673	at = 0;
3674	while (at < tlen) {
3675		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3676			/* There is not enough room for one more. */
3677			*error = EINVAL;
3678			return (1);
3679		}
3680		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3681		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3682			/* We dont't have a complete CMSG header. */
3683			*error = EINVAL;
3684			return (1);
3685		}
3686		if (((int)cmh.cmsg_len + at) > tlen) {
3687			/* We don't have the complete CMSG. */
3688			*error = EINVAL;
3689			return (1);
3690		}
3691		if (cmh.cmsg_level == IPPROTO_SCTP) {
3692			switch (cmh.cmsg_type) {
3693			case SCTP_INIT:
3694				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_initmsg)) {
3695					*error = EINVAL;
3696					return (1);
3697				}
3698				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_initmsg), (caddr_t)&initmsg);
3699				if (initmsg.sinit_max_attempts)
3700					stcb->asoc.max_init_times = initmsg.sinit_max_attempts;
3701				if (initmsg.sinit_num_ostreams)
3702					stcb->asoc.pre_open_streams = initmsg.sinit_num_ostreams;
3703				if (initmsg.sinit_max_instreams)
3704					stcb->asoc.max_inbound_streams = initmsg.sinit_max_instreams;
3705				if (initmsg.sinit_max_init_timeo)
3706					stcb->asoc.initial_init_rto_max = initmsg.sinit_max_init_timeo;
3707				if (stcb->asoc.streamoutcnt < stcb->asoc.pre_open_streams) {
3708					struct sctp_stream_out *tmp_str;
3709					unsigned int i;
3710#if defined(SCTP_DETAILED_STR_STATS)
3711					int j;
3712#endif
3713
3714					/* Default is NOT correct */
3715					SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, default:%d pre_open:%d\n",
3716						stcb->asoc.streamoutcnt, stcb->asoc.pre_open_streams);
3717					SCTP_TCB_UNLOCK(stcb);
3718					SCTP_MALLOC(tmp_str,
3719					            struct sctp_stream_out *,
3720					            (stcb->asoc.pre_open_streams * sizeof(struct sctp_stream_out)),
3721					            SCTP_M_STRMO);
3722					SCTP_TCB_LOCK(stcb);
3723					if (tmp_str != NULL) {
3724						SCTP_FREE(stcb->asoc.strmout, SCTP_M_STRMO);
3725						stcb->asoc.strmout = tmp_str;
3726						stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt = stcb->asoc.pre_open_streams;
3727					} else {
3728						stcb->asoc.pre_open_streams = stcb->asoc.streamoutcnt;
3729					}
3730					for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3731						TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
3732						stcb->asoc.strmout[i].chunks_on_queues = 0;
3733						stcb->asoc.strmout[i].next_sequence_send = 0;
3734#if defined(SCTP_DETAILED_STR_STATS)
3735						for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
3736							stcb->asoc.strmout[i].abandoned_sent[j] = 0;
3737							stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
3738						}
3739#else
3740						stcb->asoc.strmout[i].abandoned_sent[0] = 0;
3741						stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
3742#endif
3743						stcb->asoc.strmout[i].stream_no = i;
3744						stcb->asoc.strmout[i].last_msg_incomplete = 0;
3745						stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], NULL);
3746					}
3747				}
3748				break;
3749#ifdef INET
3750			case SCTP_DSTADDRV4:
3751				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
3752					*error = EINVAL;
3753					return (1);
3754				}
3755				memset(&sin, 0, sizeof(struct sockaddr_in));
3756				sin.sin_family = AF_INET;
3757#ifdef HAVE_SIN_LEN
3758				sin.sin_len = sizeof(struct sockaddr_in);
3759#endif
3760				sin.sin_port = stcb->rport;
3761				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3762				if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3763				    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3764				    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3765					*error = EINVAL;
3766					return (1);
3767				}
3768				if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
3769				                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3770					*error = ENOBUFS;
3771					return (1);
3772				}
3773				break;
3774#endif
3775#ifdef INET6
3776			case SCTP_DSTADDRV6:
3777				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
3778					*error = EINVAL;
3779					return (1);
3780				}
3781				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3782				sin6.sin6_family = AF_INET6;
3783#ifdef HAVE_SIN6_LEN
3784				sin6.sin6_len = sizeof(struct sockaddr_in6);
3785#endif
3786				sin6.sin6_port = stcb->rport;
3787				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3788				if (IN6_IS_ADDR_UNSPECIFIED(&sin6.sin6_addr) ||
3789				    IN6_IS_ADDR_MULTICAST(&sin6.sin6_addr)) {
3790					*error = EINVAL;
3791					return (1);
3792				}
3793#ifdef INET
3794				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3795					in6_sin6_2_sin(&sin, &sin6);
3796					if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3797					    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3798					    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3799						*error = EINVAL;
3800						return (1);
3801					}
3802					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
3803					                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3804						*error = ENOBUFS;
3805						return (1);
3806					}
3807				} else
3808#endif
3809					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin6, NULL,
3810					                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3811						*error = ENOBUFS;
3812						return (1);
3813					}
3814				break;
3815#endif
3816			default:
3817				break;
3818			}
3819		}
3820		at += CMSG_ALIGN(cmh.cmsg_len);
3821	}
3822	return (0);
3823}
3824
3825static struct sctp_tcb *
3826sctp_findassociation_cmsgs(struct sctp_inpcb **inp_p,
3827                           uint16_t port,
3828                           struct mbuf *control,
3829                           struct sctp_nets **net_p,
3830                           int *error)
3831{
3832#if defined(__Userspace_os_Windows)
3833	WSACMSGHDR cmh;
3834#else
3835	struct cmsghdr cmh;
3836#endif
3837	int tlen, at;
3838	struct sctp_tcb *stcb;
3839	struct sockaddr *addr;
3840#ifdef INET
3841	struct sockaddr_in sin;
3842#endif
3843#ifdef INET6
3844	struct sockaddr_in6 sin6;
3845#endif
3846
3847	tlen = SCTP_BUF_LEN(control);
3848	at = 0;
3849	while (at < tlen) {
3850		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3851			/* There is not enough room for one more. */
3852			*error = EINVAL;
3853			return (NULL);
3854		}
3855		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3856		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3857			/* We dont't have a complete CMSG header. */
3858			*error = EINVAL;
3859			return (NULL);
3860		}
3861		if (((int)cmh.cmsg_len + at) > tlen) {
3862			/* We don't have the complete CMSG. */
3863			*error = EINVAL;
3864			return (NULL);
3865		}
3866		if (cmh.cmsg_level == IPPROTO_SCTP) {
3867			switch (cmh.cmsg_type) {
3868#ifdef INET
3869			case SCTP_DSTADDRV4:
3870				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
3871					*error = EINVAL;
3872					return (NULL);
3873				}
3874				memset(&sin, 0, sizeof(struct sockaddr_in));
3875				sin.sin_family = AF_INET;
3876#ifdef HAVE_SIN_LEN
3877				sin.sin_len = sizeof(struct sockaddr_in);
3878#endif
3879				sin.sin_port = port;
3880				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3881				addr = (struct sockaddr *)&sin;
3882				break;
3883#endif
3884#ifdef INET6
3885			case SCTP_DSTADDRV6:
3886				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
3887					*error = EINVAL;
3888					return (NULL);
3889				}
3890				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3891				sin6.sin6_family = AF_INET6;
3892#ifdef HAVE_SIN6_LEN
3893				sin6.sin6_len = sizeof(struct sockaddr_in6);
3894#endif
3895				sin6.sin6_port = port;
3896				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3897#ifdef INET
3898				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3899					in6_sin6_2_sin(&sin, &sin6);
3900					addr = (struct sockaddr *)&sin;
3901				} else
3902#endif
3903					addr = (struct sockaddr *)&sin6;
3904				break;
3905#endif
3906			default:
3907				addr = NULL;
3908				break;
3909			}
3910			if (addr) {
3911				stcb = sctp_findassociation_ep_addr(inp_p, addr, net_p, NULL, NULL);
3912				if (stcb != NULL) {
3913					return (stcb);
3914				}
3915			}
3916		}
3917		at += CMSG_ALIGN(cmh.cmsg_len);
3918	}
3919	return (NULL);
3920}
3921
3922static struct mbuf *
3923sctp_add_cookie(struct mbuf *init, int init_offset,
3924    struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t **signature)
3925{
3926	struct mbuf *copy_init, *copy_initack, *m_at, *sig, *mret;
3927	struct sctp_state_cookie *stc;
3928	struct sctp_paramhdr *ph;
3929	uint8_t *foo;
3930	int sig_offset;
3931	uint16_t cookie_sz;
3932
3933	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
3934				      sizeof(struct sctp_paramhdr)), 0,
3935				     M_NOWAIT, 1, MT_DATA);
3936	if (mret == NULL) {
3937		return (NULL);
3938	}
3939	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_NOWAIT);
3940	if (copy_init == NULL) {
3941		sctp_m_freem(mret);
3942		return (NULL);
3943	}
3944#ifdef SCTP_MBUF_LOGGING
3945	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3946		struct mbuf *mat;
3947
3948		for (mat = copy_init; mat; mat = SCTP_BUF_NEXT(mat)) {
3949			if (SCTP_BUF_IS_EXTENDED(mat)) {
3950				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3951			}
3952		}
3953	}
3954#endif
3955	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
3956	    M_NOWAIT);
3957	if (copy_initack == NULL) {
3958		sctp_m_freem(mret);
3959		sctp_m_freem(copy_init);
3960		return (NULL);
3961	}
3962#ifdef SCTP_MBUF_LOGGING
3963	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3964		struct mbuf *mat;
3965
3966		for (mat = copy_initack; mat; mat = SCTP_BUF_NEXT(mat)) {
3967			if (SCTP_BUF_IS_EXTENDED(mat)) {
3968				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3969			}
3970		}
3971	}
3972#endif
3973	/* easy side we just drop it on the end */
3974	ph = mtod(mret, struct sctp_paramhdr *);
3975	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
3976	    sizeof(struct sctp_paramhdr);
3977	stc = (struct sctp_state_cookie *)((caddr_t)ph +
3978	    sizeof(struct sctp_paramhdr));
3979	ph->param_type = htons(SCTP_STATE_COOKIE);
3980	ph->param_length = 0;	/* fill in at the end */
3981	/* Fill in the stc cookie data */
3982	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));
3983
3984	/* tack the INIT and then the INIT-ACK onto the chain */
3985	cookie_sz = 0;
3986	for (m_at = mret; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3987		cookie_sz += SCTP_BUF_LEN(m_at);
3988		if (SCTP_BUF_NEXT(m_at) == NULL) {
3989			SCTP_BUF_NEXT(m_at) = copy_init;
3990			break;
3991		}
3992	}
3993	for (m_at = copy_init; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3994		cookie_sz += SCTP_BUF_LEN(m_at);
3995		if (SCTP_BUF_NEXT(m_at) == NULL) {
3996			SCTP_BUF_NEXT(m_at) = copy_initack;
3997			break;
3998		}
3999	}
4000	for (m_at = copy_initack; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
4001		cookie_sz += SCTP_BUF_LEN(m_at);
4002		if (SCTP_BUF_NEXT(m_at) == NULL) {
4003			break;
4004		}
4005	}
4006	sig = sctp_get_mbuf_for_msg(SCTP_SECRET_SIZE, 0, M_NOWAIT, 1, MT_DATA);
4007	if (sig == NULL) {
4008		/* no space, so free the entire chain */
4009		sctp_m_freem(mret);
4010		return (NULL);
4011	}
4012	SCTP_BUF_LEN(sig) = 0;
4013	SCTP_BUF_NEXT(m_at) = sig;
4014	sig_offset = 0;
4015	foo = (uint8_t *) (mtod(sig, caddr_t) + sig_offset);
4016	memset(foo, 0, SCTP_SIGNATURE_SIZE);
4017	*signature = foo;
4018	SCTP_BUF_LEN(sig) += SCTP_SIGNATURE_SIZE;
4019	cookie_sz += SCTP_SIGNATURE_SIZE;
4020	ph->param_length = htons(cookie_sz);
4021	return (mret);
4022}
4023
4024
4025static uint8_t
4026sctp_get_ect(struct sctp_tcb *stcb)
4027{
4028	if ((stcb != NULL) && (stcb->asoc.ecn_supported == 1)) {
4029		return (SCTP_ECT0_BIT);
4030	} else {
4031		return (0);
4032	}
4033}
4034
4035#if defined(INET) || defined(INET6)
4036static void
4037sctp_handle_no_route(struct sctp_tcb *stcb,
4038                     struct sctp_nets *net,
4039                     int so_locked)
4040{
4041	SCTPDBG(SCTP_DEBUG_OUTPUT1, "dropped packet - no valid source addr\n");
4042
4043	if (net) {
4044		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination was ");
4045		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1, &net->ro._l_addr.sa);
4046		if (net->dest_state & SCTP_ADDR_CONFIRMED) {
4047			if ((net->dest_state & SCTP_ADDR_REACHABLE) && stcb) {
4048				SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", (void *)net);
4049				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
4050			                        stcb, 0,
4051			                        (void *)net,
4052			                        so_locked);
4053				net->dest_state &= ~SCTP_ADDR_REACHABLE;
4054				net->dest_state &= ~SCTP_ADDR_PF;
4055			}
4056		}
4057		if (stcb) {
4058			if (net == stcb->asoc.primary_destination) {
4059				/* need a new primary */
4060				struct sctp_nets *alt;
4061
4062				alt = sctp_find_alternate_net(stcb, net, 0);
4063				if (alt != net) {
4064					if (stcb->asoc.alternate) {
4065						sctp_free_remote_addr(stcb->asoc.alternate);
4066					}
4067					stcb->asoc.alternate = alt;
4068					atomic_add_int(&stcb->asoc.alternate->ref_count, 1);
4069					if (net->ro._s_addr) {
4070						sctp_free_ifa(net->ro._s_addr);
4071						net->ro._s_addr = NULL;
4072					}
4073					net->src_addr_selected = 0;
4074				}
4075			}
4076		}
4077	}
4078}
4079#endif
4080
4081static int
4082sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
4083    struct sctp_tcb *stcb,	/* may be NULL */
4084    struct sctp_nets *net,
4085    struct sockaddr *to,
4086    struct mbuf *m,
4087    uint32_t auth_offset,
4088    struct sctp_auth_chunk *auth,
4089    uint16_t auth_keyid,
4090    int nofragment_flag,
4091    int ecn_ok,
4092    int out_of_asoc_ok,
4093    uint16_t src_port,
4094    uint16_t dest_port,
4095    uint32_t v_tag,
4096    uint16_t port,
4097    union sctp_sockstore *over_addr,
4098#if defined(__FreeBSD__)
4099    uint8_t use_mflowid, uint32_t mflowid,
4100#endif
4101#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
4102    int so_locked SCTP_UNUSED
4103#else
4104    int so_locked
4105#endif
4106    )
4107/* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
4108{
4109	/**
4110	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet header
4111	 * WITH an SCTPHDR but no IP header, endpoint inp and sa structure:
4112	 * - fill in the HMAC digest of any AUTH chunk in the packet.
