tor-browser

sctp_indata.c (187965B)

---

/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved.
* Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
* Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* a) Redistributions of source code must retain the above copyright notice,
*    this list of conditions and the following disclaimer.
*
* b) Redistributions in binary form must reproduce the above copyright
*    notice, this list of conditions and the following disclaimer in
*    the documentation and/or other materials provided with the distribution.
*
* c) Neither the name of Cisco Systems, Inc. nor the names of its
*    contributors may be used to endorse or promote products derived
*    from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/

#include <netinet/sctp_os.h>
#if defined(__FreeBSD__) && !defined(__Userspace__)
#include <sys/proc.h>
#endif
#include <netinet/sctp_var.h>
#include <netinet/sctp_sysctl.h>
#include <netinet/sctp_header.h>
#include <netinet/sctp_pcb.h>
#include <netinet/sctputil.h>
#include <netinet/sctp_output.h>
#include <netinet/sctp_uio.h>
#include <netinet/sctp_auth.h>
#include <netinet/sctp_timer.h>
#include <netinet/sctp_asconf.h>
#include <netinet/sctp_indata.h>
#include <netinet/sctp_bsd_addr.h>
#include <netinet/sctp_input.h>
#include <netinet/sctp_crc32.h>
#if defined(__FreeBSD__) && !defined(__Userspace__)
#include <netinet/sctp_lock_bsd.h>
#endif

#if defined(_WIN32) && !defined(_MSC_VER)
#include <minmax.h>
#endif

/*
* NOTES: On the outbound side of things I need to check the sack timer to
* see if I should generate a sack into the chunk queue (if I have data to
* send that is and will be sending it .. for bundling.
*
* The callback in sctp_usrreq.c will get called when the socket is read from.
* This will cause sctp_service_queues() to get called on the top entry in
* the list.
*/
static uint32_t
sctp_add_chk_to_control(struct sctp_queued_to_read *control,
		struct sctp_stream_in *strm,
		struct sctp_tcb *stcb,
		struct sctp_association *asoc,
		struct sctp_tmit_chunk *chk, int hold_rlock);

void
sctp_set_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
{
asoc->my_rwnd = sctp_calc_rwnd(stcb, asoc);
}

/* Calculate what the rwnd would be */
uint32_t
sctp_calc_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
{
uint32_t calc = 0;

/*
 * This is really set wrong with respect to a 1-2-m socket. Since
 * the sb_cc is the count that everyone as put up. When we re-write
 * sctp_soreceive then we will fix this so that ONLY this
 * associations data is taken into account.
 */
if (stcb->sctp_socket == NULL) {
	return (calc);
}

KASSERT(asoc->cnt_on_reasm_queue > 0 || asoc->size_on_reasm_queue == 0,
        ("size_on_reasm_queue is %u", asoc->size_on_reasm_queue));
KASSERT(asoc->cnt_on_all_streams > 0 || asoc->size_on_all_streams == 0,
        ("size_on_all_streams is %u", asoc->size_on_all_streams));
if (stcb->asoc.sb_cc == 0 &&
    asoc->cnt_on_reasm_queue == 0 &&
    asoc->cnt_on_all_streams == 0) {
	/* Full rwnd granted */
	calc = max(SCTP_SB_LIMIT_RCV(stcb->sctp_socket), SCTP_MINIMAL_RWND);
	return (calc);
}
/* get actual space */
calc = (uint32_t) sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv);
/*
 * take out what has NOT been put on socket queue and we yet hold
 * for putting up.
 */
calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_reasm_queue +
                                         asoc->cnt_on_reasm_queue * MSIZE));
calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_all_streams +
                                         asoc->cnt_on_all_streams * MSIZE));
if (calc == 0) {
	/* out of space */
	return (calc);
}

/* what is the overhead of all these rwnd's */
calc = sctp_sbspace_sub(calc, stcb->asoc.my_rwnd_control_len);
/* If the window gets too small due to ctrl-stuff, reduce it
 * to 1, even it is 0. SWS engaged
 */
if (calc < stcb->asoc.my_rwnd_control_len) {
	calc = 1;
}
return (calc);
}

/*
* Build out our readq entry based on the incoming packet.
*/
struct sctp_queued_to_read *
sctp_build_readq_entry(struct sctp_tcb *stcb,
   struct sctp_nets *net,
   uint32_t tsn, uint32_t ppid,
   uint32_t context, uint16_t sid,
   uint32_t mid, uint8_t flags,
   struct mbuf *dm)
{
struct sctp_queued_to_read *read_queue_e = NULL;

sctp_alloc_a_readq(stcb, read_queue_e);
if (read_queue_e == NULL) {
	goto failed_build;
}
memset(read_queue_e, 0, sizeof(struct sctp_queued_to_read));
read_queue_e->sinfo_stream = sid;
read_queue_e->sinfo_flags = (flags << 8);
read_queue_e->sinfo_ppid = ppid;
read_queue_e->sinfo_context = context;
read_queue_e->sinfo_tsn = tsn;
read_queue_e->sinfo_cumtsn = tsn;
read_queue_e->sinfo_assoc_id = sctp_get_associd(stcb);
read_queue_e->mid = mid;
read_queue_e->top_fsn = read_queue_e->fsn_included = 0xffffffff;
TAILQ_INIT(&read_queue_e->reasm);
read_queue_e->whoFrom = net;
atomic_add_int(&net->ref_count, 1);
read_queue_e->data = dm;
read_queue_e->stcb = stcb;
read_queue_e->port_from = stcb->rport;
if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
	read_queue_e->do_not_ref_stcb = 1;
}
failed_build:
return (read_queue_e);
}

struct mbuf *
sctp_build_ctl_nchunk(struct sctp_inpcb *inp, struct sctp_sndrcvinfo *sinfo)
{
struct sctp_extrcvinfo *seinfo;
struct sctp_sndrcvinfo *outinfo;
struct sctp_rcvinfo *rcvinfo;
struct sctp_nxtinfo *nxtinfo;
#if defined(_WIN32)
WSACMSGHDR *cmh;
#else
struct cmsghdr *cmh;
#endif
struct mbuf *ret;
int len;
int use_extended;
int provide_nxt;

if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT) &&
    sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVRCVINFO) &&
    sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVNXTINFO)) {
	/* user does not want any ancillary data */
	return (NULL);
}

len = 0;
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
	len += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
}
seinfo = (struct sctp_extrcvinfo *)sinfo;
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO) &&
    (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_AVAIL)) {
	provide_nxt = 1;
	len += CMSG_SPACE(sizeof(struct sctp_nxtinfo));
} else {
	provide_nxt = 0;
}
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXT_RCVINFO)) {
		use_extended = 1;
		len += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
	} else {
		use_extended = 0;
		len += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
	}
} else {
	use_extended = 0;
}

ret = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
if (ret == NULL) {
	/* No space */
	return (ret);
}
SCTP_BUF_LEN(ret) = 0;

/* We need a CMSG header followed by the struct */
#if defined(_WIN32)
cmh = mtod(ret, WSACMSGHDR *);
#else
cmh = mtod(ret, struct cmsghdr *);
#endif
/*
 * Make sure that there is no un-initialized padding between
 * the cmsg header and cmsg data and after the cmsg data.
 */
memset(cmh, 0, len);
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
	cmh->cmsg_level = IPPROTO_SCTP;
	cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
	cmh->cmsg_type = SCTP_RCVINFO;
	rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmh);
	rcvinfo->rcv_sid = sinfo->sinfo_stream;
	rcvinfo->rcv_ssn = sinfo->sinfo_ssn;
	rcvinfo->rcv_flags = sinfo->sinfo_flags;
	rcvinfo->rcv_ppid = sinfo->sinfo_ppid;
	rcvinfo->rcv_tsn = sinfo->sinfo_tsn;
	rcvinfo->rcv_cumtsn = sinfo->sinfo_cumtsn;
	rcvinfo->rcv_context = sinfo->sinfo_context;
	rcvinfo->rcv_assoc_id = sinfo->sinfo_assoc_id;
#if defined(_WIN32)
	cmh = (WSACMSGHDR *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo)));
#else
	cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo)));
#endif
	SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
}
if (provide_nxt) {
	cmh->cmsg_level = IPPROTO_SCTP;
	cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_nxtinfo));
	cmh->cmsg_type = SCTP_NXTINFO;
	nxtinfo = (struct sctp_nxtinfo *)CMSG_DATA(cmh);
	nxtinfo->nxt_sid = seinfo->serinfo_next_stream;
	nxtinfo->nxt_flags = 0;
	if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_UNORDERED) {
		nxtinfo->nxt_flags |= SCTP_UNORDERED;
	}
	if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_NOTIFICATION) {
		nxtinfo->nxt_flags |= SCTP_NOTIFICATION;
	}
	if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_ISCOMPLETE) {
		nxtinfo->nxt_flags |= SCTP_COMPLETE;
	}
	nxtinfo->nxt_ppid = seinfo->serinfo_next_ppid;
	nxtinfo->nxt_length = seinfo->serinfo_next_length;
	nxtinfo->nxt_assoc_id = seinfo->serinfo_next_aid;
#if defined(_WIN32)
	cmh = (WSACMSGHDR *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo)));
#else
	cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo)));
#endif
	SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_nxtinfo));
}
if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
	cmh->cmsg_level = IPPROTO_SCTP;
	outinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmh);
	if (use_extended) {
		cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_extrcvinfo));
		cmh->cmsg_type = SCTP_EXTRCV;
		memcpy(outinfo, sinfo, sizeof(struct sctp_extrcvinfo));
		SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
	} else {
		cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
		cmh->cmsg_type = SCTP_SNDRCV;
		*outinfo = *sinfo;
		SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
	}
}
return (ret);
}

static void
sctp_mark_non_revokable(struct sctp_association *asoc, uint32_t tsn)
{
uint32_t gap, i;
int in_r, in_nr;

if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
	return;
}
if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
	/*
	 * This tsn is behind the cum ack and thus we don't
	 * need to worry about it being moved from one to the other.
	 */
	return;
}
SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
in_r = SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap);
in_nr = SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap);
KASSERT(in_r || in_nr, ("%s: Things are really messed up now", __func__));
if (!in_nr) {
	SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
	if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
		asoc->highest_tsn_inside_nr_map = tsn;
	}
}
if (in_r) {
	SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
	if (tsn == asoc->highest_tsn_inside_map) {
		/* We must back down to see what the new highest is. */
		for (i = tsn - 1; SCTP_TSN_GE(i, asoc->mapping_array_base_tsn); i--) {
			SCTP_CALC_TSN_TO_GAP(gap, i, asoc->mapping_array_base_tsn);
			if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) {
				asoc->highest_tsn_inside_map = i;
				break;
			}
		}
		if (!SCTP_TSN_GE(i, asoc->mapping_array_base_tsn)) {
			asoc->highest_tsn_inside_map = asoc->mapping_array_base_tsn - 1;
		}
	}
}
}

static int
sctp_place_control_in_stream(struct sctp_stream_in *strm,
		     struct sctp_association *asoc,
		     struct sctp_queued_to_read *control)
{
struct sctp_queued_to_read *at;
struct sctp_readhead *q;
uint8_t flags, unordered;

flags = (control->sinfo_flags >> 8);
unordered = flags & SCTP_DATA_UNORDERED;
if (unordered) {
	q = &strm->uno_inqueue;
	if (asoc->idata_supported == 0) {
		if (!TAILQ_EMPTY(q)) {
			/* Only one stream can be here in old style  -- abort */
			return (-1);
		}
		TAILQ_INSERT_TAIL(q, control, next_instrm);
		control->on_strm_q = SCTP_ON_UNORDERED;
		return (0);
	}
} else {
	q = &strm->inqueue;
}
if ((flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
	control->end_added = 1;
	control->first_frag_seen = 1;
	control->last_frag_seen = 1;
}
if (TAILQ_EMPTY(q)) {
	/* Empty queue */
	TAILQ_INSERT_HEAD(q, control, next_instrm);
	if (unordered) {
		control->on_strm_q = SCTP_ON_UNORDERED;
	} else {
		control->on_strm_q = SCTP_ON_ORDERED;
	}
	return (0);
} else {
	TAILQ_FOREACH(at, q, next_instrm) {
		if (SCTP_MID_GT(asoc->idata_supported, at->mid, control->mid)) {
			/*
			 * one in queue is bigger than the
			 * new one, insert before this one
			 */
			TAILQ_INSERT_BEFORE(at, control, next_instrm);
			if (unordered) {
				control->on_strm_q = SCTP_ON_UNORDERED;
			} else {
				control->on_strm_q = SCTP_ON_ORDERED;
			}
			break;
		} else if (SCTP_MID_EQ(asoc->idata_supported, at->mid, control->mid)) {
			/*
			 * Gak, He sent me a duplicate msg
			 * id number?? return -1 to abort.
			 */
			return (-1);
		} else {
			if (TAILQ_NEXT(at, next_instrm) == NULL) {
				/*
				 * We are at the end, insert
				 * it after this one
				 */
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
					sctp_log_strm_del(control, at,
							  SCTP_STR_LOG_FROM_INSERT_TL);
				}
				TAILQ_INSERT_AFTER(q, at, control, next_instrm);
				if (unordered) {
					control->on_strm_q = SCTP_ON_UNORDERED;
				} else {
					control->on_strm_q = SCTP_ON_ORDERED;
				}
				break;
			}
		}
	}
}
return (0);
}

static void
sctp_abort_in_reasm(struct sctp_tcb *stcb,
                   struct sctp_queued_to_read *control,
                   struct sctp_tmit_chunk *chk,
                   int *abort_flag, int opspot)
{
char msg[SCTP_DIAG_INFO_LEN];
struct mbuf *oper;

if (stcb->asoc.idata_supported) {
	SCTP_SNPRINTF(msg, sizeof(msg),
	              "Reass %x,CF:%x,TSN=%8.8x,SID=%4.4x,FSN=%8.8x,MID:%8.8x",
	              opspot,
	              control->fsn_included,
	              chk->rec.data.tsn,
	              chk->rec.data.sid,
	              chk->rec.data.fsn, chk->rec.data.mid);
} else {
	SCTP_SNPRINTF(msg, sizeof(msg),
	              "Reass %x,CI:%x,TSN=%8.8x,SID=%4.4x,FSN=%4.4x,SSN:%4.4x",
	              opspot,
	              control->fsn_included,
	              chk->rec.data.tsn,
	              chk->rec.data.sid,
	              chk->rec.data.fsn,
	              (uint16_t)chk->rec.data.mid);
}
oper = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
sctp_m_freem(chk->data);
chk->data = NULL;
sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_1;
sctp_abort_an_association(stcb->sctp_ep, stcb, oper, false, SCTP_SO_NOT_LOCKED);
*abort_flag = 1;
}

static void
sctp_clean_up_control(struct sctp_tcb *stcb, struct sctp_queued_to_read *control)
{
/*
 * The control could not be placed and must be cleaned.
 */
struct sctp_tmit_chunk *chk, *nchk;
TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
	TAILQ_REMOVE(&control->reasm, chk, sctp_next);
	if (chk->data)
		sctp_m_freem(chk->data);
	chk->data = NULL;
	sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
}
sctp_free_remote_addr(control->whoFrom);
if (control->data) {
	sctp_m_freem(control->data);
	control->data = NULL;
}
sctp_free_a_readq(stcb, control);
}

/*
* Queue the chunk either right into the socket buffer if it is the next one
* to go OR put it in the correct place in the delivery queue.  If we do
* append to the so_buf, keep doing so until we are out of order as
* long as the control's entered are non-fragmented.
*/
static void
sctp_queue_data_to_stream(struct sctp_tcb *stcb,
   struct sctp_association *asoc,
   struct sctp_queued_to_read *control, int *abort_flag, int *need_reasm)
{
/*
 * FIX-ME maybe? What happens when the ssn wraps? If we are getting
 * all the data in one stream this could happen quite rapidly. One
 * could use the TSN to keep track of things, but this scheme breaks
 * down in the other type of stream usage that could occur. Send a
 * single msg to stream 0, send 4Billion messages to stream 1, now
 * send a message to stream 0. You have a situation where the TSN
 * has wrapped but not in the stream. Is this worth worrying about
 * or should we just change our queue sort at the bottom to be by
 * TSN.
 *
 * Could it also be legal for a peer to send ssn 1 with TSN 2 and ssn 2
 * with TSN 1? If the peer is doing some sort of funky TSN/SSN
 * assignment this could happen... and I don't see how this would be
 * a violation. So for now I am undecided an will leave the sort by
 * SSN alone. Maybe a hybrid approach is the answer
 *
 */
struct sctp_queued_to_read *at;
int queue_needed;
uint32_t nxt_todel;
struct mbuf *op_err;
struct sctp_stream_in *strm;
char msg[SCTP_DIAG_INFO_LEN];

strm = &asoc->strmin[control->sinfo_stream];
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
	sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_INTO_STRD);
}
if (SCTP_MID_GT((asoc->idata_supported), strm->last_mid_delivered, control->mid)) {
	/* The incoming sseq is behind where we last delivered? */
	SCTPDBG(SCTP_DEBUG_INDATA1, "Duplicate S-SEQ: %u delivered: %u from peer, Abort association\n",
		strm->last_mid_delivered, control->mid);
	/*
	 * throw it in the stream so it gets cleaned up in
	 * association destruction
	 */
	TAILQ_INSERT_HEAD(&strm->inqueue, control, next_instrm);
	if (asoc->idata_supported) {
		SCTP_SNPRINTF(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x",
		              strm->last_mid_delivered, control->sinfo_tsn,
		              control->sinfo_stream, control->mid);
	} else {
		SCTP_SNPRINTF(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
		              (uint16_t)strm->last_mid_delivered,
		              control->sinfo_tsn,
		              control->sinfo_stream,
		              (uint16_t)control->mid);
	}
	op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
	stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_2;
	sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
	*abort_flag = 1;
	return;
}
queue_needed = 1;
asoc->size_on_all_streams += control->length;
sctp_ucount_incr(asoc->cnt_on_all_streams);
nxt_todel = strm->last_mid_delivered + 1;
if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) {
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;

	so = SCTP_INP_SO(stcb->sctp_ep);
	atomic_add_int(&stcb->asoc.refcnt, 1);
	SCTP_TCB_UNLOCK(stcb);
	SCTP_SOCKET_LOCK(so, 1);
	SCTP_TCB_LOCK(stcb);
	atomic_subtract_int(&stcb->asoc.refcnt, 1);
	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
		SCTP_SOCKET_UNLOCK(so, 1);
		return;
	}
#endif
	/* can be delivered right away? */
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
		sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_IMMED_DEL);
	}
	/* EY it wont be queued if it could be delivered directly */
	queue_needed = 0;
	if (asoc->size_on_all_streams >= control->length) {
		asoc->size_on_all_streams -= control->length;
	} else {
#ifdef INVARIANTS
		panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
		asoc->size_on_all_streams = 0;
#endif
	}
	sctp_ucount_decr(asoc->cnt_on_all_streams);
	strm->last_mid_delivered++;
	sctp_mark_non_revokable(asoc, control->sinfo_tsn);
	sctp_add_to_readq(stcb->sctp_ep, stcb,
	                  control,
	                  &stcb->sctp_socket->so_rcv, 1,
	                  SCTP_READ_LOCK_NOT_HELD, SCTP_SO_LOCKED);
	TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, at) {
		/* all delivered */
		nxt_todel = strm->last_mid_delivered + 1;
		if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid) &&
		    (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG)) {
			if (control->on_strm_q == SCTP_ON_ORDERED) {
				TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
				if (asoc->size_on_all_streams >= control->length) {
					asoc->size_on_all_streams -= control->length;
				} else {
#ifdef INVARIANTS
					panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
					asoc->size_on_all_streams = 0;
#endif
				}
				sctp_ucount_decr(asoc->cnt_on_all_streams);
#ifdef INVARIANTS
			} else {
				panic("Huh control: %p is on_strm_q: %d",
				      control, control->on_strm_q);
#endif
			}
			control->on_strm_q = 0;
			strm->last_mid_delivered++;
			/*
			 * We ignore the return of deliver_data here
			 * since we always can hold the chunk on the
			 * d-queue. And we have a finite number that
			 * can be delivered from the strq.
			 */
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
				sctp_log_strm_del(control, NULL,
						  SCTP_STR_LOG_FROM_IMMED_DEL);
			}
			sctp_mark_non_revokable(asoc, control->sinfo_tsn);
			sctp_add_to_readq(stcb->sctp_ep, stcb,
			                  control,
			                  &stcb->sctp_socket->so_rcv, 1,
			                  SCTP_READ_LOCK_NOT_HELD,
			                  SCTP_SO_LOCKED);
			continue;
		} else if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) {
			*need_reasm = 1;
		}
		break;
	}
#if defined(__APPLE__) && !defined(__Userspace__)
	SCTP_SOCKET_UNLOCK(so, 1);
#endif
}
if (queue_needed) {
	/*
	 * Ok, we did not deliver this guy, find the correct place
	 * to put it on the queue.
	 */
	if (sctp_place_control_in_stream(strm, asoc, control)) {
		SCTP_SNPRINTF(msg, sizeof(msg),
		              "Queue to str MID: %u duplicate", control->mid);
		sctp_clean_up_control(stcb, control);
		op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
		stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_3;
		sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
		*abort_flag = 1;
	}
}
}

static void
sctp_setup_tail_pointer(struct sctp_queued_to_read *control)
{
struct mbuf *m, *prev = NULL;
struct sctp_tcb *stcb;

stcb = control->stcb;
control->held_length = 0;
control->length = 0;
m = control->data;
while (m) {
	if (SCTP_BUF_LEN(m) == 0) {
		/* Skip mbufs with NO length */
		if (prev == NULL) {
			/* First one */
			control->data = sctp_m_free(m);
			m = control->data;
		} else {
			SCTP_BUF_NEXT(prev) = sctp_m_free(m);
			m = SCTP_BUF_NEXT(prev);
		}
		if (m == NULL) {
			control->tail_mbuf = prev;
		}
		continue;
	}
	prev = m;
	atomic_add_int(&control->length, SCTP_BUF_LEN(m));
	if (control->on_read_q) {
		/*
		 * On read queue so we must increment the
		 * SB stuff, we assume caller has done any locks of SB.
		 */
		sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m);
	}
	m = SCTP_BUF_NEXT(m);
}
if (prev) {
	control->tail_mbuf = prev;
}
}

static void
sctp_add_to_tail_pointer(struct sctp_queued_to_read *control, struct mbuf *m, uint32_t *added)
{
struct mbuf *prev=NULL;
struct sctp_tcb *stcb;

stcb = control->stcb;
if (stcb == NULL) {
#ifdef INVARIANTS
	panic("Control broken");
#else
	return;
#endif
}
if (control->tail_mbuf == NULL) {
	/* TSNH */
	sctp_m_freem(control->data);
	control->data = m;
	sctp_setup_tail_pointer(control);
	return;
}
control->tail_mbuf->m_next = m;
while (m) {
	if (SCTP_BUF_LEN(m) == 0) {
		/* Skip mbufs with NO length */
		if (prev == NULL) {
			/* First one */
			control->tail_mbuf->m_next = sctp_m_free(m);
			m = control->tail_mbuf->m_next;
		} else {
			SCTP_BUF_NEXT(prev) = sctp_m_free(m);
			m = SCTP_BUF_NEXT(prev);
		}
		if (m == NULL) {
			control->tail_mbuf = prev;
		}
		continue;
	}
	prev = m;
	if (control->on_read_q) {
		/*
		 * On read queue so we must increment the
		 * SB stuff, we assume caller has done any locks of SB.
		 */
		sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m);
	}
	*added += SCTP_BUF_LEN(m);
	atomic_add_int(&control->length, SCTP_BUF_LEN(m));
	m = SCTP_BUF_NEXT(m);
}
if (prev) {
	control->tail_mbuf = prev;
}
}

