1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25 
  26 #include <sys/types.h>
  27 #include <sys/systm.h>
  28 #include <sys/stream.h>
  29 #include <sys/cmn_err.h>
  30 #include <sys/kmem.h>
  31 #define _SUN_TPI_VERSION 2
  32 #include <sys/tihdr.h>
  33 #include <sys/stropts.h>
  34 #include <sys/socket.h>
  35 #include <sys/random.h>
  36 #include <sys/policy.h>
  37 #include <sys/tsol/tndb.h>
  38 #include <sys/tsol/tnet.h>
  39 
  40 #include <netinet/in.h>
  41 #include <netinet/ip6.h>
  42 
  43 #include <inet/common.h>
  44 #include <inet/ip.h>
  45 #include <inet/ip6.h>
  46 #include <inet/ipclassifier.h>
  47 #include "sctp_impl.h"
  48 #include "sctp_asconf.h"
  49 #include "sctp_addr.h"
  50 
  51 /*
  52  * Minimum number of associations which can be created per listener.  Used
  53  * when the listener association count is in effect.
  54  */
  55 static uint32_t sctp_min_assoc_listener = 2;
  56 
  57 /*
  58  * Returns 0 on success, EACCES on permission failure.
  59  */
  60 static int
  61 sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
  62 {
  63         sctp_stack_t    *sctps = sctp->sctp_sctps;
  64         conn_t          *connp = sctp->sctp_connp;
  65 
  66         /*
  67          * Get a valid port (within the anonymous range and should not
  68          * be a privileged one) to use if the user has not given a port.
  69          * If multiple threads are here, they may all start with
  70          * with the same initial port. But, it should be fine as long as
  71          * sctp_bindi will ensure that no two threads will be assigned
  72          * the same port.
  73          */
  74         if (*requested_port == 0) {
  75                 *requested_port = sctp_update_next_port(
  76                     sctps->sctps_next_port_to_try,
  77                     crgetzone(connp->conn_cred), sctps);
  78                 if (*requested_port == 0)
  79                         return (EACCES);
  80                 *user_specified = 0;
  81         } else {
  82                 int i;
  83                 boolean_t priv = B_FALSE;
  84 
  85                 /*
  86                  * If the requested_port is in the well-known privileged range,
  87                  * verify that the stream was opened by a privileged user.
  88                  * Note: No locks are held when inspecting sctp_g_*epriv_ports
  89                  * but instead the code relies on:
  90                  * - the fact that the address of the array and its size never
  91                  *   changes
  92                  * - the atomic assignment of the elements of the array
  93                  */
  94                 if (*requested_port < sctps->sctps_smallest_nonpriv_port) {
  95                         priv = B_TRUE;
  96                 } else {
  97                         for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
  98                                 if (*requested_port ==
  99                                     sctps->sctps_g_epriv_ports[i]) {
 100                                         priv = B_TRUE;
 101                                         break;
 102                                 }
 103                         }
 104                 }
 105                 if (priv) {
 106                         /*
 107                          * sctp_bind() should take a cred_t argument so that
 108                          * we can use it here.
 109                          */
 110                         if (secpolicy_net_privaddr(connp->conn_cred,
 111                             *requested_port, IPPROTO_SCTP) != 0) {
 112                                 dprint(1,
 113                                     ("sctp_bind(x): no prive for port %d",
 114                                     *requested_port));
 115                                 return (EACCES);
 116                         }
 117                 }
 118                 *user_specified = 1;
 119         }
 120 
 121         return (0);
 122 }
 123 
 124 int
 125 sctp_listen(sctp_t *sctp)
 126 {
 127         sctp_tf_t       *tf;
 128         sctp_stack_t    *sctps = sctp->sctp_sctps;
 129         conn_t          *connp = sctp->sctp_connp;
 130 
 131         RUN_SCTP(sctp);
 132         /*
 133          * TCP handles listen() increasing the backlog, need to check
 134          * if it should be handled here too
 135          */
 136         if (sctp->sctp_state > SCTPS_BOUND ||
 137             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
 138                 WAKE_SCTP(sctp);
 139                 return (EINVAL);
 140         }
 141 
 142         /* Do an anonymous bind for unbound socket doing listen(). */
 143         if (sctp->sctp_nsaddrs == 0) {
 144                 struct sockaddr_storage ss;
 145                 int ret;
 146 
 147                 bzero(&ss, sizeof (ss));
 148                 ss.ss_family = connp->conn_family;
 149 
 150                 WAKE_SCTP(sctp);
 151                 if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
 152                     sizeof (ss))) != 0)
 153                         return (ret);
 154                 RUN_SCTP(sctp)
 155         }
 156 
 157         /* Cache things in the ixa without any refhold */
 158         ASSERT(!(connp->conn_ixa->ixa_free_flags & IXA_FREE_CRED));
 159         connp->conn_ixa->ixa_cred = connp->conn_cred;
 160         connp->conn_ixa->ixa_cpid = connp->conn_cpid;
 161         if (is_system_labeled())
 162                 connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
 163 
 164         sctp->sctp_state = SCTPS_LISTEN;
 165         (void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
 166         sctp->sctp_last_secret_update = ddi_get_lbolt64();
 167         bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
 168 
 169         /*
 170          * If there is an association limit, allocate and initialize
 171          * the counter struct.  Note that since listen can be called
 172          * multiple times, the struct may have been allready allocated.
