Print this page
3903 DTrace SCTP Provider
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/sctp/sctp_bind.c
+++ new/usr/src/uts/common/inet/sctp/sctp_bind.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24 24 */
25 25
26 26 #include <sys/types.h>
27 27 #include <sys/systm.h>
28 28 #include <sys/stream.h>
29 29 #include <sys/cmn_err.h>
30 30 #include <sys/kmem.h>
31 31 #define _SUN_TPI_VERSION 2
32 32 #include <sys/tihdr.h>
33 33 #include <sys/stropts.h>
34 34 #include <sys/socket.h>
35 35 #include <sys/random.h>
36 36 #include <sys/policy.h>
37 37 #include <sys/tsol/tndb.h>
38 38 #include <sys/tsol/tnet.h>
39 39
40 40 #include <netinet/in.h>
41 41 #include <netinet/ip6.h>
42 42
43 43 #include <inet/common.h>
44 44 #include <inet/ip.h>
45 45 #include <inet/ip6.h>
46 46 #include <inet/ipclassifier.h>
47 47 #include "sctp_impl.h"
48 48 #include "sctp_asconf.h"
49 49 #include "sctp_addr.h"
50 50
51 51 /*
52 52 * Minimum number of associations which can be created per listener. Used
53 53 * when the listener association count is in effect.
54 54 */
55 55 static uint32_t sctp_min_assoc_listener = 2;
56 56
57 57 /*
58 58 * Returns 0 on success, EACCES on permission failure.
59 59 */
60 60 static int
61 61 sctp_select_port(sctp_t *sctp, in_port_t *requested_port, int *user_specified)
62 62 {
63 63 sctp_stack_t *sctps = sctp->sctp_sctps;
64 64 conn_t *connp = sctp->sctp_connp;
65 65
66 66 /*
67 67 * Get a valid port (within the anonymous range and should not
68 68 * be a privileged one) to use if the user has not given a port.
69 69 * If multiple threads are here, they may all start with
70 70 * with the same initial port. But, it should be fine as long as
71 71 * sctp_bindi will ensure that no two threads will be assigned
72 72 * the same port.
73 73 */
74 74 if (*requested_port == 0) {
75 75 *requested_port = sctp_update_next_port(
76 76 sctps->sctps_next_port_to_try,
77 77 crgetzone(connp->conn_cred), sctps);
78 78 if (*requested_port == 0)
79 79 return (EACCES);
80 80 *user_specified = 0;
81 81 } else {
82 82 int i;
83 83 boolean_t priv = B_FALSE;
84 84
85 85 /*
86 86 * If the requested_port is in the well-known privileged range,
87 87 * verify that the stream was opened by a privileged user.
88 88 * Note: No locks are held when inspecting sctp_g_*epriv_ports
89 89 * but instead the code relies on:
90 90 * - the fact that the address of the array and its size never
91 91 * changes
92 92 * - the atomic assignment of the elements of the array
93 93 */
94 94 if (*requested_port < sctps->sctps_smallest_nonpriv_port) {
95 95 priv = B_TRUE;
96 96 } else {
97 97 for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
98 98 if (*requested_port ==
99 99 sctps->sctps_g_epriv_ports[i]) {
100 100 priv = B_TRUE;
101 101 break;
102 102 }
103 103 }
104 104 }
105 105 if (priv) {
106 106 /*
107 107 * sctp_bind() should take a cred_t argument so that
108 108 * we can use it here.