static void
sctp_build_readq_entry_from_ctl(struct sctp_queued_to_read *nc, struct sctp_queued_to_read *control)
{
memset(nc, 0, sizeof(struct sctp_queued_to_read));
nc->sinfo_stream = control->sinfo_stream;
nc->mid = control->mid;
TAILQ_INIT(&nc->reasm);
nc->top_fsn = control->top_fsn;
nc->mid = control->mid;
nc->sinfo_flags = control->sinfo_flags;
nc->sinfo_ppid = control->sinfo_ppid;
nc->sinfo_context = control->sinfo_context;
nc->fsn_included = 0xffffffff;
nc->sinfo_tsn = control->sinfo_tsn;
nc->sinfo_cumtsn = control->sinfo_cumtsn;
nc->sinfo_assoc_id = control->sinfo_assoc_id;
nc->whoFrom = control->whoFrom;
atomic_add_int(&nc->whoFrom->ref_count, 1);
nc->stcb = control->stcb;
nc->port_from = control->port_from;
nc->do_not_ref_stcb = control->do_not_ref_stcb;
}

static int
sctp_handle_old_unordered_data(struct sctp_tcb *stcb,
                              struct sctp_association *asoc,
                              struct sctp_stream_in *strm,
                              struct sctp_queued_to_read *control,
                              uint32_t pd_point,
                              int inp_read_lock_held)
{
/* Special handling for the old un-ordered data chunk.
 * All the chunks/TSN's go to mid 0. So
 * we have to do the old style watching to see
 * if we have it all. If you return one, no other
 * control entries on the un-ordered queue will
 * be looked at. In theory there should be no others
 * entries in reality, unless the guy is sending both
 * unordered NDATA and unordered DATA...
 */
struct sctp_tmit_chunk *chk, *lchk, *tchk;
uint32_t fsn;
struct sctp_queued_to_read *nc;
int cnt_added;

if (control->first_frag_seen == 0) {
	/* Nothing we can do, we have not seen the first piece yet */
	return (1);
}
/* Collapse any we can */
cnt_added = 0;
restart:
fsn = control->fsn_included + 1;
/* Now what can we add? */
TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, lchk) {
	if (chk->rec.data.fsn == fsn) {
		/* Ok lets add it */
		sctp_alloc_a_readq(stcb, nc);
		if (nc == NULL) {
			break;
		}
		memset(nc, 0, sizeof(struct sctp_queued_to_read));
		TAILQ_REMOVE(&control->reasm, chk, sctp_next);
		sctp_add_chk_to_control(control, strm, stcb, asoc, chk, inp_read_lock_held);
		fsn++;
		cnt_added++;
		chk = NULL;
		if (control->end_added) {
			/* We are done */
			if (!TAILQ_EMPTY(&control->reasm)) {
				/*
				 * Ok we have to move anything left on
				 * the control queue to a new control.
				 */
				sctp_build_readq_entry_from_ctl(nc, control);
				tchk = TAILQ_FIRST(&control->reasm);
				if (tchk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
					TAILQ_REMOVE(&control->reasm, tchk, sctp_next);
					if (asoc->size_on_reasm_queue >= tchk->send_size) {
						asoc->size_on_reasm_queue -= tchk->send_size;
					} else {
#ifdef INVARIANTS
					panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, tchk->send_size);
#else
					asoc->size_on_reasm_queue = 0;
#endif
					}
					sctp_ucount_decr(asoc->cnt_on_reasm_queue);
					nc->first_frag_seen = 1;
					nc->fsn_included = tchk->rec.data.fsn;
					nc->data = tchk->data;
					nc->sinfo_ppid = tchk->rec.data.ppid;
					nc->sinfo_tsn = tchk->rec.data.tsn;
					sctp_mark_non_revokable(asoc, tchk->rec.data.tsn);
					tchk->data = NULL;
					sctp_free_a_chunk(stcb, tchk, SCTP_SO_NOT_LOCKED);
					sctp_setup_tail_pointer(nc);
					tchk = TAILQ_FIRST(&control->reasm);
				}
				/* Spin the rest onto the queue */
				while (tchk) {
					TAILQ_REMOVE(&control->reasm, tchk, sctp_next);
					TAILQ_INSERT_TAIL(&nc->reasm, tchk, sctp_next);
					tchk = TAILQ_FIRST(&control->reasm);
				}
				/* Now lets add it to the queue after removing control */
				TAILQ_INSERT_TAIL(&strm->uno_inqueue, nc, next_instrm);
				nc->on_strm_q = SCTP_ON_UNORDERED;
				if (control->on_strm_q) {
					TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
					control->on_strm_q = 0;
				}
			}
			if (control->pdapi_started) {
				strm->pd_api_started = 0;
				control->pdapi_started = 0;
			}
			if (control->on_strm_q) {
				TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
				control->on_strm_q = 0;
				SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
			}
			if (control->on_read_q == 0) {
				sctp_add_to_readq(stcb->sctp_ep, stcb, control,
						  &stcb->sctp_socket->so_rcv, control->end_added,
						  inp_read_lock_held, SCTP_SO_NOT_LOCKED);
#if defined(__Userspace__)
			} else {
				sctp_invoke_recv_callback(stcb->sctp_ep, stcb, control, inp_read_lock_held);
#endif
			}
			sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
			if ((nc->first_frag_seen) && !TAILQ_EMPTY(&nc->reasm)) {
				/* Switch to the new guy and continue */
				control = nc;
				goto restart;
			} else {
				if (nc->on_strm_q == 0) {
					sctp_free_a_readq(stcb, nc);
				}
			}
			return (1);
		} else {
			sctp_free_a_readq(stcb, nc);
		}
	} else {
		/* Can't add more */
		break;
	}
}
if (cnt_added && strm->pd_api_started) {
#if defined(__Userspace__)
	sctp_invoke_recv_callback(stcb->sctp_ep, stcb, control, inp_read_lock_held);
#endif
	sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
}
if ((control->length > pd_point) && (strm->pd_api_started == 0)) {
	strm->pd_api_started = 1;
	control->pdapi_started = 1;
	sctp_add_to_readq(stcb->sctp_ep, stcb, control,
	                  &stcb->sctp_socket->so_rcv, control->end_added,
	                  inp_read_lock_held, SCTP_SO_NOT_LOCKED);
	sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
	return (0);
} else {
	return (1);
}
}

static void
sctp_inject_old_unordered_data(struct sctp_tcb *stcb,
                              struct sctp_association *asoc,
                              struct sctp_queued_to_read *control,
                              struct sctp_tmit_chunk *chk,
                              int *abort_flag)
{
struct sctp_tmit_chunk *at;
int inserted;
/*
 * Here we need to place the chunk into the control structure
 * sorted in the correct order.
 */
if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
	/* Its the very first one. */
	SCTPDBG(SCTP_DEBUG_XXX,
		"chunk is a first fsn: %u becomes fsn_included\n",
		chk->rec.data.fsn);
	at = TAILQ_FIRST(&control->reasm);
	if (at && SCTP_TSN_GT(chk->rec.data.fsn, at->rec.data.fsn)) {
		/*
		 * The first chunk in the reassembly is
		 * a smaller TSN than this one, even though
		 * this has a first, it must be from a subsequent
		 * msg.
		 */
		goto place_chunk;
	}
	if (control->first_frag_seen) {
		/*
		 * In old un-ordered we can reassembly on
		 * one control multiple messages. As long
		 * as the next FIRST is greater then the old
		 * first (TSN i.e. FSN wise)
		 */
		struct mbuf *tdata;
		uint32_t tmp;

		if (SCTP_TSN_GT(chk->rec.data.fsn, control->fsn_included)) {
			/* Easy way the start of a new guy beyond the lowest */
			goto place_chunk;
		}
		if ((chk->rec.data.fsn == control->fsn_included) ||
		    (control->pdapi_started)) {
			/*
			 * Ok this should not happen, if it does
			 * we started the pd-api on the higher TSN (since
			 * the equals part is a TSN failure it must be that).
			 *
			 * We are completely hosed in that case since I have
			 * no way to recover. This really will only happen
			 * if we can get more TSN's higher before the pd-api-point.
			 */
			sctp_abort_in_reasm(stcb, control, chk,
					    abort_flag,
					    SCTP_FROM_SCTP_INDATA + SCTP_LOC_4);

			return;
		}
		/*
		 * Ok we have two firsts and the one we just got
		 * is smaller than the one we previously placed.. yuck!
		 * We must swap them out.
		 */
		/* swap the mbufs */
		tdata = control->data;
		control->data = chk->data;
		chk->data = tdata;
		/* Save the lengths */
		chk->send_size = control->length;
		/* Recompute length of control and tail pointer */
		sctp_setup_tail_pointer(control);
		/* Fix the FSN included */
		tmp = control->fsn_included;
		control->fsn_included = chk->rec.data.fsn;
		chk->rec.data.fsn = tmp;
		/* Fix the TSN included */
		tmp = control->sinfo_tsn;
		control->sinfo_tsn = chk->rec.data.tsn;
		chk->rec.data.tsn = tmp;
		/* Fix the PPID included */
		tmp = control->sinfo_ppid;
		control->sinfo_ppid = chk->rec.data.ppid;
		chk->rec.data.ppid = tmp;
		/* Fix tail pointer */
		goto place_chunk;
	}
	control->first_frag_seen = 1;
	control->fsn_included = chk->rec.data.fsn;
	control->top_fsn = chk->rec.data.fsn;
	control->sinfo_tsn = chk->rec.data.tsn;
	control->sinfo_ppid = chk->rec.data.ppid;
	control->data = chk->data;
	sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
	chk->data = NULL;
	sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
	sctp_setup_tail_pointer(control);
	return;
}
place_chunk:
inserted = 0;
TAILQ_FOREACH(at, &control->reasm, sctp_next) {
	if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) {
		/*
		 * This one in queue is bigger than the new one, insert
		 * the new one before at.
		 */
		asoc->size_on_reasm_queue += chk->send_size;
		sctp_ucount_incr(asoc->cnt_on_reasm_queue);
		inserted = 1;
		TAILQ_INSERT_BEFORE(at, chk, sctp_next);
		break;
	} else if (at->rec.data.fsn == chk->rec.data.fsn) {
		/*
		 * They sent a duplicate fsn number. This
		 * really should not happen since the FSN is
		 * a TSN and it should have been dropped earlier.
		 */
		sctp_abort_in_reasm(stcb, control, chk,
		                    abort_flag,
		                    SCTP_FROM_SCTP_INDATA + SCTP_LOC_5);
		return;
	}
}
if (inserted == 0) {
	/* Its at the end */
	asoc->size_on_reasm_queue += chk->send_size;
	sctp_ucount_incr(asoc->cnt_on_reasm_queue);
	control->top_fsn = chk->rec.data.fsn;
	TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next);
}
}

static int
sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct sctp_association *asoc,
                        struct sctp_stream_in *strm, int inp_read_lock_held)
{
/*
 * Given a stream, strm, see if any of
 * the SSN's on it that are fragmented
 * are ready to deliver. If so go ahead
 * and place them on the read queue. In
 * so placing if we have hit the end, then
 * we need to remove them from the stream's queue.
 */
struct sctp_queued_to_read *control, *nctl = NULL;
uint32_t next_to_del;
uint32_t pd_point;
int ret = 0;

if (stcb->sctp_socket) {
	pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT,
		       stcb->sctp_ep->partial_delivery_point);
} else {
	pd_point = stcb->sctp_ep->partial_delivery_point;
}
control = TAILQ_FIRST(&strm->uno_inqueue);

if ((control != NULL) &&
    (asoc->idata_supported == 0)) {
	/* Special handling needed for "old" data format */
	if (sctp_handle_old_unordered_data(stcb, asoc, strm, control, pd_point, inp_read_lock_held)) {
		goto done_un;
	}
}
if (strm->pd_api_started) {
	/* Can't add more */
	return (0);
}
while (control) {
	SCTPDBG(SCTP_DEBUG_XXX, "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u -uo\n",
		control, control->end_added, control->mid, control->top_fsn, control->fsn_included);
	nctl = TAILQ_NEXT(control, next_instrm);
	if (control->end_added) {
		/* We just put the last bit on */
		if (control->on_strm_q) {
#ifdef INVARIANTS
			if (control->on_strm_q != SCTP_ON_UNORDERED) {
				panic("Huh control: %p on_q: %d -- not unordered?",
				      control, control->on_strm_q);
			}
#endif
			SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
			TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
			if (asoc->size_on_all_streams >= control->length) {
				asoc->size_on_all_streams -= control->length;
			} else {
#ifdef INVARIANTS
				panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
				asoc->size_on_all_streams = 0;
#endif
			}
			sctp_ucount_decr(asoc->cnt_on_all_streams);
			control->on_strm_q = 0;
		}
		if (control->on_read_q == 0) {
			sctp_add_to_readq(stcb->sctp_ep, stcb,
					  control,
					  &stcb->sctp_socket->so_rcv, control->end_added,
					  inp_read_lock_held, SCTP_SO_NOT_LOCKED);
		}
	} else {
		/* Can we do a PD-API for this un-ordered guy? */
		if ((control->length >= pd_point) && (strm->pd_api_started == 0)) {
			strm->pd_api_started = 1;
			control->pdapi_started = 1;
			sctp_add_to_readq(stcb->sctp_ep, stcb,
					  control,
					  &stcb->sctp_socket->so_rcv, control->end_added,
					  inp_read_lock_held, SCTP_SO_NOT_LOCKED);

			break;
		}
	}
	control = nctl;
}
done_un:
control = TAILQ_FIRST(&strm->inqueue);
if (strm->pd_api_started) {
	/* Can't add more */
	return (0);
}
if (control == NULL) {
	return (ret);
}
if (SCTP_MID_EQ(asoc->idata_supported, strm->last_mid_delivered, control->mid)) {
	/* Ok the guy at the top was being partially delivered
	 * completed, so we remove it. Note
	 * the pd_api flag was taken off when the
	 * chunk was merged on in sctp_queue_data_for_reasm below.
	 */
	nctl = TAILQ_NEXT(control, next_instrm);
	SCTPDBG(SCTP_DEBUG_XXX,
		"Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (lastdel: %u)- o\n",
		control, control->end_added, control->mid,
		control->top_fsn, control->fsn_included,
		strm->last_mid_delivered);
	if (control->end_added) {
		if (control->on_strm_q) {
#ifdef INVARIANTS
			if (control->on_strm_q != SCTP_ON_ORDERED) {
				panic("Huh control: %p on_q: %d -- not ordered?",
				      control, control->on_strm_q);
			}
#endif
			SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
			TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
			if (asoc->size_on_all_streams >= control->length) {
				asoc->size_on_all_streams -= control->length;
			} else {
#ifdef INVARIANTS
				panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
				asoc->size_on_all_streams = 0;
#endif
			}
			sctp_ucount_decr(asoc->cnt_on_all_streams);
			control->on_strm_q = 0;
		}
		if (strm->pd_api_started && control->pdapi_started) {
			control->pdapi_started = 0;
			strm->pd_api_started = 0;
		}
		if (control->on_read_q == 0) {
			sctp_add_to_readq(stcb->sctp_ep, stcb,
					  control,
					  &stcb->sctp_socket->so_rcv, control->end_added,
					  inp_read_lock_held, SCTP_SO_NOT_LOCKED);
		}
		control = nctl;
	}
}
if (strm->pd_api_started) {
	/* Can't add more must have gotten an un-ordered above being partially delivered. */
	return (0);
}
deliver_more:
next_to_del = strm->last_mid_delivered + 1;
if (control) {
	SCTPDBG(SCTP_DEBUG_XXX,
		"Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (nxtdel: %u)- o\n",
		control, control->end_added, control->mid, control->top_fsn, control->fsn_included,
		next_to_del);
	nctl = TAILQ_NEXT(control, next_instrm);
	if (SCTP_MID_EQ(asoc->idata_supported, control->mid, next_to_del) &&
	    (control->first_frag_seen)) {
		int done;

		/* Ok we can deliver it onto the stream. */
		if (control->end_added) {
			/* We are done with it afterwards */
			if (control->on_strm_q) {
#ifdef INVARIANTS
				if (control->on_strm_q != SCTP_ON_ORDERED) {
					panic("Huh control: %p on_q: %d -- not ordered?",
					      control, control->on_strm_q);
				}
#endif
				SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
				TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
				if (asoc->size_on_all_streams >= control->length) {
					asoc->size_on_all_streams -= control->length;
				} else {
#ifdef INVARIANTS
					panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
					asoc->size_on_all_streams = 0;
#endif
				}
				sctp_ucount_decr(asoc->cnt_on_all_streams);
				control->on_strm_q = 0;
			}
			ret++;
		}
		if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
			/* A singleton now slipping through - mark it non-revokable too */
			sctp_mark_non_revokable(asoc, control->sinfo_tsn);
		} else if (control->end_added == 0) {
			/* Check if we can defer adding until its all there */
			if ((control->length < pd_point) || (strm->pd_api_started)) {
				/* Don't need it or cannot add more (one being delivered that way) */
				goto out;
			}
		}
		done = (control->end_added) && (control->last_frag_seen);
		if (control->on_read_q == 0) {
			if (!done) {
				if (asoc->size_on_all_streams >= control->length) {
					asoc->size_on_all_streams -= control->length;
				} else {
#ifdef INVARIANTS
					panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
					asoc->size_on_all_streams = 0;
#endif
				}
				strm->pd_api_started = 1;
				control->pdapi_started = 1;
			}
			sctp_add_to_readq(stcb->sctp_ep, stcb,
					  control,
					  &stcb->sctp_socket->so_rcv, control->end_added,
					  inp_read_lock_held, SCTP_SO_NOT_LOCKED);
		}
		strm->last_mid_delivered = next_to_del;
		if (done) {
			control = nctl;
			goto deliver_more;
		}
	}
}
out:
return (ret);
}

uint32_t
sctp_add_chk_to_control(struct sctp_queued_to_read *control,
		struct sctp_stream_in *strm,
		struct sctp_tcb *stcb, struct sctp_association *asoc,
		struct sctp_tmit_chunk *chk, int hold_rlock)
{
/*
 * Given a control and a chunk, merge the
 * data from the chk onto the control and free
 * up the chunk resources.
 */
uint32_t added = 0;
bool i_locked = false;

if (control->on_read_q) {
	if (hold_rlock == 0) {
		/* Its being pd-api'd so we must do some locks. */
		SCTP_INP_READ_LOCK(stcb->sctp_ep);
		i_locked = true;
	}
	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_CANT_READ) {
		goto out;
	}
}
if (control->data == NULL) {
	control->data = chk->data;
	sctp_setup_tail_pointer(control);
} else {
	sctp_add_to_tail_pointer(control, chk->data, &added);
}
control->fsn_included = chk->rec.data.fsn;
asoc->size_on_reasm_queue -= chk->send_size;
sctp_ucount_decr(asoc->cnt_on_reasm_queue);
sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
chk->data = NULL;
if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
	control->first_frag_seen = 1;
	control->sinfo_tsn = chk->rec.data.tsn;
	control->sinfo_ppid = chk->rec.data.ppid;
}
if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
	/* Its complete */
	if ((control->on_strm_q) && (control->on_read_q)) {
		if (control->pdapi_started) {
			control->pdapi_started = 0;
			strm->pd_api_started = 0;
		}
		if (control->on_strm_q == SCTP_ON_UNORDERED) {
			/* Unordered */
			TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
			control->on_strm_q = 0;
		} else if (control->on_strm_q == SCTP_ON_ORDERED) {
			/* Ordered */
			TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
			/*
			 * Don't need to decrement size_on_all_streams,
			 * since control is on the read queue.
			 */
			sctp_ucount_decr(asoc->cnt_on_all_streams);
			control->on_strm_q = 0;
#ifdef INVARIANTS
		} else if (control->on_strm_q) {
			panic("Unknown state on ctrl: %p on_strm_q: %d", control,
			      control->on_strm_q);
#endif
		}
	}
	control->end_added = 1;
	control->last_frag_seen = 1;
}
out:
if (i_locked) {
	SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
}
sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
return (added);
}

