libpeer/third_party/usrsctp/usrsctplib/netinet/sctp_input.c

/*-
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * a) Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *
 * b) Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the distribution.
 *
 * c) Neither the name of Cisco Systems, Inc. nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
 * THE POSSIBILITY OF SUCH DAMAGE.
 */

#if defined(__FreeBSD__) && !defined(__Userspace__)
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#endif

#include <netinet/sctp_os.h>
#include <netinet/sctp_var.h>
#include <netinet/sctp_sysctl.h>
#include <netinet/sctp_pcb.h>
#include <netinet/sctp_header.h>
#include <netinet/sctputil.h>
#include <netinet/sctp_output.h>
#include <netinet/sctp_input.h>
#include <netinet/sctp_auth.h>
#include <netinet/sctp_indata.h>
#include <netinet/sctp_asconf.h>
#include <netinet/sctp_bsd_addr.h>
#include <netinet/sctp_timer.h>
#include <netinet/sctp_crc32.h>
#if defined(__FreeBSD__) && !defined(__Userspace__)
#include <netinet/sctp_kdtrace.h>
#endif
#if defined(INET) || defined(INET6)
#if !defined(_WIN32)
#include <netinet/udp.h>
#endif
#endif
#if defined(__FreeBSD__) && !defined(__Userspace__)
#include <sys/smp.h>
#endif

static void
sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
{
	struct sctp_nets *net;

	/* This now not only stops all cookie timers
	 * it also stops any INIT timers as well. This
	 * will make sure that the timers are stopped in
	 * all collision cases.
	 */
	SCTP_TCB_LOCK_ASSERT(stcb);
	TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
		if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
			sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
					stcb->sctp_ep,
					stcb,
					net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
		} else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
			sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
					stcb->sctp_ep,
					stcb,
					net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
		}
	}
}

/* INIT handler */
static void
sctp_handle_init(struct mbuf *m, int iphlen, int offset,
                 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
                 struct sctp_init_chunk *cp, struct sctp_inpcb *inp,
                 struct sctp_tcb *stcb, struct sctp_nets *net,
#if defined(__FreeBSD__) && !defined(__Userspace__)
                 uint8_t mflowtype, uint32_t mflowid,
#endif
                 uint32_t vrf_id, uint16_t port)
{
	struct sctp_init *init;
	struct mbuf *op_err;

	SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
		(void *)stcb);
	if (stcb == NULL) {
		SCTP_INP_RLOCK(inp);
	}
	/* Validate parameters */
	init = &cp->init;
	if (ntohl(init->initiate_tag) == 0) {
		goto outnow;
	}
	if ((ntohl(init->a_rwnd) < SCTP_MIN_RWND) ||
	    (ntohs(init->num_inbound_streams) == 0) ||
	    (ntohs(init->num_outbound_streams) == 0)) {
		/* protocol error... send abort */
		op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
		sctp_send_abort(m, iphlen, src, dst, sh, init->initiate_tag, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                mflowtype, mflowid, inp->fibnum,
#endif
		                vrf_id, port);
		goto outnow;
	}
	if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
					   offset + ntohs(cp->ch.chunk_length))) {
		/* auth parameter(s) error... send abort */
		op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
		                             "Problem with AUTH parameters");
		sctp_send_abort(m, iphlen, src, dst, sh, init->initiate_tag, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                mflowtype, mflowid, inp->fibnum,
#endif
		                vrf_id, port);
		goto outnow;
	}
	/* We are only accepting if we have a listening socket.*/
	if ((stcb == NULL) &&
	    ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
	     (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
	     (!SCTP_IS_LISTENING(inp)))) {
		/*
		 * FIX ME ?? What about TCP model and we have a
		 * match/restart case? Actually no fix is needed.
		 * the lookup will always find the existing assoc so stcb
		 * would not be NULL. It may be questionable to do this
		 * since we COULD just send back the INIT-ACK and hope that
		 * the app did accept()'s by the time the COOKIE was sent. But
		 * there is a price to pay for COOKIE generation and I don't
		 * want to pay it on the chance that the app will actually do
		 * some accepts(). The App just looses and should NOT be in
		 * this state :-)
		 */
		if (SCTP_BASE_SYSCTL(sctp_blackhole) == 0) {
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             "No listener");
			sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                mflowtype, mflowid, inp->fibnum,
#endif
			                vrf_id, port);
		}
		goto outnow;
	}
	if ((stcb != NULL) &&
	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT)) {
		SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending SHUTDOWN-ACK\n");
		sctp_send_shutdown_ack(stcb, NULL);
		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
	} else {
		SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
		sctp_send_initiate_ack(inp, stcb, net, m, iphlen, offset,
		                       src, dst, sh, cp,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                       mflowtype, mflowid,
#endif
		                       vrf_id, port);
	}
 outnow:
	if (stcb == NULL) {
		SCTP_INP_RUNLOCK(inp);
	}
}

/*
 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
 */

int
sctp_is_there_unsent_data(struct sctp_tcb *stcb, int so_locked)
{
	int unsent_data;
	unsigned int i;
	struct sctp_stream_queue_pending *sp;
	struct sctp_association *asoc;

	SCTP_TCB_LOCK_ASSERT(stcb);

	/* This function returns if any stream has true unsent data on it.
	 * Note that as it looks through it will clean up any places that
	 * have old data that has been sent but left at top of stream queue.
	 */
	asoc = &stcb->asoc;
	unsent_data = 0;
	if (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
		/* Check to see if some data queued */
		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
			/*sa_ignore FREED_MEMORY*/
			sp = TAILQ_FIRST(&stcb->asoc.strmout[i].outqueue);
			if (sp == NULL) {
				continue;
			}
			if ((sp->msg_is_complete) &&
			    (sp->length == 0) &&
			    (sp->sender_all_done)) {
				/* We are doing differed cleanup. Last
				 * time through when we took all the data
				 * the sender_all_done was not set.
				 */
				if (sp->put_last_out == 0) {
					SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
					SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
					            sp->sender_all_done,
					            sp->length,
					            sp->msg_is_complete,
					            sp->put_last_out);
				}
				atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
				TAILQ_REMOVE(&stcb->asoc.strmout[i].outqueue, sp, next);
				stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, &asoc->strmout[i], sp);
				if (sp->net) {
					sctp_free_remote_addr(sp->net);
					sp->net = NULL;
				}
				if (sp->data) {
					sctp_m_freem(sp->data);
					sp->data = NULL;
				}
				sctp_free_a_strmoq(stcb, sp, so_locked);
				if (!TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
					unsent_data++;
				}
			} else {
				unsent_data++;
			}
			if (unsent_data > 0) {
				break;
			}
		}
	}
	return (unsent_data);
}

static int
sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb)
{
	struct sctp_init *init;
	struct sctp_association *asoc;
	struct sctp_nets *lnet;
	unsigned int i;

	SCTP_TCB_LOCK_ASSERT(stcb);

	init = &cp->init;
	asoc = &stcb->asoc;
	/* save off parameters */
	asoc->peer_vtag = ntohl(init->initiate_tag);
	asoc->peers_rwnd = ntohl(init->a_rwnd);
	/* init tsn's */
	asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;

	if (!TAILQ_EMPTY(&asoc->nets)) {
		/* update any ssthresh's that may have a default */
		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
			lnet->ssthresh = asoc->peers_rwnd;
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE|SCTP_CWND_LOGGING_ENABLE)) {
				sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
			}
		}
	}
	if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
		unsigned int newcnt;
		struct sctp_stream_out *outs;
		struct sctp_stream_queue_pending *sp, *nsp;
		struct sctp_tmit_chunk *chk, *nchk;

		/* abandon the upper streams */
		newcnt = ntohs(init->num_inbound_streams);
		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
			if (chk->rec.data.sid >= newcnt) {
				TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next);
				asoc->send_queue_cnt--;
				if (asoc->strmout[chk->rec.data.sid].chunks_on_queues > 0) {
					asoc->strmout[chk->rec.data.sid].chunks_on_queues--;
#ifdef INVARIANTS
				} else {
					panic("No chunks on the queues for sid %u.", chk->rec.data.sid);
#endif
				}
				if (chk->data != NULL) {
					sctp_free_bufspace(stcb, asoc, chk, 1);
					sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb,
					                0, chk, SCTP_SO_NOT_LOCKED);
					if (chk->data) {
						sctp_m_freem(chk->data);
						chk->data = NULL;
					}
				}
				sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
				/*sa_ignore FREED_MEMORY*/
			}
		}
		if (asoc->strmout) {
			for (i = newcnt; i < asoc->pre_open_streams; i++) {
				outs = &asoc->strmout[i];
				TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) {
					atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
					TAILQ_REMOVE(&outs->outqueue, sp, next);
					stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, outs, sp);
					sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
					    stcb, 0, sp, SCTP_SO_NOT_LOCKED);
					if (sp->data) {
						sctp_m_freem(sp->data);
						sp->data = NULL;
					}
					if (sp->net) {
						sctp_free_remote_addr(sp->net);
						sp->net = NULL;
					}
					/* Free the chunk */
					sctp_free_a_strmoq(stcb, sp, SCTP_SO_NOT_LOCKED);
					/*sa_ignore FREED_MEMORY*/
				}
				outs->state = SCTP_STREAM_CLOSED;
			}
		}
		/* cut back the count */
		asoc->pre_open_streams = newcnt;
	}
	asoc->streamoutcnt = asoc->pre_open_streams;
	if (asoc->strmout) {
		for (i = 0; i < asoc->streamoutcnt; i++) {
			asoc->strmout[i].state = SCTP_STREAM_OPEN;
		}
	}
	/* EY - nr_sack: initialize highest tsn in nr_mapping_array */
	asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
		sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
	}
	/* This is the next one we expect */
	asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;

	asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
	asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in;

	asoc->advanced_peer_ack_point = asoc->last_acked_seq;
	/* open the requested streams */

	if (asoc->strmin != NULL) {
		/* Free the old ones */
		for (i = 0; i < asoc->streamincnt; i++) {
			sctp_clean_up_stream(stcb, &asoc->strmin[i].inqueue);
			sctp_clean_up_stream(stcb, &asoc->strmin[i].uno_inqueue);
		}
		SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
	}
	if (asoc->max_inbound_streams > ntohs(init->num_outbound_streams)) {
		asoc->streamincnt = ntohs(init->num_outbound_streams);
	} else {
		asoc->streamincnt = asoc->max_inbound_streams;
	}
	SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
		    sizeof(struct sctp_stream_in), SCTP_M_STRMI);
	if (asoc->strmin == NULL) {
		/* we didn't get memory for the streams! */
		SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
		return (-1);
	}
	for (i = 0; i < asoc->streamincnt; i++) {
		asoc->strmin[i].sid = i;
		asoc->strmin[i].last_mid_delivered = 0xffffffff;
		TAILQ_INIT(&asoc->strmin[i].inqueue);
		TAILQ_INIT(&asoc->strmin[i].uno_inqueue);
		asoc->strmin[i].pd_api_started = 0;
		asoc->strmin[i].delivery_started = 0;
	}
	/*
	 * load_address_from_init will put the addresses into the
	 * association when the COOKIE is processed or the INIT-ACK is
	 * processed. Both types of COOKIE's existing and new call this
	 * routine. It will remove addresses that are no longer in the
	 * association (for the restarting case where addresses are
	 * removed). Up front when the INIT arrives we will discard it if it
	 * is a restart and new addresses have been added.
	 */
	/* sa_ignore MEMLEAK */
	return (0);
}

/*
 * INIT-ACK message processing/consumption returns value < 0 on error
 */
static int
sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
                      struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
                      struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
                      struct sctp_nets *net, int *abort_no_unlock,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		      uint8_t mflowtype, uint32_t mflowid,
#endif
                      uint32_t vrf_id)
{
	struct sctp_association *asoc;
	struct mbuf *op_err;
	int retval, abort_flag, cookie_found;
	int initack_limit;
	int nat_friendly = 0;

	/* First verify that we have no illegal param's */
	abort_flag = 0;
	cookie_found = 0;

	op_err = sctp_arethere_unrecognized_parameters(m,
						       (offset + sizeof(struct sctp_init_chunk)),
						       &abort_flag, (struct sctp_chunkhdr *)cp,
						       &nat_friendly, &cookie_found);
	if (abort_flag) {
		/* Send an abort and notify peer */
		sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
		*abort_no_unlock = 1;
		return (-1);
	}
	if (!cookie_found) {
		uint16_t len;

		/* Only report the missing cookie parameter */
		if (op_err != NULL) {
			sctp_m_freem(op_err);
		}
		len = (uint16_t)(sizeof(struct sctp_error_missing_param) + sizeof(uint16_t));
		/* We abort with an error of missing mandatory param */
		op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
		if (op_err != NULL) {
			struct sctp_error_missing_param *cause;

			SCTP_BUF_LEN(op_err) = len;
			cause = mtod(op_err, struct sctp_error_missing_param *);
			/* Subtract the reserved param */
			cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM);
			cause->cause.length = htons(len);
			cause->num_missing_params = htonl(1);
			cause->type[0] = htons(SCTP_STATE_COOKIE);
		}
		sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
				       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
				       mflowtype, mflowid,
#endif
				       vrf_id, net->port);
		*abort_no_unlock = 1;
		return (-3);
	}
	asoc = &stcb->asoc;
	asoc->peer_supports_nat = (uint8_t)nat_friendly;
	/* process the peer's parameters in the INIT-ACK */
	if (sctp_process_init((struct sctp_init_chunk *)cp, stcb) < 0) {
		if (op_err != NULL) {
			sctp_m_freem(op_err);
		}
		op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
		SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
		sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
		                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                       mflowtype, mflowid,
#endif
		                       vrf_id, net->port);
		*abort_no_unlock = 1;
		return (-1);
	}
	initack_limit = offset + ntohs(cp->ch.chunk_length);
	/* load all addresses */
	if ((retval = sctp_load_addresses_from_init(stcb, m,
	                                            offset + sizeof(struct sctp_init_chunk),
	                                            initack_limit, src, dst, NULL, stcb->asoc.port)) < 0) {
		if (op_err != NULL) {
			sctp_m_freem(op_err);
		}
		op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
		                             "Problem with address parameters");
		SCTPDBG(SCTP_DEBUG_INPUT1,
		        "Load addresses from INIT causes an abort %d\n",
		        retval);
		sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
		                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                       mflowtype, mflowid,
#endif
		                       vrf_id, net->port);
		*abort_no_unlock = 1;
		return (-1);
	}
	/* if the peer doesn't support asconf, flush the asconf queue */
	if (asoc->asconf_supported == 0) {
		struct sctp_asconf_addr *param, *nparam;

		TAILQ_FOREACH_SAFE(param, &asoc->asconf_queue, next, nparam) {
			TAILQ_REMOVE(&asoc->asconf_queue, param, next);
			SCTP_FREE(param, SCTP_M_ASC_ADDR);
		}
	}

	stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
	    stcb->asoc.local_hmacs);
	if (op_err) {
		sctp_queue_op_err(stcb, op_err);
		/* queuing will steal away the mbuf chain to the out queue */
		op_err = NULL;
	}
	/* extract the cookie and queue it to "echo" it back... */
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
		sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
			       stcb->asoc.overall_error_count,
			       0,
			       SCTP_FROM_SCTP_INPUT,
			       __LINE__);
	}
	stcb->asoc.overall_error_count = 0;
	net->error_count = 0;

	/*
	 * Cancel the INIT timer, We do this first before queueing the
	 * cookie. We always cancel at the primary to assume that we are
	 * canceling the timer started by the INIT which always goes to the
	 * primary.
	 */
	sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
	    asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);

	/* calculate the RTO */
	sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered,
	                   SCTP_RTT_FROM_NON_DATA);
#if defined(__Userspace__)
	if (stcb->sctp_ep->recv_callback) {
		if (stcb->sctp_socket) {
			uint32_t inqueue_bytes, sb_free_now;
			struct sctp_inpcb *inp;

			inp = stcb->sctp_ep;
			inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
			sb_free_now = SCTP_SB_LIMIT_SND(stcb->sctp_socket) - (inqueue_bytes + stcb->asoc.sb_send_resv);

			/* check if the amount free in the send socket buffer crossed the threshold */
			if (inp->send_callback &&
			    (((inp->send_sb_threshold > 0) &&
			      (sb_free_now >= inp->send_sb_threshold) &&
			      (stcb->asoc.chunks_on_out_queue <= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) ||
			     (inp->send_sb_threshold == 0))) {
				atomic_add_int(&stcb->asoc.refcnt, 1);
				SCTP_TCB_UNLOCK(stcb);
				inp->send_callback(stcb->sctp_socket, sb_free_now, inp->ulp_info);
				SCTP_TCB_LOCK(stcb);
				atomic_subtract_int(&stcb->asoc.refcnt, 1);
			}
		}
	}
#endif
	retval = sctp_send_cookie_echo(m, offset, initack_limit, stcb, net);
	return (retval);
}

static void
sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	union sctp_sockstore store;
	struct sctp_nets *r_net, *f_net;
	struct timeval tv;
	int req_prim = 0;
	uint16_t old_error_counter;

	if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
		/* Invalid length */
		return;
	}

	memset(&store, 0, sizeof(store));
	switch (cp->heartbeat.hb_info.addr_family) {
#ifdef INET
	case AF_INET:
		if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
			store.sin.sin_family = cp->heartbeat.hb_info.addr_family;
#ifdef HAVE_SIN_LEN
			store.sin.sin_len = cp->heartbeat.hb_info.addr_len;
#endif
			store.sin.sin_port = stcb->rport;
			memcpy(&store.sin.sin_addr, cp->heartbeat.hb_info.address,
			       sizeof(store.sin.sin_addr));
		} else {
			return;
		}
		break;
#endif
#ifdef INET6
	case AF_INET6:
		if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
			store.sin6.sin6_family = cp->heartbeat.hb_info.addr_family;
#ifdef HAVE_SIN6_LEN
			store.sin6.sin6_len = cp->heartbeat.hb_info.addr_len;
#endif
			store.sin6.sin6_port = stcb->rport;
			memcpy(&store.sin6.sin6_addr, cp->heartbeat.hb_info.address, sizeof(struct in6_addr));
		} else {
			return;
		}
		break;
#endif
#if defined(__Userspace__)
	case AF_CONN:
		if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_conn)) {
			store.sconn.sconn_family = cp->heartbeat.hb_info.addr_family;
#ifdef HAVE_SCONN_LEN
			store.sconn.sconn_len = cp->heartbeat.hb_info.addr_len;
#endif
			store.sconn.sconn_port = stcb->rport;
			memcpy(&store.sconn.sconn_addr, cp->heartbeat.hb_info.address, sizeof(void *));
		} else {
			return;
		}
		break;
#endif
	default:
		return;
	}
	r_net = sctp_findnet(stcb, &store.sa);
	if (r_net == NULL) {
		SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
		return;
	}
	if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
	    (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
	    (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
		/*
		 * If the its a HB and it's random value is correct when can
		 * confirm the destination.
		 */
		r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
		if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
			stcb->asoc.primary_destination = r_net;
			r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
			f_net = TAILQ_FIRST(&stcb->asoc.nets);
			if (f_net != r_net) {
				/* first one on the list is NOT the primary
				 * sctp_cmpaddr() is much more efficient if
				 * the primary is the first on the list, make it
				 * so.
				 */
				TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next);
				TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next);
			}
			req_prim = 1;
		}
		sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
		    stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
		sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb,
		                r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
	}
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
		sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
			       stcb->asoc.overall_error_count,
			       0,
			       SCTP_FROM_SCTP_INPUT,
			       __LINE__);
	}
	stcb->asoc.overall_error_count = 0;
	old_error_counter = r_net->error_count;
	r_net->error_count = 0;
	r_net->hb_responded = 1;
	tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
	tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
	/* Now lets do a RTO with this */
	sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv,
	                   SCTP_RTT_FROM_NON_DATA);
	if ((r_net->dest_state & SCTP_ADDR_REACHABLE) == 0) {
		r_net->dest_state |= SCTP_ADDR_REACHABLE;
		sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
				0, (void *)r_net, SCTP_SO_NOT_LOCKED);
	}
	if (r_net->dest_state & SCTP_ADDR_PF) {
		r_net->dest_state &= ~SCTP_ADDR_PF;
		stcb->asoc.cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
	}
	if (old_error_counter > 0) {
		sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
		                stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
	}
	if (r_net == stcb->asoc.primary_destination) {
		if (stcb->asoc.alternate) {
			/* release the alternate, primary is good */
			sctp_free_remote_addr(stcb->asoc.alternate);
			stcb->asoc.alternate = NULL;
		}
	}
	/* Mobility adaptation */
	if (req_prim) {
		if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
		                                 SCTP_MOBILITY_BASE) ||
		    sctp_is_mobility_feature_on(stcb->sctp_ep,
		                                SCTP_MOBILITY_FASTHANDOFF)) &&
		    sctp_is_mobility_feature_on(stcb->sctp_ep,
		                                SCTP_MOBILITY_PRIM_DELETED)) {
			sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED,
			                stcb->sctp_ep, stcb, NULL,
			                SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
			if (sctp_is_mobility_feature_on(stcb->sctp_ep,
			                                SCTP_MOBILITY_FASTHANDOFF)) {
				sctp_assoc_immediate_retrans(stcb,
				                             stcb->asoc.primary_destination);
			}
			if (sctp_is_mobility_feature_on(stcb->sctp_ep,
				                        SCTP_MOBILITY_BASE)) {
				sctp_move_chunks_from_net(stcb,
				                          stcb->asoc.deleted_primary);
			}
			sctp_delete_prim_timer(stcb->sctp_ep, stcb);
		}
	}
}

static int
sctp_handle_nat_colliding_state(struct sctp_tcb *stcb)
{
	/*
	 * Return 0 means we want you to proceed with the abort
	 * non-zero means no abort processing.
	 */
	uint32_t new_vtag;
	struct sctpasochead *head;

	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_INP_INFO_WLOCK();
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
	} else {
		return (0);
	}
	new_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
	if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) {
		/* generate a new vtag and send init */
		LIST_REMOVE(stcb, sctp_asocs);
		stcb->asoc.my_vtag = new_vtag;
		head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
		/* put it in the bucket in the vtag hash of assoc's for the system */
		LIST_INSERT_HEAD(head, stcb, sctp_asocs);
		SCTP_INP_INFO_WUNLOCK();
		sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
		return (1);
	} else {
		/* treat like a case where the cookie expired i.e.:
		* - dump current cookie.
		* - generate a new vtag.
		* - resend init.
		*/
		/* generate a new vtag and send init */
		LIST_REMOVE(stcb, sctp_asocs);
		SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
		sctp_stop_all_cookie_timers(stcb);
		sctp_toss_old_cookies(stcb, &stcb->asoc);
		stcb->asoc.my_vtag = new_vtag;
		head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
		/* put it in the bucket in the vtag hash of assoc's for the system */
		LIST_INSERT_HEAD(head, stcb, sctp_asocs);
		SCTP_INP_INFO_WUNLOCK();
		sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
		return (1);
	}
	return (0);
}

static int
sctp_handle_nat_missing_state(struct sctp_tcb *stcb,
			      struct sctp_nets *net)
{
	/* return 0 means we want you to proceed with the abort
	 * non-zero means no abort processing
	 */
	if (stcb->asoc.auth_supported == 0) {
		SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n");
		return (0);
	}
	sctp_asconf_send_nat_state_update(stcb, net);
	return (1);
}

/* Returns 1 if the stcb was aborted, 0 otherwise */
static int
sctp_handle_abort(struct sctp_abort_chunk *abort,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;
#endif
	uint16_t len;
	uint16_t error;

	SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
	if (stcb == NULL)
		return (0);

	len = ntohs(abort->ch.chunk_length);
	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_error_cause)) {
		/* Need to check the cause codes for our
		 * two magic nat aborts which don't kill the assoc
		 * necessarily.
		 */
		struct sctp_error_cause *cause;

		cause = (struct sctp_error_cause *)(abort + 1);
		error = ntohs(cause->code);
		if (error == SCTP_CAUSE_NAT_COLLIDING_STATE) {
			SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state, ABORT flags:%x\n",
			                           abort->ch.chunk_flags);
			if (sctp_handle_nat_colliding_state(stcb)) {
				return (0);
			}
		} else if (error == SCTP_CAUSE_NAT_MISSING_STATE) {
			SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state, ABORT flags:%x\n",
			                           abort->ch.chunk_flags);
			if (sctp_handle_nat_missing_state(stcb, net)) {
				return (0);
			}
		}
	} else {
		error = 0;
	}
	/* stop any receive timers */
	sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL,
	                SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
	/* notify user of the abort and clean up... */
	sctp_abort_notification(stcb, true, false, error, abort, SCTP_SO_NOT_LOCKED);
	/* free the tcb */
	SCTP_STAT_INCR_COUNTER32(sctps_aborted);
	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
	    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
		SCTP_STAT_DECR_GAUGE32(sctps_currestab);
	}
#ifdef SCTP_ASOCLOG_OF_TSNS
	sctp_print_out_track_log(stcb);
#endif
#if defined(__APPLE__) && !defined(__Userspace__)
	so = SCTP_INP_SO(stcb->sctp_ep);
	atomic_add_int(&stcb->asoc.refcnt, 1);
	SCTP_TCB_UNLOCK(stcb);
	SCTP_SOCKET_LOCK(so, 1);
	SCTP_TCB_LOCK(stcb);
	atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
	(void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
			      SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
#if defined(__APPLE__) && !defined(__Userspace__)
	SCTP_SOCKET_UNLOCK(so, 1);
#endif
	SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
	return (1);
}

static void
sctp_start_net_timers(struct sctp_tcb *stcb)
{
	uint32_t cnt_hb_sent;
	struct sctp_nets *net;

	cnt_hb_sent = 0;
	TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
		/* For each network start:
		 * 1) A pmtu timer.
		 * 2) A HB timer
		 * 3) If the dest in unconfirmed send
		 *    a hb as well if under max_hb_burst have
		 *    been sent.
		 */
		sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net);
		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
		if ((net->dest_state & SCTP_ADDR_UNCONFIRMED) &&
		    (cnt_hb_sent < SCTP_BASE_SYSCTL(sctp_hb_maxburst))) {
			sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
			cnt_hb_sent++;
		}
	}
	if (cnt_hb_sent) {
		sctp_chunk_output(stcb->sctp_ep, stcb,
				  SCTP_OUTPUT_FROM_COOKIE_ACK,
				  SCTP_SO_NOT_LOCKED);
	}
}

static void
sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
{
	struct sctp_association *asoc;
	int some_on_streamwheel;
	int old_state;
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;
#endif

	SCTPDBG(SCTP_DEBUG_INPUT2,
		"sctp_handle_shutdown: handling SHUTDOWN\n");
	if (stcb == NULL)
		return;
	asoc = &stcb->asoc;
	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
		return;
	}
	if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
		/* Shutdown NOT the expected size */
		return;
	}
	old_state = SCTP_GET_STATE(stcb);
	sctp_update_acked(stcb, cp, abort_flag);
	if (*abort_flag) {
		return;
	}
	if (asoc->control_pdapi) {
		/* With a normal shutdown
		 * we assume the end of last record.
		 */
		SCTP_INP_READ_LOCK(stcb->sctp_ep);
		if (asoc->control_pdapi->on_strm_q) {
			struct sctp_stream_in *strm;

			strm = &asoc->strmin[asoc->control_pdapi->sinfo_stream];
			if (asoc->control_pdapi->on_strm_q == SCTP_ON_UNORDERED) {
				/* Unordered */
				TAILQ_REMOVE(&strm->uno_inqueue, asoc->control_pdapi, next_instrm);
				asoc->control_pdapi->on_strm_q = 0;
			} else if (asoc->control_pdapi->on_strm_q == SCTP_ON_ORDERED) {
				/* Ordered */
				TAILQ_REMOVE(&strm->inqueue, asoc->control_pdapi, next_instrm);
				asoc->control_pdapi->on_strm_q = 0;
#ifdef INVARIANTS
			} else {
				panic("Unknown state on ctrl:%p on_strm_q:%d",
				      asoc->control_pdapi,
				      asoc->control_pdapi->on_strm_q);
#endif
			}
		}
		asoc->control_pdapi->end_added = 1;
		asoc->control_pdapi->pdapi_aborted = 1;
		asoc->control_pdapi = NULL;
		SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
#if defined(__APPLE__) && !defined(__Userspace__)
		so = SCTP_INP_SO(stcb->sctp_ep);
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
			/* assoc was freed while we were unlocked */
			SCTP_SOCKET_UNLOCK(so, 1);
			return;
		}
#endif
		if (stcb->sctp_socket) {
			sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
		}
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
	}
	/* goto SHUTDOWN_RECEIVED state to block new requests */
	if (stcb->sctp_socket) {
		if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
		    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
		    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT)) {
			SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_RECEIVED);
			/* notify upper layer that peer has initiated a shutdown */
			sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);

			/* reset time */
			(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
		}
	}
	if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) {
		/*
		 * stop the shutdown timer, since we WILL move to
		 * SHUTDOWN-ACK-SENT.
		 */
		sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
		                net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
	}
	/* Now is there unsent data on a stream somewhere? */
	some_on_streamwheel = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED);

	if (!TAILQ_EMPTY(&asoc->send_queue) ||
	    !TAILQ_EMPTY(&asoc->sent_queue) ||
	    some_on_streamwheel) {
		/* By returning we will push more data out */
		return;
	} else {
		/* no outstanding data to send, so move on... */
		/* send SHUTDOWN-ACK */
		/* move to SHUTDOWN-ACK-SENT state */
		if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
		    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
			SCTP_STAT_DECR_GAUGE32(sctps_currestab);
		}
		if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
			SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_ACK_SENT);
			sctp_stop_timers_for_shutdown(stcb);
			sctp_send_shutdown_ack(stcb, net);
			sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
			                 stcb->sctp_ep, stcb, net);
		} else if (old_state == SCTP_STATE_SHUTDOWN_ACK_SENT) {
			sctp_send_shutdown_ack(stcb, net);
		}
	}
}

static void
sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp SCTP_UNUSED,
                         struct sctp_tcb *stcb,
                         struct sctp_nets *net)
{
	struct sctp_association *asoc;
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;

	so = SCTP_INP_SO(stcb->sctp_ep);
#endif
	SCTPDBG(SCTP_DEBUG_INPUT2,
		"sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
	if (stcb == NULL)
		return;

	asoc = &stcb->asoc;
	/* process according to association state */
	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
		/* unexpected SHUTDOWN-ACK... do OOTB handling... */
		sctp_send_shutdown_complete(stcb, net, 1);
		SCTP_TCB_UNLOCK(stcb);
		return;
	}
	if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
	    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
		/* unexpected SHUTDOWN-ACK... so ignore... */
		SCTP_TCB_UNLOCK(stcb);
		return;
	}
	if (asoc->control_pdapi) {
		/* With a normal shutdown
		 * we assume the end of last record.
		 */
		SCTP_INP_READ_LOCK(stcb->sctp_ep);
		asoc->control_pdapi->end_added = 1;
		asoc->control_pdapi->pdapi_aborted = 1;
		asoc->control_pdapi = NULL;
		SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
#if defined(__APPLE__) && !defined(__Userspace__)
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
			/* assoc was freed while we were unlocked */
			SCTP_SOCKET_UNLOCK(so, 1);
			return;
		}
#endif
		sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
	}
#ifdef INVARIANTS
	if (!TAILQ_EMPTY(&asoc->send_queue) ||
	    !TAILQ_EMPTY(&asoc->sent_queue) ||
	    sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED)) {
		panic("Queues are not empty when handling SHUTDOWN-ACK");
	}
#endif
	/* stop the timer */
	sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net,
	                SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
	/* send SHUTDOWN-COMPLETE */
	sctp_send_shutdown_complete(stcb, net, 0);
	/* notify upper layer protocol */
	if (stcb->sctp_socket) {
		if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
		    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
			SCTP_SB_CLEAR(stcb->sctp_socket->so_snd);
		}
		sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
	}
	SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
	/* free the TCB but first save off the ep */
#if defined(__APPLE__) && !defined(__Userspace__)
	atomic_add_int(&stcb->asoc.refcnt, 1);
	SCTP_TCB_UNLOCK(stcb);
	SCTP_SOCKET_LOCK(so, 1);
	SCTP_TCB_LOCK(stcb);
	atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
	(void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
			      SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
#if defined(__APPLE__) && !defined(__Userspace__)
	SCTP_SOCKET_UNLOCK(so, 1);
#endif
}

static void
sctp_process_unrecog_chunk(struct sctp_tcb *stcb, uint8_t chunk_type)
{
	switch (chunk_type) {
	case SCTP_ASCONF_ACK:
	case SCTP_ASCONF:
		sctp_asconf_cleanup(stcb);
		break;
	case SCTP_IFORWARD_CUM_TSN:
	case SCTP_FORWARD_CUM_TSN:
		stcb->asoc.prsctp_supported = 0;
		break;
	default:
		SCTPDBG(SCTP_DEBUG_INPUT2,
			"Peer does not support chunk type %d (0x%x).\n",
			chunk_type, chunk_type);
		break;
	}
}

/*
 * Skip past the param header and then we will find the param that caused the
 * problem.  There are a number of param's in a ASCONF OR the prsctp param
 * these will turn of specific features.
 * XXX: Is this the right thing to do?
 */
static void
sctp_process_unrecog_param(struct sctp_tcb *stcb, uint16_t parameter_type)
{
	switch (parameter_type) {
		/* pr-sctp draft */
	case SCTP_PRSCTP_SUPPORTED:
		stcb->asoc.prsctp_supported = 0;
		break;
	case SCTP_SUPPORTED_CHUNK_EXT:
		break;
		/* draft-ietf-tsvwg-addip-sctp */
	case SCTP_HAS_NAT_SUPPORT:
	        stcb->asoc.peer_supports_nat = 0;
	        break;
	case SCTP_ADD_IP_ADDRESS:
	case SCTP_DEL_IP_ADDRESS:
	case SCTP_SET_PRIM_ADDR:
		stcb->asoc.asconf_supported = 0;
		break;
	case SCTP_SUCCESS_REPORT:
	case SCTP_ERROR_CAUSE_IND:
		SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
		SCTPDBG(SCTP_DEBUG_INPUT2,
			"Turning off ASCONF to this strange peer\n");
		stcb->asoc.asconf_supported = 0;
		break;
	default:
		SCTPDBG(SCTP_DEBUG_INPUT2,
			"Peer does not support param type %d (0x%x)??\n",
			parameter_type, parameter_type);
		break;
	}
}

static int
sctp_handle_error(struct sctp_chunkhdr *ch,
                  struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
{
	struct sctp_error_cause *cause;
	struct sctp_association *asoc;
	uint32_t remaining_length, adjust;
	uint16_t code, cause_code, cause_length;
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;
#endif

	/* parse through all of the errors and process */
	asoc = &stcb->asoc;
	cause = (struct sctp_error_cause *)((caddr_t)ch +
	    sizeof(struct sctp_chunkhdr));
	remaining_length = ntohs(ch->chunk_length);
	if (remaining_length > limit) {
		remaining_length = limit;
	}
	if (remaining_length >= sizeof(struct sctp_chunkhdr)) {
		remaining_length -= sizeof(struct sctp_chunkhdr);
	} else {
		remaining_length = 0;
	}
	code = 0;
	while (remaining_length >= sizeof(struct sctp_error_cause)) {
		/* Process an Error Cause */
		cause_code = ntohs(cause->code);
		cause_length = ntohs(cause->length);
		if ((cause_length > remaining_length) || (cause_length == 0)) {
			/* Invalid cause length, possibly due to truncation. */
			SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in cause - bytes left: %u cause length: %u\n",
				remaining_length, cause_length);
			return (0);
		}
		if (code == 0) {
			/* report the first error cause */
			code = cause_code;
		}
		switch (cause_code) {
		case SCTP_CAUSE_INVALID_STREAM:
		case SCTP_CAUSE_MISSING_PARAM:
		case SCTP_CAUSE_INVALID_PARAM:
		case SCTP_CAUSE_NO_USER_DATA:
			SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %u back? We have a bug :/ (or do they?)\n",
				cause_code);
			break;
		case SCTP_CAUSE_NAT_COLLIDING_STATE:
			SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state, ERROR flags: %x\n",
				ch->chunk_flags);
			if (sctp_handle_nat_colliding_state(stcb)) {
				return (0);
			}
			break;
		case SCTP_CAUSE_NAT_MISSING_STATE:
			SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state, ERROR flags: %x\n",
			                           ch->chunk_flags);
			if (sctp_handle_nat_missing_state(stcb, net)) {
				return (0);
			}
			break;
		case SCTP_CAUSE_STALE_COOKIE:
			/*
			 * We only act if we have echoed a cookie and are
			 * waiting.
			 */
			if ((cause_length >= sizeof(struct sctp_error_stale_cookie)) &&
			    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
				struct sctp_error_stale_cookie *stale_cookie;

				stale_cookie = (struct sctp_error_stale_cookie *)cause;
				/* stable_time is in usec, convert to msec. */
				asoc->cookie_preserve_req = ntohl(stale_cookie->stale_time) / 1000;
				/* Double it to be more robust on RTX. */
				asoc->cookie_preserve_req *= 2;
				asoc->stale_cookie_count++;
				if (asoc->stale_cookie_count >
				    asoc->max_init_times) {
					sctp_abort_notification(stcb, false, true, 0, NULL, SCTP_SO_NOT_LOCKED);
					/* now free the asoc */
#if defined(__APPLE__) && !defined(__Userspace__)
					so = SCTP_INP_SO(stcb->sctp_ep);
					atomic_add_int(&stcb->asoc.refcnt, 1);
					SCTP_TCB_UNLOCK(stcb);
					SCTP_SOCKET_LOCK(so, 1);
					SCTP_TCB_LOCK(stcb);
					atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
					(void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
							      SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
#if defined(__APPLE__) && !defined(__Userspace__)
					SCTP_SOCKET_UNLOCK(so, 1);
#endif
					return (-1);
				}
				/* blast back to INIT state */
				sctp_toss_old_cookies(stcb, &stcb->asoc);
				SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
				sctp_stop_all_cookie_timers(stcb);
				sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
			}
			break;
		case SCTP_CAUSE_UNRESOLVABLE_ADDR:
			/*
			 * Nothing we can do here, we don't do hostname
			 * addresses so if the peer does not like my IPv6
			 * (or IPv4 for that matter) it does not matter. If
			 * they don't support that type of address, they can
			 * NOT possibly get that packet type... i.e. with no
			 * IPv6 you can't receive a IPv6 packet. so we can
			 * safely ignore this one. If we ever added support
			 * for HOSTNAME Addresses, then we would need to do
			 * something here.
			 */
			break;
		case SCTP_CAUSE_UNRECOG_CHUNK:
			if (cause_length >= sizeof(struct sctp_error_unrecognized_chunk)) {
				struct sctp_error_unrecognized_chunk *unrec_chunk;

				unrec_chunk = (struct sctp_error_unrecognized_chunk *)cause;
				sctp_process_unrecog_chunk(stcb, unrec_chunk->ch.chunk_type);
			}
			break;
		case SCTP_CAUSE_UNRECOG_PARAM:
			/* XXX: We only consider the first parameter */
			if (cause_length >= sizeof(struct sctp_error_cause) + sizeof(struct sctp_paramhdr)) {
				struct sctp_paramhdr *unrec_parameter;

				unrec_parameter = (struct sctp_paramhdr *)(cause + 1);
				sctp_process_unrecog_param(stcb, ntohs(unrec_parameter->param_type));
			}
			break;
		case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
			/*
			 * We ignore this since the timer will drive out a
			 * new cookie anyway and there timer will drive us
			 * to send a SHUTDOWN_COMPLETE. We can't send one
			 * here since we don't have their tag.
			 */
			break;
		case SCTP_CAUSE_DELETING_LAST_ADDR:
		case SCTP_CAUSE_RESOURCE_SHORTAGE:
		case SCTP_CAUSE_DELETING_SRC_ADDR:
			/*
			 * We should NOT get these here, but in a
			 * ASCONF-ACK.
			 */
			SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a error cause with code %u.\n",
				cause_code);
			break;
		case SCTP_CAUSE_OUT_OF_RESC:
			/*
			 * And what, pray tell do we do with the fact that
			 * the peer is out of resources? Not really sure we
			 * could do anything but abort. I suspect this
			 * should have came WITH an abort instead of in a
			 * OP-ERROR.
			 */
			break;
		default:
			SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown code 0x%x\n",
				cause_code);
			break;
		}
		adjust = SCTP_SIZE32(cause_length);
		if (remaining_length >= adjust) {
			remaining_length -= adjust;
		} else {
			remaining_length = 0;
		}
		cause = (struct sctp_error_cause *)((caddr_t)cause + adjust);
	}
	sctp_ulp_notify(SCTP_NOTIFY_REMOTE_ERROR, stcb, code, ch, SCTP_SO_NOT_LOCKED);
	return (0);
}

static int
sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
                     struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
                     struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
                     struct sctp_nets *net, int *abort_no_unlock,
#if defined(__FreeBSD__) && !defined(__Userspace__)
                     uint8_t mflowtype, uint32_t mflowid,
#endif
                     uint32_t vrf_id)
{
	struct sctp_init_ack *init_ack;
	struct mbuf *op_err;

	SCTPDBG(SCTP_DEBUG_INPUT2,
		"sctp_handle_init_ack: handling INIT-ACK\n");

	if (stcb == NULL) {
		SCTPDBG(SCTP_DEBUG_INPUT2,
			"sctp_handle_init_ack: TCB is null\n");
		return (-1);
	}
	/* Only process the INIT-ACK chunk in COOKIE WAIT state.*/
	if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) {
		init_ack = &cp->init;
		/* Validate parameters. */
		if ((ntohl(init_ack->initiate_tag) == 0) ||
		    (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) ||
		    (ntohs(init_ack->num_inbound_streams) == 0) ||
		    (ntohs(init_ack->num_outbound_streams) == 0)) {
			/* One of the mandatory parameters is illegal. */
			op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
			sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
			                       src, dst, sh, op_err,
	#if defined(__FreeBSD__) && !defined(__Userspace__)
			                       mflowtype, mflowid,
	#endif
			                       vrf_id, net->port);
			*abort_no_unlock = 1;
			return (-1);
		}
		if (stcb->asoc.primary_destination->dest_state &
		    SCTP_ADDR_UNCONFIRMED) {
			/*
			 * The primary is where we sent the INIT, we can
			 * always consider it confirmed when the INIT-ACK is
			 * returned. Do this before we load addresses
			 * though.
			 */
			stcb->asoc.primary_destination->dest_state &=
			    ~SCTP_ADDR_UNCONFIRMED;
			sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
			    stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
		}
		if (sctp_process_init_ack(m, iphlen, offset, src, dst, sh, cp, stcb,
		                          net, abort_no_unlock,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                          mflowtype, mflowid,
#endif
		                          vrf_id) < 0) {
			/* error in parsing parameters */
			return (-1);
		}
		/* Update our state. */
		SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
		SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_ECHOED);

		/* Reset the RTO calculation. */
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
			sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
			               stcb->asoc.overall_error_count,
			               0,
			               SCTP_FROM_SCTP_INPUT,
			               __LINE__);
		}
		stcb->asoc.overall_error_count = 0;
		(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
		/*
		 * Collapse the init timer back in case of a exponential
		 * backoff.
		 */
		sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
		    stcb, net);
		/*
		 * The output routine at the end of the inbound data processing
		 * will cause the cookie to be sent.
		 */
		SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
		return (0);
	} else {
		return (-1);
	}
}

static struct sctp_tcb *
sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
    struct sockaddr *src, struct sockaddr *dst,
    struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
    struct sctp_inpcb *inp, struct sctp_nets **netp,
    struct sockaddr *init_src, int *notification,
    int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
#if defined(__FreeBSD__) && !defined(__Userspace__)
    uint8_t mflowtype, uint32_t mflowid,
#endif
    uint32_t vrf_id, uint16_t port);

/*
 * handle a state cookie for an existing association m: input packet mbuf
 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
 * "split" mbuf and the cookie signature does not exist offset: offset into
 * mbuf to the cookie-echo chunk
 */
static struct sctp_tcb *
sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
    struct sockaddr *src, struct sockaddr *dst,
    struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
    struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp,
    struct sockaddr *init_src, int *notification,
    int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
#if defined(__FreeBSD__) && !defined(__Userspace__)
    uint8_t mflowtype, uint32_t mflowid,
#endif
    uint32_t vrf_id, uint16_t port)
{
	struct sctp_association *asoc;
	struct sctp_init_chunk *init_cp, init_buf;
	struct sctp_init_ack_chunk *initack_cp, initack_buf;
	struct sctp_asconf_addr *aparam, *naparam;
	struct sctp_asconf_ack *aack, *naack;
	struct sctp_tmit_chunk *chk, *nchk;
	struct sctp_stream_reset_list *strrst, *nstrrst;
	struct sctp_queued_to_read *sq, *nsq;
	struct sctp_nets *net;
	struct mbuf *op_err;
	struct timeval old;
	int init_offset, initack_offset, i;
	int retval;
	int spec_flag = 0;
	uint32_t how_indx;
#if defined(SCTP_DETAILED_STR_STATS)
	int j;
#endif

	net = *netp;
	/* I know that the TCB is non-NULL from the caller */
	asoc = &stcb->asoc;
	for (how_indx = 0; how_indx  < sizeof(asoc->cookie_how); how_indx++) {
		if (asoc->cookie_how[how_indx] == 0)
			break;
	}
	if (how_indx < sizeof(asoc->cookie_how)) {
		asoc->cookie_how[how_indx] = 1;
	}
	if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
		/* SHUTDOWN came in after sending INIT-ACK */
		sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
		op_err = sctp_generate_cause(SCTP_CAUSE_COOKIE_IN_SHUTDOWN, "");
		sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                   mflowtype, mflowid, inp->fibnum,
#endif
		                   vrf_id, net->port);
		if (how_indx < sizeof(asoc->cookie_how))
			asoc->cookie_how[how_indx] = 2;
		SCTP_TCB_UNLOCK(stcb);
		return (NULL);
	}
	/*
	 * find and validate the INIT chunk in the cookie (peer's info) the
	 * INIT should start after the cookie-echo header struct (chunk
	 * header, state cookie header struct)
	 */
	init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);

	init_cp = (struct sctp_init_chunk *)
		sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
			      (uint8_t *) & init_buf);
	if (init_cp == NULL) {
		/* could not pull a INIT chunk in cookie */
		SCTP_TCB_UNLOCK(stcb);
		return (NULL);
	}
	if (init_cp->ch.chunk_type != SCTP_INITIATION) {
		SCTP_TCB_UNLOCK(stcb);
		return (NULL);
	}
	/*
	 * find and validate the INIT-ACK chunk in the cookie (my info) the
	 * INIT-ACK follows the INIT chunk
	 */
	initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
	initack_cp = (struct sctp_init_ack_chunk *)
		sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
			      (uint8_t *) & initack_buf);
	if (initack_cp == NULL) {
		/* could not pull INIT-ACK chunk in cookie */
		SCTP_TCB_UNLOCK(stcb);
		return (NULL);
	}
	if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
		SCTP_TCB_UNLOCK(stcb);
		return (NULL);
	}
	if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
	    (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
		/*
		 * case D in Section 5.2.4 Table 2: MMAA process accordingly
		 * to get into the OPEN state
		 */
		if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
			/*-
			 * Opps, this means that we somehow generated two vtag's
			 * the same. I.e. we did:
			 *  Us               Peer
			 *   <---INIT(tag=a)------
			 *   ----INIT-ACK(tag=t)-->
			 *   ----INIT(tag=t)------> *1
			 *   <---INIT-ACK(tag=a)---
			 *   <----CE(tag=t)------------- *2
			 *
			 * At point *1 we should be generating a different
			 * tag t'. Which means we would throw away the CE and send
			 * ours instead. Basically this is case C (throw away side).
			 */
			if (how_indx < sizeof(asoc->cookie_how))
				asoc->cookie_how[how_indx] = 17;
			SCTP_TCB_UNLOCK(stcb);
			return (NULL);
		}
		switch (SCTP_GET_STATE(stcb)) {
			case SCTP_STATE_COOKIE_WAIT:
			case SCTP_STATE_COOKIE_ECHOED:
				/*
				 * INIT was sent but got a COOKIE_ECHO with the
				 * correct tags... just accept it...but we must
				 * process the init so that we can make sure we
				 * have the right seq no's.
				 */
				/* First we must process the INIT !! */
				if (sctp_process_init(init_cp, stcb) < 0) {
					if (how_indx < sizeof(asoc->cookie_how))
						asoc->cookie_how[how_indx] = 3;
					op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
					SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
					sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
					                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
					                       mflowtype, mflowid,
#endif
					                       vrf_id, net->port);
					return (NULL);
				}
				/* we have already processed the INIT so no problem */
				sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp,
				                stcb, net,
				                SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
				sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp,
				                stcb, net,
				                SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
				/* update current state */
				if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)
					SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
				else
					SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);

				SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
				if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
					                 stcb->sctp_ep, stcb, NULL);
				}
				SCTP_STAT_INCR_GAUGE32(sctps_currestab);
				sctp_stop_all_cookie_timers(stcb);
				if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
				     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
				    (!SCTP_IS_LISTENING(inp))) {
#if defined(__APPLE__) && !defined(__Userspace__)
					struct socket *so;
#endif
					/*
					 * Here is where collision would go if we
					 * did a connect() and instead got a
					 * init/init-ack/cookie done before the
					 * init-ack came back..
					 */
					sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
#if defined(__APPLE__) && !defined(__Userspace__)
					so = SCTP_INP_SO(stcb->sctp_ep);
					atomic_add_int(&stcb->asoc.refcnt, 1);
					SCTP_TCB_UNLOCK(stcb);
					SCTP_SOCKET_LOCK(so, 1);
					SCTP_TCB_LOCK(stcb);
					atomic_subtract_int(&stcb->asoc.refcnt, 1);
					if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
						SCTP_TCB_UNLOCK(stcb);
						SCTP_SOCKET_UNLOCK(so, 1);
						return (NULL);
					}
#endif
					soisconnected(stcb->sctp_socket);
#if defined(__APPLE__) && !defined(__Userspace__)
					SCTP_SOCKET_UNLOCK(so, 1);
#endif
				}
				/* notify upper layer */
				*notification = SCTP_NOTIFY_ASSOC_UP;
				/*
				 * since we did not send a HB make sure we
				 * don't double things
				 */
				old.tv_sec = cookie->time_entered.tv_sec;
				old.tv_usec = cookie->time_entered.tv_usec;
				net->hb_responded = 1;
				sctp_calculate_rto(stcb, asoc, net, &old,
				                   SCTP_RTT_FROM_NON_DATA);

				if (stcb->asoc.sctp_autoclose_ticks &&
				    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
					sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
					                 inp, stcb, NULL);
				}
				break;
			default:
				/*
				 * we're in the OPEN state (or beyond), so
				 * peer must have simply lost the COOKIE-ACK
				 */
				break;
		}	/* end switch */
		sctp_stop_all_cookie_timers(stcb);
		if ((retval = sctp_load_addresses_from_init(stcb, m,
			                                    init_offset + sizeof(struct sctp_init_chunk),
			                                    initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) {
			if (how_indx < sizeof(asoc->cookie_how))
				asoc->cookie_how[how_indx] = 4;
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             "Problem with address parameters");
			SCTPDBG(SCTP_DEBUG_INPUT1,
			        "Load addresses from INIT causes an abort %d\n",
			        retval);
			sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
			                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                       mflowtype, mflowid,
#endif
			                       vrf_id, net->port);
			return (NULL);
		}
		/* respond with a COOKIE-ACK */
		sctp_toss_old_cookies(stcb, asoc);
		sctp_send_cookie_ack(stcb);
		if (how_indx < sizeof(asoc->cookie_how))
			asoc->cookie_how[how_indx] = 5;
		return (stcb);
	}

	if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
	    ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
	    cookie->tie_tag_my_vtag == 0 &&
	    cookie->tie_tag_peer_vtag == 0) {
		/*
		 * case C in Section 5.2.4 Table 2: XMOO silently discard
		 */
		if (how_indx < sizeof(asoc->cookie_how))
			asoc->cookie_how[how_indx] = 6;
		SCTP_TCB_UNLOCK(stcb);
		return (NULL);
	}
	/* If nat support, and the below and stcb is established,
	 * send back a ABORT(colliding state) if we are established.
	 */
	if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) &&
	    (asoc->peer_supports_nat) &&
	    ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
	    ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
	     (asoc->peer_vtag == 0)))) {
		/* Special case - Peer's support nat. We may have
		 * two init's that we gave out the same tag on since
		 * one was not established.. i.e. we get INIT from host-1
		 * behind the nat and we respond tag-a, we get a INIT from
		 * host-2 behind the nat and we get tag-a again. Then we
		 * bring up host-1 (or 2's) assoc, Then comes the cookie
		 * from hsot-2 (or 1). Now we have colliding state. We must
		 * send an abort here with colliding state indication.
		 */
		op_err = sctp_generate_cause(SCTP_CAUSE_NAT_COLLIDING_STATE, "");
		sctp_send_abort(m, iphlen,  src, dst, sh, 0, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                mflowtype, mflowid, inp->fibnum,
#endif
		                vrf_id, port);
		SCTP_TCB_UNLOCK(stcb);
		return (NULL);
	}
	if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
	    ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
	     (asoc->peer_vtag == 0))) {
		/*
		 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
		 * should be ok, re-accept peer info
		 */
		if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
			/* Extension of case C.
			 * If we hit this, then the random number
			 * generator returned the same vtag when we
			 * first sent our INIT-ACK and when we later sent
			 * our INIT. The side with the seq numbers that are
			 * different will be the one that normally would
			 * have hit case C. This in effect "extends" our vtags
			 * in this collision case to be 64 bits. The same collision
			 * could occur aka you get both vtag and seq number the
			 * same twice in a row.. but is much less likely. If it
			 * did happen then we would proceed through and bring
			 * up the assoc.. we may end up with the wrong stream
			 * setup however.. which would be bad.. but there is
			 * no way to tell.. until we send on a stream that does
			 * not exist :-)
			 */
			if (how_indx < sizeof(asoc->cookie_how))
				asoc->cookie_how[how_indx] = 7;

			SCTP_TCB_UNLOCK(stcb);
			return (NULL);
		}
		if (how_indx < sizeof(asoc->cookie_how))
			asoc->cookie_how[how_indx] = 8;
		sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
		                SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
		sctp_stop_all_cookie_timers(stcb);
		/*
		 * since we did not send a HB make sure we don't double
		 * things
		 */
		net->hb_responded = 1;
		if (stcb->asoc.sctp_autoclose_ticks &&
		    sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
			sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
			                 NULL);
		}
		asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
		if (asoc->pre_open_streams < asoc->streamoutcnt) {
			asoc->pre_open_streams = asoc->streamoutcnt;
		}

		if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
			/* Ok the peer probably discarded our
			 * data (if we echoed a cookie+data). So anything
			 * on the sent_queue should be marked for
			 * retransmit, we may not get something to
			 * kick us so it COULD still take a timeout
			 * to move these.. but it can't hurt to mark them.
			 */

			TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
				if (chk->sent < SCTP_DATAGRAM_RESEND) {
					chk->sent = SCTP_DATAGRAM_RESEND;
					sctp_flight_size_decrease(chk);
					sctp_total_flight_decrease(stcb, chk);
					sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
					spec_flag++;
				}
			}
		}
		/* process the INIT info (peer's info) */
		if (sctp_process_init(init_cp, stcb) < 0) {
			if (how_indx < sizeof(asoc->cookie_how))
				asoc->cookie_how[how_indx] = 9;
			op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
			SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
			sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
			                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                       mflowtype, mflowid,
#endif
			                       vrf_id, net->port);
			return (NULL);
		}
		if ((retval = sctp_load_addresses_from_init(stcb, m,
		                                            init_offset + sizeof(struct sctp_init_chunk),
		                                            initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) {
			if (how_indx < sizeof(asoc->cookie_how))
				asoc->cookie_how[how_indx] = 10;
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             "Problem with address parameters");
			SCTPDBG(SCTP_DEBUG_INPUT1,
			        "Load addresses from INIT causes an abort %d\n",
			        retval);
			sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
			                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                       mflowtype, mflowid,
#endif
			                       vrf_id, net->port);
			return (NULL);
		}
		if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
		    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
			*notification = SCTP_NOTIFY_ASSOC_UP;

			if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
			     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
			    (!SCTP_IS_LISTENING(inp))) {
#if defined(__APPLE__) && !defined(__Userspace__)
				struct socket *so;
#endif
				sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
#if defined(__APPLE__) && !defined(__Userspace__)
				so = SCTP_INP_SO(stcb->sctp_ep);
				atomic_add_int(&stcb->asoc.refcnt, 1);
				SCTP_TCB_UNLOCK(stcb);
				SCTP_SOCKET_LOCK(so, 1);
				SCTP_TCB_LOCK(stcb);
				atomic_subtract_int(&stcb->asoc.refcnt, 1);
				if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
					SCTP_TCB_UNLOCK(stcb);
					SCTP_SOCKET_UNLOCK(so, 1);
					return (NULL);
				}
#endif
				soisconnected(stcb->sctp_socket);
#if defined(__APPLE__) && !defined(__Userspace__)
				SCTP_SOCKET_UNLOCK(so, 1);
#endif
			}
			if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)
				SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
			else
				SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
			SCTP_STAT_INCR_GAUGE32(sctps_currestab);
		} else if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
			SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
		} else {
			SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
		}
		SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
		if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
			sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
			                 stcb->sctp_ep, stcb, NULL);
		}
		sctp_stop_all_cookie_timers(stcb);
		sctp_toss_old_cookies(stcb, asoc);
		sctp_send_cookie_ack(stcb);
		if (spec_flag) {
			/* only if we have retrans set do we do this. What
			 * this call does is get only the COOKIE-ACK out
			 * and then when we return the normal call to
			 * sctp_chunk_output will get the retrans out
			 * behind this.
			 */
			sctp_chunk_output(inp,stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
		}
		if (how_indx < sizeof(asoc->cookie_how))
			asoc->cookie_how[how_indx] = 11;

		return (stcb);
	}
	if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
	     ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
	    cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
	    cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
	    cookie->tie_tag_peer_vtag != 0) {
		struct sctpasochead *head;
#if defined(__APPLE__) && !defined(__Userspace__)
		struct socket *so;
#endif

		if (asoc->peer_supports_nat) {
			struct sctp_tcb *local_stcb;

			/* This is a gross gross hack.
			 * Just call the cookie_new code since we
			 * are allowing a duplicate association.
			 * I hope this works...
			 */
			local_stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst,
			                                     sh, cookie, cookie_len,
			                                     inp, netp, init_src,notification,
			                                     auth_skipped, auth_offset, auth_len,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                                     mflowtype, mflowid,
#endif
			                                     vrf_id, port);
			if (local_stcb == NULL) {
				SCTP_TCB_UNLOCK(stcb);
			}
			return (local_stcb);
		}
		/*
		 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
		 */
		/* temp code */
		if (how_indx < sizeof(asoc->cookie_how))
			asoc->cookie_how[how_indx] = 12;
		sctp_stop_association_timers(stcb, false);
		/* notify upper layer */
		*notification = SCTP_NOTIFY_ASSOC_RESTART;
		atomic_add_int(&stcb->asoc.refcnt, 1);
		if ((SCTP_GET_STATE(stcb) != SCTP_STATE_OPEN) &&
		    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
		    (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT)) {
			SCTP_STAT_INCR_GAUGE32(sctps_currestab);
		}
		if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
			SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
		} else if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) {
			SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
		}
		if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
			SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
			sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
			                 stcb->sctp_ep, stcb, NULL);

		} else if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) {
			/* move to OPEN state, if not in SHUTDOWN_SENT */
			SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
		}
		if (asoc->pre_open_streams < asoc->streamoutcnt) {
			asoc->pre_open_streams = asoc->streamoutcnt;
		}
		asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
		asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
		asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
		asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
		asoc->str_reset_seq_in = asoc->init_seq_number;
		asoc->advanced_peer_ack_point = asoc->last_acked_seq;
		asoc->send_sack = 1;
		asoc->data_pkts_seen = 0;
		asoc->last_data_chunk_from = NULL;
		asoc->last_control_chunk_from = NULL;
		asoc->last_net_cmt_send_started = NULL;
		if (asoc->mapping_array) {
			memset(asoc->mapping_array, 0,
			       asoc->mapping_array_size);
		}
		if (asoc->nr_mapping_array) {
			memset(asoc->nr_mapping_array, 0,
			    asoc->mapping_array_size);
		}
		SCTP_TCB_UNLOCK(stcb);
#if defined(__APPLE__) && !defined(__Userspace__)
		so = SCTP_INP_SO(stcb->sctp_ep);
		SCTP_SOCKET_LOCK(so, 1);
#endif
		SCTP_INP_INFO_WLOCK();
		SCTP_INP_WLOCK(stcb->sctp_ep);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
		/* send up all the data */
		sctp_report_all_outbound(stcb, 0, SCTP_SO_LOCKED);
		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
			stcb->asoc.strmout[i].chunks_on_queues = 0;
#if defined(SCTP_DETAILED_STR_STATS)
			for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
				asoc->strmout[i].abandoned_sent[j] = 0;
				asoc->strmout[i].abandoned_unsent[j] = 0;
			}
#else
			asoc->strmout[i].abandoned_sent[0] = 0;
			asoc->strmout[i].abandoned_unsent[0] = 0;
#endif
			stcb->asoc.strmout[i].next_mid_ordered = 0;
			stcb->asoc.strmout[i].next_mid_unordered = 0;
			stcb->asoc.strmout[i].sid = i;
			stcb->asoc.strmout[i].last_msg_incomplete = 0;
		}
		TAILQ_FOREACH_SAFE(strrst, &asoc->resetHead, next_resp, nstrrst) {
			TAILQ_REMOVE(&asoc->resetHead, strrst, next_resp);
			SCTP_FREE(strrst, SCTP_M_STRESET);
		}
		TAILQ_FOREACH_SAFE(sq, &asoc->pending_reply_queue, next, nsq) {
			TAILQ_REMOVE(&asoc->pending_reply_queue, sq, next);
			if (sq->data) {
				sctp_m_freem(sq->data);
				sq->data = NULL;
			}
			sctp_free_remote_addr(sq->whoFrom);
			sq->whoFrom = NULL;
			sq->stcb = NULL;
			sctp_free_a_readq(stcb, sq);
		}
		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
			if (chk->data) {
				sctp_m_freem(chk->data);
				chk->data = NULL;
			}
			if (chk->holds_key_ref)
				sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
			sctp_free_remote_addr(chk->whoTo);
			SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
			SCTP_DECR_CHK_COUNT();
		}
		asoc->ctrl_queue_cnt = 0;
		asoc->str_reset = NULL;
		asoc->stream_reset_outstanding = 0;
		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
			if (chk->data) {
				sctp_m_freem(chk->data);
				chk->data = NULL;
			}
			if (chk->holds_key_ref)
				sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
			sctp_free_remote_addr(chk->whoTo);
			SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
			SCTP_DECR_CHK_COUNT();
		}
		TAILQ_FOREACH_SAFE(aparam, &asoc->asconf_queue, next, naparam) {
			TAILQ_REMOVE(&asoc->asconf_queue, aparam, next);
			SCTP_FREE(aparam,SCTP_M_ASC_ADDR);
		}
		TAILQ_FOREACH_SAFE(aack, &asoc->asconf_ack_sent, next, naack) {
			TAILQ_REMOVE(&asoc->asconf_ack_sent, aack, next);
			if (aack->data != NULL) {
				sctp_m_freem(aack->data);
			}
			SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asconf_ack), aack);
		}

		/* process the INIT-ACK info (my info) */
		asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
		asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);

		/* pull from vtag hash */
		LIST_REMOVE(stcb, sctp_asocs);
		/* re-insert to new vtag position */
		head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
		                                                        SCTP_BASE_INFO(hashasocmark))];
		/*
		 * put it in the bucket in the vtag hash of assoc's for the
		 * system
		 */
		LIST_INSERT_HEAD(head, stcb, sctp_asocs);

		SCTP_INP_WUNLOCK(stcb->sctp_ep);
		SCTP_INP_INFO_WUNLOCK();
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
		asoc->total_flight = 0;
		asoc->total_flight_count = 0;
		/* process the INIT info (peer's info) */
		if (sctp_process_init(init_cp, stcb) < 0) {
			if (how_indx < sizeof(asoc->cookie_how))
				asoc->cookie_how[how_indx] = 13;
			op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
			SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
			sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
			                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                       mflowtype, mflowid,
#endif
			                       vrf_id, net->port);
			return (NULL);
		}
		/*
		 * since we did not send a HB make sure we don't double
		 * things
		 */
		net->hb_responded = 1;

		if ((retval = sctp_load_addresses_from_init(stcb, m,
		                                            init_offset + sizeof(struct sctp_init_chunk),
		                                            initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) {
			if (how_indx < sizeof(asoc->cookie_how))
				asoc->cookie_how[how_indx] = 14;
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             "Problem with address parameters");
			SCTPDBG(SCTP_DEBUG_INPUT1,
			        "Load addresses from INIT causes an abort %d\n",
			        retval);
			sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
			                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                       mflowtype, mflowid,
#endif
			                       vrf_id, net->port);
			return (NULL);
		}
		/* respond with a COOKIE-ACK */
		sctp_send_cookie_ack(stcb);
		if (how_indx < sizeof(asoc->cookie_how))
			asoc->cookie_how[how_indx] = 15;
		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) &&
		    (asoc->sctp_autoclose_ticks > 0)) {
			sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
		}
		return (stcb);
	}
	if (how_indx < sizeof(asoc->cookie_how))
		asoc->cookie_how[how_indx] = 16;
	/* all other cases... */
	SCTP_TCB_UNLOCK(stcb);
	return (NULL);
}

/*
 * handle a state cookie for a new association m: input packet mbuf chain--
 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
 * and the cookie signature does not exist offset: offset into mbuf to the
 * cookie-echo chunk length: length of the cookie chunk to: where the init
 * was from returns a new TCB
 */
static struct sctp_tcb *
sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
    struct sockaddr *src, struct sockaddr *dst,
    struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
    struct sctp_inpcb *inp, struct sctp_nets **netp,
    struct sockaddr *init_src, int *notification,
    int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
#if defined(__FreeBSD__) && !defined(__Userspace__)
    uint8_t mflowtype, uint32_t mflowid,
#endif
    uint32_t vrf_id, uint16_t port)
{
	struct sctp_tcb *stcb;
	struct sctp_init_chunk *init_cp, init_buf;
	struct sctp_init_ack_chunk *initack_cp, initack_buf;
	union sctp_sockstore store;
	struct sctp_association *asoc;
	int init_offset, initack_offset, initack_limit;
	int error = 0;
	uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;

	so = SCTP_INP_SO(inp);
#endif

	/*
	 * find and validate the INIT chunk in the cookie (peer's info) the
	 * INIT should start after the cookie-echo header struct (chunk
	 * header, state cookie header struct)
	 */
	init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
	init_cp = (struct sctp_init_chunk *)
	    sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
	    (uint8_t *) & init_buf);
	if (init_cp == NULL) {
		/* could not pull a INIT chunk in cookie */
		SCTPDBG(SCTP_DEBUG_INPUT1,
			"process_cookie_new: could not pull INIT chunk hdr\n");
		return (NULL);
	}
	if (init_cp->ch.chunk_type != SCTP_INITIATION) {
		SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
		return (NULL);
	}
	initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
	/*
	 * find and validate the INIT-ACK chunk in the cookie (my info) the
	 * INIT-ACK follows the INIT chunk
	 */
	initack_cp = (struct sctp_init_ack_chunk *)
	    sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
	    (uint8_t *) & initack_buf);
	if (initack_cp == NULL) {
		/* could not pull INIT-ACK chunk in cookie */
		SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
		return (NULL);
	}
	if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
		return (NULL);
	}
	/*
	 * NOTE: We can't use the INIT_ACK's chk_length to determine the
	 * "initack_limit" value.  This is because the chk_length field
	 * includes the length of the cookie, but the cookie is omitted when
	 * the INIT and INIT_ACK are tacked onto the cookie...
	 */
	initack_limit = offset + cookie_len;

	/*
	 * now that we know the INIT/INIT-ACK are in place, create a new TCB
	 * and populate
	 */

	/*
	 * Here we do a trick, we set in NULL for the proc/thread argument. We
	 * do this since in effect we only use the p argument when
	 * the socket is unbound and we must do an implicit bind.
	 * Since we are getting a cookie, we cannot be unbound.
	 */
	stcb = sctp_aloc_assoc(inp, init_src, &error,
	                       ntohl(initack_cp->init.initiate_tag),
	                       ntohl(initack_cp->init.initial_tsn), vrf_id,
	                       ntohs(initack_cp->init.num_outbound_streams),
	                       port,
#if defined(__FreeBSD__) && !defined(__Userspace__)
	                       (struct thread *)NULL,
#elif defined(_WIN32) && !defined(__Userspace__)
	                       (PKTHREAD)NULL,
#else
	                       (struct proc *)NULL,
#endif
	                       SCTP_DONT_INITIALIZE_AUTH_PARAMS);
	if (stcb == NULL) {
		struct mbuf *op_err;

		/* memory problem? */
		SCTPDBG(SCTP_DEBUG_INPUT1,
			"process_cookie_new: no room for another TCB!\n");
		op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
		sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
		                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                       mflowtype, mflowid,
#endif
		                       vrf_id, port);
		return (NULL);
	}
	asoc = &stcb->asoc;
	/* get scope variables out of cookie */
	asoc->scope.ipv4_local_scope = cookie->ipv4_scope;
	asoc->scope.site_scope = cookie->site_scope;
	asoc->scope.local_scope = cookie->local_scope;
	asoc->scope.loopback_scope = cookie->loopback_scope;

#if defined(__Userspace__)
	if ((asoc->scope.ipv4_addr_legal != cookie->ipv4_addr_legal) ||
	    (asoc->scope.ipv6_addr_legal != cookie->ipv6_addr_legal) ||
	    (asoc->scope.conn_addr_legal != cookie->conn_addr_legal)) {
#else
	if ((asoc->scope.ipv4_addr_legal != cookie->ipv4_addr_legal) ||
	    (asoc->scope.ipv6_addr_legal != cookie->ipv6_addr_legal)) {
#endif
		struct mbuf *op_err;

		/*
		 * Houston we have a problem. The EP changed while the
		 * cookie was in flight. Only recourse is to abort the
		 * association.
		 */
		op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
		sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
				       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                       mflowtype, mflowid,
#endif
		                       vrf_id, port);
#if defined(__APPLE__) && !defined(__Userspace__)
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
		(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
				      SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
		return (NULL);
	}
	/* process the INIT-ACK info (my info) */
	asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);

	/* process the INIT info (peer's info) */
	if (sctp_process_init(init_cp, stcb) < 0) {
#if defined(__APPLE__) && !defined(__Userspace__)
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
		(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
		                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
		return (NULL);
	}
	/* load all addresses */
	if (sctp_load_addresses_from_init(stcb, m,
	                                  init_offset + sizeof(struct sctp_init_chunk),
	                                  initack_offset, src, dst, init_src, port) < 0) {
#if defined(__APPLE__) && !defined(__Userspace__)
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
		(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
		                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
		return (NULL);
	}
	/*
	 * verify any preceding AUTH chunk that was skipped
	 */
	/* pull the local authentication parameters from the cookie/init-ack */
	sctp_auth_get_cookie_params(stcb, m,
	    initack_offset + sizeof(struct sctp_init_ack_chunk),
	    initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
	if (auth_skipped) {
		struct sctp_auth_chunk *auth;

		if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
			auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
		} else {
			auth = NULL;
		}
		if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
			/* auth HMAC failed, dump the assoc and packet */
			SCTPDBG(SCTP_DEBUG_AUTH1,
				"COOKIE-ECHO: AUTH failed\n");
#if defined(__APPLE__) && !defined(__Userspace__)
			atomic_add_int(&stcb->asoc.refcnt, 1);
			SCTP_TCB_UNLOCK(stcb);
			SCTP_SOCKET_LOCK(so, 1);
			SCTP_TCB_LOCK(stcb);
			atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
			(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
			                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_21);
#if defined(__APPLE__) && !defined(__Userspace__)
			SCTP_SOCKET_UNLOCK(so, 1);
#endif
			return (NULL);
		} else {
			/* remaining chunks checked... good to go */
			stcb->asoc.authenticated = 1;
		}
	}

	/*
	 * if we're doing ASCONFs, check to see if we have any new local
	 * addresses that need to get added to the peer (eg. addresses
	 * changed while cookie echo in flight).  This needs to be done
	 * after we go to the OPEN state to do the correct asconf
	 * processing. else, make sure we have the correct addresses in our
	 * lists
	 */

