/usr/src/usr.sbin/npppd/npppd/../l2tp/l2tp

Bug Summary

File:	src/usr.sbin/npppd/npppd/../l2tp/l2tp_ctrl.c
Warning:	line 134, column 2 Value stored to 'i' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name l2tp_ctrl.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/npppd/npppd/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.sbin/npppd/npppd/../common -I /usr/src/usr.sbin/npppd/npppd -I /usr/src/usr.sbin/npppd/npppd/../pptp -I /usr/src/usr.sbin/npppd/npppd/../l2tp -I /usr/src/usr.sbin/npppd/npppd/../pppoe -D USE_NPPPD_PPTP -D USE_NPPPD_L2TP -D USE_NPPPD_PPPOE -D __COPYRIGHT(x)= -D __RCSID(x)= -D NPPPD_MAX_IFACE=8 -D NPPPD_MAX_POOL=8 -D USE_NPPPD_MPPE -D USE_NPPPD_PIPEX -D USE_NPPPD_RADIUS -D USE_SA_COOKIE -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/npppd/npppd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.sbin/npppd/npppd/../l2tp/l2tp_ctrl.c

1	/* $OpenBSD: l2tp_ctrl.c,v 1.26 2021/05/22 08:29:57 yasuoka Exp $ */
2
3	/*-
4	* Copyright (c) 2009 Internet Initiative Japan Inc.
5	* All rights reserved.
6	*
7	* Redistribution and use in source and binary forms, with or without
8	* modification, are permitted provided that the following conditions
9	* are met:
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	*
16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26	* SUCH DAMAGE.
27	*/
28	/*@file Control connection processing functions for L2TP LNS /
29	/* $Id: l2tp_ctrl.c,v 1.26 2021/05/22 08:29:57 yasuoka Exp $ */
30	#include <sys/types.h>
31	#include <sys/time.h>
32	#include <sys/socket.h>
33	#include <netinet/in.h>
34	#include <net/if.h>
35	#include <arpa/inet.h>
36	#include <endian.h>
37	#include <errno(*__errno()).h>
38	#include <event.h>
39	#include <netdb.h>
40	#include <stdarg.h>
41	#include <stddef.h>
42	#include <stdio.h>
43	#include <stdlib.h>
44	#include <string.h>
45	#include <syslog.h>
46	#include <time.h>
47	#include <unistd.h>
48	#include <limits.h>
49
50	#ifdef USE_LIBSOCKUTIL
51	#include <seil/sockfromto.h>
52	#endif
53
54	#include "time_utils.h"
55	#include "bytebuf.h"
56	#include "hash.h"
57	#include "debugutil.h"
58	#include "slist.h"
59	#include "l2tp.h"
60	#include "l2tp_local.h"
61	#include "l2tp_subr.h"
62	#include "net_utils.h"
63	#include "version.h"
64	#include "recvfromto.h"
65
66	#define MINIMUM(a, b)(((a) < (b)) ? (a) : (b)) (((a) < (b)) ? (a) : (b))
67
68	static int l2tp_ctrl_init(l2tp_ctrl , l2tpd , struct sockaddr , struct sockaddr , void *);
69	static void l2tp_ctrl_reload(l2tp_ctrl *);
70	static int l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *);
71	static void l2tp_ctrl_timeout(int, short, void *);
72	static int l2tp_ctrl_resend_una_packets(l2tp_ctrl *, bool_Bool);
73	static void l2tp_ctrl_destroy_all_calls(l2tp_ctrl *);
74	static int l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *, int);
75	static void l2tp_ctrl_reset_timeout(l2tp_ctrl *);
76	static int l2tp_ctrl_txwin_size(l2tp_ctrl *);
77	static bool_Bool l2tp_ctrl_txwin_is_full(l2tp_ctrl *);
78	static bool_Bool l2tp_ctrl_in_peer_window(l2tp_ctrl *, uint16_t);
79	static bool_Bool l2tp_ctrl_in_our_window(l2tp_ctrl *, uint16_t);
80	static int l2tp_ctrl_recv_SCCRQ(l2tp_ctrl , u_char , int, l2tpd , struct sockaddr );
81	static int l2tp_ctrl_send_StopCCN(l2tp_ctrl *, int);
82	static int l2tp_ctrl_recv_StopCCN(l2tp_ctrl , u_char , int);
83	static void l2tp_ctrl_send_SCCRP(l2tp_ctrl *);
84	static int l2tp_ctrl_send_HELLO(l2tp_ctrl *);
85	static int l2tp_ctrl_send_ZLB(l2tp_ctrl *);
86	static const char l2tp_ctrl_state_string(l2tp_ctrl );
87
88	#ifdef L2TP_CTRL_DEBUG
89	#define L2TP_CTRL_ASSERT(x) ASSERT(x)((void)0);
90	#define L2TP_CTRL_DBG(x) l2tp_ctrl_log x
91	#else
92	#define L2TP_CTRL_ASSERT(x)
93	#define L2TP_CTRL_DBG(x)
94	#endif
95
96	/* Sequence # of l2tp_ctrl ID */
97	static u_int l2tp_ctrl_id_seq = 0;
98
99	#define SEQ_LT(a,b)((int16_t)((a) - (b)) < 0) ((int16_t)((a) - (b)) < 0)
100	#define SEQ_GT(a,b)((int16_t)((a) - (b)) > 0) ((int16_t)((a) - (b)) > 0)
101
102	/**
103	* Build instance of {@link ::_l2tp_ctrl L2TP LNS control connection}
104	*/
105	l2tp_ctrl *
106	l2tp_ctrl_create(void)
107	{
108
109	return calloc(1, sizeof(l2tp_ctrl));
110	}
111
112	/**
113	* initialize and startup of {@link ::_l2tp_ctrl L2TP LNS control connection}
114	* instance
115	*/
116	static int
117	l2tp_ctrl_init(l2tp_ctrl _this, l2tpd _l2tpd, struct sockaddr *peer,
118	struct sockaddr sock, void nat_t_ctx)
119	{
120	int tunid, i;
121	bytebuffer *bytebuf;
122	time_t curr_time;
123
124	memset(_this, 0, sizeof(l2tp_ctrl));
125
126	curr_time = get_monosec()((time_t)(get_nanotime() / 1000000000LL));
127	_this->l2tpd = _l2tpd;
128	_this->state = L2TP_CTRL_STATE_IDLE0;
129	_this->last_snd_ctrl = curr_time;
130
131	slist_init(&_this->call_list);
132
133	/* seek a free tunnel ID */
134	i = 0;
	Value stored to 'i' is never read
135	_this->id = ++l2tp_ctrl_id_seq;
136	for (i = 0, tunid = _this->id; ; i++, tunid++) {
137	tunid &= 0xffff;
138	_this->tunnel_id = l2tp_ctrl_id_seq & 0xffff;
139	if (tunid == 0)
140	continue;
141	if (l2tpd_get_ctrl(_l2tpd, tunid) == NULL((void*)0))
142	break;
143	if (i > 80000) {
144	/* this must be happen, just log it. */
145	l2tpd_log(_l2tpd, LOG_ERR3, "Too many l2tp controls");
146	return -1;
147	}
148	}
149
150	_this->tunnel_id = tunid;
151
152	L2TP_CTRL_ASSERT(peer != NULL);
153	L2TP_CTRL_ASSERT(sock != NULL);
154	memcpy(&_this->peer, peer, peer->sa_len);
155	memcpy(&_this->sock, sock, sock->sa_len);
156
157	/* prepare send buffer */
158	_this->winsz = L2TPD_DEFAULT_SEND_WINSZ4;
159	/*
160	* _this->winsz is informed as our receive window size. Also
161	* MIN(_this->winsz, _this->peer_winsiz) is used for the size of
162	* transmit side window. We need winsz * 2 sized buffer so that a
163	* stingy client can fill both of window separately.