/*
* Dump onto the re-assembly queue, in its proper place. After dumping on the
* queue, see if anything can be delivered. If so pull it off (or as much as
* we can. If we run out of space then we must dump what we can and set the
* appropriate flag to say we queued what we could.
*/
static void
sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
		  struct sctp_queued_to_read *control,
		  struct sctp_tmit_chunk *chk,
		  int created_control,
		  int *abort_flag, uint32_t tsn)
{
uint32_t next_fsn;
struct sctp_tmit_chunk *at, *nat;
struct sctp_stream_in *strm;
int do_wakeup, unordered;
uint32_t lenadded;

strm = &asoc->strmin[control->sinfo_stream];
/*
 * For old un-ordered data chunks.
 */
if ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) {
	unordered = 1;
} else {
	unordered = 0;
}
/* Must be added to the stream-in queue */
if (created_control) {
	if ((unordered == 0) || (asoc->idata_supported)) {
		sctp_ucount_incr(asoc->cnt_on_all_streams);
	}
	if (sctp_place_control_in_stream(strm, asoc, control)) {
		/* Duplicate SSN? */
		sctp_abort_in_reasm(stcb, control, chk,
				    abort_flag,
				    SCTP_FROM_SCTP_INDATA + SCTP_LOC_6);
		sctp_clean_up_control(stcb, control);
		return;
	}
	if ((tsn == (asoc->cumulative_tsn + 1) && (asoc->idata_supported == 0))) {
		/* Ok we created this control and now
		 * lets validate that its legal i.e. there
		 * is a B bit set, if not and we have
		 * up to the cum-ack then its invalid.
		 */
		if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0) {
			sctp_abort_in_reasm(stcb, control, chk,
			                    abort_flag,
			                    SCTP_FROM_SCTP_INDATA + SCTP_LOC_7);
			return;
		}
	}
}
if ((asoc->idata_supported == 0) && (unordered == 1)) {
	sctp_inject_old_unordered_data(stcb, asoc, control, chk, abort_flag);
	return;
}
/*
 * Ok we must queue the chunk into the reasembly portion:
 *  o if its the first it goes to the control mbuf.
 *  o if its not first but the next in sequence it goes to the control,
 *    and each succeeding one in order also goes.
 *  o if its not in order we place it on the list in its place.
 */
if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
	/* Its the very first one. */
	SCTPDBG(SCTP_DEBUG_XXX,
		"chunk is a first fsn: %u becomes fsn_included\n",
		chk->rec.data.fsn);
	if (control->first_frag_seen) {
		/*
		 * Error on senders part, they either
		 * sent us two data chunks with FIRST,
		 * or they sent two un-ordered chunks that
		 * were fragmented at the same time in the same stream.
		 */
		sctp_abort_in_reasm(stcb, control, chk,
		                    abort_flag,
		                    SCTP_FROM_SCTP_INDATA + SCTP_LOC_8);
		return;
	}
	control->first_frag_seen = 1;
	control->sinfo_ppid = chk->rec.data.ppid;
	control->sinfo_tsn = chk->rec.data.tsn;
	control->fsn_included = chk->rec.data.fsn;
	control->data = chk->data;
	sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
	chk->data = NULL;
	sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
	sctp_setup_tail_pointer(control);
	asoc->size_on_all_streams += control->length;
} else {
	/* Place the chunk in our list */
	int inserted=0;
	if (control->last_frag_seen == 0) {
		/* Still willing to raise highest FSN seen */
		if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) {
			SCTPDBG(SCTP_DEBUG_XXX,
				"We have a new top_fsn: %u\n",
				chk->rec.data.fsn);
			control->top_fsn = chk->rec.data.fsn;
		}
		if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
			SCTPDBG(SCTP_DEBUG_XXX,
				"The last fsn is now in place fsn: %u\n",
				chk->rec.data.fsn);
			control->last_frag_seen = 1;
			if (SCTP_TSN_GT(control->top_fsn, chk->rec.data.fsn)) {
				SCTPDBG(SCTP_DEBUG_XXX,
					"New fsn: %u is not at top_fsn: %u -- abort\n",
					chk->rec.data.fsn,
					control->top_fsn);
				sctp_abort_in_reasm(stcb, control, chk,
						    abort_flag,
						    SCTP_FROM_SCTP_INDATA + SCTP_LOC_9);
				return;
			}
		}
		if (asoc->idata_supported || control->first_frag_seen) {
			/*
			 * For IDATA we always check since we know that
			 * the first fragment is 0. For old DATA we have
			 * to receive the first before we know the first FSN
			 * (which is the TSN).
			 */
			if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) {
				/* We have already delivered up to this so its a dup */
				sctp_abort_in_reasm(stcb, control, chk,
						    abort_flag,
						    SCTP_FROM_SCTP_INDATA + SCTP_LOC_10);
				return;
			}
		}
	} else {
		if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
			/* Second last? huh? */
			SCTPDBG(SCTP_DEBUG_XXX,
				"Duplicate last fsn: %u (top: %u) -- abort\n",
				chk->rec.data.fsn, control->top_fsn);
			sctp_abort_in_reasm(stcb, control,
					    chk, abort_flag,
					    SCTP_FROM_SCTP_INDATA + SCTP_LOC_11);
			return;
		}
		if (asoc->idata_supported || control->first_frag_seen) {
			/*
			 * For IDATA we always check since we know that
			 * the first fragment is 0. For old DATA we have
			 * to receive the first before we know the first FSN
			 * (which is the TSN).
			 */

			if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) {
				/* We have already delivered up to this so its a dup */
				SCTPDBG(SCTP_DEBUG_XXX,
					"New fsn: %u is already seen in included_fsn: %u -- abort\n",
					chk->rec.data.fsn, control->fsn_included);
				sctp_abort_in_reasm(stcb, control, chk,
						    abort_flag,
						    SCTP_FROM_SCTP_INDATA + SCTP_LOC_12);
				return;
			}
		}
		/* validate not beyond top FSN if we have seen last one */
		if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) {
			SCTPDBG(SCTP_DEBUG_XXX,
				"New fsn: %u is beyond or at top_fsn: %u -- abort\n",
				chk->rec.data.fsn,
				control->top_fsn);
			sctp_abort_in_reasm(stcb, control, chk,
					    abort_flag,
					    SCTP_FROM_SCTP_INDATA + SCTP_LOC_13);
			return;
		}
	}
	/*
	 * If we reach here, we need to place the
	 * new chunk in the reassembly for this
	 * control.
	 */
	SCTPDBG(SCTP_DEBUG_XXX,
		"chunk is a not first fsn: %u needs to be inserted\n",
		chk->rec.data.fsn);
	TAILQ_FOREACH(at, &control->reasm, sctp_next) {
		if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) {
			if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
				/* Last not at the end? huh? */
				SCTPDBG(SCTP_DEBUG_XXX,
				        "Last fragment not last in list: -- abort\n");
				sctp_abort_in_reasm(stcb, control,
				                    chk, abort_flag,
				                    SCTP_FROM_SCTP_INDATA + SCTP_LOC_14);
				return;
			}
			/*
			 * This one in queue is bigger than the new one, insert
			 * the new one before at.
			 */
			SCTPDBG(SCTP_DEBUG_XXX,
				"Insert it before fsn: %u\n",
				at->rec.data.fsn);
			asoc->size_on_reasm_queue += chk->send_size;
			sctp_ucount_incr(asoc->cnt_on_reasm_queue);
			TAILQ_INSERT_BEFORE(at, chk, sctp_next);
			inserted = 1;
			break;
		} else if (at->rec.data.fsn == chk->rec.data.fsn) {
			/* Gak, He sent me a duplicate str seq number */
			/*
			 * foo bar, I guess I will just free this new guy,
			 * should we abort too? FIX ME MAYBE? Or it COULD be
			 * that the SSN's have wrapped. Maybe I should
			 * compare to TSN somehow... sigh for now just blow
			 * away the chunk!
			 */
			SCTPDBG(SCTP_DEBUG_XXX,
				"Duplicate to fsn: %u -- abort\n",
				at->rec.data.fsn);
			sctp_abort_in_reasm(stcb, control,
					    chk, abort_flag,
					    SCTP_FROM_SCTP_INDATA + SCTP_LOC_15);
			return;
		}
	}
	if (inserted == 0) {
		/* Goes on the end */
		SCTPDBG(SCTP_DEBUG_XXX, "Inserting at tail of list fsn: %u\n",
			chk->rec.data.fsn);
		asoc->size_on_reasm_queue += chk->send_size;
		sctp_ucount_incr(asoc->cnt_on_reasm_queue);
		TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next);
	}
}
/*
 * Ok lets see if we can suck any up into the control
 * structure that are in seq if it makes sense.
 */
do_wakeup = 0;
/*
 * If the first fragment has not been
 * seen there is no sense in looking.
 */
if (control->first_frag_seen) {
	next_fsn = control->fsn_included + 1;
	TAILQ_FOREACH_SAFE(at, &control->reasm, sctp_next, nat) {
		if (at->rec.data.fsn == next_fsn) {
			/* We can add this one now to the control */
			SCTPDBG(SCTP_DEBUG_XXX,
				"Adding more to control: %p at: %p fsn: %u next_fsn: %u included: %u\n",
				control, at,
				at->rec.data.fsn,
				next_fsn, control->fsn_included);
			TAILQ_REMOVE(&control->reasm, at, sctp_next);
			lenadded = sctp_add_chk_to_control(control, strm, stcb, asoc, at, SCTP_READ_LOCK_NOT_HELD);
			if (control->on_read_q) {
				do_wakeup = 1;
			} else {
				/*
				 * We only add to the size-on-all-streams
				 * if its not on the read q. The read q
				 * flag will cause a sballoc so its accounted
				 * for there.
				 */
				asoc->size_on_all_streams += lenadded;
			}
			next_fsn++;
			if (control->end_added && control->pdapi_started) {
				if (strm->pd_api_started) {
					strm->pd_api_started = 0;
					control->pdapi_started = 0;
				}
				if (control->on_read_q == 0) {
					sctp_add_to_readq(stcb->sctp_ep, stcb,
							  control,
							  &stcb->sctp_socket->so_rcv, control->end_added,
							  SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
				}
				break;
			}
		} else {
			break;
		}
	}
}
if (do_wakeup) {
#if defined(__Userspace__)
	sctp_invoke_recv_callback(stcb->sctp_ep, stcb, control, SCTP_READ_LOCK_NOT_HELD);
#endif
	/* Need to wakeup the reader */
	sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
}
}

static struct sctp_queued_to_read *
sctp_find_reasm_entry(struct sctp_stream_in *strm, uint32_t mid, int ordered, int idata_supported)
{
struct sctp_queued_to_read *control;

if (ordered) {
	TAILQ_FOREACH(control, &strm->inqueue, next_instrm) {
		if (SCTP_MID_EQ(idata_supported, control->mid, mid)) {
			break;
		}
	}
} else {
	if (idata_supported) {
		TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) {
			if (SCTP_MID_EQ(idata_supported, control->mid, mid)) {
				break;
			}
		}
	} else {
		control = TAILQ_FIRST(&strm->uno_inqueue);
	}
}
return (control);
}

static int
sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc,
		  struct mbuf **m, int offset,  int chk_length,
		  struct sctp_nets *net, uint32_t *high_tsn, int *abort_flag,
		  int *break_flag, int last_chunk, uint8_t chk_type)
{
struct sctp_tmit_chunk *chk = NULL; /* make gcc happy */
struct sctp_stream_in *strm;
uint32_t tsn, fsn, gap, mid;
struct mbuf *dmbuf;
int the_len;
int need_reasm_check = 0;
uint16_t sid;
struct mbuf *op_err;
char msg[SCTP_DIAG_INFO_LEN];
struct sctp_queued_to_read *control, *ncontrol;
uint32_t ppid;
uint8_t chk_flags;
struct sctp_stream_reset_list *liste;
int ordered;
size_t clen;
int created_control = 0;

if (chk_type == SCTP_IDATA) {
	struct sctp_idata_chunk *chunk, chunk_buf;

	chunk = (struct sctp_idata_chunk *)sctp_m_getptr(*m, offset,
	                                                 sizeof(struct sctp_idata_chunk), (uint8_t *)&chunk_buf);
	chk_flags = chunk->ch.chunk_flags;
	clen = sizeof(struct sctp_idata_chunk);
	tsn = ntohl(chunk->dp.tsn);
	sid = ntohs(chunk->dp.sid);
	mid = ntohl(chunk->dp.mid);
	if (chk_flags & SCTP_DATA_FIRST_FRAG) {
		fsn = 0;
		ppid = chunk->dp.ppid_fsn.ppid;
	} else {
		fsn = ntohl(chunk->dp.ppid_fsn.fsn);
		ppid = 0xffffffff; /* Use as an invalid value. */
	}
} else {
	struct sctp_data_chunk *chunk, chunk_buf;

	chunk = (struct sctp_data_chunk *)sctp_m_getptr(*m, offset,
	                                                sizeof(struct sctp_data_chunk), (uint8_t *)&chunk_buf);
	chk_flags = chunk->ch.chunk_flags;
	clen = sizeof(struct sctp_data_chunk);
	tsn = ntohl(chunk->dp.tsn);
	sid = ntohs(chunk->dp.sid);
	mid = (uint32_t)(ntohs(chunk->dp.ssn));
	fsn = tsn;
	ppid = chunk->dp.ppid;
}
if ((size_t)chk_length == clen) {
	/*
	 * Need to send an abort since we had a
	 * empty data chunk.
	 */
	op_err = sctp_generate_no_user_data_cause(tsn);
	stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_16;
	sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
	*abort_flag = 1;
	return (0);
}
if ((chk_flags & SCTP_DATA_SACK_IMMEDIATELY) == SCTP_DATA_SACK_IMMEDIATELY) {
	asoc->send_sack = 1;
}
ordered = ((chk_flags & SCTP_DATA_UNORDERED) == 0);
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
	sctp_log_map(tsn, asoc->cumulative_tsn, asoc->highest_tsn_inside_map, SCTP_MAP_TSN_ENTERS);
}
if (stcb == NULL) {
	return (0);
}
SCTP_LTRACE_CHK(stcb->sctp_ep, stcb, chk_type, tsn);
if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
	/* It is a duplicate */
	SCTP_STAT_INCR(sctps_recvdupdata);
	if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
		/* Record a dup for the next outbound sack */
		asoc->dup_tsns[asoc->numduptsns] = tsn;
		asoc->numduptsns++;
	}
	asoc->send_sack = 1;
	return (0);
}
/* Calculate the number of TSN's between the base and this TSN */
SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
if (gap >= (SCTP_MAPPING_ARRAY << 3)) {
	/* Can't hold the bit in the mapping at max array, toss it */
	return (0);
}
if (gap >= (uint32_t) (asoc->mapping_array_size << 3)) {
	SCTP_TCB_LOCK_ASSERT(stcb);
	if (sctp_expand_mapping_array(asoc, gap)) {
		/* Can't expand, drop it */
		return (0);
	}
}
if (SCTP_TSN_GT(tsn, *high_tsn)) {
	*high_tsn = tsn;
}
/* See if we have received this one already */
if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap) ||
    SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap)) {
	SCTP_STAT_INCR(sctps_recvdupdata);
	if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
		/* Record a dup for the next outbound sack */
		asoc->dup_tsns[asoc->numduptsns] = tsn;
		asoc->numduptsns++;
	}
	asoc->send_sack = 1;
	return (0);
}
/*
 * Check to see about the GONE flag, duplicates would cause a sack
 * to be sent up above
 */
if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
     (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET))) {
	/*
	 * wait a minute, this guy is gone, there is no longer a
	 * receiver. Send peer an ABORT!
	 */
	op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
	sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
	*abort_flag = 1;
	return (0);
}
/*
 * Now before going further we see if there is room. If NOT then we
 * MAY let one through only IF this TSN is the one we are waiting
 * for on a partial delivery API.
 */

/* Is the stream valid? */
if (sid >= asoc->streamincnt) {
	struct sctp_error_invalid_stream *cause;

	op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_invalid_stream),
	                               0, M_NOWAIT, 1, MT_DATA);
	if (op_err != NULL) {
		/* add some space up front so prepend will work well */
		SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
		cause = mtod(op_err, struct sctp_error_invalid_stream *);
		/*
		 * Error causes are just param's and this one has
		 * two back to back phdr, one with the error type
		 * and size, the other with the streamid and a rsvd
		 */
		SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_invalid_stream);
		cause->cause.code = htons(SCTP_CAUSE_INVALID_STREAM);
		cause->cause.length = htons(sizeof(struct sctp_error_invalid_stream));
		cause->stream_id = htons(sid);
		cause->reserved = htons(0);
		sctp_queue_op_err(stcb, op_err);
	}
	SCTP_STAT_INCR(sctps_badsid);
	SCTP_TCB_LOCK_ASSERT(stcb);
	SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
	if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
		asoc->highest_tsn_inside_nr_map = tsn;
	}
	if (tsn == (asoc->cumulative_tsn + 1)) {
		/* Update cum-ack */
		asoc->cumulative_tsn = tsn;
	}
	return (0);
}
/*
 * If its a fragmented message, lets see if we can
 * find the control on the reassembly queues.
 */
if ((chk_type == SCTP_IDATA) &&
    ((chk_flags & SCTP_DATA_FIRST_FRAG) == 0) &&
    (fsn == 0)) {
	/*
	 *  The first *must* be fsn 0, and other
	 *  (middle/end) pieces can *not* be fsn 0.
	 * XXX: This can happen in case of a wrap around.
	 *      Ignore is for now.
	 */
	SCTP_SNPRINTF(msg, sizeof(msg), "FSN zero for MID=%8.8x, but flags=%2.2x", mid, chk_flags);
	goto err_out;
}
control = sctp_find_reasm_entry(&asoc->strmin[sid], mid, ordered, asoc->idata_supported);
SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for control on queues %p\n",
	chk_flags, control);
if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) {
	/* See if we can find the re-assembly entity */
	if (control != NULL) {
		/* We found something, does it belong? */
		if (ordered && (mid != control->mid)) {
			SCTP_SNPRINTF(msg, sizeof(msg), "Reassembly problem (MID=%8.8x)", mid);
		err_out:
			op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
			stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_17;
			sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
			*abort_flag = 1;
			return (0);
		}
		if (ordered && ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED)) {
			/* We can't have a switched order with an unordered chunk */
			SCTP_SNPRINTF(msg, sizeof(msg),
			              "All fragments of a user message must be ordered or unordered (TSN=%8.8x)",
			              tsn);
			goto err_out;
		}
		if (!ordered && (((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) == 0)) {
			/* We can't have a switched unordered with a ordered chunk */
			SCTP_SNPRINTF(msg, sizeof(msg),
			             "All fragments of a user message must be ordered or unordered (TSN=%8.8x)",
			             tsn);
			goto err_out;
		}
	}
} else {
	/* Its a complete segment. Lets validate we
	 * don't have a re-assembly going on with
	 * the same Stream/Seq (for ordered) or in
	 * the same Stream for unordered.
	 */
	if (control != NULL) {
		if (ordered || asoc->idata_supported) {
			SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x dup detected on MID: %u\n",
				chk_flags, mid);
			SCTP_SNPRINTF(msg, sizeof(msg), "Duplicate MID=%8.8x detected.", mid);
			goto err_out;
		} else {
			if ((control->first_frag_seen) &&
			    (tsn == control->fsn_included + 1) &&
			    (control->end_added == 0)) {
				SCTP_SNPRINTF(msg, sizeof(msg),
				              "Illegal message sequence, missing end for MID: %8.8x",
				              control->fsn_included);
				goto err_out;
			} else {
				control = NULL;
			}
		}
	}
}
/* now do the tests */
if (((asoc->cnt_on_all_streams +
      asoc->cnt_on_reasm_queue +
      asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) ||
    (((int)asoc->my_rwnd) <= 0)) {
	/*
	 * When we have NO room in the rwnd we check to make sure
	 * the reader is doing its job...
	 */
	if (SCTP_SBAVAIL(&stcb->sctp_socket->so_rcv) > 0) {
		/* some to read, wake-up */
#if defined(__APPLE__) && !defined(__Userspace__)
		struct socket *so;

		so = SCTP_INP_SO(stcb->sctp_ep);
		atomic_add_int(&stcb->asoc.refcnt, 1);
		SCTP_TCB_UNLOCK(stcb);
		SCTP_SOCKET_LOCK(so, 1);
		SCTP_TCB_LOCK(stcb);
		atomic_subtract_int(&stcb->asoc.refcnt, 1);
		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
			/* assoc was freed while we were unlocked */
			SCTP_SOCKET_UNLOCK(so, 1);
			return (0);
		}
#endif
		sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
#if defined(__APPLE__) && !defined(__Userspace__)
		SCTP_SOCKET_UNLOCK(so, 1);
#endif
	}
	/* now is it in the mapping array of what we have accepted? */
	if (chk_type == SCTP_DATA) {
		if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map) &&
		    SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
			/* Nope not in the valid range dump it */
		dump_packet:
			sctp_set_rwnd(stcb, asoc);
			if ((asoc->cnt_on_all_streams +
			     asoc->cnt_on_reasm_queue +
			     asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) {
				SCTP_STAT_INCR(sctps_datadropchklmt);
			} else {
				SCTP_STAT_INCR(sctps_datadroprwnd);
			}
			*break_flag = 1;
			return (0);
		}
	} else {
		if (control == NULL) {
			goto dump_packet;
		}
		if (SCTP_TSN_GT(fsn, control->top_fsn)) {
			goto dump_packet;
		}
	}
}
#ifdef SCTP_ASOCLOG_OF_TSNS
SCTP_TCB_LOCK_ASSERT(stcb);
if (asoc->tsn_in_at >= SCTP_TSN_LOG_SIZE) {
	asoc->tsn_in_at = 0;
	asoc->tsn_in_wrapped = 1;
}
asoc->in_tsnlog[asoc->tsn_in_at].tsn = tsn;
asoc->in_tsnlog[asoc->tsn_in_at].strm = sid;
asoc->in_tsnlog[asoc->tsn_in_at].seq = mid;
asoc->in_tsnlog[asoc->tsn_in_at].sz = chk_length;
asoc->in_tsnlog[asoc->tsn_in_at].flgs = chunk_flags;
asoc->in_tsnlog[asoc->tsn_in_at].stcb = (void *)stcb;
asoc->in_tsnlog[asoc->tsn_in_at].in_pos = asoc->tsn_in_at;
asoc->in_tsnlog[asoc->tsn_in_at].in_out = 1;
asoc->tsn_in_at++;
#endif
/*
 * Before we continue lets validate that we are not being fooled by
 * an evil attacker. We can only have Nk chunks based on our TSN
 * spread allowed by the mapping array N * 8 bits, so there is no
 * way our stream sequence numbers could have wrapped. We of course
 * only validate the FIRST fragment so the bit must be set.
 */
if ((chk_flags & SCTP_DATA_FIRST_FRAG) &&
    (TAILQ_EMPTY(&asoc->resetHead)) &&
    (chk_flags & SCTP_DATA_UNORDERED) == 0 &&
    SCTP_MID_GE(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered, mid)) {
	/* The incoming sseq is behind where we last delivered? */
	SCTPDBG(SCTP_DEBUG_INDATA1, "EVIL/Broken-Dup S-SEQ: %u delivered: %u from peer, Abort!\n",
		mid, asoc->strmin[sid].last_mid_delivered);

	if (asoc->idata_supported) {
		SCTP_SNPRINTF(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x",
		              asoc->strmin[sid].last_mid_delivered,
		              tsn,
		              sid,
		              mid);
	} else {
		SCTP_SNPRINTF(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
		              (uint16_t)asoc->strmin[sid].last_mid_delivered,
		              tsn,
		              sid,
		              (uint16_t)mid);
	}
	op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
	stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_18;
	sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
	*abort_flag = 1;
	return (0);
}
if (chk_type == SCTP_IDATA) {
	the_len = (chk_length - sizeof(struct sctp_idata_chunk));
} else {
	the_len = (chk_length - sizeof(struct sctp_data_chunk));
}
if (last_chunk == 0) {
	if (chk_type == SCTP_IDATA) {
		dmbuf = SCTP_M_COPYM(*m,
				     (offset + sizeof(struct sctp_idata_chunk)),
				     the_len, M_NOWAIT);
	} else {
		dmbuf = SCTP_M_COPYM(*m,
				     (offset + sizeof(struct sctp_data_chunk)),
				     the_len, M_NOWAIT);
	}
#ifdef SCTP_MBUF_LOGGING
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
		sctp_log_mbc(dmbuf, SCTP_MBUF_ICOPY);
	}
#endif
} else {
	/* We can steal the last chunk */
	int l_len;
	dmbuf = *m;
	/* lop off the top part */
	if (chk_type == SCTP_IDATA) {
		m_adj(dmbuf, (offset + sizeof(struct sctp_idata_chunk)));
	} else {
		m_adj(dmbuf, (offset + sizeof(struct sctp_data_chunk)));
	}
	if (SCTP_BUF_NEXT(dmbuf) == NULL) {
		l_len = SCTP_BUF_LEN(dmbuf);
	} else {
		/* need to count up the size hopefully
		 * does not hit this to often :-0
		 */
		struct mbuf *lat;

		l_len = 0;
		for (lat = dmbuf; lat; lat = SCTP_BUF_NEXT(lat)) {
			l_len += SCTP_BUF_LEN(lat);
		}
	}
	if (l_len > the_len) {
		/* Trim the end round bytes off  too */
		m_adj(dmbuf, -(l_len - the_len));
	}
}
if (dmbuf == NULL) {
	SCTP_STAT_INCR(sctps_nomem);
	return (0);
}
/*
 * Now no matter what, we need a control, get one
 * if we don't have one (we may have gotten it
 * above when we found the message was fragmented
 */
if (control == NULL) {
	sctp_alloc_a_readq(stcb, control);
	sctp_build_readq_entry_mac(control, stcb, asoc->context, net, tsn,
				   ppid,
				   sid,
				   chk_flags,
				   NULL, fsn, mid);
	if (control == NULL) {
		SCTP_STAT_INCR(sctps_nomem);
		return (0);
	}
	if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
		struct mbuf *mm;

		control->data = dmbuf;
		control->tail_mbuf = NULL;
		for (mm = control->data; mm; mm = mm->m_next) {
			control->length += SCTP_BUF_LEN(mm);
			if (SCTP_BUF_NEXT(mm) == NULL) {
				control->tail_mbuf = mm;
			}
		}
		control->end_added = 1;
		control->last_frag_seen = 1;
		control->first_frag_seen = 1;
		control->fsn_included = fsn;
		control->top_fsn = fsn;
	}
	created_control = 1;
}
SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x ordered: %d MID: %u control: %p\n",
	chk_flags, ordered, mid, control);
if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG &&
    TAILQ_EMPTY(&asoc->resetHead) &&
    ((ordered == 0) ||
     (SCTP_MID_EQ(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered + 1, mid) &&
      TAILQ_EMPTY(&asoc->strmin[sid].inqueue)))) {
	/* Candidate for express delivery */
	/*
	 * Its not fragmented, No PD-API is up, Nothing in the
	 * delivery queue, Its un-ordered OR ordered and the next to
	 * deliver AND nothing else is stuck on the stream queue,
	 * And there is room for it in the socket buffer. Lets just
	 * stuff it up the buffer....
	 */
	SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
	if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
		asoc->highest_tsn_inside_nr_map = tsn;
	}
	SCTPDBG(SCTP_DEBUG_XXX, "Injecting control: %p to be read (MID: %u)\n",
		control, mid);

	sctp_add_to_readq(stcb->sctp_ep, stcb,
	                  control, &stcb->sctp_socket->so_rcv,
	                  1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);

	if ((chk_flags & SCTP_DATA_UNORDERED) == 0) {
		/* for ordered, bump what we delivered */
		asoc->strmin[sid].last_mid_delivered++;
	}
	SCTP_STAT_INCR(sctps_recvexpress);
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
		sctp_log_strm_del_alt(stcb, tsn, mid, sid,
				      SCTP_STR_LOG_FROM_EXPRS_DEL);
	}
	control = NULL;
	goto finish_express_del;
}

