Guest

Cisco Catalyst 6000 Series Switches

Field Notice: *Expired* FN - 16811 - Cisco Catalyst 6000 NAM: RMON Daemon May Crash When Encountering Rare SMB NT-Transaction-secondary Packets or Malformed netbios-dgm Names


Revised December 20, 2007

January 16, 2002

NOTICE:

THIS FIELD NOTICE HAS BEEN EXPIRED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product

Comments

WS-X6380-NAM

Running software release 1.2(1)

Problem Description

The Remote Monitor (RMON) daemon can crash when it encounters some rare SMB packets. Malformed netbios-dgm names can also crash the RMON daemon. These issues have been detailed in the DDTS section of this document.

Background

Handling of SMB NT-Transaction-secondary packets was not implemented properly. There are no children for this protocol, as defined in pdparse.txt, but the decode algorithm tried to decode them like SMB NT-Transaction packets and parse the children. The children array was empty, so the decode algorithm fetched a NULL pointer and tried to dereference it.

Parsing is now stopped for SMB NT-transaction-secondary packets at this level, and the parser does not look for children. The decoding of NETBIOS names for NETBIOS datagram packets has also been improved to allow for:

  • Better error check

  • No reassembling of the name string

  • Disabling of the decode of child protocols of SMB (the SMB verbs)

Problem Symptoms

The RMON daemon can crash when it encounters rare SMB NT-Transaction-secondary packets (w-ether2.ip.tcp.mbt-session.smb.s-nt). This causes the network analysis module (NAM) to stop responding to SNMP traffic. However, the NAM is still reachable through Telnet and the session command from the Supervisor Engine. The RMON daemon can also crash in some cases when it decodes NETBIOS datagram (ip.udp.nbt-dadta, UDP port 138) or NETBIOS name (ip.udp.nbt-name, UDP port 137) packets with malformed names. In some cases, these malformed names cause stack corruption. The malformed names are usually caused by corrupted packets. This causes the NAM to stop responding to SNMP traffic. However, the NAM is still reachable through Telnet and the session command from the Supervisor Engine.

Workaround/Solution

In the unlikely event that either of these DDTS issues is encountered, a reboot clears the problem until the solution can be implemented.

The solution for this issue is to upgrade the NAM software to release 1.2(2) (c6nam.1-2-2.bin.gz) or to release 2.1(1a) (c6nam.2-1-1a.bin.gz).

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS

Description

CSCdv35259

6KNAM: Crash when it sees some rare SMB packets.

CSCdv54214

Malformed netbios-dgm names can crash rmond.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.