164	*/
165	_this->snd_buffercnt = _this->winsz * 2;
166	if ((_this->snd_buffers = calloc(_this->snd_buffercnt,
167	sizeof(bytebuffer ))) == NULL((void)0)) {
168	l2tpd_log(_l2tpd, LOG_ERR3,
169	"calloc() failed in %s(): %m", __func__);
170	goto fail;
171	}
172	for (i = 0; i < _this->snd_buffercnt; i++) {
173	if ((bytebuf = bytebuffer_create(L2TPD_SND_BUFSIZ2048)) == NULL((void*)0)) {
174	l2tpd_log(_l2tpd, LOG_ERR3,
175	"bytebuffer_create() failed in %s(): %m", __func__);
176	goto fail;
177	}
178	_this->snd_buffers[i] = bytebuf;
179	}
180	if ((_this->zlb_buffer = bytebuffer_create(sizeof(struct l2tp_header)
181	+ 128)) == NULL((void*)0)) {
182	l2tpd_log(_l2tpd, LOG_ERR3,
183	"bytebuffer_create() failed in %s(): %m", __func__);
184	goto fail;
185	}
186	#if defined(USE_LIBSOCKUTIL) \|\| defined(USE_SA_COOKIE1)
187	if (nat_t_ctx != NULL((void*)0)) {
188	if ((_this->sa_cookie = malloc(
189	sizeof(struct in_ipsec_sa_cookie))) != NULL((void*)0)) {
190	(struct in_ipsec_sa_cookie )_this->sa_cookie =
191	(struct in_ipsec_sa_cookie )nat_t_ctx;
192	} else {
193	l2tpd_log(_l2tpd, LOG_ERR3,
194	"creating sa_cookie failed: %m");
195	goto fail;
196	}
197	}
198	#endif
199	_this->hello_interval = L2TP_CTRL_DEFAULT_HELLO_INTERVAL60;
200	_this->hello_timeout = L2TP_CTRL_DEFAULT_HELLO_TIMEOUT30;
201	_this->hello_io_time = curr_time;
202
203	/* initialize timeout timer */
204	l2tp_ctrl_reset_timeout(_this);
205
206	/* register l2tp context */
207	l2tpd_add_ctrl(_l2tpd, _this);
208	return 0;
209	fail:
210	l2tp_ctrl_stop(_this, 0);
211	return -1;
212	}
213
214	/*
215	* setup {@link ::_l2tp_ctrl L2TP LNS control connection} instance
216	*/
217	static void
218	l2tp_ctrl_reload(l2tp_ctrl *_this)
219	{
220	_this->data_use_seq = L2TP_CTRL_CONF(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->data_use_seq;
221	if (L2TP_CTRL_CONF(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->hello_interval != 0)
222	_this->hello_interval = L2TP_CTRL_CONF(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->hello_interval;
223	if (L2TP_CTRL_CONF(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->hello_timeout != 0)
224	_this->hello_timeout = L2TP_CTRL_CONF(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->hello_timeout;
225	}
226
227	/*
228	* free {@link ::_l2tp_ctrl L2TP LNS control connection} instance
229	*/
230	void
231	l2tp_ctrl_destroy(l2tp_ctrl *_this)
232	{
233	L2TP_CTRL_ASSERT(_this != NULL);
234	#if defined(USE_LIBSOCKUTIL) \|\| defined(USE_SA_COOKIE1)
235	free(_this->sa_cookie);
236	#endif
237	free(_this);
238	}
239
240	/*
241	* nortify disconnection to peer
242	*
243	* @return 0: all CDN and StopCCN have been sent.
244	* N: if the remaining calls which still not sent CDN exist,
245	* return # of the calls.
246	* -1: when try to send of StopCCN failed.
247	*/
248	static int
249	l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *_this)
250	{
251	int ncalls;
252
253	L2TP_CTRL_ASSERT(_this != NULL)
254	L2TP_CTRL_ASSERT(_this->state == L2TP_CTRL_STATE_ESTABLISHED \|\|
255	_this->state == L2TP_CTRL_STATE_CLEANUP_WAIT);
256
257	/* this control is not actively closing or StopCCN have been sent */
258	if (_this->active_closing == 0)
259	return 0;
260
261	/* Send CDN all Calls */
262	ncalls = 0;
263	if (slist_length(&_this->call_list) != 0) {
264	ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0);
265	if (ncalls > 0) {
266	/*
267	* Call the function again to check whether the
268	* sending window is fulled. In case ncalls == 0,
269	* it means we've sent CDN for all calls.
270	*/
271	ncalls = l2tp_ctrl_disconnect_all_calls(_this, 0);
272	}
273	}
274	if (ncalls > 0)
275	return ncalls;
276
277	if (l2tp_ctrl_send_StopCCN(_this, _this->active_closing) != 0)
278	return -1;
279	_this->active_closing = 0;
280
281	return 0;
282	}
283
284	/*
285	* Terminate the control connection
286	*
287	* <p>
288	* please specify an appropriate value to result( >0 ) for
289	* StopCCN ResultCode AVP, when to sent Active Close (which
290	* require StopCCN sent).</p>
291	* <p>
292	* When the return value of this function is zero, the _this
293	* is already released. The lt2p_ctrl process that was bound to it
294	* could not continue.
295	* When the return value of this function is one, the timer
296	* is reset.</p>
297	*
298	* @return return 0 if terminate process was completed.
299	*/
300	int
301	l2tp_ctrl_stop(l2tp_ctrl *_this, int result)
302	{
303	int i;
304	l2tpd *_l2tpd;
305
306	L2TP_CTRL_ASSERT(_this != NULL);
307
308	switch (_this->state) {
309	case L2TP_CTRL_STATE_ESTABLISHED3:
310	_this->state = L2TP_CTRL_STATE_CLEANUP_WAIT4;
311	if (result > 0) {
312	_this->active_closing = result;
313	l2tp_ctrl_send_disconnect_notify(_this);
314	break;
315	}
316	goto cleanup;
317	default:
318	l2tp_ctrl_log(_this, LOG_DEBUG7, "%s() unexpected state=%s",
319	__func__, l2tp_ctrl_state_string(_this));
320	/* FALLTHROUGH */
321	case L2TP_CTRL_STATE_WAIT_CTL_CONN1:
322	/* FALLTHROUGH */
323	case L2TP_CTRL_STATE_CLEANUP_WAIT4:
324	cleanup:
325	if (slist_length(&_this->call_list) != 0) {
326	if (l2tp_ctrl_disconnect_all_calls(_this, 1) > 0)
327	break;
328	}
329
330	l2tp_ctrl_log(_this, LOG_NOTICE5, "logtype=Finished");
331
332	evtimer_del(&_this->ev_timeout)event_del(&_this->ev_timeout);
333
334	/* free send buffer */
335	if (_this->snd_buffers != NULL((void*)0)) {
336	for (i = 0; i < _this->snd_buffercnt; i++)
337	bytebuffer_destroy(_this->snd_buffers[i]);
338	free(_this->snd_buffers);
339	_this->snd_buffers = NULL((void*)0);
340	}
341	if (_this->zlb_buffer != NULL((void*)0)) {
342	bytebuffer_destroy(_this->zlb_buffer);
343	_this->zlb_buffer = NULL((void*)0);
344	}
345
346	/* free l2tp_call */
347	l2tp_ctrl_destroy_all_calls(_this);
348	slist_fini(&_this->call_list);
349
350	l2tpd_remove_ctrl(_this->l2tpd, _this->tunnel_id);
351
352	_l2tpd = _this->l2tpd;
353	l2tp_ctrl_destroy(_this);
354
355	l2tpd_ctrl_finished_notify(_l2tpd);
356	return 0; /* stopped */
357	}
358	l2tp_ctrl_reset_timeout(_this);
359
360	return 1;
361	}
362
363	/* timeout processing */
364	static void
365	l2tp_ctrl_timeout(int fd, short evtype, void *ctx)
366	{
367	int next_timeout, need_resend;
368	time_t curr_time;
369	l2tp_ctrl *_this;
370	l2tp_call *call;
371
372	/*
373	* the timer must be reset, when leave this function.
374	* MEMO: l2tp_ctrl_stop() will reset the timer in it.
375	* and please remember that the l2tp_ctrl_stop() may free _this.
376	*/
377	_this = ctx;
378	L2TP_CTRL_ASSERT(_this != NULL);
379
380	curr_time = get_monosec()((time_t)(get_nanotime() / 1000000000LL));
381
382	next_timeout = 2;
383	need_resend = 0;
384
385	if (l2tp_ctrl_txwin_size(_this) > 0) {
386	if (_this->state == L2TP_CTRL_STATE_ESTABLISHED3) {
387	if (_this->hello_wait_ack != 0) {
388	/* wait Hello reply */
389	if (curr_time - _this->hello_io_time >=
390	_this->hello_timeout) {
391	l2tp_ctrl_log(_this, LOG_NOTICE5,
392	"timeout waiting ack for hello "
393	"packets.");
394	l2tp_ctrl_stop(_this,
395	L2TP_STOP_CCN_RCODE_GENERAL1);
396	return;
397	}
398	}
399	} else if (curr_time - _this->last_snd_ctrl >=
400	L2TP_CTRL_CTRL_PKT_TIMEOUT12) {
401	l2tp_ctrl_log(_this, LOG_NOTICE5,
402	"timeout waiting ack for ctrl packets.");
403	l2tp_ctrl_stop(_this,
404	L2TP_STOP_CCN_RCODE_GENERAL1);
405	return;
406	}
407	need_resend = 1;
408	} else {
409	for (slist_itr_first(&_this->call_list);
410	slist_itr_has_next(&_this->call_list);) {
411	call = slist_itr_next(&_this->call_list);
412	if (call->state == L2TP_CALL_STATE_CLEANUP_WAIT3) {
413	l2tp_call_destroy(call, 1);
414	slist_itr_remove(&_this->call_list);
415	}
416	}
417	}
418
419	switch (_this->state) {
420	case L2TP_CTRL_STATE_IDLE0:
421	/*
422	* idle:
423	* XXX: never happen in current implementation
424	*/
425	l2tp_ctrl_log(_this, LOG_ERR3,
426	"Internal error, timeout on illegal state=idle");
427	l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL1);
428	break;
429	case L2TP_CTRL_STATE_WAIT_CTL_CONN1:
430	/*
431	* wait-ctrl-conn:
432	* if there is no ack for SCCRP, the peer will
433	* resend SCCRQ. however this implementation can
434	* not recognize that the SCCRQ was resent or not.
435	* Therefore, never resent from this side.
