Patch Name: PHNE_20832

Patch Description: s700 10.20 cumulative ARPA Transport patch

Creation Date: 00/08/16

Post Date: 00/09/25

Warning: 00/09/28 - This Critical Warning has been issued by HP.

  - PHNE_20832 introduces a 32 byte memory leak for each socket(2) that is created. This can cause a system memory shortage and consequent system hang under extended or high socket(2) activity conditions. The problem only exists with uniprocessor systems.
  - The problem also exists with s800 patch PHNE_20834.
  - HP recommends that PHNE_20832 be removed from all uniprocessor systems. PHNE_20832 should also be removed from all software depots that may be used to install patches on uniprocessor systems. As the problem does not occur on multiprocessor systems there is no need to remove PHNE_20832 from these systems.
  - The previous patch, PHNE_19937, does not exhibit this same problem. PHNE_19937 is being re-released until a replacement patch is available. To avoid the potential problem with uniprocessor systems introduced by PHNE_20832, and to ensure that as many other known issues as possible are addressed, HP recommends that PHNE_19937 be installed after PHNE_20832 is removed. If PHNE_19937 was installed prior to PHNE_20832, it will automatically be restored when PHNE_20832 is removed and will not need to be re-installed.

Hardware Platforms - OS Releases: s700: 10.20

Products: N/A

Filesets: OS-Core.CORE-KRN Networking.NET-KRN

Automatic Reboot?: Yes

Status: General Superseded With Warnings

Critical: Yes
    PHNE_20832: PANIC HANG MEMORY_LEAK
    PHNE_19937: PANIC
    PHNE_19117: PANIC
    PHNE_17731: PANIC
    PHNE_17096: PANIC
    PHNE_16237: PANIC
    PHNE_15581: PANIC
    PHNE_14916: PANIC
    PHNE_14504: PANIC
    PHNE_13469: PANIC
    PHNE_13289: PANIC
    PHNE_13245: PANIC
    PHNE_12407: PANIC
    PHNE_11530: PANIC
    PHNE_9106: PANIC
    PHNE_9098: PANIC
    PHNE_9036: PANIC

Path Name: /hp-ux_patches/s700/10.X/PHNE_20832

Symptoms:

PHNE_20832:

1> SR#: 1653310896 ; DTS#: JAGab39908
ARP REPLY sent when ARP REQUEST has a source IP set to 0.

2> SR#: 8606104914 ; DTS#: JAGab72690
Unrecognised socket IOCTL request returns EOPNOTSUPP.

3> SR#: 8606106098 ; DTS#: JAGab74943
System Panic while trying to abort multicast tests with FDDI.

4> SR#: 8606107115 ; DTS#: JAGab76795
Keep alive probes are not sent at correct tcp_keepfreq.

5> SR#: 8606114419 ; DTS#: JAGac29183
System panics with spinlock deadlock.

6> SR#: 8606127426 ; DTS#: JAGac77712
ifconfig on 10.20 handles "lan" as "lan0"

7> SR#: 8606127589 ; DTS#: JAGac78391
Driver expecting all the parameters for outbound broadcast traffic will not work properly because driver output routine is called with insufficient (only two out of four) parameters.

8> SR#: 8606128169 ; DTS#: JAGac78969
256 byte bucket memory leak in tcp input path.

9> SR#: 8606129494 ; DTS#: JAGac87829
All inbound IP processing stops on UP K420 when IP input Q is full.

10> SR#: 8606140213 ; DTS#: JAGad09535
MIB variable for number of IP addresses is not decremented when an ip address is deleted using ifalias.

11> SR#: 8606145663 ; DTS#: JAGad14999
Panic in m_free from icmp_error

PHNE_19937: See Defect Description
PHNE_19117: See Defect Description
PHNE_17731: See Defect Description
PHNE_17096: See Defect Description
PHNE_16237: See Defect Description
PHNE_15581: See Defect Description
PHNE_14916: See Defect Description
PHNE_14504: See Defect Description
PHNE_13469: See Defect Description
PHNE_13289: See Defect Description
PHNE_13245: See Defect Description
PHNE_12407: See Defect Description
PHNE_11530: See Defect Description
PHNE_9106: See Defect Description
PHNE_9098: See Defect Description
PHNE_9036: See Defect Description

Defect Description:

PHNE_20832:

1> SR#: 1653310896 ; DTS#: JAGab39908
On an OTS installed machine, when an ARP request with a source IP of 0.0.0.0 is received, the system logs a duplicate IP and responds with an unexpected ARP reply.
Resolution: An ARP reply is sent only if a valid Interface address match is found.

2> SR#: 8606104914 ; DTS#: JAGab72690
in_control() returns EOPNOTSUPP for driver specific ioctls.
Resolution: Modified code to pass an unrecognized IOCTL request to the driver instead of returning EOPNOTSUPP.

3> SR#: 8606106098 ; DTS#: JAGab74943
System panicked while trying to abort multicast tests on a multiprocessor system with FDDI. When the driver failed to join a multicast address, removal of that address from the interface's list by multiple applications corrupted the interface's multicast list, which in turn resulted in a panic while deleting the multicast address.
Resolution: Modified code to remove multicast address from interface's list by properly manipulating the list.

