xref: /illumos-gate/usr/src/uts/common/inet/sctp/sctp_output.c (revision ab82c29b)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/types.h>
#include <sys/systm.h>
#include <sys/stream.h>
#include <sys/cmn_err.h>
#define	_SUN_TPI_VERSION 2
#include <sys/tihdr.h>
#include <sys/socket.h>
#include <sys/stropts.h>
#include <sys/strsun.h>
#include <sys/strsubr.h>
#include <sys/socketvar.h>
#include <inet/common.h>
#include <inet/mi.h>
#include <inet/ip.h>
#include <inet/ip_ire.h>
#include <inet/ip6.h>
#include <inet/sctp_ip.h>
#include <inet/ipclassifier.h>

/*
 * PR-SCTP comments.
 *
 * A message can expire before it gets to the transmit list (i.e. it is still
 * in the unsent list - unchunked), after it gets to the transmit list, but
 * before transmission has actually started, or after transmission has begun.
 * Accordingly, we check for the status of a message in sctp_chunkify() when
 * the message is being transferred from the unsent list to the transmit list;
 * in sctp_get_msg_to_send(), when we get the next chunk from the transmit
 * list and in sctp_rexmit() when we get the next chunk to be (re)transmitted.
 * When we nuke a message in sctp_chunkify(), all we need to do is take it
 * out of the unsent list and update sctp_unsent; when a message is deemed
 * timed-out in sctp_get_msg_to_send() we can just take it out of the transmit
 * list, update sctp_unsent IFF transmission for the message has not yet begun
 * (i.e. !SCTP_CHUNK_ISSENT(meta->b_cont)). However, if transmission for the
 * message has started, then we cannot just take it out of the list, we need
 * to send Forward TSN chunk to the peer so that the peer can clear its
 * fragment list for this message. However, we cannot just send the Forward
 * TSN in sctp_get_msg_to_send() because there might be unacked chunks for
 * messages preceeding this abandoned message. So, we send a Forward TSN
 * IFF all messages prior to this abandoned message has been SACKd, if not
 * we defer sending the Forward TSN to sctp_cumack(), which will check for
 * this condition and send the Forward TSN via sctp_check_abandoned_msg(). In
 * sctp_rexmit() when we check for retransmissions, we need to determine if
 * the advanced peer ack point can be moved ahead, and if so, send a Forward
 * TSN to the peer instead of retransmitting the chunk. Note that when
 * we send a Forward TSN for a message, there may be yet unsent chunks for
 * this message; we need to mark all such chunks as abandoned, so that
 * sctp_cumack() can take the message out of the transmit list, additionally
 * sctp_unsent need to be adjusted. Whenever sctp_unsent is updated (i.e.
 * decremented when a message/chunk is deemed abandoned), sockfs needs to
 * be notified so that it can adjust its idea of the queued message.
 */

#include "sctp_impl.h"

static struct kmem_cache	*sctp_kmem_ftsn_set_cache;
static mblk_t			*sctp_chunkify(sctp_t *, int, int, int);

#ifdef	DEBUG
static boolean_t	sctp_verify_chain(mblk_t *, mblk_t *);
#endif

/*
 * Called to allocate a header mblk when sending data to SCTP.
 * Data will follow in b_cont of this mblk.
 */
mblk_t *
sctp_alloc_hdr(const char *name, int nlen, const char *control, int clen,
    int flags)
{
	mblk_t *mp;
	struct T_unitdata_req *tudr;
	size_t size;
	int error;

	size = sizeof (*tudr) + _TPI_ALIGN_TOPT(nlen) + clen;
	size = MAX(size, sizeof (sctp_msg_hdr_t));
	if (flags & SCTP_CAN_BLOCK) {
		mp = allocb_wait(size, BPRI_MED, 0, &error);
	} else {
		mp = allocb(size, BPRI_MED);
	}
	if (mp) {
		tudr = (struct T_unitdata_req *)mp->b_rptr;
		tudr->PRIM_type = T_UNITDATA_REQ;
		tudr->DEST_length = nlen;
		tudr->DEST_offset = sizeof (*tudr);
		tudr->OPT_length = clen;
		tudr->OPT_offset = (t_scalar_t)(sizeof (*tudr) +
		    _TPI_ALIGN_TOPT(nlen));
		if (nlen > 0)
			bcopy(name, tudr + 1, nlen);
		if (clen > 0)
			bcopy(control, (char *)tudr + tudr->OPT_offset, clen);
		mp->b_wptr += (tudr ->OPT_offset + clen);
		mp->b_datap->db_type = M_PROTO;
	}
	return (mp);
}