436	*/
437	need_resend = 0;
438	break;
439	case L2TP_CTRL_STATE_ESTABLISHED3:
440	if (slist_length(&_this->call_list) == 0 &&
441	curr_time - _this->last_snd_ctrl >=
442	L2TP_CTRL_WAIT_CALL_TIMEOUT16) {
443	if (_this->ncalls == 0)
444	/* fail to receive first call */
445	l2tp_ctrl_log(_this, LOG_WARNING4,
446	"timeout waiting call");
447	l2tp_ctrl_stop(_this,
448	L2TP_STOP_CCN_RCODE_GENERAL1);
449	return;
450	}
451	if (_this->hello_wait_ack == 0 && _this->hello_interval > 0) {
452	/* send Hello */
453	if (curr_time - _this->hello_interval >=
454	_this->hello_io_time) {
455	if (l2tp_ctrl_send_HELLO(_this) == 0)
456	/* success */
457	_this->hello_wait_ack = 1;
458	_this->hello_io_time = curr_time;
459	need_resend = 0;
460	}
461	}
462	break;
463	case L2TP_CTRL_STATE_CLEANUP_WAIT4:
464	if (curr_time - _this->last_snd_ctrl >=
465	L2TP_CTRL_CLEANUP_WAIT_TIME3) {
466	l2tp_ctrl_log(_this, LOG_NOTICE5,
467	"Cleanup timeout state=%d", _this->state);
468	l2tp_ctrl_stop(_this, 0);
469	return;
470	}
471	if (_this->active_closing != 0)
472	l2tp_ctrl_send_disconnect_notify(_this);
473	break;
474	default:
475	l2tp_ctrl_log(_this, LOG_ERR3,
476	"Internal error, timeout on illegal state=%d",
477	_this->state);
478	l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL1);
479	return;
480	}
481	/* resend if required */
482	if (need_resend)
483	l2tp_ctrl_resend_una_packets(_this, true1);
484	l2tp_ctrl_reset_timeout(_this);
485	}
486
487	int
488	l2tp_ctrl_send(l2tp_ctrl _this, const void msg, int len)
489	{
490	int rval;
491
492	#ifdef USE_LIBSOCKUTIL
493	if (_this->sa_cookie != NULL((void*)0))
494	rval = sendfromto_nat_t(LISTENER_SOCK(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->sock, msg, len, 0,
495	(struct sockaddr *)&_this->sock,
496	(struct sockaddr *)&_this->peer, _this->sa_cookie);
497	else
498	rval = sendfromto(LISTENER_SOCK(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->sock, msg, len, 0,
499	(struct sockaddr *)&_this->sock,
500	(struct sockaddr *)&_this->peer);
501	#else
502	#ifdef USE_SA_COOKIE1
503	if (_this->sa_cookie != NULL((void*)0))
504	rval = sendto_nat_t(LISTENER_SOCK(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->sock, msg, len, 0,
505	(struct sockaddr *)&_this->peer, _this->peer.ss_len,
506	_this->sa_cookie);
507	else
508	#endif
509	rval = sendto(LISTENER_SOCK(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->sock, msg, len, 0,
510	(struct sockaddr *)&_this->peer, _this->peer.ss_len);
511	#endif
512	return rval;
513	}
514
515	/* resend una packets */
516	static int
517	l2tp_ctrl_resend_una_packets(l2tp_ctrl *_this, bool_Bool resend)
518	{
519	uint16_t seq;
520	bytebuffer *bytebuf;
521	struct l2tp_header *header;
522	int nsend;
523
524	nsend = 0;
525	for (seq = _this->snd_una; SEQ_LT(seq, _this->snd_nxt)((int16_t)((seq) - (_this->snd_nxt)) < 0); seq++) {
526	if (!l2tp_ctrl_in_peer_window(_this, seq))
527	break;
528	if (SEQ_LT(seq, _this->snd_last)((int16_t)((seq) - (_this->snd_last)) < 0) && !resend)
529	continue;
530	bytebuf = _this->snd_buffers[seq % _this->snd_buffercnt];
531	header = bytebuffer_pointer(bytebuf);
532	header->nr = htons(_this->rcv_nxt)(__uint16_t)(__builtin_constant_p(_this->rcv_nxt) ? (__uint16_t )(((__uint16_t)(_this->rcv_nxt) & 0xffU) << 8 \| ( (__uint16_t)(_this->rcv_nxt) & 0xff00U) >> 8) : __swap16md (_this->rcv_nxt));
533	_this->snd_lastnr = _this->rcv_nxt;
534	#ifdef L2TP_CTRL_DEBUG
535	if (debuglevel >= 3) {
536	l2tp_ctrl_log(_this, DEBUG_LEVEL_3( 3 << 24), "RESEND seq=%u",
537	ntohs(header->ns)(__uint16_t)(__builtin_constant_p(header->ns) ? (__uint16_t )(((__uint16_t)(header->ns) & 0xffU) << 8 \| ((__uint16_t )(header->ns) & 0xff00U) >> 8) : __swap16md(header ->ns)));
538	show_hd(debug_get_debugfp(),
539	bytebuffer_pointer(bytebuf),
540	bytebuffer_remaining(bytebuf));
541	}
542	#endif
543	if (l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf),
544	bytebuffer_remaining(bytebuf)) < 0) {
545	l2tp_ctrl_log(_this, LOG_ERR3,
546	"sendto() failed in %s: %m", __func__);
547	return -1;
548	}
549	nsend++;
550	}
551	return nsend;
552	}
553
554	/* free all calls */
555	static void
556	l2tp_ctrl_destroy_all_calls(l2tp_ctrl *_this)
557	{
558	l2tp_call *call;
559
560	L2TP_CTRL_ASSERT(_this != NULL);
561
562	while ((call = slist_remove_first(&_this->call_list)) != NULL((void*)0))
563	l2tp_call_destroy(call, 1);
564	}
565
566
567	/* disconnect all calls on the control context
568	* @return return # of calls that is not waiting cleanup.
569	*/
570	static int
571	l2tp_ctrl_disconnect_all_calls(l2tp_ctrl *_this, int drop)
572	{
573	int i, len, ncalls;
574	l2tp_call *call;
575
576	L2TP_CTRL_ASSERT(_this != NULL);
577
578	ncalls = 0;
579	len = slist_length(&_this->call_list);
580	for (i = 0; i < len; i++) {
581	call = slist_get(&_this->call_list, i);
582	if (call->state != L2TP_CALL_STATE_CLEANUP_WAIT3) {
583	ncalls++;
584	if (l2tp_ctrl_txwin_is_full(_this)) {
585	L2TP_CTRL_DBG((_this, LOG_INFO,
586	"Too many calls. Sending window is not "
587	"enough to send CDN to all clients."));
588	if (drop)
589	l2tp_call_drop(call);
590	} else
591	l2tp_call_admin_disconnect(call);
592	}
593	}
594	return ncalls;
595	}
596
597	/* reset timeout */
598	static void
599	l2tp_ctrl_reset_timeout(l2tp_ctrl *_this)
600	{
601	int intvl;
602	struct timeval tv0;
603
604	L2TP_CTRL_ASSERT(_this != NULL);
605
606	if (evtimer_initialized(&_this->ev_timeout)((&_this->ev_timeout)->ev_flags & 0x80))
607	evtimer_del(&_this->ev_timeout)event_del(&_this->ev_timeout);
608
609	switch (_this->state) {
610	case L2TP_CTRL_STATE_CLEANUP_WAIT4:
611	intvl = 1;
612	break;
613	default:
614	intvl = 2;
615	break;
616	}
617	tv0.tv_usec = 0;
618	tv0.tv_sec = intvl;
619	if (!evtimer_initialized(&_this->ev_timeout)((&_this->ev_timeout)->ev_flags & 0x80))
620	evtimer_set(&_this->ev_timeout, l2tp_ctrl_timeout, _this)event_set(&_this->ev_timeout, -1, 0, l2tp_ctrl_timeout , _this);
621	evtimer_add(&_this->ev_timeout, &tv0)event_add(&_this->ev_timeout, &tv0);
622	}
623
624	/*
625	* protocols / send and receive
626	*/
627	/* Receive packet */
628	void
629	l2tp_ctrl_input(l2tpd _this, int listener_index, struct sockaddr peer,
630	struct sockaddr sock, void nat_t_ctx, u_char *pkt, int pktlen)
631	{
632	int i, len, offsiz, reqlen, is_ctrl;
633	uint16_t mestype;
634	struct l2tp_avp avp, avp0;
635	l2tp_ctrl *ctrl;
636	l2tp_call *call;
637	char buf[L2TP_AVP_MAXSIZ1024], errmsg[256];
638	time_t curr_time;
639	u_char *pkt0;
640	struct l2tp_header hdr;
641	char hbuf[NI_MAXHOST256 + NI_MAXSERV32 + 16];
642
643	ctrl = NULL((void*)0);
644	curr_time = get_monosec()((time_t)(get_nanotime() / 1000000000LL));
645	pkt0 = pkt;
646
647	L2TP_CTRL_ASSERT(peer->sa_family == sock->sa_family);
648	L2TP_CTRL_ASSERT(peer->sa_family == AF_INET \|\|
649	peer->sa_family == AF_INET6)
650	/*
651	* Parse L2TP Header
652	*/
653	memset(&hdr, 0, sizeof(hdr));
654	if (pktlen < 2) {
655	snprintf(errmsg, sizeof(errmsg), "a short packet. "
656	"length=%d", pktlen);
657	goto bad_packet;
658	}
659	memcpy(&hdr, pkt, 2);
660	pkt += 2;
661	if (hdr.ver != L2TP_HEADER_VERSION_RFC26610x02) {
662	/* XXX: only RFC2661 is supported */
663	snprintf(errmsg, sizeof(errmsg),
664	"Unsupported version at header = %d", hdr.ver);
