From 5cb916555623b1d2e8a4ab389484a696a2e69d7a Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Wed, 21 Sep 2016 08:28:18 +0000
Subject: [PATCH] Fix the handling of unordered fragmented user messages using
 DATA chunks.

There were two bugs:
* There was an accounting bug resulting in reporting a too small a_rwnd.
* There are a bug when abandoning messages in the reassembly queue.

MFC after:	4 weeks
---
 sys/netinet/sctp_indata.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c
index 40112530f4fc..cfdcfe7d0ffb 100644
--- a/sys/netinet/sctp_indata.c
+++ b/sys/netinet/sctp_indata.c
@@ -809,6 +809,8 @@ sctp_handle_old_unordered_data(struct sctp_tcb *stcb,
 					tchk = TAILQ_FIRST(&control->reasm);
 					if (tchk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
 						TAILQ_REMOVE(&control->reasm, tchk, sctp_next);
+						asoc->size_on_reasm_queue -= tchk->send_size;
+						sctp_ucount_decr(asoc->cnt_on_reasm_queue);
 						nc->first_frag_seen = 1;
 						nc->fsn_included = tchk->rec.data.fsn_num;
 						nc->data = tchk->data;
@@ -5322,6 +5324,9 @@ sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb,
 		/* Not found */
 		return;
 	}
+	if (old && !ordered && SCTP_TSN_GT(control->fsn_included, cumtsn)) {
+		return;
+	}
 	TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
 		/* Purge hanging chunks */
 		if (old && (ordered == 0)) {