/*ARGSUSED2*/
int
sctp_sendmsg(sctp_t *sctp, mblk_t *mp, int flags)
{
	sctp_faddr_t	*fp = NULL;
	struct T_unitdata_req	*tudr;
	int		error = 0;
	mblk_t		*mproto = mp;
	in6_addr_t	*addr;
	in6_addr_t	tmpaddr;
	uint16_t	sid = sctp->sctp_def_stream;
	uint32_t	ppid = sctp->sctp_def_ppid;
	uint32_t	context = sctp->sctp_def_context;
	uint16_t	msg_flags = sctp->sctp_def_flags;
	sctp_msg_hdr_t	*sctp_msg_hdr;
	uint32_t	msg_len = 0;
	uint32_t	timetolive = sctp->sctp_def_timetolive;
	conn_t		*connp = sctp->sctp_connp;

	ASSERT(DB_TYPE(mproto) == M_PROTO);

	mp = mp->b_cont;
	ASSERT(mp == NULL || DB_TYPE(mp) == M_DATA);

	tudr = (struct T_unitdata_req *)mproto->b_rptr;
	ASSERT(tudr->PRIM_type == T_UNITDATA_REQ);

	/* Get destination address, if specified */
	if (tudr->DEST_length > 0) {
		sin_t *sin;
		sin6_t *sin6;

		sin = (struct sockaddr_in *)
		    (mproto->b_rptr + tudr->DEST_offset);
		switch (sin->sin_family) {
		case AF_INET:
			if (tudr->DEST_length < sizeof (*sin)) {
				return (EINVAL);
			}
			IN6_IPADDR_TO_V4MAPPED(sin->sin_addr.s_addr, &tmpaddr);
			addr = &tmpaddr;
			break;
		case AF_INET6:
			if (tudr->DEST_length < sizeof (*sin6)) {
				return (EINVAL);
			}
			sin6 = (struct sockaddr_in6 *)
			    (mproto->b_rptr + tudr->DEST_offset);
			addr = &sin6->sin6_addr;
			break;
		default:
			return (EAFNOSUPPORT);
		}
		fp = sctp_lookup_faddr(sctp, addr);
		if (fp == NULL) {
			return (EINVAL);
		}
	}
	/* Ancillary Data? */
	if (tudr->OPT_length > 0) {
		struct cmsghdr		*cmsg;
		char			*cend;
		struct sctp_sndrcvinfo	*sndrcv;

		cmsg = (struct cmsghdr *)(mproto->b_rptr + tudr->OPT_offset);
		cend = ((char *)cmsg + tudr->OPT_length);
		ASSERT(cend <= (char *)mproto->b_wptr);

		for (;;) {
			if ((char *)(cmsg + 1) > cend ||
			    ((char *)cmsg + cmsg->cmsg_len) > cend) {
				break;
			}
			if ((cmsg->cmsg_level == IPPROTO_SCTP) &&
			    (cmsg->cmsg_type == SCTP_SNDRCV)) {
				if (cmsg->cmsg_len <
				    (sizeof (*sndrcv) + sizeof (*cmsg))) {
					return (EINVAL);
				}
				sndrcv = (struct sctp_sndrcvinfo *)(cmsg + 1);
				sid = sndrcv->sinfo_stream;
				msg_flags = sndrcv->sinfo_flags;
				ppid = sndrcv->sinfo_ppid;
				context = sndrcv->sinfo_context;
				timetolive = sndrcv->sinfo_timetolive;
				break;
			}
			if (cmsg->cmsg_len > 0)
				cmsg = CMSG_NEXT(cmsg);
			else
				break;
		}
	}
	if (msg_flags & MSG_ABORT) {
		if (mp && mp->b_cont) {
			mblk_t *pump = msgpullup(mp, -1);
			if (!pump) {
				return (ENOMEM);
			}
			freemsg(mp);
			mp = pump;
			mproto->b_cont = mp;
		}
		RUN_SCTP(sctp);
		sctp_user_abort(sctp, mp);
		freemsg(mproto);
		goto done2;
	}
	if (mp == NULL)
		goto done;