665	goto bad_packet;
666	}
667	is_ctrl = (hdr.t != 0)? 1 : 0;
668
669	/* calc required length */
670	reqlen = 6; /* for Flags, Tunnel-Id, Session-Id field */
671	if (hdr.l) reqlen += 2; /* for Length field (opt) */
672	if (hdr.s) reqlen += 4; /* for Ns, Nr field (opt) */
673	if (hdr.o) reqlen += 2; /* for Offset Size field (opt) */
674	if (reqlen > pktlen) {
675	snprintf(errmsg, sizeof(errmsg),
676	"a short packet. length=%d", pktlen);
677	goto bad_packet;
678	}
679
680	if (hdr.l != 0) {
681	GETSHORT(hdr.length, pkt){ hdr.length = (pkt)++ << 8; hdr.length \|= (pkt)++; };
682	if (hdr.length > pktlen) {
683	snprintf(errmsg, sizeof(errmsg),
684	"Actual packet size is smaller than the length "
685	"field %d < %d", pktlen, hdr.length);
686	goto bad_packet;
687	}
688	pktlen = hdr.length; /* remove trailing trash */
689	}
690	GETSHORT(hdr.tunnel_id, pkt){ hdr.tunnel_id = (pkt)++ << 8; hdr.tunnel_id \|= (pkt )++; };
691	GETSHORT(hdr.session_id, pkt){ hdr.session_id = (pkt)++ << 8; hdr.session_id \|= (pkt )++; };
692	if (hdr.s != 0) {
693	GETSHORT(hdr.ns, pkt){ hdr.ns = (pkt)++ << 8; hdr.ns \|= (pkt)++; };
694	GETSHORT(hdr.nr, pkt){ hdr.nr = (pkt)++ << 8; hdr.nr \|= (pkt)++; };
695	}
696	if (hdr.o != 0) {
697	GETSHORT(offsiz, pkt){ offsiz = (pkt)++ << 8; offsiz \|= (pkt)++; };
698	if (pktlen < offsiz) {
699	snprintf(errmsg, sizeof(errmsg),
700	"offset field is bigger than remaining packet "
701	"length %d > %d", offsiz, pktlen);
702	goto bad_packet;
703	}
704	pkt += offsiz;
705	}
706	L2TP_CTRL_ASSERT(pkt - pkt0 == reqlen);
707	pktlen -= (pkt - pkt0); /* cut down the length of header */
708
709	ctrl = NULL((void*)0);
710	memset(buf, 0, sizeof(buf));
711	mestype = 0;
712	avp = NULL((void*)0);
713
714	if (is_ctrl) {
715	avp0 = (struct l2tp_avp *)buf;
716	avp = avp_find_message_type_avp(avp0, pkt, pktlen);
717	if (avp != NULL((void*)0))
718	mestype = avp->attr_value[0] << 8 \| avp->attr_value[1];
719	}
720	ctrl = l2tpd_get_ctrl(_this, hdr.tunnel_id);
721
722	if (ctrl == NULL((void*)0)) {
723	/* new control */
724	if (!is_ctrl) {
725	snprintf(errmsg, sizeof(errmsg),
726	"bad data message: tunnelId=%d is not "
727	"found.", hdr.tunnel_id);
728	goto bad_packet;
729	}
730	if (mestype != L2TP_AVP_MESSAGE_TYPE_SCCRQ1) {
731	snprintf(errmsg, sizeof(errmsg),
732	"bad control message: tunnelId=%d is not "
733	"found. mestype=%s", hdr.tunnel_id,
734	avp_mes_type_string(mestype));
735	goto bad_packet;
736	}
737
738	if ((ctrl = l2tp_ctrl_create()) == NULL((void*)0)) {
739	l2tp_ctrl_log(ctrl, LOG_ERR3,
740	"l2tp_ctrl_create() failed: %m");
741	goto fail;
742	}
743
744	if (l2tp_ctrl_init(ctrl, _this, peer, sock, nat_t_ctx) != 0) {
745	l2tp_ctrl_log(ctrl, LOG_ERR3,
746	"l2tp_ctrl_start() failed: %m");
747	goto fail;
748	}
749
750	ctrl->listener_index = listener_index;
751	l2tp_ctrl_reload(ctrl);
752	} else {
753	/*
754	* treat as an error if src address and port is not
755	* match. (because it is potentially DoS attach)
756	*/
757	int notmatch = 0;
758
759	if (ctrl->peer.ss_family != peer->sa_family)
760	notmatch = 1;
761	else if (peer->sa_family == AF_INET2) {
762	if (SIN(peer)((struct sockaddr_in *)(peer))->sin_addr.s_addr !=
763	SIN(&ctrl->peer)((struct sockaddr_in *)(&ctrl->peer))->sin_addr.s_addr \|\|
764	SIN(peer)((struct sockaddr_in )(peer))->sin_port != SIN(&ctrl->peer)((struct sockaddr_in )(&ctrl->peer))->sin_port)
765	notmatch = 1;
766	} else if (peer->sa_family == AF_INET624) {
767	if (!IN6_ARE_ADDR_EQUAL(&(SIN6(peer)->sin6_addr),(memcmp(&(&(((struct sockaddr_in6 )(peer))->sin6_addr ))->__u6_addr.__u6_addr8[0], &(&(((struct sockaddr_in6 )(&ctrl->peer))->sin6_addr))->__u6_addr.__u6_addr8 [0], sizeof(struct in6_addr)) == 0)
768	&(SIN6(&ctrl->peer)->sin6_addr))(memcmp(&(&(((struct sockaddr_in6 )(peer))->sin6_addr ))->__u6_addr.__u6_addr8[0], &(&(((struct sockaddr_in6 )(&ctrl->peer))->sin6_addr))->__u6_addr.__u6_addr8 [0], sizeof(struct in6_addr)) == 0) \|\|
769	SIN6(peer)((struct sockaddr_in6 *)(peer))->sin6_port !=
770	SIN6(&ctrl->peer)((struct sockaddr_in6 *)(&ctrl->peer))->sin6_port)
771	notmatch = 1;
772	}
773	if (notmatch) {
774	snprintf(errmsg, sizeof(errmsg),
775	"tunnelId=%u is already assigned for %s",
776	hdr.tunnel_id, addrport_tostring(
777	(struct sockaddr *)&ctrl->peer,
778	ctrl->peer.ss_len, hbuf, sizeof(hbuf)));
779	goto bad_packet;
780	}
781	}
782	ctrl->last_rcv = curr_time;
783	call = NULL((void*)0);
784	if (hdr.session_id != 0) {
785	/* search l2tp_call by Session ID */
786	/* linear search is enough for this purpose */
787	len = slist_length(&ctrl->call_list);
788	for (i = 0; i < len; i++) {
789	call = slist_get(&ctrl->call_list, i);
790	if (call->session_id == hdr.session_id)
791	break;
792	call = NULL((void*)0);
793	}
794	}
795	if (!is_ctrl) {
796	int delayed = 0;
797
798	/* L2TP data */
799	if (ctrl->state != L2TP_CTRL_STATE_ESTABLISHED3) {
800	l2tp_ctrl_log(ctrl, LOG_WARNING4,
801	"Received Data packet in '%s'",
802	l2tp_ctrl_state_string(ctrl));
803	goto fail;
804	}
805	if (call == NULL((void*)0)) {
806	l2tp_ctrl_log(ctrl, LOG_WARNING4,
807	"Received a data packet but it has no call. "
808	"session_id=%u", hdr.session_id);
809	goto fail;
810	}
811	L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2,
812	"call=%u RECV ns=%u nr=%u snd_nxt=%u rcv_nxt=%u len=%d",
813	call->id, hdr.ns, hdr.nr, call->snd_nxt, call->rcv_nxt,
814	pktlen));
815	if (call->state != L2TP_CALL_STATE_ESTABLISHED2){
816	l2tp_ctrl_log(ctrl, LOG_WARNING4,
817	"Received a data packet but call is not "
818	"established");
819	goto fail;
820	}
821
822	if (hdr.s != 0) {
823	if (SEQ_LT(hdr.ns, call->rcv_nxt)((int16_t)((hdr.ns) - (call->rcv_nxt)) < 0)) {
824	if (SEQ_LT(hdr.ns,((int16_t)((hdr.ns) - (call->rcv_nxt - 64)) < 0)
825	call->rcv_nxt - L2TP_CALL_DELAY_LIMIT)((int16_t)((hdr.ns) - (call->rcv_nxt - 64)) < 0)) {
826	/* sequence number seems to be delayed */
827	/* XXX: need to log? */
828	L2TP_CTRL_DBG((ctrl, LOG_DEBUG,
829	"receive a out of sequence "
830	"data packet: %u < %u.",
831	hdr.ns, call->rcv_nxt));
832	return;
833	}
834	delayed = 1;
835	} else {
836	call->rcv_nxt = hdr.ns + 1;
837	}
838	}
839
840	l2tp_call_ppp_input(call, pkt, pktlen, delayed);
841
842	return;
843	}
844	if (hdr.s != 0) {
845	L2TP_CTRL_DBG((ctrl, DEBUG_LEVEL_2,
846	"RECV %s ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u "
847	"len=%d", (is_ctrl)? "C" : "", hdr.ns, hdr.nr,
848	ctrl->snd_nxt, ctrl->snd_una, ctrl->rcv_nxt, pktlen));
849
850	if (pktlen <= 0)
851	l2tp_ctrl_log(ctrl, LOG_INFO6, "RecvZLB");
852
853	if (SEQ_GT(hdr.nr, ctrl->snd_una)((int16_t)((hdr.nr) - (ctrl->snd_una)) > 0)) {
854	/* a new ack arrived */
855	if (SEQ_GT(hdr.nr, ctrl->snd_nxt)((int16_t)((hdr.nr) - (ctrl->snd_nxt)) > 0)) {
856	/* ack is proceeded us */
857	l2tp_ctrl_log(ctrl, LOG_INFO6,
858	"Received message has bad Nr field: "
859	"%u < %u", ctrl->snd_nxt, hdr.nr);
860	goto fail;
861	}
862	ctrl->snd_una = hdr.nr;
863	/* peer window is moved. send out pending packets */
864	l2tp_ctrl_resend_una_packets(ctrl, false0);
865	}
866	if (l2tp_ctrl_txwin_size(ctrl) <= 0) {
867	/* no waiting ack */
868	if (ctrl->hello_wait_ack != 0) {
869	/*
870	* Reset Hello state, as an ack for the Hello
871	* is received.