109 109 */
110 110 if (secpolicy_net_privaddr(connp->conn_cred,
111 111 *requested_port, IPPROTO_SCTP) != 0) {
112 112 dprint(1,
113 113 ("sctp_bind(x): no prive for port %d",
114 114 *requested_port));
115 115 return (EACCES);
116 116 }
117 117 }
118 118 *user_specified = 1;
119 119 }
120 120
121 121 return (0);
122 122 }
123 123
124 124 int
125 125 sctp_listen(sctp_t *sctp)
126 126 {
127 127 sctp_tf_t *tf;
128 128 sctp_stack_t *sctps = sctp->sctp_sctps;
129 129 conn_t *connp = sctp->sctp_connp;
130 130
131 131 RUN_SCTP(sctp);
132 132 /*
133 133 * TCP handles listen() increasing the backlog, need to check
134 134 * if it should be handled here too
135 135 */
136 136 if (sctp->sctp_state > SCTPS_BOUND ||
137 137 (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
138 138 WAKE_SCTP(sctp);
139 139 return (EINVAL);
140 140 }
141 141
142 142 /* Do an anonymous bind for unbound socket doing listen(). */
143 143 if (sctp->sctp_nsaddrs == 0) {
144 144 struct sockaddr_storage ss;
145 145 int ret;
146 146
147 147 bzero(&ss, sizeof (ss));
148 148 ss.ss_family = connp->conn_family;
149 149
150 150 WAKE_SCTP(sctp);
151 151 if ((ret = sctp_bind(sctp, (struct sockaddr *)&ss,
152 152 sizeof (ss))) != 0)
153 153 return (ret);
154 154 RUN_SCTP(sctp)
|
↓ open down ↓ |
154 lines elided |
↑ open up ↑ |
155 155 }
156 156
157 157 /* Cache things in the ixa without any refhold */
158 158 ASSERT(!(connp->conn_ixa->ixa_free_flags & IXA_FREE_CRED));
159 159 connp->conn_ixa->ixa_cred = connp->conn_cred;
160 160 connp->conn_ixa->ixa_cpid = connp->conn_cpid;
161 161 if (is_system_labeled())
162 162 connp->conn_ixa->ixa_tsl = crgetlabel(connp->conn_cred);
163 163
164 164 sctp->sctp_state = SCTPS_LISTEN;
165 + DTRACE_SCTP6(state__change, void, NULL, ip_xmit_attr_t *,
166 + connp->conn_ixa, void, NULL, sctp_t *, sctp, void, NULL,
167 + int32_t, SCTPS_BOUND);
165 168 (void) random_get_pseudo_bytes(sctp->sctp_secret, SCTP_SECRET_LEN);
166 169 sctp->sctp_last_secret_update = ddi_get_lbolt64();
167 170 bzero(sctp->sctp_old_secret, SCTP_SECRET_LEN);
168 171
169 172 /*
170 173 * If there is an association limit, allocate and initialize
171 174 * the counter struct. Note that since listen can be called
172 175 * multiple times, the struct may have been allready allocated.
173 176 */
174 177 if (!list_is_empty(&sctps->sctps_listener_conf) &&
175 178 sctp->sctp_listen_cnt == NULL) {
176 179 sctp_listen_cnt_t *slc;
177 180 uint32_t ratio;
178 181
179 182 ratio = sctp_find_listener_conf(sctps,
180 183 ntohs(connp->conn_lport));
181 184 if (ratio != 0) {
182 185 uint32_t mem_ratio, tot_buf;
183 186
184 187 slc = kmem_alloc(sizeof (sctp_listen_cnt_t), KM_SLEEP);
185 188 /*
186 189 * Calculate the connection limit based on
187 190 * the configured ratio and maxusers. Maxusers
188 191 * are calculated based on memory size,
189 192 * ~ 1 user per MB. Note that the conn_rcvbuf
190 193 * and conn_sndbuf may change after a
191 194 * connection is accepted. So what we have
192 195 * is only an approximation.
193 196 */
194 197 if ((tot_buf = connp->conn_rcvbuf +
195 198 connp->conn_sndbuf) < MB) {
196 199 mem_ratio = MB / tot_buf;
197 200 slc->slc_max = maxusers / ratio * mem_ratio;
198 201 } else {
199 202 mem_ratio = tot_buf / MB;
200 203 slc->slc_max = maxusers / ratio / mem_ratio;
201 204 }
202 205 /* At least we should allow some associations! */
203 206 if (slc->slc_max < sctp_min_assoc_listener)
204 207 slc->slc_max = sctp_min_assoc_listener;
205 208 slc->slc_cnt = 1;
206 209 slc->slc_drop = 0;
207 210 sctp->sctp_listen_cnt = slc;
208 211 }
209 212 }
210 213
211 214
212 215 tf = &sctps->sctps_listen_fanout[SCTP_LISTEN_HASH(
213 216 ntohs(connp->conn_lport))];
214 217 sctp_listen_hash_insert(tf, sctp);
215 218
216 219 WAKE_SCTP(sctp);
217 220 return (0);
218 221 }
219 222
220 223 /*
221 224 * Bind the sctp_t to a sockaddr, which includes an address and other
222 225 * information, such as port or flowinfo.