	RUN_SCTP(sctp);

	/* Reject any new data requests if we are shutting down */
	if (sctp->sctp_state > SCTPS_ESTABLISHED ||
	    (sctp->sctp_connp->conn_state_flags & CONN_CLOSING)) {
		error = EPIPE;
		goto unlock_done;
	}

	/* Re-use the mproto to store relevant info. */
	ASSERT(MBLKSIZE(mproto) >= sizeof (*sctp_msg_hdr));

	mproto->b_rptr = mproto->b_datap->db_base;
	mproto->b_wptr = mproto->b_rptr + sizeof (*sctp_msg_hdr);

	sctp_msg_hdr = (sctp_msg_hdr_t *)mproto->b_rptr;
	bzero(sctp_msg_hdr, sizeof (*sctp_msg_hdr));
	sctp_msg_hdr->smh_context = context;
	sctp_msg_hdr->smh_sid = sid;
	sctp_msg_hdr->smh_ppid = ppid;
	sctp_msg_hdr->smh_flags = msg_flags;
	sctp_msg_hdr->smh_ttl = MSEC_TO_TICK(timetolive);
	sctp_msg_hdr->smh_tob = ddi_get_lbolt64();
	for (; mp != NULL; mp = mp->b_cont)
		msg_len += MBLKL(mp);
	sctp_msg_hdr->smh_msglen = msg_len;

	/* User requested specific destination */
	SCTP_SET_CHUNK_DEST(mproto, fp);

	if (sctp->sctp_state >= SCTPS_COOKIE_ECHOED &&
	    sid >= sctp->sctp_num_ostr) {
		/* Send sendfail event */
		sctp_sendfail_event(sctp, dupmsg(mproto), SCTP_ERR_BAD_SID,
		    B_FALSE);
		error = EINVAL;
		goto unlock_done;
	}

	/* no data */
	if (msg_len == 0) {
		sctp_sendfail_event(sctp, dupmsg(mproto),
		    SCTP_ERR_NO_USR_DATA, B_FALSE);
		error = EINVAL;
		goto unlock_done;
	}

	/* Add it to the unsent list */
	if (sctp->sctp_xmit_unsent == NULL) {
		sctp->sctp_xmit_unsent = sctp->sctp_xmit_unsent_tail = mproto;
	} else {
		sctp->sctp_xmit_unsent_tail->b_next = mproto;
		sctp->sctp_xmit_unsent_tail = mproto;
	}
	sctp->sctp_unsent += msg_len;
	BUMP_LOCAL(sctp->sctp_msgcount);
	/*
	 * Notify sockfs if the tx queue is full.
	 */
	if (SCTP_TXQ_LEN(sctp) >= connp->conn_sndbuf) {
		sctp->sctp_txq_full = 1;
		sctp->sctp_ulp_txq_full(sctp->sctp_ulpd, B_TRUE);
	}
	if (sctp->sctp_state == SCTPS_ESTABLISHED)
		sctp_output(sctp, UINT_MAX);
done2:
	WAKE_SCTP(sctp);
	return (0);
unlock_done:
	WAKE_SCTP(sctp);
done:
	return (error);
}

/*
 * While there are messages on sctp_xmit_unsent, detach each one. For each:
 * allocate space for the chunk header, fill in the data chunk, and fill in
 * the chunk header. Then append it to sctp_xmit_tail.
 * Return after appending as many bytes as required (bytes_to_send).
 * We also return if we've appended one or more chunks, and find a subsequent
 * unsent message is too big to fit in the segment.
 */
mblk_t *
sctp_chunkify(sctp_t *sctp, int mss, int firstseg_len, int bytes_to_send)
{
	mblk_t			*mp;
	mblk_t			*chunk_mp;
	mblk_t			*chunk_head;
	mblk_t			*chunk_hdr;
	mblk_t			*chunk_tail = NULL;
	int			count;
	int			chunksize;
	sctp_data_hdr_t		*sdc;
	mblk_t			*mdblk = sctp->sctp_xmit_unsent;
	sctp_faddr_t		*fp;
	sctp_faddr_t		*fp1;
	size_t			xtralen;
	sctp_msg_hdr_t		*msg_hdr;
	sctp_stack_t		*sctps = sctp->sctp_sctps;
	sctp_msg_hdr_t		*next_msg_hdr;
	size_t			nextlen;
	int			remaining_len = mss - firstseg_len;