872	*/
873	ctrl->hello_wait_ack = 0;
874	ctrl->hello_io_time = curr_time;
875	}
876	switch (ctrl->state) {
877	case L2TP_CTRL_STATE_CLEANUP_WAIT4:
878	l2tp_ctrl_stop(ctrl, 0);
879	return;
880	}
881	}
882	if (hdr.ns != ctrl->rcv_nxt) {
883	/* there are remaining packet */
884	if (l2tp_ctrl_resend_una_packets(ctrl, true1) <= 0) {
885	/* resend or sent ZLB */
886	l2tp_ctrl_send_ZLB(ctrl);
887	}
888	#ifdef L2TP_CTRL_DEBUG
889	if (pktlen != 0) { /* not ZLB */
890	L2TP_CTRL_DBG((ctrl, LOG_DEBUG,
891	"receive out of sequence %u must be %u. "
892	"mestype=%s", hdr.ns, ctrl->rcv_nxt,
893	avp_mes_type_string(mestype)));
894	}
895	#endif
896	return;
897	}
898	if (pktlen <= 0)
899	return; /* ZLB */
900
901	if (!l2tp_ctrl_in_our_window(ctrl, hdr.ns)) {
902	l2tp_ctrl_log(ctrl, LOG_WARNING4,
903	"received message is outside of window. "
904	"ns=%d window=%u:%u",
905	hdr.ns, ctrl->snd_lastnr,
906	(uint16_t)(ctrl->snd_lastnr + ctrl->winsz - 1));
907	return;
908	}
909
910	ctrl->rcv_nxt++;
911	if (avp == NULL((void*)0)) {
912	l2tpd_log(_this, LOG_WARNING4,
913	"bad control message: no message-type AVP.");
914	goto fail;
915	}
916	}
917
918	/*
919	* state machine (RFC2661 pp. 56-57)
920	*/
921	switch (ctrl->state) {
922	case L2TP_CTRL_STATE_IDLE0:
923	switch (mestype) {
924	case L2TP_AVP_MESSAGE_TYPE_SCCRQ1:
925	if (l2tp_ctrl_recv_SCCRQ(ctrl, pkt, pktlen, _this,
926	peer) == 0) {
927	/* acceptable */
928	l2tp_ctrl_send_SCCRP(ctrl);
929	ctrl->state = L2TP_CTRL_STATE_WAIT_CTL_CONN1;
930	return;
931	}
932	/*
933	* in case un-acceptable, it was already processed
934	* at l2tcp_ctrl_recv_SCCRQ
935	*/
936	return;
937	case L2TP_AVP_MESSAGE_TYPE_SCCRP2:
938	/*
939	* RFC specifies that sent of StopCCN in the state,
940	* However as this implementation only support Passive
941	* open, this packet will not received.
942	*/
943	/* FALLTHROUGH */
944	case L2TP_AVP_MESSAGE_TYPE_SCCCN3:
945	default:
946	break;
947	}
948	goto fsm_fail;
949
950	case L2TP_CTRL_STATE_WAIT_CTL_CONN1:
951	/* Wait-Ctl-Conn */
952	switch (mestype) {
953	case L2TP_AVP_MESSAGE_TYPE_SCCCN3:
954	l2tp_ctrl_log(ctrl, LOG_INFO6, "RecvSCCN");
955	if (l2tp_ctrl_send_ZLB(ctrl) == 0) {
956	ctrl->state = L2TP_CTRL_STATE_ESTABLISHED3;
957	}
958	return;
959	case L2TP_AVP_MESSAGE_TYPE_StopCCN4:
960	goto receive_stop_ccn;
961	case L2TP_AVP_MESSAGE_TYPE_SCCRQ1:
962	case L2TP_AVP_MESSAGE_TYPE_SCCRP2:
963	default:
964	break;
965	}
966	break; /* fsm_fail */
967	case L2TP_CTRL_STATE_ESTABLISHED3:
968	/* Established */
969	switch (mestype) {
970	case L2TP_AVP_MESSAGE_TYPE_SCCCN3:
971	case L2TP_AVP_MESSAGE_TYPE_SCCRQ1:
972	case L2TP_AVP_MESSAGE_TYPE_SCCRP2:
973	break;
974	receive_stop_ccn:
975	case L2TP_AVP_MESSAGE_TYPE_StopCCN4:
976	l2tp_ctrl_recv_StopCCN(ctrl, pkt, pktlen);
977	l2tp_ctrl_send_ZLB(ctrl);
978	l2tp_ctrl_stop(ctrl, 0);
979	return;
980
981	case L2TP_AVP_MESSAGE_TYPE_HELLO6:
982	l2tp_ctrl_send_ZLB(ctrl);
983	return;
984	case L2TP_AVP_MESSAGE_TYPE_CDN14:
985	case L2TP_AVP_MESSAGE_TYPE_ICRP11:
986	case L2TP_AVP_MESSAGE_TYPE_ICCN12:
987	if (call == NULL((void*)0)) {
988	l2tp_ctrl_log(ctrl, LOG_INFO6,
989	"Unknown call message: %s",
990	avp_mes_type_string(mestype));
991	goto fail;
992	}
993	/* FALLTHROUGH */
994	case L2TP_AVP_MESSAGE_TYPE_ICRQ10:
995	l2tp_call_recv_packet(ctrl, call, mestype, pkt,
996	pktlen);
997	return;
998	default:
999	break;
1000	}
1001	break; /* fsm_fail */
1002	case L2TP_CTRL_STATE_CLEANUP_WAIT4:
1003	if (mestype == L2TP_AVP_MESSAGE_TYPE_StopCCN4) {
1004	/*
1005	* We left ESTABLISHED state, but the peer sent StopCCN.
1006	*/
1007	goto receive_stop_ccn;
1008	}
1009	break; /* fsm_fail */
1010	}
1011
1012	fsm_fail:
1013	/* state machine error */
1014	l2tp_ctrl_log(ctrl, LOG_WARNING4, "Received %s in '%s' state",
1015	avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl));
1016	l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_FSM_ERROR7);
1017
1018	return;
1019	fail:
1020	if (ctrl != NULL((void*)0) && mestype != 0) {
1021	l2tp_ctrl_log(ctrl, LOG_WARNING4, "Received %s in '%s' state",
1022	avp_mes_type_string(mestype), l2tp_ctrl_state_string(ctrl));
1023	l2tp_ctrl_stop(ctrl, L2TP_STOP_CCN_RCODE_GENERAL_ERROR2);
1024	}
1025	return;
1026
1027	bad_packet:
1028	l2tpd_log(_this, LOG_INFO6, "Received from=%s: %s",
1029	addrport_tostring(peer, peer->sa_len, hbuf, sizeof(hbuf)), errmsg);
1030
1031	return;
1032	}
1033
1034	static int
1035	l2tp_ctrl_txwin_size(l2tp_ctrl *_this)
1036	{
1037	uint16_t sz;
1038
1039	sz = _this->snd_nxt - _this->snd_una;
1040
1041	L2TP_CTRL_ASSERT(sz <= _this->buffercnt);
1042
1043	return sz;
1044	}
1045
1046	static bool_Bool
1047	l2tp_ctrl_txwin_is_full(l2tp_ctrl *_this)
1048	{
1049	return (l2tp_ctrl_txwin_size(_this) >= _this->snd_buffercnt)? 1 : 0;
1050	}
1051
1052	static bool_Bool
1053	l2tp_ctrl_in_peer_window(l2tp_ctrl *_this, uint16_t seq)
1054	{
1055	uint16_t off;
1056	int winsz;
1057
1058	winsz = MINIMUM(_this->winsz, _this->peer_winsz)(((_this->winsz) < (_this->peer_winsz)) ? (_this-> winsz) : (_this->peer_winsz));
1059	off = seq - _this->snd_una;
1060
1061	return ((off < winsz)? true1 : false0);
1062	}
1063
1064	static bool_Bool
1065	l2tp_ctrl_in_our_window(l2tp_ctrl *_this, uint16_t seq)
1066	{
1067	uint16_t off;
1068
1069	off = seq - _this->snd_lastnr;
1070
1071	return ((off < _this->winsz)? true1 : false0);
1072	}
1073	/* send control packet */
1074	int
1075	l2tp_ctrl_send_packet(l2tp_ctrl _this, int call_id, bytebuffer bytebuf)
1076	{
1077	struct l2tp_header *hdr;
1078	int rval;
1079	time_t curr_time;
1080	uint16_t seq;
1081
1082	curr_time = get_monosec()((time_t)(get_nanotime() / 1000000000LL));
1083
1084	bytebuffer_flip(bytebuf);
1085	hdr = (struct l2tp_header *)bytebuffer_pointer(bytebuf);
1086	memset(hdr, 0, sizeof(*hdr));
1087
1088	hdr->t = 1;
1089	hdr->ver = L2TP_HEADER_VERSION_RFC26610x02;
1090	hdr->l = 1;
1091	hdr->length = htons(bytebuffer_remaining(bytebuf))(__uint16_t)(__builtin_constant_p(bytebuffer_remaining(bytebuf )) ? (__uint16_t)(((__uint16_t)(bytebuffer_remaining(bytebuf) ) & 0xffU) << 8 \| ((__uint16_t)(bytebuffer_remaining (bytebuf)) & 0xff00U) >> 8) : __swap16md(bytebuffer_remaining (bytebuf)));
1092	hdr->tunnel_id = htons(_this->peer_tunnel_id)(__uint16_t)(__builtin_constant_p(_this->peer_tunnel_id) ? (__uint16_t)(((__uint16_t)(_this->peer_tunnel_id) & 0xffU ) << 8 \| ((__uint16_t)(_this->peer_tunnel_id) & 0xff00U ) >> 8) : __swap16md(_this->peer_tunnel_id));