4113	 * - calculate and fill in the SCTP checksum.
4114	 * - prepend an IP address header.
4115	 * - if boundall use INADDR_ANY.
4116	 * - if boundspecific do source address selection.
4117	 * - set fragmentation option for ipV4.
4118	 * - On return from IP output, check/adjust mtu size of output
4119	 *   interface and smallest_mtu size as well.
4120	 */
4121	/* Will need ifdefs around this */
4122#ifdef __Panda__
4123	pakhandle_type o_pak;
4124#endif
4125	struct mbuf *newm;
4126	struct sctphdr *sctphdr;
4127	int packet_length;
4128	int ret;
4129#if defined(INET) || defined(INET6)
4130	uint32_t vrf_id;
4131#endif
4132#if defined(INET) || defined(INET6)
4133#if !defined(__Panda__)
4134	struct mbuf *o_pak;
4135#endif
4136	sctp_route_t *ro = NULL;
4137	struct udphdr *udp = NULL;
4138#endif
4139	uint8_t tos_value;
4140#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4141	struct socket *so = NULL;
4142#endif
4143
4144#if defined(__APPLE__)
4145	if (so_locked) {
4146		sctp_lock_assert(SCTP_INP_SO(inp));
4147		SCTP_TCB_LOCK_ASSERT(stcb);
4148	} else {
4149		sctp_unlock_assert(SCTP_INP_SO(inp));
4150	}
4151#endif
4152	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
4153		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4154		sctp_m_freem(m);
4155		return (EFAULT);
4156	}
4157#if defined(INET) || defined(INET6)
4158	if (stcb) {
4159		vrf_id = stcb->asoc.vrf_id;
4160	} else {
4161		vrf_id = inp->def_vrf_id;
4162	}
4163#endif
4164	/* fill in the HMAC digest for any AUTH chunk in the packet */
4165	if ((auth != NULL) && (stcb != NULL)) {
4166		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
4167	}
4168
4169	if (net) {
4170		tos_value = net->dscp;
4171	} else if (stcb) {
4172		tos_value = stcb->asoc.default_dscp;
4173	} else {
4174		tos_value = inp->sctp_ep.default_dscp;
4175	}
4176
4177	switch (to->sa_family) {
4178#ifdef INET
4179	case AF_INET:
4180	{
4181		struct ip *ip = NULL;
4182		sctp_route_t iproute;
4183		int len;
4184
4185		len = sizeof(struct ip) + sizeof(struct sctphdr);
4186		if (port) {
4187			len += sizeof(struct udphdr);
4188		}
4189		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4190		if (newm == NULL) {
4191			sctp_m_freem(m);
4192			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4193			return (ENOMEM);
4194		}
4195		SCTP_ALIGN_TO_END(newm, len);
4196		SCTP_BUF_LEN(newm) = len;
4197		SCTP_BUF_NEXT(newm) = m;
4198		m = newm;
4199#if defined(__FreeBSD__)
4200		if (net != NULL) {
4201#ifdef INVARIANTS
4202			if (net->flowidset == 0) {
4203				panic("Flow ID not set");
4204			}
4205#endif
4206			m->m_pkthdr.flowid = net->flowid;
4207			m->m_flags |= M_FLOWID;
4208		} else {
4209			if (use_mflowid != 0) {
4210				m->m_pkthdr.flowid = mflowid;
4211				m->m_flags |= M_FLOWID;
4212			}
4213		}
4214#endif
4215		packet_length = sctp_calculate_len(m);
4216		ip = mtod(m, struct ip *);
4217		ip->ip_v = IPVERSION;
4218		ip->ip_hl = (sizeof(struct ip) >> 2);
4219		if (tos_value == 0) {
4220			/*
4221			 * This means especially, that it is not set at the
4222			 * SCTP layer. So use the value from the IP layer.
4223			 */
4224#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4225			tos_value = inp->ip_inp.inp.inp_ip_tos;
4226#else
4227			tos_value = inp->inp_ip_tos;
4228#endif
4229		}
4230		tos_value &= 0xfc;
4231		if (ecn_ok) {
4232			tos_value |= sctp_get_ect(stcb);
4233		}
4234                if ((nofragment_flag) && (port == 0)) {
4235#if defined(__FreeBSD__)
4236#if __FreeBSD_version >= 1000000
4237			ip->ip_off = htons(IP_DF);
4238#else
4239			ip->ip_off = IP_DF;
4240#endif
4241#elif defined(WITH_CONVERT_IP_OFF) || defined(__APPLE__) || defined(__Userspace__)
4242			ip->ip_off = IP_DF;
4243#else
4244			ip->ip_off = htons(IP_DF);
4245#endif
4246		} else {
4247#if defined(__FreeBSD__) && __FreeBSD_version >= 1000000
4248			ip->ip_off = htons(0);
4249#else
4250			ip->ip_off = 0;
4251#endif
4252		}
4253#if defined(__FreeBSD__)
4254		/* FreeBSD has a function for ip_id's */
4255		ip->ip_id = ip_newid();
4256#elif defined(RANDOM_IP_ID)
4257		/* Apple has RANDOM_IP_ID switch */
4258		ip->ip_id = htons(ip_randomid());
4259#elif defined(__Userspace__)
4260                ip->ip_id = htons(SCTP_IP_ID(inp)++);
4261#else
4262		ip->ip_id = SCTP_IP_ID(inp)++;
4263#endif
4264
4265#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4266		ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
4267#else
4268		ip->ip_ttl = inp->inp_ip_ttl;
4269#endif
4270#if defined(__FreeBSD__) && __FreeBSD_version >= 1000000
4271		ip->ip_len = htons(packet_length);
4272#else
4273		ip->ip_len = packet_length;
4274#endif
4275		ip->ip_tos = tos_value;
4276		if (port) {
4277			ip->ip_p = IPPROTO_UDP;
4278		} else {
4279			ip->ip_p = IPPROTO_SCTP;
4280		}
4281		ip->ip_sum = 0;
4282		if (net == NULL) {
4283			ro = &iproute;
4284			memset(&iproute, 0, sizeof(iproute));
4285#ifdef HAVE_SA_LEN
4286			memcpy(&ro->ro_dst, to, to->sa_len);
4287#else
4288			memcpy(&ro->ro_dst, to, sizeof(struct sockaddr_in));
4289#endif
4290		} else {
4291			ro = (sctp_route_t *)&net->ro;
4292		}
4293		/* Now the address selection part */
4294		ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
4295
4296		/* call the routine to select the src address */
4297		if (net && out_of_asoc_ok == 0) {
4298			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED|SCTP_ADDR_IFA_UNUSEABLE))) {
4299				sctp_free_ifa(net->ro._s_addr);
4300				net->ro._s_addr = NULL;
4301				net->src_addr_selected = 0;
4302				if (ro->ro_rt) {
4303					RTFREE(ro->ro_rt);
4304					ro->ro_rt = NULL;
4305				}
4306			}
4307			if (net->src_addr_selected == 0) {
4308				/* Cache the source address */
4309				net->ro._s_addr = sctp_source_address_selection(inp,stcb,
4310										ro, net, 0,
4311										vrf_id);
4312				net->src_addr_selected = 1;
4313			}
4314			if (net->ro._s_addr == NULL) {
4315				/* No route to host */
4316				net->src_addr_selected = 0;
4317				sctp_handle_no_route(stcb, net, so_locked);
4318				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4319				sctp_m_freem(m);
4320				return (EHOSTUNREACH);
4321			}
4322			ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
4323		} else {
4324			if (over_addr == NULL) {
4325				struct sctp_ifa *_lsrc;
4326
4327				_lsrc = sctp_source_address_selection(inp, stcb, ro,
4328				                                      net,
4329				                                      out_of_asoc_ok,
4330				                                      vrf_id);
4331				if (_lsrc == NULL) {
4332					sctp_handle_no_route(stcb, net, so_locked);
4333					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4334					sctp_m_freem(m);
4335					return (EHOSTUNREACH);
4336				}
4337				ip->ip_src = _lsrc->address.sin.sin_addr;
4338				sctp_free_ifa(_lsrc);
4339			} else {
4340				ip->ip_src = over_addr->sin.sin_addr;
4341				SCTP_RTALLOC(ro, vrf_id);
4342			}
4343		}
4344		if (port) {
4345			if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4346				sctp_handle_no_route(stcb, net, so_locked);
4347				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4348				sctp_m_freem(m);
4349				return (EHOSTUNREACH);
4350			}
4351			udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
4352			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4353			udp->uh_dport = port;
4354			udp->uh_ulen = htons(packet_length - sizeof(struct ip));
4355#if !defined(__Windows__) && !defined(__Userspace__)
4356#if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
4357			if (V_udp_cksum) {
4358				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4359			} else {
4360				udp->uh_sum = 0;
4361			}
4362#else
4363			udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4364#endif
4365#else
4366			udp->uh_sum = 0;
4367#endif
4368			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4369		} else {
4370			sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
4371		}
4372
4373		sctphdr->src_port = src_port;
4374		sctphdr->dest_port = dest_port;
4375		sctphdr->v_tag = v_tag;
4376		sctphdr->checksum = 0;
4377
4378		/*
4379		 * If source address selection fails and we find no route
4380		 * then the ip_output should fail as well with a
4381		 * NO_ROUTE_TO_HOST type error. We probably should catch
4382		 * that somewhere and abort the association right away
4383		 * (assuming this is an INIT being sent).
4384		 */
4385		if (ro->ro_rt == NULL) {
4386			/*
4387			 * src addr selection failed to find a route (or
4388			 * valid source addr), so we can't get there from
4389			 * here (yet)!