	ASSERT(remaining_len >= 0);

	fp = SCTP_CHUNK_DEST(mdblk);
	if (fp == NULL)
		fp = sctp->sctp_current;
	if (fp->sf_isv4)
		xtralen = sctp->sctp_hdr_len + sctps->sctps_wroff_xtra +
		    sizeof (*sdc);
	else
		xtralen = sctp->sctp_hdr6_len + sctps->sctps_wroff_xtra +
		    sizeof (*sdc);
	count = chunksize = remaining_len - sizeof (*sdc);
nextmsg:
	next_msg_hdr = (sctp_msg_hdr_t *)sctp->sctp_xmit_unsent->b_rptr;
	nextlen = next_msg_hdr->smh_msglen;
	/*
	 * Will the entire next message fit in the current packet ?
	 * if not, leave it on the unsent list.
	 */
	if ((firstseg_len != 0) && (nextlen > remaining_len))
		return (NULL);

	chunk_mp = mdblk->b_cont;

	/*
	 * If this partially chunked, we ignore the next one for now and
	 * use the one already present. For the unchunked bits, we use the
	 * length of the last chunk.
	 */
	if (SCTP_IS_MSG_CHUNKED(mdblk)) {
		int	chunk_len;

		ASSERT(chunk_mp->b_next != NULL);
		mdblk->b_cont = chunk_mp->b_next;
		chunk_mp->b_next = NULL;
		SCTP_MSG_CLEAR_CHUNKED(mdblk);
		mp = mdblk->b_cont;
		while (mp->b_next != NULL)
			mp = mp->b_next;
		chunk_len = ntohs(((sctp_data_hdr_t *)mp->b_rptr)->sdh_len);
		if (fp->sf_pmss - chunk_len > sizeof (*sdc))
			count = chunksize = fp->sf_pmss - chunk_len;
		else
			count = chunksize = fp->sf_pmss;
		count = chunksize = count - sizeof (*sdc);
	} else {
		msg_hdr = (sctp_msg_hdr_t *)mdblk->b_rptr;
		if (SCTP_MSG_TO_BE_ABANDONED(mdblk, msg_hdr, sctp)) {
			sctp->sctp_xmit_unsent = mdblk->b_next;
			if (sctp->sctp_xmit_unsent == NULL)
				sctp->sctp_xmit_unsent_tail = NULL;
			ASSERT(sctp->sctp_unsent >= msg_hdr->smh_msglen);
			sctp->sctp_unsent -= msg_hdr->smh_msglen;
			mdblk->b_next = NULL;
			BUMP_LOCAL(sctp->sctp_prsctpdrop);
			/*
			 * Update ULP the amount of queued data, which is
			 * sent-unack'ed + unsent.
			 */
			if (!SCTP_IS_DETACHED(sctp))
				SCTP_TXQ_UPDATE(sctp);
			sctp_sendfail_event(sctp, mdblk, 0, B_FALSE);
			goto try_next;
		}
		mdblk->b_cont = NULL;
	}
	msg_hdr = (sctp_msg_hdr_t *)mdblk->b_rptr;
nextchunk:
	chunk_head = chunk_mp;
	chunk_tail = NULL;

	/* Skip as many mblk's as we need */
	while (chunk_mp != NULL && ((count - MBLKL(chunk_mp)) >= 0)) {
		count -= MBLKL(chunk_mp);
		chunk_tail = chunk_mp;
		chunk_mp = chunk_mp->b_cont;
	}
	/* Split the chain, if needed */
	if (chunk_mp != NULL) {
		if (count > 0) {
			mblk_t	*split_mp = dupb(chunk_mp);