1093	hdr->session_id = htons(call_id)(__uint16_t)(__builtin_constant_p(call_id) ? (__uint16_t)(((__uint16_t )(call_id) & 0xffU) << 8 \| ((__uint16_t)(call_id) & 0xff00U) >> 8) : __swap16md(call_id));
1094
1095	hdr->s = 1;
1096	seq = _this->snd_nxt;
1097	hdr->ns = htons(seq)(__uint16_t)(__builtin_constant_p(seq) ? (__uint16_t)(((__uint16_t )(seq) & 0xffU) << 8 \| ((__uint16_t)(seq) & 0xff00U ) >> 8) : __swap16md(seq));
1098	hdr->nr = htons(_this->rcv_nxt)(__uint16_t)(__builtin_constant_p(_this->rcv_nxt) ? (__uint16_t )(((__uint16_t)(_this->rcv_nxt) & 0xffU) << 8 \| ( (__uint16_t)(_this->rcv_nxt) & 0xff00U) >> 8) : __swap16md (_this->rcv_nxt));
1099
1100	if (bytebuffer_remaining(bytebuf) > sizeof(struct l2tp_header))
1101	/* Not ZLB */
1102	_this->snd_nxt++;
1103
1104	if (!l2tp_ctrl_in_peer_window(_this, seq))
1105	return (0);
1106
1107	L2TP_CTRL_DBG((_this, DEBUG_LEVEL_2,
1108	"SEND C ns=%u nr=%u snd_nxt=%u snd_una=%u rcv_nxt=%u ",
1109	ntohs(hdr->ns), htons(hdr->nr),
1110	_this->snd_nxt, _this->snd_una, _this->rcv_nxt));
1111
1112	if (L2TP_CTRL_CONF(_this)((l2tpd_listener *)slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->ctrl_out_pktdump != 0) {
1113	l2tpd_log(_this->l2tpd, LOG_DEBUG7,
1114	"L2TP Control output packet dump");
1115	show_hd(debug_get_debugfp(), bytebuffer_pointer(bytebuf),
1116	bytebuffer_remaining(bytebuf));
1117	}
1118
1119	if ((rval = l2tp_ctrl_send(_this, bytebuffer_pointer(bytebuf),
1120	bytebuffer_remaining(bytebuf))) < 0) {
1121	L2TP_CTRL_DBG((_this, LOG_DEBUG, "sendto() failed: %m"));
1122	}
1123
1124	_this->snd_lastnr = _this->rcv_nxt;
1125	_this->last_snd_ctrl = curr_time;
1126	_this->snd_last = seq;
1127
1128	return (rval == bytebuffer_remaining(bytebuf))? 0 : 1;
1129	}
1130
1131	/*
1132	* receiver SCCRQ
1133	*/
1134	static int
1135	l2tp_ctrl_recv_SCCRQ(l2tp_ctrl _this, u_char pkt, int pktlen, l2tpd *_l2tpd,
1136	struct sockaddr *peer)
1137	{
1138	int avpsz, len, protover, protorev, firmrev, result;
1139	struct l2tp_avp *avp;
1140	char host[NI_MAXHOST256], serv[NI_MAXSERV32];
1141	char buf[L2TP_AVP_MAXSIZ1024], emes[256], hostname[256], vendorname[256];
1142
1143	result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR2;
1144	strlcpy(hostname, "(no hostname)", sizeof(hostname));
1145	strlcpy(vendorname, "(no vendorname)", sizeof(vendorname));
1146
1147	_this->peer_winsz = 4; /* default is 4 in RFC 2661 */
1148	firmrev = 0;
1149	protover = 0;
1150	protorev = 0;
1151	avp = (struct l2tp_avp *)buf;
1152	while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) {
1153	pkt += avpsz;
1154	pktlen -= avpsz;
1155	if (avp->vendor_id != 0) {
1156	L2TP_CTRL_DBG((_this, LOG_DEBUG,
1157	"Received a Vendor-specific AVP vendor-id=%d "
1158	"type=%d", avp->vendor_id, avp->attr_type));
1159	continue;
1160	}
1161	switch (avp->attr_type) {
1162	case L2TP_AVP_TYPE_MESSAGE_TYPE0:
1163	AVP_SIZE_CHECK(avp, ==, 8)do { if (!((avp)->length == (8))) { snprintf(emes, sizeof( emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (8)); goto size_check_failed ; } } while ( 0);
1164	continue;
1165	case L2TP_AVP_TYPE_PROTOCOL_VERSION2:
1166	AVP_SIZE_CHECK(avp, ==, 8)do { if (!((avp)->length == (8))) { snprintf(emes, sizeof( emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (8)); goto size_check_failed ; } } while ( 0);
1167	protover = avp->attr_value[0];
1168	protorev = avp->attr_value[1];
1169
1170	if (protover != L2TP_RFC2661_VERSION1 \|\|
1171	protorev != L2TP_RFC2661_REVISION0) {
1172	result = L2TP_STOP_CCN_RCODE_GENERAL_ERROR2;
1173	snprintf(emes, sizeof(emes),
1174	"Peer's protocol version is not supported:"
1175	" %d.%d", protover, protorev);
1176	goto not_acceptable;
1177	}
1178	continue;
1179	case L2TP_AVP_TYPE_FRAMING_CAPABILITIES3:
1180	AVP_SIZE_CHECK(avp, ==, 10)do { if (!((avp)->length == (10))) { snprintf(emes, sizeof (emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (10)); goto size_check_failed ; } } while ( 0);
1181	if ((avp_get_val32(avp) & L2TP_FRAMING_CAP_FLAGS_SYNC0x00000001)
1182	== 0) {
1183	L2TP_CTRL_DBG((_this, LOG_DEBUG, "Peer doesn't "
1184	"support synchronous framing"));
1185	}
1186	continue;
1187	case L2TP_AVP_TYPE_BEARER_CAPABILITIES4:
1188	AVP_SIZE_CHECK(avp, ==, 10)do { if (!((avp)->length == (10))) { snprintf(emes, sizeof (emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (10)); goto size_check_failed ; } } while ( 0);
1189	continue;
1190	case L2TP_AVP_TYPE_TIE_BREAKER5:
1191	AVP_SIZE_CHECK(avp, ==, 14)do { if (!((avp)->length == (14))) { snprintf(emes, sizeof (emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (14)); goto size_check_failed ; } } while ( 0);
1192	/*
1193	* As the implementation never send SCCRQ,
1194	* the peer is always winner
1195	*/
1196	continue;
1197	case L2TP_AVP_TYPE_FIRMWARE_REVISION6:
1198	AVP_SIZE_CHECK(avp, >=, 6)do { if (!((avp)->length >= (6))) { snprintf(emes, sizeof (emes), "invalid packet size %s %d" ">=" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (6)); goto size_check_failed ; } } while ( 0);
1199	firmrev = avp_get_val16(avp);
1200	continue;
1201	case L2TP_AVP_TYPE_HOST_NAME7:
1202	AVP_SIZE_CHECK(avp, >, 4)do { if (!((avp)->length > (4))) { snprintf(emes, sizeof (emes), "invalid packet size %s %d" ">" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (4)); goto size_check_failed ; } } while ( 0);
1203	len = MINIMUM(sizeof(hostname) - 1, avp->length - 6)(((sizeof(hostname) - 1) < (avp->length - 6)) ? (sizeof (hostname) - 1) : (avp->length - 6));
1204	memcpy(hostname, avp->attr_value, len);
1205	hostname[len] = '\0';
1206	continue;
1207	case L2TP_AVP_TYPE_VENDOR_NAME8:
1208	AVP_SIZE_CHECK(avp, >, 4)do { if (!((avp)->length > (4))) { snprintf(emes, sizeof (emes), "invalid packet size %s %d" ">" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (4)); goto size_check_failed ; } } while ( 0);
1209	len = MINIMUM(sizeof(vendorname) - 1, avp->length - 6)(((sizeof(vendorname) - 1) < (avp->length - 6)) ? (sizeof (vendorname) - 1) : (avp->length - 6));
1210	memcpy(vendorname, avp->attr_value, len);
1211	vendorname[len] = '\0';
1212	continue;
1213	case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID9:
1214	AVP_SIZE_CHECK(avp, ==, 8)do { if (!((avp)->length == (8))) { snprintf(emes, sizeof( emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (8)); goto size_check_failed ; } } while ( 0);
