1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25 
  26 #include <sys/types.h>
  27 #include <sys/systm.h>
  28 #include <sys/stream.h>
  29 #include <sys/cmn_err.h>
  30 #include <sys/kmem.h>
  31 #define _SUN_TPI_VERSION 2
  32 #include <sys/tihdr.h>
  33 #include <sys/stropts.h>
  34 #include <sys/socket.h>
  35 #include <sys/random.h>
  36 #include <sys/policy.h>
  37 #include <sys/tsol/tndb.h>
  38 #include <sys/tsol/tnet.h>
  39 
  40 #include <netinet/in.h>
  41 #include <netinet/ip6.h>
  42 
  43 #include <inet/common.h>
  44 #include <inet/ip.h>
  45 #include <inet/ip6.h>
  46 #include <inet/ipclassifier.h>
  47 #include "sctp_impl.h"
  48 #include "sctp_asconf.h"
  49 #include "sctp_addr.h"
  50 
  51 /*
  52  * Minimum number of associations which can be created per listener.  Used
  53  * when the listener association count is in effect.
  54  */
  55 static uint32_t sctp_min_assoc_listener = 2;
  56 
  57 /*
  58  * Returns 0 on success, EACCES on permission failure.
  59  */
  60 static int
  61 sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
  62 {
  63         sctp_stack_t    *sctps = sctp->sctp_sctps;
  64         conn_t          *connp = sctp->sctp_connp;
  65 
  66         /*
  67          * Get a valid port (within the anonymous range and should not
  68          * be a privileged one) to use if the user has not given a port.
  69          * If multiple threads are here, they may all start with
  70          * with the same initial port. But, it should be fine as long as
  71          * sctp_bindi will ensure that no two threads will be assigned
  72          * the same port.
  73          */
  74         if (*requested_port == 0) {
  75                 *requested_port = sctp_update_next_port(
  76                     sctps->sctps_next_port_to_try,
  77                     crgetzone(connp->conn_cred), sctps);
  78                 if (*requested_port == 0)
  79                         return (EACCES);
  80                 *user_specified = 0;
  81         } else {
  82                 int i;
  83                 boolean_t priv = B_FALSE;
  84 
  85                 /*
  86                  * If the requested_port is in the well-known privileged range,
  87                  * verify that the stream was opened by a privileged user.
  88                  * Note: No locks are held when inspecting sctp_g_*epriv_ports
  89                  * but instead the code relies on:
  90                  * - the fact that the address of the array and its size never
  91                  *   changes
  92                  * - the atomic assignment of the elements of the array
  93                  */
  94                 if (*requested_port < sctps->sctps_smallest_nonpriv_port) {
  95                         priv = B_TRUE;
  96                 } else {
  97                         for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
  98                                 if (*requested_port ==
  99                                     sctps->sctps_g_epriv_ports[i]) {
 100                                         priv = B_TRUE;
 101                                         break;
 102                                 }
 103                         }
 104                 }
 105                 if (priv) {
 106                         /*
 107                          * sctp_bind() should take a cred_t argument so that
 108                          * we can use it here.