			if (split_mp == NULL) {
				if (mdblk->b_cont == NULL) {
					mdblk->b_cont = chunk_head;
				} else  {
					SCTP_MSG_SET_CHUNKED(mdblk);
					ASSERT(chunk_head->b_next == NULL);
					chunk_head->b_next = mdblk->b_cont;
					mdblk->b_cont = chunk_head;
				}
				return (sctp->sctp_xmit_tail);
			}
			if (chunk_tail != NULL) {
				chunk_tail->b_cont = split_mp;
				chunk_tail = chunk_tail->b_cont;
			} else {
				chunk_head = chunk_tail = split_mp;
			}
			chunk_tail->b_wptr = chunk_tail->b_rptr + count;
			chunk_mp->b_rptr = chunk_tail->b_wptr;
			count = 0;
		} else if (chunk_tail == NULL) {
			goto next;
		} else {
			chunk_tail->b_cont = NULL;
		}
	}
	/* Alloc chunk hdr, if needed */
	if (DB_REF(chunk_head) > 1 ||
	    ((intptr_t)chunk_head->b_rptr) & (SCTP_ALIGN - 1) ||
	    MBLKHEAD(chunk_head) < sizeof (*sdc)) {
		if ((chunk_hdr = allocb(xtralen, BPRI_MED)) == NULL) {
			if (mdblk->b_cont == NULL) {
				if (chunk_mp != NULL)
					linkb(chunk_head, chunk_mp);
				mdblk->b_cont = chunk_head;
			} else {
				SCTP_MSG_SET_CHUNKED(mdblk);
				if (chunk_mp != NULL)
					linkb(chunk_head, chunk_mp);
				ASSERT(chunk_head->b_next == NULL);
				chunk_head->b_next = mdblk->b_cont;
				mdblk->b_cont = chunk_head;
			}
			return (sctp->sctp_xmit_tail);
		}
		chunk_hdr->b_rptr += xtralen - sizeof (*sdc);
		chunk_hdr->b_wptr = chunk_hdr->b_rptr + sizeof (*sdc);
		chunk_hdr->b_cont = chunk_head;
	} else {
		chunk_hdr = chunk_head;
		chunk_hdr->b_rptr -= sizeof (*sdc);
	}
	ASSERT(chunk_hdr->b_datap->db_ref == 1);
	sdc = (sctp_data_hdr_t *)chunk_hdr->b_rptr;
	sdc->sdh_id = CHUNK_DATA;
	sdc->sdh_flags = 0;
	sdc->sdh_len = htons(sizeof (*sdc) + chunksize - count);
	ASSERT(sdc->sdh_len);
	sdc->sdh_sid = htons(msg_hdr->smh_sid);
	/*
	 * We defer assigning the SSN just before sending the chunk, else
	 * if we drop the chunk in sctp_get_msg_to_send(), we would need
	 * to send a Forward TSN to let the peer know. Some more comments
	 * about this in sctp_impl.h for SCTP_CHUNK_SENT.
	 */
	sdc->sdh_payload_id = msg_hdr->smh_ppid;

	if (mdblk->b_cont == NULL) {
		mdblk->b_cont = chunk_hdr;
		SCTP_DATA_SET_BBIT(sdc);
	} else {
		mp = mdblk->b_cont;
		while (mp->b_next != NULL)
			mp = mp->b_next;
		mp->b_next = chunk_hdr;
	}

	bytes_to_send -= (chunksize - count);
	if (chunk_mp != NULL) {
next:
		count = chunksize = fp->sf_pmss - sizeof (*sdc);
		goto nextchunk;
	}
	SCTP_DATA_SET_EBIT(sdc);
	sctp->sctp_xmit_unsent = mdblk->b_next;
	if (mdblk->b_next == NULL) {
		sctp->sctp_xmit_unsent_tail = NULL;
	}
	mdblk->b_next = NULL;

	if (sctp->sctp_xmit_tail == NULL) {
		sctp->sctp_xmit_head = sctp->sctp_xmit_tail = mdblk;
	} else {
		mp = sctp->sctp_xmit_tail;
		while (mp->b_next != NULL)
			mp = mp->b_next;
		mp->b_next = mdblk;
		mdblk->b_prev = mp;
	}
try_next:
	if (bytes_to_send > 0 && sctp->sctp_xmit_unsent != NULL) {
		mdblk = sctp->sctp_xmit_unsent;
		fp1 = SCTP_CHUNK_DEST(mdblk);
		if (fp1 == NULL)
			fp1 = sctp->sctp_current;
		if (fp == fp1) {
			size_t len = MBLKL(mdblk->b_cont);
			if ((count > 0) &&
			    ((len > fp->sf_pmss - sizeof (*sdc)) ||
			    (len <= count))) {
				count -= sizeof (*sdc);
				count = chunksize = count - (count & 0x3);
			} else {
				count = chunksize = fp->sf_pmss -
				    sizeof (*sdc);
			}
		} else {
			if (fp1->sf_isv4)
				xtralen = sctp->sctp_hdr_len;
			else
				xtralen = sctp->sctp_hdr6_len;
			xtralen += sctps->sctps_wroff_xtra + sizeof (*sdc);
			count = chunksize = fp1->sf_pmss - sizeof (*sdc);
			fp = fp1;
		}
		goto nextmsg;
	}
	return (sctp->sctp_xmit_tail);
}