/* Now will we need a chunk too? */
if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) {
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		/* No memory so we drop the chunk */
		SCTP_STAT_INCR(sctps_nomem);
		if (last_chunk == 0) {
			/* we copied it, free the copy */
			sctp_m_freem(dmbuf);
		}
		return (0);
	}
	chk->rec.data.tsn = tsn;
	chk->no_fr_allowed = 0;
	chk->rec.data.fsn = fsn;
	chk->rec.data.mid = mid;
	chk->rec.data.sid = sid;
	chk->rec.data.ppid = ppid;
	chk->rec.data.context = stcb->asoc.context;
	chk->rec.data.doing_fast_retransmit = 0;
	chk->rec.data.rcv_flags = chk_flags;
	chk->asoc = asoc;
	chk->send_size = the_len;
	chk->whoTo = net;
	SCTPDBG(SCTP_DEBUG_XXX, "Building ck: %p for control: %p to be read (MID: %u)\n",
		chk,
		control, mid);
	atomic_add_int(&net->ref_count, 1);
	chk->data = dmbuf;
}
/* Set the appropriate TSN mark */
if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
	SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
	if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
		asoc->highest_tsn_inside_nr_map = tsn;
	}
} else {
	SCTP_SET_TSN_PRESENT(asoc->mapping_array, gap);
	if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map)) {
		asoc->highest_tsn_inside_map = tsn;
	}
}
/* Now is it complete (i.e. not fragmented)? */
if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
	/*
	 * Special check for when streams are resetting. We
	 * could be more smart about this and check the
	 * actual stream to see if it is not being reset..
	 * that way we would not create a HOLB when amongst
	 * streams being reset and those not being reset.
	 *
	 */
	if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
	    SCTP_TSN_GT(tsn, liste->tsn)) {
		/*
		 * yep its past where we need to reset... go
		 * ahead and queue it.
		 */
		if (TAILQ_EMPTY(&asoc->pending_reply_queue)) {
			/* first one on */
			TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
		} else {
			struct sctp_queued_to_read *lcontrol, *nlcontrol;
			unsigned char inserted = 0;
			TAILQ_FOREACH_SAFE(lcontrol, &asoc->pending_reply_queue, next, nlcontrol) {
				if (SCTP_TSN_GT(control->sinfo_tsn, lcontrol->sinfo_tsn)) {
					continue;
				} else {
					/* found it */
					TAILQ_INSERT_BEFORE(lcontrol, control, next);
					inserted = 1;
					break;
				}
			}
			if (inserted == 0) {
				/*
				 * must be put at end, use
				 * prevP (all setup from
				 * loop) to setup nextP.
				 */
				TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
			}
		}
		goto finish_express_del;
	}
	if (chk_flags & SCTP_DATA_UNORDERED) {
		/* queue directly into socket buffer */
		SCTPDBG(SCTP_DEBUG_XXX, "Unordered data to be read control: %p MID: %u\n",
			control, mid);
		sctp_mark_non_revokable(asoc, control->sinfo_tsn);
		sctp_add_to_readq(stcb->sctp_ep, stcb,
		                  control,
		                  &stcb->sctp_socket->so_rcv, 1,
		                  SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);

	} else {
		SCTPDBG(SCTP_DEBUG_XXX, "Queue control: %p for reordering MID: %u\n", control,
			mid);
		sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
		if (*abort_flag) {
			if (last_chunk) {
				*m = NULL;
			}
			return (0);
		}
	}
	goto finish_express_del;
}
/* If we reach here its a reassembly */
need_reasm_check = 1;
SCTPDBG(SCTP_DEBUG_XXX,
	"Queue data to stream for reasm control: %p MID: %u\n",
	control, mid);
sctp_queue_data_for_reasm(stcb, asoc, control, chk, created_control, abort_flag, tsn);
if (*abort_flag) {
	/*
	 * the assoc is now gone and chk was put onto the
	 * reasm queue, which has all been freed.
	 */
	if (last_chunk) {
		*m = NULL;
	}
	return (0);
}
finish_express_del:
/* Here we tidy up things */
if (tsn == (asoc->cumulative_tsn + 1)) {
	/* Update cum-ack */
	asoc->cumulative_tsn = tsn;
}
if (last_chunk) {
	*m = NULL;
}
if (ordered) {
	SCTP_STAT_INCR_COUNTER64(sctps_inorderchunks);
} else {
	SCTP_STAT_INCR_COUNTER64(sctps_inunorderchunks);
}
SCTP_STAT_INCR(sctps_recvdata);
/* Set it present please */
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
	sctp_log_strm_del_alt(stcb, tsn, mid, sid, SCTP_STR_LOG_FROM_MARK_TSN);
}
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
	sctp_log_map(asoc->mapping_array_base_tsn, asoc->cumulative_tsn,
		     asoc->highest_tsn_inside_map, SCTP_MAP_PREPARE_SLIDE);
}
if (need_reasm_check) {
	(void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[sid], SCTP_READ_LOCK_NOT_HELD);
	need_reasm_check = 0;
}
/* check the special flag for stream resets */
if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
    SCTP_TSN_GE(asoc->cumulative_tsn, liste->tsn)) {
	/*
	 * we have finished working through the backlogged TSN's now
	 * time to reset streams. 1: call reset function. 2: free
	 * pending_reply space 3: distribute any chunks in
	 * pending_reply_queue.
	 */
	sctp_reset_in_stream(stcb, liste->number_entries, liste->list_of_streams);
	TAILQ_REMOVE(&asoc->resetHead, liste, next_resp);
	sctp_send_deferred_reset_response(stcb, liste, SCTP_STREAM_RESET_RESULT_PERFORMED);
	SCTP_FREE(liste, SCTP_M_STRESET);
	/*sa_ignore FREED_MEMORY*/
	liste = TAILQ_FIRST(&asoc->resetHead);
	if (TAILQ_EMPTY(&asoc->resetHead)) {
		/* All can be removed */
		TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
			TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
			strm = &asoc->strmin[control->sinfo_stream];
			sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
			if (*abort_flag) {
				return (0);
			}
			if (need_reasm_check) {
				(void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
				need_reasm_check = 0;
			}
		}
	} else {
		TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
			if (SCTP_TSN_GT(control->sinfo_tsn, liste->tsn)) {
				break;
			}
			/*
			 * if control->sinfo_tsn is <= liste->tsn we can
			 * process it which is the NOT of
			 * control->sinfo_tsn > liste->tsn
			 */
			TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
			strm = &asoc->strmin[control->sinfo_stream];
			sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
			if (*abort_flag) {
				return (0);
			}
			if (need_reasm_check) {
				(void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
				need_reasm_check = 0;
			}
		}
	}
}
return (1);
}

static const int8_t sctp_map_lookup_tab[256] = {
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 5,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 6,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 5,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 7,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 5,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 6,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 5,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 4,
 0, 1, 0, 2, 0, 1, 0, 3,
 0, 1, 0, 2, 0, 1, 0, 8
};

void
sctp_slide_mapping_arrays(struct sctp_tcb *stcb)
{
/*
 * Now we also need to check the mapping array in a couple of ways.
 * 1) Did we move the cum-ack point?
 *
 * When you first glance at this you might think
 * that all entries that make up the position
 * of the cum-ack would be in the nr-mapping array
 * only.. i.e. things up to the cum-ack are always
 * deliverable. Thats true with one exception, when
 * its a fragmented message we may not deliver the data
 * until some threshold (or all of it) is in place. So
 * we must OR the nr_mapping_array and mapping_array to
 * get a true picture of the cum-ack.
 */
struct sctp_association *asoc;
int at;
uint8_t val;
int slide_from, slide_end, lgap, distance;
uint32_t old_cumack, old_base, old_highest, highest_tsn;

asoc = &stcb->asoc;

old_cumack = asoc->cumulative_tsn;
old_base = asoc->mapping_array_base_tsn;
old_highest = asoc->highest_tsn_inside_map;
/*
 * We could probably improve this a small bit by calculating the
 * offset of the current cum-ack as the starting point.
 */
at = 0;
for (slide_from = 0; slide_from < stcb->asoc.mapping_array_size; slide_from++) {
	val = asoc->nr_mapping_array[slide_from] | asoc->mapping_array[slide_from];
	if (val == 0xff) {
		at += 8;
	} else {
		/* there is a 0 bit */
		at += sctp_map_lookup_tab[val];
		break;
	}
}
asoc->cumulative_tsn = asoc->mapping_array_base_tsn + (at-1);

if (SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_map) &&
           SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_nr_map)) {
#ifdef INVARIANTS
	panic("huh, cumack 0x%x greater than high-tsn 0x%x in map",
	      asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
#else
	SCTP_PRINTF("huh, cumack 0x%x greater than high-tsn 0x%x in map - should panic?\n",
		    asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
	sctp_print_mapping_array(asoc);
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
		sctp_log_map(0, 6, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
	}
	asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
	asoc->highest_tsn_inside_nr_map = asoc->cumulative_tsn;
#endif
}
if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
	highest_tsn = asoc->highest_tsn_inside_nr_map;
} else {
	highest_tsn = asoc->highest_tsn_inside_map;
}
if ((asoc->cumulative_tsn == highest_tsn) && (at >= 8)) {
	/* The complete array was completed by a single FR */
	/* highest becomes the cum-ack */
	int clr;
#ifdef INVARIANTS
	unsigned int i;
#endif

	/* clear the array */
	clr = ((at+7) >> 3);
	if (clr > asoc->mapping_array_size) {
		clr = asoc->mapping_array_size;
	}
	memset(asoc->mapping_array, 0, clr);
	memset(asoc->nr_mapping_array, 0, clr);
#ifdef INVARIANTS
	for (i = 0; i < asoc->mapping_array_size; i++) {
		if ((asoc->mapping_array[i]) || (asoc->nr_mapping_array[i])) {
			SCTP_PRINTF("Error Mapping array's not clean at clear\n");
			sctp_print_mapping_array(asoc);
		}
	}
#endif
	asoc->mapping_array_base_tsn = asoc->cumulative_tsn + 1;
	asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
} else if (at >= 8) {
	/* we can slide the mapping array down */
	/* slide_from holds where we hit the first NON 0xff byte */

	/*
	 * now calculate the ceiling of the move using our highest
	 * TSN value
	 */
	SCTP_CALC_TSN_TO_GAP(lgap, highest_tsn, asoc->mapping_array_base_tsn);
	slide_end = (lgap >> 3);
	if (slide_end < slide_from) {
		sctp_print_mapping_array(asoc);
#ifdef INVARIANTS
		panic("impossible slide");
#else
		SCTP_PRINTF("impossible slide lgap: %x slide_end: %x slide_from: %x? at: %d\n",
		            lgap, slide_end, slide_from, at);
		return;
#endif
	}
	if (slide_end > asoc->mapping_array_size) {
#ifdef INVARIANTS
		panic("would overrun buffer");
#else
		SCTP_PRINTF("Gak, would have overrun map end: %d slide_end: %d\n",
		            asoc->mapping_array_size, slide_end);
		slide_end = asoc->mapping_array_size;
#endif
	}
	distance = (slide_end - slide_from) + 1;
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
		sctp_log_map(old_base, old_cumack, old_highest,
			     SCTP_MAP_PREPARE_SLIDE);
		sctp_log_map((uint32_t) slide_from, (uint32_t) slide_end,
			     (uint32_t) lgap, SCTP_MAP_SLIDE_FROM);
	}
	if (distance + slide_from > asoc->mapping_array_size ||
	    distance < 0) {
		/*
		 * Here we do NOT slide forward the array so that
		 * hopefully when more data comes in to fill it up
		 * we will be able to slide it forward. Really I
		 * don't think this should happen :-0
		 */
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
			sctp_log_map((uint32_t) distance, (uint32_t) slide_from,
				     (uint32_t) asoc->mapping_array_size,
				     SCTP_MAP_SLIDE_NONE);
		}
	} else {
		int ii;

		for (ii = 0; ii < distance; ii++) {
			asoc->mapping_array[ii] = asoc->mapping_array[slide_from + ii];
			asoc->nr_mapping_array[ii] = asoc->nr_mapping_array[slide_from + ii];
		}
		for (ii = distance; ii < asoc->mapping_array_size; ii++) {
			asoc->mapping_array[ii] = 0;
			asoc->nr_mapping_array[ii] = 0;
		}
		if (asoc->highest_tsn_inside_map + 1 == asoc->mapping_array_base_tsn) {
			asoc->highest_tsn_inside_map += (slide_from << 3);
		}
		if (asoc->highest_tsn_inside_nr_map + 1 == asoc->mapping_array_base_tsn) {
			asoc->highest_tsn_inside_nr_map += (slide_from << 3);
		}
		asoc->mapping_array_base_tsn += (slide_from << 3);
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
			sctp_log_map(asoc->mapping_array_base_tsn,
				     asoc->cumulative_tsn, asoc->highest_tsn_inside_map,
				     SCTP_MAP_SLIDE_RESULT);
		}
	}
}
}

void
sctp_sack_check(struct sctp_tcb *stcb, int was_a_gap)
{
struct sctp_association *asoc;
uint32_t highest_tsn;
int is_a_gap;

sctp_slide_mapping_arrays(stcb);
asoc = &stcb->asoc;
if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
	highest_tsn = asoc->highest_tsn_inside_nr_map;
} else {
	highest_tsn = asoc->highest_tsn_inside_map;
}
/* Is there a gap now? */
is_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);

/*
 * Now we need to see if we need to queue a sack or just start the
 * timer (if allowed).
 */
if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) {
	/*
	 * Ok special case, in SHUTDOWN-SENT case. here we
	 * maker sure SACK timer is off and instead send a
	 * SHUTDOWN and a SACK
	 */
	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
		sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
		                stcb->sctp_ep, stcb, NULL,
		                SCTP_FROM_SCTP_INDATA + SCTP_LOC_19);
	}
	sctp_send_shutdown(stcb,
	                   ((stcb->asoc.alternate) ? stcb->asoc.alternate : stcb->asoc.primary_destination));
	if (is_a_gap) {
		sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
	}
} else {
	/*
	 * CMT DAC algorithm: increase number of packets
	 * received since last ack
	 */
	stcb->asoc.cmt_dac_pkts_rcvd++;

	if ((stcb->asoc.send_sack == 1) ||      /* We need to send a SACK */
	    ((was_a_gap) && (is_a_gap == 0)) ||	/* was a gap, but no
	                                         * longer is one */
	    (stcb->asoc.numduptsns) ||          /* we have dup's */
	    (is_a_gap) ||                       /* is still a gap */
	    (stcb->asoc.delayed_ack == 0) ||    /* Delayed sack disabled */
	    (stcb->asoc.data_pkts_seen >= stcb->asoc.sack_freq)) {	/* hit limit of pkts */
		if ((stcb->asoc.sctp_cmt_on_off > 0) &&
		    (SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) &&
		    (stcb->asoc.send_sack == 0) &&
		    (stcb->asoc.numduptsns == 0) &&
		    (stcb->asoc.delayed_ack) &&
		    (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer))) {
			/*
			 * CMT DAC algorithm: With CMT,
			 * delay acks even in the face of
			 * reordering. Therefore, if acks
			 * that do not have to be sent
			 * because of the above reasons,
			 * will be delayed. That is, acks
			 * that would have been sent due to
			 * gap reports will be delayed with
			 * DAC. Start the delayed ack timer.
			 */
			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
			                 stcb->sctp_ep, stcb, NULL);
		} else {
			/*
			 * Ok we must build a SACK since the
			 * timer is pending, we got our
			 * first packet OR there are gaps or
			 * duplicates.
			 */
			sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL,
			                SCTP_FROM_SCTP_INDATA + SCTP_LOC_20);
			sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
		}
	} else {
		if (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
			                 stcb->sctp_ep, stcb, NULL);
		}
	}
}
}

int
sctp_process_data(struct mbuf **mm, int iphlen, int *offset, int length,
                 struct sctp_inpcb *inp, struct sctp_tcb *stcb,
                 struct sctp_nets *net, uint32_t *high_tsn)
{
struct sctp_chunkhdr *ch, chunk_buf;
struct sctp_association *asoc;
int num_chunks = 0;	/* number of control chunks processed */
int stop_proc = 0;
int break_flag, last_chunk;
int abort_flag = 0, was_a_gap;
struct mbuf *m;
uint32_t highest_tsn;
uint16_t chk_length;

/* set the rwnd */
sctp_set_rwnd(stcb, &stcb->asoc);

m = *mm;
SCTP_TCB_LOCK_ASSERT(stcb);
asoc = &stcb->asoc;
if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
	highest_tsn = asoc->highest_tsn_inside_nr_map;
} else {
	highest_tsn = asoc->highest_tsn_inside_map;
}
was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
/*
 * setup where we got the last DATA packet from for any SACK that
 * may need to go out. Don't bump the net. This is done ONLY when a
 * chunk is assigned.
 */
asoc->last_data_chunk_from = net;

/*-
 * Now before we proceed we must figure out if this is a wasted
 * cluster... i.e. it is a small packet sent in and yet the driver
 * underneath allocated a full cluster for it. If so we must copy it
 * to a smaller mbuf and free up the cluster mbuf. This will help
 * with cluster starvation.
 */
if (SCTP_BUF_LEN(m) < (long)MLEN && SCTP_BUF_NEXT(m) == NULL) {
	/* we only handle mbufs that are singletons.. not chains */
	m = sctp_get_mbuf_for_msg(SCTP_BUF_LEN(m), 0, M_NOWAIT, 1, MT_DATA);
	if (m) {
		/* ok lets see if we can copy the data up */
		caddr_t *from, *to;
		/* get the pointers and copy */
		to = mtod(m, caddr_t *);
		from = mtod((*mm), caddr_t *);
		memcpy(to, from, SCTP_BUF_LEN((*mm)));
		/* copy the length and free up the old */
		SCTP_BUF_LEN(m) = SCTP_BUF_LEN((*mm));
		sctp_m_freem(*mm);
		/* success, back copy */
		*mm = m;
	} else {
		/* We are in trouble in the mbuf world .. yikes */
		m = *mm;
	}
}
/* get pointer to the first chunk header */
ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
                                           sizeof(struct sctp_chunkhdr),
                                           (uint8_t *)&chunk_buf);
if (ch == NULL) {
	return (1);
}
/*
 * process all DATA chunks...
 */
*high_tsn = asoc->cumulative_tsn;
break_flag = 0;
asoc->data_pkts_seen++;
while (stop_proc == 0) {
	/* validate chunk length */
	chk_length = ntohs(ch->chunk_length);
	if (length - *offset < chk_length) {
		/* all done, mutulated chunk */
		stop_proc = 1;
		continue;
	}
	if ((asoc->idata_supported == 1) &&
	    (ch->chunk_type == SCTP_DATA)) {
		struct mbuf *op_err;
		char msg[SCTP_DIAG_INFO_LEN];

		SCTP_SNPRINTF(msg, sizeof(msg), "%s", "DATA chunk received when I-DATA was negotiated");
		op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
		stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_21;
		sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
		return (2);
	}
	if ((asoc->idata_supported == 0) &&
	    (ch->chunk_type == SCTP_IDATA)) {
		struct mbuf *op_err;
		char msg[SCTP_DIAG_INFO_LEN];

		SCTP_SNPRINTF(msg, sizeof(msg), "%s", "I-DATA chunk received when DATA was negotiated");
		op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
		stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_22;
		sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
		return (2);
	}
	if ((ch->chunk_type == SCTP_DATA) ||
	    (ch->chunk_type == SCTP_IDATA)) {
		uint16_t clen;

		if (ch->chunk_type == SCTP_DATA) {
			clen = sizeof(struct sctp_data_chunk);
		} else {
			clen = sizeof(struct sctp_idata_chunk);
		}
		if (chk_length < clen) {
			/*
			 * Need to send an abort since we had a
			 * invalid data chunk.
			 */
			struct mbuf *op_err;
			char msg[SCTP_DIAG_INFO_LEN];

			SCTP_SNPRINTF(msg, sizeof(msg), "%s chunk of length %u",
			              ch->chunk_type == SCTP_DATA ? "DATA" : "I-DATA",
			              chk_length);
			op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
			stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_23;
			sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
			return (2);
		}
#ifdef SCTP_AUDITING_ENABLED
		sctp_audit_log(0xB1, 0);
#endif
		if (SCTP_SIZE32(chk_length) == (length - *offset)) {
			last_chunk = 1;
		} else {
			last_chunk = 0;
		}
		if (sctp_process_a_data_chunk(stcb, asoc, mm, *offset,
					      chk_length, net, high_tsn, &abort_flag, &break_flag,
					      last_chunk, ch->chunk_type)) {
			num_chunks++;
		}
		if (abort_flag)
			return (2);

		if (break_flag) {
			/*
			 * Set because of out of rwnd space and no
			 * drop rep space left.
			 */
			stop_proc = 1;
			continue;
		}
	} else {
		/* not a data chunk in the data region */
		switch (ch->chunk_type) {
		case SCTP_INITIATION:
		case SCTP_INITIATION_ACK:
		case SCTP_SELECTIVE_ACK:
		case SCTP_NR_SELECTIVE_ACK:
		case SCTP_HEARTBEAT_REQUEST:
		case SCTP_HEARTBEAT_ACK:
		case SCTP_ABORT_ASSOCIATION:
		case SCTP_SHUTDOWN:
		case SCTP_SHUTDOWN_ACK:
		case SCTP_OPERATION_ERROR:
		case SCTP_COOKIE_ECHO:
		case SCTP_COOKIE_ACK:
		case SCTP_ECN_ECHO:
		case SCTP_ECN_CWR:
		case SCTP_SHUTDOWN_COMPLETE:
		case SCTP_AUTHENTICATION:
		case SCTP_ASCONF_ACK:
		case SCTP_PACKET_DROPPED:
		case SCTP_STREAM_RESET:
		case SCTP_FORWARD_CUM_TSN:
		case SCTP_ASCONF:
		{
			/*
			 * Now, what do we do with KNOWN chunks that
			 * are NOT in the right place?
			 *
			 * For now, I do nothing but ignore them. We
			 * may later want to add sysctl stuff to
			 * switch out and do either an ABORT() or
			 * possibly process them.
			 */
			struct mbuf *op_err;
			char msg[SCTP_DIAG_INFO_LEN];

			SCTP_SNPRINTF(msg, sizeof(msg), "DATA chunk followed by chunk of type %2.2x",
			              ch->chunk_type);
			op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
			sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
			return (2);
		}
		default:
			/*
			 * Unknown chunk type: use bit rules after
			 * checking length
			 */
			if (chk_length < sizeof(struct sctp_chunkhdr)) {
				/*
				 * Need to send an abort since we had a
				 * invalid chunk.
				 */
				struct mbuf *op_err;
				char msg[SCTP_DIAG_INFO_LEN];