 173          */
 174         if (!list_is_empty(&sctps->sctps_listener_conf) &&
 175             sctp->sctp_listen_cnt == NULL) {
 176                 sctp_listen_cnt_t *slc;
 177                 uint32_t ratio;
 178 
 179                 ratio = sctp_find_listener_conf(sctps,
 180                     ntohs(connp->conn_lport));
 181                 if (ratio != 0) {
 182                         uint32_t mem_ratio, tot_buf;
 183 
 184                         slc = kmem_alloc(sizeof (sctp_listen_cnt_t), KM_SLEEP);
 185                         /*
 186                          * Calculate the connection limit based on
 187                          * the configured ratio and maxusers.  Maxusers
 188                          * are calculated based on memory size,
 189                          * ~ 1 user per MB.  Note that the conn_rcvbuf
 190                          * and conn_sndbuf may change after a
 191                          * connection is accepted.  So what we have
 192                          * is only an approximation.
 193                          */
 194                         if ((tot_buf = connp->conn_rcvbuf +
 195                             connp->conn_sndbuf) < MB) {
 196                                 mem_ratio = MB / tot_buf;
 197                                 slc->slc_max = maxusers / ratio * mem_ratio;
 198                         } else {
 199                                 mem_ratio = tot_buf / MB;
 200                                 slc->slc_max = maxusers / ratio / mem_ratio;
 201                         }
 202                         /* At least we should allow some associations! */
 203                         if (slc->slc_max < sctp_min_assoc_listener)
 204                                 slc->slc_max = sctp_min_assoc_listener;
 205                         slc->slc_cnt = 1;
 206                         slc->slc_drop = 0;
 207                         sctp->sctp_listen_cnt = slc;
 208                 }
 209         }
 210 
 211 
 212         tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
 213             ntohs(connp->conn_lport))];
 214         sctp_listen_hash_insert(tf, sctp);
 215 
 216         WAKE_SCTP(sctp);
 217         return (0);
 218 }
 219 
 220 /*
 221  * Bind the sctp_t to a sockaddr, which includes an address and other
 222  * information, such as port or flowinfo.
 223  */
 224 int
 225 sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
 226 {
 227         int             user_specified;
 228         boolean_t       bind_to_req_port_only;
 229         in_port_t       requested_port;
 230         in_port_t       allocated_port;
 231         int             err = 0;
 232         conn_t          *connp = sctp->sctp_connp;
 233         uint_t          scope_id;
 234         sin_t           *sin;
 235         sin6_t          *sin6;
 236 
 237         ASSERT(sctp != NULL);
 238 
 239         RUN_SCTP(sctp);
 240 
 241         if ((sctp->sctp_state >= SCTPS_BOUND) ||
 242             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING) ||
 243             (sa == NULL || len == 0)) {
 244                 /*
 245                  * Multiple binds not allowed for any SCTP socket
 246                  * Also binding with null address is not supported.