 109                          */
 110                         if (secpolicy_net_privaddr(connp->conn_cred,
 111                             *requested_port, IPPROTO_SCTP) != 0) {
 112                                 dprint(1,
 113                                     ("sctp_bind(x): no prive for port %d",
 114                                     *requested_port));
 115                                 return (EACCES);
 116                         }
 117                 }
 118                 *user_specified = 1;
 119         }
 120 
 121         return (0);
 122 }
 123 
 124 int
 125 sctp_listen(sctp_t *sctp)
 126 {
 127         sctp_tf_t       *tf;
 128         sctp_stack_t    *sctps = sctp->sctp_sctps;
 129         conn_t          *connp = sctp->sctp_connp;
 130 
 131         RUN_SCTP(sctp);
 132         /*
 133          * TCP handles listen() increasing the backlog, need to check
 134          * if it should be handled here too
 135          */
 136         if (sctp->sctp_state > SCTPS_BOUND ||
 137             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
 138                 WAKE_SCTP(sctp);
 139                 return (EINVAL);
 140         }
 141 
 142         /* Do an anonymous bind for unbound socket doing listen(). */
 143         if (sctp->sctp_nsaddrs == 0) {
 144                 struct sockaddr_storage ss;
 145                 int ret;
 146 
 147                 bzero(&ss, sizeof (ss));
 148                 ss.ss_family = connp->conn_family;
 149 
 150                 WAKE_SCTP(sctp);
 151                 if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
 152                     sizeof (ss))) != 0)
 153                         return (ret);
 154                 RUN_SCTP(sctp)
 155         }
 156 
 157         /* Cache things in the ixa without any refhold */
 158         ASSERT(!(connp->conn_ixa->ixa_free_flags & IXA_FREE_CRED));
 159         connp->conn_ixa->ixa_cred = connp->conn_cred;
 160         connp->conn_ixa->ixa_cpid = connp->conn_cpid;
 161         if (is_system_labeled())
 162                 connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
 163 
 164         sctp->sctp_state = SCTPS_LISTEN;
 165         DTRACE_SCTP6(state__change, void, NULL, ip_xmit_attr_t *,
 166             connp->conn_ixa, void, NULL, sctp_t *, sctp, void, NULL,
 167             int32_t, SCTPS_BOUND);
 168         (void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
 169         sctp->sctp_last_secret_update = ddi_get_lbolt64();
 170         bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
 171 
 172         /*
 173          * If there is an association limit, allocate and initialize
 174          * the counter struct.  Note that since listen can be called
 175          * multiple times, the struct may have been allready allocated.
 176          */
 177         if (!list_is_empty(&sctps->sctps_listener_conf) &&
 178             sctp->sctp_listen_cnt == NULL) {
 179                 sctp_listen_cnt_t *slc;
 180                 uint32_t ratio;
 181 
 182                 ratio = sctp_find_listener_conf(sctps,
 183                     ntohs(connp->conn_lport));
 184                 if (ratio != 0) {
 185                         uint32_t mem_ratio, tot_buf;
 186 
 187                         slc = kmem_alloc(sizeof (sctp_listen_cnt_t), KM_SLEEP);
 188                         /*
 189                          * Calculate the connection limit based on
 190                          * the configured ratio and maxusers.  Maxusers
 191                          * are calculated based on memory size,
 192                          * ~ 1 user per MB.  Note that the conn_rcvbuf
 193                          * and conn_sndbuf may change after a
 194                          * connection is accepted.  So what we have
 195                          * is only an approximation.
 196                          */
 197                         if ((tot_buf = connp->conn_rcvbuf +
 198                             connp->conn_sndbuf) < MB) {
 199                                 mem_ratio = MB / tot_buf;
 200                                 slc->slc_max = maxusers / ratio * mem_ratio;
 201                         } else {
 202                                 mem_ratio = tot_buf / MB;
 203                                 slc->slc_max = maxusers / ratio / mem_ratio;
 204                         }
 205                         /* At least we should allow some associations! */
 206                         if (slc->slc_max < sctp_min_assoc_listener)
 207                                 slc->slc_max = sctp_min_assoc_listener;
 208                         slc->slc_cnt = 1;
 209                         slc->slc_drop = 0;
 210                         sctp->sctp_listen_cnt = slc;
 211                 }
 212         }
 213 
 214 
 215         tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
 216             ntohs(connp->conn_lport))];
 217         sctp_listen_hash_insert(tf, sctp);
 218 
 219         WAKE_SCTP(sctp);
 220         return (0);
 221 }
 222 
 223 /*
 224  * Bind the sctp_t to a sockaddr, which includes an address and other
 225  * information, such as port or flowinfo.
