Access Violation in SNASERVR!SNPUGETI if Invalid Frame Received

ID: Q197903


The information in this article applies to:


SYMPTOMS

The SNA Server service (Snaservr.exe) may fail unexpectedly with an access violation in function snpugeti. This failure may occur when receiving an invalid RU (Request Unit) from a mainframe.

If Drwtsn32.exe is configured as the default debugger on the SNA Server system, the Drwtsn32.log file may contain an entry similar to the following when this access violation occurs:


   Application exception occurred:
   App: snaservr.exe (pid=<process ID #>)
   When: <date> @ <time>
   Exception number: c0000005 (access violation)
   [...] 



   function: snpugeti
           0100a43a 8d4e04   lea     ecx,[esi+0x4]           ds:0131ea06=????????
           0100a43d 2bea     sub     ebp,edx
           0100a43f 0fbfd7   movsx   edx,di
           0100a442 3bd5     cmp     edx,ebp
           0100a444 7e27     jle     snpugeti+0x4d (0100a46d)
           0100a446 85f6     test    esi,esi
           0100a448 7427     jz      snpugeti+0x51 (0100a471)
           0100a44a 668b09   mov     cx,[ecx]                ds:019efffe=0000
           0100a44d 8b36     mov     esi,[esi]               ds:00000000=????????
           0100a44f 662b08   sub     cx,[eax]                ds:019ec78a=000c
   FAULT ->0100a452 0fbf5606 movsx   edx,word ptr [esi+0x6]  ds:0131ea07=????
           0100a456 0fbf6e04 movsx   ebp,word ptr [esi+0x4]  ds:0131ea07=????
           0100a45a 8d7c0fff lea     edi,[edi+ecx-0x1]       ds:02d0ea05=????????
           0100a45e 8d4606   lea     eax,[esi+0x6]           ds:0131ea06=????????
           0100a461 8d4e04   lea     ecx,[esi+0x4]           ds:0131ea06=????????
           0100a464 2bd5     sub     edx,ebp
           0100a466 0fbfef   movsx   ebp,di
           0100a469 3bea     cmp     ebp,edx
           0100a46b 7fd9     jg      snpugeti+0x26 (0100a446)
           0100a46d 85f6     test    esi,esi
           0100a46f 750f     jnz     snpugeti+0x60 (0100a480)
           0100a471 53       push    ebx



   *----> Stack Back Trace <----* 



   FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
   00000002 00000000 00000000 00000000 00000000 00000000 snaservr!snpugeti
   (FPO: [EBP 0x00000000] [2,0,4])
   00000012 00000000 00000000 00000000 00000000 00000000 snaservr!<nosymbols>


In addition, an event similar to the following will be logged in the Windows NT Application Event Log:


   Event ID: 624
   Source: SNA Server
   Description: Creating dump file C:\SNA\traces\snadump.log for
   SNASERVR.EXE 


NOTE: An access violation very similar to the one described here can also occur when using the PU Passthrough feature in SNA Server 4.0.


CAUSE

The access violation is caused when SNA Server receives an invalid RU from the mainframe. In this case, the invalid RU was sent by the mainframe to indicate a negative response (-RSP) to an RU it had previously received on a particular LU-LU (Logical Unit) session. The RU indicated that it included Sense Data (SD) because the SD flag was set in its Response Header (RH). The RU was invalid because it did not contain the 4 bytes of sense data that must be present when the SD flag is set.

When the SNA Server service receives this data, it attempts to extract the sense data from the host response so that it can include it in a Function Management Interface (FMI) Status Acknowledgement sent to the client emulator to report the detected error. The access violation occurs because the message is too short: it contains only 9 bytes of data (6 bytes for the Transmission Header plus 3 bytes for the RH) when it should be 13 bytes long. Because the SD flag is set, the SNA Server service reads the 4 sense-data bytes it expects to follow the RH, but those bytes are not there, so the read goes beyond the end of the actual message. This attempt to access memory beyond the end of the message is what results in the access violation, and the access violation causes the SNA Server service to terminate.


RESOLUTION

This problem was resolved by applying IBM APAR #OW36556 to VTAM Version 4.4.1.


STATUS

Microsoft has confirmed this to be a problem in SNA Server versions 3.0, 3.0 Service Pack 1, 3.0 Service Pack 2, 3.0 Service Pack 3, 4.0, and 4.0 Service Pack 1. This problem was first corrected in SNA Server 3.0 Service Pack 4.


MORE INFORMATION

The following is one of the invalid RUs that can cause the access violation described in this article, as shown in an SNA Server Data Link Control message trace:


   ----------------------------------------------- 08:52:26.0440
   04160009->01021301 DLC DATA 
   DAF:52 OAF:01 ODAI:off Normal -RSP FMD SD BC EC DR1



   ---- Header  at address 01456E24, 1 elements ----
   00000000 00032C00 52010001 01006100     <......,.R.....a.> 



   ---- Element at address 01955688, start 10, end 12 ----
   879000                                  <g..             > 


This is an RU from the mainframe that indicates a -RSP (negative response). The RH in this case indicates that the RU contains Sense Data, as shown by the SD flag in the trace line above. An RU that contains sense data must include 4 bytes of data that specify the actual sense code, as defined by IBM's SNA protocol. The sense data is used to determine exactly what error condition was detected in the preceding SNA data flow.

In this case, the RU is invalid because it does not contain the 4 bytes of sense data. The only data contained in this RU is the TH (Transmission Header), which appears in the Header portion of the trace message shown above, and the RH. Here the TH is 0x'2C0052010001' and the RH is 0x'879000'. A valid frame with sense data includes 4 additional bytes for the sense code after the RH.
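The CAUSE section describes a read past the end of a 9-byte message, and the trace above gives the exact bytes. The following C program is an added example written for this article; it is not SNA Server code and does not reproduce its internal data structures. It parses the frame layout the article describes (6-byte TH, 3-byte RH, then 4 bytes of sense data only when the RH's SD bit is set) and shows the length check that has to precede the sense-data read. The bit positions for RRI, SD and RTI follow the SNA RH definition; the byte arrays are the 9-byte frame from the trace and a constructed 13-byte counterpart whose sense code value is a sample chosen for the example.

```c
/* Added example (not SNA Server source): length-checked extraction of the
 * 4-byte sense code from a FID2 negative response.
 * Layout assumed from the article: 6-byte TH, 3-byte RH, then, only when
 * the RH's SD bit is set, 4 bytes of sense data (13 bytes in total). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SNA_TH_LEN     6
#define SNA_RH_LEN     3
#define SNA_SENSE_LEN  4

/* RH byte 0 bits (SNA request/response header). */
#define RH0_RRI  0x80   /* 1 = response, 0 = request */
#define RH0_SD   0x04   /* sense data included */
/* RH byte 1 bit. */
#define RH1_RTI  0x10   /* 1 = negative response (-RSP) */

enum sna_parse_status {
    SNA_OK_SENSE = 0,         /* response carried sense data; extracted */
    SNA_OK_NO_SENSE,          /* response carries no sense data */
    SNA_ERR_SHORT_HEADER,     /* fewer than TH + RH bytes present */
    SNA_ERR_NOT_RESPONSE,     /* RRI bit clear: this is a request */
    SNA_ERR_TRUNCATED_SENSE   /* SD set but the 4 sense bytes are missing */
};

/* Parses msg and, when SD is set and the bytes are present, stores the
 * sense code in *sense (may be NULL).  The second length check is the
 * point of the example: without it a 9-byte message makes the parser
 * read 4 bytes beyond the end of the buffer, which is the out-of-bounds
 * access the article's crash describes. */
enum sna_parse_status
sna_extract_sense(const uint8_t *msg, size_t len, uint32_t *sense)
{
    if (len < SNA_TH_LEN + SNA_RH_LEN)
        return SNA_ERR_SHORT_HEADER;

    const uint8_t *rh = msg + SNA_TH_LEN;
    if (!(rh[0] & RH0_RRI))
        return SNA_ERR_NOT_RESPONSE;
    if (!(rh[0] & RH0_SD))
        return SNA_OK_NO_SENSE;

    /* SD is set: the RH promises 4 more bytes.  Verify they exist before
     * touching them rather than trusting the flag. */
    if (len < SNA_TH_LEN + SNA_RH_LEN + SNA_SENSE_LEN)
        return SNA_ERR_TRUNCATED_SENSE;

    const uint8_t *sd = rh + SNA_RH_LEN;
    if (sense)
        *sense = ((uint32_t)sd[0] << 24) | ((uint32_t)sd[1] << 16) |
                 ((uint32_t)sd[2] << 8)  |  (uint32_t)sd[3];
    return SNA_OK_SENSE;
}

/* Convenience wrapper: sense code, or 0 when none could be extracted. */
uint32_t sna_sense_code(const uint8_t *msg, size_t len)
{
    uint32_t sense = 0;
    return sna_extract_sense(msg, len, &sense) == SNA_OK_SENSE ? sense : 0;
}

/* Negative response (RTI set)?  Requires a complete RH. */
int sna_is_negative_response(const uint8_t *msg, size_t len)
{
    return len >= SNA_TH_LEN + SNA_RH_LEN &&
           (msg[SNA_TH_LEN + 1] & RH1_RTI) != 0;
}

/* The 9-byte frame from the article's trace: TH 2C0052010001, RH 879000. */
const uint8_t SNA_FRAME_INVALID[] = {
    0x2C, 0x00, 0x52, 0x01, 0x00, 0x01,   /* TH (FID2) */
    0x87, 0x90, 0x00                      /* RH: -RSP FMD SD BC EC DR1 */
};

/* Constructed well-formed counterpart: same TH and RH followed by a
 * constructed sample sense code (value chosen for this example only). */
const uint8_t SNA_FRAME_VALID[] = {
    0x2C, 0x00, 0x52, 0x01, 0x00, 0x01,
    0x87, 0x90, 0x00,
    0x08, 0x01, 0x00, 0x00                /* 4 bytes of sense data */
};

int main(void)
{
    uint32_t sense = 0;
    enum sna_parse_status st;

    st = sna_extract_sense(SNA_FRAME_INVALID, sizeof SNA_FRAME_INVALID, &sense);
    printf("9-byte frame:  status %d (SNA_ERR_TRUNCATED_SENSE is %d)\n",
           (int)st, (int)SNA_ERR_TRUNCATED_SENSE);

    st = sna_extract_sense(SNA_FRAME_VALID, sizeof SNA_FRAME_VALID, &sense);
    printf("13-byte frame: status %d, sense code %08X\n", (int)st, sense);
    return 0;
}
```

Run as is, the program reports `SNA_ERR_TRUNCATED_SENSE` for the 9-byte frame from the trace and returns the sense code for the 13-byte frame. The design choice to note is that the parser treats the SD flag as a claim to be verified against the received length, not as proof that the bytes follow; a receiver that instead rejects the RU (or logs it and drops the session) rather than terminating is the behaviour the article's fix restores.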

Please refer to the IBM SNA Formats Guide (GA27-3136) for more details on the format of various SNA RUs.

Version           : WINDOWS:3.0,3.0SP1,3.0SP2,3.0SP3,4.0,4.0SP1
Platform          : WINDOWS 
Issue type        : kbbug 

Last Reviewed: May 26, 1999