4390			 */
4391			sctp_handle_no_route(stcb, net, so_locked);
4392			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4393			sctp_m_freem(m);
4394			return (EHOSTUNREACH);
4395		}
4396		if (ro != &iproute) {
4397			memcpy(&iproute, ro, sizeof(*ro));
4398		}
4399		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
4400			(uint32_t) (ntohl(ip->ip_src.s_addr)));
4401		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
4402			(uint32_t)(ntohl(ip->ip_dst.s_addr)));
4403		SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
4404			(void *)ro->ro_rt);
4405
4406		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4407			/* failed to prepend data, give up */
4408			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4409			sctp_m_freem(m);
4410			return (ENOMEM);
4411		}
4412		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4413		if (port) {
4414#if defined(SCTP_WITH_NO_CSUM)
4415			SCTP_STAT_INCR(sctps_sendnocrc);
4416#else
4417			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
4418			SCTP_STAT_INCR(sctps_sendswcrc);
4419#endif
4420#if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
4421			if (V_udp_cksum) {
4422				SCTP_ENABLE_UDP_CSUM(o_pak);
4423			}
4424#else
4425			SCTP_ENABLE_UDP_CSUM(o_pak);
4426#endif
4427		} else {
4428#if defined(SCTP_WITH_NO_CSUM)
4429			SCTP_STAT_INCR(sctps_sendnocrc);
4430#else
4431#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
4432			m->m_pkthdr.csum_flags = CSUM_SCTP;
4433			m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4434			SCTP_STAT_INCR(sctps_sendhwcrc);
4435#else
4436			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4437			      (stcb) && (stcb->asoc.scope.loopback_scope))) {
4438				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip));
4439				SCTP_STAT_INCR(sctps_sendswcrc);
4440			} else {
4441				SCTP_STAT_INCR(sctps_sendnocrc);
4442			}
4443#endif
4444#endif
4445		}
4446#ifdef SCTP_PACKET_LOGGING
4447		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4448			sctp_packet_log(o_pak);
4449#endif
4450		/* send it out.  table id is taken from stcb */
4451#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4452		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4453			so = SCTP_INP_SO(inp);
4454			SCTP_SOCKET_UNLOCK(so, 0);
4455		}
4456#endif
4457		SCTP_IP_OUTPUT(ret, o_pak, ro, stcb, vrf_id);
4458#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4459		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4460			atomic_add_int(&stcb->asoc.refcnt, 1);
4461			SCTP_TCB_UNLOCK(stcb);
4462			SCTP_SOCKET_LOCK(so, 0);
4463			SCTP_TCB_LOCK(stcb);
4464			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4465		}
4466#endif
4467		SCTP_STAT_INCR(sctps_sendpackets);
4468		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4469		if (ret)
4470			SCTP_STAT_INCR(sctps_senderrors);
4471
4472		SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
4473		if (net == NULL) {
4474			/* free tempy routes */
4475#if defined(__FreeBSD__) && __FreeBSD_version > 901000
4476			RO_RTFREE(ro);
4477#else
4478			if (ro->ro_rt) {
4479				RTFREE(ro->ro_rt);
4480				ro->ro_rt = NULL;
4481			}
4482#endif
4483		} else {
4484			/* PMTU check versus smallest asoc MTU goes here */
4485			if ((ro->ro_rt != NULL) &&
4486			    (net->ro._s_addr)) {
4487				uint32_t mtu;
4488				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4489				if (net->port) {
4490					mtu -= sizeof(struct udphdr);
4491				}
4492				if (mtu && (stcb->asoc.smallest_mtu > mtu)) {
4493					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4494					net->mtu = mtu;
4495				}
4496			} else if (ro->ro_rt == NULL) {
4497				/* route was freed */
4498				if (net->ro._s_addr &&
4499				    net->src_addr_selected) {
4500					sctp_free_ifa(net->ro._s_addr);
4501					net->ro._s_addr = NULL;
4502				}
4503				net->src_addr_selected = 0;
4504			}
4505		}
4506		return (ret);
4507	}
4508#endif
4509#ifdef INET6
4510	case AF_INET6:
4511	{
4512		uint32_t flowlabel, flowinfo;
4513		struct ip6_hdr *ip6h;
4514		struct route_in6 ip6route;
4515#if !(defined(__Panda__) || defined(__Userspace__))
4516		struct ifnet *ifp;
4517#endif
4518		struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
4519		int prev_scope = 0;
4520#ifdef SCTP_EMBEDDED_V6_SCOPE
4521		struct sockaddr_in6 lsa6_storage;
4522		int error;
4523#endif
4524		u_short prev_port = 0;
4525		int len;
4526
4527		if (net) {
4528			flowlabel = net->flowlabel;
4529		} else if (stcb) {
4530			flowlabel = stcb->asoc.default_flowlabel;
4531		} else {
4532			flowlabel = inp->sctp_ep.default_flowlabel;
4533		}
4534		if (flowlabel == 0) {
4535			/*
4536			 * This means especially, that it is not set at the
4537			 * SCTP layer. So use the value from the IP layer.
4538			 */
4539#if defined(__APPLE__) && (!defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION))
4540			flowlabel = ntohl(inp->ip_inp.inp.inp_flow);
4541#else
4542			flowlabel = ntohl(((struct in6pcb *)inp)->in6p_flowinfo);
4543#endif
4544		}
4545		flowlabel &= 0x000fffff;
4546		len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr);
4547		if (port) {
4548			len += sizeof(struct udphdr);
4549		}
4550		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4551		if (newm == NULL) {
4552			sctp_m_freem(m);
4553			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4554			return (ENOMEM);
4555		}
4556		SCTP_ALIGN_TO_END(newm, len);
4557		SCTP_BUF_LEN(newm) = len;
4558		SCTP_BUF_NEXT(newm) = m;
4559		m = newm;
4560#if defined(__FreeBSD__)
4561		if (net != NULL) {
4562#ifdef INVARIANTS
4563			if (net->flowidset == 0) {
4564				panic("Flow ID not set");
4565			}
4566#endif
4567			m->m_pkthdr.flowid = net->flowid;
4568			m->m_flags |= M_FLOWID;
4569		} else {
4570			if (use_mflowid != 0) {
4571				m->m_pkthdr.flowid = mflowid;
4572				m->m_flags |= M_FLOWID;
4573			}
4574		}
4575#endif
4576		packet_length = sctp_calculate_len(m);
4577
4578		ip6h = mtod(m, struct ip6_hdr *);
4579		/* protect *sin6 from overwrite */
4580		sin6 = (struct sockaddr_in6 *)to;
4581		tmp = *sin6;
4582		sin6 = &tmp;
4583
4584#ifdef SCTP_EMBEDDED_V6_SCOPE
4585		/* KAME hack: embed scopeid */
4586#if defined(__APPLE__)
4587#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4588		if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4589#else
4590		if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4591#endif
4592#elif defined(SCTP_KAME)
4593		if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4594#else
4595		if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4596#endif
4597		{
4598			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4599			return (EINVAL);
4600		}
4601#endif /* SCTP_EMBEDDED_V6_SCOPE */
4602		if (net == NULL) {
4603			memset(&ip6route, 0, sizeof(ip6route));
4604			ro = (sctp_route_t *)&ip6route;
4605#ifdef HAVE_SIN6_LEN
4606			memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
4607#else
4608			memcpy(&ro->ro_dst, sin6, sizeof(struct sockaddr_in6));
4609#endif
4610		} else {
4611			ro = (sctp_route_t *)&net->ro;
4612		}
4613		/*
4614		 * We assume here that inp_flow is in host byte order within
4615		 * the TCB!
4616		 */
4617		if (tos_value == 0) {
4618			/*
4619			 * This means especially, that it is not set at the
4620			 * SCTP layer. So use the value from the IP layer.
4621			 */
4622#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4623#if defined(__APPLE__) && (!defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION))
4624			tos_value = (ntohl(inp->ip_inp.inp.inp_flow) >> 20) & 0xff;
4625#else
4626			tos_value = (ntohl(((struct in6pcb *)inp)->in6p_flowinfo) >> 20) & 0xff;
4627#endif
4628#endif
4629		}
4630		tos_value &= 0xfc;
4631		if (ecn_ok) {
4632			tos_value |= sctp_get_ect(stcb);
4633		}
4634		flowinfo = 0x06;
4635		flowinfo <<= 8;
4636		flowinfo |= tos_value;
4637		flowinfo <<= 20;
4638		flowinfo |= flowlabel;
4639		ip6h->ip6_flow = htonl(flowinfo);
4640		if (port) {
4641			ip6h->ip6_nxt = IPPROTO_UDP;
4642		} else {
4643			ip6h->ip6_nxt = IPPROTO_SCTP;
4644		}
4645		ip6h->ip6_plen = (packet_length - sizeof(struct ip6_hdr));
4646		ip6h->ip6_dst = sin6->sin6_addr;
4647
4648		/*
4649		 * Add SRC address selection here: we can only reuse to a
4650		 * limited degree the kame src-addr-sel, since we can try
4651		 * their selection but it may not be bound.
4652		 */
4653		bzero(&lsa6_tmp, sizeof(lsa6_tmp));
4654		lsa6_tmp.sin6_family = AF_INET6;
4655#ifdef HAVE_SIN6_LEN
4656		lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
4657#endif
4658		lsa6 = &lsa6_tmp;
4659		if (net && out_of_asoc_ok == 0) {
4660			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED|SCTP_ADDR_IFA_UNUSEABLE))) {
4661				sctp_free_ifa(net->ro._s_addr);
4662				net->ro._s_addr = NULL;
4663				net->src_addr_selected = 0;
4664				if (ro->ro_rt) {
4665					RTFREE(ro->ro_rt);
4666					ro->ro_rt = NULL;
4667				}
4668			}
4669			if (net->src_addr_selected == 0) {
4670#ifdef SCTP_EMBEDDED_V6_SCOPE
4671				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4672				/* KAME hack: embed scopeid */
4673#if defined(__APPLE__)
4674#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4675				if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4676#else
4677				if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4678#endif
4679#elif defined(SCTP_KAME)
4680				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4681#else
4682				if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4683#endif
4684				{
4685					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4686					return (EINVAL);
4687				}
4688#endif /* SCTP_EMBEDDED_V6_SCOPE */
4689				/* Cache the source address */
4690				net->ro._s_addr = sctp_source_address_selection(inp,
4691										stcb,
4692										ro,
4693										net,
4694										0,
4695										vrf_id);
4696#ifdef SCTP_EMBEDDED_V6_SCOPE
4697#ifdef SCTP_KAME
4698				(void)sa6_recoverscope(sin6);
4699#else
4700				(void)in6_recoverscope(sin6, &sin6->sin6_addr, NULL);
4701#endif	/* SCTP_KAME */
4702#endif	/* SCTP_EMBEDDED_V6_SCOPE */
4703				net->src_addr_selected = 1;
4704			}
4705			if (net->ro._s_addr == NULL) {
4706				SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
4707				net->src_addr_selected = 0;
4708				sctp_handle_no_route(stcb, net, so_locked);
4709				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4710				sctp_m_freem(m);
4711				return (EHOSTUNREACH);
4712			}
4713			lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
4714		} else {
4715#ifdef SCTP_EMBEDDED_V6_SCOPE
4716			sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
4717			/* KAME hack: embed scopeid */
4718#if defined(__APPLE__)
4719#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4720			if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4721#else
4722			if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4723#endif
4724#elif defined(SCTP_KAME)
4725			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4726#else
4727			if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4728#endif
4729			  {
4730				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4731				return (EINVAL);
4732			  }
4733#endif /* SCTP_EMBEDDED_V6_SCOPE */
4734			if (over_addr == NULL) {
4735				struct sctp_ifa *_lsrc;
4736
4737				_lsrc = sctp_source_address_selection(inp, stcb, ro,
4738				                                      net,
4739				                                      out_of_asoc_ok,
4740				                                      vrf_id);
4741				if (_lsrc == NULL) {
4742					sctp_handle_no_route(stcb, net, so_locked);
4743					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4744					sctp_m_freem(m);
4745					return (EHOSTUNREACH);
4746				}
4747				lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
4748				sctp_free_ifa(_lsrc);
4749			} else {
4750				lsa6->sin6_addr = over_addr->sin6.sin6_addr;
4751				SCTP_RTALLOC(ro, vrf_id);
4752			}
4753#ifdef SCTP_EMBEDDED_V6_SCOPE
4754#ifdef SCTP_KAME
4755			(void)sa6_recoverscope(sin6);
4756#else
4757			(void)in6_recoverscope(sin6, &sin6->sin6_addr, NULL);
4758#endif	/* SCTP_KAME */
4759#endif	/* SCTP_EMBEDDED_V6_SCOPE */
4760		}
4761		lsa6->sin6_port = inp->sctp_lport;
4762
4763		if (ro->ro_rt == NULL) {
4764			/*
4765			 * src addr selection failed to find a route (or
4766			 * valid source addr), so we can't get there from
4767			 * here!
4768			 */
4769			sctp_handle_no_route(stcb, net, so_locked);
4770			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4771			sctp_m_freem(m);
4772			return (EHOSTUNREACH);
4773		}
4774#ifndef SCOPEDROUTING
4775#ifdef SCTP_EMBEDDED_V6_SCOPE
4776		/*
4777		 * XXX: sa6 may not have a valid sin6_scope_id in the
4778		 * non-SCOPEDROUTING case.