	/* warning, we re-use sin, sin6, sa_store here! */
	/* pull in local_address (our "from" address) */
	switch (cookie->laddr_type) {
#ifdef INET
	case SCTP_IPV4_ADDRESS:
		/* source addr is IPv4 */
		memset(&store.sin, 0, sizeof(struct sockaddr_in));
		store.sin.sin_family = AF_INET;
#ifdef HAVE_SIN_LEN
		store.sin.sin_len = sizeof(struct sockaddr_in);
#endif
		store.sin.sin_addr.s_addr = cookie->laddress[0];
		break;
#endif
#ifdef INET6
	case SCTP_IPV6_ADDRESS:
		/* source addr is IPv6 */
		memset(&store.sin6, 0, sizeof(struct sockaddr_in6));
		store.sin6.sin6_family = AF_INET6;
#ifdef HAVE_SIN6_LEN
		store.sin6.sin6_len = sizeof(struct sockaddr_in6);
#endif
		store.sin6.sin6_scope_id = cookie->scope_id;
		memcpy(&store.sin6.sin6_addr, cookie->laddress, sizeof(struct in6_addr));
		break;
#endif
#if defined(__Userspace__)
	case SCTP_CONN_ADDRESS:
		/* source addr is conn */
		memset(&store.sconn, 0, sizeof(struct sockaddr_conn));
		store.sconn.sconn_family = AF_CONN;
#ifdef HAVE_SCONN_LEN
		store.sconn.sconn_len = sizeof(struct sockaddr_conn);
#endif
		memcpy(&store.sconn.sconn_addr, cookie->laddress, sizeof(void *));
		break;
#endif
	default:
#if defined(__APPLE__) && !defined(__Userspace__)
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
		(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
		                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
		return (NULL);
	}

	/* update current state */
	SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
	SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
	if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
		sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
		                 stcb->sctp_ep, stcb, NULL);
	}
	sctp_stop_all_cookie_timers(stcb);
	SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
	SCTP_STAT_INCR_GAUGE32(sctps_currestab);

	/* set up to notify upper layer */
	*notification = SCTP_NOTIFY_ASSOC_UP;
	if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
	    (!SCTP_IS_LISTENING(inp))) {
		/*
		 * This is an endpoint that called connect() how it got a
		 * cookie that is NEW is a bit of a mystery. It must be that
		 * the INIT was sent, but before it got there.. a complete
		 * INIT/INIT-ACK/COOKIE arrived. But of course then it
		 * should have went to the other code.. not here.. oh well..
		 * a bit of protection is worth having..
		 *
		 * XXXMJ unlocked
		 */
		sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
#if defined(__APPLE__) && !defined(__Userspace__)
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
			SCTP_SOCKET_UNLOCK(so, 1);
			return (NULL);
		}
#endif
		soisconnected(stcb->sctp_socket);
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
	} else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
	           (SCTP_IS_LISTENING(inp))) {
		/*
		 * We don't want to do anything with this one. Since it is
		 * the listening guy. The timer will get started for
		 * accepted connections in the caller.
		 */
		;
	}
	if (stcb->asoc.sctp_autoclose_ticks &&
	    sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
		sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
	}
	(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
	*netp = sctp_findnet(stcb, init_src);
	if (*netp != NULL) {
		struct timeval old;

		/*
		 * Since we did not send a HB, make sure we don't double
		 * things.
		 */
		(*netp)->hb_responded = 1;
		/* Calculate the RTT. */
		old.tv_sec = cookie->time_entered.tv_sec;
		old.tv_usec = cookie->time_entered.tv_usec;
		sctp_calculate_rto(stcb, asoc, *netp, &old, SCTP_RTT_FROM_NON_DATA);
	}
	/* respond with a COOKIE-ACK */
	sctp_send_cookie_ack(stcb);

	/*
	 * check the address lists for any ASCONFs that need to be sent
	 * AFTER the cookie-ack is sent
	 */
	sctp_check_address_list(stcb, m,
	    initack_offset + sizeof(struct sctp_init_ack_chunk),
	    initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
	    &store.sa, cookie->local_scope, cookie->site_scope,
	    cookie->ipv4_scope, cookie->loopback_scope);

	return (stcb);
}

/*
 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e
 * we NEED to make sure we are not already using the vtag. If so we
 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit!
	head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag,
							    SCTP_BASE_INFO(hashasocmark))];
	LIST_FOREACH(stcb, head, sctp_asocs) {
	        if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) {
		       -- SEND ABORT - TRY AGAIN --
		}
	}
*/

/*
 * handles a COOKIE-ECHO message stcb: modified to either a new or left as
 * existing (non-NULL) TCB
 */
static struct mbuf *
sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
    struct sockaddr *src, struct sockaddr *dst,
    struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
    struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
    int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
    struct sctp_tcb **locked_tcb,
#if defined(__FreeBSD__) && !defined(__Userspace__)
    uint8_t mflowtype, uint32_t mflowid,
#endif
    uint32_t vrf_id, uint16_t port)
{
	struct sctp_state_cookie *cookie;
	struct sctp_tcb *l_stcb = *stcb;
	struct sctp_inpcb *l_inp;
	struct sockaddr *to;
	struct sctp_pcb *ep;
	struct mbuf *m_sig;
	uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
	uint8_t *sig;
#if defined(__Userspace__) && defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
	uint8_t cookie_ok = 1;
#else
	uint8_t cookie_ok = 0;
#endif
	unsigned int sig_offset, cookie_offset;
	unsigned int cookie_len;
	struct timeval now;
	struct timeval time_entered, time_expires;
	int notification = 0;
	struct sctp_nets *netl;
	int had_a_existing_tcb = 0;
	int send_int_conf = 0;
#ifdef INET
	struct sockaddr_in sin;
#endif
#ifdef INET6
	struct sockaddr_in6 sin6;
#endif
#if defined(__Userspace__)
	struct sockaddr_conn sconn;
#endif

	SCTPDBG(SCTP_DEBUG_INPUT2,
		"sctp_handle_cookie: handling COOKIE-ECHO\n");

	if (inp_p == NULL) {
		return (NULL);
	}
	cookie = &cp->cookie;
	cookie_offset = offset + sizeof(struct sctp_chunkhdr);
	cookie_len = ntohs(cp->ch.chunk_length);

	if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
	    sizeof(struct sctp_init_chunk) +
	    sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
		/* cookie too small */
		return (NULL);
	}
	if ((cookie->peerport != sh->src_port) ||
	    (cookie->myport != sh->dest_port) ||
	    (cookie->my_vtag != sh->v_tag)) {
		/*
		 * invalid ports or bad tag.  Note that we always leave the
		 * v_tag in the header in network order and when we stored
		 * it in the my_vtag slot we also left it in network order.
		 * This maintains the match even though it may be in the
		 * opposite byte order of the machine :->
		 */
		return (NULL);
	}
#if defined(__Userspace__)
	/*
	 * Recover the AF_CONN addresses within the cookie.
	 * This needs to be done in the buffer provided for later processing
	 * of the cookie and in the mbuf chain for HMAC validation.
	 */
	if ((cookie->addr_type == SCTP_CONN_ADDRESS) && (src->sa_family == AF_CONN)) {
		struct sockaddr_conn *sconnp = (struct sockaddr_conn *)src;

		memcpy(cookie->address, &sconnp->sconn_addr , sizeof(void *));
		m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, address),
		           (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
	}
	if ((cookie->laddr_type == SCTP_CONN_ADDRESS) && (dst->sa_family == AF_CONN)) {
		struct sockaddr_conn *sconnp = (struct sockaddr_conn *)dst;

		memcpy(cookie->laddress, &sconnp->sconn_addr , sizeof(void *));
		m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, laddress),
		           (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
	}
#endif
	/*
	 * split off the signature into its own mbuf (since it should not be
	 * calculated in the sctp_hmac_m() call).
	 */
	sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
	m_sig = m_split(m, sig_offset, M_NOWAIT);
	if (m_sig == NULL) {
		/* out of memory or ?? */
		return (NULL);
	}
#ifdef SCTP_MBUF_LOGGING
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
		sctp_log_mbc(m_sig, SCTP_MBUF_SPLIT);
	}
#endif

	/*
	 * compute the signature/digest for the cookie
	 */
	if (l_stcb != NULL) {
		atomic_add_int(&l_stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(l_stcb);
	}
	l_inp = *inp_p;
	SCTP_INP_RLOCK(l_inp);
	if (l_stcb != NULL) {
		SCTP_TCB_LOCK(l_stcb);
		atomic_subtract_int(&l_stcb->asoc.refcnt, 1);
	}
	if (l_inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE | SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
		SCTP_INP_RUNLOCK(l_inp);
		sctp_m_freem(m_sig);
		return (NULL);
	}
	ep = &(*inp_p)->sctp_ep;
	/* which cookie is it? */
	if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
	    (ep->current_secret_number != ep->last_secret_number)) {
		/* it's the old cookie */
		(void)sctp_hmac_m(SCTP_HMAC,
		    (uint8_t *)ep->secret_key[(int)ep->last_secret_number],
		    SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
	} else {
		/* it's the current cookie */
		(void)sctp_hmac_m(SCTP_HMAC,
		    (uint8_t *)ep->secret_key[(int)ep->current_secret_number],
		    SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
	}
	/* get the signature */
	SCTP_INP_RUNLOCK(l_inp);
	sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
	if (sig == NULL) {
		/* couldn't find signature */
		sctp_m_freem(m_sig);
		return (NULL);
	}
	/* compare the received digest with the computed digest */
	if (timingsafe_bcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
		/* try the old cookie? */
		if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
		    (ep->current_secret_number != ep->last_secret_number)) {
			/* compute digest with old */
			(void)sctp_hmac_m(SCTP_HMAC,
			    (uint8_t *)ep->secret_key[(int)ep->last_secret_number],
			    SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
			/* compare */
			if (timingsafe_bcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
				cookie_ok = 1;
		}
	} else {
		cookie_ok = 1;
	}

	/*
	 * Now before we continue we must reconstruct our mbuf so that
	 * normal processing of any other chunks will work.
	 */
	{
		struct mbuf *m_at;

		m_at = m;
		while (SCTP_BUF_NEXT(m_at) != NULL) {
			m_at = SCTP_BUF_NEXT(m_at);
		}
		SCTP_BUF_NEXT(m_at) = m_sig;
	}

	if (cookie_ok == 0) {
		SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
		SCTPDBG(SCTP_DEBUG_INPUT2,
			"offset = %u, cookie_offset = %u, sig_offset = %u\n",
			(uint32_t) offset, cookie_offset, sig_offset);
		return (NULL);
	}

	if (sctp_ticks_to_msecs(cookie->cookie_life) > SCTP_MAX_COOKIE_LIFE) {
		SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: Invalid cookie lifetime\n");
		return (NULL);
	}
	time_entered.tv_sec = cookie->time_entered.tv_sec;
	time_entered.tv_usec = cookie->time_entered.tv_usec;
	if ((time_entered.tv_sec < 0) ||
	    (time_entered.tv_usec < 0) ||
	    (time_entered.tv_usec >= 1000000)) {
		/* Invalid time stamp. Cookie must have been modified. */
		SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: Invalid time stamp\n");
		return (NULL);
	}
	(void)SCTP_GETTIME_TIMEVAL(&now);
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
	if (timercmp(&now, &time_entered, <)) {
#else
	if (timevalcmp(&now, &time_entered, <)) {
#endif
		SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie generated in the future!\n");
		return (NULL);
	}
	/*
	 * Check the cookie timestamps to be sure it's not stale.
	 * cookie_life is in ticks, so we convert to seconds.
	 */
	time_expires.tv_sec = time_entered.tv_sec + sctp_ticks_to_secs(cookie->cookie_life);
	time_expires.tv_usec = time_entered.tv_usec;
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
	if (timercmp(&now, &time_expires, >))
#else
	if (timevalcmp(&now, &time_expires, >))
#endif
	{
		/* cookie is stale! */
		struct mbuf *op_err;
		struct sctp_error_stale_cookie *cause;
		struct timeval diff;
		uint32_t staleness;

		op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_stale_cookie),
		                               0, M_NOWAIT, 1, MT_DATA);
		if (op_err == NULL) {
			/* FOOBAR */
			return (NULL);
		}
		/* Set the len */
		SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_stale_cookie);
		cause = mtod(op_err, struct sctp_error_stale_cookie *);
		cause->cause.code = htons(SCTP_CAUSE_STALE_COOKIE);
		cause->cause.length = htons(sizeof(struct sctp_error_stale_cookie));
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
		timersub(&now, &time_expires, &diff);
#else
		diff = now;
		timevalsub(&diff, &time_expires);
#endif
		if ((uint32_t)diff.tv_sec > UINT32_MAX / 1000000) {
			staleness = UINT32_MAX;
		} else {
			staleness = (uint32_t)diff.tv_sec * 1000000;
		}
		if (UINT32_MAX - staleness >= (uint32_t)diff.tv_usec) {
			staleness += (uint32_t)diff.tv_usec;
		} else {
			staleness = UINT32_MAX;
		}
		cause->stale_time = htonl(staleness);
		sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                   mflowtype, mflowid, l_inp->fibnum,
#endif
		                   vrf_id, port);
		return (NULL);
	}
	/*
	 * Now we must see with the lookup address if we have an existing
	 * asoc. This will only happen if we were in the COOKIE-WAIT state
	 * and a INIT collided with us and somewhere the peer sent the
	 * cookie on another address besides the single address our assoc
	 * had for him. In this case we will have one of the tie-tags set at
	 * least AND the address field in the cookie can be used to look it
	 * up.
	 */
	to = NULL;
	switch (cookie->addr_type) {
#ifdef INET6
	case SCTP_IPV6_ADDRESS:
		memset(&sin6, 0, sizeof(sin6));
		sin6.sin6_family = AF_INET6;
#ifdef HAVE_SIN6_LEN
		sin6.sin6_len = sizeof(sin6);
#endif
		sin6.sin6_port = sh->src_port;
		sin6.sin6_scope_id = cookie->scope_id;
		memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
		    sizeof(sin6.sin6_addr.s6_addr));
		to = (struct sockaddr *)&sin6;
		break;
#endif
#ifdef INET
	case SCTP_IPV4_ADDRESS:
		memset(&sin, 0, sizeof(sin));
		sin.sin_family = AF_INET;
#ifdef HAVE_SIN_LEN
		sin.sin_len = sizeof(sin);
#endif
		sin.sin_port = sh->src_port;
		sin.sin_addr.s_addr = cookie->address[0];
		to = (struct sockaddr *)&sin;
		break;
#endif
#if defined(__Userspace__)
	case SCTP_CONN_ADDRESS:
		memset(&sconn, 0, sizeof(struct sockaddr_conn));
		sconn.sconn_family = AF_CONN;
#ifdef HAVE_SCONN_LEN
		sconn.sconn_len = sizeof(struct sockaddr_conn);
#endif
		sconn.sconn_port = sh->src_port;
		memcpy(&sconn.sconn_addr, cookie->address, sizeof(void *));
		to = (struct sockaddr *)&sconn;
		break;
#endif
	default:
		/* This should not happen */
		return (NULL);
	}
	if (*stcb == NULL) {
		/* Yep, lets check */
		*stcb = sctp_findassociation_ep_addr(inp_p, to, netp, dst, NULL);
		if (*stcb == NULL) {
			/*
			 * We should have only got back the same inp. If we
			 * got back a different ep we have a problem. The
			 * original findep got back l_inp and now
			 */
			if (l_inp != *inp_p) {
				SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
			}
		} else {
			if (*locked_tcb == NULL) {
				/* In this case we found the assoc only
				 * after we locked the create lock. This means
				 * we are in a colliding case and we must make
				 * sure that we unlock the tcb if its one of the
				 * cases where we throw away the incoming packets.
				 */
				*locked_tcb = *stcb;

				/* We must also increment the inp ref count
				 * since the ref_count flags was set when we
				 * did not find the TCB, now we found it which
				 * reduces the refcount.. we must raise it back
				 * out to balance it all :-)
				 */
				SCTP_INP_INCR_REF((*stcb)->sctp_ep);
				if ((*stcb)->sctp_ep != l_inp) {
					SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
						    (void *)(*stcb)->sctp_ep, (void *)l_inp);
				}
			}
		}
	}

	cookie_len -= SCTP_SIGNATURE_SIZE;
	if (*stcb == NULL) {
		/* this is the "normal" case... get a new TCB */
		*stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst, sh,
		                                cookie, cookie_len, *inp_p,
		                                netp, to, &notification,
		                                auth_skipped, auth_offset, auth_len,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                                mflowtype, mflowid,
#endif
		                                vrf_id, port);
	} else {
		/* this is abnormal... cookie-echo on existing TCB */
		had_a_existing_tcb = 1;
		*stcb = sctp_process_cookie_existing(m, iphlen, offset,
		                                     src, dst, sh,
		                                     cookie, cookie_len, *inp_p, *stcb, netp, to,
		                                     &notification, auth_skipped, auth_offset, auth_len,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                                     mflowtype, mflowid,
#endif
		                                     vrf_id, port);
		if (*stcb == NULL) {
			*locked_tcb = NULL;
		}
	}

	if (*stcb == NULL) {
		/* still no TCB... must be bad cookie-echo */
		return (NULL);
	}
#if defined(__FreeBSD__) && !defined(__Userspace__)
	if (*netp != NULL) {
		(*netp)->flowtype = mflowtype;
		(*netp)->flowid = mflowid;
	}
#endif
	/*
	 * Ok, we built an association so confirm the address we sent the
	 * INIT-ACK to.
	 */
	netl = sctp_findnet(*stcb, to);
	/*
	 * This code should in theory NOT run but
	 */
	if (netl == NULL) {
		/* TSNH! Huh, why do I need to add this address here? */
		if (sctp_add_remote_addr(*stcb, to, NULL, port,
		                         SCTP_DONOT_SETSCOPE, SCTP_IN_COOKIE_PROC)) {
			return (NULL);
		}
		netl = sctp_findnet(*stcb, to);
	}
	if (netl) {
		if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
			netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
			(void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
			    netl);
			send_int_conf = 1;
		}
	}
	sctp_start_net_timers(*stcb);
	if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
		if (!had_a_existing_tcb ||
		    (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
			/*
			 * If we have a NEW cookie or the connect never
			 * reached the connected state during collision we
			 * must do the TCP accept thing.
			 */
			struct socket *so, *oso;
			struct sctp_inpcb *inp;

			if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
				/*
				 * For a restart we will keep the same
				 * socket, no need to do anything. I THINK!!
				 */
				sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
				if (send_int_conf) {
					sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
					                (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
				}
				return (m);
			}
			oso = (*inp_p)->sctp_socket;
			atomic_add_int(&(*stcb)->asoc.refcnt, 1);
			SCTP_TCB_UNLOCK((*stcb));
#if defined(__FreeBSD__) && !defined(__Userspace__)
			CURVNET_SET(oso->so_vnet);
#endif
#if defined(__APPLE__) && !defined(__Userspace__)
			SCTP_SOCKET_LOCK(oso, 1);
#endif
			so = sonewconn(oso, 0
#if defined(__APPLE__) && !defined(__Userspace__)
			    ,NULL
#endif
			    );
#if defined(__APPLE__) && !defined(__Userspace__)
			SCTP_SOCKET_UNLOCK(oso, 1);
#endif
#if defined(__FreeBSD__) && !defined(__Userspace__)
			CURVNET_RESTORE();
#endif
			SCTP_TCB_LOCK((*stcb));
			atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);

			if (so == NULL) {
				struct mbuf *op_err;
#if defined(__APPLE__) && !defined(__Userspace__)
				struct socket *pcb_so;
#endif
				/* Too many sockets */
				SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
				op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
				sctp_abort_association(*inp_p, NULL, m, iphlen,
						       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
				                       mflowtype, mflowid,
#endif
				                       vrf_id, port);
#if defined(__APPLE__) && !defined(__Userspace__)
				pcb_so = SCTP_INP_SO(*inp_p);
				atomic_add_int(&(*stcb)->asoc.refcnt, 1);
				SCTP_TCB_UNLOCK((*stcb));
				SCTP_SOCKET_LOCK(pcb_so, 1);
				SCTP_TCB_LOCK((*stcb));
				atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
#endif
				(void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC,
				                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
#if defined(__APPLE__) && !defined(__Userspace__)
				SCTP_SOCKET_UNLOCK(pcb_so, 1);
#endif
				return (NULL);
			}
			inp = (struct sctp_inpcb *)so->so_pcb;
			SCTP_INP_INCR_REF(inp);
			/*
			 * We add the unbound flag here so that
			 * if we get an soabort() before we get the
			 * move_pcb done, we will properly cleanup.
			 */
			inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
			    SCTP_PCB_FLAGS_CONNECTED |
			    SCTP_PCB_FLAGS_IN_TCPPOOL |
			    SCTP_PCB_FLAGS_UNBOUND |
			    (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
			    SCTP_PCB_FLAGS_DONT_WAKE);
			inp->sctp_features = (*inp_p)->sctp_features;
			inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
			inp->sctp_socket = so;
			inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
			inp->max_cwnd = (*inp_p)->max_cwnd;
			inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off;
			inp->ecn_supported = (*inp_p)->ecn_supported;
			inp->prsctp_supported = (*inp_p)->prsctp_supported;
			inp->auth_supported = (*inp_p)->auth_supported;
			inp->asconf_supported = (*inp_p)->asconf_supported;
			inp->reconfig_supported = (*inp_p)->reconfig_supported;
			inp->nrsack_supported = (*inp_p)->nrsack_supported;
			inp->pktdrop_supported = (*inp_p)->pktdrop_supported;
			inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
			inp->sctp_context = (*inp_p)->sctp_context;
			inp->local_strreset_support = (*inp_p)->local_strreset_support;
			inp->fibnum = (*inp_p)->fibnum;
#if defined(__Userspace__)
			inp->ulp_info = (*inp_p)->ulp_info;
			inp->recv_callback = (*inp_p)->recv_callback;
			inp->send_callback = (*inp_p)->send_callback;
			inp->send_sb_threshold = (*inp_p)->send_sb_threshold;
#endif
			/*
			 * copy in the authentication parameters from the
			 * original endpoint
			 */
			if (inp->sctp_ep.local_hmacs)
				sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
			inp->sctp_ep.local_hmacs =
			    sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
			if (inp->sctp_ep.local_auth_chunks)
				sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
			inp->sctp_ep.local_auth_chunks =
			    sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);

			/*
			 * Now we must move it from one hash table to
			 * another and get the tcb in the right place.
			 */

			/* This is where the one-2-one socket is put into
			 * the accept state waiting for the accept!
			 */
			if (*stcb) {
				SCTP_ADD_SUBSTATE(*stcb, SCTP_STATE_IN_ACCEPT_QUEUE);
			}
			sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);

			atomic_add_int(&(*stcb)->asoc.refcnt, 1);
			SCTP_TCB_UNLOCK((*stcb));

#if defined(__FreeBSD__) && !defined(__Userspace__)
			sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
			    0);
#else
			sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, M_NOWAIT);
#endif
			SCTP_TCB_LOCK((*stcb));
			atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);

			/* now we must check to see if we were aborted while
			 * the move was going on and the lock/unlock happened.
			 */
			if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
				/* yep it was, we leave the
				 * assoc attached to the socket since
				 * the sctp_inpcb_free() call will send
				 * an abort for us.
				 */
				SCTP_INP_DECR_REF(inp);
				return (NULL);
			}
			SCTP_INP_DECR_REF(inp);
			/* Switch over to the new guy */
			*inp_p = inp;
			sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
			if (send_int_conf) {
				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
				                (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
			}

			/* Pull it from the incomplete queue and wake the guy */
#if defined(__APPLE__) && !defined(__Userspace__)
			atomic_add_int(&(*stcb)->asoc.refcnt, 1);
			SCTP_TCB_UNLOCK((*stcb));
			SCTP_SOCKET_LOCK(so, 1);
#endif
			soisconnected(so);
#if defined(__APPLE__) && !defined(__Userspace__)
			SCTP_TCB_LOCK((*stcb));
			atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
			SCTP_SOCKET_UNLOCK(so, 1);
#endif
			return (m);
		}
	}
	if (notification) {
		sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
	}
	if (send_int_conf) {
		sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
		                (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
	}
	return (m);
}

static void
sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp SCTP_UNUSED,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
	/* cp must not be used, others call this without a c-ack :-) */
	struct sctp_association *asoc;
	struct sctp_tmit_chunk *chk;