1215	_this->peer_tunnel_id = avp_get_val16(avp);
1216	continue;
1217	case L2TP_AVP_TYPE_RECV_WINDOW_SIZE10:
1218	AVP_SIZE_CHECK(avp, ==, 8)do { if (!((avp)->length == (8))) { snprintf(emes, sizeof( emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (8)); goto size_check_failed ; } } while ( 0);
1219	_this->peer_winsz = avp_get_val16(avp);
1220	continue;
1221	}
1222	if (avp->is_mandatory) {
1223	l2tp_ctrl_log(_this, LOG_WARNING4,
1224	"Received AVP (%s/%d) is not supported, but it's "
1225	"mandatory", avp_attr_type_string(avp->attr_type),
1226	avp->attr_type);
1227	#ifdef L2TP_CTRL_DEBUG
1228	} else {
1229	L2TP_CTRL_DBG((_this, LOG_DEBUG,
1230	"AVP (%s/%d) is not handled",
1231	avp_attr_type_string(avp->attr_type),
1232	avp->attr_type));
1233	#endif
1234	}
1235	}
1236	if (getnameinfo((struct sockaddr *)&_this->peer, _this->peer.ss_len,
1237	host, sizeof(host), serv, sizeof(serv),
1238	NI_NUMERICHOST1 \| NI_NUMERICSERV2 \| NI_DGRAM16) != 0) {
1239	l2tp_ctrl_log(_this, LOG_ERR3,
1240	"getnameinfo() failed at %s(): %m", __func__);
1241	strlcpy(host, "error", sizeof(host));
1242	strlcpy(serv, "error", sizeof(serv));
1243	}
1244	l2tp_ctrl_log(_this, LOG_NOTICE5, "logtype=Started RecvSCCRQ "
1245	"from=%s:%s/udp tunnel_id=%u/%u protocol=%d.%d winsize=%d "
1246	"hostname=%s vendor=%s firm=%04X", host, serv, _this->tunnel_id,
1247	_this->peer_tunnel_id, protover, protorev, _this->peer_winsz,
1248	hostname, vendorname, firmrev);
1249
1250	if (_this->peer_winsz == 0)
1251	_this->peer_winsz = 1;
1252
1253	return 0;
1254	not_acceptable:
1255	size_check_failed:
1256	l2tp_ctrl_log(_this, LOG_ERR3, "Received bad SCCRQ: %s", emes);
1257	l2tp_ctrl_stop(_this, result);
1258
1259	return 1;
1260	}
1261
1262	/*
1263	* send StopCCN
1264	*/
1265	static int
1266	l2tp_ctrl_send_StopCCN(l2tp_ctrl *_this, int result)
1267	{
1268	struct l2tp_avp *avp;
1269	char buf[L2TP_AVP_MAXSIZ1024];
1270	bytebuffer *bytebuf;
1271
1272	if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL((void*)0)) {
1273	l2tp_ctrl_log(_this, LOG_ERR3,
1274	"sending StopCCN failed: no buffer.");
1275	return -1;
1276	}
1277	avp = (struct l2tp_avp *)buf;
1278
1279	/* Message Type = StopCCN */
1280	memset(avp, 0, sizeof(*avp));
1281	avp->is_mandatory = 1;
1282	avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE0;
1283	avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_StopCCN4);
1284	bytebuf_add_avp(bytebuf, avp, 2);
1285
1286	/* Assigned Tunnel Id */
1287	memset(avp, 0, sizeof(*avp));
1288	avp->is_mandatory = 1;
1289	avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID9;
1290	avp_set_val16(avp, _this->tunnel_id);
1291	bytebuf_add_avp(bytebuf, avp, 2);
1292
1293	/* Result Code */
1294	memset(avp, 0, sizeof(*avp));
1295	avp->is_mandatory = 1;
1296	avp->attr_type = L2TP_AVP_TYPE_RESULT_CODE1;
1297	avp_set_val16(avp, result);
1298	bytebuf_add_avp(bytebuf, avp, 2);
1299
1300	if (l2tp_ctrl_send_packet(_this, 0, bytebuf) != 0) {
1301	l2tp_ctrl_log(_this, LOG_ERR3, "sending StopCCN failed");
1302	return - 1;
1303	}
1304	l2tp_ctrl_log(_this, LOG_INFO6, "SendStopCCN result=%d", result);
1305
1306	return 0;
1307	}
1308
1309	/*
1310	* Receiver StopCCN
1311	*/
1312	static int
1313	l2tp_ctrl_recv_StopCCN(l2tp_ctrl _this, u_char pkt, int pktlen)
1314	{
1315	int result, error, avpsz, len;
1316	uint16_t tunid;
1317	struct l2tp_avp *avp;
1318	char buf[L2TP_AVP_MAXSIZ1024 + 16], emes[256], pmes[256];
1319
1320	result = 0;
1321	error = 0;
1322	tunid = 0;
1323	pmes[0] = '\0';
1324	avp = (struct l2tp_avp *)buf;
1325	while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, 1)) > 0) {
1326	pkt += avpsz;
1327	pktlen -= avpsz;
1328	if (avp->vendor_id != 0) {
1329	L2TP_CTRL_DBG((_this, LOG_DEBUG,
1330	"Received a Vendor-specific AVP vendor-id=%d "
1331	"type=%d", avp->vendor_id, avp->attr_type));
1332	continue;
1333	}
1334	if (avp->is_hidden != 0) {
1335	l2tp_ctrl_log(_this, LOG_WARNING4,
1336	"Received AVP (%s/%d) is hidden. But we don't "
1337	"share secret.",
1338	avp_attr_type_string(avp->attr_type),
1339	avp->attr_type);
1340	if (avp->is_mandatory != 0) {
1341	l2tp_ctrl_stop(_this,
1342	L2TP_STOP_CCN_RCODE_GENERAL_ERROR2 \|
1343	L2TP_ECODE_UNKNOWN_MANDATORY_AVP8);
1344	return 1;
1345	}
1346	continue;
1347	}
1348	switch (avp->attr_type) {
1349	case L2TP_AVP_TYPE_MESSAGE_TYPE0:
1350	AVP_SIZE_CHECK(avp, ==, 8)do { if (!((avp)->length == (8))) { snprintf(emes, sizeof( emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (8)); goto size_check_failed ; } } while ( 0);
1351	continue;
1352	case L2TP_AVP_TYPE_RESULT_CODE1:
1353	AVP_SIZE_CHECK(avp, >=, 8)do { if (!((avp)->length >= (8))) { snprintf(emes, sizeof (emes), "invalid packet size %s %d" ">=" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (8)); goto size_check_failed ; } } while ( 0);
1354	result = avp->attr_value[0] << 8 \| avp->attr_value[1];
1355	if (avp->length >= 10) {
1356	error = avp->attr_value[2] << 8 \|
1357	avp->attr_value[3];
1358	len = avp->length - 12;
1359	if (len > 0) {
1360	len = MINIMUM(len, sizeof(pmes) - 1)(((len) < (sizeof(pmes) - 1)) ? (len) : (sizeof(pmes) - 1) );
1361	memcpy(pmes, &avp->attr_value[4], len);
1362	pmes[len] = '\0';
1363	}
1364	}
1365	continue;
1366	case L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID9:
1367	AVP_SIZE_CHECK(avp, ==, 8)do { if (!((avp)->length == (8))) { snprintf(emes, sizeof( emes), "invalid packet size %s %d" "==" "%d)", avp_attr_type_string ((avp)->attr_type), (avp)->length, (8)); goto size_check_failed ; } } while ( 0);
1368	tunid = avp_get_val16(avp);
1369	continue;
1370	default:
1371	if (avp->is_mandatory != 0) {
1372	l2tp_ctrl_log(_this, LOG_WARNING4,
1373	"Received AVP (%s/%d) is not supported, "
1374	"but it's mandatory",
1375	avp_attr_type_string(avp->attr_type),
1376	avp->attr_type);
1377	#ifdef L2TP_CTRL_DEBUG
1378	} else {
1379	L2TP_CTRL_DBG((_this, LOG_DEBUG,
1380	"AVP (%s/%d) is not handled",
1381	avp_attr_type_string(avp->attr_type),
1382	avp->attr_type));
1383	#endif
1384	}
1385	}
1386	}
1387
1388	if (result == L2TP_CDN_RCODE_ERROR_CODE2 &&
1389	error == L2TP_ECODE_NO_RESOURCE4) {
1390	/*
1391	* Memo:
1392	* This state may be happen in following state.
1393	* - lots of connect/disconnect by long-running
1394	* windows2000, sometimes it fall to this state.
