COMMAND

    TCP/IP

SYSTEMS AFFECTED

    Win NT (with SP3 and recent HFs)

PROBLEM

    NMRC covered the following in their advisory. On Token Ring
    networks, a packet with bad data in the RIF fields will cause all
    Windows NT workstations and servers on the ring to crash with a
    blue screen of death. When a Token Ring frame passes through a
    bridge, the bridge updates the Routing Information Field (RIF)
    with its ID number, among other bits of information (including
    info that limits the size of the data field). This information is
    used to help route traffic back and forth between rings connected
    by bridges.

    On Token Ring, a hop count greater than 7 defined in the RIF
    fields will cause Windows NT's TCP/IP stack to "blue screen",
    forcing the user to reboot. Duplicate Token Ring IDs listed in the
    hops will also "blue screen" NT. The bad news is that the packet
    does not have to be addressed to the NT target to blue screen it.
    It will blue screen every NT workstation or server on the ring.
    The good news is that properly configured and functioning network
    equipment will not pass this type of illegal packet across a hop
    to a different ring, so the Denial of Service will be limited to
    one ring. It is possible that some routers will allow RIF fields
    to have more than 7 hops, but unless they have been configured to
    handle this they will not pass the packet across a hop, as it is
    considered a bad frame. It should be noted that all related RFCs
    clearly state that >7 is a no-no and should not be done.
    Malfunctioning network equipment could cause this to happen, which
    is how the information was originally discovered.
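
    The two conditions above (too many hops, duplicate ring IDs) are
    what a receiver should reject before using a RIF. The following is
    an added example, not code from NMRC or Microsoft. It assumes the
    IEEE 802.5 source-routing layout, which the advisory does not
    spell out: a 5-bit length in the first control byte, then 2-byte
    route designators (12-bit ring number, 4-bit bridge number). All
    names and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RIF_MAX_BYTES 18 /* 2 control bytes + 8 route designators (7 hops) */
enum rif_status { RIF_OK, RIF_TRUNCATED, RIF_BAD_LENGTH,
                  RIF_TOO_MANY_HOPS, RIF_DUPLICATE_RING };

/* Constructed sample RIFs (not captured traffic). */
static const uint8_t rif_good[] = { 0x86, 0x00, 0x00, 0x11, 0x00, 0x20 };
static const uint8_t rif_dup[] = { 0x08, 0, 0x00, 0x11, 0x00, 0x21, 0x00, 0x10 };
static const uint8_t rif_long[20] = { 0x14, 0x00 }; /* claims 20 bytes */
static const uint8_t rif_odd[] = { 0x05, 0x00, 0x00, 0x11, 0x00 };

/* Validate the RIF that follows the source address of a source-routed
 * frame. buf/avail is what was actually received; nothing past avail
 * is read, and no field is used before it is range-checked. */
enum rif_status rif_validate(const uint8_t *buf, size_t avail)
{
    uint16_t rings[(RIF_MAX_BYTES - 2) / 2];
    size_t len, n, i, j;
    if (avail < 2)
        return RIF_TRUNCATED;
    len = buf[0] & 0x1F;          /* top 3 bits are broadcast flags */
    if (len < 2 || (len & 1))
        return RIF_BAD_LENGTH;    /* control field plus 2-byte entries */
    if (len > RIF_MAX_BYTES)
        return RIF_TOO_MANY_HOPS; /* the >7 hop case from the advisory */
    if (len > avail)
        return RIF_TRUNCATED;
    n = (len - 2) / 2;
    for (i = 0; i < n; i++) {
        /* 12-bit ring number, then 4-bit bridge number */
        rings[i] = (uint16_t)((buf[2 + 2 * i] << 4) | (buf[3 + 2 * i] >> 4));
        for (j = 0; j < i; j++)
            if (rings[j] == rings[i])
                return RIF_DUPLICATE_RING; /* route revisits a ring */
    }
    return RIF_OK;
}

int main(void)
{
    printf("good=%d dup=%d long=%d odd=%d\n",
           (int)rif_validate(rif_good, sizeof rif_good), (int)rif_validate(rif_dup, sizeof rif_dup),
           (int)rif_validate(rif_long, sizeof rif_long), (int)rif_validate(rif_odd, sizeof rif_odd));
    return 0;
}
```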

SOLUTION

    BSODs due to more than 18 bytes of Source Routing data were fixed
    by Teardrop2-fix.  See

        http://support.microsoft.com/support/kb/articles/q179/1/57.asp