 226  */
 227 int
 228 sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
 229 {
 230         int             user_specified;
 231         boolean_t       bind_to_req_port_only;
 232         in_port_t       requested_port;
 233         in_port_t       allocated_port;
 234         int             err = 0;
 235         conn_t          *connp = sctp->sctp_connp;
 236         uint_t          scope_id;
 237         sin_t           *sin;
 238         sin6_t          *sin6;
 239 
 240         ASSERT(sctp != NULL);
 241 
 242         RUN_SCTP(sctp);
 243 
 244         if ((sctp->sctp_state >= SCTPS_BOUND) ||
 245             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING) ||
 246             (sa == NULL || len == 0)) {
 247                 /*
 248                  * Multiple binds not allowed for any SCTP socket
 249                  * Also binding with null address is not supported.
 250                  */
 251                 err = EINVAL;
 252                 goto done;
 253         }
 254 
 255         switch (sa->sa_family) {
 256         case AF_INET:
 257                 sin = (sin_t *)sa;
 258                 if (len < sizeof (struct sockaddr_in) ||
 259                     connp->conn_family == AF_INET6) {
 260                         err = EINVAL;
 261                         goto done;
 262                 }
 263                 requested_port = ntohs(sin->sin_port);
 264                 break;
 265         case AF_INET6:
 266                 sin6 = (sin6_t *)sa;
 267                 if (len < sizeof (struct sockaddr_in6) ||
 268                     connp->conn_family == AF_INET) {
 269                         err = EINVAL;
 270                         goto done;
 271                 }
 272                 requested_port = ntohs(sin6->sin6_port);
 273                 /* Set the flowinfo. */
 274                 connp->conn_flowinfo =
 275                     sin6->sin6_flowinfo & ~IPV6_VERS_AND_FLOW_MASK;
 276 
 277                 scope_id = sin6->sin6_scope_id;
 278                 if (scope_id != 0 && IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr)) {
 279                         connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
 280                         connp->conn_ixa->ixa_scopeid = scope_id;
 281                         connp->conn_incoming_ifindex = scope_id;
 282                 } else {
 283                         connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
 284                         connp->conn_incoming_ifindex = connp->conn_bound_if;
 285                 }
 286                 break;
 287         default:
 288                 err = EAFNOSUPPORT;
 289                 goto done;
 290         }
 291         bind_to_req_port_only = requested_port == 0 ? B_FALSE : B_TRUE;
 292 
 293         err = sctp_select_port(sctp, &requested_port, &user_specified);
 294         if (err != 0)
 295                 goto done;
 296 
 297         if ((err = sctp_bind_add(sctp, sa, 1, B_TRUE,
 298             user_specified == 1 ? htons(requested_port) : 0)) != 0) {
 299                 goto done;
 300         }
 301         err = sctp_bindi(sctp, requested_port, bind_to_req_port_only,
 302             user_specified, &allocated_port);
 303         if (err != 0) {
 304                 sctp_free_saddrs(sctp);
 305         } else {
 306                 ASSERT(sctp->sctp_state == SCTPS_BOUND);
 307         }
 308 done:
 309         WAKE_SCTP(sctp);
 310         return (err);
 311 }
 312 
 313 /*
 314  * Perform bind/unbind operation of a list of addresses on a sctp_t
 315  */
 316 int
 317 sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop)
 318 {
 319         ASSERT(sctp != NULL);
 320         ASSERT(addrs != NULL);
 321         ASSERT(addrcnt > 0);
 322 
 323         switch (bindop) {
 324         case SCTP_BINDX_ADD_ADDR:
 325                 return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE,
 326                     sctp->sctp_connp->conn_lport));
 327         case SCTP_BINDX_REM_ADDR:
 328                 return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE));
 329         default:
 330                 return (EINVAL);
 331         }
 332 }
 333 
 334 /*
 335  * Add a list of addresses to a sctp_t.