 247                  */
 248                 err = EINVAL;
 249                 goto done;
 250         }
 251 
 252         switch (sa->sa_family) {
 253         case AF_INET:
 254                 sin = (sin_t *)sa;
 255                 if (len < sizeof (struct sockaddr_in) ||
 256                     connp->conn_family == AF_INET6) {
 257                         err = EINVAL;
 258                         goto done;
 259                 }
 260                 requested_port = ntohs(sin->sin_port);
 261                 break;
 262         case AF_INET6:
 263                 sin6 = (sin6_t *)sa;
 264                 if (len < sizeof (struct sockaddr_in6) ||
 265                     connp->conn_family == AF_INET) {
 266                         err = EINVAL;
 267                         goto done;
 268                 }
 269                 requested_port = ntohs(sin6->sin6_port);
 270                 /* Set the flowinfo. */
 271                 connp->conn_flowinfo =
 272                     sin6->sin6_flowinfo & ~IPV6_VERS_AND_FLOW_MASK;
 273 
 274                 scope_id = sin6->sin6_scope_id;
 275                 if (scope_id != 0 && IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr)) {
 276                         connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
 277                         connp->conn_ixa->ixa_scopeid = scope_id;
 278                         connp->conn_incoming_ifindex = scope_id;
 279                 } else {
 280                         connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
 281                         connp->conn_incoming_ifindex = connp->conn_bound_if;
 282                 }
 283                 break;
 284         default:
 285                 err = EAFNOSUPPORT;
 286                 goto done;
 287         }
 288         bind_to_req_port_only = requested_port == 0 ? B_FALSE : B_TRUE;
 289 
 290         err = sctp_select_port(sctp, &requested_port, &user_specified);
 291         if (err != 0)
 292                 goto done;
 293 
 294         if ((err = sctp_bind_add(sctp, sa, 1, B_TRUE,
 295             user_specified == 1 ? htons(requested_port) : 0)) != 0) {
 296                 goto done;
 297         }
 298         err = sctp_bindi(sctp, requested_port, bind_to_req_port_only,
 299             user_specified, &allocated_port);
 300         if (err != 0) {
 301                 sctp_free_saddrs(sctp);
 302         } else {
 303                 ASSERT(sctp->sctp_state == SCTPS_BOUND);
 304         }
 305 done:
 306         WAKE_SCTP(sctp);
 307         return (err);
 308 }
 309 
 310 /*
 311  * Perform bind/unbind operation of a list of addresses on a sctp_t
 312  */
 313 int
 314 sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop)
 315 {
 316         ASSERT(sctp != NULL);
 317         ASSERT(addrs != NULL);
 318         ASSERT(addrcnt > 0);
 319 
 320         switch (bindop) {
 321         case SCTP_BINDX_ADD_ADDR:
 322                 return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE,
 323                     sctp->sctp_connp->conn_lport));
 324         case SCTP_BINDX_REM_ADDR:
 325                 return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE));
 326         default:
 327                 return (EINVAL);
 328         }
 329 }
 330 
 331 /*
 332  * Add a list of addresses to a sctp_t.
 333  */
 334 int
 335 sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
 336     boolean_t caller_hold_lock, in_port_t port)
 337 {
 338         int             err = 0;
 339         boolean_t       do_asconf = B_FALSE;
 340         sctp_stack_t    *sctps = sctp->sctp_sctps;
 341         conn_t          *connp = sctp->sctp_connp;
 342 
 343         if (!caller_hold_lock)
 344                 RUN_SCTP(sctp);
 345 
 346         if (sctp->sctp_state > SCTPS_ESTABLISHED ||
 347             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
 348                 if (!caller_hold_lock)
 349                         WAKE_SCTP(sctp);
 350                 return (EINVAL);
 351         }
 352 
 353         if (sctp->sctp_state > SCTPS_LISTEN) {
 354                 /*
 355                  * Let's do some checking here rather than undoing the
 356                  * add later (for these reasons).
 357                  */
 358                 if (!sctps->sctps_addip_enabled ||
 359                     !sctp->sctp_understands_asconf ||
 360                     !sctp->sctp_understands_addip) {
 361                         if (!caller_hold_lock)
 362                                 WAKE_SCTP(sctp);
 363                         return (EINVAL);
 364                 }
 365                 do_asconf = B_TRUE;
 366         }
 367         /*
 368          * On a clustered node, for an inaddr_any bind, we will pass the list
 369          * of all the addresses in the global list, minus any address on the
 370          * loopback interface, and expect the clustering susbsystem to give us
 371          * the correct list for the 'port'. For explicit binds we give the
 372          * list of addresses  and the clustering module validates it for the
 373          * 'port'.