				SCTP_SNPRINTF(msg, sizeof(msg), "Chunk of length %u", chk_length);
				op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
				stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24;
				sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
				return (2);
			}
			if (ch->chunk_type & 0x40) {
				/* Add a error report to the queue */
				struct mbuf *op_err;
				struct sctp_gen_error_cause *cause;

				op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause),
				                               0, M_NOWAIT, 1, MT_DATA);
				if (op_err != NULL) {
					cause  = mtod(op_err, struct sctp_gen_error_cause *);
					cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK);
					cause->length = htons((uint16_t)(chk_length + sizeof(struct sctp_gen_error_cause)));
					SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
					SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, chk_length, M_NOWAIT);
					if (SCTP_BUF_NEXT(op_err) != NULL) {
						sctp_queue_op_err(stcb, op_err);
					} else {
						sctp_m_freem(op_err);
					}
				}
			}
			if ((ch->chunk_type & 0x80) == 0) {
				/* discard the rest of this packet */
				stop_proc = 1;
			}	/* else skip this bad chunk and
				 * continue... */
			break;
		}	/* switch of chunk type */
	}
	*offset += SCTP_SIZE32(chk_length);
	if ((*offset >= length) || stop_proc) {
		/* no more data left in the mbuf chain */
		stop_proc = 1;
		continue;
	}
	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
	                                           sizeof(struct sctp_chunkhdr),
	                                           (uint8_t *)&chunk_buf);
	if (ch == NULL) {
		*offset = length;
		stop_proc = 1;
		continue;
	}
}
if (break_flag) {
	/*
	 * we need to report rwnd overrun drops.
	 */
	sctp_send_packet_dropped(stcb, net, *mm, length, iphlen, 0);
}
if (num_chunks) {
	/*
	 * Did we get data, if so update the time for auto-close and
	 * give peer credit for being alive.
	 */
	SCTP_STAT_INCR(sctps_recvpktwithdata);
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
		sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
			       stcb->asoc.overall_error_count,
			       0,
			       SCTP_FROM_SCTP_INDATA,
			       __LINE__);
	}
	stcb->asoc.overall_error_count = 0;
	(void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_last_rcvd);
}
/* now service all of the reassm queue if needed */
if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) {
	/* Assure that we ack right away */
	stcb->asoc.send_sack = 1;
}
/* Start a sack timer or QUEUE a SACK for sending */
sctp_sack_check(stcb, was_a_gap);
return (0);
}

static int
sctp_process_segment_range(struct sctp_tcb *stcb, struct sctp_tmit_chunk **p_tp1, uint32_t last_tsn,
		   uint16_t frag_strt, uint16_t frag_end, int nr_sacking,
		   int *num_frs,
		   uint32_t *biggest_newly_acked_tsn,
		   uint32_t  *this_sack_lowest_newack,
		   int *rto_ok)
{
struct sctp_tmit_chunk *tp1;
unsigned int theTSN;
int j, wake_him = 0, circled = 0;

/* Recover the tp1 we last saw */
tp1 = *p_tp1;
if (tp1 == NULL) {
	tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
}
for (j = frag_strt; j <= frag_end; j++) {
	theTSN = j + last_tsn;
	while (tp1) {
		if (tp1->rec.data.doing_fast_retransmit)
			(*num_frs) += 1;

		/*-
		 * CMT: CUCv2 algorithm. For each TSN being
		 * processed from the sent queue, track the
		 * next expected pseudo-cumack, or
		 * rtx_pseudo_cumack, if required. Separate
		 * cumack trackers for first transmissions,
		 * and retransmissions.
		 */
		if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
		    (tp1->whoTo->find_pseudo_cumack == 1) &&
		    (tp1->snd_count == 1)) {
			tp1->whoTo->pseudo_cumack = tp1->rec.data.tsn;
			tp1->whoTo->find_pseudo_cumack = 0;
		}
		if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
		    (tp1->whoTo->find_rtx_pseudo_cumack == 1) &&
		    (tp1->snd_count > 1)) {
			tp1->whoTo->rtx_pseudo_cumack = tp1->rec.data.tsn;
			tp1->whoTo->find_rtx_pseudo_cumack = 0;
		}
		if (tp1->rec.data.tsn == theTSN) {
			if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
				/*-
				 * must be held until
				 * cum-ack passes
				 */
				if (tp1->sent < SCTP_DATAGRAM_RESEND) {
					/*-
					 * If it is less than RESEND, it is
					 * now no-longer in flight.
					 * Higher values may already be set
					 * via previous Gap Ack Blocks...
					 * i.e. ACKED or RESEND.
					 */
					if (SCTP_TSN_GT(tp1->rec.data.tsn,
					                *biggest_newly_acked_tsn)) {
						*biggest_newly_acked_tsn = tp1->rec.data.tsn;
					}
					/*-
					 * CMT: SFR algo (and HTNA) - set
					 * saw_newack to 1 for dest being
					 * newly acked. update
					 * this_sack_highest_newack if
					 * appropriate.
					 */
					if (tp1->rec.data.chunk_was_revoked == 0)
						tp1->whoTo->saw_newack = 1;

					if (SCTP_TSN_GT(tp1->rec.data.tsn,
					                tp1->whoTo->this_sack_highest_newack)) {
						tp1->whoTo->this_sack_highest_newack =
							tp1->rec.data.tsn;
					}
					/*-
					 * CMT DAC algo: also update
					 * this_sack_lowest_newack
					 */
					if (*this_sack_lowest_newack == 0) {
						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
							sctp_log_sack(*this_sack_lowest_newack,
								      last_tsn,
								      tp1->rec.data.tsn,
								      0,
								      0,
								      SCTP_LOG_TSN_ACKED);
						}
						*this_sack_lowest_newack = tp1->rec.data.tsn;
					}
					/*-
					 * CMT: CUCv2 algorithm. If (rtx-)pseudo-cumack for corresp
					 * dest is being acked, then we have a new (rtx-)pseudo-cumack. Set
					 * new_(rtx_)pseudo_cumack to TRUE so that the cwnd for this dest can be
					 * updated. Also trigger search for the next expected (rtx-)pseudo-cumack.
					 * Separate pseudo_cumack trackers for first transmissions and
					 * retransmissions.
					 */
					if (tp1->rec.data.tsn == tp1->whoTo->pseudo_cumack) {
						if (tp1->rec.data.chunk_was_revoked == 0) {
							tp1->whoTo->new_pseudo_cumack = 1;
						}
						tp1->whoTo->find_pseudo_cumack = 1;
					}
					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
						sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
					}
					if (tp1->rec.data.tsn == tp1->whoTo->rtx_pseudo_cumack) {
						if (tp1->rec.data.chunk_was_revoked == 0) {
							tp1->whoTo->new_pseudo_cumack = 1;
						}
						tp1->whoTo->find_rtx_pseudo_cumack = 1;
					}
					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
						sctp_log_sack(*biggest_newly_acked_tsn,
							      last_tsn,
							      tp1->rec.data.tsn,
							      frag_strt,
							      frag_end,
							      SCTP_LOG_TSN_ACKED);
					}
					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
						sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_GAP,
							       tp1->whoTo->flight_size,
							       tp1->book_size,
							       (uint32_t)(uintptr_t)tp1->whoTo,
							       tp1->rec.data.tsn);
					}
					sctp_flight_size_decrease(tp1);
					if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
						(*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
													     tp1);
					}
					sctp_total_flight_decrease(stcb, tp1);

					tp1->whoTo->net_ack += tp1->send_size;
					if (tp1->snd_count < 2) {
						/*-
						 * True non-retransmitted chunk
						 */
						tp1->whoTo->net_ack2 += tp1->send_size;

						/*-
						 * update RTO too ?
						 */
						if (tp1->do_rtt) {
							if (*rto_ok &&
							    sctp_calculate_rto(stcb,
							                       &stcb->asoc,
							                       tp1->whoTo,
							                       &tp1->sent_rcv_time,
							                       SCTP_RTT_FROM_DATA)) {
								*rto_ok = 0;
							}
							if (tp1->whoTo->rto_needed == 0) {
								tp1->whoTo->rto_needed = 1;
							}
							tp1->do_rtt = 0;
						}
					}
				}
				if (tp1->sent <= SCTP_DATAGRAM_RESEND) {
					if (SCTP_TSN_GT(tp1->rec.data.tsn,
					                stcb->asoc.this_sack_highest_gap)) {
						stcb->asoc.this_sack_highest_gap =
							tp1->rec.data.tsn;
					}
					if (tp1->sent == SCTP_DATAGRAM_RESEND) {
						sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
#ifdef SCTP_AUDITING_ENABLED
						sctp_audit_log(0xB2,
							       (stcb->asoc.sent_queue_retran_cnt & 0x000000ff));
#endif
					}
				}
				/*-
				 * All chunks NOT UNSENT fall through here and are marked
				 * (leave PR-SCTP ones that are to skip alone though)
				 */
				if ((tp1->sent != SCTP_FORWARD_TSN_SKIP) &&
				    (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
					tp1->sent = SCTP_DATAGRAM_MARKED;
				}
				if (tp1->rec.data.chunk_was_revoked) {
					/* deflate the cwnd */
					tp1->whoTo->cwnd -= tp1->book_size;
					tp1->rec.data.chunk_was_revoked = 0;
				}
				/* NR Sack code here */
				if (nr_sacking &&
				    (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
					if (stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
						stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues--;
#ifdef INVARIANTS
					} else {
						panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
#endif
					}
					if ((stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
					    (stcb->asoc.strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
					    TAILQ_EMPTY(&stcb->asoc.strmout[tp1->rec.data.sid].outqueue)) {
						stcb->asoc.trigger_reset = 1;
					}
					tp1->sent = SCTP_DATAGRAM_NR_ACKED;
					if (tp1->data) {
						/* sa_ignore NO_NULL_CHK */
						sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1);
						sctp_m_freem(tp1->data);
						tp1->data = NULL;
					}
					wake_him++;
				}
			}
			break;
		}	/* if (tp1->tsn == theTSN) */
		if (SCTP_TSN_GT(tp1->rec.data.tsn, theTSN)) {
			break;
		}
		tp1 = TAILQ_NEXT(tp1, sctp_next);
		if ((tp1 == NULL) && (circled == 0)) {
			circled++;
			tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
		}
	}	/* end while (tp1) */
	if (tp1 == NULL) {
		circled = 0;
		tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
	}
	/* In case the fragments were not in order we must reset */
} /* end for (j = fragStart */
*p_tp1 = tp1;
return (wake_him);	/* Return value only used for nr-sack */
}

static int
sctp_handle_segments(struct mbuf *m, int *offset, struct sctp_tcb *stcb, struct sctp_association *asoc,
	uint32_t last_tsn, uint32_t *biggest_tsn_acked,
	uint32_t *biggest_newly_acked_tsn, uint32_t *this_sack_lowest_newack,
	int num_seg, int num_nr_seg, int *rto_ok)
{
struct sctp_gap_ack_block *frag, block;
struct sctp_tmit_chunk *tp1;
int i;
int num_frs = 0;
int chunk_freed;
int non_revocable;
uint16_t frag_strt, frag_end, prev_frag_end;

tp1 = TAILQ_FIRST(&asoc->sent_queue);
prev_frag_end = 0;
chunk_freed = 0;

for (i = 0; i < (num_seg + num_nr_seg); i++) {
	if (i == num_seg) {
		prev_frag_end = 0;
		tp1 = TAILQ_FIRST(&asoc->sent_queue);
	}
	frag = (struct sctp_gap_ack_block *)sctp_m_getptr(m, *offset,
	                                                  sizeof(struct sctp_gap_ack_block), (uint8_t *) &block);
	*offset += sizeof(block);
	if (frag == NULL) {
		return (chunk_freed);
	}
	frag_strt = ntohs(frag->start);
	frag_end = ntohs(frag->end);

	if (frag_strt > frag_end) {
		/* This gap report is malformed, skip it. */
		continue;
	}
	if (frag_strt <= prev_frag_end) {
		/* This gap report is not in order, so restart. */
		 tp1 = TAILQ_FIRST(&asoc->sent_queue);
	}
	if (SCTP_TSN_GT((last_tsn + frag_end), *biggest_tsn_acked)) {
		*biggest_tsn_acked = last_tsn + frag_end;
	}
	if (i < num_seg) {
		non_revocable = 0;
	} else {
		non_revocable = 1;
	}
	if (sctp_process_segment_range(stcb, &tp1, last_tsn, frag_strt, frag_end,
	                               non_revocable, &num_frs, biggest_newly_acked_tsn,
	                               this_sack_lowest_newack, rto_ok)) {
		chunk_freed = 1;
	}
	prev_frag_end = frag_end;
}
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
	if (num_frs)
		sctp_log_fr(*biggest_tsn_acked,
		            *biggest_newly_acked_tsn,
		            last_tsn, SCTP_FR_LOG_BIGGEST_TSNS);
}
return (chunk_freed);
}

static void
sctp_check_for_revoked(struct sctp_tcb *stcb,
	       struct sctp_association *asoc, uint32_t cumack,
	       uint32_t biggest_tsn_acked)
{
struct sctp_tmit_chunk *tp1;

TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
	if (SCTP_TSN_GT(tp1->rec.data.tsn, cumack)) {
		/*
		 * ok this guy is either ACK or MARKED. If it is
		 * ACKED it has been previously acked but not this
		 * time i.e. revoked.  If it is MARKED it was ACK'ed
		 * again.
		 */
		if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked)) {
			break;
		}
		if (tp1->sent == SCTP_DATAGRAM_ACKED) {
			/* it has been revoked */
			tp1->sent = SCTP_DATAGRAM_SENT;
			tp1->rec.data.chunk_was_revoked = 1;
			/* We must add this stuff back in to
			 * assure timers and such get started.
			 */
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
				sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
					       tp1->whoTo->flight_size,
					       tp1->book_size,
					       (uint32_t)(uintptr_t)tp1->whoTo,
					       tp1->rec.data.tsn);
			}
			sctp_flight_size_increase(tp1);
			sctp_total_flight_increase(stcb, tp1);
			/* We inflate the cwnd to compensate for our
			 * artificial inflation of the flight_size.
			 */
			tp1->whoTo->cwnd += tp1->book_size;
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
				sctp_log_sack(asoc->last_acked_seq,
					      cumack,
					      tp1->rec.data.tsn,
					      0,
					      0,
					      SCTP_LOG_TSN_REVOKED);
			}
		} else if (tp1->sent == SCTP_DATAGRAM_MARKED) {
			/* it has been re-acked in this SACK */
			tp1->sent = SCTP_DATAGRAM_ACKED;
		}
	}
	if (tp1->sent == SCTP_DATAGRAM_UNSENT)
		break;
}
}

static void
sctp_strike_gap_ack_chunks(struct sctp_tcb *stcb, struct sctp_association *asoc,
		   uint32_t biggest_tsn_acked, uint32_t biggest_tsn_newly_acked, uint32_t this_sack_lowest_newack, int accum_moved)
{
struct sctp_tmit_chunk *tp1;
int strike_flag = 0;
struct timeval now;
uint32_t sending_seq;
struct sctp_nets *net;
int num_dests_sacked = 0;

/*
 * select the sending_seq, this is either the next thing ready to be
 * sent but not transmitted, OR, the next seq we assign.
 */
tp1 = TAILQ_FIRST(&stcb->asoc.send_queue);
if (tp1 == NULL) {
	sending_seq = asoc->sending_seq;
} else {
	sending_seq = tp1->rec.data.tsn;
}

/* CMT DAC algo: finding out if SACK is a mixed SACK */
if ((asoc->sctp_cmt_on_off > 0) &&
    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
		if (net->saw_newack)
			num_dests_sacked++;
	}
}
if (stcb->asoc.prsctp_supported) {
	(void)SCTP_GETTIME_TIMEVAL(&now);
}
TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
	strike_flag = 0;
	if (tp1->no_fr_allowed) {
		/* this one had a timeout or something */
		continue;
	}
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
		if (tp1->sent < SCTP_DATAGRAM_RESEND)
			sctp_log_fr(biggest_tsn_newly_acked,
				    tp1->rec.data.tsn,
				    tp1->sent,
				    SCTP_FR_LOG_CHECK_STRIKE);
	}
	if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked) ||
	    tp1->sent == SCTP_DATAGRAM_UNSENT) {
		/* done */
		break;
	}
	if (stcb->asoc.prsctp_supported) {
		if ((PR_SCTP_TTL_ENABLED(tp1->flags)) && tp1->sent < SCTP_DATAGRAM_ACKED) {
			/* Is it expired? */
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
			if (timercmp(&now, &tp1->rec.data.timetodrop, >)) {
#else
			if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
#endif
				/* Yes so drop it */
				if (tp1->data != NULL) {
					(void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
									 SCTP_SO_NOT_LOCKED);
				}
				continue;
			}
		}
	}
	if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->this_sack_highest_gap) &&
	                !(accum_moved && asoc->fast_retran_loss_recovery)) {
		/* we are beyond the tsn in the sack  */
		break;
	}
	if (tp1->sent >= SCTP_DATAGRAM_RESEND) {
		/* either a RESEND, ACKED, or MARKED */
		/* skip */
		if (tp1->sent == SCTP_FORWARD_TSN_SKIP) {
			/* Continue strikin FWD-TSN chunks */
			tp1->rec.data.fwd_tsn_cnt++;
		}
		continue;
	}
	/*
	 * CMT : SFR algo (covers part of DAC and HTNA as well)
	 */
	if (tp1->whoTo && tp1->whoTo->saw_newack == 0) {
		/*
		 * No new acks were received for data sent to this
		 * dest. Therefore, according to the SFR algo for
		 * CMT, no data sent to this dest can be marked for
		 * FR using this SACK.
		 */
		continue;
	} else if (tp1->whoTo &&
	           SCTP_TSN_GT(tp1->rec.data.tsn,
	                       tp1->whoTo->this_sack_highest_newack) &&
	           !(accum_moved && asoc->fast_retran_loss_recovery)) {
		/*
		 * CMT: New acks were received for data sent to
		 * this dest. But no new acks were seen for data
		 * sent after tp1. Therefore, according to the SFR
		 * algo for CMT, tp1 cannot be marked for FR using
		 * this SACK. This step covers part of the DAC algo
		 * and the HTNA algo as well.
		 */
		continue;
	}
	/*
	 * Here we check to see if we were have already done a FR
	 * and if so we see if the biggest TSN we saw in the sack is
	 * smaller than the recovery point. If so we don't strike
	 * the tsn... otherwise we CAN strike the TSN.
	 */
	/*
	 * @@@ JRI: Check for CMT
	 * if (accum_moved && asoc->fast_retran_loss_recovery && (sctp_cmt_on_off == 0)) {
	 */
	if (accum_moved && asoc->fast_retran_loss_recovery) {
		/*
		 * Strike the TSN if in fast-recovery and cum-ack
		 * moved.
		 */
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
			sctp_log_fr(biggest_tsn_newly_acked,
				    tp1->rec.data.tsn,
				    tp1->sent,
				    SCTP_FR_LOG_STRIKE_CHUNK);
		}
		if (tp1->sent < SCTP_DATAGRAM_RESEND) {
			tp1->sent++;
		}
		if ((asoc->sctp_cmt_on_off > 0) &&
		    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
			/*
			 * CMT DAC algorithm: If SACK flag is set to
			 * 0, then lowest_newack test will not pass
			 * because it would have been set to the
			 * cumack earlier. If not already to be
			 * rtx'd, If not a mixed sack and if tp1 is
			 * not between two sacked TSNs, then mark by
			 * one more.
			 * NOTE that we are marking by one additional time since the SACK DAC flag indicates that
			 * two packets have been received after this missing TSN.
			 */
			if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
			    SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) {
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
					sctp_log_fr(16 + num_dests_sacked,
						    tp1->rec.data.tsn,
						    tp1->sent,
						    SCTP_FR_LOG_STRIKE_CHUNK);
				}
				tp1->sent++;
			}
		}
	} else if ((tp1->rec.data.doing_fast_retransmit) &&
	           (asoc->sctp_cmt_on_off == 0)) {
		/*
		 * For those that have done a FR we must take
		 * special consideration if we strike. I.e the
		 * biggest_newly_acked must be higher than the
		 * sending_seq at the time we did the FR.
		 */
		if (
#ifdef SCTP_FR_TO_ALTERNATE
			/*
			 * If FR's go to new networks, then we must only do
			 * this for singly homed asoc's. However if the FR's
			 * go to the same network (Armando's work) then its
			 * ok to FR multiple times.
			 */
			(asoc->numnets < 2)
#else
			(1)
#endif
			) {
			if (SCTP_TSN_GE(biggest_tsn_newly_acked,
			                tp1->rec.data.fast_retran_tsn)) {
				/*
				 * Strike the TSN, since this ack is
				 * beyond where things were when we
				 * did a FR.
				 */
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
					sctp_log_fr(biggest_tsn_newly_acked,
						    tp1->rec.data.tsn,
						    tp1->sent,
						    SCTP_FR_LOG_STRIKE_CHUNK);
				}
				if (tp1->sent < SCTP_DATAGRAM_RESEND) {
					tp1->sent++;
				}
				strike_flag = 1;
				if ((asoc->sctp_cmt_on_off > 0) &&
				    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
					/*
					 * CMT DAC algorithm: If
					 * SACK flag is set to 0,
					 * then lowest_newack test
					 * will not pass because it
					 * would have been set to
					 * the cumack earlier. If
					 * not already to be rtx'd,
					 * If not a mixed sack and
					 * if tp1 is not between two
					 * sacked TSNs, then mark by
					 * one more.
					 * NOTE that we are marking by one additional time since the SACK DAC flag indicates that
					 * two packets have been received after this missing TSN.
					 */
					if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
					    (num_dests_sacked == 1) &&
					    SCTP_TSN_GT(this_sack_lowest_newack,
					                tp1->rec.data.tsn)) {
						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
							sctp_log_fr(32 + num_dests_sacked,
								    tp1->rec.data.tsn,
								    tp1->sent,
								    SCTP_FR_LOG_STRIKE_CHUNK);
						}
						if (tp1->sent < SCTP_DATAGRAM_RESEND) {
							tp1->sent++;
						}
					}
				}
			}
		}
		/*
		 * JRI: TODO: remove code for HTNA algo. CMT's
		 * SFR algo covers HTNA.
		 */
	} else if (SCTP_TSN_GT(tp1->rec.data.tsn,
	                       biggest_tsn_newly_acked)) {
		/*
		 * We don't strike these: This is the  HTNA
		 * algorithm i.e. we don't strike If our TSN is
		 * larger than the Highest TSN Newly Acked.
		 */
		;
	} else {
		/* Strike the TSN */
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
			sctp_log_fr(biggest_tsn_newly_acked,
				    tp1->rec.data.tsn,
				    tp1->sent,
				    SCTP_FR_LOG_STRIKE_CHUNK);
		}
		if (tp1->sent < SCTP_DATAGRAM_RESEND) {
			tp1->sent++;
		}
		if ((asoc->sctp_cmt_on_off > 0) &&
		    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
			/*
			 * CMT DAC algorithm: If SACK flag is set to
			 * 0, then lowest_newack test will not pass
			 * because it would have been set to the
			 * cumack earlier. If not already to be
			 * rtx'd, If not a mixed sack and if tp1 is
			 * not between two sacked TSNs, then mark by
			 * one more.
			 * NOTE that we are marking by one additional time since the SACK DAC flag indicates that
			 * two packets have been received after this missing TSN.
			 */
			if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
			    SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) {
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
					sctp_log_fr(48 + num_dests_sacked,
						    tp1->rec.data.tsn,
						    tp1->sent,
						    SCTP_FR_LOG_STRIKE_CHUNK);
				}
				tp1->sent++;
			}
		}
	}
	if (tp1->sent == SCTP_DATAGRAM_RESEND) {
		struct sctp_nets *alt;