 336  */
 337 int
 338 sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
 339     boolean_t caller_hold_lock, in_port_t port)
 340 {
 341         int             err = 0;
 342         boolean_t       do_asconf = B_FALSE;
 343         sctp_stack_t    *sctps = sctp->sctp_sctps;
 344         conn_t          *connp = sctp->sctp_connp;
 345 
 346         if (!caller_hold_lock)
 347                 RUN_SCTP(sctp);
 348 
 349         if (sctp->sctp_state > SCTPS_ESTABLISHED ||
 350             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
 351                 if (!caller_hold_lock)
 352                         WAKE_SCTP(sctp);
 353                 return (EINVAL);
 354         }
 355 
 356         if (sctp->sctp_state > SCTPS_LISTEN) {
 357                 /*
 358                  * Let's do some checking here rather than undoing the
 359                  * add later (for these reasons).
 360                  */
 361                 if (!sctps->sctps_addip_enabled ||
 362                     !sctp->sctp_understands_asconf ||
 363                     !sctp->sctp_understands_addip) {
 364                         if (!caller_hold_lock)
 365                                 WAKE_SCTP(sctp);
 366                         return (EINVAL);
 367                 }
 368                 do_asconf = B_TRUE;
 369         }
 370         /*
 371          * On a clustered node, for an inaddr_any bind, we will pass the list
 372          * of all the addresses in the global list, minus any address on the
 373          * loopback interface, and expect the clustering susbsystem to give us
 374          * the correct list for the 'port'. For explicit binds we give the
 375          * list of addresses  and the clustering module validates it for the
 376          * 'port'.
 377          *
 378          * On a non-clustered node, cl_sctp_check_addrs will be NULL and
 379          * we proceed as usual.
 380          */
 381         if (cl_sctp_check_addrs != NULL) {
 382                 uchar_t         *addrlist = NULL;
 383                 size_t          size = 0;
 384                 int             unspec = 0;
 385                 boolean_t       do_listen;
 386                 uchar_t         *llist = NULL;
 387                 size_t          lsize = 0;
 388 
 389                 /*
 390                  * If we are adding addresses after listening, but before
 391                  * an association is established, we need to update the
 392                  * clustering module with this info.
 393                  */
 394                 do_listen = !do_asconf && sctp->sctp_state > SCTPS_BOUND &&
 395                     cl_sctp_listen != NULL;
 396 
 397                 err = sctp_get_addrlist(sctp, addrs, &addrcnt, &addrlist,
 398                     &unspec, &size);
 399                 if (err != 0) {
 400                         ASSERT(addrlist == NULL);
 401                         ASSERT(addrcnt == 0);
 402                         ASSERT(size == 0);
 403                         if (!caller_hold_lock)
 404                                 WAKE_SCTP(sctp);
 405                         SCTP_KSTAT(sctps, sctp_cl_check_addrs);
 406                         return (err);
 407                 }
 408                 ASSERT(addrlist != NULL);
 409                 (*cl_sctp_check_addrs)(connp->conn_family, port, &addrlist,
 410                     size, &addrcnt, unspec == 1);
 411                 if (addrcnt == 0) {
 412                         /* We free the list */
 413                         kmem_free(addrlist, size);
 414                         if (!caller_hold_lock)
 415                                 WAKE_SCTP(sctp);
 416                         return (EINVAL);
 417                 }
 418                 if (do_listen) {
 419                         lsize = sizeof (in6_addr_t) * addrcnt;
 420                         llist = kmem_alloc(lsize, KM_SLEEP);
 421                 }
 422                 err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist,
 423                     lsize);
 424                 if (err == 0 && do_listen) {
 425                         (*cl_sctp_listen)(connp->conn_family, llist,
 426                             addrcnt, connp->conn_lport);
 427                         /* list will be freed by the clustering module */
 428                 } else if (err != 0 && llist != NULL) {
 429                         kmem_free(llist, lsize);
 430                 }
 431                 /* free the list we allocated */
 432                 kmem_free(addrlist, size);
 433         } else {
 434                 err = sctp_valid_addr_list(sctp, addrs, addrcnt, NULL, 0);
 435         }
 436         if (err != 0) {
 437                 if (!caller_hold_lock)
 438                         WAKE_SCTP(sctp);
 439                 return (err);
 440         }
 441         /* Need to send  ASCONF messages */
 442         if (do_asconf) {
 443                 err = sctp_add_ip(sctp, addrs, addrcnt);
 444                 if (err != 0) {
 445                         sctp_del_saddr_list(sctp, addrs, addrcnt, B_FALSE);
 446                         if (!caller_hold_lock)
 447                                 WAKE_SCTP(sctp);
 448                         return (err);
 449                 }
 450         }
 451         if (!caller_hold_lock)
 452                 WAKE_SCTP(sctp);
 453         return (0);
 454 }
 455 
 456 /*
 457  * Remove one or more addresses bound to the sctp_t.