 374          *
 375          * On a non-clustered node, cl_sctp_check_addrs will be NULL and
 376          * we proceed as usual.
 377          */
 378         if (cl_sctp_check_addrs != NULL) {
 379                 uchar_t         *addrlist = NULL;
 380                 size_t          size = 0;
 381                 int             unspec = 0;
 382                 boolean_t       do_listen;
 383                 uchar_t         *llist = NULL;
 384                 size_t          lsize = 0;
 385 
 386                 /*
 387                  * If we are adding addresses after listening, but before
 388                  * an association is established, we need to update the
 389                  * clustering module with this info.
 390                  */
 391                 do_listen = !do_asconf && sctp->sctp_state > SCTPS_BOUND &&
 392                     cl_sctp_listen != NULL;
 393 
 394                 err = sctp_get_addrlist(sctp, addrs, &addrcnt, &addrlist,
 395                     &unspec, &size);
 396                 if (err != 0) {
 397                         ASSERT(addrlist == NULL);
 398                         ASSERT(addrcnt == 0);
 399                         ASSERT(size == 0);
 400                         if (!caller_hold_lock)
 401                                 WAKE_SCTP(sctp);
 402                         SCTP_KSTAT(sctps, sctp_cl_check_addrs);
 403                         return (err);
 404                 }
 405                 ASSERT(addrlist != NULL);
 406                 (*cl_sctp_check_addrs)(connp->conn_family, port, &addrlist,
 407                     size, &addrcnt, unspec == 1);
 408                 if (addrcnt == 0) {
 409                         /* We free the list */
 410                         kmem_free(addrlist, size);
 411                         if (!caller_hold_lock)
 412                                 WAKE_SCTP(sctp);
 413                         return (EINVAL);
 414                 }
 415                 if (do_listen) {
 416                         lsize = sizeof (in6_addr_t) * addrcnt;
 417                         llist = kmem_alloc(lsize, KM_SLEEP);
 418                 }
 419                 err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist,
 420                     lsize);
 421                 if (err == 0 && do_listen) {
 422                         (*cl_sctp_listen)(connp->conn_family, llist,
 423                             addrcnt, connp->conn_lport);
 424                         /* list will be freed by the clustering module */
 425                 } else if (err != 0 && llist != NULL) {
 426                         kmem_free(llist, lsize);
 427                 }
 428                 /* free the list we allocated */
 429                 kmem_free(addrlist, size);
 430         } else {
 431                 err = sctp_valid_addr_list(sctp, addrs, addrcnt, NULL, 0);
 432         }
 433         if (err != 0) {
 434                 if (!caller_hold_lock)
 435                         WAKE_SCTP(sctp);
 436                 return (err);
 437         }
 438         /* Need to send  ASCONF messages */
 439         if (do_asconf) {
 440                 err = sctp_add_ip(sctp, addrs, addrcnt);
 441                 if (err != 0) {
 442                         sctp_del_saddr_list(sctp, addrs, addrcnt, B_FALSE);
 443                         if (!caller_hold_lock)
 444                                 WAKE_SCTP(sctp);
 445                         return (err);
 446                 }
 447         }
 448         if (!caller_hold_lock)
 449                 WAKE_SCTP(sctp);
 450         return (0);
 451 }
 452 
 453 /*
 454  * Remove one or more addresses bound to the sctp_t.
 455  */
 456 int
 457 sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
 458     boolean_t caller_hold_lock)
 459 {
 460         int             error = 0;
 461         boolean_t       do_asconf = B_FALSE;
 462         uchar_t         *ulist = NULL;
 463         size_t          usize = 0;
 464         sctp_stack_t    *sctps = sctp->sctp_sctps;
 465         conn_t          *connp = sctp->sctp_connp;
 466 
 467         if (!caller_hold_lock)
 468                 RUN_SCTP(sctp);
 469 
 470         if (sctp->sctp_state > SCTPS_ESTABLISHED ||
 471             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
 472                 if (!caller_hold_lock)
 473                         WAKE_SCTP(sctp);
 474                 return (EINVAL);
 475         }
 476         /*
 477          * Fail the remove if we are beyond listen, but can't send this
 478          * to the peer.