		/* fix counts and things */
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
			sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_RSND,
				       (tp1->whoTo ? (tp1->whoTo->flight_size) : 0),
				       tp1->book_size,
				       (uint32_t)(uintptr_t)tp1->whoTo,
				       tp1->rec.data.tsn);
		}
		if (tp1->whoTo) {
			tp1->whoTo->net_ack++;
			sctp_flight_size_decrease(tp1);
			if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
				(*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
											     tp1);
			}
		}

		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
			sctp_log_rwnd(SCTP_INCREASE_PEER_RWND,
				      asoc->peers_rwnd, tp1->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
		}
		/* add back to the rwnd */
		asoc->peers_rwnd += (tp1->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));

		/* remove from the total flight */
		sctp_total_flight_decrease(stcb, tp1);

		if ((stcb->asoc.prsctp_supported) &&
		    (PR_SCTP_RTX_ENABLED(tp1->flags))) {
			/* Has it been retransmitted tv_sec times? - we store the retran count there. */
			if (tp1->snd_count > tp1->rec.data.timetodrop.tv_sec) {
				/* Yes, so drop it */
				if (tp1->data != NULL) {
					(void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
									 SCTP_SO_NOT_LOCKED);
				}
				/* Make sure to flag we had a FR */
				if (tp1->whoTo != NULL) {
					tp1->whoTo->net_ack++;
				}
				continue;
			}
		}
		/* SCTP_PRINTF("OK, we are now ready to FR this guy\n"); */
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
			sctp_log_fr(tp1->rec.data.tsn, tp1->snd_count,
				    0, SCTP_FR_MARKED);
		}
		if (strike_flag) {
			/* This is a subsequent FR */
			SCTP_STAT_INCR(sctps_sendmultfastretrans);
		}
		sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
		if (asoc->sctp_cmt_on_off > 0) {
			/*
			 * CMT: Using RTX_SSTHRESH policy for CMT.
			 * If CMT is being used, then pick dest with
			 * largest ssthresh for any retransmission.
			 */
			tp1->no_fr_allowed = 1;
			alt = tp1->whoTo;
			/*sa_ignore NO_NULL_CHK*/
			if (asoc->sctp_cmt_pf > 0) {
				/* JRS 5/18/07 - If CMT PF is on, use the PF version of find_alt_net() */
				alt = sctp_find_alternate_net(stcb, alt, 2);
			} else {
				/* JRS 5/18/07 - If only CMT is on, use the CMT version of find_alt_net() */
                                       /*sa_ignore NO_NULL_CHK*/
				alt = sctp_find_alternate_net(stcb, alt, 1);
			}
			if (alt == NULL) {
				alt = tp1->whoTo;
			}
			/*
			 * CUCv2: If a different dest is picked for
			 * the retransmission, then new
			 * (rtx-)pseudo_cumack needs to be tracked
			 * for orig dest. Let CUCv2 track new (rtx-)
			 * pseudo-cumack always.
			 */
			if (tp1->whoTo) {
				tp1->whoTo->find_pseudo_cumack = 1;
				tp1->whoTo->find_rtx_pseudo_cumack = 1;
			}
		} else {/* CMT is OFF */
#ifdef SCTP_FR_TO_ALTERNATE
			/* Can we find an alternate? */
			alt = sctp_find_alternate_net(stcb, tp1->whoTo, 0);
#else
			/*
			 * default behavior is to NOT retransmit
			 * FR's to an alternate. Armando Caro's
			 * paper details why.
			 */
			alt = tp1->whoTo;
#endif
		}

		tp1->rec.data.doing_fast_retransmit = 1;
		/* mark the sending seq for possible subsequent FR's */
		/*
		 * SCTP_PRINTF("Marking TSN for FR new value %x\n",
		 * (uint32_t)tpi->rec.data.tsn);
		 */
		if (TAILQ_EMPTY(&asoc->send_queue)) {
			/*
			 * If the queue of send is empty then its
			 * the next sequence number that will be
			 * assigned so we subtract one from this to
			 * get the one we last sent.
			 */
			tp1->rec.data.fast_retran_tsn = sending_seq;
		} else {
			/*
			 * If there are chunks on the send queue
			 * (unsent data that has made it from the
			 * stream queues but not out the door, we
			 * take the first one (which will have the
			 * lowest TSN) and subtract one to get the
			 * one we last sent.
			 */
			struct sctp_tmit_chunk *ttt;

			ttt = TAILQ_FIRST(&asoc->send_queue);
			tp1->rec.data.fast_retran_tsn =
				ttt->rec.data.tsn;
		}

		if (tp1->do_rtt) {
			/*
			 * this guy had a RTO calculation pending on
			 * it, cancel it
			 */
			if ((tp1->whoTo != NULL) &&
			    (tp1->whoTo->rto_needed == 0)) {
				tp1->whoTo->rto_needed = 1;
			}
			tp1->do_rtt = 0;
		}
		if (alt != tp1->whoTo) {
			/* yes, there is an alternate. */
			sctp_free_remote_addr(tp1->whoTo);
			/*sa_ignore FREED_MEMORY*/
			tp1->whoTo = alt;
			atomic_add_int(&alt->ref_count, 1);
		}
	}
}
}

struct sctp_tmit_chunk *
sctp_try_advance_peer_ack_point(struct sctp_tcb *stcb,
   struct sctp_association *asoc)
{
struct sctp_tmit_chunk *tp1, *tp2, *a_adv = NULL;
struct timeval now;
int now_filled = 0;

if (asoc->prsctp_supported == 0) {
	return (NULL);
}
TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
	if (tp1->sent != SCTP_FORWARD_TSN_SKIP &&
	    tp1->sent != SCTP_DATAGRAM_RESEND &&
	    tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
		/* no chance to advance, out of here */
		break;
	}
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
		if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
		    (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
				       asoc->advanced_peer_ack_point,
				       tp1->rec.data.tsn, 0, 0);
		}
	}
	if (!PR_SCTP_ENABLED(tp1->flags)) {
		/*
		 * We can't fwd-tsn past any that are reliable aka
		 * retransmitted until the asoc fails.
		 */
		break;
	}
	if (!now_filled) {
		(void)SCTP_GETTIME_TIMEVAL(&now);
		now_filled = 1;
	}
	/*
	 * now we got a chunk which is marked for another
	 * retransmission to a PR-stream but has run out its chances
	 * already maybe OR has been marked to skip now. Can we skip
	 * it if its a resend?
	 */
	if (tp1->sent == SCTP_DATAGRAM_RESEND &&
	    (PR_SCTP_TTL_ENABLED(tp1->flags))) {
		/*
		 * Now is this one marked for resend and its time is
		 * now up?
		 */
#if !(defined(__FreeBSD__) && !defined(__Userspace__))
		if (timercmp(&now, &tp1->rec.data.timetodrop, >)) {
#else
		if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
#endif
			/* Yes so drop it */
			if (tp1->data) {
				(void)sctp_release_pr_sctp_chunk(stcb, tp1,
				    1, SCTP_SO_NOT_LOCKED);
			}
		} else {
			/*
			 * No, we are done when hit one for resend
			 * whos time as not expired.
			 */
			break;
		}
	}
	/*
	 * Ok now if this chunk is marked to drop it we can clean up
	 * the chunk, advance our peer ack point and we can check
	 * the next chunk.
	 */
	if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
	    (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
		/* advance PeerAckPoint goes forward */
		if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->advanced_peer_ack_point)) {
			asoc->advanced_peer_ack_point = tp1->rec.data.tsn;
			a_adv = tp1;
		} else if (tp1->rec.data.tsn == asoc->advanced_peer_ack_point) {
			/* No update but we do save the chk */
			a_adv = tp1;
		}
	} else {
		/*
		 * If it is still in RESEND we can advance no
		 * further
		 */
		break;
	}
}
return (a_adv);
}

static int
sctp_fs_audit(struct sctp_association *asoc)
{
struct sctp_tmit_chunk *chk;
int inflight = 0, resend = 0, inbetween = 0, acked = 0, above = 0;
int ret;
#ifndef INVARIANTS
int entry_flight, entry_cnt;
#endif

ret = 0;
#ifndef INVARIANTS
entry_flight = asoc->total_flight;
entry_cnt = asoc->total_flight_count;
#endif
if (asoc->pr_sctp_cnt >= asoc->sent_queue_cnt)
	return (0);

TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
	if (chk->sent < SCTP_DATAGRAM_RESEND) {
		SCTP_PRINTF("Chk TSN: %u size: %d inflight cnt: %d\n",
		            chk->rec.data.tsn,
		            chk->send_size,
		            chk->snd_count);
		inflight++;
	} else if (chk->sent == SCTP_DATAGRAM_RESEND) {
		resend++;
	} else if (chk->sent < SCTP_DATAGRAM_ACKED) {
		inbetween++;
	} else if (chk->sent > SCTP_DATAGRAM_ACKED) {
		above++;
	} else {
		acked++;
	}
}

if ((inflight > 0) || (inbetween > 0)) {
#ifdef INVARIANTS
	panic("Flight size-express incorrect F: %d I: %d R: %d Ab: %d ACK: %d",
	      inflight, inbetween, resend, above, acked);
#else
	SCTP_PRINTF("asoc->total_flight: %d cnt: %d\n",
	            entry_flight, entry_cnt);
	SCTP_PRINTF("Flight size-express incorrect F: %d I: %d R: %d Ab: %d ACK: %d\n",
	            inflight, inbetween, resend, above, acked);
	ret = 1;
#endif
}
return (ret);
}

static void
sctp_window_probe_recovery(struct sctp_tcb *stcb,
                          struct sctp_association *asoc,
                          struct sctp_tmit_chunk *tp1)
{
tp1->window_probe = 0;
if ((tp1->sent >= SCTP_DATAGRAM_ACKED) || (tp1->data == NULL)) {
	/* TSN's skipped we do NOT move back. */
	sctp_misc_ints(SCTP_FLIGHT_LOG_DWN_WP_FWD,
		       tp1->whoTo ? tp1->whoTo->flight_size : 0,
		       tp1->book_size,
		       (uint32_t)(uintptr_t)tp1->whoTo,
		       tp1->rec.data.tsn);
	return;
}
/* First setup this by shrinking flight */
if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
	(*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
								     tp1);
}
sctp_flight_size_decrease(tp1);
sctp_total_flight_decrease(stcb, tp1);
/* Now mark for resend */
tp1->sent = SCTP_DATAGRAM_RESEND;
sctp_ucount_incr(asoc->sent_queue_retran_cnt);

if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
	sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_WP,
		       tp1->whoTo->flight_size,
		       tp1->book_size,
		       (uint32_t)(uintptr_t)tp1->whoTo,
		       tp1->rec.data.tsn);
}
}

void
sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
                        uint32_t rwnd, int *abort_now, int ecne_seen)
{
struct sctp_nets *net;
struct sctp_association *asoc;
struct sctp_tmit_chunk *tp1, *tp2;
uint32_t old_rwnd;
int win_probe_recovery = 0;
int win_probe_recovered = 0;
int j, done_once = 0;
int rto_ok = 1;
uint32_t send_s;

if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
	sctp_misc_ints(SCTP_SACK_LOG_EXPRESS, cumack,
	               rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
}
SCTP_TCB_LOCK_ASSERT(stcb);
#ifdef SCTP_ASOCLOG_OF_TSNS
stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cumack;
stcb->asoc.cumack_log_at++;
if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
	stcb->asoc.cumack_log_at = 0;
}
#endif
asoc = &stcb->asoc;
old_rwnd = asoc->peers_rwnd;
if (SCTP_TSN_GT(asoc->last_acked_seq, cumack)) {
	/* old ack */
	return;
} else if (asoc->last_acked_seq == cumack) {
	/* Window update sack */
	asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
					    (uint32_t) (asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
	if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
		/* SWS sender side engages */
		asoc->peers_rwnd = 0;
	}
	if (asoc->peers_rwnd > old_rwnd) {
		goto again;
	}
	return;
}

/* First setup for CC stuff */
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
	if (SCTP_TSN_GT(cumack, net->cwr_window_tsn)) {
		/* Drag along the window_tsn for cwr's */
		net->cwr_window_tsn = cumack;
	}
	net->prev_cwnd = net->cwnd;
	net->net_ack = 0;
	net->net_ack2 = 0;

	/*
	 * CMT: Reset CUC and Fast recovery algo variables before
	 * SACK processing
	 */
	net->new_pseudo_cumack = 0;
	net->will_exit_fast_recovery = 0;
	if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
		(*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack)(stcb, net);
	}
}
if (!TAILQ_EMPTY(&asoc->sent_queue)) {
	tp1 = TAILQ_LAST(&asoc->sent_queue,
			 sctpchunk_listhead);
	send_s = tp1->rec.data.tsn + 1;
} else {
	send_s = asoc->sending_seq;
}
if (SCTP_TSN_GE(cumack, send_s)) {
	struct mbuf *op_err;
	char msg[SCTP_DIAG_INFO_LEN];

	*abort_now = 1;
	/* XXX */
	SCTP_SNPRINTF(msg, sizeof(msg),
	              "Cum ack %8.8x greater or equal than TSN %8.8x",
	              cumack, send_s);
	op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
	stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_25;
	sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
	return;
}
asoc->this_sack_highest_gap = cumack;
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
	sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
		       stcb->asoc.overall_error_count,
		       0,
		       SCTP_FROM_SCTP_INDATA,
		       __LINE__);
}
stcb->asoc.overall_error_count = 0;
if (SCTP_TSN_GT(cumack, asoc->last_acked_seq)) {
	/* process the new consecutive TSN first */
	TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
		if (SCTP_TSN_GE(cumack, tp1->rec.data.tsn)) {
			if (tp1->sent == SCTP_DATAGRAM_UNSENT) {
				SCTP_PRINTF("Warning, an unsent is now acked?\n");
			}
			if (tp1->sent < SCTP_DATAGRAM_ACKED) {
				/*
				 * If it is less than ACKED, it is
				 * now no-longer in flight. Higher
				 * values may occur during marking
				 */
				if (tp1->sent < SCTP_DATAGRAM_RESEND) {
					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
						sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
							       tp1->whoTo->flight_size,
							       tp1->book_size,
							       (uint32_t)(uintptr_t)tp1->whoTo,
							       tp1->rec.data.tsn);
					}
					sctp_flight_size_decrease(tp1);
					if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
						(*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
													     tp1);
					}
					/* sa_ignore NO_NULL_CHK */
					sctp_total_flight_decrease(stcb, tp1);
				}
				tp1->whoTo->net_ack += tp1->send_size;
				if (tp1->snd_count < 2) {
					/*
					 * True non-retransmitted
					 * chunk
					 */
					tp1->whoTo->net_ack2 +=
						tp1->send_size;

					/* update RTO too? */
					if (tp1->do_rtt) {
						if (rto_ok &&
						    sctp_calculate_rto(stcb,
								       &stcb->asoc,
								       tp1->whoTo,
								       &tp1->sent_rcv_time,
								       SCTP_RTT_FROM_DATA)) {
							rto_ok = 0;
						}
						if (tp1->whoTo->rto_needed == 0) {
							tp1->whoTo->rto_needed = 1;
						}
						tp1->do_rtt = 0;
					}
				}
				/*
				 * CMT: CUCv2 algorithm. From the
				 * cumack'd TSNs, for each TSN being
				 * acked for the first time, set the
				 * following variables for the
				 * corresp destination.
				 * new_pseudo_cumack will trigger a
				 * cwnd update.
				 * find_(rtx_)pseudo_cumack will
				 * trigger search for the next
				 * expected (rtx-)pseudo-cumack.
				 */
				tp1->whoTo->new_pseudo_cumack = 1;
				tp1->whoTo->find_pseudo_cumack = 1;
				tp1->whoTo->find_rtx_pseudo_cumack = 1;
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
					/* sa_ignore NO_NULL_CHK */
					sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
				}
			}
			if (tp1->sent == SCTP_DATAGRAM_RESEND) {
				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
			}
			if (tp1->rec.data.chunk_was_revoked) {
				/* deflate the cwnd */
				tp1->whoTo->cwnd -= tp1->book_size;
				tp1->rec.data.chunk_was_revoked = 0;
			}
			if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
				if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
					asoc->strmout[tp1->rec.data.sid].chunks_on_queues--;
#ifdef INVARIANTS
				} else {
					panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
#endif
				}
			}
			if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
			    (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
			    TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) {
				asoc->trigger_reset = 1;
			}
			TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
			if (tp1->data) {
				/* sa_ignore NO_NULL_CHK */
				sctp_free_bufspace(stcb, asoc, tp1, 1);
				sctp_m_freem(tp1->data);
				tp1->data = NULL;
			}
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
				sctp_log_sack(asoc->last_acked_seq,
					      cumack,
					      tp1->rec.data.tsn,
					      0,
					      0,
					      SCTP_LOG_FREE_SENT);
			}
			asoc->sent_queue_cnt--;
			sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
		} else {
			break;
		}
	}
}
#if defined(__Userspace__)
if (stcb->sctp_ep->recv_callback) {
	if (stcb->sctp_socket) {
		uint32_t inqueue_bytes, sb_free_now;
		struct sctp_inpcb *inp;

		inp = stcb->sctp_ep;
		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
		sb_free_now = SCTP_SB_LIMIT_SND(stcb->sctp_socket) - (inqueue_bytes + stcb->asoc.sb_send_resv);

		/* check if the amount free in the send socket buffer crossed the threshold */
		if (inp->send_callback &&
		    (((inp->send_sb_threshold > 0) &&
		      (sb_free_now >= inp->send_sb_threshold) &&
		      (stcb->asoc.chunks_on_out_queue <= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) ||
		     (inp->send_sb_threshold == 0))) {
			atomic_add_int(&stcb->asoc.refcnt, 1);
			SCTP_TCB_UNLOCK(stcb);
			inp->send_callback(stcb->sctp_socket, sb_free_now, inp->ulp_info);
			SCTP_TCB_LOCK(stcb);
			atomic_subtract_int(&stcb->asoc.refcnt, 1);
		}
	}
} else if (stcb->sctp_socket) {
#else
/* sa_ignore NO_NULL_CHK */
if (stcb->sctp_socket) {
#endif
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;

#endif
	SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
		/* sa_ignore NO_NULL_CHK */
		sctp_wakeup_log(stcb, 1, SCTP_WAKESND_FROM_SACK);
	}
#if defined(__APPLE__) && !defined(__Userspace__)
	so = SCTP_INP_SO(stcb->sctp_ep);
	atomic_add_int(&stcb->asoc.refcnt, 1);
	SCTP_TCB_UNLOCK(stcb);
	SCTP_SOCKET_LOCK(so, 1);
	SCTP_TCB_LOCK(stcb);
	atomic_subtract_int(&stcb->asoc.refcnt, 1);
	if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
		/* assoc was freed while we were unlocked */
		SCTP_SOCKET_UNLOCK(so, 1);
		return;
	}
#endif
	sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
#if defined(__APPLE__) && !defined(__Userspace__)
	SCTP_SOCKET_UNLOCK(so, 1);
#endif
} else {
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
		sctp_wakeup_log(stcb, 1, SCTP_NOWAKE_FROM_SACK);
	}
}

/* JRS - Use the congestion control given in the CC module */
if ((asoc->last_acked_seq != cumack) && (ecne_seen == 0)) {
	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
		if (net->net_ack2 > 0) {
			/*
			 * Karn's rule applies to clearing error count, this
			 * is optional.
			 */
			net->error_count = 0;
			if ((net->dest_state & SCTP_ADDR_REACHABLE) == 0) {
				/* addr came good */
				net->dest_state |= SCTP_ADDR_REACHABLE;
				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
				                0, (void *)net, SCTP_SO_NOT_LOCKED);
			}
			if (net == stcb->asoc.primary_destination) {
				if (stcb->asoc.alternate) {
					/* release the alternate, primary is good */
					sctp_free_remote_addr(stcb->asoc.alternate);
					stcb->asoc.alternate = NULL;
				}
			}
			if (net->dest_state & SCTP_ADDR_PF) {
				net->dest_state &= ~SCTP_ADDR_PF;
				sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT,
				                stcb->sctp_ep, stcb, net,
				                SCTP_FROM_SCTP_INDATA + SCTP_LOC_26);
				sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
				asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
				/* Done with this net */
				net->net_ack = 0;
			}
			/* restore any doubled timers */
			net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
			if (net->RTO < stcb->asoc.minrto) {
				net->RTO = stcb->asoc.minrto;
			}
			if (net->RTO > stcb->asoc.maxrto) {
				net->RTO = stcb->asoc.maxrto;
			}
		}
	}
	asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, 1, 0, 0);
}
asoc->last_acked_seq = cumack;

if (TAILQ_EMPTY(&asoc->sent_queue)) {
	/* nothing left in-flight */
	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
		net->flight_size = 0;
		net->partial_bytes_acked = 0;
	}
	asoc->total_flight = 0;
	asoc->total_flight_count = 0;
}

/* RWND update */
asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
				    (uint32_t) (asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
	/* SWS sender side engages */
	asoc->peers_rwnd = 0;
}
if (asoc->peers_rwnd > old_rwnd) {
	win_probe_recovery = 1;
}
/* Now assure a timer where data is queued at */
again:
j = 0;
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
	if (win_probe_recovery && (net->window_probe)) {
		win_probe_recovered = 1;
		/*
		 * Find first chunk that was used with window probe
		 * and clear the sent
		 */
		/* sa_ignore FREED_MEMORY */
		TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
			if (tp1->window_probe) {
				/* move back to data send queue */
				sctp_window_probe_recovery(stcb, asoc, tp1);
				break;
			}
		}
	}
	if (net->flight_size) {
		j++;
		sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net);
		if (net->window_probe) {
			net->window_probe = 0;
		}
	} else {
		if (net->window_probe) {
			/* In window probes we must assure a timer is still running there */
			net->window_probe = 0;
			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
				sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net);
			}
		} else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
			sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
			                stcb, net,
			                SCTP_FROM_SCTP_INDATA + SCTP_LOC_27);
		}
	}
}
if ((j == 0) &&
    (!TAILQ_EMPTY(&asoc->sent_queue)) &&
    (asoc->sent_queue_retran_cnt == 0) &&
    (win_probe_recovered == 0) &&
    (done_once == 0)) {
	/* huh, this should not happen unless all packets
	 * are PR-SCTP and marked to skip of course.
	 */
	if (sctp_fs_audit(asoc)) {
		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
			net->flight_size = 0;
		}
		asoc->total_flight = 0;
		asoc->total_flight_count = 0;
		asoc->sent_queue_retran_cnt = 0;
		TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
			if (tp1->sent < SCTP_DATAGRAM_RESEND) {
				sctp_flight_size_increase(tp1);
				sctp_total_flight_increase(stcb, tp1);
			} else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
				sctp_ucount_incr(asoc->sent_queue_retran_cnt);
			}
		}
	}
	done_once = 1;
	goto again;
}
/**********************************/
/* Now what about shutdown issues */
/**********************************/
if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
	/* nothing left on sendqueue.. consider done */
	/* clean up */
	if ((asoc->stream_queue_cnt == 1) &&
	    ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
	     (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
	    ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete)(stcb, asoc))) {
		SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT);
	}
	if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
	     (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
	    (asoc->stream_queue_cnt == 1) &&
	    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
		struct mbuf *op_err;

