Microsoft KB Archive/827661

= Windows Server 2003 SP1 includes a new feature to prevent the use of uninitialized data to pad short Ethernet packets =

Article ID: 827661

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

-



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
This article discusses a new security-related feature that is included in Windows Server 2003 Service Pack 1 (SP1). This feature helps to prevent uninitialized data from being used to pad packets that are transmitted from the local computer through an Ethernet network.



MORE INFORMATION
The Institute of Electrical and Electronics Engineers (IEEE) 802.3 Ethernet standard requires that Ethernet frames that are transmitted through an Ethernet network have a minimum size of 64 bytes. The minimum 64-byte frame is made up of 14 bytes of header information, 46 bytes of payload data, and 4 bytes of frame check sequence (FCS) data. Sometimes, higher-level protocols send less than 46 bytes of payload data, which would result in an Ethernet frame that is smaller than 64 bytes. When an Ethernet frame is smaller than 64 bytes, the network adapter or the miniport driver must add data to the frame to increase its size to 64 bytes. This addition of data is also called "padding the packet." Sometimes, the data that is used to pad a packet is taken from an uninitialized memory location, and it may include data from a previous packet or the contents of an arbitrary memory location on the computer. The use of such data may cause the unintentional transmission of sensitive information on the local network. The type of data that is used to pad a packet depends on the device driver implementation for the network adapter in the computer, but it may include one or more of the following types of data:
 * Data that is stored in dynamic kernel memory
 * Data that is located in the static memory that is allocated to the network adapter driver
 * Data that is stored in a hardware buffer on the network adapter device

A malicious user on the local network link might send many Internet Control Message Protocol (ICMP) packets to a computer, small enough that the replies must be padded, and then capture the returned reply packets to view the data that was used to pad them.

Note This issue occurs only on the local network link that the computer is connected to. When the packet passes through a router or through a switch, the padding contents are not preserved.

Important Although Microsoft has determined that a malicious user may use this method to capture sensitive data from the local network, Microsoft currently has no reported cases of this method being used to capture sensitive data.
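The following Python is an added example; it is not part of this article and is not Microsoft's NDISTest. It builds two constructed ICMP echo reply frames, one padded with zeros and one padded from stale memory, then applies the receiving-side check a practitioner wants when auditing a driver or a capture: for every short IPv4 frame, locate the bytes that follow the IP datagram and report any that are not zero. The MAC and IP addresses and the "stale memory" string are made up; the parser assumes IPv4 frames captured without the FCS unless told otherwise.

```python
"""Detect non-zero padding in short Ethernet frames (constructed samples).

Added example for KB 827661; not Microsoft's code. The frames are built here
rather than captured, and the addresses and "stale memory" are made up.
"""
import struct
from typing import Dict, List, Optional

ETH_HDR_LEN = 14
FCS_LEN = 4
MIN_FRAME_LEN = 64                                   # IEEE 802.3 minimum, FCS included
MIN_PAYLOAD = MIN_FRAME_LEN - ETH_HDR_LEN - FCS_LEN  # 46 bytes
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used so the sample frames are well formed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_reply(data: bytes, pad_source: bytes) -> bytes:
    """Build an Ethernet/IPv4/ICMP echo reply and pad it to MIN_PAYLOAD the way
    a NIC or miniport driver would, taking padding from pad_source: zeros for a
    correct driver, stale memory for a leaky one. No FCS is appended, matching
    what a packet capture on the receiving host normally shows."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1) + data  # type 0 = echo reply
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))  # constructed addresses
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    payload = ip + icmp
    pad_len = max(0, MIN_PAYLOAD - len(payload))
    return eth + payload + pad_source[:pad_len].ljust(pad_len, b"\x00")


def padding_of(frame: bytes, has_fcs: bool = False) -> Optional[bytes]:
    """Return the bytes that follow the IPv4 datagram, i.e. the padding. b"" means
    the frame needed none; None means it could not be parsed (non-IPv4,
    truncated, or an IP total length that overruns the frame)."""
    end = len(frame) - FCS_LEN if has_fcs else len(frame)
    if end < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    if total_len < 20 or ETH_HDR_LEN + total_len > end:
        return None
    return frame[ETH_HDR_LEN + total_len:end]


def padding_is_zero(frame: bytes, has_fcs: bool = False) -> bool:
    """The criterion a short frame must meet: every padding byte is zero."""
    pad = padding_of(frame, has_fcs)
    return pad is not None and not any(pad)


def audit(frames: List[bytes], has_fcs: bool = False) -> List[Dict]:
    """Classify each frame; 'leak_text' renders printable padding bytes, which is
    what a sniffer on the same link would see."""
    report = []
    for i, frame in enumerate(frames):
        pad = padding_of(frame, has_fcs)
        if pad is None:
            status = "unparsed"
        elif not pad:
            status = "not padded"
        elif not any(pad):
            status = "zero padding"
        else:
            status = "NON-ZERO PADDING"
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in (pad or b""))
        report.append({"frame": i, "status": status, "padding": pad, "leak_text": text})
    return report


# Constructed samples: a correct driver zero-fills; a leaky one reuses stale memory.
STALE_MEMORY = b"Pwd=hunter2;Session=ab12cd34"  # stands in for leftover kernel data
CLEAN_FRAME = build_icmp_echo_reply(b"ping", b"")
LEAKY_FRAME = build_icmp_echo_reply(b"ping", STALE_MEMORY)

if __name__ == "__main__":
    for rec in audit([CLEAN_FRAME, LEAKY_FRAME]):
        print(rec["frame"], rec["status"], repr(rec["leak_text"]))
```

The same `audit` function can be run over frames read from a capture file; the only parsing assumption is the IPv4 total length field, which is what tells the padding apart from the real payload. Frames that a capture tool delivers with the FCS attached are handled with `has_fcs=True`.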

Microsoft has taken the following steps to address this issue:
 * Microsoft has created a new test in the Network Driver Interface Specification (NDIS) test tool (NDISTest). This test determines whether the extra padding that is added to a short Ethernet frame is set to zero. Network adapter drivers that fail this test may transmit sensitive information to other computers that are on the same Ethernet network link. Microsoft recommends this test for Windows Server 2003 drivers that are in the Windows Logo program, requires it for Windows Server 2003 SP1-and-later drivers that are in the Windows Logo program, and also requires it for drivers that are in all builds of the next Windows release.
 * Microsoft has added a new option to NDIS that correctly pads (zero-fills) short Ethernet packets before they are passed to the underlying miniport driver. This option prevents the scenario in which the miniport driver or the network adapter has to pad the packet. By default, this option is turned off. When you turn on this option, you may experience a performance degradation of about 1 to 2 percent in overall operating system performance.

To turn on this option, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

 1. Click Start, click Run, type regedit, and then click OK.
 2. Click the following registry subkey:

 3. Right-click Parameters, point to New, and then click DWORD Value.
 4. Name the value PadShortPacket.
 5. Right-click PadShortPacket, and then click Modify.
 6. In the Value data box, type 1 (one), and then click OK.
 7. Quit Registry Editor, and then restart the computer.

Keywords: kbhowto kbinfo kbwinservnetwork KB827661

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.