 479          */
 480         if (sctp->sctp_state > SCTPS_LISTEN) {
 481                 if (!sctps->sctps_addip_enabled ||
 482                     !sctp->sctp_understands_asconf ||
 483                     !sctp->sctp_understands_addip) {
 484                         if (!caller_hold_lock)
 485                                 WAKE_SCTP(sctp);
 486                         return (EINVAL);
 487                 }
 488                 do_asconf = B_TRUE;
 489         }
 490 
 491         /* Can't delete the last address nor all of the addresses */
 492         if (sctp->sctp_nsaddrs == 1 || addrcnt >= sctp->sctp_nsaddrs) {
 493                 if (!caller_hold_lock)
 494                         WAKE_SCTP(sctp);
 495                 return (EINVAL);
 496         }
 497 
 498         if (cl_sctp_unlisten != NULL && !do_asconf &&
 499             sctp->sctp_state > SCTPS_BOUND) {
 500                 usize = sizeof (in6_addr_t) * addrcnt;
 501                 ulist = kmem_alloc(usize, KM_SLEEP);
 502         }
 503 
 504         error = sctp_del_ip(sctp, addrs, addrcnt, ulist, usize);
 505         if (error != 0) {
 506                 if (ulist != NULL)
 507                         kmem_free(ulist, usize);
 508                 if (!caller_hold_lock)
 509                         WAKE_SCTP(sctp);
 510                 return (error);
 511         }
 512         /* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */
 513         if (ulist != NULL) {
 514                 ASSERT(cl_sctp_unlisten != NULL);
 515                 (*cl_sctp_unlisten)(connp->conn_family, ulist, addrcnt,
 516                     connp->conn_lport);
 517                 /* ulist will be freed by the clustering module */
 518         }
 519         if (!caller_hold_lock)
 520                 WAKE_SCTP(sctp);
 521         return (error);
 522 }
 523 
 524 /*
 525  * Returns 0 for success, errno value otherwise.
 526  *
 527  * If the "bind_to_req_port_only" parameter is set and the requested port
 528  * number is available, then set allocated_port to it.  If not available,
 529  * return an error.
 530  *
 531  * If the "bind_to_req_port_only" parameter is not set and the requested port
 532  * number is available, then set allocated_port to it.  If not available,
 533  * find the first anonymous port we can and set allocated_port to that.  If no
 534  * anonymous ports are available, return an error.
 535  *
 536  * In either case, when succeeding, update the sctp_t to record the port number
 537  * and insert it in the bind hash table.
 538  */
 539 int
 540 sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
 541     int user_specified, in_port_t *allocated_port)
 542 {
 543         /* number of times we have run around the loop */
 544         int count = 0;
 545         /* maximum number of times to run around the loop */
 546         int loopmax;
 547         sctp_stack_t    *sctps = sctp->sctp_sctps;
 548         conn_t          *connp = sctp->sctp_connp;
 549         zone_t *zone = crgetzone(connp->conn_cred);
 550         zoneid_t zoneid = connp->conn_zoneid;
 551 
 552         /*
 553          * Lookup for free addresses is done in a loop and "loopmax"
 554          * influences how long we spin in the loop
 555          */
 556         if (bind_to_req_port_only) {
 557                 /*
 558                  * If the requested port is busy, don't bother to look
 559                  * for a new one. Setting loop maximum count to 1 has
 560                  * that effect.
 561                  */
 562                 loopmax = 1;
 563         } else {
 564                 /*
 565                  * If the requested port is busy, look for a free one
 566                  * in the anonymous port range.
 567                  * Set loopmax appropriately so that one does not look
 568                  * forever in the case all of the anonymous ports are in use.
 569                  */
 570                 loopmax = (sctps->sctps_largest_anon_port -
 571                     sctps->sctps_smallest_anon_port + 1);
 572         }
 573         do {
 574                 uint16_t        lport;
 575                 sctp_tf_t       *tbf;
 576                 sctp_t          *lsctp;
 577                 int             addrcmp;
 578 
 579                 lport = htons(port);
 580 
 581                 /*
 582                  * Ensure that the sctp_t is not currently in the bind hash.
 583                  * Hold the lock on the hash bucket to ensure that
 584                  * the duplicate check plus the insertion is an atomic
 585                  * operation.