void
sctp_free_msg(mblk_t *ump)
{
	mblk_t *mp, *nmp;

	for (mp = ump->b_cont; mp; mp = nmp) {
		nmp = mp->b_next;
		mp->b_next = mp->b_prev = NULL;
		freemsg(mp);
	}
	ASSERT(!ump->b_prev);
	ump->b_next = NULL;
	freeb(ump);
}

mblk_t *
sctp_add_proto_hdr(sctp_t *sctp, sctp_faddr_t *fp, mblk_t *mp, int sacklen,
    int *error)
{
	int hdrlen;
	uchar_t *hdr;
	int isv4 = fp->sf_isv4;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	if (error != NULL)
		*error = 0;

	if (isv4) {
		hdrlen = sctp->sctp_hdr_len;
		hdr = sctp->sctp_iphc;
	} else {
		hdrlen = sctp->sctp_hdr6_len;
		hdr = sctp->sctp_iphc6;
	}
	/*
	 * A reject|blackhole could mean that the address is 'down'. Similarly,
	 * it is possible that the address went down, we tried to send an
	 * heartbeat and ended up setting fp->sf_saddr as unspec because we
	 * didn't have any usable source address.  In either case
	 * sctp_get_dest() will try find an IRE, if available, and set
	 * the source address, if needed.  If we still don't have any
	 * usable source address, fp->sf_state will be SCTP_FADDRS_UNREACH and
	 * we return EHOSTUNREACH.
	 */
	ASSERT(fp->sf_ixa->ixa_ire != NULL);
	if ((fp->sf_ixa->ixa_ire->ire_flags & (RTF_REJECT|RTF_BLACKHOLE)) ||
	    SCTP_IS_ADDR_UNSPEC(fp->sf_isv4, fp->sf_saddr)) {
		sctp_get_dest(sctp, fp);
		if (fp->sf_state == SCTP_FADDRS_UNREACH) {
			if (error != NULL)
				*error = EHOSTUNREACH;
			return (NULL);
		}
	}
	/* Copy in IP header. */
	if ((mp->b_rptr - mp->b_datap->db_base) <
	    (sctps->sctps_wroff_xtra + hdrlen + sacklen) || DB_REF(mp) > 2) {
		mblk_t *nmp;

		/*
		 * This can happen if IP headers are adjusted after
		 * data was moved into chunks, or during retransmission,
		 * or things like snoop is running.
		 */
		nmp = allocb(sctps->sctps_wroff_xtra + hdrlen + sacklen,
		    BPRI_MED);
		if (nmp == NULL) {
			if (error !=  NULL)
				*error = ENOMEM;
			return (NULL);
		}
		nmp->b_rptr += sctps->sctps_wroff_xtra;
		nmp->b_wptr = nmp->b_rptr + hdrlen + sacklen;
		nmp->b_cont = mp;
		mp = nmp;
	} else {
		mp->b_rptr -= (hdrlen + sacklen);
	}
	bcopy(hdr, mp->b_rptr, hdrlen);
	if (sacklen) {
		sctp_fill_sack(sctp, mp->b_rptr + hdrlen, sacklen);
	}
	if (fp != sctp->sctp_current) {
		/* change addresses in header */
		if (isv4) {
			ipha_t *iph = (ipha_t *)mp->b_rptr;

