Subject: kern/9927: ne network driver hangs at broadcast flood (DoS attack possible)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itohy@netbsd.org>
List: netbsd-bugs
Date: 04/18/2000 15:55:11
>Number:         9927
>Category:       kern
>Synopsis:       ne network driver hangs at broadcast flood (DoS attack possible)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 18 15:56:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     ITOH Yasufumi
>Release:        1.4X (March 28, 2000)
>Organization:
	
>Environment:
System: NetBSD pino.my.domain 1.4X NetBSD 1.4X (PINO) #198: Tue Mar 28 23:58:32 JST 2000 itohy@pino.my.domain:/usr/src/sys/arch/i386/compile/PINO i386

NetBSD 1.4X (PINO) #198: Tue Mar 28 23:58:32 JST 2000
    itohy@pino.my.domain:/usr/src/sys/arch/i386/compile/PINO
cpu0: family 5 model 8 step 1
cpu0: Intel Pentium/MMX (Tillamook) (586-class)
total memory = 65216 KB
avail memory = 57972 KB
using 840 buffers containing 3360 KB of memory
	:
cbb0 at pci0 dev 19 function 0: Toshiba America Info Systems ToPIC95B CardBus-PCI Bridge (rev. 0x07)
cbb1 at pci0 dev 19 function 1: Toshiba America Info Systems ToPIC95B CardBus-PCI Bridge (rev. 0x07)
cbb0: interrupting at irq 11
cbb0: cacheline 0x0 lattimer 0x0
cbb0: bhlc 0x820000 lscp 0x141400
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 20 device 0 cacheline 0x0, lattimer 0x0
pcmcia0 at cardslot0
cbb1: interrupting at irq 11
cbb1: cacheline 0x0 lattimer 0x0
cbb1: bhlc 0x820000 lscp 0x151500
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 21 device 0 cacheline 0x0, lattimer 0x0
pcmcia1 at cardslot1
	:
pcmcia1: CIS version PCMCIA 2.0 or 2.1
pcmcia1: CIS info: ACCTON, EN2216-PCMCIA-ETHERNET, EN2216, R02
pcmcia1: Manufacturer code 0x1bf, product 0x2216
pcmcia1: function 0: network adapter, ccr addr 3f8 mask 3
pcmcia1: function 0, config table entry 32: I/O card; irq mask ffff; iomask a, iospace 300-31f; mwait_required io16 irqlevel
pcmcia1: function 0, config table entry 33: I/O card; irq mask ffff; iomask a, iospace 320-33f; mwait_required io16 irqlevel
pcmcia1: function 0, config table entry 34: I/O card; irq mask ffff; iomask a, iospace 340-35f; mwait_required io16 irqlevel
pcmcia1: function 0, config table entry 35: I/O card; irq mask ffff; iomask a, iospace 360-37f; mwait_required io16 irqlevel
ne0 at pcmcia1 function 0
ne0: I-O DATA PCLA/TE Ethernet

>Description:
	If the Ethernet is too busy, the ne driver may hang.

Apr 18 00:49:00 pino /netbsd: ne0: warning - receiver ring buffer overrun
Apr 18 00:49:29 pino last message repeated 7 times
Apr 18 00:51:05 pino last message repeated 10 times
Apr 18 00:52:32 pino last message repeated 37 times
	(The system hung)
	...
	(Removed the card --- system responded again)
Apr 18 01:16:45 pino /netbsd: ne0: length does not match next packet pointer
Apr 18 01:16:45 pino /netbsd: ne0: len f745 nlen 4345 start 4c first 78 curr 48 next bc stop 80
Apr 18 01:16:45 pino /netbsd: ne0: NIC memory corrupt - invalid packet length 17221
Apr 18 01:16:45 pino /netbsd: ne0 detached

>How-To-Repeat:
	Use ne on an excessively busy Ethernet (full of broadcasts).

>Fix:
	Unknown.  Possibly,
	 1. find and correct race conditions if any,
	 2. fix problem (if any) in discarding received packets, or
	 3. implement timeouts for expected interrupts.

>Release-Note:
>Audit-Trail:
>Unformatted:
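
Added example, not part of the original report or of the NetBSD driver: a Python triage script run over the log lines quoted in the Description. It assumes that `start`/`stop` bound the receive ring in 256-byte pages and that `first`, `curr` and `next` are page pointers that should fall inside it; the function names are hypothetical.

```python
import re

# Log lines copied from the Description of this report.
SAMPLE_LOG = """\
Apr 18 00:49:00 pino /netbsd: ne0: warning - receiver ring buffer overrun
Apr 18 00:49:29 pino last message repeated 7 times
Apr 18 00:51:05 pino last message repeated 10 times
Apr 18 00:52:32 pino last message repeated 37 times
Apr 18 01:16:45 pino /netbsd: ne0: length does not match next packet pointer
Apr 18 01:16:45 pino /netbsd: ne0: len f745 nlen 4345 start 4c first 78 curr 48 next bc stop 80
Apr 18 01:16:45 pino /netbsd: ne0: NIC memory corrupt - invalid packet length 17221
"""

PAGE_SIZE = 256  # assumption: ring pointers count 256-byte pages
FIELDS = ("len", "nlen", "start", "first", "curr", "next", "stop")
REPEAT = re.compile(r"last message repeated (\d+) times")
RING = re.compile(" ".join(rf"{f} ([0-9a-f]+)" for f in FIELDS))

def count_overruns(log):
    """Count overrun warnings, expanding syslog 'last message repeated N times'."""
    total, prev_was_overrun = 0, False
    for line in log.splitlines():
        m = REPEAT.search(line)
        if m:
            # A repeat line stands for N more copies of the previous message.
            if prev_was_overrun:
                total += int(m.group(1))
            continue
        prev_was_overrun = "receiver ring buffer overrun" in line
        if prev_was_overrun:
            total += 1
    return total

def check_ring_line(log):
    """Parse the driver's ring dump and list the sanity checks it fails."""
    m = RING.search(log)
    if m is None:
        return None
    v = dict(zip(FIELDS, (int(x, 16) for x in m.groups())))
    problems = [f"{k} outside ring" for k in ("first", "curr", "next")
                if not v["start"] <= v[k] < v["stop"]]
    if v["nlen"] > (v["stop"] - v["start"]) * PAGE_SIZE:
        problems.append("nlen exceeds ring size")
    return v, problems

if __name__ == "__main__":
    print(count_overruns(SAMPLE_LOG), check_ring_line(SAMPLE_LOG)[1])
```

On the quoted log the hex `nlen 4345` equals the decimal 17221 in the "invalid packet length" message, which is larger than the whole ring (`stop - start` = 0x34 pages).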