SNA Server Access Violation in Function Sapascp()

ID: Q172634


The information in this article applies to:
  • Microsoft SNA Server, versions 2.0, 2.1, 2.11 SP1, 3.0, 3.0 SP1


SYMPTOMS

SNA Server may encounter an access violation in SnaServer.exe if a 3270 emulator sends it an invalid OPEN SSCP request with no element data. This will cause the following entry to be logged in the Windows NT application event log:

Event: 624
Source: SNA Server
Description: Creating dump file C:\SNA\traces\snadump.log for
Snaservr.exe
Also, an <Ntroot>\Drwtsn32.log entry may be created, indicating the following failure:
Application exception occurred:
App: snaservr.DBG (pid=<process ID>)
When: <date and time>
Exception number: c0000005 (access violation)


CAUSE

The SNA Server service is not properly handling an invalid OPEN SSCP request from a third-party 3270 emulator. This problem can occur if the OPEN SSCP request contains no element data. The 3270 Emulator Interface Specification included in softcopy form on the SNA Server CD-ROM describes the proper format of the OPEN SSCP request.


STATUS

Microsoft has confirmed this to be a problem in SNA Server versions 2.0 and 2.1. We are currently researching this issue and will post more information here in the Microsoft Knowledge Base as it becomes available.

Microsoft has confirmed this to be a problem in SNA Server version 2.11. A supported fix for SNA Server 2.11 SP2 is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information. Microsoft has confirmed this to be a problem in SNA Server versions 3.0 and 3.0 Service Pack 1 (SP1). This problem was corrected in the latest SNA Server version 3.0 U.S. Service Pack. For information on obtaining this Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

S E R V P A C K


MORE INFORMATION

State Dump for Thread Id <thread ID>


   eax=00000000 ebx=00000000 ecx=014677f6 edx=014677f6 esi=01460000
   edi=00000000
   eip=0030a3fc esp=0125fef0 ebp=014677e4 iopl=0         nv up ei pl zr na
   po
   nc
   cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
   efl=00000246

   function: sapascp
        0030a3da 33ff             xor     edi,edi
        0030a3dc 66897c2416       mov     [esp+0x16],di
   ss:0256e8f8=????
        0030a3e1 8b4c2448         mov     ecx,[esp+0x48]
   ss:0256e8f7=????????
        0030a3e5 668939           mov     [ecx],di
   ds:014677f6=0101
        0030a3e8 8b442444         mov     eax,[esp+0x44]
   ss:0256e8f7=????????
        0030a3ec 8b28             mov     ebp,[eax]
   ds:00000000=????????
        0030a3ee 8d4d12           lea     ecx,[ebp+0x12]
   ss:027761ea=????????
        0030a3f1 8b4504           mov     eax,[ebp+0x4]
   ss:027761ea=????????
        0030a3f4 894c2420         mov     [esp+0x20],ecx
   ss:0256e8f7=????????
        0030a3f8 8944241c         mov     [esp+0x1c],eax
   ss:0256e8f7=????????
   FAULT ->0030a3fc 0fbf5004         movsx   edx,word ptr [eax+0x4]
   ds:0130ea07=e2f2
        0030a400 0fbf4006         movsx   eax,word ptr [eax+0x6]
   ds:0130ea07=e2f2
        0030a404 2bc2             sub     eax,edx
        0030a406 83f822           cmp     eax,0x22
        0030a409 7c1c             jl      sapascp+0x57 (0030a427)
        0030a40b 807d2412         cmp     byte ptr [ebp+0x24],0x12
   ss:027761ea=??
        0030a40f 7416             jz      sapascp+0x57 (0030a427)
        0030a411 8b4c241c         mov     ecx,[esp+0x1c]
   ss:0256e8f7=????????
        0030a415 8a440a2a         mov     al,[edx+ecx+0x2a]
   ds:027761fd=??
        0030a419 fec8             dec     al
        0030a41b 3c01             cmp     al,0x1
        0030a41d 1ac0             sbb     al,al

*----> Stack Back Trace <----*

   FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
   0125ff28 0030847c 00000002 0125ff70 0125ff6e 000000ff snaservr!sapascp
   (FPO: [EBP 0x000000ff] [3,11,4])
   0125ff50 0030c566 00000002 0125ff70 0125ff6e 00000000 snaservr!sapmain
   (FPO: [EBP 0x000000ff] [3,2,4])
   0125ff70 0030d1f4 0125ffec 001435a8 00000001 77f0178e snaservr!sbpcdin
   (FPO: [0,3,1])
   0125ff88 0030d7f5 009811c0 00000001 001435a8 77f8fe94 snaservr!sbpsched
   (FPO: [EBP 0x0125ffec] [0,1,4])
   0125ff8c 009811c0 00000001 001435a8 77f8fe94 001435a0 snaservr!sbpgmain
   (FPO: [0,0,0])
   0125ffa8 77dd8f76 00000001 001435a8 77f9b340 77f04f2c
   snasvc!ServiceMainFunction  (FPO: [2,1,3])
   0125ffec 00000000 77dd8f68 001435a0 00000000 00000000
   advapi32!RegisterServiceCtrlHandlerA
   00000000 00000000 00000000 00000000 00000000 00000000
   snaservr!<nosymbols> 
With the fix applied, SNA Server sends an OPEN SSCP negative response with operr1 set to Invalid message (BADSAMSG - 0A08) and operr2 set to Format / protocol error (CSREFORM - 4).

NOTE: The 3270 emulator that sent this invalid message will receive this negative response. The emulator may display the error to the user, though this may vary depending on the emulator being used. The error may appear in hex (operr1 = 0xA08, operr2 = 0x4) or decimal (operr1 = 2568, operr2 = 4). Since this problem indicates a logic error in the 3270 emulator being used, this problem should be reported to the emulator vendor.

Additional query words: sapascp drwatson

Keywords : kbnetwork snaserverservice kbfix3.00.sp2
Version : WINDOWS:2.0,2.1,2.11 SP1,3.0,3.0 SP1
Platform : WINDOWS
Issue type : kbbug


Last Reviewed: November 24, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.