 586                  *
 587                  * This function does an inline lookup on the bind hash list
 588                  * Make sure that we access only members of sctp_t
 589                  * and that we don't look at sctp_sctp, since we are not
 590                  * doing a SCTPB_REFHOLD. For more details please see the notes
 591                  * in sctp_compress()
 592                  */
 593                 sctp_bind_hash_remove(sctp);
 594                 tbf = &sctps->sctps_bind_fanout[SCTP_BIND_HASH(port)];
 595                 mutex_enter(&tbf->tf_lock);
 596                 for (lsctp = tbf->tf_sctp; lsctp != NULL;
 597                     lsctp = lsctp->sctp_bind_hash) {
 598                         conn_t *lconnp = lsctp->sctp_connp;
 599 
 600                         if (lport != lconnp->conn_lport ||
 601                             lsctp->sctp_state < SCTPS_BOUND)
 602                                 continue;
 603 
 604                         /*
 605                          * On a labeled system, we must treat bindings to ports
 606                          * on shared IP addresses by sockets with MAC exemption
 607                          * privilege as being in all zones, as there's
 608                          * otherwise no way to identify the right receiver.
 609                          */
 610                         if (lconnp->conn_zoneid != zoneid &&
 611                             lconnp->conn_mac_mode == CONN_MAC_DEFAULT &&
 612                             connp->conn_mac_mode == CONN_MAC_DEFAULT)
 613                                 continue;
 614 
 615                         addrcmp = sctp_compare_saddrs(sctp, lsctp);
 616                         if (addrcmp != SCTP_ADDR_DISJOINT) {
 617                                 if (!connp->conn_reuseaddr) {
 618                                         /* in use */
 619                                         break;
 620                                 } else if (lsctp->sctp_state == SCTPS_BOUND ||
 621                                     lsctp->sctp_state == SCTPS_LISTEN) {
 622                                         /*
 623                                          * socket option SO_REUSEADDR is set
 624                                          * on the binding sctp_t.
 625                                          *
 626                                          * We have found a match of IP source
 627                                          * address and source port, which is
 628                                          * refused regardless of the
 629                                          * SO_REUSEADDR setting, so we break.
 630                                          */
 631                                         break;
 632                                 }
 633                         }
 634                 }
 635                 if (lsctp != NULL) {
 636                         /* The port number is busy */
 637                         mutex_exit(&tbf->tf_lock);
 638                 } else {
 639                         if (is_system_labeled()) {
 640                                 mlp_type_t addrtype, mlptype;
 641                                 uint_t ipversion;
 642 
 643                                 /*
 644                                  * On a labeled system we must check the type
 645                                  * of the binding requested by the user (either
 646                                  * MLP or SLP on shared and private addresses),
 647                                  * and that the user's requested binding
 648                                  * is permitted.
 649                                  */
 650                                 if (connp->conn_family == AF_INET)
 651                                         ipversion = IPV4_VERSION;
 652                                 else
 653                                         ipversion = IPV6_VERSION;
 654 
 655                                 addrtype = tsol_mlp_addr_type(
 656                                     connp->conn_allzones ? ALL_ZONES :
 657                                     zone->zone_id,
 658                                     ipversion,
 659                                     connp->conn_family == AF_INET ?
 660                                     (void *)&sctp->sctp_ipha->ipha_src :
 661                                     (void *)&sctp->sctp_ip6h->ip6_src,
 662                                     sctps->sctps_netstack->netstack_ip);
 663 
 664                                 /*
 665                                  * tsol_mlp_addr_type returns the possibilities
 666                                  * for the selected address.  Since all local
 667                                  * addresses are either private or shared, the
 668                                  * return value mlptSingle means "local address
 669                                  * not valid (interface not present)."
 670                                  */
 671                                 if (addrtype == mlptSingle) {
 672                                         mutex_exit(&tbf->tf_lock);
 673                                         return (EADDRNOTAVAIL);
 674                                 }
 675                                 mlptype = tsol_mlp_port_type(zone, IPPROTO_SCTP,
 676                                     port, addrtype);
 677                                 if (mlptype != mlptSingle) {
 678                                         if (secpolicy_net_bindmlp(connp->
 679                                             conn_cred) != 0) {
 680                                                 mutex_exit(&tbf->tf_lock);
 681                                                 return (EACCES);
 682                                         }
 683                                         /*
 684                                          * If we're binding a shared MLP, then
 685                                          * make sure that this zone is the one
 686                                          * that owns that MLP.  Shared MLPs can
 687                                          * be owned by at most one zone.
 688                                          *
 689                                          * No need to handle exclusive-stack
 690                                          * zones since ALL_ZONES only applies
 691                                          * to the shared stack.