4779		 */
4780		bzero(&lsa6_storage, sizeof(lsa6_storage));
4781		lsa6_storage.sin6_family = AF_INET6;
4782#ifdef HAVE_SIN6_LEN
4783		lsa6_storage.sin6_len = sizeof(lsa6_storage);
4784#endif
4785#ifdef SCTP_KAME
4786		lsa6_storage.sin6_addr = lsa6->sin6_addr;
4787		if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
4788#else
4789		if ((error = in6_recoverscope(&lsa6_storage, &lsa6->sin6_addr,
4790		    NULL)) != 0) {
4791#endif				/* SCTP_KAME */
4792			SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
4793			sctp_m_freem(m);
4794			return (error);
4795		}
4796		/* XXX */
4797		lsa6_storage.sin6_addr = lsa6->sin6_addr;
4798		lsa6_storage.sin6_port = inp->sctp_lport;
4799		lsa6 = &lsa6_storage;
4800#endif /* SCTP_EMBEDDED_V6_SCOPE */
4801#endif /* SCOPEDROUTING */
4802		ip6h->ip6_src = lsa6->sin6_addr;
4803
4804		if (port) {
4805			if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4806				sctp_handle_no_route(stcb, net, so_locked);
4807				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4808				sctp_m_freem(m);
4809				return (EHOSTUNREACH);
4810			}
4811			udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4812			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4813			udp->uh_dport = port;
4814			udp->uh_ulen = htons(packet_length - sizeof(struct ip6_hdr));
4815			udp->uh_sum = 0;
4816			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4817		} else {
4818			sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4819		}
4820
4821		sctphdr->src_port = src_port;
4822		sctphdr->dest_port = dest_port;
4823		sctphdr->v_tag = v_tag;
4824		sctphdr->checksum = 0;
4825
4826		/*
4827		 * We set the hop limit now since there is a good chance
4828		 * that our ro pointer is now filled
4829		 */
4830		ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
4831#if !(defined(__Panda__) || defined(__Userspace__))
4832		ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
4833#endif
4834
4835#ifdef SCTP_DEBUG
4836		/* Copy to be sure something bad is not happening */
4837		sin6->sin6_addr = ip6h->ip6_dst;
4838		lsa6->sin6_addr = ip6h->ip6_src;
4839#endif
4840
4841		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4842		SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4843		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4844		SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4845		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4846		if (net) {
4847			sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4848			/* preserve the port and scope for link local send */
4849			prev_scope = sin6->sin6_scope_id;
4850			prev_port = sin6->sin6_port;
4851		}
4852
4853		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4854			/* failed to prepend data, give up */
4855			sctp_m_freem(m);
4856			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4857			return (ENOMEM);
4858		}
4859		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4860		if (port) {
4861#if defined(SCTP_WITH_NO_CSUM)
4862			SCTP_STAT_INCR(sctps_sendnocrc);
4863#else
4864			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4865			SCTP_STAT_INCR(sctps_sendswcrc);
4866#endif
4867#if defined(__Windows__)
4868			udp->uh_sum = 0;
4869#elif !defined(__Userspace__)
4870			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4871				udp->uh_sum = 0xffff;
4872			}
4873#endif
4874		} else {
4875#if defined(SCTP_WITH_NO_CSUM)
4876			SCTP_STAT_INCR(sctps_sendnocrc);
4877#else
4878#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
4879#if __FreeBSD_version < 900000
4880			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr));
4881			SCTP_STAT_INCR(sctps_sendswcrc);
4882#else
4883#if __FreeBSD_version > 901000
4884			m->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
4885#else
4886			m->m_pkthdr.csum_flags = CSUM_SCTP;
4887#endif
4888			m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4889			SCTP_STAT_INCR(sctps_sendhwcrc);
4890#endif
4891#else
4892			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4893			      (stcb) && (stcb->asoc.scope.loopback_scope))) {
4894				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr));
4895				SCTP_STAT_INCR(sctps_sendswcrc);
4896			} else {
4897				SCTP_STAT_INCR(sctps_sendnocrc);
4898			}
4899#endif
4900#endif
4901		}
4902		/* send it out. table id is taken from stcb */
4903#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4904		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4905			so = SCTP_INP_SO(inp);
4906			SCTP_SOCKET_UNLOCK(so, 0);
4907		}
4908#endif
4909#ifdef SCTP_PACKET_LOGGING
4910		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4911			sctp_packet_log(o_pak);
4912#endif
4913#if !(defined(__Panda__) || defined(__Userspace__))
4914		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, stcb, vrf_id);
4915#else
4916		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, NULL, stcb, vrf_id);
4917#endif
4918#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4919		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4920			atomic_add_int(&stcb->asoc.refcnt, 1);
4921			SCTP_TCB_UNLOCK(stcb);
4922			SCTP_SOCKET_LOCK(so, 0);
4923			SCTP_TCB_LOCK(stcb);
4924			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4925		}
4926#endif
4927		if (net) {
4928			/* for link local this must be done */
4929			sin6->sin6_scope_id = prev_scope;
4930			sin6->sin6_port = prev_port;
4931		}
4932		SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4933		SCTP_STAT_INCR(sctps_sendpackets);
4934		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4935		if (ret) {
4936			SCTP_STAT_INCR(sctps_senderrors);
4937		}
4938		if (net == NULL) {
4939			/* Now if we had a temp route free it */
4940#if defined(__FreeBSD__) && __FreeBSD_version > 901000
4941			RO_RTFREE(ro);
4942#else
4943			if (ro->ro_rt) {
4944				RTFREE(ro->ro_rt);
4945				ro->ro_rt = NULL;
4946			}
4947#endif
4948		} else {
4949			/* PMTU check versus smallest asoc MTU goes here */
4950			if (ro->ro_rt == NULL) {
4951				/* Route was freed */
4952				if (net->ro._s_addr &&
4953				    net->src_addr_selected) {
4954					sctp_free_ifa(net->ro._s_addr);
4955					net->ro._s_addr = NULL;
4956				}
4957				net->src_addr_selected = 0;
4958			}
4959			if ((ro->ro_rt != NULL) &&
4960			    (net->ro._s_addr)) {
4961				uint32_t mtu;
4962				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4963				if (mtu &&
4964				    (stcb->asoc.smallest_mtu > mtu)) {
4965					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4966					net->mtu = mtu;
4967					if (net->port) {
4968						net->mtu -= sizeof(struct udphdr);
4969					}
4970				}
4971			}
4972#if !defined(__Panda__) && !defined(__Userspace__)
4973			else if (ifp) {
4974#if defined(__Windows__)
4975#define ND_IFINFO(ifp)	(ifp)
4976#define linkmtu		if_mtu
4977#endif
4978				if (ND_IFINFO(ifp)->linkmtu &&
4979				    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4980					sctp_mtu_size_reset(inp,
4981					    &stcb->asoc,
4982					    ND_IFINFO(ifp)->linkmtu);
4983				}
4984			}
4985#endif
4986		}
4987		return (ret);
4988	}
4989#endif
4990#if defined(__Userspace__)
4991	case AF_CONN:
4992	{
4993		char *buffer;
4994		struct sockaddr_conn *sconn;
4995		int len;
4996
4997		sconn = (struct sockaddr_conn *)to;
4998		len = sizeof(struct sctphdr);
4999		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
5000		if (newm == NULL) {
5001			sctp_m_freem(m);
5002			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
5003			return (ENOMEM);
5004		}
5005		SCTP_ALIGN_TO_END(newm, len);
5006		SCTP_BUF_LEN(newm) = len;
5007		SCTP_BUF_NEXT(newm) = m;
5008		m = newm;
5009		packet_length = sctp_calculate_len(m);
5010		sctphdr = mtod(m, struct sctphdr *);
5011		sctphdr->src_port = src_port;
5012		sctphdr->dest_port = dest_port;
5013		sctphdr->v_tag = v_tag;
5014		sctphdr->checksum = 0;
5015#if defined(SCTP_WITH_NO_CSUM)
5016		SCTP_STAT_INCR(sctps_sendnocrc);
5017#else
5018		sctphdr->checksum = sctp_calculate_cksum(m, 0);
5019		SCTP_STAT_INCR(sctps_sendswcrc);
5020#endif
5021		if (tos_value == 0) {
5022			tos_value = inp->ip_inp.inp.inp_ip_tos;
5023		}
5024		tos_value &= 0xfc;
5025		if (ecn_ok) {
5026			tos_value |= sctp_get_ect(stcb);
5027		}
5028		/* Don't alloc/free for each packet */
5029		if ((buffer = malloc(packet_length)) != NULL) {
5030			m_copydata(m, 0, packet_length, buffer);
5031			ret = SCTP_BASE_VAR(conn_output)(sconn->sconn_addr, buffer, packet_length, tos_value, nofragment_flag);
5032			free(buffer);
5033		} else {
5034			ret = ENOMEM;
5035		}
5036		sctp_m_freem(m);
5037		return (ret);
5038	}
5039#endif
5040	default:
5041		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
5042		        ((struct sockaddr *)to)->sa_family);
5043		sctp_m_freem(m);
5044		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
5045		return (EFAULT);
5046	}
5047}
5048
5049
5050void
5051sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked
5052#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
5053    SCTP_UNUSED
5054#endif
5055    )
5056{
5057	struct mbuf *m, *m_last;
5058	struct sctp_nets *net;
5059	struct sctp_init_chunk *init;
5060	struct sctp_supported_addr_param *sup_addr;
5061	struct sctp_adaptation_layer_indication *ali;
5062	struct sctp_supported_chunk_types_param *pr_supported;
5063	struct sctp_paramhdr *ph;
5064	int cnt_inits_to = 0;
5065	int ret;
5066	uint16_t num_ext, chunk_len, padding_len, parameter_len;
5067
5068#if defined(__APPLE__)
5069	if (so_locked) {
5070		sctp_lock_assert(SCTP_INP_SO(inp));
5071	} else {
5072		sctp_unlock_assert(SCTP_INP_SO(inp));
5073	}
5074#endif
5075	/* INIT's always go to the primary (and usually ONLY address) */
5076	net = stcb->asoc.primary_destination;
5077	if (net == NULL) {
5078		net = TAILQ_FIRST(&stcb->asoc.nets);
5079		if (net == NULL) {
5080			/* TSNH */
5081			return;
5082		}
5083		/* we confirm any address we send an INIT to */
5084		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
5085		(void)sctp_set_primary_addr(stcb, NULL, net);
5086	} else {
5087		/* we confirm any address we send an INIT to */
5088		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
5089	}
5090	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
5091#ifdef INET6
5092	if (net->ro._l_addr.sa.sa_family == AF_INET6) {
5093		/*
5094		 * special hook, if we are sending to link local it will not
5095		 * show up in our private address count.
5096		 */
5097		if (IN6_IS_ADDR_LINKLOCAL(&net->ro._l_addr.sin6.sin6_addr))
5098			cnt_inits_to = 1;
5099	}
5100#endif
5101	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5102		/* This case should not happen */
5103		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
5104		return;
5105	}
5106	/* start the INIT timer */
5107	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
5108
5109	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_NOWAIT, 1, MT_DATA);
5110	if (m == NULL) {
5111		/* No memory, INIT timer will re-attempt. */
5112		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
5113		return;
5114	}
5115	chunk_len = (uint16_t)sizeof(struct sctp_init_chunk);
5116	padding_len = 0;
5117	/* Now lets put the chunk header in place */
5118	init = mtod(m, struct sctp_init_chunk *);
5119	/* now the chunk header */
5120	init->ch.chunk_type = SCTP_INITIATION;
5121	init->ch.chunk_flags = 0;
5122	/* fill in later from mbuf we build */
5123	init->ch.chunk_length = 0;
5124	/* place in my tag */
5125	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
5126	/* set up some of the credits. */
5127	init->init.a_rwnd = htonl(max(inp->sctp_socket?SCTP_SB_LIMIT_RCV(inp->sctp_socket):0,
5128	                              SCTP_MINIMAL_RWND));
5129	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
5130	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
5131	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);
5132
5133	/* Adaptation layer indication parameter */
5134	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
5135		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
5136		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t) + chunk_len);
5137		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
5138		ali->ph.param_length = htons(parameter_len);
5139		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
5140		chunk_len += parameter_len;
5141	}
5142
5143	/* ECN parameter */
5144	if (stcb->asoc.ecn_supported == 1) {
5145		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5146		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
5147		ph->param_type = htons(SCTP_ECN_CAPABLE);
5148		ph->param_length = htons(parameter_len);
5149		chunk_len += parameter_len;
5150	}
5151
5152	/* PR-SCTP supported parameter */
5153	if (stcb->asoc.prsctp_supported == 1) {
5154		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5155		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
5156		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
5157		ph->param_length = htons(parameter_len);
5158		chunk_len += parameter_len;
5159	}
5160
5161	/* Add NAT friendly parameter. */
5162	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
5163		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5164		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
5165		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
5166		ph->param_length = htons(parameter_len);
5167		chunk_len += parameter_len;
5168	}
5169
5170	/* And now tell the peer which extensions we support */
5171	num_ext = 0;
5172	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t) + chunk_len);
5173	if (stcb->asoc.prsctp_supported == 1) {
5174		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
5175	}
5176	if (stcb->asoc.auth_supported == 1) {
5177		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
5178	}
5179	if (stcb->asoc.asconf_supported == 1) {
5180		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
5181		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
5182	}
5183	if (stcb->asoc.reconfig_supported == 1) {
5184		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
5185	}
5186	if (stcb->asoc.nrsack_supported == 1) {
5187		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
5188	}
5189	if (stcb->asoc.pktdrop_supported == 1) {
5190		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
5191	}
5192	if (num_ext > 0) {
5193		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
5194		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
5195		pr_supported->ph.param_length = htons(parameter_len);
5196		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5197		chunk_len += parameter_len;
5198	}
5199	/* add authentication parameters */
5200	if (stcb->asoc.auth_supported) {
5201		/* attach RANDOM parameter, if available */
5202		if (stcb->asoc.authinfo.random != NULL) {
5203			struct sctp_auth_random *randp;
5204
5205			if (padding_len > 0) {
5206				memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5207				chunk_len += padding_len;
5208				padding_len = 0;
5209			}
5210			randp = (struct sctp_auth_random *)(mtod(m, caddr_t) + chunk_len);
5211			parameter_len = (uint16_t)sizeof(struct sctp_auth_random) + stcb->asoc.authinfo.random_len;
5212			/* random key already contains the header */
5213			memcpy(randp, stcb->asoc.authinfo.random->key, parameter_len);
5214			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5215			chunk_len += parameter_len;
5216		}
5217		/* add HMAC_ALGO parameter */
5218		if (stcb->asoc.local_hmacs != NULL) {
5219			struct sctp_auth_hmac_algo *hmacs;
5220
5221			if (padding_len > 0) {
5222				memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5223				chunk_len += padding_len;
5224				padding_len = 0;
5225			}
5226			hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t) + chunk_len);
5227			parameter_len = (uint16_t)(sizeof(struct sctp_auth_hmac_algo) +
5228			                           stcb->asoc.local_hmacs->num_algo * sizeof(uint16_t));
5229			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
5230			hmacs->ph.param_length = htons(parameter_len);
5231			sctp_serialize_hmaclist(stcb->asoc.local_hmacs, (uint8_t *)hmacs->hmac_ids);
5232			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5233			chunk_len += parameter_len;
5234		}
5235		/* add CHUNKS parameter */
5236		if (stcb->asoc.local_auth_chunks != NULL) {
5237			struct sctp_auth_chunk_list *chunks;
5238
5239			if (padding_len > 0) {
5240				memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5241				chunk_len += padding_len;
5242				padding_len = 0;
5243			}
5244			chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t) + chunk_len);
5245			parameter_len = (uint16_t)(sizeof(struct sctp_auth_chunk_list) +
5246			                           sctp_auth_get_chklist_size(stcb->asoc.local_auth_chunks));
5247			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
5248			chunks->ph.param_length = htons(parameter_len);
5249			sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks, chunks->chunk_types);
5250			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5251			chunk_len += parameter_len;
5252		}
5253	}
5254
5255	/* now any cookie time extensions */
5256	if (stcb->asoc.cookie_preserve_req) {
5257		struct sctp_cookie_perserve_param *cookie_preserve;
5258
5259		if (padding_len > 0) {
5260			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5261			chunk_len += padding_len;
5262			padding_len = 0;
5263		}
5264		parameter_len = (uint16_t)sizeof(struct sctp_cookie_perserve_param);
5265		cookie_preserve = (struct sctp_cookie_perserve_param *)(mtod(m, caddr_t) + chunk_len);
5266		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
5267		cookie_preserve->ph.param_length = htons(parameter_len);
5268		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
5269		stcb->asoc.cookie_preserve_req = 0;
5270		chunk_len += parameter_len;
5271	}
5272
5273	if (stcb->asoc.scope.ipv4_addr_legal || stcb->asoc.scope.ipv6_addr_legal) {
5274		uint8_t i;
5275
5276		if (padding_len > 0) {
5277			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5278			chunk_len += padding_len;
5279			padding_len = 0;
5280		}
5281		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5282		if (stcb->asoc.scope.ipv4_addr_legal) {
5283			parameter_len += (uint16_t)sizeof(uint16_t);
5284		}
5285		if (stcb->asoc.scope.ipv6_addr_legal) {
5286			parameter_len += (uint16_t)sizeof(uint16_t);
5287		}
5288		sup_addr = (struct sctp_supported_addr_param *)(mtod(m, caddr_t) + chunk_len);
5289		sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
5290		sup_addr->ph.param_length = htons(parameter_len);
5291		i = 0;
5292		if (stcb->asoc.scope.ipv4_addr_legal) {
5293			sup_addr->addr_type[i++] = htons(SCTP_IPV4_ADDRESS);
5294		}
5295		if (stcb->asoc.scope.ipv6_addr_legal) {
5296			sup_addr->addr_type[i++] = htons(SCTP_IPV6_ADDRESS);
5297		}
5298		padding_len = 4 - 2 * i;
5299		chunk_len += parameter_len;
5300	}
5301
5302	SCTP_BUF_LEN(m) = chunk_len;
5303	/* now the addresses */
5304	/* To optimize this we could put the scoping stuff
5305	 * into a structure and remove the individual uint8's from
5306	 * the assoc structure. Then we could just sifa in the
5307	 * address within the stcb. But for now this is a quick
5308	 * hack to get the address stuff teased apart.