	SCTPDBG(SCTP_DEBUG_INPUT2,
		"sctp_handle_cookie_ack: handling COOKIE-ACK\n");
	if ((stcb == NULL) || (net == NULL)) {
		return;
	}

	asoc = &stcb->asoc;
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
		sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
			       asoc->overall_error_count,
			       0,
			       SCTP_FROM_SCTP_INPUT,
			       __LINE__);
	}
	asoc->overall_error_count = 0;
	sctp_stop_all_cookie_timers(stcb);
	/* process according to association state */
	if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED) {
		/* state change only needed when I am in right state */
		SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
		SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
		sctp_start_net_timers(stcb);
		if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
			sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
			                 stcb->sctp_ep, stcb, NULL);
		}
		/* update RTO */
		SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
		SCTP_STAT_INCR_GAUGE32(sctps_currestab);
		if (asoc->overall_error_count == 0) {
			sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered,
			                   SCTP_RTT_FROM_NON_DATA);
		}
		(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
		sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
		if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
		    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
#if defined(__APPLE__) && !defined(__Userspace__)
			struct socket *so;

#endif
			sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
#if defined(__APPLE__) && !defined(__Userspace__)
			so = SCTP_INP_SO(stcb->sctp_ep);
			atomic_add_int(&stcb->asoc.refcnt, 1);
			SCTP_TCB_UNLOCK(stcb);
			SCTP_SOCKET_LOCK(so, 1);
			SCTP_TCB_LOCK(stcb);
			atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
			if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) {
				soisconnected(stcb->sctp_socket);
			}
#if defined(__APPLE__) && !defined(__Userspace__)
			SCTP_SOCKET_UNLOCK(so, 1);
#endif
		}
		/*
		 * since we did not send a HB make sure we don't double
		 * things
		 */
		net->hb_responded = 1;

		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
			/* We don't need to do the asconf thing,
			 * nor hb or autoclose if the socket is closed.
			 */
			goto closed_socket;
		}

		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
		    stcb, net);

		if (stcb->asoc.sctp_autoclose_ticks &&
		    sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
			sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
			    stcb->sctp_ep, stcb, NULL);
		}
		/*
		 * send ASCONF if parameters are pending and ASCONFs are
		 * allowed (eg. addresses changed when init/cookie echo were
		 * in flight)
		 */
		if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
		    (stcb->asoc.asconf_supported == 1) &&
		    (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
#ifdef SCTP_TIMER_BASED_ASCONF
			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
					 stcb->sctp_ep, stcb,
					 stcb->asoc.primary_destination);
#else
			sctp_send_asconf(stcb, stcb->asoc.primary_destination,
					 SCTP_ADDR_NOT_LOCKED);
#endif
		}
	}
closed_socket:
	/* Toss the cookie if I can */
	sctp_toss_old_cookies(stcb, asoc);
	/* Restart the timer if we have pending data */
	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
		if (chk->whoTo != NULL) {
			break;
		}
	}
	if (chk != NULL) {
		sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
	}
}

static void
sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
		     struct sctp_tcb *stcb)
{
	struct sctp_nets *net;
	struct sctp_tmit_chunk *lchk;
	struct sctp_ecne_chunk bkup;
	uint8_t override_bit;
	uint32_t tsn, window_data_tsn;
	int len;
	unsigned int pkt_cnt;

	len = ntohs(cp->ch.chunk_length);
	if (len == sizeof(struct old_sctp_ecne_chunk)) {
		/* Its the old format */
		memcpy(&bkup, cp, sizeof(struct old_sctp_ecne_chunk));
		bkup.num_pkts_since_cwr = htonl(1);
		cp = &bkup;
	}
	SCTP_STAT_INCR(sctps_recvecne);
	tsn = ntohl(cp->tsn);
	pkt_cnt = ntohl(cp->num_pkts_since_cwr);
	lchk = TAILQ_LAST(&stcb->asoc.send_queue, sctpchunk_listhead);
	if (lchk == NULL) {
		window_data_tsn = stcb->asoc.sending_seq - 1;
	} else {
		window_data_tsn = lchk->rec.data.tsn;
	}

	/* Find where it was sent to if possible. */
	net = NULL;
	TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) {
		if (lchk->rec.data.tsn == tsn) {
			net = lchk->whoTo;
			net->ecn_prev_cwnd = lchk->rec.data.cwnd_at_send;
			break;
		}
		if (SCTP_TSN_GT(lchk->rec.data.tsn, tsn)) {
			break;
		}
	}
	if (net == NULL) {
		/*
		 * What to do. A previous send of a
		 * CWR was possibly lost. See how old it is, we
		 * may have it marked on the actual net.
		 */
		TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
			if (tsn == net->last_cwr_tsn) {
				/* Found him, send it off */
				break;
			}
		}
		if (net == NULL) {
			/*
			 * If we reach here, we need to send a special
			 * CWR that says hey, we did this a long time
			 * ago and you lost the response.
			 */
			net = TAILQ_FIRST(&stcb->asoc.nets);
			if (net == NULL) {
				/* TSNH */
				return;
			}
			override_bit = SCTP_CWR_REDUCE_OVERRIDE;
		} else {
			override_bit = 0;
		}
	} else {
		override_bit = 0;
	}
	if (SCTP_TSN_GT(tsn, net->cwr_window_tsn) &&
	    ((override_bit&SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
		/* JRS - Use the congestion control given in the pluggable CC module */
		stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 0, pkt_cnt);
		/*
		 * We reduce once every RTT. So we will only lower cwnd at
		 * the next sending seq i.e. the window_data_tsn
		 */
		net->cwr_window_tsn = window_data_tsn;
		net->ecn_ce_pkt_cnt += pkt_cnt;
		net->lost_cnt = pkt_cnt;
		net->last_cwr_tsn = tsn;
	} else {
		override_bit |= SCTP_CWR_IN_SAME_WINDOW;
		if (SCTP_TSN_GT(tsn, net->last_cwr_tsn) &&
		    ((override_bit&SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
			/*
			 * Another loss in the same window update how
			 * many marks/packets lost we have had.
			 */
			int cnt = 1;
			if (pkt_cnt > net->lost_cnt) {
				/* Should be the case */
				cnt = (pkt_cnt - net->lost_cnt);
				net->ecn_ce_pkt_cnt += cnt;
			}
			net->lost_cnt = pkt_cnt;
			net->last_cwr_tsn = tsn;
			/*
			 * Most CC functions will ignore this call, since we are in-window
			 * yet of the initial CE the peer saw.
			 */
			stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 1, cnt);
		}
	}
	/*
	 * We always send a CWR this way if our previous one was lost our
	 * peer will get an update, or if it is not time again to reduce we
	 * still get the cwr to the peer. Note we set the override when we
	 * could not find the TSN on the chunk or the destination network.
	 */
	sctp_send_cwr(stcb, net, net->last_cwr_tsn, override_bit);
}

static void
sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb, struct sctp_nets *net)
{
	/*
	 * Here we get a CWR from the peer. We must look in the outqueue and
	 * make sure that we have a covered ECNE in the control chunk part.
	 * If so remove it.
	 */
	struct sctp_tmit_chunk *chk, *nchk;
	struct sctp_ecne_chunk *ecne;
	int override;
	uint32_t cwr_tsn;

	cwr_tsn = ntohl(cp->tsn);
	override = cp->ch.chunk_flags & SCTP_CWR_REDUCE_OVERRIDE;
	TAILQ_FOREACH_SAFE(chk, &stcb->asoc.control_send_queue, sctp_next, nchk) {
		if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
			continue;
		}
		if ((override == 0) && (chk->whoTo != net)) {
			/* Must be from the right src unless override is set */
			continue;
		}
		ecne = mtod(chk->data, struct sctp_ecne_chunk *);
		if (SCTP_TSN_GE(cwr_tsn, ntohl(ecne->tsn))) {
			/* this covers this ECNE, we can remove it */
			stcb->asoc.ecn_echo_cnt_onq--;
			TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
			    sctp_next);
			stcb->asoc.ctrl_queue_cnt--;
			sctp_m_freem(chk->data);
			chk->data = NULL;
			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
			if (override == 0) {
				break;
			}
		}
	}
}

static void
sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp SCTP_UNUSED,
    struct sctp_tcb *stcb, struct sctp_nets *net)
{
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;
#endif

	SCTPDBG(SCTP_DEBUG_INPUT2,
		"sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
	if (stcb == NULL)
		return;

	/* process according to association state */
	if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
		/* unexpected SHUTDOWN-COMPLETE... so ignore... */
		SCTPDBG(SCTP_DEBUG_INPUT2,
			"sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
		SCTP_TCB_UNLOCK(stcb);
		return;
	}
	/* notify upper layer protocol */
	if (stcb->sctp_socket) {
		sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
	}
#ifdef INVARIANTS
	if (!TAILQ_EMPTY(&stcb->asoc.send_queue) ||
	    !TAILQ_EMPTY(&stcb->asoc.sent_queue) ||
	    sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED)) {
		panic("Queues are not empty when handling SHUTDOWN-COMPLETE");
	}
#endif
	/* stop the timer */
	sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net,
	                SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
	SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
	/* free the TCB */
	SCTPDBG(SCTP_DEBUG_INPUT2,
		"sctp_handle_shutdown_complete: calls free-asoc\n");
#if defined(__APPLE__) && !defined(__Userspace__)
	so = SCTP_INP_SO(stcb->sctp_ep);
	atomic_add_int(&stcb->asoc.refcnt, 1);
	SCTP_TCB_UNLOCK(stcb);
	SCTP_SOCKET_LOCK(so, 1);
	SCTP_TCB_LOCK(stcb);
	atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
	(void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
	                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
#if defined(__APPLE__) && !defined(__Userspace__)
	SCTP_SOCKET_UNLOCK(so, 1);
#endif
	return;
}

static int
process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
    struct sctp_nets *net, uint8_t flg)
{
	switch (desc->chunk_type) {
	case SCTP_DATA:
	case SCTP_IDATA:
		/* find the tsn to resend (possibly) */
	{
		uint32_t tsn;
		struct sctp_tmit_chunk *tp1;

		tsn = ntohl(desc->tsn_ifany);
		TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
			if (tp1->rec.data.tsn == tsn) {
				/* found it */
				break;
			}
			if (SCTP_TSN_GT(tp1->rec.data.tsn, tsn)) {
				/* not found */
				tp1 = NULL;
				break;
			}
		}
		if (tp1 == NULL) {
			/*
			 * Do it the other way , aka without paying
			 * attention to queue seq order.
			 */
			SCTP_STAT_INCR(sctps_pdrpdnfnd);
			TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
				if (tp1->rec.data.tsn == tsn) {
					/* found it */
					break;
				}
			}
		}
		if (tp1 == NULL) {
			SCTP_STAT_INCR(sctps_pdrptsnnf);
		}
		if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
			if (((flg & SCTP_BADCRC) == 0) &&
			    ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
				return (0);
			}
			if ((stcb->asoc.peers_rwnd == 0) &&
			    ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
				SCTP_STAT_INCR(sctps_pdrpdiwnp);
				return (0);
			}
			if (stcb->asoc.peers_rwnd == 0 &&
			    (flg & SCTP_FROM_MIDDLE_BOX)) {
				SCTP_STAT_INCR(sctps_pdrpdizrw);
				return (0);
			}
			if ((uint32_t)SCTP_BUF_LEN(tp1->data) <
			    SCTP_DATA_CHUNK_OVERHEAD(stcb) + SCTP_NUM_DB_TO_VERIFY) {
				/* Payload not matching. */
				SCTP_STAT_INCR(sctps_pdrpbadd);
				return (-1);
			}
			if (memcmp(mtod(tp1->data, caddr_t) + SCTP_DATA_CHUNK_OVERHEAD(stcb),
			           desc->data_bytes, SCTP_NUM_DB_TO_VERIFY) != 0) {
				/* Payload not matching. */
				SCTP_STAT_INCR(sctps_pdrpbadd);
				return (-1);
			}
			if (tp1->do_rtt) {
				/*
				 * this guy had a RTO calculation
				 * pending on it, cancel it
				 */
				if (tp1->whoTo->rto_needed == 0) {
					tp1->whoTo->rto_needed = 1;
				}
				tp1->do_rtt = 0;
			}
			SCTP_STAT_INCR(sctps_pdrpmark);
			if (tp1->sent != SCTP_DATAGRAM_RESEND)
				sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
			/*
			 * mark it as if we were doing a FR, since
			 * we will be getting gap ack reports behind
			 * the info from the router.
			 */
			tp1->rec.data.doing_fast_retransmit = 1;
			/*
			 * mark the tsn with what sequences can
			 * cause a new FR.
			 */
			if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
				tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
			} else {
				tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.tsn;
			}

			/* restart the timer */
			sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
					stcb, tp1->whoTo,
			                SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
			sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
					 stcb, tp1->whoTo);

			/* fix counts and things */
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
				sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
					       tp1->whoTo->flight_size,
					       tp1->book_size,
					       (uint32_t)(uintptr_t)stcb,
					       tp1->rec.data.tsn);
			}
			if (tp1->sent < SCTP_DATAGRAM_RESEND) {
				sctp_flight_size_decrease(tp1);
				sctp_total_flight_decrease(stcb, tp1);
			}
			tp1->sent = SCTP_DATAGRAM_RESEND;
		} {
			/* audit code */
			unsigned int audit;

			audit = 0;
			TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
				if (tp1->sent == SCTP_DATAGRAM_RESEND)
					audit++;
			}
			TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
				      sctp_next) {
				if (tp1->sent == SCTP_DATAGRAM_RESEND)
					audit++;
			}
			if (audit != stcb->asoc.sent_queue_retran_cnt) {
				SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
					    audit, stcb->asoc.sent_queue_retran_cnt);
#ifndef SCTP_AUDITING_ENABLED
				stcb->asoc.sent_queue_retran_cnt = audit;
#endif
			}
		}
	}
	break;
	case SCTP_ASCONF:
	{
		struct sctp_tmit_chunk *asconf;

		TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
			      sctp_next) {
			if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
				break;
			}
		}
		if (asconf) {
			if (asconf->sent != SCTP_DATAGRAM_RESEND)
				sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
			asconf->sent = SCTP_DATAGRAM_RESEND;
			asconf->snd_count--;
		}
	}
	break;
	case SCTP_INITIATION:
		/* resend the INIT */
		stcb->asoc.dropped_special_cnt++;
		if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
			/*
			 * If we can get it in, in a few attempts we do
			 * this, otherwise we let the timer fire.
			 */
			sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
					stcb, net,
			                SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
			sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
		}
		break;
	case SCTP_SELECTIVE_ACK:
	case SCTP_NR_SELECTIVE_ACK:
		/* resend the sack */
		sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
		break;
	case SCTP_HEARTBEAT_REQUEST:
		/* resend a demand HB */
		if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
			/* Only retransmit if we KNOW we wont destroy the tcb */
			sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
		}
		break;
	case SCTP_SHUTDOWN:
		sctp_send_shutdown(stcb, net);
		break;
	case SCTP_SHUTDOWN_ACK:
		sctp_send_shutdown_ack(stcb, net);
		break;
	case SCTP_COOKIE_ECHO:
	{
		struct sctp_tmit_chunk *cookie;

		cookie = NULL;
		TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
			      sctp_next) {
			if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
				break;
			}
		}
		if (cookie) {
			if (cookie->sent != SCTP_DATAGRAM_RESEND)
				sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
			cookie->sent = SCTP_DATAGRAM_RESEND;
			sctp_stop_all_cookie_timers(stcb);
		}
	}
	break;
	case SCTP_COOKIE_ACK:
		sctp_send_cookie_ack(stcb);
		break;
	case SCTP_ASCONF_ACK:
		/* resend last asconf ack */
		sctp_send_asconf_ack(stcb);
		break;
	case SCTP_IFORWARD_CUM_TSN:
	case SCTP_FORWARD_CUM_TSN:
		send_forward_tsn(stcb, &stcb->asoc);
		break;
		/* can't do anything with these */
	case SCTP_PACKET_DROPPED:
	case SCTP_INITIATION_ACK:	/* this should not happen */
	case SCTP_HEARTBEAT_ACK:
	case SCTP_ABORT_ASSOCIATION:
	case SCTP_OPERATION_ERROR:
	case SCTP_SHUTDOWN_COMPLETE:
	case SCTP_ECN_ECHO:
	case SCTP_ECN_CWR:
	default:
		break;
	}
	return (0);
}

void
sctp_reset_in_stream(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
{
	uint32_t i;
	uint16_t temp;

	/*
	 * We set things to 0xffffffff since this is the last delivered sequence
	 * and we will be sending in 0 after the reset.
	 */

	if (number_entries) {
		for (i = 0; i < number_entries; i++) {
			temp = ntohs(list[i]);
			if (temp >= stcb->asoc.streamincnt) {
				continue;
			}
			stcb->asoc.strmin[temp].last_mid_delivered = 0xffffffff;
		}
	} else {
		list = NULL;
		for (i = 0; i < stcb->asoc.streamincnt; i++) {
			stcb->asoc.strmin[i].last_mid_delivered = 0xffffffff;
		}
	}
	sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
}

static void
sctp_reset_out_streams(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
{
	uint32_t i;
	uint16_t temp;

	if (number_entries > 0) {
		for (i = 0; i < number_entries; i++) {
			temp = ntohs(list[i]);
			if (temp >= stcb->asoc.streamoutcnt) {
				/* no such stream */
				continue;
			}
			stcb->asoc.strmout[temp].next_mid_ordered = 0;
			stcb->asoc.strmout[temp].next_mid_unordered = 0;
		}
	} else {
		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
			stcb->asoc.strmout[i].next_mid_ordered = 0;
			stcb->asoc.strmout[i].next_mid_unordered = 0;
		}
	}
	sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
}

static void
sctp_reset_clear_pending(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
{
	uint32_t i;
	uint16_t temp;

	if (number_entries > 0) {
		for (i = 0; i < number_entries; i++) {
			temp = ntohs(list[i]);
			if (temp >= stcb->asoc.streamoutcnt) {
				/* no such stream */
				continue;
			}
			stcb->asoc.strmout[temp].state = SCTP_STREAM_OPEN;
		}
	} else {
		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
			stcb->asoc.strmout[i].state = SCTP_STREAM_OPEN;
		}
	}
}

struct sctp_stream_reset_request *
sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
{
	struct sctp_association *asoc;
	struct sctp_chunkhdr *ch;
	struct sctp_stream_reset_request *r;
	struct sctp_tmit_chunk *chk;
	int len, clen;

	asoc = &stcb->asoc;
	chk = asoc->str_reset;
	if (TAILQ_EMPTY(&asoc->control_send_queue) ||
	    (chk == NULL)) {
		asoc->stream_reset_outstanding = 0;
		return (NULL);
	}
	if (chk->data == NULL) {
		return (NULL);
	}
	if (bchk != NULL) {
		/* he wants a copy of the chk pointer */
		*bchk = chk;
	}
	clen = chk->send_size;
	ch = mtod(chk->data, struct sctp_chunkhdr *);
	r = (struct sctp_stream_reset_request *)(ch + 1);
	if (ntohl(r->request_seq) == seq) {
		/* found it */
		return (r);
	}
	len = SCTP_SIZE32(ntohs(r->ph.param_length));
	if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
		/* move to the next one, there can only be a max of two */
		r = (struct sctp_stream_reset_request *)((caddr_t)r + len);
		if (ntohl(r->request_seq) == seq) {
			return (r);
		}
	}
	/* that seq is not here */
	return (NULL);
}

static void
sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
{
	struct sctp_association *asoc;
	struct sctp_tmit_chunk *chk;

	asoc = &stcb->asoc;
	chk = asoc->str_reset;
	if (chk == NULL) {
		return;
	}
	asoc->str_reset = NULL;
	sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb,
	                NULL, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28);
	TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
	asoc->ctrl_queue_cnt--;
	if (chk->data) {
		sctp_m_freem(chk->data);
		chk->data = NULL;
	}
	sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
}

static int
sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
				  uint32_t seq, uint32_t action,
				  struct sctp_stream_reset_response *respin)
{
	uint16_t type;
	int lparam_len;
	struct sctp_association *asoc = &stcb->asoc;
	struct sctp_tmit_chunk *chk;
	struct sctp_stream_reset_request *req_param;
	struct sctp_stream_reset_out_request *req_out_param;
	struct sctp_stream_reset_in_request *req_in_param;
	uint32_t number_entries;

	if (asoc->stream_reset_outstanding == 0) {
		/* duplicate */
		return (0);
	}
	if (seq == stcb->asoc.str_reset_seq_out) {
		req_param = sctp_find_stream_reset(stcb, seq, &chk);
		if (req_param != NULL) {
			stcb->asoc.str_reset_seq_out++;
			type = ntohs(req_param->ph.param_type);
			lparam_len = ntohs(req_param->ph.param_length);
			if (type == SCTP_STR_RESET_OUT_REQUEST) {
				int no_clear = 0;

				req_out_param = (struct sctp_stream_reset_out_request *)req_param;
				number_entries = (lparam_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
				asoc->stream_reset_out_is_outstanding = 0;
				if (asoc->stream_reset_outstanding)
					asoc->stream_reset_outstanding--;
				if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
					/* do it */
					sctp_reset_out_streams(stcb, number_entries, req_out_param->list_of_streams);
				} else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
					sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED);
				} else if (action == SCTP_STREAM_RESET_RESULT_IN_PROGRESS) {
					/* Set it up so we don't stop retransmitting */
					asoc->stream_reset_outstanding++;
					stcb->asoc.str_reset_seq_out--;
					asoc->stream_reset_out_is_outstanding = 1;
					no_clear = 1;
				} else {
					sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED);
				}
				if (no_clear == 0) {
					sctp_reset_clear_pending(stcb, number_entries, req_out_param->list_of_streams);
				}
			} else if (type == SCTP_STR_RESET_IN_REQUEST) {
				req_in_param = (struct sctp_stream_reset_in_request *)req_param;
				number_entries = (lparam_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
				if (asoc->stream_reset_outstanding)
					asoc->stream_reset_outstanding--;
				if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
					sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_IN, stcb,
							number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED);
				} else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
					sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb,
							number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED);
				}
			} else if (type == SCTP_STR_RESET_ADD_OUT_STREAMS) {
				/* Ok we now may have more streams */
				int num_stream;

				num_stream = stcb->asoc.strm_pending_add_size;
				if (num_stream > (stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt)) {
					/* TSNH */
					num_stream = stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt;
				}
				stcb->asoc.strm_pending_add_size = 0;
				if (asoc->stream_reset_outstanding)
					asoc->stream_reset_outstanding--;
				if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
					/* Put the new streams into effect */
					int i;
					for (i = asoc->streamoutcnt; i < (asoc->streamoutcnt + num_stream); i++) {
						asoc->strmout[i].state = SCTP_STREAM_OPEN;
					}
					asoc->streamoutcnt += num_stream;
					sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
				} else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
					sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
								     SCTP_STREAM_CHANGE_DENIED);
				} else {
					sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
								     SCTP_STREAM_CHANGE_FAILED);
				}
			} else if (type == SCTP_STR_RESET_ADD_IN_STREAMS) {
				if (asoc->stream_reset_outstanding)
					asoc->stream_reset_outstanding--;
				if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
					sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
								     SCTP_STREAM_CHANGE_DENIED);
				} else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
					sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
								     SCTP_STREAM_CHANGE_FAILED);
				}
			} else if (type == SCTP_STR_RESET_TSN_REQUEST) {
				/**
				 * a) Adopt the new in tsn.
				 * b) reset the map
				 * c) Adopt the new out-tsn
				 */
				struct sctp_stream_reset_response_tsn *resp;
				struct sctp_forward_tsn_chunk fwdtsn;
				int abort_flag = 0;
				if (respin == NULL) {
					/* huh ? */
					return (0);
				}
				if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) {
					return (0);
				}
				if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
					resp = (struct sctp_stream_reset_response_tsn *)respin;
					asoc->stream_reset_outstanding--;
					fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
					fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
					fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
					sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
					if (abort_flag) {
						return (1);
					}
					stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
						sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
					}

					stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
					stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
					memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);

					stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
					memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);

					stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
					stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;

					sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
					sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
					sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1), 0);
				} else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
					sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
								     SCTP_ASSOC_RESET_DENIED);
				} else {
					sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
								     SCTP_ASSOC_RESET_FAILED);
				}
			}
			/* get rid of the request and get the request flags */
			if (asoc->stream_reset_outstanding == 0) {
				sctp_clean_up_stream_reset(stcb);
			}
		}
	}
	if (asoc->stream_reset_outstanding == 0) {
		sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED);
	}
	return (0);
}

static void
sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
    struct sctp_tmit_chunk *chk,
    struct sctp_stream_reset_in_request *req, int trunc)
{
	uint32_t seq;
	int len, i;
	int number_entries;
	uint16_t temp;