			IN6_V4MAPPED_TO_IPADDR(&fp->sf_faddr, iph->ipha_dst);
			if (!IN6_IS_ADDR_V4MAPPED_ANY(&fp->sf_saddr)) {
				IN6_V4MAPPED_TO_IPADDR(&fp->sf_saddr,
				    iph->ipha_src);
			} else if (sctp->sctp_bound_to_all) {
				iph->ipha_src = INADDR_ANY;
			}
		} else {
			ip6_t *ip6h = (ip6_t *)mp->b_rptr;

			ip6h->ip6_dst = fp->sf_faddr;
			if (!IN6_IS_ADDR_UNSPECIFIED(&fp->sf_saddr)) {
				ip6h->ip6_src = fp->sf_saddr;
			} else if (sctp->sctp_bound_to_all) {
				ip6h->ip6_src = ipv6_all_zeros;
			}
		}
	}
	return (mp);
}

/*
 * SCTP requires every chunk to be padded so that the total length
 * is a multiple of SCTP_ALIGN.  This function returns a mblk with
 * the specified pad length.
 */
static mblk_t *
sctp_get_padding(sctp_t *sctp, int pad)
{
	mblk_t *fill;

	ASSERT(pad < SCTP_ALIGN);
	ASSERT(sctp->sctp_pad_mp != NULL);
	if ((fill = dupb(sctp->sctp_pad_mp)) != NULL) {
		fill->b_wptr += pad;
		return (fill);
	}

	/*
	 * The memory saving path of reusing the sctp_pad_mp
	 * fails may be because it has been dupb() too
	 * many times (DBLK_REFMAX).  Use the memory consuming
	 * path of allocating the pad mblk.
	 */
	if ((fill = allocb(SCTP_ALIGN, BPRI_MED)) != NULL) {
		/* Zero it out.  SCTP_ALIGN is sizeof (int32_t) */
		*(int32_t *)fill->b_rptr = 0;
		fill->b_wptr += pad;
	}
	return (fill);
}

static mblk_t *
sctp_find_fast_rexmit_mblks(sctp_t *sctp, int *total, sctp_faddr_t **fp)
{
	mblk_t		*meta;
	mblk_t		*start_mp = NULL;
	mblk_t		*end_mp = NULL;
	mblk_t		*mp, *nmp;
	mblk_t		*fill;
	sctp_data_hdr_t	*sdh;
	int		msglen;
	int		extra;
	sctp_msg_hdr_t	*msg_hdr;
	sctp_faddr_t	*old_fp = NULL;
	sctp_faddr_t	*chunk_fp;
	sctp_stack_t	*sctps = sctp->sctp_sctps;

	for (meta = sctp->sctp_xmit_head; meta != NULL; meta = meta->b_next) {
		msg_hdr = (sctp_msg_hdr_t *)meta->b_rptr;
		if (SCTP_IS_MSG_ABANDONED(meta) ||
		    SCTP_MSG_TO_BE_ABANDONED(meta, msg_hdr, sctp)) {
			continue;
		}
		for (mp = meta->b_cont; mp != NULL; mp = mp->b_next) {
			if (SCTP_CHUNK_WANT_REXMIT(mp)) {
				/*
				 * Use the same peer address to do fast
				 * retransmission.  If the original peer
				 * address is dead, switch to the current
				 * one.  Record the old one so that we
				 * will pick the chunks sent to the old
				 * one for fast retransmission.
				 */
				chunk_fp = SCTP_CHUNK_DEST(mp);
				if (*fp == NULL) {
					*fp = chunk_fp;
					if ((*fp)->sf_state !=
					    SCTP_FADDRS_ALIVE) {
						old_fp = *fp;
						*fp = sctp->sctp_current;
					}
				} else if (old_fp == NULL && *fp != chunk_fp) {
					continue;
				} else if (old_fp != NULL &&
				    old_fp != chunk_fp) {
					continue;
				}

				sdh = (sctp_data_hdr_t *)mp->b_rptr;
				msglen = ntohs(sdh->sdh_len);
				if ((extra = msglen & (SCTP_ALIGN - 1)) != 0) {
					extra = SCTP_ALIGN - extra;
				}

				/*
				 * We still return at least the first message
				 * even if that message cannot fit in as
				 * PMTU may have changed.
				 */
				if (*total + msglen + extra >
				    (*fp)->sf_pmss && start_mp != NULL) {
					return (start_mp);
				}
				if ((nmp = dupmsg(mp)) == NULL)
					return (start_mp);
				if (extra > 0) {
					fill = sctp_get_padding(sctp, extra);
					if (fill != NULL) {
						linkb(nmp, fill);
					} else {
						return (start_mp);
					}
				}