223 226 */
224 227 int
225 228 sctp_bind(sctp_t *sctp, struct sockaddr *sa, socklen_t len)
226 229 {
227 230 int user_specified;
228 231 boolean_t bind_to_req_port_only;
229 232 in_port_t requested_port;
230 233 in_port_t allocated_port;
231 234 int err = 0;
232 235 conn_t *connp = sctp->sctp_connp;
233 236 uint_t scope_id;
234 237 sin_t *sin;
235 238 sin6_t *sin6;
236 239
237 240 ASSERT(sctp != NULL);
238 241
239 242 RUN_SCTP(sctp);
240 243
241 244 if ((sctp->sctp_state >= SCTPS_BOUND) ||
242 245 (sctp->sctp_connp->conn_state_flags & CONN_CLOSING) ||
243 246 (sa == NULL || len == 0)) {
244 247 /*
245 248 * Multiple binds not allowed for any SCTP socket
246 249 * Also binding with null address is not supported.
247 250 */
248 251 err = EINVAL;
249 252 goto done;
250 253 }
251 254
252 255 switch (sa->sa_family) {
253 256 case AF_INET:
254 257 sin = (sin_t *)sa;
255 258 if (len < sizeof (struct sockaddr_in) ||
256 259 connp->conn_family == AF_INET6) {
257 260 err = EINVAL;
258 261 goto done;
259 262 }
260 263 requested_port = ntohs(sin->sin_port);
261 264 break;
262 265 case AF_INET6:
263 266 sin6 = (sin6_t *)sa;
264 267 if (len < sizeof (struct sockaddr_in6) ||
265 268 connp->conn_family == AF_INET) {
266 269 err = EINVAL;
267 270 goto done;
268 271 }
269 272 requested_port = ntohs(sin6->sin6_port);
270 273 /* Set the flowinfo. */
271 274 connp->conn_flowinfo =
272 275 sin6->sin6_flowinfo & ~IPV6_VERS_AND_FLOW_MASK;
273 276
274 277 scope_id = sin6->sin6_scope_id;
275 278 if (scope_id != 0 && IN6_IS_ADDR_LINKSCOPE(&sin6->sin6_addr)) {
276 279 connp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
277 280 connp->conn_ixa->ixa_scopeid = scope_id;
278 281 connp->conn_incoming_ifindex = scope_id;
279 282 } else {
280 283 connp->conn_ixa->ixa_flags &= ~IXAF_SCOPEID_SET;
281 284 connp->conn_incoming_ifindex = connp->conn_bound_if;
282 285 }
283 286 break;
284 287 default:
285 288 err = EAFNOSUPPORT;
286 289 goto done;
287 290 }
288 291 bind_to_req_port_only = requested_port == 0 ? B_FALSE : B_TRUE;
289 292
290 293 err = sctp_select_port(sctp, &requested_port, &user_specified);
291 294 if (err != 0)
292 295 goto done;
293 296
294 297 if ((err = sctp_bind_add(sctp, sa, 1, B_TRUE,
295 298 user_specified == 1 ? htons(requested_port) : 0)) != 0) {
296 299 goto done;
297 300 }
298 301 err = sctp_bindi(sctp, requested_port, bind_to_req_port_only,
299 302 user_specified, &allocated_port);
300 303 if (err != 0) {
301 304 sctp_free_saddrs(sctp);
302 305 } else {
303 306 ASSERT(sctp->sctp_state == SCTPS_BOUND);
304 307 }
305 308 done:
306 309 WAKE_SCTP(sctp);
307 310 return (err);
308 311 }
309 312
310 313 /*
311 314 * Perform bind/unbind operation of a list of addresses on a sctp_t
312 315 */
313 316 int
314 317 sctp_bindx(sctp_t *sctp, const void *addrs, int addrcnt, int bindop)
315 318 {
316 319 ASSERT(sctp != NULL);
317 320 ASSERT(addrs != NULL);
318 321 ASSERT(addrcnt > 0);
319 322
320 323 switch (bindop) {
321 324 case SCTP_BINDX_ADD_ADDR:
322 325 return (sctp_bind_add(sctp, addrs, addrcnt, B_FALSE,
323 326 sctp->sctp_connp->conn_lport));
324 327 case SCTP_BINDX_REM_ADDR:
325 328 return (sctp_bind_del(sctp, addrs, addrcnt, B_FALSE));
326 329 default:
327 330 return (EINVAL);
328 331 }
329 332 }
330 333
331 334 /*
332 335 * Add a list of addresses to a sctp_t.