 692                                          */
 693 
 694                                         if (mlptype == mlptShared &&
 695                                             addrtype == mlptShared &&
 696                                             connp->conn_zoneid !=
 697                                             tsol_mlp_findzone(IPPROTO_SCTP,
 698                                             lport)) {
 699                                                 mutex_exit(&tbf->tf_lock);
 700                                                 return (EACCES);
 701                                         }
 702                                         connp->conn_mlp_type = mlptype;
 703                                 }
 704                         }
 705                         /*
 706                          * This port is ours. Insert in fanout and mark as
 707                          * bound to prevent others from getting the port
 708                          * number.
 709                          */
 710                         sctp->sctp_state = SCTPS_BOUND;
 711                         connp->conn_lport = lport;
 712 
 713                         ASSERT(&sctps->sctps_bind_fanout[
 714                             SCTP_BIND_HASH(port)] == tbf);
 715                         sctp_bind_hash_insert(tbf, sctp, 1);
 716 
 717                         mutex_exit(&tbf->tf_lock);
 718 
 719                         /*
 720                          * We don't want sctp_next_port_to_try to "inherit"
 721                          * a port number supplied by the user in a bind.
 722                          *
 723                          * This is the only place where sctp_next_port_to_try
 724                          * is updated. After the update, it may or may not
 725                          * be in the valid range.
 726                          */
 727                         if (user_specified == 0)
 728                                 sctps->sctps_next_port_to_try = port + 1;
 729 
 730                         *allocated_port = port;
 731 
 732                         return (0);
 733                 }
 734 
 735                 if ((count == 0) && (user_specified)) {
 736                         /*
 737                          * We may have to return an anonymous port. So
 738                          * get one to start with.
 739                          */
 740                         port = sctp_update_next_port(
 741                             sctps->sctps_next_port_to_try,
 742                             zone, sctps);
 743                         user_specified = 0;
 744                 } else {
 745                         port = sctp_update_next_port(port + 1, zone, sctps);
 746                 }
 747                 if (port == 0)
 748                         break;
 749 
 750                 /*
 751                  * Don't let this loop run forever in the case where
 752                  * all of the anonymous ports are in use.
 753                  */
 754         } while (++count < loopmax);
 755 
 756         return (bind_to_req_port_only ? EADDRINUSE : EADDRNOTAVAIL);
 757 }
 758 
 759 /*
 760  * Don't let port fall into the privileged range.
 761  * Since the extra privileged ports can be arbitrary we also
 762  * ensure that we exclude those from consideration.
 763  * sctp_g_epriv_ports is not sorted thus we loop over it until
 764  * there are no changes.
 765  *
 766  * Note: No locks are held when inspecting sctp_g_*epriv_ports
 767  * but instead the code relies on:
 768  * - the fact that the address of the array and its size never changes
 769  * - the atomic assignment of the elements of the array
 770  */
 771 in_port_t
 772 sctp_update_next_port(in_port_t port, zone_t *zone, sctp_stack_t *sctps)
 773 {
 774         int i;
 775         boolean_t restart = B_FALSE;
 776 
 777 retry:
 778         if (port < sctps->sctps_smallest_anon_port)
 779                 port = sctps->sctps_smallest_anon_port;
 780 
 781         if (port > sctps->sctps_largest_anon_port) {
 782                 if (restart)
 783                         return (0);
 784                 restart = B_TRUE;
 785                 port = sctps->sctps_smallest_anon_port;
 786         }
 787 
 788         if (port < sctps->sctps_smallest_nonpriv_port)
 789                 port = sctps->sctps_smallest_nonpriv_port;
 790 
 791         for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
 792                 if (port == sctps->sctps_g_epriv_ports[i]) {
 793                         port++;
 794                         /*
 795                          * Make sure whether the port is in the
 796                          * valid range.
 797                          *
 798                          * XXX Note that if sctp_g_epriv_ports contains
 799                          * all the anonymous ports this will be an
 800                          * infinite loop.
 801                          */
 802                         goto retry;
 803                 }
 804         }
 805 
 806         if (is_system_labeled() &&
 807             (i = tsol_next_port(zone, port, IPPROTO_SCTP, B_TRUE)) != 0) {
 808                 port = i;
 809                 goto retry;
 810         }
 811 
 812         return (port);
 813 }