	/*
	 * peer wants me to send a str-reset to him for my outgoing seq's if
	 * seq_in is right.
	 */
	struct sctp_association *asoc = &stcb->asoc;

	seq = ntohl(req->request_seq);
	if (asoc->str_reset_seq_in == seq) {
		asoc->last_reset_action[1] = asoc->last_reset_action[0];
		if ((asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ) == 0) {
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else if (trunc) {
			/* Can't do it, since they exceeded our buffer size  */
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
			len = ntohs(req->ph.param_length);
			number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
			if (number_entries) {
				for (i = 0; i < number_entries; i++) {
					temp = ntohs(req->list_of_streams[i]);
					if (temp >= stcb->asoc.streamoutcnt) {
						asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
						goto bad_boy;
					}
					req->list_of_streams[i] = temp;
				}
				for (i = 0; i < number_entries; i++) {
					if (stcb->asoc.strmout[req->list_of_streams[i]].state == SCTP_STREAM_OPEN) {
						stcb->asoc.strmout[req->list_of_streams[i]].state = SCTP_STREAM_RESET_PENDING;
					}
				}
			} else {
				/* Its all */
				for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
					if (stcb->asoc.strmout[i].state == SCTP_STREAM_OPEN)
						stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_PENDING;
				}
			}
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
		} else {
			/* Can't do it, since we have sent one out */
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
		}
	bad_boy:
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
		asoc->str_reset_seq_in++;
	} else if (asoc->str_reset_seq_in - 1 == seq) {
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
	} else if (asoc->str_reset_seq_in - 2 == seq) {
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
	} else {
		sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
	}
	sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED);
}

static int
sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
    struct sctp_tmit_chunk *chk,
    struct sctp_stream_reset_tsn_request *req)
{
	/* reset all in and out and update the tsn */
	/*
	 * A) reset my str-seq's on in and out. B) Select a receive next,
	 * and set cum-ack to it. Also process this selected number as a
	 * fwd-tsn as well. C) set in the response my next sending seq.
	 */
	struct sctp_forward_tsn_chunk fwdtsn;
	struct sctp_association *asoc = &stcb->asoc;
	int abort_flag = 0;
	uint32_t seq;

	seq = ntohl(req->request_seq);
	if (asoc->str_reset_seq_in == seq) {
		asoc->last_reset_action[1] = stcb->asoc.last_reset_action[0];
		if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) {
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else {
			fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
			fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
			fwdtsn.ch.chunk_flags = 0;
			fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
			sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
			if (abort_flag) {
				return (1);
			}
			asoc->highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
				sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
			}
			asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->highest_tsn_inside_map;
			asoc->mapping_array_base_tsn = asoc->highest_tsn_inside_map + 1;
			memset(asoc->mapping_array, 0, asoc->mapping_array_size);
			asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
			memset(asoc->nr_mapping_array, 0, asoc->mapping_array_size);
			atomic_add_int(&asoc->sending_seq, 1);
			/* save off historical data for retrans */
			asoc->last_sending_seq[1] = asoc->last_sending_seq[0];
			asoc->last_sending_seq[0] = asoc->sending_seq;
			asoc->last_base_tsnsent[1] = asoc->last_base_tsnsent[0];
			asoc->last_base_tsnsent[0] = asoc->mapping_array_base_tsn;
			sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
			sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
			sctp_notify_stream_reset_tsn(stcb, asoc->sending_seq, (asoc->mapping_array_base_tsn + 1), 0);
		}
		sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
		                                 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
		asoc->str_reset_seq_in++;
	} else if (asoc->str_reset_seq_in - 1 == seq) {
		sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
		                                 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
	} else if (asoc->str_reset_seq_in - 2 == seq) {
		sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
		                                 asoc->last_sending_seq[1], asoc->last_base_tsnsent[1]);
	} else {
		sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
	}
	return (0);
}

static void
sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
    struct sctp_tmit_chunk *chk,
    struct sctp_stream_reset_out_request *req, int trunc)
{
	uint32_t seq, tsn;
	int number_entries, len;
	struct sctp_association *asoc = &stcb->asoc;

	seq = ntohl(req->request_seq);

	/* now if its not a duplicate we process it */
	if (asoc->str_reset_seq_in == seq) {
		len = ntohs(req->ph.param_length);
		number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
		/*
		 * the sender is resetting, handle the list issue.. we must
		 * a) verify if we can do the reset, if so no problem b) If
		 * we can't do the reset we must copy the request. c) queue
		 * it, and setup the data in processor to trigger it off
		 * when needed and dequeue all the queued data.
		 */
		tsn = ntohl(req->send_reset_at_tsn);

		/* move the reset action back one */
		asoc->last_reset_action[1] = asoc->last_reset_action[0];
		if ((asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ) == 0) {
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else if (trunc) {
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
			/* we can do it now */
			sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
		} else {
			/*
			 * we must queue it up and thus wait for the TSN's
			 * to arrive that are at or before tsn
			 */
			struct sctp_stream_reset_list *liste;
			int siz;

			siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
			SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
				    siz, SCTP_M_STRESET);
			if (liste == NULL) {
				/* gak out of memory */
				asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
				sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
				return;
			}
			liste->seq = seq;
			liste->tsn = tsn;
			liste->number_entries = number_entries;
			memcpy(&liste->list_of_streams, req->list_of_streams, number_entries * sizeof(uint16_t));
			TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_IN_PROGRESS;
		}
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
		asoc->str_reset_seq_in++;
	} else if ((asoc->str_reset_seq_in - 1) == seq) {
		/*
		 * one seq back, just echo back last action since my
		 * response was lost.
		 */
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
	} else if ((asoc->str_reset_seq_in - 2) == seq) {
		/*
		 * two seq back, just echo back last action since my
		 * response was lost.
		 */
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
	} else {
		sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
	}
}

static void
sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
			       struct sctp_stream_reset_add_strm  *str_add)
{
	/*
	 * Peer is requesting to add more streams.
	 * If its within our max-streams we will
	 * allow it.
	 */
	uint32_t num_stream, i;
	uint32_t seq;
	struct sctp_association *asoc = &stcb->asoc;
	struct sctp_queued_to_read *ctl, *nctl;

	/* Get the number. */
	seq = ntohl(str_add->request_seq);
	num_stream = ntohs(str_add->number_of_streams);
	/* Now what would be the new total? */
	if (asoc->str_reset_seq_in == seq) {
		num_stream += stcb->asoc.streamincnt;
		stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
		if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) {
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else if ((num_stream > stcb->asoc.max_inbound_streams) ||
		           (num_stream > 0xffff)) {
			/* We must reject it they ask for to many */
  denied:
			stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else {
			/* Ok, we can do that :-) */
			struct sctp_stream_in *oldstrm;

			/* save off the old */
			oldstrm = stcb->asoc.strmin;
			SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *,
			            (num_stream * sizeof(struct sctp_stream_in)),
			            SCTP_M_STRMI);
			if (stcb->asoc.strmin == NULL) {
				stcb->asoc.strmin = oldstrm;
				goto denied;
			}
			/* copy off the old data */
			for (i = 0; i < stcb->asoc.streamincnt; i++) {
				TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
				TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue);
				stcb->asoc.strmin[i].sid = i;
				stcb->asoc.strmin[i].last_mid_delivered = oldstrm[i].last_mid_delivered;
				stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started;
				stcb->asoc.strmin[i].pd_api_started = oldstrm[i].pd_api_started;
				/* now anything on those queues? */
				TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].inqueue, next_instrm, nctl) {
					TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next_instrm);
					TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next_instrm);
				}
				TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].uno_inqueue, next_instrm, nctl) {
					TAILQ_REMOVE(&oldstrm[i].uno_inqueue, ctl, next_instrm);
					TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].uno_inqueue, ctl, next_instrm);
				}
			}
			/* Init the new streams */
			for (i = stcb->asoc.streamincnt; i < num_stream; i++) {
				TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
				TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue);
				stcb->asoc.strmin[i].sid = i;
				stcb->asoc.strmin[i].last_mid_delivered = 0xffffffff;
				stcb->asoc.strmin[i].pd_api_started = 0;
				stcb->asoc.strmin[i].delivery_started = 0;
			}
			SCTP_FREE(oldstrm, SCTP_M_STRMI);
			/* update the size */
			stcb->asoc.streamincnt = num_stream;
			stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
			sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
		}
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
		asoc->str_reset_seq_in++;
	} else if ((asoc->str_reset_seq_in - 1) == seq) {
		/*
		 * one seq back, just echo back last action since my
		 * response was lost.
		 */
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
	} else if ((asoc->str_reset_seq_in - 2) == seq) {
		/*
		 * two seq back, just echo back last action since my
		 * response was lost.
		 */
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
	} else {
		sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
	}
}

static void
sctp_handle_str_reset_add_out_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
				   struct sctp_stream_reset_add_strm  *str_add)
{
	/*
	 * Peer is requesting to add more streams.
	 * If its within our max-streams we will
	 * allow it.
	 */
	uint16_t num_stream;
	uint32_t seq;
	struct sctp_association *asoc = &stcb->asoc;

	/* Get the number. */
	seq = ntohl(str_add->request_seq);
	num_stream = ntohs(str_add->number_of_streams);
	/* Now what would be the new total? */
	if (asoc->str_reset_seq_in == seq) {
		stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
		if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) {
			asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
		} else if (stcb->asoc.stream_reset_outstanding) {
			/* We must reject it we have something pending */
			stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
		} else {
			/* Ok, we can do that :-) */
			int mychk;
			mychk = stcb->asoc.streamoutcnt;
			mychk += num_stream;
			if (mychk < 0x10000) {
				stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
				if (sctp_send_str_reset_req(stcb, 0, NULL, 0, 0, 1, num_stream, 0, 1)) {
					stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
				}
			} else {
				stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
			}
		}
		sctp_add_stream_reset_result(chk, seq, stcb->asoc.last_reset_action[0]);
		asoc->str_reset_seq_in++;
	} else if ((asoc->str_reset_seq_in - 1) == seq) {
		/*
		 * one seq back, just echo back last action since my
		 * response was lost.
		 */
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
	} else if ((asoc->str_reset_seq_in - 2) == seq) {
		/*
		 * two seq back, just echo back last action since my
		 * response was lost.
		 */
		sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
	} else {
		sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
	}
}

#ifdef __GNUC__
__attribute__ ((noinline))
#endif
static int
sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
			 struct sctp_chunkhdr *ch_req)
{
	uint16_t remaining_length, param_len, ptype;
	struct sctp_paramhdr pstore;
	uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
	uint32_t seq = 0;
	int num_req = 0;
	int trunc = 0;
	struct sctp_tmit_chunk *chk;
	struct sctp_chunkhdr *ch;
	struct sctp_paramhdr *ph;
	int ret_code = 0;
	int num_param = 0;

	/* now it may be a reset or a reset-response */
	remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);

	/* setup for adding the response */
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		return (ret_code);
	}
	chk->copy_by_ref = 0;
	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
	chk->rec.chunk_id.can_take_data = 0;
	chk->flags = 0;
	chk->asoc = &stcb->asoc;
	chk->no_fr_allowed = 0;
	chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
	chk->book_size_scale = 0;
	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
	if (chk->data == NULL) {
	strres_nochunk:
		if (chk->data) {
			sctp_m_freem(chk->data);
			chk->data = NULL;
		}
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		return (ret_code);
	}
	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);

	/* setup chunk parameters */
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	chk->whoTo = NULL;

	ch = mtod(chk->data, struct sctp_chunkhdr *);
	ch->chunk_type = SCTP_STREAM_RESET;
	ch->chunk_flags = 0;
	ch->chunk_length = htons(chk->send_size);
	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
	offset += sizeof(struct sctp_chunkhdr);
	while (remaining_length >= sizeof(struct sctp_paramhdr)) {
		ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *)&pstore);
		if (ph == NULL) {
			/* TSNH */
			break;
		}
		param_len = ntohs(ph->param_length);
		if ((param_len > remaining_length) ||
		    (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) {
			/* bad parameter length */
			break;
		}
		ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)),
							   (uint8_t *)&cstore);
		if (ph == NULL) {
			/* TSNH */
			break;
		}
		ptype = ntohs(ph->param_type);
		num_param++;
		if (param_len > sizeof(cstore)) {
			trunc = 1;
		} else {
			trunc = 0;
		}
		if (num_param > SCTP_MAX_RESET_PARAMS) {
			/* hit the max of parameters already sorry.. */
			break;
		}
		if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
			struct sctp_stream_reset_out_request *req_out;

			if (param_len < sizeof(struct sctp_stream_reset_out_request)) {
				break;
			}
			req_out = (struct sctp_stream_reset_out_request *)ph;
			num_req++;
			if (stcb->asoc.stream_reset_outstanding) {
				seq = ntohl(req_out->response_seq);
				if (seq == stcb->asoc.str_reset_seq_out) {
					/* implicit ack */
					(void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_RESULT_PERFORMED, NULL);
				}
			}
			sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
		} else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
			struct sctp_stream_reset_add_strm  *str_add;

			if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
				break;
			}
			str_add = (struct sctp_stream_reset_add_strm  *)ph;
			num_req++;
			sctp_handle_str_reset_add_strm(stcb, chk, str_add);
		} else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
			struct sctp_stream_reset_add_strm  *str_add;

			if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
				break;
			}
			str_add = (struct sctp_stream_reset_add_strm  *)ph;
			num_req++;
			sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
		} else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
			struct sctp_stream_reset_in_request *req_in;

			num_req++;
			req_in = (struct sctp_stream_reset_in_request *)ph;
			sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
		} else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
			struct sctp_stream_reset_tsn_request *req_tsn;

			num_req++;
			req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
			if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
				ret_code = 1;
				goto strres_nochunk;
			}
			/* no more */
			break;
		} else if (ptype == SCTP_STR_RESET_RESPONSE) {
			struct sctp_stream_reset_response *resp;
			uint32_t result;

			if (param_len < sizeof(struct sctp_stream_reset_response)) {
				break;
			}
			resp = (struct sctp_stream_reset_response *)ph;
			seq = ntohl(resp->response_seq);
			result = ntohl(resp->result);
			if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
				ret_code = 1;
				goto strres_nochunk;
			}
		} else {
			break;
		}
		offset += SCTP_SIZE32(param_len);
		if (remaining_length >= SCTP_SIZE32(param_len)) {
			remaining_length -= SCTP_SIZE32(param_len);
		} else {
			remaining_length = 0;
		}
	}
	if (num_req == 0) {
		/* we have no response free the stuff */
		goto strres_nochunk;
	}
	/* ok we have a chunk to link in */
	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
			  chk,
			  sctp_next);
	stcb->asoc.ctrl_queue_cnt++;
	return (ret_code);
}

/*
 * Handle a router or endpoints report of a packet loss, there are two ways
 * to handle this, either we get the whole packet and must disect it
 * ourselves (possibly with truncation and or corruption) or it is a summary
 * from a middle box that did the disecting for us.
 */
static void
sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
    struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
{
	struct sctp_chunk_desc desc;
	struct sctp_chunkhdr *chk_hdr;
	struct sctp_data_chunk *data_chunk;
	struct sctp_idata_chunk *idata_chunk;
	uint32_t bottle_bw, on_queue;
	uint32_t offset, chk_len;
	uint16_t pktdrp_len;
	uint8_t pktdrp_flags;

	KASSERT(sizeof(struct sctp_pktdrop_chunk) <= limit,
	        ("PKTDROP chunk too small"));
	pktdrp_flags = cp->ch.chunk_flags;
	pktdrp_len = ntohs(cp->ch.chunk_length);
	KASSERT(limit <= pktdrp_len, ("Inconsistent limit"));
	if (pktdrp_flags & SCTP_PACKET_TRUNCATED) {
		if (ntohs(cp->trunc_len) <= pktdrp_len - sizeof(struct sctp_pktdrop_chunk)) {
			/* The peer plays games with us. */
			return;
		}
	}
	limit -= sizeof(struct sctp_pktdrop_chunk);
	offset = 0;
	if (offset == limit) {
		if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
			SCTP_STAT_INCR(sctps_pdrpbwrpt);
		}
	} else if (offset + sizeof(struct sctphdr) > limit) {
		/* Only a partial SCTP common header. */
		SCTP_STAT_INCR(sctps_pdrpcrupt);
		offset = limit;
	} else {
		/* XXX: Check embedded SCTP common header. */
		offset += sizeof(struct sctphdr);
	}
	/* Now parse through the chunks themselves. */
	while (offset < limit) {
		if (offset + sizeof(struct sctp_chunkhdr) > limit) {
			SCTP_STAT_INCR(sctps_pdrpcrupt);
			break;
		}
		chk_hdr = (struct sctp_chunkhdr *)(cp->data + offset);
		desc.chunk_type = chk_hdr->chunk_type;
		/* get amount we need to move */
		chk_len = (uint32_t)ntohs(chk_hdr->chunk_length);
		if (chk_len < sizeof(struct sctp_chunkhdr)) {
			/* Someone is lying... */
			break;
		}
		if (desc.chunk_type == SCTP_DATA) {
			if (stcb->asoc.idata_supported) {
				/* Some is playing games with us. */
				break;
			}
			if (chk_len <= sizeof(struct sctp_data_chunk)) {
				/* Some is playing games with us. */
				break;
			}
			if (chk_len < sizeof(struct sctp_data_chunk) + SCTP_NUM_DB_TO_VERIFY) {
				/* Not enough data bytes available in the chunk. */
				SCTP_STAT_INCR(sctps_pdrpnedat);
				goto next_chunk;
			}
			if (offset + sizeof(struct sctp_data_chunk) + SCTP_NUM_DB_TO_VERIFY > limit) {
				/* Not enough data in buffer. */
				break;
			}
			data_chunk = (struct sctp_data_chunk *)(cp->data + offset);
			memcpy(desc.data_bytes, data_chunk + 1, SCTP_NUM_DB_TO_VERIFY);
			desc.tsn_ifany = data_chunk->dp.tsn;
			if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
				SCTP_STAT_INCR(sctps_pdrpmbda);
			}
		} else if (desc.chunk_type == SCTP_IDATA) {
			if (!stcb->asoc.idata_supported) {
				/* Some is playing games with us. */
				break;
			}
			if (chk_len <= sizeof(struct sctp_idata_chunk)) {
				/* Some is playing games with us. */
				break;
			}
			if (chk_len < sizeof(struct sctp_idata_chunk) + SCTP_NUM_DB_TO_VERIFY) {
				/* Not enough data bytes available in the chunk. */
				SCTP_STAT_INCR(sctps_pdrpnedat);
				goto next_chunk;
			}
			if (offset + sizeof(struct sctp_idata_chunk) + SCTP_NUM_DB_TO_VERIFY > limit) {
				/* Not enough data in buffer. */
				break;
			}
			idata_chunk = (struct sctp_idata_chunk *)(cp->data + offset);
			memcpy(desc.data_bytes, idata_chunk + 1, SCTP_NUM_DB_TO_VERIFY);
			desc.tsn_ifany = idata_chunk->dp.tsn;
			if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
				SCTP_STAT_INCR(sctps_pdrpmbda);
			}
		} else {
			if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
				SCTP_STAT_INCR(sctps_pdrpmbct);
			}
		}
		if (process_chunk_drop(stcb, &desc, net, pktdrp_flags)) {
			SCTP_STAT_INCR(sctps_pdrppdbrk);
			break;
		}
next_chunk:
		offset += SCTP_SIZE32(chk_len);
	}
	/* Now update any rwnd --- possibly */
	if ((pktdrp_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
		/* From a peer, we get a rwnd report */
		uint32_t a_rwnd;

		SCTP_STAT_INCR(sctps_pdrpfehos);

		bottle_bw = ntohl(cp->bottle_bw);
		on_queue = ntohl(cp->current_onq);
		if (bottle_bw && on_queue) {
			/* a rwnd report is in here */
			if (bottle_bw > on_queue)
				a_rwnd = bottle_bw - on_queue;
			else
				a_rwnd = 0;

			if (a_rwnd == 0)
				stcb->asoc.peers_rwnd = 0;
			else {
				if (a_rwnd > stcb->asoc.total_flight) {
					stcb->asoc.peers_rwnd =
					    a_rwnd - stcb->asoc.total_flight;
				} else {
					stcb->asoc.peers_rwnd = 0;
				}
				if (stcb->asoc.peers_rwnd <
				    stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
					/* SWS sender side engages */
					stcb->asoc.peers_rwnd = 0;
				}
			}
		}
	} else {
		SCTP_STAT_INCR(sctps_pdrpfmbox);
	}

	/* now middle boxes in sat networks get a cwnd bump */
	if ((pktdrp_flags & SCTP_FROM_MIDDLE_BOX) &&
	    (stcb->asoc.sat_t3_loss_recovery == 0) &&
	    (stcb->asoc.sat_network)) {
		/*
		 * This is debatable but for sat networks it makes sense
		 * Note if a T3 timer has went off, we will prohibit any
		 * changes to cwnd until we exit the t3 loss recovery.
		 */
		stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
			net, cp, &bottle_bw, &on_queue);
	}
}

/*
 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
 * still contain IP/SCTP header - stcb: is the tcb found for this packet -
 * offset: offset into the mbuf chain to first chunkhdr - length: is the
 * length of the complete packet outputs: - length: modified to remaining
 * length after control processing - netp: modified to new sctp_nets after
 * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
 * bad packet,...) otherwise return the tcb for this packet
 */
#ifdef __GNUC__
__attribute__ ((noinline))
#endif
static struct sctp_tcb *
sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
    struct sockaddr *src, struct sockaddr *dst,
    struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
    struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
#if defined(__FreeBSD__) && !defined(__Userspace__)
    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
#endif
    uint32_t vrf_id, uint16_t port)
{
	struct sctp_association *asoc;
	struct mbuf *op_err;
	char msg[SCTP_DIAG_INFO_LEN];
	uint32_t vtag_in;
	int num_chunks = 0;	/* number of control chunks processed */
	uint32_t chk_length, contiguous;
	int ret;
	int abort_no_unlock = 0;
	int ecne_seen = 0;
	int abort_flag;
	/*
	 * How big should this be, and should it be alloc'd? Lets try the
	 * d-mtu-ceiling for now (2k) and that should hopefully work ...
	 * until we get into jumbo grams and such..
	 */
	uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
	int got_auth = 0;
	uint32_t auth_offset = 0, auth_len = 0;
	int auth_skipped = 0;
	int asconf_cnt = 0;
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;
#endif

	SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
		iphlen, *offset, length, (void *)stcb);

	if (stcb) {
		SCTP_TCB_LOCK_ASSERT(stcb);
	}
	/* validate chunk header length... */
	if (ntohs(ch->chunk_length) < sizeof(*ch)) {
		SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
			ntohs(ch->chunk_length));
		*offset = length;
		return (stcb);
	}
	/*
	 * validate the verification tag
	 */
	vtag_in = ntohl(sh->v_tag);

	if (ch->chunk_type == SCTP_INITIATION) {
		SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
			ntohs(ch->chunk_length), vtag_in);
		if (vtag_in != 0) {
			/* protocol error- silently discard... */
			SCTP_STAT_INCR(sctps_badvtag);
			if (stcb != NULL) {
				SCTP_TCB_UNLOCK(stcb);
			}
			return (NULL);
		}
	} else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
		/*
		 * If there is no stcb, skip the AUTH chunk and process
		 * later after a stcb is found (to validate the lookup was
		 * valid.
		 */
		if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
		    (stcb == NULL) &&
		    (inp->auth_supported == 1)) {
			/* save this chunk for later processing */
			auth_skipped = 1;
			auth_offset = *offset;
			auth_len = ntohs(ch->chunk_length);

			/* (temporarily) move past this chunk */
			*offset += SCTP_SIZE32(auth_len);
			if (*offset >= length) {
				/* no more data left in the mbuf chain */
				*offset = length;
				return (NULL);
			}
			ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
								   sizeof(struct sctp_chunkhdr), chunk_buf);
		}
		if (ch == NULL) {
			/* Help */
			*offset = length;
			return (stcb);
		}
		if (ch->chunk_type == SCTP_COOKIE_ECHO) {
			goto process_control_chunks;
		}
		/*
		 * first check if it's an ASCONF with an unknown src addr we
		 * need to look inside to find the association
		 */
		if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
			struct sctp_chunkhdr *asconf_ch = ch;
			uint32_t asconf_offset = 0, asconf_len = 0;