333 336 */
334 337 int
335 338 sctp_bind_add(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
336 339 boolean_t caller_hold_lock, in_port_t port)
337 340 {
338 341 int err = 0;
339 342 boolean_t do_asconf = B_FALSE;
340 343 sctp_stack_t *sctps = sctp->sctp_sctps;
341 344 conn_t *connp = sctp->sctp_connp;
342 345
343 346 if (!caller_hold_lock)
344 347 RUN_SCTP(sctp);
345 348
346 349 if (sctp->sctp_state > SCTPS_ESTABLISHED ||
347 350 (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
348 351 if (!caller_hold_lock)
349 352 WAKE_SCTP(sctp);
350 353 return (EINVAL);
351 354 }
352 355
353 356 if (sctp->sctp_state > SCTPS_LISTEN) {
354 357 /*
355 358 * Let's do some checking here rather than undoing the
356 359 * add later (for these reasons).
357 360 */
358 361 if (!sctps->sctps_addip_enabled ||
359 362 !sctp->sctp_understands_asconf ||
360 363 !sctp->sctp_understands_addip) {
361 364 if (!caller_hold_lock)
362 365 WAKE_SCTP(sctp);
363 366 return (EINVAL);
364 367 }
365 368 do_asconf = B_TRUE;
366 369 }
367 370 /*
368 371 * On a clustered node, for an inaddr_any bind, we will pass the list
369 372 * of all the addresses in the global list, minus any address on the
370 373 * loopback interface, and expect the clustering susbsystem to give us
371 374 * the correct list for the 'port'. For explicit binds we give the
372 375 * list of addresses and the clustering module validates it for the
373 376 * 'port'.
374 377 *
375 378 * On a non-clustered node, cl_sctp_check_addrs will be NULL and
376 379 * we proceed as usual.
377 380 */
378 381 if (cl_sctp_check_addrs != NULL) {
379 382 uchar_t *addrlist = NULL;
380 383 size_t size = 0;
381 384 int unspec = 0;
382 385 boolean_t do_listen;
383 386 uchar_t *llist = NULL;
384 387 size_t lsize = 0;
385 388
386 389 /*
387 390 * If we are adding addresses after listening, but before
388 391 * an association is established, we need to update the
389 392 * clustering module with this info.