1395	* Once it fall to here, connection will fail till
1396	* the windows rebooted
1397	*/
1398	l2tp_ctrl_log(_this, LOG_WARNING4,
1399	"Peer indicates \"No Resource\" error.");
1400	}
1401
1402	l2tp_ctrl_log(_this, LOG_INFO6, "RecvStopCCN result=%s/%u "
1403	"error=%s/%u tunnel_id=%u message=\"%s\"",
1404	l2tp_stopccn_rcode_string(result), result,
1405	l2tp_ecode_string(error), error, tunid, pmes);
1406
1407	return 0;
1408
1409	size_check_failed:
1410	l2tp_ctrl_log(_this, LOG_ERR3, "Received bad StopCCN: %s", emes);
1411
1412	return -1;
1413	}
1414
1415	/*
1416	* send SCCRP
1417	*/
1418	static void
1419	l2tp_ctrl_send_SCCRP(l2tp_ctrl *_this)
1420	{
1421	int len;
1422	struct l2tp_avp *avp;
1423	char buf[L2TP_AVP_MAXSIZ1024], hbuf[HOST_NAME_MAX255+1];
1424	const char *val;
1425	bytebuffer *bytebuf;
1426
1427	if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL((void*)0)) {
1428	l2tp_ctrl_log(_this, LOG_ERR3,
1429	"sending SCCRP failed: no buffer.");
1430	return;
1431	}
1432	avp = (struct l2tp_avp *)buf;
1433
1434	/* Message Type = SCCRP */
1435	memset(avp, 0, sizeof(*avp));
1436	avp->is_mandatory = 1;
1437	avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE0;
1438	avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_SCCRP2);
1439	bytebuf_add_avp(bytebuf, avp, 2);
1440
1441	/* Protocol Version = 1.0 */
1442	memset(avp, 0, sizeof(*avp));
1443	avp->is_mandatory = 1;
1444	avp->attr_type = L2TP_AVP_TYPE_PROTOCOL_VERSION2;
1445	avp->attr_value[0] = L2TP_RFC2661_VERSION1;
1446	avp->attr_value[1] = L2TP_RFC2661_REVISION0;
1447	bytebuf_add_avp(bytebuf, avp, 2);
1448
1449	/* Framing Capability = Async */
1450	memset(avp, 0, sizeof(*avp));
1451	avp->is_mandatory = 1;
1452	avp->attr_type = L2TP_AVP_TYPE_FRAMING_CAPABILITIES3;
1453	avp_set_val32(avp, L2TP_FRAMING_CAP_FLAGS_SYNC0x00000001);
1454	bytebuf_add_avp(bytebuf, avp, 4);
1455
1456	/* Host Name */
1457	memset(avp, 0, sizeof(*avp));
1458	avp->is_mandatory = 1;
1459	avp->attr_type = L2TP_AVP_TYPE_HOST_NAME7;
1460	if ((val = L2TP_CTRL_CONF(_this)((l2tpd_listener )slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->hostname) == NULL((void)0)) {
1461	gethostname(hbuf, sizeof(hbuf));
1462	val = hbuf;
1463	}
1464	len = strlen(val);
1465	memcpy(avp->attr_value, val, len);
1466	bytebuf_add_avp(bytebuf, avp, len);
1467
1468	/* Assigned Tunnel Id */
1469	memset(avp, 0, sizeof(*avp));
1470	avp->is_mandatory = 1;
1471	avp->attr_type = L2TP_AVP_TYPE_ASSINGED_TUNNEL_ID9;
1472	avp_set_val16(avp, _this->tunnel_id);
1473	bytebuf_add_avp(bytebuf, avp, 2);
1474
1475	/* Bearer Capability
1476	* This implementation never act as LAC.
1477	*
1478	memset(avp, 0, sizeof(*avp));
1479	avp->is_mandatory = 1;
1480	avp->attr_type = L2TP_AVP_TYPE_BEARER_CAPABILITIES;
1481	avp_set_val32(avp, 0);
1482	bytebuf_add_avp(bytebuf, avp, 4);
1483	*/
1484
1485	/* Firmware Revision */
1486	memset(avp, 0, sizeof(*avp));
1487	avp->is_mandatory = 0;
1488	avp->attr_type = L2TP_AVP_TYPE_FIRMWARE_REVISION6;
1489	avp->attr_value[0] = MAJOR_VERSION5;
1490	avp->attr_value[1] = MINOR_VERSION2;
1491	bytebuf_add_avp(bytebuf, avp, 2);
1492
1493	/* Vendor Name */
1494	if ((val = L2TP_CTRL_CONF(_this)((l2tpd_listener )slist_get(&(_this)->l2tpd->listener , (_this)->listener_index))->conf->vendor_name) != NULL((void)0)) {
1495	memset(avp, 0, sizeof(*avp));
1496	avp->is_mandatory = 0;
1497	avp->attr_type = L2TP_AVP_TYPE_VENDOR_NAME8;
1498
1499	len = strlen(val);
1500	memcpy(avp->attr_value, val, len);
1501	bytebuf_add_avp(bytebuf, avp, len);
1502	}
1503
1504	/* Window Size */
1505	memset(avp, 0, sizeof(*avp));
1506	avp->is_mandatory = 1;
1507	avp->attr_type = L2TP_AVP_TYPE_RECV_WINDOW_SIZE10;
1508	avp_set_val16(avp, _this->winsz);
1509	bytebuf_add_avp(bytebuf, avp, 2);
1510
1511	if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) {
1512	l2tp_ctrl_log(_this, LOG_ERR3, "sending SCCRP failed");
1513	l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL1);
1514	return;
1515	}
1516	l2tp_ctrl_log(_this, LOG_INFO6, "SendSCCRP");
1517	}
1518
1519	static int
1520	l2tp_ctrl_send_HELLO(l2tp_ctrl *_this)
1521	{
1522	struct l2tp_avp *avp;
1523	char buf[L2TP_AVP_MAXSIZ1024];
1524	bytebuffer *bytebuf;
1525
1526	if ((bytebuf = l2tp_ctrl_prepare_snd_buffer(_this, 1)) == NULL((void*)0)) {
1527	l2tp_ctrl_log(_this, LOG_ERR3,
1528	"sending HELLO failed: no buffer.");
1529	return 1;
1530	}
1531	avp = (struct l2tp_avp *)buf;
1532
1533	/* Message Type = HELLO */
1534	memset(avp, 0, sizeof(*avp));
1535	avp->is_mandatory = 1;
1536	avp->attr_type = L2TP_AVP_TYPE_MESSAGE_TYPE0;
1537	avp_set_val16(avp, L2TP_AVP_MESSAGE_TYPE_HELLO6);
1538	bytebuf_add_avp(bytebuf, avp, 2);
1539
1540	if ((l2tp_ctrl_send_packet(_this, 0, bytebuf)) != 0) {
1541	l2tp_ctrl_log(_this, LOG_ERR3, "sending HELLO failed");
1542	l2tp_ctrl_stop(_this, L2TP_STOP_CCN_RCODE_GENERAL1);
1543	return 1;
1544	}
1545	l2tp_ctrl_log(_this, LOG_DEBUG7, "SendHELLO");
1546
1547	return 0;
1548	}
1549
1550	/* Send ZLB */
1551	static int
1552	l2tp_ctrl_send_ZLB(l2tp_ctrl *_this)
1553	{
1554	int loglevel;
1555
1556	loglevel = (_this->state == L2TP_CTRL_STATE_ESTABLISHED3)
1557	? LOG_DEBUG7 : LOG_INFO6;
1558	l2tp_ctrl_log(_this, loglevel, "SendZLB");
1559	bytebuffer_clear(_this->zlb_buffer);
1560	bytebuffer_put(_this->zlb_buffer, BYTEBUFFER_PUT_DIRECT,
1561	sizeof(struct l2tp_header));
1562
1563	return l2tp_ctrl_send_packet(_this, 0, _this->zlb_buffer);
1564	}
1565
1566	/*
1567	* Utitlity
1568	*/
1569
1570	/**
1571	* Prepare send buffer
1572	* @return return Null when the send buffer exceed Window.
1573	*/
1574	bytebuffer *
1575	l2tp_ctrl_prepare_snd_buffer(l2tp_ctrl *_this, int with_seq)
1576	{
1577	bytebuffer *bytebuf;
1578
1579	L2TP_CTRL_ASSERT(_this != NULL);
1580
1581	if (l2tp_ctrl_txwin_is_full(_this)) {
1582	l2tp_ctrl_log(_this, LOG_INFO6, "sending buffer is full.");
1583	return NULL((void*)0);
1584	}
1585	bytebuf = _this->snd_buffers[_this->snd_nxt % _this->snd_buffercnt];
1586	bytebuffer_clear(bytebuf);
1587	if (with_seq)
1588	bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT,
1589	sizeof(struct l2tp_header));
1590	else
1591	bytebuffer_put(bytebuf, BYTEBUFFER_PUT_DIRECT,
1592	offsetof(struct l2tp_header, ns)__builtin_offsetof(struct l2tp_header, ns));
1593
1594	return bytebuf;
1595	}
1596
1597	/**
1598	* return current state as strings
1599	*/
1600	static inline const char *
1601	l2tp_ctrl_state_string(l2tp_ctrl *_this)
1602	{
1603	switch (_this->state) {
1604	case L2TP_CTRL_STATE_IDLE0: return "idle";
1605	case L2TP_CTRL_STATE_WAIT_CTL_CONN1: return "wait-ctl-conn";
1606	case L2TP_CTRL_STATE_WAIT_CTL_REPLY2: return "wait-ctl-reply";
1607	case L2TP_CTRL_STATE_ESTABLISHED3: return "established";
1608	case L2TP_CTRL_STATE_CLEANUP_WAIT4: return "cleanup-wait";
1609	}
1610	return "unknown";
1611	}
1612
1613	/* logging with the label of the l2tp instance. */
1614	void
1615	l2tp_ctrl_log(l2tp_ctrl _this, int prio, const char fmt, ...)
1616	{
1617	char logbuf[BUFSIZ1024];
1618	va_list ap;
1619
1620	va_start(ap, fmt)__builtin_va_start(ap, fmt);
1621	#ifdef L2TPD_MULTIPLE
1622	snprintf(logbuf, sizeof(logbuf), "l2tpd id=%u ctrl=%u %s",
1623	_this->l2tpd->id, _this->id, fmt);
1624	#else
1625	snprintf(logbuf, sizeof(logbuf), "l2tpd ctrl=%u %s", _this->id, fmt);
1626	#endif
1627	vlog_printf(prio, logbuf, ap);
1628	va_end(ap)__builtin_va_end(ap);
1629	}