NetBSD Problem Report #9927

Received: (qmail 16067 invoked from network); 18 Apr 2000 22:55:48 -0000
Message-Id: <200004181347.WAA10140@icnmp9.icg.tnr.sharp.co.jp>
Date: Tue, 18 Apr 2000 22:47:05 +0900 (JST)
From: itohy@netbsd.org
Reply-To: itohy@netbsd.org
To: gnats-bugs@gnats.netbsd.org
Subject: ne network driver hangs at broadcast flood (DoS attack possible)
X-Send-Pr-Version: 3.95

>Number:         9927
>Category:       kern
>Synopsis:       ne network driver hangs at broadcast flood (DoS attack possible)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 18 22:56:00 +0000 2000
>Closed-Date:    
>Last-Modified:  
>Originator:     ITOH Yasufumi
>Release:        1.4X (March 28, 2000)
>Organization:

>Environment:
System: NetBSD pino.my.domain 1.4X NetBSD 1.4X (PINO) #198: Tue Mar 28 23:58:32 JST 2000 itohy@pino.my.domain:/usr/src/sys/arch/i386/compile/PINO i386

NetBSD 1.4X (PINO) #198: Tue Mar 28 23:58:32 JST 2000
    itohy@pino.my.domain:/usr/src/sys/arch/i386/compile/PINO
cpu0: family 5 model 8 step 1
cpu0: Intel Pentium/MMX (Tillamook) (586-class)
total memory = 65216 KB
avail memory = 57972 KB
using 840 buffers containing 3360 KB of memory
	:
cbb0 at pci0 dev 19 function 0: Toshiba America Info Systems ToPIC95B CardBus-PCI Bridge (rev. 0x07)
cbb1 at pci0 dev 19 function 1: Toshiba America Info Systems ToPIC95B CardBus-PCI Bridge (rev. 0x07)
cbb0: interrupting at irq 11
cbb0: cacheline 0x0 lattimer 0x0
cbb0: bhlc 0x820000 lscp 0x141400
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 20 device 0 cacheline 0x0, lattimer 0x0
pcmcia0 at cardslot0
cbb1: interrupting at irq 11
cbb1: cacheline 0x0 lattimer 0x0
cbb1: bhlc 0x820000 lscp 0x151500
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 21 device 0 cacheline 0x0, lattimer 0x0
pcmcia1 at cardslot1
	:
pcmcia1: CIS version PCMCIA 2.0 or 2.1
pcmcia1: CIS info: ACCTON, EN2216-PCMCIA-ETHERNET, EN2216, R02
pcmcia1: Manufacturer code 0x1bf, product 0x2216
pcmcia1: function 0: network adapter, ccr addr 3f8 mask 3
pcmcia1: function 0, config table entry 32: I/O card; irq mask ffff; iomask a, iospace 300-31f; mwait_required io16 irqlevel
pcmcia1: function 0, config table entry 33: I/O card; irq mask ffff; iomask a, iospace 320-33f; mwait_required io16 irqlevel
pcmcia1: function 0, config table entry 34: I/O card; irq mask ffff; iomask a, iospace 340-35f; mwait_required io16 irqlevel
pcmcia1: function 0, config table entry 35: I/O card; irq mask ffff; iomask a, iospace 360-37f; mwait_required io16 irqlevel
ne0 at pcmcia1 function 0
ne0: I-O DATA PCLA/TE Ethernet

>Description:
	If the Ethernet is too busy, the ne driver may hang.

Apr 18 00:49:00 pino /netbsd: ne0: warning - receiver ring buffer overrun
Apr 18 00:49:29 pino last message repeated 7 times
Apr 18 00:51:05 pino last message repeated 10 times
Apr 18 00:52:32 pino last message repeated 37 times
	(The system haug)
	...
	(Removed the card --- system responded again)
Apr 18 01:16:45 pino /netbsd: ne0: length does not match next packet pointer
Apr 18 01:16:45 pino /netbsd: ne0: len f745 nlen 4345 start 4c first 78 curr 48 next bc stop 80
Apr 18 01:16:45 pino /netbsd: ne0: NIC memory corrupt - invalid packet length 17221
Apr 18 01:16:45 pino /netbsd: ne0 detached

>How-To-Repeat:
	Use ne at a excessively busy Ethernet (full of broadcasts).

>Fix:
	Unknown.  Possibly,
	 1. find and correct race conditions if any,
	 2. fix problem (if any) in discarding received packets, or
	 3. implement timeouts for expected interrupts.

>Release-Note:
>Audit-Trail:
>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.