		*abort_now = 1;
		/* XXX */
		op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
		stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_28;
		sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
		return;
	}
	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
	    (asoc->stream_queue_cnt == 0)) {
		struct sctp_nets *netp;

		if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
		    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
			SCTP_STAT_DECR_GAUGE32(sctps_currestab);
		}
		SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT);
		sctp_stop_timers_for_shutdown(stcb);
		if (asoc->alternate) {
			netp = asoc->alternate;
		} else {
			netp = asoc->primary_destination;
		}
		sctp_send_shutdown(stcb, netp);
		sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
				 stcb->sctp_ep, stcb, netp);
		sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
				 stcb->sctp_ep, stcb, NULL);
	} else if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
		   (asoc->stream_queue_cnt == 0)) {
		struct sctp_nets *netp;

		SCTP_STAT_DECR_GAUGE32(sctps_currestab);
		SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_ACK_SENT);
		sctp_stop_timers_for_shutdown(stcb);
		if (asoc->alternate) {
			netp = asoc->alternate;
		} else {
			netp = asoc->primary_destination;
		}
		sctp_send_shutdown_ack(stcb, netp);
		sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
				 stcb->sctp_ep, stcb, netp);
	}
}
/*********************************************/
/* Here we perform PR-SCTP procedures        */
/* (section 4.2)                             */
/*********************************************/
/* C1. update advancedPeerAckPoint */
if (SCTP_TSN_GT(cumack, asoc->advanced_peer_ack_point)) {
	asoc->advanced_peer_ack_point = cumack;
}
/* PR-Sctp issues need to be addressed too */
if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
	struct sctp_tmit_chunk *lchk;
	uint32_t old_adv_peer_ack_point;

	old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
	lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
	/* C3. See if we need to send a Fwd-TSN */
	if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cumack)) {
		/*
		 * ISSUE with ECN, see FWD-TSN processing.
		 */
		if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
			send_forward_tsn(stcb, asoc);
		} else if (lchk) {
			/* try to FR fwd-tsn's that get lost too */
			if (lchk->rec.data.fwd_tsn_cnt >= 3) {
				send_forward_tsn(stcb, asoc);
			}
		}
	}
	for (; lchk != NULL; lchk = TAILQ_NEXT(lchk, sctp_next)) {
		if (lchk->whoTo != NULL) {
			break;
		}
	}
	if (lchk != NULL) {
		/* Assure a timer is up */
		sctp_timer_start(SCTP_TIMER_TYPE_SEND,
		                 stcb->sctp_ep, stcb, lchk->whoTo);
	}
}
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
	sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
		       rwnd,
		       stcb->asoc.peers_rwnd,
		       stcb->asoc.total_flight,
		       stcb->asoc.total_output_queue_size);
}
}

void
sctp_handle_sack(struct mbuf *m, int offset_seg, int offset_dup,
                struct sctp_tcb *stcb,
                uint16_t num_seg, uint16_t num_nr_seg, uint16_t num_dup,
                int *abort_now, uint8_t flags,
                uint32_t cum_ack, uint32_t rwnd, int ecne_seen)
{
struct sctp_association *asoc;
struct sctp_tmit_chunk *tp1, *tp2;
uint32_t last_tsn, biggest_tsn_acked, biggest_tsn_newly_acked, this_sack_lowest_newack;
uint16_t wake_him = 0;
uint32_t send_s = 0;
long j;
int accum_moved = 0;
int will_exit_fast_recovery = 0;
uint32_t a_rwnd, old_rwnd;
int win_probe_recovery = 0;
int win_probe_recovered = 0;
struct sctp_nets *net = NULL;
int done_once;
int rto_ok = 1;
uint8_t reneged_all = 0;
uint8_t cmt_dac_flag;
/*
 * we take any chance we can to service our queues since we cannot
 * get awoken when the socket is read from :<
 */
/*
 * Now perform the actual SACK handling: 1) Verify that it is not an
 * old sack, if so discard. 2) If there is nothing left in the send
 * queue (cum-ack is equal to last acked) then you have a duplicate
 * too, update any rwnd change and verify no timers are running.
 * then return. 3) Process any new consecutive data i.e. cum-ack
 * moved process these first and note that it moved. 4) Process any
 * sack blocks. 5) Drop any acked from the queue. 6) Check for any
 * revoked blocks and mark. 7) Update the cwnd. 8) Nothing left,
 * sync up flightsizes and things, stop all timers and also check
 * for shutdown_pending state. If so then go ahead and send off the
 * shutdown. If in shutdown recv, send off the shutdown-ack and
 * start that timer, Ret. 9) Strike any non-acked things and do FR
 * procedure if needed being sure to set the FR flag. 10) Do pr-sctp
 * procedures. 11) Apply any FR penalties. 12) Assure we will SACK
 * if in shutdown_recv state.
 */
SCTP_TCB_LOCK_ASSERT(stcb);
/* CMT DAC algo */
this_sack_lowest_newack = 0;
SCTP_STAT_INCR(sctps_slowpath_sack);
last_tsn = cum_ack;
cmt_dac_flag = flags & SCTP_SACK_CMT_DAC;
#ifdef SCTP_ASOCLOG_OF_TSNS
stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cum_ack;
stcb->asoc.cumack_log_at++;
if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
	stcb->asoc.cumack_log_at = 0;
}
#endif
a_rwnd = rwnd;

if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
	sctp_misc_ints(SCTP_SACK_LOG_NORMAL, cum_ack,
	               rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
}

old_rwnd = stcb->asoc.peers_rwnd;
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
	sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
	               stcb->asoc.overall_error_count,
	               0,
	               SCTP_FROM_SCTP_INDATA,
	               __LINE__);
}
stcb->asoc.overall_error_count = 0;
asoc = &stcb->asoc;
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
	sctp_log_sack(asoc->last_acked_seq,
	              cum_ack,
	              0,
	              num_seg,
	              num_dup,
	              SCTP_LOG_NEW_SACK);
}
if ((num_dup) && (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE)) {
	uint16_t i;
	uint32_t *dupdata, dblock;

	for (i = 0; i < num_dup; i++) {
		dupdata = (uint32_t *)sctp_m_getptr(m, offset_dup + i * sizeof(uint32_t),
		                                    sizeof(uint32_t), (uint8_t *)&dblock);
		if (dupdata == NULL) {
			break;
		}
		sctp_log_fr(*dupdata, 0, 0, SCTP_FR_DUPED);
	}
}
/* reality check */
if (!TAILQ_EMPTY(&asoc->sent_queue)) {
	tp1 = TAILQ_LAST(&asoc->sent_queue,
			 sctpchunk_listhead);
	send_s = tp1->rec.data.tsn + 1;
} else {
	tp1 = NULL;
	send_s = asoc->sending_seq;
}
if (SCTP_TSN_GE(cum_ack, send_s)) {
	struct mbuf *op_err;
	char msg[SCTP_DIAG_INFO_LEN];

	/*
	 * no way, we have not even sent this TSN out yet.
	 * Peer is hopelessly messed up with us.
	 */
	SCTP_PRINTF("NEW cum_ack:%x send_s:%x is smaller or equal\n",
		    cum_ack, send_s);
	if (tp1) {
		SCTP_PRINTF("Got send_s from tsn:%x + 1 of tp1: %p\n",
			    tp1->rec.data.tsn, (void *)tp1);
	}
hopeless_peer:
	*abort_now = 1;
	/* XXX */
	SCTP_SNPRINTF(msg, sizeof(msg),
	              "Cum ack %8.8x greater or equal than TSN %8.8x",
	              cum_ack, send_s);
	op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
	stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_29;
	sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
	return;
}
/**********************/
/* 1) check the range */
/**********************/
if (SCTP_TSN_GT(asoc->last_acked_seq, last_tsn)) {
	/* acking something behind */
	return;
}

/* update the Rwnd of the peer */
if (TAILQ_EMPTY(&asoc->sent_queue) &&
    TAILQ_EMPTY(&asoc->send_queue) &&
    (asoc->stream_queue_cnt == 0)) {
	/* nothing left on send/sent and strmq */
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
		sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
		                  asoc->peers_rwnd, 0, 0, a_rwnd);
	}
	asoc->peers_rwnd = a_rwnd;
	if (asoc->sent_queue_retran_cnt) {
		asoc->sent_queue_retran_cnt = 0;
	}
	if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
		/* SWS sender side engages */
		asoc->peers_rwnd = 0;
	}
	/* stop any timers */
	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
		sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
		                stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_30);
		net->partial_bytes_acked = 0;
		net->flight_size = 0;
	}
	asoc->total_flight = 0;
	asoc->total_flight_count = 0;
	return;
}
/*
 * We init netAckSz and netAckSz2 to 0. These are used to track 2
 * things. The total byte count acked is tracked in netAckSz AND
 * netAck2 is used to track the total bytes acked that are un-
 * ambiguous and were never retransmitted. We track these on a per
 * destination address basis.
 */
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
	if (SCTP_TSN_GT(cum_ack, net->cwr_window_tsn)) {
		/* Drag along the window_tsn for cwr's */
		net->cwr_window_tsn = cum_ack;
	}
	net->prev_cwnd = net->cwnd;
	net->net_ack = 0;
	net->net_ack2 = 0;

	/*
	 * CMT: Reset CUC and Fast recovery algo variables before
	 * SACK processing
	 */
	net->new_pseudo_cumack = 0;
	net->will_exit_fast_recovery = 0;
	if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
		(*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack)(stcb, net);
	}

	/*
	 * CMT: SFR algo (and HTNA) - this_sack_highest_newack has
	 * to be greater than the cumack. Also reset saw_newack to 0
	 * for all dests.
	 */
	net->saw_newack = 0;
	net->this_sack_highest_newack = last_tsn;
}
/* process the new consecutive TSN first */
TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
	if (SCTP_TSN_GE(last_tsn, tp1->rec.data.tsn)) {
		if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
			accum_moved = 1;
			if (tp1->sent < SCTP_DATAGRAM_ACKED) {
				/*
				 * If it is less than ACKED, it is
				 * now no-longer in flight. Higher
				 * values may occur during marking
				 */
				if ((tp1->whoTo->dest_state &
				     SCTP_ADDR_UNCONFIRMED) &&
				    (tp1->snd_count < 2)) {
					/*
					 * If there was no retran
					 * and the address is
					 * un-confirmed and we sent
					 * there and are now
					 * sacked.. its confirmed,
					 * mark it so.
					 */
					tp1->whoTo->dest_state &=
						~SCTP_ADDR_UNCONFIRMED;
				}
				if (tp1->sent < SCTP_DATAGRAM_RESEND) {
					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
						sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
						               tp1->whoTo->flight_size,
						               tp1->book_size,
						               (uint32_t)(uintptr_t)tp1->whoTo,
						               tp1->rec.data.tsn);
					}
					sctp_flight_size_decrease(tp1);
					sctp_total_flight_decrease(stcb, tp1);
					if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
						(*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
													     tp1);
					}
				}
				tp1->whoTo->net_ack += tp1->send_size;

				/* CMT SFR and DAC algos */
				this_sack_lowest_newack = tp1->rec.data.tsn;
				tp1->whoTo->saw_newack = 1;

				if (tp1->snd_count < 2) {
					/*
					 * True non-retransmitted
					 * chunk
					 */
					tp1->whoTo->net_ack2 +=
						tp1->send_size;

					/* update RTO too? */
					if (tp1->do_rtt) {
						if (rto_ok &&
						    sctp_calculate_rto(stcb,
								       &stcb->asoc,
								       tp1->whoTo,
								       &tp1->sent_rcv_time,
								       SCTP_RTT_FROM_DATA)) {
							rto_ok = 0;
						}
						if (tp1->whoTo->rto_needed == 0) {
							tp1->whoTo->rto_needed = 1;
						}
						tp1->do_rtt = 0;
					}
				}
				/*
				 * CMT: CUCv2 algorithm. From the
				 * cumack'd TSNs, for each TSN being
				 * acked for the first time, set the
				 * following variables for the
				 * corresp destination.
				 * new_pseudo_cumack will trigger a
				 * cwnd update.
				 * find_(rtx_)pseudo_cumack will
				 * trigger search for the next
				 * expected (rtx-)pseudo-cumack.
				 */
				tp1->whoTo->new_pseudo_cumack = 1;
				tp1->whoTo->find_pseudo_cumack = 1;
				tp1->whoTo->find_rtx_pseudo_cumack = 1;
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
					sctp_log_sack(asoc->last_acked_seq,
					              cum_ack,
					              tp1->rec.data.tsn,
					              0,
					              0,
					              SCTP_LOG_TSN_ACKED);
				}
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
					sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
				}
			}
			if (tp1->sent == SCTP_DATAGRAM_RESEND) {
				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
#ifdef SCTP_AUDITING_ENABLED
				sctp_audit_log(0xB3,
				               (asoc->sent_queue_retran_cnt & 0x000000ff));
#endif
			}
			if (tp1->rec.data.chunk_was_revoked) {
				/* deflate the cwnd */
				tp1->whoTo->cwnd -= tp1->book_size;
				tp1->rec.data.chunk_was_revoked = 0;
			}
			if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
				tp1->sent = SCTP_DATAGRAM_ACKED;
			}
		}
	} else {
		break;
	}
}
biggest_tsn_newly_acked = biggest_tsn_acked = last_tsn;
/* always set this up to cum-ack */
asoc->this_sack_highest_gap = last_tsn;

if ((num_seg > 0) || (num_nr_seg > 0)) {
	/*
	 * thisSackHighestGap will increase while handling NEW
	 * segments this_sack_highest_newack will increase while
	 * handling NEWLY ACKED chunks. this_sack_lowest_newack is
	 * used for CMT DAC algo. saw_newack will also change.
	 */
	if (sctp_handle_segments(m, &offset_seg, stcb, asoc, last_tsn, &biggest_tsn_acked,
		&biggest_tsn_newly_acked, &this_sack_lowest_newack,
		num_seg, num_nr_seg, &rto_ok)) {
		wake_him++;
	}
	/*
	 * validate the biggest_tsn_acked in the gap acks if
	 * strict adherence is wanted.
	 */
	if (SCTP_TSN_GE(biggest_tsn_acked, send_s)) {
		/*
		 * peer is either confused or we are under
		 * attack. We must abort.
		 */
		SCTP_PRINTF("Hopeless peer! biggest_tsn_acked:%x largest seq:%x\n",
			    biggest_tsn_acked, send_s);
		goto hopeless_peer;
	}
}
/*******************************************/
/* cancel ALL T3-send timer if accum moved */
/*******************************************/
if (asoc->sctp_cmt_on_off > 0) {
	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
		if (net->new_pseudo_cumack)
			sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
			                stcb, net,
			                SCTP_FROM_SCTP_INDATA + SCTP_LOC_31);
	}
} else {
	if (accum_moved) {
		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
			sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
			                stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_32);
		}
	}
}
/********************************************/
/* drop the acked chunks from the sentqueue */
/********************************************/
asoc->last_acked_seq = cum_ack;

TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
	if (SCTP_TSN_GT(tp1->rec.data.tsn, cum_ack)) {
		break;
	}
	if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
		if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
			asoc->strmout[tp1->rec.data.sid].chunks_on_queues--;
#ifdef INVARIANTS
		} else {
			panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
#endif
		}
	}
	if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
	    (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
	    TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) {
		asoc->trigger_reset = 1;
	}
	TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
	if (PR_SCTP_ENABLED(tp1->flags)) {
		if (asoc->pr_sctp_cnt != 0)
			asoc->pr_sctp_cnt--;
	}
	asoc->sent_queue_cnt--;
	if (tp1->data) {
		/* sa_ignore NO_NULL_CHK */
		sctp_free_bufspace(stcb, asoc, tp1, 1);
		sctp_m_freem(tp1->data);
		tp1->data = NULL;
		if (asoc->prsctp_supported && PR_SCTP_BUF_ENABLED(tp1->flags)) {
			asoc->sent_queue_cnt_removeable--;
		}
	}
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
		sctp_log_sack(asoc->last_acked_seq,
		              cum_ack,
		              tp1->rec.data.tsn,
		              0,
		              0,
		              SCTP_LOG_FREE_SENT);
	}
	sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
	wake_him++;
}
if (TAILQ_EMPTY(&asoc->sent_queue) && (asoc->total_flight > 0)) {
#ifdef INVARIANTS
	panic("Warning flight size is positive and should be 0");
#else
	SCTP_PRINTF("Warning flight size incorrect should be 0 is %d\n",
	            asoc->total_flight);
#endif
	asoc->total_flight = 0;
}

#if defined(__Userspace__)
if (stcb->sctp_ep->recv_callback) {
	if (stcb->sctp_socket) {
		uint32_t inqueue_bytes, sb_free_now;
		struct sctp_inpcb *inp;

		inp = stcb->sctp_ep;
		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
		sb_free_now = SCTP_SB_LIMIT_SND(stcb->sctp_socket) - (inqueue_bytes + stcb->asoc.sb_send_resv);

		/* check if the amount free in the send socket buffer crossed the threshold */
		if (inp->send_callback &&
		   (((inp->send_sb_threshold > 0) && (sb_free_now >= inp->send_sb_threshold)) ||
		    (inp->send_sb_threshold == 0))) {
			atomic_add_int(&stcb->asoc.refcnt, 1);
			SCTP_TCB_UNLOCK(stcb);
			inp->send_callback(stcb->sctp_socket, sb_free_now, inp->ulp_info);
			SCTP_TCB_LOCK(stcb);
			atomic_subtract_int(&stcb->asoc.refcnt, 1);
		}
	}
} else if ((wake_him) && (stcb->sctp_socket)) {
#else
/* sa_ignore NO_NULL_CHK */
if ((wake_him) && (stcb->sctp_socket)) {
#endif
#if defined(__APPLE__) && !defined(__Userspace__)
	struct socket *so;

#endif
	SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
		sctp_wakeup_log(stcb, wake_him, SCTP_WAKESND_FROM_SACK);
	}
#if defined(__APPLE__) && !defined(__Userspace__)
	so = SCTP_INP_SO(stcb->sctp_ep);
	atomic_add_int(&stcb->asoc.refcnt, 1);
	SCTP_TCB_UNLOCK(stcb);
	SCTP_SOCKET_LOCK(so, 1);
	SCTP_TCB_LOCK(stcb);
	atomic_subtract_int(&stcb->asoc.refcnt, 1);
	if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
		/* assoc was freed while we were unlocked */
		SCTP_SOCKET_UNLOCK(so, 1);
		return;
	}
#endif
	sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
#if defined(__APPLE__) && !defined(__Userspace__)
	SCTP_SOCKET_UNLOCK(so, 1);
#endif
} else {
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
		sctp_wakeup_log(stcb, wake_him, SCTP_NOWAKE_FROM_SACK);
	}
}

if (asoc->fast_retran_loss_recovery && accum_moved) {
	if (SCTP_TSN_GE(asoc->last_acked_seq, asoc->fast_recovery_tsn)) {
		/* Setup so we will exit RFC2582 fast recovery */
		will_exit_fast_recovery = 1;
	}
}
/*
 * Check for revoked fragments:
 *
 * if Previous sack - Had no frags then we can't have any revoked if
 * Previous sack - Had frag's then - If we now have frags aka
 * num_seg > 0 call sctp_check_for_revoked() to tell if peer revoked
 * some of them. else - The peer revoked all ACKED fragments, since
 * we had some before and now we have NONE.
 */

if (num_seg) {
	sctp_check_for_revoked(stcb, asoc, cum_ack, biggest_tsn_acked);
	asoc->saw_sack_with_frags = 1;
} else if (asoc->saw_sack_with_frags) {
	int cnt_revoked = 0;

	/* Peer revoked all dg's marked or acked */
	TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
		if (tp1->sent == SCTP_DATAGRAM_ACKED) {
			tp1->sent = SCTP_DATAGRAM_SENT;
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
				sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
				               tp1->whoTo->flight_size,
				               tp1->book_size,
				               (uint32_t)(uintptr_t)tp1->whoTo,
				               tp1->rec.data.tsn);
			}
			sctp_flight_size_increase(tp1);
			sctp_total_flight_increase(stcb, tp1);
			tp1->rec.data.chunk_was_revoked = 1;
			/*
			 * To ensure that this increase in
			 * flightsize, which is artificial,
			 * does not throttle the sender, we
			 * also increase the cwnd
			 * artificially.
			 */
			tp1->whoTo->cwnd += tp1->book_size;
			cnt_revoked++;
		}
	}
	if (cnt_revoked) {
		reneged_all = 1;
	}
	asoc->saw_sack_with_frags = 0;
}
if (num_nr_seg > 0)
	asoc->saw_sack_with_nr_frags = 1;
else
	asoc->saw_sack_with_nr_frags = 0;

/* JRS - Use the congestion control given in the CC module */
if (ecne_seen == 0) {
	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
		if (net->net_ack2 > 0) {
			/*
			 * Karn's rule applies to clearing error count, this
			 * is optional.
			 */
			net->error_count = 0;
			if ((net->dest_state & SCTP_ADDR_REACHABLE) == 0) {
				/* addr came good */
				net->dest_state |= SCTP_ADDR_REACHABLE;
				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
				                0, (void *)net, SCTP_SO_NOT_LOCKED);
			}

			if (net == stcb->asoc.primary_destination) {
				if (stcb->asoc.alternate) {
					/* release the alternate, primary is good */
					sctp_free_remote_addr(stcb->asoc.alternate);
					stcb->asoc.alternate = NULL;
				}
			}

			if (net->dest_state & SCTP_ADDR_PF) {
				net->dest_state &= ~SCTP_ADDR_PF;
				sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT,
				                stcb->sctp_ep, stcb, net,
				                SCTP_FROM_SCTP_INDATA + SCTP_LOC_33);
				sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
				asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
				/* Done with this net */
				net->net_ack = 0;
			}
			/* restore any doubled timers */
			net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
			if (net->RTO < stcb->asoc.minrto) {
				net->RTO = stcb->asoc.minrto;
			}
			if (net->RTO > stcb->asoc.maxrto) {
				net->RTO = stcb->asoc.maxrto;
			}
		}
	}
	asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, accum_moved, reneged_all, will_exit_fast_recovery);
}

if (TAILQ_EMPTY(&asoc->sent_queue)) {
	/* nothing left in-flight */
	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
		/* stop all timers */
		sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
		                stcb, net,
		                SCTP_FROM_SCTP_INDATA + SCTP_LOC_34);
		net->flight_size = 0;
		net->partial_bytes_acked = 0;
	}
	asoc->total_flight = 0;
	asoc->total_flight_count = 0;
}

/**********************************/
/* Now what about shutdown issues */
/**********************************/
if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
	/* nothing left on sendqueue.. consider done */
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
		sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
		                  asoc->peers_rwnd, 0, 0, a_rwnd);
	}
	asoc->peers_rwnd = a_rwnd;
	if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
		/* SWS sender side engages */
		asoc->peers_rwnd = 0;
	}
	/* clean up */
	if ((asoc->stream_queue_cnt == 1) &&
	    ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
	     (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
	    ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete)(stcb, asoc))) {
		SCTP_ADD_SUBSTATE(stcb, SCTP_STATE_PARTIAL_MSG_LEFT);
	}
	if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
	     (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
	    (asoc->stream_queue_cnt == 1) &&
	    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
		struct mbuf *op_err;

		*abort_now = 1;
		/* XXX */
		op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
		stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_35;
		sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
		return;
	}
	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
	    (asoc->stream_queue_cnt == 0)) {
		struct sctp_nets *netp;

		if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
		    (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
			SCTP_STAT_DECR_GAUGE32(sctps_currestab);
		}
		SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_SENT);
		sctp_stop_timers_for_shutdown(stcb);
		if (asoc->alternate) {
			netp = asoc->alternate;
		} else {
			netp = asoc->primary_destination;
		}
		sctp_send_shutdown(stcb, netp);
		sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
				 stcb->sctp_ep, stcb, netp);
		sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
				 stcb->sctp_ep, stcb, NULL);
		return;
	} else if ((SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
		   (asoc->stream_queue_cnt == 0)) {
		struct sctp_nets *netp;