390 393 */
391 394 do_listen = !do_asconf && sctp->sctp_state > SCTPS_BOUND &&
392 395 cl_sctp_listen != NULL;
393 396
394 397 err = sctp_get_addrlist(sctp, addrs, &addrcnt, &addrlist,
395 398 &unspec, &size);
396 399 if (err != 0) {
397 400 ASSERT(addrlist == NULL);
398 401 ASSERT(addrcnt == 0);
399 402 ASSERT(size == 0);
400 403 if (!caller_hold_lock)
401 404 WAKE_SCTP(sctp);
402 405 SCTP_KSTAT(sctps, sctp_cl_check_addrs);
403 406 return (err);
404 407 }
405 408 ASSERT(addrlist != NULL);
406 409 (*cl_sctp_check_addrs)(connp->conn_family, port, &addrlist,
407 410 size, &addrcnt, unspec == 1);
408 411 if (addrcnt == 0) {
409 412 /* We free the list */
410 413 kmem_free(addrlist, size);
411 414 if (!caller_hold_lock)
412 415 WAKE_SCTP(sctp);
413 416 return (EINVAL);
414 417 }
415 418 if (do_listen) {
416 419 lsize = sizeof (in6_addr_t) * addrcnt;
417 420 llist = kmem_alloc(lsize, KM_SLEEP);
418 421 }
419 422 err = sctp_valid_addr_list(sctp, addrlist, addrcnt, llist,
420 423 lsize);
421 424 if (err == 0 && do_listen) {
422 425 (*cl_sctp_listen)(connp->conn_family, llist,
423 426 addrcnt, connp->conn_lport);
424 427 /* list will be freed by the clustering module */
425 428 } else if (err != 0 && llist != NULL) {
426 429 kmem_free(llist, lsize);
427 430 }
428 431 /* free the list we allocated */
429 432 kmem_free(addrlist, size);
430 433 } else {
431 434 err = sctp_valid_addr_list(sctp, addrs, addrcnt, NULL, 0);
432 435 }
433 436 if (err != 0) {
434 437 if (!caller_hold_lock)
435 438 WAKE_SCTP(sctp);
436 439 return (err);
437 440 }
438 441 /* Need to send ASCONF messages */
439 442 if (do_asconf) {
440 443 err = sctp_add_ip(sctp, addrs, addrcnt);
441 444 if (err != 0) {
442 445 sctp_del_saddr_list(sctp, addrs, addrcnt, B_FALSE);
443 446 if (!caller_hold_lock)
444 447 WAKE_SCTP(sctp);
445 448 return (err);
446 449 }
447 450 }
448 451 if (!caller_hold_lock)
449 452 WAKE_SCTP(sctp);
450 453 return (0);
451 454 }
452 455
453 456 /*
454 457 * Remove one or more addresses bound to the sctp_t.
455 458 */
456 459 int
457 460 sctp_bind_del(sctp_t *sctp, const void *addrs, uint32_t addrcnt,
458 461 boolean_t caller_hold_lock)
459 462 {
460 463 int error = 0;
461 464 boolean_t do_asconf = B_FALSE;
462 465 uchar_t *ulist = NULL;
463 466 size_t usize = 0;
464 467 sctp_stack_t *sctps = sctp->sctp_sctps;
465 468 conn_t *connp = sctp->sctp_connp;
466 469
467 470 if (!caller_hold_lock)
468 471 RUN_SCTP(sctp);
469 472
470 473 if (sctp->sctp_state > SCTPS_ESTABLISHED ||
471 474 (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
472 475 if (!caller_hold_lock)
473 476 WAKE_SCTP(sctp);
474 477 return (EINVAL);
475 478 }
476 479 /*
477 480 * Fail the remove if we are beyond listen, but can't send this
478 481 * to the peer.
479 482 */
480 483 if (sctp->sctp_state > SCTPS_LISTEN) {
481 484 if (!sctps->sctps_addip_enabled ||
482 485 !sctp->sctp_understands_asconf ||
483 486 !sctp->sctp_understands_addip) {
484 487 if (!caller_hold_lock)
485 488 WAKE_SCTP(sctp);
486 489 return (EINVAL);
487 490 }
488 491 do_asconf = B_TRUE;
489 492 }
490 493
491 494 /* Can't delete the last address nor all of the addresses */
492 495 if (sctp->sctp_nsaddrs == 1 || addrcnt >= sctp->sctp_nsaddrs) {
493 496 if (!caller_hold_lock)
494 497 WAKE_SCTP(sctp);
495 498 return (EINVAL);
496 499 }
497 500
498 501 if (cl_sctp_unlisten != NULL && !do_asconf &&
499 502 sctp->sctp_state > SCTPS_BOUND) {
500 503 usize = sizeof (in6_addr_t) * addrcnt;
501 504 ulist = kmem_alloc(usize, KM_SLEEP);
502 505 }
503 506
504 507 error = sctp_del_ip(sctp, addrs, addrcnt, ulist, usize);
505 508 if (error != 0) {
506 509 if (ulist != NULL)
507 510 kmem_free(ulist, usize);
508 511 if (!caller_hold_lock)
509 512 WAKE_SCTP(sctp);
510 513 return (error);
511 514 }
512 515 /* ulist will be non-NULL only if cl_sctp_unlisten is non-NULL */
513 516 if (ulist != NULL) {
514 517 ASSERT(cl_sctp_unlisten != NULL);
515 518 (*cl_sctp_unlisten)(connp->conn_family, ulist, addrcnt,
516 519 connp->conn_lport);
517 520 /* ulist will be freed by the clustering module */
518 521 }
519 522 if (!caller_hold_lock)
520 523 WAKE_SCTP(sctp);
521 524 return (error);
522 525 }
523 526
524 527 /*
525 528 * Returns 0 for success, errno value otherwise.