5309	 */
5310	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &stcb->asoc.scope,
5311	                                    m, cnt_inits_to,
5312	                                    &padding_len, &chunk_len);
5313
5314	init->ch.chunk_length = htons(chunk_len);
5315	if (padding_len > 0) {
5316		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
5317			sctp_m_freem(m);
5318			return;
5319		}
5320	}
5321	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
5322	ret = sctp_lowlevel_chunk_output(inp, stcb, net,
5323	                                 (struct sockaddr *)&net->ro._l_addr,
5324	                                 m, 0, NULL, 0, 0, 0, 0,
5325	                                 inp->sctp_lport, stcb->rport, htonl(0),
5326	                                 net->port, NULL,
5327#if defined(__FreeBSD__)
5328	                                 0, 0,
5329#endif
5330	                                 so_locked);
5331	SCTPDBG(SCTP_DEBUG_OUTPUT4, "lowlevel_output - %d\n", ret);
5332	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
5333	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
5334}
5335
5336struct mbuf *
5337sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
5338	int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly)
5339{
5340	/*
5341	 * Given a mbuf containing an INIT or INIT-ACK with the param_offset
5342	 * being equal to the beginning of the params i.e. (iphlen +
5343	 * sizeof(struct sctp_init_msg) parse through the parameters to the
5344	 * end of the mbuf verifying that all parameters are known.
5345	 *
5346	 * For unknown parameters build and return a mbuf with
5347	 * UNRECOGNIZED_PARAMETER errors. If the flags indicate to stop
5348	 * processing this chunk stop, and set *abort_processing to 1.
5349	 *
5350	 * By having param_offset be pre-set to where parameters begin it is
5351	 * hoped that this routine may be reused in the future by new
5352	 * features.
5353	 */
5354	struct sctp_paramhdr *phdr, params;
5355
5356	struct mbuf *mat, *op_err;
5357	char tempbuf[SCTP_PARAM_BUFFER_SIZE];
5358	int at, limit, pad_needed;
5359	uint16_t ptype, plen, padded_size;
5360	int err_at;
5361
5362	*abort_processing = 0;
5363	mat = in_initpkt;
5364	err_at = 0;
5365	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
5366	at = param_offset;
5367	op_err = NULL;
5368	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
5369	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
5370	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
5371		ptype = ntohs(phdr->param_type);
5372		plen = ntohs(phdr->param_length);
5373		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
5374			/* wacked parameter */
5375			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
5376			goto invalid_size;
5377		}
5378		limit -= SCTP_SIZE32(plen);
5379		/*-
5380		 * All parameters for all chunks that we know/understand are
5381		 * listed here. We process them other places and make
5382		 * appropriate stop actions per the upper bits. However this
5383		 * is the generic routine processor's can call to get back
5384		 * an operr.. to either incorporate (init-ack) or send.
5385		 */
5386		padded_size = SCTP_SIZE32(plen);
5387		switch (ptype) {
5388			/* Param's with variable size */
5389		case SCTP_HEARTBEAT_INFO:
5390		case SCTP_STATE_COOKIE:
5391		case SCTP_UNRECOG_PARAM:
5392		case SCTP_ERROR_CAUSE_IND:
5393			/* ok skip fwd */
5394			at += padded_size;
5395			break;
5396			/* Param's with variable size within a range */
5397		case SCTP_CHUNK_LIST:
5398		case SCTP_SUPPORTED_CHUNK_EXT:
5399			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
5400				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
5401				goto invalid_size;
5402			}
5403			at += padded_size;
5404			break;
5405		case SCTP_SUPPORTED_ADDRTYPE:
5406			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
5407				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
5408				goto invalid_size;
5409			}
5410			at += padded_size;
5411			break;
5412		case SCTP_RANDOM:
5413			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
5414				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
5415				goto invalid_size;
5416			}
5417			at += padded_size;
5418			break;
5419		case SCTP_SET_PRIM_ADDR:
5420		case SCTP_DEL_IP_ADDRESS:
5421		case SCTP_ADD_IP_ADDRESS:
5422			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
5423			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
5424				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
5425				goto invalid_size;
5426			}
5427			at += padded_size;
5428			break;
5429			/* Param's with a fixed size */
5430		case SCTP_IPV4_ADDRESS:
5431			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
5432				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
5433				goto invalid_size;
5434			}
5435			at += padded_size;
5436			break;
5437		case SCTP_IPV6_ADDRESS:
5438			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
5439				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
5440				goto invalid_size;
5441			}
5442			at += padded_size;
5443			break;
5444		case SCTP_COOKIE_PRESERVE:
5445			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
5446				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
5447				goto invalid_size;
5448			}
5449			at += padded_size;
5450			break;
5451		case SCTP_HAS_NAT_SUPPORT:
5452			*nat_friendly = 1;
5453			/* fall through */
5454		case SCTP_PRSCTP_SUPPORTED:
5455			if (padded_size != sizeof(struct sctp_paramhdr)) {
5456				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error prsctp/nat support %d\n", plen);
5457				goto invalid_size;
5458			}
5459			at += padded_size;
5460			break;
5461		case SCTP_ECN_CAPABLE:
5462			if (padded_size != sizeof(struct sctp_paramhdr)) {
5463				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
5464				goto invalid_size;
5465			}
5466			at += padded_size;
5467			break;
5468		case SCTP_ULP_ADAPTATION:
5469			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
5470				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
5471				goto invalid_size;
5472			}
5473			at += padded_size;
5474			break;
5475		case SCTP_SUCCESS_REPORT:
5476			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
5477				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
5478				goto invalid_size;
5479			}
5480			at += padded_size;
5481			break;
5482		case SCTP_HOSTNAME_ADDRESS:
5483		{
5484			/* We can NOT handle HOST NAME addresses!! */
5485			int l_len;
5486
5487			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
5488			*abort_processing = 1;
5489			if (op_err == NULL) {
5490				/* Ok need to try to get a mbuf */
5491#ifdef INET6
5492				l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5493#else
5494				l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5495#endif
5496				l_len += plen;
5497				l_len += sizeof(struct sctp_paramhdr);
5498				op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5499				if (op_err) {
5500					SCTP_BUF_LEN(op_err) = 0;
5501					/*
5502					 * pre-reserve space for ip and sctp
5503					 * header  and chunk hdr
5504					 */
5505#ifdef INET6
5506					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5507#else
5508					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5509#endif
5510					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5511					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5512				}
5513			}
5514			if (op_err) {
5515				/* If we have space */
5516				struct sctp_paramhdr s;
5517
5518				if (err_at % 4) {
5519					uint32_t cpthis = 0;
5520
5521					pad_needed = 4 - (err_at % 4);
5522					m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5523					err_at += pad_needed;
5524				}
5525				s.param_type = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
5526				s.param_length = htons(sizeof(s) + plen);
5527				m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5528				err_at += sizeof(s);
5529				phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf),plen));
5530				if (phdr == NULL) {
5531					sctp_m_freem(op_err);
5532					/*
5533					 * we are out of memory but we still
5534					 * need to have a look at what to do
5535					 * (the system is in trouble
5536					 * though).
5537					 */
5538					return (NULL);
5539				}
5540				m_copyback(op_err, err_at, plen, (caddr_t)phdr);
5541			}
5542			return (op_err);
5543			break;
5544		}
5545		default:
5546			/*
5547			 * we do not recognize the parameter figure out what
5548			 * we do.
5549			 */
5550			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
5551			if ((ptype & 0x4000) == 0x4000) {
5552				/* Report bit is set?? */
5553				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
5554				if (op_err == NULL) {
5555					int l_len;
5556					/* Ok need to try to get an mbuf */
5557#ifdef INET6
5558					l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5559#else
5560					l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5561#endif
5562					l_len += plen;
5563					l_len += sizeof(struct sctp_paramhdr);
5564					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5565					if (op_err) {
5566						SCTP_BUF_LEN(op_err) = 0;
5567#ifdef INET6
5568						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5569#else
5570						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5571#endif
5572						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5573						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5574					}
5575				}
5576				if (op_err) {
5577					/* If we have space */
5578					struct sctp_paramhdr s;
5579
5580					if (err_at % 4) {
5581						uint32_t cpthis = 0;
5582
5583						pad_needed = 4 - (err_at % 4);
5584						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5585						err_at += pad_needed;
5586					}
5587					s.param_type = htons(SCTP_UNRECOG_PARAM);
5588					s.param_length = htons(sizeof(s) + plen);
5589					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5590					err_at += sizeof(s);
5591					if (plen > sizeof(tempbuf)) {
5592						plen = sizeof(tempbuf);
5593					}
5594					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf),plen));
5595					if (phdr == NULL) {
5596						sctp_m_freem(op_err);
5597						/*
5598						 * we are out of memory but
5599						 * we still need to have a
5600						 * look at what to do (the
5601						 * system is in trouble
5602						 * though).
5603						 */
5604						op_err = NULL;
5605						goto more_processing;
5606					}
5607					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
5608					err_at += plen;
5609				}
5610			}
5611		more_processing:
5612			if ((ptype & 0x8000) == 0x0000) {
5613				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
5614				return (op_err);
5615			} else {
5616				/* skip this chunk and continue processing */
5617				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
5618				at += SCTP_SIZE32(plen);
5619			}
5620			break;
5621
5622		}
5623		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
5624	}
5625	return (op_err);
5626 invalid_size:
5627	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
5628	*abort_processing = 1;
5629	if ((op_err == NULL) && phdr) {
5630		int l_len;
5631#ifdef INET6
5632		l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5633#else
5634		l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5635#endif
5636		l_len += (2 * sizeof(struct sctp_paramhdr));
5637		op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5638		if (op_err) {
5639			SCTP_BUF_LEN(op_err) = 0;
5640#ifdef INET6
5641			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5642#else
5643			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5644#endif
5645			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5646			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5647		}
5648	}
5649	if ((op_err) && phdr) {
5650		struct sctp_paramhdr s;
5651
5652		if (err_at % 4) {
5653			uint32_t cpthis = 0;
5654
5655			pad_needed = 4 - (err_at % 4);
5656			m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5657			err_at += pad_needed;
5658		}
5659		s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
5660		s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr));
5661		m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5662		err_at += sizeof(s);
5663		/* Only copy back the p-hdr that caused the issue */
5664		m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
5665	}
5666	return (op_err);
5667}
5668
5669static int
5670sctp_are_there_new_addresses(struct sctp_association *asoc,
5671    struct mbuf *in_initpkt, int offset, struct sockaddr *src)
5672{
5673	/*
5674	 * Given a INIT packet, look through the packet to verify that there
5675	 * are NO new addresses. As we go through the parameters add reports
5676	 * of any un-understood parameters that require an error.  Also we
5677	 * must return (1) to drop the packet if we see a un-understood
5678	 * parameter that tells us to drop the chunk.