 458  */
 459 int
 460 sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
 461     boolean_t caller_hold_lock)
 462 {
 463         int             error = 0;
 464         boolean_t       do_asconf = B_FALSE;
 465         uchar_t         *ulist = NULL;
 466         size_t          usize = 0;
 467         sctp_stack_t    *sctps = sctp->sctp_sctps;
 468         conn_t          *connp = sctp->sctp_connp;
 469 
 470         if (!caller_hold_lock)
 471                 RUN_SCTP(sctp);
 472 
 473         if (sctp->sctp_state > SCTPS_ESTABLISHED ||
 474             (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
 475                 if (!caller_hold_lock)
 476                         WAKE_SCTP(sctp);
 477                 return (EINVAL);
 478         }
 479         /*
 480          * Fail the remove if we are beyond listen, but can't send this
 481          * to the peer.
 482          */
 483         if (sctp->sctp_state > SCTPS_LISTEN) {
 484                 if (!sctps->sctps_addip_enabled ||
 485                     !sctp->sctp_understands_asconf ||
 486                     !sctp->sctp_understands_addip) {
 487                         if (!caller_hold_lock)
 488                                 WAKE_SCTP(sctp);
 489                         return (EINVAL);
 490                 }
 491                 do_asconf = B_TRUE;
 492         }
 493 
 494         /* Can't delete the last address nor all of the addresses */
 495         if (sctp->sctp_nsaddrs == 1 || addrcnt >= sctp->sctp_nsaddrs) {
 496                 if (!caller_hold_lock)
 497                         WAKE_SCTP(sctp);
 498                 return (EINVAL);
 499         }
 500 
 501         if (cl_sctp_unlisten != NULL && !do_asconf &&
 502             sctp->sctp_state > SCTPS_BOUND) {
 503                 usize = sizeof (in6_addr_t) * addrcnt;
 504                 ulist = kmem_alloc(usize, KM_SLEEP);
 505         }
 506 
 507         error = sctp_del_ip(sctp, addrs, addrcnt, ulist, usize);
 508         if (error != 0) {
 509                 if (ulist != NULL)
 510                         kmem_free(ulist, usize);
 511                 if (!caller_hold_lock)
 512                         WAKE_SCTP(sctp);
 513                 return (error);
 514         }
 515         /* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */
 516         if (ulist != NULL) {
 517                 ASSERT(cl_sctp_unlisten != NULL);
 518                 (*cl_sctp_unlisten)(connp->conn_family, ulist, addrcnt,
 519                     connp->conn_lport);
 520                 /* ulist will be freed by the clustering module */
 521         }
 522         if (!caller_hold_lock)
 523                 WAKE_SCTP(sctp);
 524         return (error);
 525 }
 526 
 527 /*
 528  * Returns 0 for success, errno value otherwise.