526 529 *
527 530 * If the "bind_to_req_port_only" parameter is set and the requested port
528 531 * number is available, then set allocated_port to it. If not available,
529 532 * return an error.
530 533 *
531 534 * If the "bind_to_req_port_only" parameter is not set and the requested port
532 535 * number is available, then set allocated_port to it. If not available,
533 536 * find the first anonymous port we can and set allocated_port to that. If no
534 537 * anonymous ports are available, return an error.
535 538 *
536 539 * In either case, when succeeding, update the sctp_t to record the port number
537 540 * and insert it in the bind hash table.
538 541 */
539 542 int
540 543 sctp_bindi(sctp_t *sctp, in_port_t port, boolean_t bind_to_req_port_only,
541 544 int user_specified, in_port_t *allocated_port)
542 545 {
543 546 /* number of times we have run around the loop */
544 547 int count = 0;
545 548 /* maximum number of times to run around the loop */
546 549 int loopmax;
547 550 sctp_stack_t *sctps = sctp->sctp_sctps;
548 551 conn_t *connp = sctp->sctp_connp;
549 552 zone_t *zone = crgetzone(connp->conn_cred);
550 553 zoneid_t zoneid = connp->conn_zoneid;
551 554
552 555 /*
553 556 * Lookup for free addresses is done in a loop and "loopmax"
554 557 * influences how long we spin in the loop
555 558 */
556 559 if (bind_to_req_port_only) {
557 560 /*
558 561 * If the requested port is busy, don't bother to look
559 562 * for a new one. Setting loop maximum count to 1 has
560 563 * that effect.
561 564 */
562 565 loopmax = 1;
563 566 } else {
564 567 /*
565 568 * If the requested port is busy, look for a free one
566 569 * in the anonymous port range.
567 570 * Set loopmax appropriately so that one does not look
568 571 * forever in the case all of the anonymous ports are in use.
569 572 */
570 573 loopmax = (sctps->sctps_largest_anon_port -
571 574 sctps->sctps_smallest_anon_port + 1);
572 575 }
573 576 do {
574 577 uint16_t lport;
575 578 sctp_tf_t *tbf;
576 579 sctp_t *lsctp;
577 580 int addrcmp;
578 581
579 582 lport = htons(port);
580 583
581 584 /*
582 585 * Ensure that the sctp_t is not currently in the bind hash.
583 586 * Hold the lock on the hash bucket to ensure that
584 587 * the duplicate check plus the insertion is an atomic
585 588 * operation.
586 589 *
587 590 * This function does an inline lookup on the bind hash list
588 591 * Make sure that we access only members of sctp_t
589 592 * and that we don't look at sctp_sctp, since we are not
590 593 * doing a SCTPB_REFHOLD. For more details please see the notes
591 594 * in sctp_compress()
592 595 */
593 596 sctp_bind_hash_remove(sctp);
594 597 tbf = &sctps->sctps_bind_fanout[SCTP_BIND_HASH(port)];
595 598 mutex_enter(&tbf->tf_lock);
596 599 for (lsctp = tbf->tf_sctp; lsctp != NULL;
597 600 lsctp = lsctp->sctp_bind_hash) {
598 601 conn_t *lconnp = lsctp->sctp_connp;
599 602
600 603 if (lport != lconnp->conn_lport ||
601 604 lsctp->sctp_state < SCTPS_BOUND)
602 605 continue;
603 606
604 607 /*
605 608 * On a labeled system, we must treat bindings to ports
606 609 * on shared IP addresses by sockets with MAC exemption
607 610 * privilege as being in all zones, as there's
608 611 * otherwise no way to identify the right receiver.