5679	 */
5680	struct sockaddr *sa_touse;
5681	struct sockaddr *sa;
5682	struct sctp_paramhdr *phdr, params;
5683	uint16_t ptype, plen;
5684	uint8_t fnd;
5685	struct sctp_nets *net;
5686#ifdef INET
5687	struct sockaddr_in sin4, *sa4;
5688#endif
5689#ifdef INET6
5690	struct sockaddr_in6 sin6, *sa6;
5691#endif
5692
5693#ifdef INET
5694	memset(&sin4, 0, sizeof(sin4));
5695	sin4.sin_family = AF_INET;
5696#ifdef HAVE_SIN_LEN
5697	sin4.sin_len = sizeof(sin4);
5698#endif
5699#endif
5700#ifdef INET6
5701	memset(&sin6, 0, sizeof(sin6));
5702	sin6.sin6_family = AF_INET6;
5703#ifdef HAVE_SIN6_LEN
5704	sin6.sin6_len = sizeof(sin6);
5705#endif
5706#endif
5707	/* First what about the src address of the pkt ? */
5708	fnd = 0;
5709	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5710		sa = (struct sockaddr *)&net->ro._l_addr;
5711		if (sa->sa_family == src->sa_family) {
5712#ifdef INET
5713			if (sa->sa_family == AF_INET) {
5714				struct sockaddr_in *src4;
5715
5716				sa4 = (struct sockaddr_in *)sa;
5717				src4 = (struct sockaddr_in *)src;
5718				if (sa4->sin_addr.s_addr == src4->sin_addr.s_addr) {
5719					fnd = 1;
5720					break;
5721				}
5722			}
5723#endif
5724#ifdef INET6
5725			if (sa->sa_family == AF_INET6) {
5726				struct sockaddr_in6 *src6;
5727
5728				sa6 = (struct sockaddr_in6 *)sa;
5729				src6 = (struct sockaddr_in6 *)src;
5730				if (SCTP6_ARE_ADDR_EQUAL(sa6, src6)) {
5731					fnd = 1;
5732					break;
5733				}
5734			}
5735#endif
5736		}
5737	}
5738	if (fnd == 0) {
5739		/* New address added! no need to look futher. */
5740		return (1);
5741	}
5742	/* Ok so far lets munge through the rest of the packet */
5743	offset += sizeof(struct sctp_init_chunk);
5744	phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5745	while (phdr) {
5746		sa_touse = NULL;
5747		ptype = ntohs(phdr->param_type);
5748		plen = ntohs(phdr->param_length);
5749		switch (ptype) {
5750#ifdef INET
5751		case SCTP_IPV4_ADDRESS:
5752		{
5753			struct sctp_ipv4addr_param *p4, p4_buf;
5754
5755			phdr = sctp_get_next_param(in_initpkt, offset,
5756			    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
5757			if (plen != sizeof(struct sctp_ipv4addr_param) ||
5758			    phdr == NULL) {
5759				return (1);
5760			}
5761			p4 = (struct sctp_ipv4addr_param *)phdr;
5762			sin4.sin_addr.s_addr = p4->addr;
5763			sa_touse = (struct sockaddr *)&sin4;
5764			break;
5765		}
5766#endif
5767#ifdef INET6
5768		case SCTP_IPV6_ADDRESS:
5769		{
5770			struct sctp_ipv6addr_param *p6, p6_buf;
5771
5772			phdr = sctp_get_next_param(in_initpkt, offset,
5773			    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
5774			if (plen != sizeof(struct sctp_ipv6addr_param) ||
5775			    phdr == NULL) {
5776				return (1);
5777			}
5778			p6 = (struct sctp_ipv6addr_param *)phdr;
5779			memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
5780			    sizeof(p6->addr));
5781			sa_touse = (struct sockaddr *)&sin6;
5782			break;
5783		}
5784#endif
5785		default:
5786			sa_touse = NULL;
5787			break;
5788		}
5789		if (sa_touse) {
5790			/* ok, sa_touse points to one to check */
5791			fnd = 0;
5792			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5793				sa = (struct sockaddr *)&net->ro._l_addr;
5794				if (sa->sa_family != sa_touse->sa_family) {
5795					continue;
5796				}
5797#ifdef INET
5798				if (sa->sa_family == AF_INET) {
5799					sa4 = (struct sockaddr_in *)sa;
5800					if (sa4->sin_addr.s_addr ==
5801					    sin4.sin_addr.s_addr) {
5802						fnd = 1;
5803						break;
5804					}
5805				}
5806#endif
5807#ifdef INET6
5808				if (sa->sa_family == AF_INET6) {
5809					sa6 = (struct sockaddr_in6 *)sa;
5810					if (SCTP6_ARE_ADDR_EQUAL(
5811					    sa6, &sin6)) {
5812						fnd = 1;
5813						break;
5814					}
5815				}
5816#endif
5817			}
5818			if (!fnd) {
5819				/* New addr added! no need to look further */
5820				return (1);
5821			}
5822		}
5823		offset += SCTP_SIZE32(plen);
5824		phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5825	}
5826	return (0);
5827}
5828
5829/*
5830 * Given a MBUF chain that was sent into us containing an INIT. Build a
5831 * INIT-ACK with COOKIE and send back. We assume that the in_initpkt has done
5832 * a pullup to include IPv6/4header, SCTP header and initial part of INIT
5833 * message (i.e. the struct sctp_init_msg).
5834 */
5835void
5836sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
5837                       struct mbuf *init_pkt, int iphlen, int offset,
5838                       struct sockaddr *src, struct sockaddr *dst,
5839                       struct sctphdr *sh, struct sctp_init_chunk *init_chk,
5840#if defined(__FreeBSD__)
5841		       uint8_t use_mflowid, uint32_t mflowid,
5842#endif
5843                       uint32_t vrf_id, uint16_t port, int hold_inp_lock)
5844{
5845	struct sctp_association *asoc;
5846	struct mbuf *m, *m_tmp, *m_last, *m_cookie, *op_err;
5847	struct sctp_init_ack_chunk *initack;
5848	struct sctp_adaptation_layer_indication *ali;
5849	struct sctp_supported_chunk_types_param *pr_supported;
5850	struct sctp_paramhdr *ph;
5851	union sctp_sockstore *over_addr;
5852	struct sctp_scoping scp;
5853#ifdef INET
5854	struct sockaddr_in *dst4 = (struct sockaddr_in *)dst;
5855	struct sockaddr_in *src4 = (struct sockaddr_in *)src;
5856	struct sockaddr_in *sin;
5857#endif
5858#ifdef INET6
5859	struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)dst;
5860	struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)src;
5861	struct sockaddr_in6 *sin6;
5862#endif
5863#if defined(__Userspace__)
5864	struct sockaddr_conn *dstconn = (struct sockaddr_conn *)dst;
5865	struct sockaddr_conn *srcconn = (struct sockaddr_conn *)src;
5866	struct sockaddr_conn *sconn;
5867#endif
5868	struct sockaddr *to;
5869	struct sctp_state_cookie stc;
5870	struct sctp_nets *net = NULL;
5871	uint8_t *signature = NULL;
5872	int cnt_inits_to = 0;
5873	uint16_t his_limit, i_want;
5874	int abort_flag;
5875	int nat_friendly = 0;
5876	struct socket *so;
5877	uint16_t num_ext, chunk_len, padding_len, parameter_len;
5878
5879	if (stcb) {
5880		asoc = &stcb->asoc;
5881	} else {
5882		asoc = NULL;
5883	}
5884	if ((asoc != NULL) &&
5885	    (SCTP_GET_STATE(asoc) != SCTP_STATE_COOKIE_WAIT) &&
5886	    (sctp_are_there_new_addresses(asoc, init_pkt, offset, src))) {
5887		/* new addresses, out of here in non-cookie-wait states */
5888		/*
5889		 * Send a ABORT, we don't add the new address error clause
5890		 * though we even set the T bit and copy in the 0 tag.. this
5891		 * looks no different than if no listener was present.
5892		 */
5893		op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5894		                             "Address added");
5895		sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
5896#if defined(__FreeBSD__)
5897		                use_mflowid, mflowid,
5898#endif
5899		                vrf_id, port);
5900		return;
5901	}
5902	abort_flag = 0;
5903	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
5904						       (offset + sizeof(struct sctp_init_chunk)),
5905						       &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly);
5906	if (abort_flag) {
5907	do_a_abort:
5908		if (op_err == NULL) {
5909			char msg[SCTP_DIAG_INFO_LEN];
5910
5911			snprintf(msg, sizeof(msg), "%s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
5912			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5913			                             msg);
5914		}
5915		sctp_send_abort(init_pkt, iphlen, src, dst, sh,
5916				init_chk->init.initiate_tag, op_err,
5917#if defined(__FreeBSD__)
5918		                use_mflowid, mflowid,
5919#endif
5920		                vrf_id, port);
5921		return;
5922	}
5923	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
5924	if (m == NULL) {
5925		/* No memory, INIT timer will re-attempt. */
5926		if (op_err)
5927			sctp_m_freem(op_err);
5928		return;
5929	}
5930	chunk_len = (uint16_t)sizeof(struct sctp_init_ack_chunk);
5931	padding_len = 0;
5932
5933	/*
5934	 * We might not overwrite the identification[] completely and on
5935	 * some platforms time_entered will contain some padding.
5936	 * Therefore zero out the cookie to avoid putting
5937	 * uninitialized memory on the wire.
5938	 */
5939	memset(&stc, 0, sizeof(struct sctp_state_cookie));
5940
5941	/* the time I built cookie */
5942	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
5943
5944	/* populate any tie tags */
5945	if (asoc != NULL) {
5946		/* unlock before tag selections */
5947		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
5948		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
5949		stc.cookie_life = asoc->cookie_life;
5950		net = asoc->primary_destination;
5951	} else {
5952		stc.tie_tag_my_vtag = 0;
5953		stc.tie_tag_peer_vtag = 0;
5954		/* life I will award this cookie */
5955		stc.cookie_life = inp->sctp_ep.def_cookie_life;
5956	}
5957
5958	/* copy in the ports for later check */
5959	stc.myport = sh->dest_port;
5960	stc.peerport = sh->src_port;
5961
5962	/*
5963	 * If we wanted to honor cookie life extentions, we would add to
5964	 * stc.cookie_life. For now we should NOT honor any extension
5965	 */
5966	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
5967	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5968		stc.ipv6_addr_legal = 1;
5969		if (SCTP_IPV6_V6ONLY(inp)) {
5970			stc.ipv4_addr_legal = 0;
5971		} else {
5972			stc.ipv4_addr_legal = 1;
5973		}
5974#if defined(__Userspace__)
5975		stc.conn_addr_legal = 0;
5976#endif
5977	} else {
5978		stc.ipv6_addr_legal = 0;
5979#if defined(__Userspace__)
5980		if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_CONN) {
5981			stc.conn_addr_legal = 1;
5982			stc.ipv4_addr_legal = 0;
5983		} else {
5984			stc.conn_addr_legal = 0;
5985			stc.ipv4_addr_legal = 1;
5986		}
5987#else
5988		stc.ipv4_addr_legal = 1;
5989#endif
5990	}
5991#ifdef SCTP_DONT_DO_PRIVADDR_SCOPE
5992	stc.ipv4_scope = 1;
5993#else
5994	stc.ipv4_scope = 0;
5995#endif
5996	if (net == NULL) {
5997		to = src;
5998		switch (dst->sa_family) {
5999#ifdef INET
6000		case AF_INET:
6001		{
6002			/* lookup address */
6003			stc.address[0] = src4->sin_addr.s_addr;
6004			stc.address[1] = 0;
6005			stc.address[2] = 0;
6006			stc.address[3] = 0;
6007			stc.addr_type = SCTP_IPV4_ADDRESS;
6008			/* local from address */
6009			stc.laddress[0] = dst4->sin_addr.s_addr;
6010			stc.laddress[1] = 0;
6011			stc.laddress[2] = 0;
6012			stc.laddress[3] = 0;
6013			stc.laddr_type = SCTP_IPV4_ADDRESS;
6014			/* scope_id is only for v6 */
6015			stc.scope_id = 0;
6016#ifndef SCTP_DONT_DO_PRIVADDR_SCOPE
6017			if (IN4_ISPRIVATE_ADDRESS(&src4->sin_addr)) {
6018				stc.ipv4_scope = 1;
6019			}
6020#else
6021			stc.ipv4_scope = 1;
6022#endif				/* SCTP_DONT_DO_PRIVADDR_SCOPE */
6023			/* Must use the address in this case */
6024			if (sctp_is_address_on_local_host(src, vrf_id)) {
6025				stc.loopback_scope = 1;
6026				stc.ipv4_scope = 1;
6027				stc.site_scope = 1;
6028				stc.local_scope = 0;
6029			}
6030			break;
6031		}
6032#endif
6033#ifdef INET6
6034		case AF_INET6:
6035		{
6036			stc.addr_type = SCTP_IPV6_ADDRESS;
6037			memcpy(&stc.address, &src6->sin6_addr, sizeof(struct in6_addr));
6038#if defined(__FreeBSD__) && (((__FreeBSD_version < 900000) && (__FreeBSD_version >= 804000)) || (__FreeBSD_version > 900000))
6039			stc.scope_id = in6_getscope(&src6->sin6_addr);
6040#else
6041			stc.scope_id = 0;
6042#endif
6043			if (sctp_is_address_on_local_host(src, vrf_id)) {
6044				stc.loopback_scope = 1;
6045				stc.local_scope = 0;
6046				stc.site_scope = 1;
6047				stc.ipv4_scope = 1;
6048			} else if (IN6_IS_ADDR_LINKLOCAL(&src6->sin6_addr)) {
6049				/*
6050				 * If the new destination is a LINK_LOCAL we
6051				 * must have common both site and local
6052				 * scope. Don't set local scope though since
6053				 * we must depend on the source to be added
6054				 * implicitly. We cannot assure just because
6055				 * we share one link that all links are
6056				 * common.