 529  *
 530  * If the "bind_to_req_port_only" parameter is set and the requested port
 531  * number is available, then set allocated_port to it.  If not available,
 532  * return an error.
 533  *
 534  * If the "bind_to_req_port_only" parameter is not set and the requested port
 535  * number is available, then set allocated_port to it.  If not available,
 536  * find the first anonymous port we can and set allocated_port to that.  If no
 537  * anonymous ports are available, return an error.
 538  *
 539  * In either case, when succeeding, update the sctp_t to record the port number
 540  * and insert it in the bind hash table.
 541  */
 542 int
 543 sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
 544     int user_specified, in_port_t *allocated_port)
 545 {
 546         /* number of times we have run around the loop */
 547         int count = 0;
 548         /* maximum number of times to run around the loop */
 549         int loopmax;
 550         sctp_stack_t    *sctps = sctp->sctp_sctps;
 551         conn_t          *connp = sctp->sctp_connp;
 552         zone_t *zone = crgetzone(connp->conn_cred);
 553         zoneid_t zoneid = connp->conn_zoneid;
 554 
 555         /*
 556          * Lookup for free addresses is done in a loop and "loopmax"
 557          * influences how long we spin in the loop
 558          */
 559         if (bind_to_req_port_only) {
 560                 /*
 561                  * If the requested port is busy, don't bother to look
 562                  * for a new one. Setting loop maximum count to 1 has
 563                  * that effect.
 564                  */
 565                 loopmax = 1;
 566         } else {
 567                 /*
 568                  * If the requested port is busy, look for a free one
 569                  * in the anonymous port range.
 570                  * Set loopmax appropriately so that one does not look
 571                  * forever in the case all of the anonymous ports are in use.
 572                  */
 573                 loopmax = (sctps->sctps_largest_anon_port -
 574                     sctps->sctps_smallest_anon_port + 1);
 575         }
 576         do {
 577                 uint16_t        lport;
 578                 sctp_tf_t       *tbf;
 579                 sctp_t          *lsctp;
 580                 int             addrcmp;
 581 
 582                 lport = htons(port);
 583 
 584                 /*
 585                  * Ensure that the sctp_t is not currently in the bind hash.
 586                  * Hold the lock on the hash bucket to ensure that
 587                  * the duplicate check plus the insertion is an atomic
 588                  * operation.
 589                  *
 590                  * This function does an inline lookup on the bind hash list
 591                  * Make sure that we access only members of sctp_t
 592                  * and that we don't look at sctp_sctp, since we are not
 593                  * doing a SCTPB_REFHOLD. For more details please see the notes
 594                  * in sctp_compress()
 595                  */
 596                 sctp_bind_hash_remove(sctp);
 597                 tbf = &sctps->sctps_bind_fanout[SCTP_BIND_HASH(port)];
 598                 mutex_enter(&tbf->tf_lock);
 599                 for (lsctp = tbf->tf_sctp; lsctp != NULL;
 600                     lsctp = lsctp->sctp_bind_hash) {
 601                         conn_t *lconnp = lsctp->sctp_connp;
 602 
 603                         if (lport != lconnp->conn_lport ||
 604                             lsctp->sctp_state < SCTPS_BOUND)
 605                                 continue;
 606 
 607                         /*
 608                          * On a labeled system, we must treat bindings to ports
 609                          * on shared IP addresses by sockets with MAC exemption
 610                          * privilege as being in all zones, as there's
 611                          * otherwise no way to identify the right receiver.
 612                          */
 613                         if (lconnp->conn_zoneid != zoneid &&
 614                             lconnp->conn_mac_mode == CONN_MAC_DEFAULT &&
 615                             connp->conn_mac_mode == CONN_MAC_DEFAULT)
 616                                 continue;
 617 
 618                         addrcmp = sctp_compare_saddrs(sctp, lsctp);
 619                         if (addrcmp != SCTP_ADDR_DISJOINT) {
 620                                 if (!connp->conn_reuseaddr) {
 621                                         /* in use */
 622                                         break;
 623                                 } else if (lsctp->sctp_state == SCTPS_BOUND ||
 624                                     lsctp->sctp_state == SCTPS_LISTEN) {
 625                                         /*
 626                                          * socket option SO_REUSEADDR is set
 627                                          * on the binding sctp_t.
 628                                          *
 629                                          * We have found a match of IP source
 630                                          * address and source port, which is
 631                                          * refused regardless of the
 632                                          * SO_REUSEADDR setting, so we break.
 633                                          */
 634                                         break;
 635                                 }
 636                         }
 637                 }
 638                 if (lsctp != NULL) {
 639                         /* The port number is busy */
 640                         mutex_exit(&tbf->tf_lock);
 641                 } else {
 642                         if (is_system_labeled()) {
 643                                 mlp_type_t addrtype, mlptype;
 644                                 uint_t ipversion;
 645 
 646                                 /*
 647                                  * On a labeled system we must check the type
 648                                  * of the binding requested by the user (either
 649                                  * MLP or SLP on shared and private addresses),
 650                                  * and that the user's requested binding
 651                                  * is permitted.
 652                                  */
 653                                 if (connp->conn_family == AF_INET)
 654                                         ipversion = IPV4_VERSION;
 655                                 else
 656                                         ipversion = IPV6_VERSION;
 657 
 658                                 addrtype = tsol_mlp_addr_type(
 659                                     connp->conn_allzones ? ALL_ZONES :
 660                                     zone->zone_id,
 661                                     ipversion,
 662                                     connp->conn_family == AF_INET ?
 663                                     (void *)&sctp->sctp_ipha->ipha_src :
 664                                     (void *)&sctp->sctp_ip6h->ip6_src,
 665                                     sctps->sctps_netstack->netstack_ip);
 666 
 667                                 /*
 668                                  * tsol_mlp_addr_type returns the possibilities
 669                                  * for the selected address.  Since all local
 670                                  * addresses are either private or shared, the
 671                                  * return value mlptSingle means "local address
 672                                  * not valid (interface not present)."
 673                                  */
 674                                 if (addrtype == mlptSingle) {
 675                                         mutex_exit(&tbf->tf_lock);
 676                                         return (EADDRNOTAVAIL);
 677                                 }
 678                                 mlptype = tsol_mlp_port_type(zone, IPPROTO_SCTP,
 679                                     port, addrtype);
 680                                 if (mlptype != mlptSingle) {
 681                                         if (secpolicy_net_bindmlp(connp->
 682                                             conn_cred) != 0) {
 683                                                 mutex_exit(&tbf->tf_lock);
 684                                                 return (EACCES);
 685                                         }
 686                                         /*
 687                                          * If we're binding a shared MLP, then
 688                                          * make sure that this zone is the one
 689                                          * that owns that MLP.  Shared MLPs can
 690                                          * be owned by at most one zone.
 691                                          *
 692                                          * No need to handle exclusive-stack
 693                                          * zones since ALL_ZONES only applies
 694                                          * to the shared stack.
 695                                          */
 696 
 697                                         if (mlptype == mlptShared &&
 698                                             addrtype == mlptShared &&
 699                                             connp->conn_zoneid !=
 700                                             tsol_mlp_findzone(IPPROTO_SCTP,
 701                                             lport)) {
 702                                                 mutex_exit(&tbf->tf_lock);
 703                                                 return (EACCES);
 704                                         }
 705                                         connp->conn_mlp_type = mlptype;
 706                                 }
 707                         }
 708                         /*
 709                          * This port is ours. Insert in fanout and mark as
 710                          * bound to prevent others from getting the port
 711                          * number.