609 612 */
610 613 if (lconnp->conn_zoneid != zoneid &&
611 614 lconnp->conn_mac_mode == CONN_MAC_DEFAULT &&
612 615 connp->conn_mac_mode == CONN_MAC_DEFAULT)
613 616 continue;
614 617
615 618 addrcmp = sctp_compare_saddrs(sctp, lsctp);
616 619 if (addrcmp != SCTP_ADDR_DISJOINT) {
617 620 if (!connp->conn_reuseaddr) {
618 621 /* in use */
619 622 break;
620 623 } else if (lsctp->sctp_state == SCTPS_BOUND ||
621 624 lsctp->sctp_state == SCTPS_LISTEN) {
622 625 /*
623 626 * socket option SO_REUSEADDR is set
624 627 * on the binding sctp_t.
625 628 *
626 629 * We have found a match of IP source
627 630 * address and source port, which is
628 631 * refused regardless of the
629 632 * SO_REUSEADDR setting, so we break.
630 633 */
631 634 break;
632 635 }
633 636 }
634 637 }
635 638 if (lsctp != NULL) {
636 639 /* The port number is busy */
637 640 mutex_exit(&tbf->tf_lock);
638 641 } else {
639 642 if (is_system_labeled()) {
640 643 mlp_type_t addrtype, mlptype;
641 644 uint_t ipversion;
642 645
643 646 /*
644 647 * On a labeled system we must check the type
645 648 * of the binding requested by the user (either
646 649 * MLP or SLP on shared and private addresses),
647 650 * and that the user's requested binding
648 651 * is permitted.
649 652 */
650 653 if (connp->conn_family == AF_INET)
651 654 ipversion = IPV4_VERSION;
652 655 else
653 656 ipversion = IPV6_VERSION;
654 657
655 658 addrtype = tsol_mlp_addr_type(
656 659 connp->conn_allzones ? ALL_ZONES :
657 660 zone->zone_id,
658 661 ipversion,
659 662 connp->conn_family == AF_INET ?
660 663 (void *)&sctp->sctp_ipha->ipha_src :
661 664 (void *)&sctp->sctp_ip6h->ip6_src,
662 665 sctps->sctps_netstack->netstack_ip);
663 666
664 667 /*
665 668 * tsol_mlp_addr_type returns the possibilities
666 669 * for the selected address. Since all local
667 670 * addresses are either private or shared, the
668 671 * return value mlptSingle means "local address
669 672 * not valid (interface not present)."
670 673 */
671 674 if (addrtype == mlptSingle) {
672 675 mutex_exit(&tbf->tf_lock);
673 676 return (EADDRNOTAVAIL);
674 677 }
675 678 mlptype = tsol_mlp_port_type(zone, IPPROTO_SCTP,
676 679 port, addrtype);
677 680 if (mlptype != mlptSingle) {
678 681 if (secpolicy_net_bindmlp(connp->
679 682 conn_cred) != 0) {
680 683 mutex_exit(&tbf->tf_lock);
681 684 return (EACCES);
682 685 }
683 686 /*
684 687 * If we're binding a shared MLP, then
685 688 * make sure that this zone is the one
686 689 * that owns that MLP. Shared MLPs can
687 690 * be owned by at most one zone.
688 691 *
689 692 * No need to handle exclusive-stack
690 693 * zones since ALL_ZONES only applies
691 694 * to the shared stack.
692 695 */
693 696
694 697 if (mlptype == mlptShared &&
695 698 addrtype == mlptShared &&
696 699 connp->conn_zoneid !=
697 700 tsol_mlp_findzone(IPPROTO_SCTP,
698 701 lport)) {
699 702 mutex_exit(&tbf->tf_lock);
700 703 return (EACCES);
|
↓ open down ↓ |
526 lines elided |
↑ open up ↑ |
701 704 }
702 705 connp->conn_mlp_type = mlptype;
703 706 }
704 707 }
705 708 /*
706 709 * This port is ours. Insert in fanout and mark as
707 710 * bound to prevent others from getting the port
708 711 * number.