6057				 */
6058#if defined(__APPLE__)
6059				/* Mac OS X currently doesn't have in6_getscope() */
6060				stc.scope_id = src6->sin6_addr.s6_addr16[1];
6061#endif
6062				stc.local_scope = 0;
6063				stc.site_scope = 1;
6064				stc.ipv4_scope = 1;
6065				/*
6066				 * we start counting for the private address
6067				 * stuff at 1. since the link local we
6068				 * source from won't show up in our scoped
6069				 * count.
6070				 */
6071				cnt_inits_to = 1;
6072				/* pull out the scope_id from incoming pkt */
6073			} else if (IN6_IS_ADDR_SITELOCAL(&src6->sin6_addr)) {
6074				/*
6075				 * If the new destination is SITE_LOCAL then
6076				 * we must have site scope in common.
6077				 */
6078				stc.site_scope = 1;
6079			}
6080			memcpy(&stc.laddress, &dst6->sin6_addr, sizeof(struct in6_addr));
6081			stc.laddr_type = SCTP_IPV6_ADDRESS;
6082			break;
6083		}
6084#endif
6085#if defined(__Userspace__)
6086		case AF_CONN:
6087		{
6088			/* lookup address */
6089			stc.address[0] = 0;
6090			stc.address[1] = 0;
6091			stc.address[2] = 0;
6092			stc.address[3] = 0;
6093			memcpy(&stc.address, &srcconn->sconn_addr, sizeof(void *));
6094			stc.addr_type = SCTP_CONN_ADDRESS;
6095			/* local from address */
6096			stc.laddress[0] = 0;
6097			stc.laddress[1] = 0;
6098			stc.laddress[2] = 0;
6099			stc.laddress[3] = 0;
6100			memcpy(&stc.laddress, &dstconn->sconn_addr, sizeof(void *));
6101			stc.laddr_type = SCTP_CONN_ADDRESS;
6102			/* scope_id is only for v6 */
6103			stc.scope_id = 0;
6104			break;
6105		}
6106#endif
6107		default:
6108			/* TSNH */
6109			goto do_a_abort;
6110			break;
6111		}
6112	} else {
6113		/* set the scope per the existing tcb */
6114
6115#ifdef INET6
6116		struct sctp_nets *lnet;
6117#endif
6118
6119		stc.loopback_scope = asoc->scope.loopback_scope;
6120		stc.ipv4_scope = asoc->scope.ipv4_local_scope;
6121		stc.site_scope = asoc->scope.site_scope;
6122		stc.local_scope = asoc->scope.local_scope;
6123#ifdef INET6
6124		/* Why do we not consider IPv4 LL addresses? */
6125		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
6126			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
6127				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
6128					/*
6129					 * if we have a LL address, start
6130					 * counting at 1.
6131					 */
6132					cnt_inits_to = 1;
6133				}
6134			}
6135		}
6136#endif
6137		/* use the net pointer */
6138		to = (struct sockaddr *)&net->ro._l_addr;
6139		switch (to->sa_family) {
6140#ifdef INET
6141		case AF_INET:
6142			sin = (struct sockaddr_in *)to;
6143			stc.address[0] = sin->sin_addr.s_addr;
6144			stc.address[1] = 0;
6145			stc.address[2] = 0;
6146			stc.address[3] = 0;
6147			stc.addr_type = SCTP_IPV4_ADDRESS;
6148			if (net->src_addr_selected == 0) {
6149				/*
6150				 * strange case here, the INIT should have
6151				 * did the selection.
6152				 */
6153				net->ro._s_addr = sctp_source_address_selection(inp,
6154										stcb, (sctp_route_t *)&net->ro,
6155										net, 0, vrf_id);
6156				if (net->ro._s_addr == NULL)
6157					return;
6158
6159				net->src_addr_selected = 1;
6160
6161			}
6162			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
6163			stc.laddress[1] = 0;
6164			stc.laddress[2] = 0;
6165			stc.laddress[3] = 0;
6166			stc.laddr_type = SCTP_IPV4_ADDRESS;
6167			/* scope_id is only for v6 */
6168			stc.scope_id = 0;
6169			break;
6170#endif
6171#ifdef INET6
6172		case AF_INET6:
6173			sin6 = (struct sockaddr_in6 *)to;
6174			memcpy(&stc.address, &sin6->sin6_addr,
6175			       sizeof(struct in6_addr));
6176			stc.addr_type = SCTP_IPV6_ADDRESS;
6177			stc.scope_id = sin6->sin6_scope_id;
6178			if (net->src_addr_selected == 0) {
6179				/*
6180				 * strange case here, the INIT should have
6181				 * done the selection.
6182				 */
6183				net->ro._s_addr = sctp_source_address_selection(inp,
6184										stcb, (sctp_route_t *)&net->ro,
6185										net, 0, vrf_id);
6186				if (net->ro._s_addr == NULL)
6187					return;
6188
6189				net->src_addr_selected = 1;
6190			}
6191			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
6192			       sizeof(struct in6_addr));
6193			stc.laddr_type = SCTP_IPV6_ADDRESS;
6194			break;
6195#endif
6196#if defined(__Userspace__)
6197		case AF_CONN:
6198			sconn = (struct sockaddr_conn *)to;
6199			stc.address[0] = 0;
6200			stc.address[1] = 0;
6201			stc.address[2] = 0;
6202			stc.address[3] = 0;
6203			memcpy(&stc.address, &sconn->sconn_addr, sizeof(void *));
6204			stc.addr_type = SCTP_CONN_ADDRESS;
6205			stc.laddress[0] = 0;
6206			stc.laddress[1] = 0;
6207			stc.laddress[2] = 0;
6208			stc.laddress[3] = 0;
6209			memcpy(&stc.laddress, &sconn->sconn_addr, sizeof(void *));
6210			stc.laddr_type = SCTP_CONN_ADDRESS;
6211			stc.scope_id = 0;
6212			break;
6213#endif
6214		}
6215	}
6216	/* Now lets put the SCTP header in place */
6217	initack = mtod(m, struct sctp_init_ack_chunk *);
6218	/* Save it off for quick ref */
6219	stc.peers_vtag = init_chk->init.initiate_tag;
6220	/* who are we */
6221	memcpy(stc.identification, SCTP_VERSION_STRING,
6222	       min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
6223	memset(stc.reserved, 0, SCTP_RESERVE_SPACE);
6224	/* now the chunk header */
6225	initack->ch.chunk_type = SCTP_INITIATION_ACK;
6226	initack->ch.chunk_flags = 0;
6227	/* fill in later from mbuf we build */
6228	initack->ch.chunk_length = 0;
6229	/* place in my tag */
6230	if ((asoc != NULL) &&
6231	    ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
6232	     (SCTP_GET_STATE(asoc) == SCTP_STATE_INUSE) ||
6233	     (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED))) {
6234		/* re-use the v-tags and init-seq here */
6235		initack->init.initiate_tag = htonl(asoc->my_vtag);
6236		initack->init.initial_tsn = htonl(asoc->init_seq_number);
6237	} else {
6238		uint32_t vtag, itsn;
6239		if (hold_inp_lock) {
6240			SCTP_INP_INCR_REF(inp);
6241			SCTP_INP_RUNLOCK(inp);
6242		}
6243		if (asoc) {
6244			atomic_add_int(&asoc->refcnt, 1);
6245			SCTP_TCB_UNLOCK(stcb);
6246		new_tag:
6247			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
6248			if ((asoc->peer_supports_nat)  && (vtag == asoc->my_vtag)) {
6249				/* Got a duplicate vtag on some guy behind a nat
6250				 * make sure we don't use it.
6251				 */
6252				goto new_tag;
6253			}
6254			initack->init.initiate_tag = htonl(vtag);
6255			/* get a TSN to use too */
6256			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
6257			initack->init.initial_tsn = htonl(itsn);
6258			SCTP_TCB_LOCK(stcb);
6259			atomic_add_int(&asoc->refcnt, -1);
6260		} else {
6261			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
6262			initack->init.initiate_tag = htonl(vtag);
6263			/* get a TSN to use too */
6264			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
6265		}
6266		if (hold_inp_lock) {
6267			SCTP_INP_RLOCK(inp);
6268			SCTP_INP_DECR_REF(inp);
6269		}
6270	}
6271	/* save away my tag to */
6272	stc.my_vtag = initack->init.initiate_tag;
6273
6274	/* set up some of the credits. */
6275	so = inp->sctp_socket;
6276	if (so == NULL) {
6277		/* memory problem */
6278		sctp_m_freem(m);
6279		return;
6280	} else {
6281		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
6282	}
6283	/* set what I want */
6284	his_limit = ntohs(init_chk->init.num_inbound_streams);
6285	/* choose what I want */
6286	if (asoc != NULL) {
6287		if (asoc->streamoutcnt > inp->sctp_ep.pre_open_stream_count) {
6288			i_want = asoc->streamoutcnt;
6289		} else {
6290			i_want = inp->sctp_ep.pre_open_stream_count;
6291		}
6292	} else {
6293		i_want = inp->sctp_ep.pre_open_stream_count;
6294	}
6295	if (his_limit < i_want) {
6296		/* I Want more :< */
6297		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
6298	} else {
6299		/* I can have what I want :> */
6300		initack->init.num_outbound_streams = htons(i_want);
6301	}
6302	/* tell him his limit. */
6303	initack->init.num_inbound_streams =
6304		htons(inp->sctp_ep.max_open_streams_intome);
6305
6306	/* adaptation layer indication parameter */
6307	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
6308		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
6309		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t) + chunk_len);
6310		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
6311		ali->ph.param_length = htons(parameter_len);
6312		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
6313		chunk_len += parameter_len;
6314	}
6315
6316	/* ECN parameter */
6317	if (((asoc != NULL) && (asoc->ecn_supported == 1)) ||
6318	    ((asoc == NULL) && (inp->ecn_supported == 1))) {
6319		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
6320		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
6321		ph->param_type = htons(SCTP_ECN_CAPABLE);
6322		ph->param_length = htons(parameter_len);
6323		chunk_len += parameter_len;
6324	}
6325
6326	/* PR-SCTP supported parameter */
6327	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
6328	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
6329		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
6330		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
6331		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
6332		ph->param_length = htons(parameter_len);
6333		chunk_len += parameter_len;
6334	}
6335
6336	/* Add NAT friendly parameter */
6337	if (nat_friendly) {
6338		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
6339		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
6340		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
6341		ph->param_length = htons(parameter_len);
6342		chunk_len += parameter_len;
6343	}
6344
6345	/* And now tell the peer which extensions we support */
6346	num_ext = 0;
6347	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t) + chunk_len);
6348	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
6349	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
6350		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
6351	}
6352	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
6353	    ((asoc == NULL) && (inp->auth_supported == 1))) {
6354		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
6355	}
6356	if (((asoc != NULL) && (asoc->asconf_supported == 1)) ||
6357	    ((asoc == NULL) && (inp->asconf_supported == 1))) {
6358		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
6359		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
6360	}
6361	if (((asoc != NULL) && (asoc->reconfig_supported == 1)) ||
6362	    ((asoc == NULL) && (inp->reconfig_supported == 1))) {
6363		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
6364	}
6365	if (((asoc != NULL) && (asoc->nrsack_supported == 1)) ||
6366	    ((asoc == NULL) && (inp->nrsack_supported == 1))) {
6367		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
6368	}
6369	if (((asoc != NULL) && (asoc->pktdrop_supported == 1)) ||
6370	    ((asoc == NULL) && (inp->pktdrop_supported == 1))) {
6371		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
6372	}
6373	if (num_ext > 0) {
6374		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
6375		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
6376		pr_supported->ph.param_length = htons(parameter_len);
6377		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6378		chunk_len += parameter_len;
6379	}
6380
6381	/* add authentication parameters */
6382	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
6383	    ((asoc == NULL) && (inp->auth_supported == 1))) {
6384		struct sctp_auth_random *randp;
6385		struct sctp_auth_hmac_algo *hmacs;
6386		struct sctp_auth_chunk_list *chunks;
6387
6388		if (padding_len > 0) {
6389			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6390			chunk_len += padding_len;
6391			padding_len = 0;
6392		}
6393		/* generate and add RANDOM parameter */
6394		randp = (struct sctp_auth_random *)(mtod(m, caddr_t) + chunk_len);
6395		parameter_len = (uint16_t)sizeof(struct sctp_auth_random) +
6396		                SCTP_AUTH_RANDOM_SIZE_DEFAULT;
6397		randp->ph.param_type = htons(SCTP_RANDOM);
6398		randp->ph.param_length = htons(parameter_len);
6399		SCTP_READ_RANDOM(randp->random_data, SCTP_AUTH_RANDOM_SIZE_DEFAULT);
6400		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6401		chunk_len += parameter_len;
6402
6403		if (padding_len > 0) {
6404			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6405			chunk_len += padding_len;
6406			padding_len = 0;
6407		}
6408		/* add HMAC_ALGO parameter */
6409		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t) + chunk_len);
6410		parameter_len = (uint16_t)sizeof(struct sctp_auth_hmac_algo) +
6411		                sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
6412		                                        (uint8_t *)hmacs->hmac_ids);
6413		hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
6414		hmacs->ph.param_length = htons(parameter_len);
6415		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6416		chunk_len += parameter_len;
6417
6418		if (padding_len > 0) {
6419			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6420			chunk_len += padding_len;
6421			padding_len = 0;
6422		}
6423		/* add CHUNKS parameter */
6424		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t) + chunk_len);
6425		parameter_len = (uint16_t)sizeof(struct sctp_auth_chunk_list) +
6426		                sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
6427		                                           chunks->chunk_types);
6428		chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
6429		chunks->ph.param_length = htons(parameter_len);
6430		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6431		chunk_len += parameter_len;
6432	}
6433	SCTP_BUF_LEN(m) = chunk_len;
6434	m_last = m;
6435	/* now the addresses */
6436	/* To optimize this we could put the scoping stuff
6437	 * into a structure and remove the individual uint8's from
6438	 * the stc structure. Then we could just sifa in the
6439	 * address within the stc.. but for now this is a quick
6440	 * hack to get the address stuff teased apart.
6441	 */
6442	scp.ipv4_addr_legal = stc.ipv4_addr_legal;
6443	scp.ipv6_addr_legal = stc.ipv6_addr_legal;
6444#if defined(__Userspace__)
6445	scp.conn_addr_legal = stc.conn_addr_legal;
6446#endif
6447	scp.loopback_scope = stc.loopback_scope;
6448	scp.ipv4_local_scope = stc.ipv4_scope;
6449	scp.local_scope = stc.local_scope;
6450	scp.site_scope = stc.site_scope;
6451	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &scp, m_last,
6452	                                    cnt_inits_to,
6453	                                    &padding_len, &chunk_len);
6454	/* padding_len can only be positive, if no addresses have been added */
6455	if (padding_len > 0) {
6456		memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6457		chunk_len += padding_len;
6458		SCTP_BUF_LEN(m) += padding_len;
6459		padding_len = 0;
6460	}
6461
6462	/* tack on the operational error if present */
6463	if (op_err) {
6464		parameter_len = 0;
6465		for (m_tmp = op_err; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6466			parameter_len += SCTP_BUF_LEN(m_tmp);
6467		}
6468		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6469		SCTP_BUF_NEXT(m_last) = op_err;
6470		while (SCTP_BUF_NEXT(m_last) != NULL) {
6471			m_last = SCTP_BUF_NEXT(m_last);
6472		}
6473		chunk_len += parameter_len;
6474	}
6475	if (padding_len > 0) {
6476		m_last = sctp_add_pad_tombuf(m_last, padding_len);
6477		if (m_last == NULL) {
6478			/* Houston we have a problem, no space */
6479			sctp_m_freem(m);
6480			return;
6481		}
6482		chunk_len += padding_len;
6483		padding_len = 0;
6484	}
6485	/* Now we must build a cookie */
6486	m_cookie = sctp_add_cookie(init_pkt, offset, m, 0, &stc, &signature);
6487	if (m_cookie == NULL) {
6488		/* memory problem */
6489		sctp_m_freem(m);
6490		return;
6491	}
6492	/* Now append the cookie to the end and update the space/size */
6493	SCTP_BUF_NEXT(m_last) = m_cookie;
6494	parameter_len = 0;
6495	for (m_tmp = m_cookie; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6496		parameter_len += SCTP_BUF_LEN(m_tmp);
6497		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
6498			m_last = m_tmp;
6499		}
6500	}
6501	padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6502	chunk_len += parameter_len;
6503
6504	/* Place in the size, but we don't include
6505	 * the last pad (if any) in the INIT-ACK.
6506	 */
6507	initack->ch.chunk_length = htons(chunk_len);
6508
6509	/* Time to sign the cookie, we don't sign over the cookie
6510	 * signature though thus we set trailer.
6511	 */
6512	(void)sctp_hmac_m(SCTP_HMAC,
6513			  (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
6514			  SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
6515			  (uint8_t *)signature, SCTP_SIGNATURE_SIZE);
6516	/*
6517	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
6518	 * here since the timer will drive a retranmission.
6519	 */
6520	if (padding_len > 0) {
6521		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
6522			sctp_m_freem(m);
6523			return;
6524		}
6525	}
6526	if (stc.loopback_scope) {
6527		over_addr = (union sctp_sockstore *)dst;
6528	} else {
6529		over_addr = NULL;
6530	}
6531
6532	(void)sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
6533	                                 0, 0,
6534	                                 inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
6535	                                 port, over_addr,
6536#if defined(__FreeBSD__)
6537	                                 use_mflowid, mflowid,
6538#endif
6539	                                 SCTP_SO_NOT_LOCKED);
6540	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
6541}
6542
6543
6544static void
6545sctp_prune_prsctp(struct sctp_tcb *stcb,
6546    struct sctp_association *asoc,
6547    struct sctp_sndrcvinfo *srcv,
6548    int dataout)
6549{
6550	int freed_spc = 0;
6551	struct sctp_tmit_chunk *chk, *nchk;
6552
6553	SCTP_TCB_LOCK_ASSERT(stcb);
6554	if ((asoc->prsctp_supported) &&
6555	    (asoc->sent_queue_cnt_removeable > 0)) {
6556		TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
6557			/*
6558			 * Look for chunks marked with the PR_SCTP flag AND
6559			 * the buffer space flag. If the one being sent is
6560			 * equal or greater priority then purge the old one
6561			 * and free some space.
6562			 */
6563			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6564				/*
6565				 * This one is PR-SCTP AND buffer space
6566				 * limited type
6567				 */
6568				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
6569					/*
6570					 * Lower numbers equates to higher
6571					 * priority so if the one we are
6572					 * looking at has a larger or equal
6573					 * priority we want to drop the data
6574					 * and NOT retransmit it.
6575					 */
6576					if (chk->data) {
6577						/*
6578						 * We release the book_size
6579						 * if the mbuf is here
6580						 */
6581						int ret_spc;
6582						uint8_t sent;
6583
6584						if (chk->sent > SCTP_DATAGRAM_UNSENT)
6585							sent = 1;
6586						else
6587							sent = 0;
6588						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6589						    sent,
6590						    SCTP_SO_LOCKED);
6591						freed_spc += ret_spc;
6592						if (freed_spc >= dataout) {
6593							return;
6594						}
6595					}	/* if chunk was present */
6596				}	/* if of sufficent priority */
6597			}	/* if chunk has enabled */
6598		}		/* tailqforeach */
6599
6600		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
6601			/* Here we must move to the sent queue and mark */
6602			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6603				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
6604					if (chk->data) {
6605						/*
6606						 * We release the book_size
6607						 * if the mbuf is here
6608						 */
6609						int ret_spc;
6610
6611						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6612						    0, SCTP_SO_LOCKED);
6613
6614						freed_spc += ret_spc;
6615						if (freed_spc >= dataout) {
6616							return;
6617						}
6618					}	/* end if chk->data */
6619				}	/* end if right class */
6620			}	/* end if chk pr-sctp */
6621		}		/* tailqforeachsafe (chk) */
6622	}			/* if enabled in asoc */
6623}
6624
6625int
6626sctp_get_frag_point(struct sctp_tcb *stcb,
6627    struct sctp_association *asoc)
6628{
6629	int siz, ovh;
6630
6631	/*
6632	 * For endpoints that have both v6 and v4 addresses we must reserve
6633	 * room for the ipv6 header, for those that are only dealing with V4
6634	 * we use a larger frag point.
6635	 */
6636	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
6637		ovh = SCTP_MED_OVERHEAD;
6638	} else {
6639		ovh = SCTP_MED_V4_OVERHEAD;
6640	}
6641
6642	if (stcb->asoc.sctp_frag_point > asoc->smallest_mtu)
6643		siz = asoc->smallest_mtu - ovh;
6644	else
6645		siz = (stcb->asoc.sctp_frag_point - ovh);
6646	/*
6647	 * if (siz > (MCLBYTES-sizeof(struct sctp_data_chunk))) {
6648	 */
6649	/* A data chunk MUST fit in a cluster */
6650	/* siz = (MCLBYTES - sizeof(struct sctp_data_chunk)); */
6651	/* } */
6652
6653	/* adjust for an AUTH chunk if DATA requires auth */
6654	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks))
6655		siz -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
6656
6657	if (siz % 4) {
6658		/* make it an even word boundary please */
6659		siz -= (siz % 4);
6660	}
6661	return (siz);
6662}
6663
6664static void
6665sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
6666{
6667	/*
6668	 * We assume that the user wants PR_SCTP_TTL if the user
6669	 * provides a positive lifetime but does not specify any
6670	 * PR_SCTP policy.
6671	 */
6672	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
6673		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6674	} else if (sp->timetolive > 0) {
6675		sp->sinfo_flags |= SCTP_PR_SCTP_TTL;
6676		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6677	} else {
6678		return;
6679	}
6680	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
6681	case CHUNK_FLAGS_PR_SCTP_BUF:
6682		/*
6683		 * Time to live is a priority stored in tv_sec when
6684		 * doing the buffer drop thing.
6685		 */
6686		sp->ts.tv_sec = sp->timetolive;
6687		sp->ts.tv_usec = 0;
6688		break;
6689	case CHUNK_FLAGS_PR_SCTP_TTL:
6690	{
6691		struct timeval tv;
6692		(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6693		tv.tv_sec = sp->timetolive / 1000;
6694		tv.tv_usec = (sp->timetolive * 1000) % 1000000;
6695		/* TODO sctp_constants.h needs alternative time macros when
6696		 *  _KERNEL is undefined.
6697		 */
6698#ifndef __FreeBSD__
6699		timeradd(&sp->ts, &tv, &sp->ts);
6700#else
6701		timevaladd(&sp->ts, &tv);
6702#endif
6703	}
6704		break;
6705	case CHUNK_FLAGS_PR_SCTP_RTX:
6706		/*
6707		 * Time to live is a the number or retransmissions
6708		 * stored in tv_sec.
6709		 */
6710		sp->ts.tv_sec = sp->timetolive;
6711		sp->ts.tv_usec = 0;
6712		break;
6713	default:
6714		SCTPDBG(SCTP_DEBUG_USRREQ1,
6715			"Unknown PR_SCTP policy %u.\n",
6716			PR_SCTP_POLICY(sp->sinfo_flags));
6717		break;
6718	}
6719}
6720
6721static int
6722sctp_msg_append(struct sctp_tcb *stcb,
6723		struct sctp_nets *net,
6724		struct mbuf *m,
6725		struct sctp_sndrcvinfo *srcv, int hold_stcb_lock)
6726{
6727	int error = 0;
6728	struct mbuf *at;
6729	struct sctp_stream_queue_pending *sp = NULL;
6730	struct sctp_stream_out *strm;
6731
6732	/* Given an mbuf chain, put it
6733	 * into the association send queue and
6734	 * place it on the wheel
6735	 */
6736	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
6737		/* Invalid stream number */
6738		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6739		error = EINVAL;
6740		goto out_now;
6741	}
6742	if ((stcb->asoc.stream_locked) &&
6743	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
6744		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6745		error = EINVAL;
6746		goto out_now;
6747	}
6748	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
6749	/* Now can we send this? */
6750	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
6751	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
6752	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
6753	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
6754		/* got data while shutting down */
6755		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
6756		error = ECONNRESET;
6757		goto out_now;
6758	}
6759	sctp_alloc_a_strmoq(stcb, sp);
6760	if (sp == NULL) {
6761		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6762		error = ENOMEM;
6763		goto out_now;
6764	}
6765	sp->sinfo_flags = srcv->sinfo_flags;
6766	sp->timetolive = srcv->sinfo_timetolive;
6767	sp->ppid = srcv->sinfo_ppid;
6768	sp->context = srcv->sinfo_context;
6769	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
6770		sp->net = net;
6771		atomic_add_int(&sp->net->ref_count, 1);
6772	} else {
6773		sp->net = NULL;
6774	}
6775	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6776	sp->stream = srcv->sinfo_stream;
6777	sp->msg_is_complete = 1;
6778	sp->sender_all_done = 1;
6779	sp->some_taken = 0;
6780	sp->data = m;
6781	sp->tail_mbuf = NULL;
6782	sctp_set_prsctp_policy(sp);
6783	/* We could in theory (for sendall) sifa the length
6784	 * in, but we would still have to hunt through the
6785	 * chain since we need to setup the tail_mbuf
6786	 */
6787	sp->length = 0;
6788	for (at = m; at; at = SCTP_BUF_NEXT(at)) {
6789		if (SCTP_BUF_NEXT(at) == NULL)
6790			sp->tail_mbuf = at;
6791		sp->length += SCTP_BUF_LEN(at);
6792	}
6793	if (srcv->sinfo_keynumber_valid) {
6794		sp->auth_keyid = srcv->sinfo_keynumber;
6795	} else {
6796		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
6797	}
6798	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
6799		sctp_auth_key_acquire(stcb, sp->auth_keyid);
6800		sp->holds_key_ref = 1;
6801	}
6802	if (hold_stcb_lock == 0) {
6803		SCTP_TCB_SEND_LOCK(stcb);
6804	}
6805	sctp_snd_sb_alloc(stcb, sp->length);
6806	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
6807	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
6808	stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, &stcb->asoc, strm, sp, 1);
6809	m = NULL;
6810	if (hold_stcb_lock == 0) {
6811		SCTP_TCB_SEND_UNLOCK(stcb);
6812	}
6813out_now:
6814	if (m) {
6815		sctp_m_freem(m);
6816	}
6817	return (error);
6818}
6819
6820
6821static struct mbuf *
6822sctp_copy_mbufchain(struct mbuf *clonechain,
6823		    struct mbuf *outchain,
6824		    struct mbuf **endofchain,
6825		    int can_take_mbuf,
6826		    int sizeofcpy,
6827		    uint8_t copy_by_ref)
6828{
6829	struct mbuf *m;
6830	struct mbuf *appendchain;
6831	caddr_t cp;
6832	int