		SCTP_STAT_DECR_GAUGE32(sctps_currestab);
		SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_ACK_SENT);
		sctp_stop_timers_for_shutdown(stcb);
		if (asoc->alternate) {
			netp = asoc->alternate;
		} else {
			netp = asoc->primary_destination;
		}
		sctp_send_shutdown_ack(stcb, netp);
		sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
		                 stcb->sctp_ep, stcb, netp);
		return;
	}
}
/*
 * Now here we are going to recycle net_ack for a different use...
 * HEADS UP.
 */
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
	net->net_ack = 0;
}

/*
 * CMT DAC algorithm: If SACK DAC flag was 0, then no extra marking
 * to be done. Setting this_sack_lowest_newack to the cum_ack will
 * automatically ensure that.
 */
if ((asoc->sctp_cmt_on_off > 0) &&
    SCTP_BASE_SYSCTL(sctp_cmt_use_dac) &&
    (cmt_dac_flag == 0)) {
	this_sack_lowest_newack = cum_ack;
}
if ((num_seg > 0) || (num_nr_seg > 0)) {
	sctp_strike_gap_ack_chunks(stcb, asoc, biggest_tsn_acked,
	                           biggest_tsn_newly_acked, this_sack_lowest_newack, accum_moved);
}
/* JRS - Use the congestion control given in the CC module */
asoc->cc_functions.sctp_cwnd_update_after_fr(stcb, asoc);

/* Now are we exiting loss recovery ? */
if (will_exit_fast_recovery) {
	/* Ok, we must exit fast recovery */
	asoc->fast_retran_loss_recovery = 0;
}
if ((asoc->sat_t3_loss_recovery) &&
    SCTP_TSN_GE(asoc->last_acked_seq, asoc->sat_t3_recovery_tsn)) {
	/* end satellite t3 loss recovery */
	asoc->sat_t3_loss_recovery = 0;
}
/*
 * CMT Fast recovery
 */
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
	if (net->will_exit_fast_recovery) {
		/* Ok, we must exit fast recovery */
		net->fast_retran_loss_recovery = 0;
	}
}

/* Adjust and set the new rwnd value */
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
	sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
	                  asoc->peers_rwnd, asoc->total_flight, (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)), a_rwnd);
}
asoc->peers_rwnd = sctp_sbspace_sub(a_rwnd,
                                    (uint32_t) (asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
	/* SWS sender side engages */
	asoc->peers_rwnd = 0;
}
if (asoc->peers_rwnd > old_rwnd) {
	win_probe_recovery = 1;
}

/*
 * Now we must setup so we have a timer up for anyone with
 * outstanding data.
 */
done_once = 0;
again:
j = 0;
TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
	if (win_probe_recovery && (net->window_probe)) {
		win_probe_recovered = 1;
		/*-
		 * Find first chunk that was used with
		 * window probe and clear the event. Put
		 * it back into the send queue as if has
		 * not been sent.
		 */
		TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
			if (tp1->window_probe) {
				sctp_window_probe_recovery(stcb, asoc, tp1);
				break;
			}
		}
	}
	if (net->flight_size) {
		j++;
		if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
			sctp_timer_start(SCTP_TIMER_TYPE_SEND,
			                 stcb->sctp_ep, stcb, net);
		}
		if (net->window_probe) {
			net->window_probe = 0;
		}
	} else {
		if (net->window_probe) {
			/* In window probes we must assure a timer is still running there */
			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
				sctp_timer_start(SCTP_TIMER_TYPE_SEND,
				                 stcb->sctp_ep, stcb, net);
			}
		} else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
			sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
			                stcb, net,
			                SCTP_FROM_SCTP_INDATA + SCTP_LOC_36);
		}
	}
}
if ((j == 0) &&
    (!TAILQ_EMPTY(&asoc->sent_queue)) &&
    (asoc->sent_queue_retran_cnt == 0) &&
    (win_probe_recovered == 0) &&
    (done_once == 0)) {
	/* huh, this should not happen unless all packets
	 * are PR-SCTP and marked to skip of course.
	 */
	if (sctp_fs_audit(asoc)) {
		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
			net->flight_size = 0;
		}
		asoc->total_flight = 0;
		asoc->total_flight_count = 0;
		asoc->sent_queue_retran_cnt = 0;
		TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
			if (tp1->sent < SCTP_DATAGRAM_RESEND) {
				sctp_flight_size_increase(tp1);
				sctp_total_flight_increase(stcb, tp1);
			} else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
				sctp_ucount_incr(asoc->sent_queue_retran_cnt);
			}
		}
	}
	done_once = 1;
	goto again;
}
/*********************************************/
/* Here we perform PR-SCTP procedures        */
/* (section 4.2)                             */
/*********************************************/
/* C1. update advancedPeerAckPoint */
if (SCTP_TSN_GT(cum_ack, asoc->advanced_peer_ack_point)) {
	asoc->advanced_peer_ack_point = cum_ack;
}
/* C2. try to further move advancedPeerAckPoint ahead */
if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
	struct sctp_tmit_chunk *lchk;
	uint32_t old_adv_peer_ack_point;

	old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
	lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
	/* C3. See if we need to send a Fwd-TSN */
	if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cum_ack)) {
		/*
		 * ISSUE with ECN, see FWD-TSN processing.
		 */
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
			               0xee, cum_ack, asoc->advanced_peer_ack_point,
			               old_adv_peer_ack_point);
		}
		if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
			send_forward_tsn(stcb, asoc);
		} else if (lchk) {
			/* try to FR fwd-tsn's that get lost too */
			if (lchk->rec.data.fwd_tsn_cnt >= 3) {
				send_forward_tsn(stcb, asoc);
			}
		}
	}
	for (; lchk != NULL; lchk = TAILQ_NEXT(lchk, sctp_next)) {
		if (lchk->whoTo != NULL) {
			break;
		}
	}
	if (lchk != NULL) {
		/* Assure a timer is up */
		sctp_timer_start(SCTP_TIMER_TYPE_SEND,
		                 stcb->sctp_ep, stcb, lchk->whoTo);
	}
}
if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
	sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
	               a_rwnd,
	               stcb->asoc.peers_rwnd,
	               stcb->asoc.total_flight,
	               stcb->asoc.total_output_queue_size);
}
}

void
sctp_update_acked(struct sctp_tcb *stcb, struct sctp_shutdown_chunk *cp, int *abort_flag)
{
/* Copy cum-ack */
uint32_t cum_ack, a_rwnd;

cum_ack = ntohl(cp->cumulative_tsn_ack);
/* Arrange so a_rwnd does NOT change */
a_rwnd = stcb->asoc.peers_rwnd + stcb->asoc.total_flight;

/* Now call the express sack handling */
sctp_express_handle_sack(stcb, cum_ack, a_rwnd, abort_flag, 0);
}

static void
sctp_kick_prsctp_reorder_queue(struct sctp_tcb *stcb,
                              struct sctp_stream_in *strmin)
{
struct sctp_queued_to_read *control, *ncontrol;
struct sctp_association *asoc;
uint32_t mid;
int need_reasm_check = 0;

KASSERT(stcb != NULL, ("stcb == NULL"));
SCTP_TCB_LOCK_ASSERT(stcb);
SCTP_INP_READ_LOCK_ASSERT(stcb->sctp_ep);

asoc = &stcb->asoc;
mid = strmin->last_mid_delivered;
/*
 * First deliver anything prior to and including the stream no that
 * came in.
 */
TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) {
	if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
		/* this is deliverable now */
		if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
			if (control->on_strm_q) {
				if (control->on_strm_q == SCTP_ON_ORDERED) {
					TAILQ_REMOVE(&strmin->inqueue, control, next_instrm);
				} else if (control->on_strm_q == SCTP_ON_UNORDERED) {
					TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm);
#ifdef INVARIANTS
				} else {
					panic("strmin: %p ctl: %p unknown %d",
					      strmin, control, control->on_strm_q);
#endif
				}
				control->on_strm_q = 0;
			}
			/* subtract pending on streams */
			if (asoc->size_on_all_streams >= control->length) {
				asoc->size_on_all_streams -= control->length;
			} else {
#ifdef INVARIANTS
				panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
				asoc->size_on_all_streams = 0;
#endif
			}
			sctp_ucount_decr(asoc->cnt_on_all_streams);
			/* deliver it to at least the delivery-q */
			if (stcb->sctp_socket) {
				sctp_mark_non_revokable(asoc, control->sinfo_tsn);
				sctp_add_to_readq(stcb->sctp_ep, stcb, control,
				                  &stcb->sctp_socket->so_rcv, 1,
				                  SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED);
			}
		} else {
			/* Its a fragmented message */
			if (control->first_frag_seen) {
				/* Make it so this is next to deliver, we restore later */
				strmin->last_mid_delivered = control->mid - 1;
				need_reasm_check = 1;
				break;
			}
		}
	} else {
		/* no more delivery now. */
		break;
	}
}
if (need_reasm_check) {
	int ret;
	ret = sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD);
	if (SCTP_MID_GT(asoc->idata_supported, mid, strmin->last_mid_delivered)) {
		/* Restore the next to deliver unless we are ahead */
		strmin->last_mid_delivered = mid;
	}
	if (ret == 0) {
		/* Left the front Partial one on */
		return;
	}
	need_reasm_check = 0;
}
/*
 * now we must deliver things in queue the normal way  if any are
 * now ready.
 */
mid = strmin->last_mid_delivered + 1;
TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) {
	if (SCTP_MID_EQ(asoc->idata_supported, mid, control->mid)) {
		if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
			/* this is deliverable now */
			if (control->on_strm_q) {
				if (control->on_strm_q == SCTP_ON_ORDERED) {
					TAILQ_REMOVE(&strmin->inqueue, control, next_instrm);
				} else if (control->on_strm_q == SCTP_ON_UNORDERED) {
					TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm);
#ifdef INVARIANTS
				} else {
					panic("strmin: %p ctl: %p unknown %d",
					      strmin, control, control->on_strm_q);
#endif
				}
				control->on_strm_q = 0;
			}
			/* subtract pending on streams */
			if (asoc->size_on_all_streams >= control->length) {
				asoc->size_on_all_streams -= control->length;
			} else {
#ifdef INVARIANTS
				panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
				asoc->size_on_all_streams = 0;
#endif
			}
			sctp_ucount_decr(asoc->cnt_on_all_streams);
			/* deliver it to at least the delivery-q */
			strmin->last_mid_delivered = control->mid;
			if (stcb->sctp_socket) {
				sctp_mark_non_revokable(asoc, control->sinfo_tsn);
				sctp_add_to_readq(stcb->sctp_ep, stcb, control,
				                  &stcb->sctp_socket->so_rcv, 1,
				                  SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED);
			}
			mid = strmin->last_mid_delivered + 1;
		} else {
			/* Its a fragmented message */
			if (control->first_frag_seen) {
				/* Make it so this is next to deliver */
				strmin->last_mid_delivered = control->mid - 1;
				need_reasm_check = 1;
				break;
			}
		}
	} else {
		break;
	}
}
if (need_reasm_check) {
	(void)sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD);
}
}

static void
sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb,
                             struct sctp_association *asoc, struct sctp_stream_in *strm,
                             struct sctp_queued_to_read *control, int ordered, uint32_t cumtsn)
{
struct sctp_tmit_chunk *chk, *nchk;

/*
 * For now large messages held on the stream reasm that are
 * complete will be tossed too. We could in theory do more
 * work to spin through and stop after dumping one msg aka
 * seeing the start of a new msg at the head, and call the
 * delivery function... to see if it can be delivered... But
 * for now we just dump everything on the queue.
 */

KASSERT(stcb != NULL, ("stcb == NULL"));
SCTP_TCB_LOCK_ASSERT(stcb);
SCTP_INP_READ_LOCK_ASSERT(stcb->sctp_ep);

if (!asoc->idata_supported && !ordered &&
    control->first_frag_seen &&
    SCTP_TSN_GT(control->fsn_included, cumtsn)) {
	return;
}
TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
	/* Purge hanging chunks */
	if (!asoc->idata_supported && !ordered) {
		if (SCTP_TSN_GT(chk->rec.data.tsn, cumtsn)) {
			break;
		}
	}
	TAILQ_REMOVE(&control->reasm, chk, sctp_next);
	if (asoc->size_on_reasm_queue >= chk->send_size) {
		asoc->size_on_reasm_queue -= chk->send_size;
	} else {
#ifdef INVARIANTS
		panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, chk->send_size);
#else
		asoc->size_on_reasm_queue = 0;
#endif
	}
	sctp_ucount_decr(asoc->cnt_on_reasm_queue);
	if (chk->data) {
		sctp_m_freem(chk->data);
		chk->data = NULL;
	}
	sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
}
if (!TAILQ_EMPTY(&control->reasm)) {
	KASSERT(!asoc->idata_supported,
	    ("Reassembly queue not empty for I-DATA"));
	KASSERT(!ordered,
	    ("Reassembly queue not empty for ordered data"));
	if (control->data) {
		sctp_m_freem(control->data);
		control->data = NULL;
	}
	control->fsn_included = 0xffffffff;
	control->first_frag_seen = 0;
	control->last_frag_seen = 0;
	if (control->on_read_q) {
		/*
		 * We have to purge it from there,
		 * hopefully this will work :-)
		 */
		TAILQ_REMOVE(&stcb->sctp_ep->read_queue, control, next);
		control->on_read_q = 0;
	}
	chk = TAILQ_FIRST(&control->reasm);
	if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
		TAILQ_REMOVE(&control->reasm, chk, sctp_next);
		sctp_add_chk_to_control(control, strm, stcb, asoc,
		                        chk, SCTP_READ_LOCK_HELD);
	}
	sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_HELD);
	return;
}
if (control->on_strm_q == SCTP_ON_ORDERED) {
	TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
	if (asoc->size_on_all_streams >= control->length) {
		asoc->size_on_all_streams -= control->length;
	} else {
#ifdef INVARIANTS
		panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
		asoc->size_on_all_streams = 0;
#endif
	}
	sctp_ucount_decr(asoc->cnt_on_all_streams);
	control->on_strm_q = 0;
} else if (control->on_strm_q == SCTP_ON_UNORDERED) {
	TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
	control->on_strm_q = 0;
#ifdef INVARIANTS
} else if (control->on_strm_q) {
	panic("strm: %p ctl: %p unknown %d",
	    strm, control, control->on_strm_q);
#endif
}
control->on_strm_q = 0;
if (control->on_read_q == 0) {
	sctp_free_remote_addr(control->whoFrom);
	if (control->data) {
		sctp_m_freem(control->data);
		control->data = NULL;
	}
	sctp_free_a_readq(stcb, control);
}
}

void
sctp_handle_forward_tsn(struct sctp_tcb *stcb,
                       struct sctp_forward_tsn_chunk *fwd,
                       int *abort_flag, struct mbuf *m , int offset)
{
/* The pr-sctp fwd tsn */
/*
 * here we will perform all the data receiver side steps for
 * processing FwdTSN, as required in by pr-sctp draft:
 *
 * Assume we get FwdTSN(x):
 *
 * 1) update local cumTSN to x
 * 2) try to further advance cumTSN to x + others we have
 * 3) examine and update re-ordering queue on pr-in-streams
 * 4) clean up re-assembly queue
 * 5) Send a sack to report where we are.
 */
struct sctp_association *asoc;
uint32_t new_cum_tsn, gap;
unsigned int i, fwd_sz, m_size;
struct sctp_stream_in *strm;
struct sctp_queued_to_read *control, *ncontrol;

asoc = &stcb->asoc;
if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) {
	SCTPDBG(SCTP_DEBUG_INDATA1,
		"Bad size too small/big fwd-tsn\n");
	return;
}
m_size = (stcb->asoc.mapping_array_size << 3);
/*************************************************************/
/* 1. Here we update local cumTSN and shift the bitmap array */
/*************************************************************/
new_cum_tsn = ntohl(fwd->new_cumulative_tsn);

if (SCTP_TSN_GE(asoc->cumulative_tsn, new_cum_tsn)) {
	/* Already got there ... */
	return;
}
/*
 * now we know the new TSN is more advanced, let's find the actual
 * gap
 */
SCTP_CALC_TSN_TO_GAP(gap, new_cum_tsn, asoc->mapping_array_base_tsn);
asoc->cumulative_tsn = new_cum_tsn;
if (gap >= m_size) {
	if ((long)gap > sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv)) {
		struct mbuf *op_err;
		char msg[SCTP_DIAG_INFO_LEN];

		/*
		 * out of range (of single byte chunks in the rwnd I
		 * give out). This must be an attacker.
		 */
		*abort_flag = 1;
		SCTP_SNPRINTF(msg, sizeof(msg),
		              "New cum ack %8.8x too high, highest TSN %8.8x",
		              new_cum_tsn, asoc->highest_tsn_inside_map);
		op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
		stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_37;
		sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
		return;
	}
	SCTP_STAT_INCR(sctps_fwdtsn_map_over);

	memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
	asoc->mapping_array_base_tsn = new_cum_tsn + 1;
	asoc->highest_tsn_inside_map = new_cum_tsn;

	memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);
	asoc->highest_tsn_inside_nr_map = new_cum_tsn;

	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
		sctp_log_map(0, 3, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
	}
} else {
	SCTP_TCB_LOCK_ASSERT(stcb);
	for (i = 0; i <= gap; i++) {
		if (!SCTP_IS_TSN_PRESENT(asoc->mapping_array, i) &&
		    !SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, i)) {
			SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, i);
			if (SCTP_TSN_GT(asoc->mapping_array_base_tsn + i, asoc->highest_tsn_inside_nr_map)) {
				asoc->highest_tsn_inside_nr_map = asoc->mapping_array_base_tsn + i;
			}
		}
	}
}
/*************************************************************/
/* 2. Clear up re-assembly queue                             */
/*************************************************************/

/* This is now done as part of clearing up the stream/seq */
if (asoc->idata_supported == 0) {
	uint16_t sid;

	/* Flush all the un-ordered data based on cum-tsn */
	SCTP_INP_READ_LOCK(stcb->sctp_ep);
	for (sid = 0; sid < asoc->streamincnt; sid++) {
		strm = &asoc->strmin[sid];
		if (!TAILQ_EMPTY(&strm->uno_inqueue)) {
			sctp_flush_reassm_for_str_seq(stcb, asoc, strm, TAILQ_FIRST(&strm->uno_inqueue), 0, new_cum_tsn);
		}
	}
	SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
}
/*******************************************************/
/* 3. Update the PR-stream re-ordering queues and fix  */
/*    delivery issues as needed.                       */
/*******************************************************/
fwd_sz -= sizeof(*fwd);
if (m && fwd_sz) {
	/* New method. */
	unsigned int num_str;
	uint32_t mid;
	uint16_t sid;
	uint16_t ordered, flags;
	struct sctp_strseq *stseq, strseqbuf;
	struct sctp_strseq_mid *stseq_m, strseqbuf_m;
	offset += sizeof(*fwd);

	SCTP_INP_READ_LOCK(stcb->sctp_ep);
	if (asoc->idata_supported) {
		num_str = fwd_sz / sizeof(struct sctp_strseq_mid);
	} else {
		num_str = fwd_sz / sizeof(struct sctp_strseq);
	}
	for (i = 0; i < num_str; i++) {
		if (asoc->idata_supported) {
			stseq_m = (struct sctp_strseq_mid *)sctp_m_getptr(m, offset,
								    sizeof(struct sctp_strseq_mid),
								    (uint8_t *)&strseqbuf_m);
			offset += sizeof(struct sctp_strseq_mid);
			if (stseq_m == NULL) {
				break;
			}
			sid = ntohs(stseq_m->sid);
			mid = ntohl(stseq_m->mid);
			flags = ntohs(stseq_m->flags);
			if (flags & PR_SCTP_UNORDERED_FLAG) {
				ordered = 0;
			} else {
				ordered = 1;
			}
		} else {
			stseq = (struct sctp_strseq *)sctp_m_getptr(m, offset,
								    sizeof(struct sctp_strseq),
								    (uint8_t *)&strseqbuf);
			offset += sizeof(struct sctp_strseq);
			if (stseq == NULL) {
				break;
			}
			sid = ntohs(stseq->sid);
			mid = (uint32_t)ntohs(stseq->ssn);
			ordered = 1;
		}
		/* Convert */

		/* now process */

		/*
		 * Ok we now look for the stream/seq on the read queue
		 * where its not all delivered. If we find it we transmute the
		 * read entry into a PDI_ABORTED.
		 */
		if (sid >= asoc->streamincnt) {
			/* screwed up streams, stop!  */
			break;
		}
		if ((asoc->str_of_pdapi == sid) &&
		    (asoc->ssn_of_pdapi == mid)) {
			/* If this is the one we were partially delivering
			 * now then we no longer are. Note this will change
			 * with the reassembly re-write.
			 */
			asoc->fragmented_delivery_inprogress = 0;
		}
		strm = &asoc->strmin[sid];
		if (ordered) {
			TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, ncontrol) {
				if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
					sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
				}
			}
		} else {
			if (asoc->idata_supported) {
				TAILQ_FOREACH_SAFE(control, &strm->uno_inqueue, next_instrm, ncontrol) {
					if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
						sctp_flush_reassm_for_str_seq(stcb, asoc, strm, control, ordered, new_cum_tsn);
					}
				}
			} else {
				if (!TAILQ_EMPTY(&strm->uno_inqueue)) {
					sctp_flush_reassm_for_str_seq(stcb, asoc, strm, TAILQ_FIRST(&strm->uno_inqueue), ordered, new_cum_tsn);
				}
			}
		}
		TAILQ_FOREACH(control, &stcb->sctp_ep->read_queue, next) {
			if ((control->sinfo_stream == sid) &&
			    (SCTP_MID_EQ(asoc->idata_supported, control->mid, mid))) {
				control->pdapi_aborted = 1;
				control->end_added = 1;
				if (control->on_strm_q == SCTP_ON_ORDERED) {
					TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
					if (asoc->size_on_all_streams >= control->length) {
						asoc->size_on_all_streams -= control->length;
					} else {
#ifdef INVARIANTS
						panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
#else
						asoc->size_on_all_streams = 0;
#endif
					}
					sctp_ucount_decr(asoc->cnt_on_all_streams);
				} else if (control->on_strm_q == SCTP_ON_UNORDERED) {
					TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
#ifdef INVARIANTS
				} else if (control->on_strm_q) {
					panic("strm: %p ctl: %p unknown %d",
					      strm, control, control->on_strm_q);
#endif
				}
				control->on_strm_q = 0;
				sctp_ulp_notify(SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION,
				                stcb,
				                SCTP_PARTIAL_DELIVERY_ABORTED,
				                (void *)control,
				                SCTP_SO_NOT_LOCKED);
				break;
			} else if ((control->sinfo_stream == sid) &&
				   SCTP_MID_GT(asoc->idata_supported, control->mid, mid)) {
				/* We are past our victim SSN */
				break;
			}
		}
		if (SCTP_MID_GT(asoc->idata_supported, mid, strm->last_mid_delivered)) {
			/* Update the sequence number */
			strm->last_mid_delivered = mid;
		}
		/* now kick the stream the new way */
		/*sa_ignore NO_NULL_CHK*/
		sctp_kick_prsctp_reorder_queue(stcb, strm);
	}
	SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
}
/*
 * Now slide thing forward.
 */
sctp_slide_mapping_arrays(stcb);
}