709 712 */
710 713 sctp->sctp_state = SCTPS_BOUND;
714 + DTRACE_SCTP6(state__change, void, NULL,
715 + ip_xmit_attr_t *, connp->conn_ixa, void, NULL,
716 + scpt_t *, sctp, void, NULL,
717 + int32_t, SCTPS_IDLE);
711 718 connp->conn_lport = lport;
712 719
713 720 ASSERT(&sctps->sctps_bind_fanout[
714 721 SCTP_BIND_HASH(port)] == tbf);
715 722 sctp_bind_hash_insert(tbf, sctp, 1);
716 723
717 724 mutex_exit(&tbf->tf_lock);
718 725
719 726 /*
720 727 * We don't want sctp_next_port_to_try to "inherit"
721 728 * a port number supplied by the user in a bind.
722 729 *
723 730 * This is the only place where sctp_next_port_to_try
724 731 * is updated. After the update, it may or may not
725 732 * be in the valid range.
726 733 */
727 734 if (user_specified == 0)
728 735 sctps->sctps_next_port_to_try = port + 1;
729 736
730 737 *allocated_port = port;
731 738
732 739 return (0);
733 740 }
734 741
735 742 if ((count == 0) && (user_specified)) {
736 743 /*
737 744 * We may have to return an anonymous port. So
738 745 * get one to start with.
739 746 */
740 747 port = sctp_update_next_port(
741 748 sctps->sctps_next_port_to_try,
742 749 zone, sctps);
743 750 user_specified = 0;
744 751 } else {
745 752 port = sctp_update_next_port(port + 1, zone, sctps);
746 753 }
747 754 if (port == 0)
748 755 break;
749 756
750 757 /*
751 758 * Don't let this loop run forever in the case where
752 759 * all of the anonymous ports are in use.
753 760 */
754 761 } while (++count < loopmax);
755 762
756 763 return (bind_to_req_port_only ? EADDRINUSE : EADDRNOTAVAIL);
757 764 }
758 765
759 766 /*
760 767 * Don't let port fall into the privileged range.
761 768 * Since the extra privileged ports can be arbitrary we also
762 769 * ensure that we exclude those from consideration.
763 770 * sctp_g_epriv_ports is not sorted thus we loop over it until
764 771 * there are no changes.
765 772 *
766 773 * Note: No locks are held when inspecting sctp_g_*epriv_ports
767 774 * but instead the code relies on:
768 775 * - the fact that the address of the array and its size never changes
769 776 * - the atomic assignment of the elements of the array
770 777 */
771 778 in_port_t
772 779 sctp_update_next_port(in_port_t port, zone_t *zone, sctp_stack_t *sctps)
773 780 {
774 781 int i;
775 782 boolean_t restart = B_FALSE;
776 783
777 784 retry:
778 785 if (port < sctps->sctps_smallest_anon_port)
779 786 port = sctps->sctps_smallest_anon_port;
780 787
781 788 if (port > sctps->sctps_largest_anon_port) {
782 789 if (restart)
783 790 return (0);
784 791 restart = B_TRUE;
785 792 port = sctps->sctps_smallest_anon_port;
786 793 }
787 794
788 795 if (port < sctps->sctps_smallest_nonpriv_port)
789 796 port = sctps->sctps_smallest_nonpriv_port;
790 797
791 798 for (i = 0; i < sctps->sctps_g_num_epriv_ports; i++) {
792 799 if (port == sctps->sctps_g_epriv_ports[i]) {
793 800 port++;
794 801 /*
795 802 * Make sure whether the port is in the
796 803 * valid range.
797 804 *
798 805 * XXX Note that if sctp_g_epriv_ports contains
799 806 * all the anonymous ports this will be an
800 807 * infinite loop.
801 808 */
802 809 goto retry;
803 810 }
804 811 }
805 812
806 813 if (is_system_labeled() &&
807 814 (i = tsol_next_port(zone, port, IPPROTO_SCTP, B_TRUE)) != 0) {
808 815 port = i;
809 816 goto retry;
810 817 }
811 818
812 819 return (port);
813 820 }
|
↓ open down ↓ |
93 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX