Son of OOB part II - answer? (long)

Aleph One (aleph1@DFW.NET)
Sat, 24 May 1997 11:22:39 -0500

---------- Forwarded message ----------
Date: 22 May 97 9:49:09 EDT
From: Ryan Russell/SYBASE <Ryan.Russell@sybase.com>
Reply-To: Ryan@phoenix.iss.net, Russell/SYBASE@phoenix.iss.net
To: ntsecurity <ntsecurity@iss.net>
Subject: [NTSEC] Son of OOB part II - answer? (long)

You have to love the irony of this one:

It turns out that if you apply the registry fix from this
page: http://www.ntsecurity.net/security/oob.htm then
your Win95 client can still crash an NT box.

This answers my own earlier question.

I broke out my sniffer, and it looks like the difference
is in the urgent pointer. The one that will still crash
seems to have an urgent pointer of 2, and the one
that doesn't has an urgent pointer of 3.

Here's what seems to be an explanation of why there
is a difference, from TCP/IP Illustrated Volume 1, Stevens
1994, p. 292-293 (it looks like I may be quoting a quote, but
I can't tell for sure)

"There is continuing debate about whether the urgent pointer
points to the last byte of urgent data, or to the byte following the
last byte of urgent data. The original TCP specification gave
both interpretations but the Host Requirements RFC identifies which
is correct: the urgent pointer points to the last byte of urgent data.

The problem, however, is that most implementations (i.e. the
Berkeley-derived implementations) continue to use the wrong
interpretation. An implementation that follows the specification
in the Host Requirements RFC might be compliant, but might
not communicate correctly with most other hosts."

At least the Win95 designers seem to have allowed for
both possibilities. Anyway, anyone who makes the
following registry entry on their Win95 machine:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
"BSDUrgent"="0"

can still crash NT at will, it seems. The Win95 machine with the
registry entry applied doesn't seem to be affected by either
type of OOB crash.

I've also included the two different packets (I believe I've
included the only pertinent packet out of the sequence)
so that if I've misinterpreted the reason, one can draw their
own conclusions.

These were tested against an NT 3.51 server with
SP5 and the Hotfix installed.

Ryan

Still crashes:
DLC: ----- DLC Header -----
DLC:
DLC: Frame 7 arrived at 08:17:26.6547; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Compaq38E42A
DLC: Source = Station Compaq78C49E
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 43 bytes
IP: Identification = 17152
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 32 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 4B5B (correct)
IP: Source address = [130.214.99.98]
IP: Destination address = [130.214.99.99], netcom_nt.sybase.com
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 1030
TCP: Destination port = 139 (NetBIOS-ssn)
TCP: Sequence number = 97385
TCP: Acknowledgment number = 56167856
TCP: Data offset = 20 bytes
TCP: Flags = 38
TCP: ..1. .... = Urgent pointer
TCP: ...1 .... = Acknowledgment
TCP: .... 1... = Push
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 8760
TCP: Checksum = 877F (correct)
TCP: Urgent pointer = 2
TCP: No TCP options
TCP: [3 byte(s) of data]
TCP:
NETB: ----- NetBIOS Session protocol -----
NETB:
NETB: [3 more bytes of user data]
NETB:

ADDR HEX ASCII
0000 00 80 5F 38 E4 2A 00 80 5F 78 C4 9E 08 00 45 00 .._8.*.._x....E.
0010 00 2B 43 00 40 00 20 06 4B 5B 82 D6 63 62 82 D6 .+C.@. .K[..cb..
0020 63 63 04 06 00 8B 00 01 7C 69 03 59 0D B0 50 38 cc......|i.Y..P8
0030 22 38 87 7F 00 02 42 79 65 00 00 00 "8....Bye...

Doesn't crash any more:
IP: Fragment offset = 0 bytes
IP: Time to live = 32 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 835B (correct)
IP: Source address = [130.214.99.98]
IP: Destination address = [130.214.99.99], netcom_nt.sybase.com
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 1026
TCP: Destination port = 139 (NetBIOS-ssn)
TCP: Sequence number = 69792
TCP: Acknowledgment number = 136447
TCP: Data offset = 20 bytes
TCP: Flags = 38
TCP: ..1. .... = Urgent pointer
TCP: ...1 .... = Acknowledgment
TCP: .... 1... = Push
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 8760
TCP: Checksum = EF53 (correct)
TCP: Urgent pointer = 3
TCP: No TCP options
TCP: [3 byte(s) of data]
TCP:
NETB: ----- NetBIOS Session protocol -----
NETB:
NETB: [3 more bytes of user data]
NETB:

ADDR HEX ASCII
0000 00 80 5F 38 E4 2A 00 80 5F 78 C4 9E 08 00 45 00 .._8.*.._x....E.
0010 00 2B 0B 00 40 00 20 06 83 5B 82 D6 63 62 82 D6 .+..@. ..[..cb..
0020 63 63 04 02 00 8B 00 01 10 A0 00 02 14 FF 50 38 cc............P8
0030 22 38 EF 53 00 03 42 79 65 00 00 00 "8.S..Bye...
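As an added example (not part of Ryan's post or its sniffer output), here is a small Python decoder that parses the two raw frames from the hex dumps above and reports how each reading of the urgent pointer from the Stevens quote (RFC 1122 "last urgent byte" versus the BSD "byte after the last urgent byte") lines up with the 3-byte payload. The NetBIOS-port heuristic at the end is an assumed defender-side check, not something the post describes.

```python
import struct

# Raw frames copied from the two sniffer hex dumps in the post (Ethernet header
# included; the trailing 00 00 00 is Ethernet padding, not TCP payload).
STILL_CRASHES = bytes.fromhex(
    "00805F38E42A00805F78C49E08004500"
    "002B4300400020064B5B82D6636282D6"
    "63630406008B00017C6903590DB05038"
    "2238877F0002427965000000")
NO_LONGER_CRASHES = bytes.fromhex(
    "00805F38E42A00805F78C49E08004500"
    "002B0B0040002006835B82D6636282D6"
    "63630402008B000110A0000214FF5038"
    "2238EF530003427965000000")

URG = 0x20
NETBIOS_SSN = 139  # destination port seen in both dumps

def parse_tcp_frame(frame):
    """Decode Ethernet/IPv4/TCP and return the fields relevant to the OOB analysis."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip_start + 2:ip_start + 4])[0]
    if frame[ip_start + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = ip_start + ihl
    sport, dport, seq, ack, off, flags, win, csum, urgp = struct.unpack(
        "!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    data_start = tcp_start + (off >> 4) * 4
    payload = frame[data_start:ip_start + total_len]  # drop Ethernet padding
    n = len(payload)
    return {
        "sport": sport, "dport": dport, "urg": bool(flags & URG),
        "urgent_pointer": urgp, "payload": payload,
        # RFC 1122 (Host Requirements): pointer is the offset of the LAST urgent byte.
        "rfc1122_urgent_bytes": min(urgp + 1, n),
        "rfc1122_ends_in_segment": urgp < n,
        # BSD-derived stacks: pointer is the offset of the byte AFTER the last urgent byte.
        "bsd_urgent_bytes": min(urgp, n),
        "bsd_ends_in_segment": urgp <= n,
    }

def is_oob_to_netbios(frame):
    """Assumed detection heuristic: URG-flagged segment aimed at the NetBIOS session port."""
    p = parse_tcp_frame(frame)
    return p["urg"] and p["dport"] == NETBIOS_SSN
```

With the post's own data, urgent pointer 2 ends inside the 3-byte payload under both readings, while urgent pointer 3 ends exactly at the payload boundary only under the BSD reading and points past the segment under RFC 1122.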