 712                          */
 713                         sctp->sctp_state = SCTPS_BOUND;
 714                         DTRACE_SCTP6(state__change, void, NULL,
 715                             ip_xmit_attr_t *, connp->conn_ixa, void, NULL,
 716                             scpt_t *, sctp, void, NULL,
 717                             int32_t, SCTPS_IDLE);
 718                         connp->conn_lport = lport;
 719 
 720                         ASSERT(&sctps->sctps_bind_fanout[
 721                             SCTP_BIND_HASH(port)] == tbf);
 722                         sctp_bind_hash_insert(tbf, sctp, 1);
 723 
 724                         mutex_exit(&tbf->tf_lock);
 725 
 726                         /*
 727                          * We don't want sctp_next_port_to_try to "inherit"
 728                          * a port number supplied by the user in a bind.
 729                          *
 730                          * This is the only place where sctp_next_port_to_try
 731                          * is updated. After the update, it may or may not
 732                          * be in the valid range.
 733                          */
 734                         if (user_specified == 0)
 735                                 sctps->sctps_next_port_to_try = port + 1;
 736 
 737                         *allocated_port = port;
 738 
 739                         return (0);
 740                 }
 741 
 742                 if ((count == 0) && (user_specified)) {
 743                         /*
 744                          * We may have to return an anonymous port. So
 745                          * get one to start with.
 746                          */
 747                         port = sctp_update_next_port(
 748                             sctps->sctps_next_port_to_try,
 749                             zone, sctps);
 750                         user_specified = 0;
 751                 } else {
 752                         port = sctp_update_next_port(port + 1, zone, sctps);
 753                 }
 754                 if (port == 0)
 755                         break;
 756 
 757                 /*
 758                  * Don't let this loop run forever in the case where
 759                  * all of the anonymous ports are in use.
 760                  */
 761         } while (++count < loopmax);
 762 
 763         return (bind_to_req_port_only ? EADDRINUSE : EADDRNOTAVAIL);
 764 }
 765 
 766 /*
 767  * Don't let port fall into the privileged range.
 768  * Since the extra privileged ports can be arbitrary we also
 769  * ensure that we exclude those from consideration.
 770  * sctp_g_epriv_ports is not sorted thus we loop over it until
 771  * there are no changes.
 772  *
 773  * Note: No locks are held when inspecting sctp_g_*epriv_ports
 774  * but instead the code relies on:
 775  * - the fact that the address of the array and its size never changes
 776  * - the atomic assignment of the elements of the array
 777  */
 778 in_port_t
 779 sctp_update_next_port(in_port_t port, zone_t *zone, sctp_stack_t *sctps)
 780 {
 781         int i;
 782         boolean_t restart = B_FALSE;
 783 
 784 retry:
 785         if (port < sctps->sctps_smallest_anon_port)
 786                 port = sctps->sctps_smallest_anon_port;
 787 
 788         if (port > sctps->sctps_largest_anon_port) {
 789                 if (restart)
 790                         return (0);
 791                 restart = B_TRUE;
 792                 port = sctps->sctps_smallest_anon_port;
 793         }
 794 
 795         if (port < sctps->sctps_smallest_nonpriv_port)
 796                 port = sctps->sctps_smallest_nonpriv_port;
 797 
 798         for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
 799                 if (port == sctps->sctps_g_epriv_ports[i]) {
 800                         port++;
 801                         /*
 802                          * Make sure whether the port is in the
 803                          * valid range.
 804                          *
 805                          * XXX Note that if sctp_g_epriv_ports contains
 806                          * all the anonymous ports this will be an
 807                          * infinite loop.
 808                          */
 809                         goto retry;
 810                 }
 811         }
 812 
 813         if (is_system_labeled() &&
 814             (i = tsol_next_port(zone, port, IPPROTO_SCTP, B_TRUE)) != 0) {
 815                 port = i;
 816                 goto retry;
 817         }
 818 
 819         return (port);
 820 }