			/* inp's refcount may be reduced */
			SCTP_INP_INCR_REF(inp);

			asconf_offset = *offset;
			do {
				asconf_len = ntohs(asconf_ch->chunk_length);
				if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
					break;
				stcb = sctp_findassociation_ep_asconf(m,
				                                      *offset,
				                                      dst,
				                                      sh, &inp, netp, vrf_id);
				if (stcb != NULL)
					break;
				asconf_offset += SCTP_SIZE32(asconf_len);
				asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
										  sizeof(struct sctp_chunkhdr), chunk_buf);
			} while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
			if (stcb == NULL) {
				/*
				 * reduce inp's refcount if not reduced in
				 * sctp_findassociation_ep_asconf().
				 */
				SCTP_INP_DECR_REF(inp);
			}

			/* now go back and verify any auth chunk to be sure */
			if (auth_skipped && (stcb != NULL)) {
				struct sctp_auth_chunk *auth;

				if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
					auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
					got_auth = 1;
					auth_skipped = 0;
				} else {
					auth = NULL;
				}
				if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
								       auth_offset)) {
					/* auth HMAC failed so dump it */
					*offset = length;
					return (stcb);
				} else {
					/* remaining chunks are HMAC checked */
					stcb->asoc.authenticated = 1;
				}
			}
		}
		if (stcb == NULL) {
			SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             msg);
			/* no association, so it's out of the blue... */
			sctp_handle_ootb(m, iphlen, *offset, src, dst, sh, inp, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                 mflowtype, mflowid, inp->fibnum,
#endif
					 vrf_id, port);
			*offset = length;
			return (NULL);
		}
		asoc = &stcb->asoc;
		/* ABORT and SHUTDOWN can use either v_tag... */
		if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
		    (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
		    (ch->chunk_type == SCTP_PACKET_DROPPED)) {
			/* Take the T-bit always into account. */
			if ((((ch->chunk_flags & SCTP_HAD_NO_TCB) == 0) &&
			     (vtag_in == asoc->my_vtag)) ||
			    (((ch->chunk_flags & SCTP_HAD_NO_TCB) == SCTP_HAD_NO_TCB) &&
			     (asoc->peer_vtag != htonl(0)) &&
			     (vtag_in == asoc->peer_vtag))) {
				/* this is valid */
			} else {
				/* drop this packet... */
				SCTP_STAT_INCR(sctps_badvtag);
				if (stcb != NULL) {
					SCTP_TCB_UNLOCK(stcb);
				}
				return (NULL);
			}
		} else {
			/* for all other chunks, vtag must match */
			if (vtag_in != asoc->my_vtag) {
				/* invalid vtag... */
				SCTPDBG(SCTP_DEBUG_INPUT3,
					"invalid vtag: %xh, expect %xh\n",
					vtag_in, asoc->my_vtag);
				SCTP_STAT_INCR(sctps_badvtag);
				if (stcb != NULL) {
					SCTP_TCB_UNLOCK(stcb);
				}
				*offset = length;
				return (NULL);
			}
		}
	}			/* end if !SCTP_COOKIE_ECHO */
	/*
	 * process all control chunks...
	 */
	if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
	     (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) ||
	     (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
	    (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
		/* implied cookie-ack.. we must have lost the ack */
		sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
				       *netp);
	}

 process_control_chunks:
	while (IS_SCTP_CONTROL(ch)) {
		/* validate chunk length */
		chk_length = ntohs(ch->chunk_length);
		SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
			ch->chunk_type, chk_length);
		SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
		if (chk_length < sizeof(*ch) ||
		    (*offset + (int)chk_length) > length) {
			*offset = length;
			return (stcb);
		}
		SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
		/*
		 * INIT and INIT-ACK only gets the init ack "header" portion
		 * only because we don't have to process the peer's COOKIE.
		 * All others get a complete chunk.
		 */
		switch (ch->chunk_type) {
		case SCTP_INITIATION:
			contiguous = sizeof(struct sctp_init_chunk);
			break;
		case SCTP_INITIATION_ACK:
			contiguous = sizeof(struct sctp_init_ack_chunk);
			break;
		default:
			contiguous = min(chk_length, sizeof(chunk_buf));
			break;
		}
		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
		                                           contiguous,
		                                           chunk_buf);
		if (ch == NULL) {
			*offset = length;
			return (stcb);
		}

		num_chunks++;
		/* Save off the last place we got a control from */
		if (stcb != NULL) {
			if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
				/*
				 * allow last_control to be NULL if
				 * ASCONF... ASCONF processing will find the
				 * right net later
				 */
				if ((netp != NULL) && (*netp != NULL))
					stcb->asoc.last_control_chunk_from = *netp;
			}
		}
#ifdef SCTP_AUDITING_ENABLED
		sctp_audit_log(0xB0, ch->chunk_type);
#endif

		/* check to see if this chunk required auth, but isn't */
		if ((stcb != NULL) &&
		    sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
		    !stcb->asoc.authenticated) {
			/* "silently" ignore */
			SCTP_STAT_INCR(sctps_recvauthmissing);
			goto next_chunk;
		}
		switch (ch->chunk_type) {
		case SCTP_INITIATION:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
			/* The INIT chunk must be the only chunk. */
			if ((num_chunks > 1) ||
			    (length - *offset > (int)SCTP_SIZE32(chk_length))) {
				/*
				 * RFC 4960bis requires stopping the
				 * processing of the packet.
				 */
				*offset = length;
				return (stcb);
			}
			/* Honor our resource limit. */
			if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
				op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
				sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
				                mflowtype, mflowid, inp->fibnum,
#endif
				                vrf_id, port);
				*offset = length;
				if (stcb != NULL) {
					SCTP_TCB_UNLOCK(stcb);
				}
				return (NULL);
			}
			sctp_handle_init(m, iphlen, *offset, src, dst, sh,
			                 (struct sctp_init_chunk *)ch, inp,
			                 stcb, *netp,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                 mflowtype, mflowid,
#endif
			                 vrf_id, port);
			*offset = length;
			if (stcb != NULL) {
				SCTP_TCB_UNLOCK(stcb);
			}
			return (NULL);
			break;
		case SCTP_PAD_CHUNK:
			break;
		case SCTP_INITIATION_ACK:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT_ACK\n");
			if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
				/* We are not interested anymore */
				if ((stcb != NULL) && (stcb->asoc.total_output_queue_size)) {
					;
				} else {
					*offset = length;
					if (stcb != NULL) {
#if defined(__APPLE__) && !defined(__Userspace__)
						so = SCTP_INP_SO(inp);
						atomic_add_int(&stcb->asoc.refcnt, 1);
						SCTP_TCB_UNLOCK(stcb);
						SCTP_SOCKET_LOCK(so, 1);
						SCTP_TCB_LOCK(stcb);
						atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
						(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
						                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
#if defined(__APPLE__) && !defined(__Userspace__)
						SCTP_SOCKET_UNLOCK(so, 1);
#endif
					}
					return (NULL);
				}
			}
			/* The INIT-ACK chunk must be the only chunk. */
			if ((num_chunks > 1) ||
			    (length - *offset > (int)SCTP_SIZE32(chk_length))) {
				*offset = length;
				return (stcb);
			}
			if ((netp != NULL) && (*netp != NULL)) {
				ret = sctp_handle_init_ack(m, iphlen, *offset,
				                           src, dst, sh,
				                           (struct sctp_init_ack_chunk *)ch,
				                           stcb, *netp,
				                           &abort_no_unlock,
#if defined(__FreeBSD__) && !defined(__Userspace__)
				                           mflowtype, mflowid,
#endif
				                           vrf_id);
			} else {
				ret = -1;
			}
			*offset = length;
			if (abort_no_unlock) {
				return (NULL);
			}
			/*
			 * Special case, I must call the output routine to
			 * get the cookie echoed
			 */
			if ((stcb != NULL) && (ret == 0)) {
				sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
			}
			return (stcb);
			break;
		case SCTP_SELECTIVE_ACK:
		case SCTP_NR_SELECTIVE_ACK:
		{
			int abort_now = 0;
			uint32_t a_rwnd, cum_ack;
			uint16_t num_seg, num_nr_seg, num_dup;
			uint8_t flags;
			int offset_seg, offset_dup;

			SCTPDBG(SCTP_DEBUG_INPUT3, "%s\n",
				ch->chunk_type == SCTP_SELECTIVE_ACK ? "SCTP_SACK" : "SCTP_NR_SACK");
			SCTP_STAT_INCR(sctps_recvsacks);
			if (stcb == NULL) {
				SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing %s chunk\n",
				        (ch->chunk_type == SCTP_SELECTIVE_ACK) ? "SCTP_SACK" : "SCTP_NR_SACK");
				break;
			}
			if (ch->chunk_type == SCTP_SELECTIVE_ACK) {
				if (chk_length < sizeof(struct sctp_sack_chunk)) {
					SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n");
					break;
				}
			} else {
				if (stcb->asoc.nrsack_supported == 0) {
					goto unknown_chunk;
				}
				if (chk_length < sizeof(struct sctp_nr_sack_chunk)) {
					SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR_SACK chunk, too small\n");
					break;
				}
			}
			if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
				/*-
				 * If we have sent a shutdown-ack, we will pay no
				 * attention to a sack sent in to us since
				 * we don't care anymore.
				 */
				break;
			}
			flags = ch->chunk_flags;
			if (ch->chunk_type == SCTP_SELECTIVE_ACK) {
				struct sctp_sack_chunk *sack;

				sack = (struct sctp_sack_chunk *)ch;
				cum_ack = ntohl(sack->sack.cum_tsn_ack);
				num_seg = ntohs(sack->sack.num_gap_ack_blks);
				num_nr_seg = 0;
				num_dup = ntohs(sack->sack.num_dup_tsns);
				a_rwnd = ntohl(sack->sack.a_rwnd);
				if (sizeof(struct sctp_sack_chunk) +
				    num_seg * sizeof(struct sctp_gap_ack_block) +
				    num_dup * sizeof(uint32_t) != chk_length) {
					SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n");
					break;
				}
				offset_seg = *offset + sizeof(struct sctp_sack_chunk);
				offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block);
			} else {
				struct sctp_nr_sack_chunk *nr_sack;

				nr_sack = (struct sctp_nr_sack_chunk *)ch;
				cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack);
				num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks);
				num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
				num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns);
				a_rwnd = ntohl(nr_sack->nr_sack.a_rwnd);
				if (sizeof(struct sctp_nr_sack_chunk) +
				    (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) +
				    num_dup * sizeof(uint32_t) != chk_length) {
					SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n");
					break;
				}
				offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk);
				offset_dup = offset_seg + (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block);
			}
			SCTPDBG(SCTP_DEBUG_INPUT3, "%s process cum_ack:%x num_seg:%d a_rwnd:%d\n",
				(ch->chunk_type == SCTP_SELECTIVE_ACK) ? "SCTP_SACK" : "SCTP_NR_SACK",
			        cum_ack, num_seg, a_rwnd);
			stcb->asoc.seen_a_sack_this_pkt = 1;
			if ((stcb->asoc.pr_sctp_cnt == 0) &&
			    (num_seg == 0) && (num_nr_seg == 0) &&
			    SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) &&
			    (stcb->asoc.saw_sack_with_frags == 0) &&
			    (stcb->asoc.saw_sack_with_nr_frags == 0) &&
			    (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) {
				/*
				 * We have a SIMPLE sack having no
				 * prior segments and data on sent
				 * queue to be acked. Use the
				 * faster path sack processing. We
				 * also allow window update sacks
				 * with no missing segments to go
				 * this way too.
				 */
				sctp_express_handle_sack(stcb, cum_ack, a_rwnd,
				                         &abort_now, ecne_seen);
			} else {
				if ((netp != NULL) && (*netp != NULL)) {
					sctp_handle_sack(m, offset_seg, offset_dup, stcb,
					                 num_seg, num_nr_seg, num_dup, &abort_now, flags,
					                 cum_ack, a_rwnd, ecne_seen);
				}
			}
			if (abort_now) {
				/* ABORT signal from sack processing */
				*offset = length;
				return (NULL);
			}
			if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
			    TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
			    (stcb->asoc.stream_queue_cnt == 0)) {
				sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb,  0, NULL, SCTP_SO_NOT_LOCKED);
			}
			break;
		}
		case SCTP_HEARTBEAT_REQUEST:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
			if ((stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
				SCTP_STAT_INCR(sctps_recvheartbeat);
				sctp_send_heartbeat_ack(stcb, m, *offset,
				                        chk_length, *netp);
			}
			break;
		case SCTP_HEARTBEAT_ACK:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT_ACK\n");
			if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
				/* Its not ours */
				break;
			}
			SCTP_STAT_INCR(sctps_recvheartbeatack);
			if ((netp != NULL) && (*netp != NULL)) {
				sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
				                          stcb, *netp);
			}
			break;
		case SCTP_ABORT_ASSOCIATION:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
				(void *)stcb);
			*offset = length;
			if ((stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
				if (sctp_handle_abort((struct sctp_abort_chunk *)ch, stcb, *netp)) {
					return (NULL);
				} else {
					return (stcb);
				}
			} else {
				return (NULL);
			}
			break;
		case SCTP_SHUTDOWN:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
				(void *)stcb);
			if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
				break;
			}
			if ((netp != NULL) && (*netp != NULL)) {
				abort_flag = 0;
				sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
				                     stcb, *netp, &abort_flag);
				if (abort_flag) {
					*offset = length;
					return (NULL);
				}
			}
			break;
		case SCTP_SHUTDOWN_ACK:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN_ACK, stcb %p\n", (void *)stcb);
			if ((chk_length == sizeof(struct sctp_shutdown_ack_chunk)) &&
			    (stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
				sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
				*offset = length;
				return (NULL);
			}
			break;
		case SCTP_OPERATION_ERROR:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP_ERR\n");
			if ((stcb != NULL) && (netp != NULL) && (*netp != NULL) &&
			    sctp_handle_error(ch, stcb, *netp, contiguous) < 0) {
				*offset = length;
				return (NULL);
			}
			break;
		case SCTP_COOKIE_ECHO:
			SCTPDBG(SCTP_DEBUG_INPUT3,
				"SCTP_COOKIE_ECHO, stcb %p\n", (void *)stcb);
			if ((stcb != NULL) && (stcb->asoc.total_output_queue_size > 0)) {
				;
			} else {
				if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
					/* We are not interested anymore */
				abend:
					if (stcb != NULL) {
						SCTP_TCB_UNLOCK(stcb);
					}
					*offset = length;
					return (NULL);
				}
			}
			/*-
			 * First are we accepting? We do this again here
			 * since it is possible that a previous endpoint WAS
			 * listening responded to a INIT-ACK and then
			 * closed. We opened and bound.. and are now no
			 * longer listening.
			 *
			 * XXXGL: notes on checking listen queue length.
			 * 1) SCTP_IS_LISTENING() doesn't necessarily mean
			 *    SOLISTENING(), because a listening "UDP type"
			 *    socket isn't listening in terms of the socket
			 *    layer.  It is a normal data flow socket, that
			 *    can fork off new connections.  Thus, we should
			 *    look into sol_qlen only in case we are !UDP.
			 * 2) Checking sol_qlen in general requires locking
			 *    the socket, and this code lacks that.
			 */
			if ((stcb == NULL) &&
			    (!SCTP_IS_LISTENING(inp) ||
			     (((inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) == 0) &&
#if defined(__FreeBSD__) && !defined(__Userspace__)
			      inp->sctp_socket->sol_qlen >= inp->sctp_socket->sol_qlimit))) {
#else
			      inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit))) {
#endif
				if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
				    (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) {
					op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
					sctp_abort_association(inp, stcb, m, iphlen,
					                       src, dst, sh, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
					                       mflowtype, mflowid,
#endif
					                       vrf_id, port);
				}
				*offset = length;
				return (NULL);
			} else {
				struct mbuf *ret_buf;
				struct sctp_inpcb *linp;
				struct sctp_tmit_chunk *chk;

				if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE |
				    SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
					goto abend;
				}

				if (stcb) {
					linp = NULL;
				} else {
					linp = inp;
				}

				if (linp != NULL) {
					SCTP_ASOC_CREATE_LOCK(linp);
				}

				if (netp != NULL) {
					struct sctp_tcb *locked_stcb;

					locked_stcb = stcb;
					ret_buf =
						sctp_handle_cookie_echo(m, iphlen,
						                        *offset,
						                        src, dst,
						                        sh,
						                        (struct sctp_cookie_echo_chunk *)ch,
						                        &inp, &stcb, netp,
						                        auth_skipped,
						                        auth_offset,
						                        auth_len,
						                        &locked_stcb,
#if defined(__FreeBSD__) && !defined(__Userspace__)
						                        mflowtype,
						                        mflowid,
#endif
						                        vrf_id,
						                        port);
					if ((locked_stcb != NULL) && (locked_stcb != stcb)) {
						SCTP_TCB_UNLOCK(locked_stcb);
					}
					if (stcb != NULL) {
						SCTP_TCB_LOCK_ASSERT(stcb);
					}
				} else {
					ret_buf = NULL;
				}
				if (linp != NULL) {
					SCTP_ASOC_CREATE_UNLOCK(linp);
				}
				if (ret_buf == NULL) {
					if (stcb != NULL) {
						SCTP_TCB_UNLOCK(stcb);
					}
					SCTPDBG(SCTP_DEBUG_INPUT3,
						"GAK, null buffer\n");
					*offset = length;
					return (NULL);
				}
				/* if AUTH skipped, see if it verified... */
				if (auth_skipped) {
					got_auth = 1;
					auth_skipped = 0;
				}
				/* Restart the timer if we have pending data */
				TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
					if (chk->whoTo != NULL) {
						break;
					}
				}
				if (chk != NULL) {
					sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
				}
			}
			break;
		case SCTP_COOKIE_ACK:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE_ACK, stcb %p\n", (void *)stcb);
			if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
				break;
			}
			if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
				/* We are not interested anymore */
				if ((stcb) && (stcb->asoc.total_output_queue_size)) {
					;
				} else if (stcb) {
#if defined(__APPLE__) && !defined(__Userspace__)
					so = SCTP_INP_SO(inp);
					atomic_add_int(&stcb->asoc.refcnt, 1);
					SCTP_TCB_UNLOCK(stcb);
					SCTP_SOCKET_LOCK(so, 1);
					SCTP_TCB_LOCK(stcb);
					atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
					(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
					                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_30);
#if defined(__APPLE__) && !defined(__Userspace__)
					SCTP_SOCKET_UNLOCK(so, 1);
#endif
					*offset = length;
					return (NULL);
				}
			}
			if ((netp != NULL) && (*netp != NULL)) {
				sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
			}
			break;
		case SCTP_ECN_ECHO:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN_ECHO\n");
			if (stcb == NULL) {
				break;
			}
			if (stcb->asoc.ecn_supported == 0) {
				goto unknown_chunk;
			}
			if ((chk_length != sizeof(struct sctp_ecne_chunk)) &&
			    (chk_length != sizeof(struct old_sctp_ecne_chunk))) {
				break;
			}
			sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, stcb);
			ecne_seen = 1;
			break;
		case SCTP_ECN_CWR:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN_CWR\n");
			if (stcb == NULL) {
				break;
			}
			if (stcb->asoc.ecn_supported == 0) {
				goto unknown_chunk;
			}
			if (chk_length != sizeof(struct sctp_cwr_chunk)) {
				break;
			}
			sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb, *netp);
			break;
		case SCTP_SHUTDOWN_COMPLETE:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN_COMPLETE, stcb %p\n", (void *)stcb);
			/* must be first and only chunk */
			if ((num_chunks > 1) ||
			    (length - *offset > (int)SCTP_SIZE32(chk_length))) {
				*offset = length;
				return (stcb);
			}
			if ((chk_length == sizeof(struct sctp_shutdown_complete_chunk)) &&
			    (stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
				sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
				                              stcb, *netp);
				*offset = length;
				return (NULL);
			}
			break;
		case SCTP_ASCONF:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
			if (stcb != NULL) {
				if (stcb->asoc.asconf_supported == 0) {
					goto unknown_chunk;
				}
				sctp_handle_asconf(m, *offset, src,
				                   (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
				asconf_cnt++;
			}
			break;
		case SCTP_ASCONF_ACK:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF_ACK\n");
			if (stcb == NULL) {
				break;
			}
			if (stcb->asoc.asconf_supported == 0) {
				goto unknown_chunk;
			}
			if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
				break;
			}
			if ((netp != NULL) && (*netp != NULL)) {
				/* He's alive so give him credit */
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
					sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
					               stcb->asoc.overall_error_count,
					               0,
					               SCTP_FROM_SCTP_INPUT,
					               __LINE__);
				}
				stcb->asoc.overall_error_count = 0;
				sctp_handle_asconf_ack(m, *offset,
				                       (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
				if (abort_no_unlock)
					return (NULL);
			}
			break;
		case SCTP_FORWARD_CUM_TSN:
		case SCTP_IFORWARD_CUM_TSN:
			SCTPDBG(SCTP_DEBUG_INPUT3, "%s\n",
				ch->chunk_type == SCTP_FORWARD_CUM_TSN ? "FORWARD_TSN" : "I_FORWARD_TSN");
			if (stcb == NULL) {
				break;
			}
			if (stcb->asoc.prsctp_supported == 0) {
				goto unknown_chunk;
			}
			if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
				break;
			}
			if (((stcb->asoc.idata_supported == 1) && (ch->chunk_type == SCTP_FORWARD_CUM_TSN)) ||
			    ((stcb->asoc.idata_supported == 0) && (ch->chunk_type == SCTP_IFORWARD_CUM_TSN))) {
				if (ch->chunk_type == SCTP_FORWARD_CUM_TSN) {
					SCTP_SNPRINTF(msg, sizeof(msg), "%s", "FORWARD-TSN chunk received when I-FORWARD-TSN was negotiated");
				} else {
					SCTP_SNPRINTF(msg, sizeof(msg), "%s", "I-FORWARD-TSN chunk received when FORWARD-TSN was negotiated");
				}
				op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
				sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
				*offset = length;
				return (NULL);
			}
			*fwd_tsn_seen = 1;
			if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
				/* We are not interested anymore */
#if defined(__APPLE__) && !defined(__Userspace__)
				so = SCTP_INP_SO(inp);
				atomic_add_int(&stcb->asoc.refcnt, 1);
				SCTP_TCB_UNLOCK(stcb);
				SCTP_SOCKET_LOCK(so, 1);
				SCTP_TCB_LOCK(stcb);
				atomic_subtract_int(&stcb->asoc.refcnt, 1);
#endif
				(void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
				                      SCTP_FROM_SCTP_INPUT + SCTP_LOC_31);
#if defined(__APPLE__) && !defined(__Userspace__)
				SCTP_SOCKET_UNLOCK(so, 1);
#endif
				*offset = length;
				return (NULL);
			}
			/*
			 * For sending a SACK this looks like DATA
			 * chunks.
			 */
			stcb->asoc.last_data_chunk_from = stcb->asoc.last_control_chunk_from;
			abort_flag = 0;
			sctp_handle_forward_tsn(stcb,
			                        (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
			if (abort_flag) {
				*offset = length;
				return (NULL);
			}
			break;
		case SCTP_STREAM_RESET:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
			if (stcb == NULL) {
				break;
			}
			if (stcb->asoc.reconfig_supported == 0) {
				goto unknown_chunk;
			}
			if (chk_length < sizeof(struct sctp_stream_reset_tsn_req)) {
				break;
			}
			if (sctp_handle_stream_reset(stcb, m, *offset, ch)) {
				/* stop processing */
				*offset = length;
				return (NULL);
			}
			break;
		case SCTP_PACKET_DROPPED:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
			if (stcb == NULL) {
				break;
			}
			if (stcb->asoc.pktdrop_supported == 0) {
				goto unknown_chunk;
			}
			if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
				break;
			}
			if ((netp != NULL) && (*netp != NULL)) {
				sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
				                           stcb, *netp,
				                           min(chk_length, contiguous));
			}
			break;
		case SCTP_AUTHENTICATION:
			SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
			if (stcb == NULL) {
				/* save the first AUTH for later processing */
				if (auth_skipped == 0) {
					auth_offset = *offset;
					auth_len = chk_length;
					auth_skipped = 1;
				}
				/* skip this chunk (temporarily) */
				break;
			}
			if (stcb->asoc.auth_supported == 0) {
				goto unknown_chunk;
			}
			if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
			    (chk_length > (sizeof(struct sctp_auth_chunk) +
			                  SCTP_AUTH_DIGEST_LEN_MAX))) {
				/* Its not ours */
				*offset = length;
				return (stcb);
			}
			if (got_auth == 1) {
				/* skip this chunk... it's already auth'd */
				break;
			}
			got_auth = 1;
			if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, m, *offset)) {
				/* auth HMAC failed so dump the packet */
				*offset = length;
				return (stcb);
			} else {
				/* remaining chunks are HMAC checked */
				stcb->asoc.authenticated = 1;
			}
			break;

		default:
		unknown_chunk:
			/* it's an unknown chunk! */
			if ((ch->chunk_type & 0x40) &&
			    (stcb != NULL) &&
			    (SCTP_GET_STATE(stcb) != SCTP_STATE_EMPTY) &&
			    (SCTP_GET_STATE(stcb) != SCTP_STATE_INUSE) &&
			    (SCTP_GET_STATE(stcb) != SCTP_STATE_COOKIE_WAIT)) {
				struct sctp_gen_error_cause *cause;
				int len;

				op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause),
				                               0, M_NOWAIT, 1, MT_DATA);
				if (op_err != NULL) {
					len = min(SCTP_SIZE32(chk_length), (uint32_t)(length - *offset));
					cause = mtod(op_err, struct sctp_gen_error_cause *);
					cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK);
					cause->length = htons((uint16_t)(len + sizeof(struct sctp_gen_error_cause)));
					SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
					SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, len, M_NOWAIT);
					if (SCTP_BUF_NEXT(op_err) != NULL) {
#ifdef SCTP_MBUF_LOGGING
						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
							sctp_log_mbc(SCTP_BUF_NEXT(op_err), SCTP_MBUF_ICOPY);
						}
#endif
						sctp_queue_op_err(stcb, op_err);
					} else {
						sctp_m_freem(op_err);
					}
				}
			}
			if ((ch->chunk_type & 0x80) == 0) {
				/* discard this packet */
				*offset = length;
				return (stcb);
			}	/* else skip this bad chunk and continue... */
			break;
		}		/* switch (ch->chunk_type) */

	next_chunk:
		/* get the next chunk */
		*offset += SCTP_SIZE32(chk_length);
		if (*offset >= length) {
			/* no more data left in the mbuf chain */
			break;
		}
		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
		                                           sizeof(struct sctp_chunkhdr), chunk_buf);
		if (ch == NULL) {
			*offset = length;
			return (stcb);
		}
	}			/* while */

	if ((asconf_cnt > 0) && (stcb != NULL)) {
		sctp_send_asconf_ack(stcb);
	}
	return (stcb);
}

/*
 * common input chunk processing (v4 and v6)
 */
void
sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, int length,
                             struct sockaddr *src, struct sockaddr *dst,
                             struct sctphdr *sh, struct sctp_chunkhdr *ch,
                             uint8_t compute_crc,
                             uint8_t ecn_bits,
#if defined(__FreeBSD__) && !defined(__Userspace__)
                             uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
#endif
                             uint32_t vrf_id, uint16_t port)
{
	uint32_t high_tsn;
	int fwd_tsn_seen = 0, data_processed = 0;
	struct mbuf *m = *mm, *op_err;
	char msg[SCTP_DIAG_INFO_LEN];
	int un_sent;
	int cnt_ctrl_ready = 0;
	struct sctp_inpcb *inp = NULL, *inp_decr = NULL;
	struct sctp_tcb *stcb = NULL;
	struct sctp_nets *net = NULL;
#if defined(__Userspace__)
	struct socket *upcall_socket = NULL;
#endif

	SCTP_STAT_INCR(sctps_recvdatagrams);
#ifdef SCTP_AUDITING_ENABLED
	sctp_audit_log(0xE0, 1);
	sctp_auditing(0, inp, stcb, net);
#endif
	if (compute_crc != 0) {
		uint32_t check, calc_check;

		check = sh->checksum;
		sh->checksum = 0;
		calc_check = sctp_calculate_cksum(m, iphlen);
		sh->checksum = check;
		if (calc_check != check) {
			SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x  m:%p mlen:%d iphlen:%d\n",
			        calc_check, check, (void *)m, length, iphlen);
			stcb = sctp_findassociation_addr(m, offset, src, dst,
			                                 sh, ch, &inp, &net, vrf_id);
#if defined(INET) || defined(INET6)
			if ((ch->chunk_type != SCTP_INITIATION) &&
			    (net != NULL) && (net->port != port)) {
				if (net->port == 0) {
					/* UDP encapsulation turned on. */
					net->mtu -= sizeof(struct udphdr);
					if (stcb->asoc.smallest_mtu > net->mtu) {
						sctp_pathmtu_adjustment(stcb, net->mtu, true);
					}
				} else if (port == 0) {
					/* UDP encapsulation turned off. */
					net->mtu += sizeof(struct udphdr);
					/* XXX Update smallest_mtu */
				}
				net->port = port;
			}
#endif
#if defined(__FreeBSD__) && !defined(__Userspace__)
			if (net != NULL) {
				net->flowtype = mflowtype;
				net->flowid = mflowid;
			}
			SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
#endif
			if ((inp != NULL) && (stcb != NULL)) {
				sctp_send_packet_dropped(stcb, net, m, length, iphlen, 1);
				sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
			} else if ((inp != NULL) && (stcb == NULL)) {
				inp_decr = inp;
			}
			SCTP_STAT_INCR(sctps_badsum);
			SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
			goto out;
		}
	}
	/* Destination port of 0 is illegal, based on RFC4960. */
	if (sh->dest_port == 0) {
		SCTP_STAT_INCR(sctps_hdrops);
		goto out;
	}
	stcb = sctp_findassociation_addr(m, offset, src, dst,
	                                 sh, ch, &inp, &net, vrf_id);
#if defined(INET) || defined(INET6)
	if ((ch->chunk_type != SCTP_INITIATION) &&
	    (net != NULL) && (net->port != port)) {
		if (net->port == 0) {
			/* UDP encapsulation turned on. */
			net->mtu -= sizeof(struct udphdr);
			if (stcb->asoc.smallest_mtu > net->mtu) {
				sctp_pathmtu_adjustment(stcb, net->mtu, true);
			}
		} else if (port == 0) {
			/* UDP encapsulation turned off. */
			net->mtu += sizeof(struct udphdr);
			/* XXX Update smallest_mtu */
		}
		net->port = port;
	}
#endif
#if defined(__FreeBSD__) && !defined(__Userspace__)
	if (net != NULL) {
		net->flowtype = mflowtype;
		net->flowid = mflowid;
	}
#endif
	if (inp == NULL) {
#if defined(__FreeBSD__) && !defined(__Userspace__)
		SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
#endif
		SCTP_STAT_INCR(sctps_noport);
#if defined(__FreeBSD__) && !defined(__Userspace__)
		if (badport_bandlim(BANDLIM_SCTP_OOTB) < 0) {
			goto out;
		}
#endif
		if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
			SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
			sctp_send_shutdown_complete2(src, dst, sh,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                             mflowtype, mflowid, fibnum,
#endif
			                             vrf_id, port);
			goto out;
		}
		if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
			SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
			goto out;
		}
		if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) {
			if ((SCTP_BASE_SYSCTL(sctp_blackhole) == 0) ||
			    ((SCTP_BASE_SYSCTL(sctp_blackhole) == 1) &&
			     (ch->chunk_type != SCTP_INIT))) {
				op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
				                             "Out of the blue");
				sctp_send_abort(m, iphlen, src, dst,
				                sh, 0, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
				                mflowtype, mflowid, fibnum,
#endif
				                vrf_id, port);
			}
		}
		goto out;
	} else if (stcb == NULL) {
		inp_decr = inp;
	}
	SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
		(void *)m, iphlen, offset, length, (void *)stcb);
	if (stcb) {
		/* always clear this before beginning a packet */
		stcb->asoc.authenticated = 0;
		stcb->asoc.seen_a_sack_this_pkt = 0;
		SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
			(void *)stcb, stcb->asoc.state);

		if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
		    (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
			/*-
			 * If we hit here, we had a ref count
			 * up when the assoc was aborted and the
			 * timer is clearing out the assoc, we should
			 * NOT respond to any packet.. its OOTB.
			 */
			SCTP_TCB_UNLOCK(stcb);
			stcb = NULL;
#if defined(__FreeBSD__) && !defined(__Userspace__)
			SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
#endif
			SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             msg);
			sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                 mflowtype, mflowid, inp->fibnum,
#endif
			                 vrf_id, port);
			goto out;
		}
	}
#if defined(__Userspace__)
	if ((stcb != NULL) &&
	    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) == 0) &&
	    (stcb->sctp_socket != NULL)) {
		if (stcb->sctp_socket->so_head != NULL) {
			upcall_socket = stcb->sctp_socket->so_head;
		} else {
			upcall_socket = stcb->sctp_socket;
		}
		SOCK_LOCK(upcall_socket);
		soref(upcall_socket);
		SOCK_UNLOCK(upcall_socket);
	}
#endif
	if (IS_SCTP_CONTROL(ch)) {
		/* process the control portion of the SCTP packet */
		/* sa_ignore NO_NULL_CHK */
		stcb = sctp_process_control(m, iphlen, &offset, length,
		                            src, dst, sh, ch,
		                            inp, stcb, &net, &fwd_tsn_seen,
#if defined(__FreeBSD__) && !defined(__Userspace__)
		                            mflowtype, mflowid, fibnum,
#endif
		                            vrf_id, port);
		if (stcb) {
			/* This covers us if the cookie-echo was there
			 * and it changes our INP.
			 */
			inp = stcb->sctp_ep;
#if defined(INET) || defined(INET6)
			if ((ch->chunk_type != SCTP_INITIATION) &&
			    (net != NULL) && (net->port != port)) {
				if (net->port == 0) {
					/* UDP encapsulation turned on. */
					net->mtu -= sizeof(struct udphdr);
					if (stcb->asoc.smallest_mtu > net->mtu) {
						sctp_pathmtu_adjustment(stcb, net->mtu, true);
					}
				} else if (port == 0) {
					/* UDP encapsulation turned off. */
					net->mtu += sizeof(struct udphdr);
					/* XXX Update smallest_mtu */
				}
				net->port = port;
			}
#endif
		}
	} else {
		/*
		 * no control chunks, so pre-process DATA chunks (these
		 * checks are taken care of by control processing)
		 */

		/*
		 * if DATA only packet, and auth is required, then punt...
		 * can't have authenticated without any AUTH (control)
		 * chunks
		 */
		if ((stcb != NULL) &&
		    sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
			/* "silently" ignore */
#if defined(__FreeBSD__) && !defined(__Userspace__)
			SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
#endif
			SCTP_STAT_INCR(sctps_recvauthmissing);
			goto out;
		}
		if (stcb == NULL) {
			/* out of the blue DATA chunk */
#if defined(__FreeBSD__) && !defined(__Userspace__)
			SCTP_PROBE5(receive, NULL, NULL, m, NULL, sh);
#endif
			SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             msg);
			sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                 mflowtype, mflowid, fibnum,
#endif
					 vrf_id, port);
			goto out;
		}
		if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
			/* v_tag mismatch! */
#if defined(__FreeBSD__) && !defined(__Userspace__)
			SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
#endif
			SCTP_STAT_INCR(sctps_badvtag);
			goto out;
		}
	}

#if defined(__FreeBSD__) && !defined(__Userspace__)
	SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
#endif
	if (stcb == NULL) {
		/*
		 * no valid TCB for this packet, or we found it's a bad
		 * packet while processing control, or we're done with this
		 * packet (done or skip rest of data), so we drop it...
		 */
		goto out;
	}
#if defined(__Userspace__)
	if ((upcall_socket == NULL) &&
	    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) == 0) &&
	    (stcb->sctp_socket != NULL)) {
		if (stcb->sctp_socket->so_head != NULL) {
			upcall_socket = stcb->sctp_socket->so_head;
		} else {
			upcall_socket = stcb->sctp_socket;
		}
		SOCK_LOCK(upcall_socket);
		soref(upcall_socket);
		SOCK_UNLOCK(upcall_socket);
	}
#endif

	/*
	 * DATA chunk processing
	 */
	/* plow through the data chunks while length > offset */

	/*
	 * Rest should be DATA only.  Check authentication state if AUTH for
	 * DATA is required.
	 */
	if ((length > offset) &&
	    (stcb != NULL) &&
	    sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
	    !stcb->asoc.authenticated) {
		/* "silently" ignore */
		SCTP_STAT_INCR(sctps_recvauthmissing);
		SCTPDBG(SCTP_DEBUG_AUTH1,
			"Data chunk requires AUTH, skipped\n");
		goto trigger_send;
	}
	if (length > offset) {
		int retval;

		/*
		 * First check to make sure our state is correct. We would
		 * not get here unless we really did have a tag, so we don't
		 * abort if this happens, just dump the chunk silently.
		 */
		switch (SCTP_GET_STATE(stcb)) {
		case SCTP_STATE_COOKIE_ECHOED:
			/*
			 * we consider data with valid tags in this state
			 * shows us the cookie-ack was lost. Imply it was
			 * there.
			 */
			sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
			break;
		case SCTP_STATE_COOKIE_WAIT:
			/*
			 * We consider OOTB any data sent during asoc setup.
			 */
			SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             msg);
			sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
#if defined(__FreeBSD__) && !defined(__Userspace__)
			                 mflowtype, mflowid, inp->fibnum,
#endif
					 vrf_id, port);
			goto out;
			/*sa_ignore NOTREACHED*/
			break;
		case SCTP_STATE_EMPTY:	/* should not happen */
		case SCTP_STATE_INUSE:	/* should not happen */
		case SCTP_STATE_SHUTDOWN_RECEIVED:	/* This is a peer error */
		case SCTP_STATE_SHUTDOWN_ACK_SENT:
		default:
			goto out;
			/*sa_ignore NOTREACHED*/
			break;
		case SCTP_STATE_OPEN:
		case SCTP_STATE_SHUTDOWN_SENT:
			break;
		}
		/* plow through the data chunks while length > offset */
		retval = sctp_process_data(mm, iphlen, &offset, length,
		                           inp, stcb, net, &high_tsn);
		if (retval == 2) {
			/*
			 * The association aborted, NO UNLOCK needed since
			 * the association is destroyed.
			 */
			stcb = NULL;
			goto out;
		}
		if (retval == 0) {
			data_processed = 1;
		}
		/*
		 * Anything important needs to have been m_copy'ed in
		 * process_data
		 */
	}

	/* take care of ecn */
	if ((data_processed == 1) &&
	    (stcb->asoc.ecn_supported == 1) &&
	    ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)) {
		/* Yep, we need to add a ECNE */
		sctp_send_ecn_echo(stcb, net, high_tsn);
	}

	if ((data_processed == 0) && (fwd_tsn_seen)) {
		int was_a_gap;
		uint32_t highest_tsn;

		if (SCTP_TSN_GT(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map)) {
			highest_tsn = stcb->asoc.highest_tsn_inside_nr_map;
		} else {
			highest_tsn = stcb->asoc.highest_tsn_inside_map;
		}
		was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
		stcb->asoc.send_sack = 1;
		sctp_sack_check(stcb, was_a_gap);
	} else if (fwd_tsn_seen) {
		stcb->asoc.send_sack = 1;
	}
	/* trigger send of any chunks in queue... */
trigger_send:
#ifdef SCTP_AUDITING_ENABLED
	sctp_audit_log(0xE0, 2);
	sctp_auditing(1, inp, stcb, net);
#endif
	SCTPDBG(SCTP_DEBUG_INPUT1,
		"Check for chunk output prw:%d tqe:%d tf=%d\n",
		stcb->asoc.peers_rwnd,
		TAILQ_EMPTY(&stcb->asoc.control_send_queue),
		stcb->asoc.total_flight);
	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
	if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
		cnt_ctrl_ready = stcb->asoc.ctrl_queue_cnt - stcb->asoc.ecn_echo_cnt_onq;
	}
	if (!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue) ||
	    cnt_ctrl_ready ||
	    stcb->asoc.trigger_reset ||
	    ((un_sent > 0) &&
	     (stcb->asoc.peers_rwnd > 0 || stcb->asoc.total_flight == 0))) {
		SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
		SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
	}
#ifdef SCTP_AUDITING_ENABLED
	sctp_audit_log(0xE0, 3);
	sctp_auditing(2, inp, stcb, net);
#endif
 out:
	if (stcb != NULL) {
		SCTP_TCB_UNLOCK(stcb);
	}
#if defined(__Userspace__)
	if (upcall_socket != NULL) {
		if (upcall_socket->so_upcall != NULL) {
			if (soreadable(upcall_socket) ||
			    sowriteable(upcall_socket) ||
			    upcall_socket->so_error) {
				(*upcall_socket->so_upcall)(upcall_socket, upcall_socket->so_upcallarg, M_NOWAIT);
			}
		}
		ACCEPT_LOCK();
		SOCK_LOCK(upcall_socket);
		sorele(upcall_socket);
	}
#endif
	if (inp_decr != NULL) {
		/* reduce ref-count */
		SCTP_INP_WLOCK(inp_decr);
		SCTP_INP_DECR_REF(inp_decr);
		SCTP_INP_WUNLOCK(inp_decr);
	}
	return;
}

#ifdef INET
#if !defined(__Userspace__)
void
sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port)
{
	struct mbuf *m;
	int iphlen;
	uint32_t vrf_id = 0;
	uint8_t ecn_bits;
	struct sockaddr_in src, dst;
	struct ip *ip;
	struct sctphdr *sh;
	struct sctp_chunkhdr *ch;
	int length, offset;
	uint8_t compute_crc;
#if defined(__FreeBSD__) && !defined(__Userspace__)
	uint32_t mflowid;
	uint8_t mflowtype;
	uint16_t fibnum;
#endif
#if defined(__Userspace__)
	uint16_t port = 0;
#endif

	iphlen = off;
	if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
		SCTP_RELEASE_PKT(i_pak);
		return;
	}
	m = SCTP_HEADER_TO_CHAIN(i_pak);
#ifdef SCTP_MBUF_LOGGING
	/* Log in any input mbufs */
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
		sctp_log_mbc(m, SCTP_MBUF_INPUT);
	}
#endif
#ifdef SCTP_PACKET_LOGGING
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
		sctp_packet_log(m);
	}
#endif
#if defined(__FreeBSD__) && !defined(__Userspace__)
	SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
	        "sctp_input(): Packet of length %d received on %s with csum_flags 0x%b.\n",
	        m->m_pkthdr.len,
	        if_name(m->m_pkthdr.rcvif),
	        (int)m->m_pkthdr.csum_flags, CSUM_BITS);
#endif
#if defined(__APPLE__) && !defined(__Userspace__)
	SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
	        "sctp_input(): Packet of length %d received on %s%d with csum_flags 0x%x.\n",
	        m->m_pkthdr.len,
	        m->m_pkthdr.rcvif->if_name,
	        m->m_pkthdr.rcvif->if_unit,
	        m->m_pkthdr.csum_flags);
#endif
#if defined(_WIN32) && !defined(__Userspace__)
	SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
	        "sctp_input(): Packet of length %d received on %s with csum_flags 0x%x.\n",
	        m->m_pkthdr.len,
	        m->m_pkthdr.rcvif->if_xname,
	        m->m_pkthdr.csum_flags);
#endif
#if defined(__FreeBSD__) && !defined(__Userspace__)
	mflowid = m->m_pkthdr.flowid;
	mflowtype = M_HASHTYPE_GET(m);
	fibnum = M_GETFIB(m);
#endif
	SCTP_STAT_INCR(sctps_recvpackets);
	SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
	/* Get IP, SCTP, and first chunk header together in the first mbuf. */
	offset = iphlen + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
	if (SCTP_BUF_LEN(m) < offset) {
		if ((m = m_pullup(m, offset)) == NULL) {
			SCTP_STAT_INCR(sctps_hdrops);
			return;
		}
	}
	ip = mtod(m, struct ip *);
	sh = (struct sctphdr *)((caddr_t)ip + iphlen);
	ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(struct sctphdr));
	offset -= sizeof(struct sctp_chunkhdr);
	memset(&src, 0, sizeof(struct sockaddr_in));
	src.sin_family = AF_INET;
#ifdef HAVE_SIN_LEN
	src.sin_len = sizeof(struct sockaddr_in);
#endif
	src.sin_port = sh->src_port;
	src.sin_addr = ip->ip_src;
	memset(&dst, 0, sizeof(struct sockaddr_in));
	dst.sin_family = AF_INET;
#ifdef HAVE_SIN_LEN
	dst.sin_len = sizeof(struct sockaddr_in);
#endif
	dst.sin_port = sh->dest_port;
	dst.sin_addr = ip->ip_dst;
#if defined(_WIN32) && !defined(__Userspace__)
	NTOHS(ip->ip_len);
#endif
#if defined(__linux__) || (defined(_WIN32) && defined(__Userspace__))
	ip->ip_len = ntohs(ip->ip_len);
#endif
#if defined(__Userspace__)
#if defined(__linux__) || defined(_WIN32)
	length = ip->ip_len;
#else
	length = ip->ip_len + iphlen;
#endif
#elif defined(__FreeBSD__)
	length = ntohs(ip->ip_len);
#elif defined(__APPLE__)
	length = ip->ip_len + iphlen;
#else
	length = ip->ip_len;
#endif
	/* Validate mbuf chain length with IP payload length. */
	if (SCTP_HEADER_LEN(m) != length) {
		SCTPDBG(SCTP_DEBUG_INPUT1,
		        "sctp_input() length:%d reported length:%d\n", length, SCTP_HEADER_LEN(m));
		SCTP_STAT_INCR(sctps_hdrops);
		goto out;
	}
	/* SCTP does not allow broadcasts or multicasts */
	if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) {
		goto out;
	}
	if (SCTP_IS_IT_BROADCAST(dst.sin_addr, m)) {
		goto out;
	}
	ecn_bits = ip->ip_tos;
#if defined(__FreeBSD__) && !defined(__Userspace__)
	if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) {
		SCTP_STAT_INCR(sctps_recvhwcrc);
		compute_crc = 0;
	} else {
#else
	if (SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
	    ((src.sin_addr.s_addr == dst.sin_addr.s_addr) ||
	     (SCTP_IS_IT_LOOPBACK(m)))) {
		SCTP_STAT_INCR(sctps_recvhwcrc);
		compute_crc = 0;
	} else {
#endif
		SCTP_STAT_INCR(sctps_recvswcrc);
		compute_crc = 1;
	}
	sctp_common_input_processing(&m, iphlen, offset, length,
	                             (struct sockaddr *)&src,
	                             (struct sockaddr *)&dst,
	                             sh, ch,
	                             compute_crc,
	                             ecn_bits,
#if defined(__FreeBSD__) && !defined(__Userspace__)
	                             mflowtype, mflowid, fibnum,
#endif
	                             vrf_id, port);
 out:
	if (m) {
		sctp_m_freem(m);
	}
	return;
}

#if defined(__FreeBSD__) && !defined(__Userspace__)
#if defined(SCTP_MCORE_INPUT) && defined(SMP)
extern int *sctp_cpuarry;
#endif
#endif

#if defined(__FreeBSD__) && !defined(__Userspace__)
int
sctp_input(struct mbuf **mp, int *offp, int proto SCTP_UNUSED)
{
	struct mbuf *m;
	int off;

	m = *mp;
	off = *offp;
#else
void
sctp_input(struct mbuf *m, int off)
{
#endif
#if defined(__FreeBSD__) && !defined(__Userspace__)
#if defined(SCTP_MCORE_INPUT) && defined(SMP)
	if (mp_ncpus > 1) {
		struct ip *ip;
		struct sctphdr *sh;
		int offset;
		int cpu_to_use;
		uint32_t flowid, tag;

		if (M_HASHTYPE_GET(m) != M_HASHTYPE_NONE) {
			flowid = m->m_pkthdr.flowid;
		} else {
			/* No flow id built by lower layers
			 * fix it so we create one.
			 */
			offset = off + sizeof(struct sctphdr);
			if (SCTP_BUF_LEN(m) < offset) {
				if ((m = m_pullup(m, offset)) == NULL) {
					SCTP_STAT_INCR(sctps_hdrops);
					return (IPPROTO_DONE);
				}
			}
			ip = mtod(m, struct ip *);
			sh = (struct sctphdr *)((caddr_t)ip + off);
			tag = htonl(sh->v_tag);
			flowid = tag ^ ntohs(sh->dest_port) ^ ntohs(sh->src_port);
			m->m_pkthdr.flowid = flowid;
			M_HASHTYPE_SET(m, M_HASHTYPE_OPAQUE_HASH);
		}
		cpu_to_use = sctp_cpuarry[flowid % mp_ncpus];
		sctp_queue_to_mcore(m, off, cpu_to_use);
		return (IPPROTO_DONE);
	}
#endif
#endif
	sctp_input_with_port(m, off, 0);
#if defined(__FreeBSD__) && !defined(__Userspace__)
	return (IPPROTO_DONE);
#endif
}
#endif
#endif