4> SR#: 8606107115 ; DTS#: JAGab76795
Keep alive probes were not sent at the correct interval because the timer was expiring prematurely.
Resolution: Adjusted keep alive timer with proper offset to avoid premature expiration.

5> SR#: 8606114419 ; DTS#: JAGac29183
Socket select path doesn't check for semaphore lock ownership before releasing the semaphore lock.
So the code may free the semaphore lock more than once, which may corrupt the semaphore hash table, leading to a non-ending loop in b_sema_get_queue and possibly a panic.
Resolution: Added check for semaphore lock ownership before releasing the semaphore lock.

6> SR#: 8606127426 ; DTS#: JAGac77712
ifconfig command used to report lan0's configuration information when asked for "lan".
Resolution: Modified code logic to check for proper interface name.

7> SR#: 8606127589 ; DTS#: JAGac78391
For an outbound broadcast packet, the driver output routine was called with only two parameters instead of all four parameters. Hence, the behaviour of any driver expecting all four parameters for outbound broadcast traffic will be undefined.
Resolution: Modified code to pass all four parameters to driver output routine for outbound broadcast packet.

8> SR#: 8606128169 ; DTS#: JAGac78969
m_copy() of TCP options in tcp_input(), in the case of inbound duplicate ACKs, was resulting in a 256 byte bucket memory leak.
Resolution: Added code to free the memory allocated by m_copy of TCP option in tcp_input for inbound duplicate ACKs.

9> SR#: 8606129494 ; DTS#: JAGac87829
All inbound IP processing stops on UP K420 when IP input Q is full. The root cause of this hang is a race condition between schednetisrsq() and schednetisrmq(). Both routines use the same set of code for setting an event bit, where the race condition may occur.
Resolution: The fix is to raise the spl level to SPLIMP while modifying the netirr bit in both schednetisrsq and schednetisrmq routines, thus preventing the race condition which caused this hang in a UP machine.

10> SR#: 8606140213 ; DTS#: JAGad09535
MIB_ipAddrNumEnt variable was not getting decremented when an IP address was deleted. If adding an alias IP and deleting it is done in a loop, this variable can get to a huge value, and if a query is made to fetch this value, the system may panic while mallocing for this amount of memory.
Resolution: A new macro MIB_ipDecrAddrNumEnt is added in in.c which decrements MIB_ipAddrNumEnt. This is called in two places:
  - while deleting the IP alias address in in_siocdelifaddr.
  - in the error path of the ioctl in in_control where we delete the node added in the first switch.

11> SR#: 8606145663 ; DTS#: JAGad14999
When a 10.20 system receives a bad ICMP packet with a corrupted/bad IP header, the system panics.
Resolution: Typecast the sizeof() operator to int while processing route options in ip_dooptions() so that it results in a signed comparison, thus avoiding overwriting of the mbuf. Added some preliminary checks to see whether the ICMP packet received is valid and drop it if not valid.

PHNE_19937:

( SR number: 8606104868 ; DTS number: JAGab72621 )
Some raw ip packets cause panic as follows:
    panic+0x10
    report_trap_or_int_and_panic+0xe8
    trap+0xa48
    $call_trap+0x20
    bcopy_gr_method+0x12c
    m_copydata+0xf0
    vtlan1_send_pkt+0x4e8
    vtlan1_ac_output+0x324
    unicast_ippkt+0xe0
    arp_resolve+0x28c
    lanc_if_output+0xc8
    ip_output+0x7a8
    rip_output+0x120
    raw_usrreq+0x220
    sosend+0x6e4
    sendit+0x268
    sendto+0x5c
    syscall+0x1a4
    $syscallrtn+0x0
Resolution: The problem is due to the overflowing of the ip_len field in the IP header. An appropriate bound check is introduced in rip_output() and ip_insertoptions() to handle this.

( SR number: 8606104929 ; DTS number: JAGab72707 )
Bind does not allow binding to a broadcast address.
Resolution: Removed the condition which checks for binding to a broadcast address.

PHNE_19117:

( SR not found ; DTS number: JAGaa26562 )
ioctl(FIOGETOWN) is not supported for sockets. Thus, we expect errno to be set to EOPNOTSUPP. This is true (or it should be) when ioctl(FIOGETOWN) is called after calling bind or connect. However, when ioctl(FIOGETOWN) is called before calling bind or connect, errno is set to EADDRNOTAVAIL. This is unexpected.
Resolution: Modified code to return EOPNOTSUPP as the error for ioctl commands not supported by the sockets.

( SR not found ; DTS number: JAGaa26658 )
in_notify_delete_ifaddr calls NET_SPLNET() instead of NET_SPLX().
Resolution: The fix calls NET_SPLX() instead of NET_SPLNET().

( SR not found ; DTS number: JAGaa26659 )
HP-UX is not restricting access to the SIOCSWITCHIFADDR ioctl to processes whose effective user ID is root.
Resolution: Added superuser check.

( SR not found ; DTS number: JAGaa26667 )
TCP/UDP sockets can bind to the broadcast address of the interface and manage to send packets out with the broadcast address as the source IP address of the packet, which does not comply with RFC1122.
Resolution: Binding the socket with the broadcast address of the interface is avoided to comply with RFC1122.

( SR not found ; DTS number: JAGaa26671 )
Nettune does not allow tuning of udp send and receive socket buffer sizes.
Resolution: Added tunable control for udp_send and udp_receive.

( SR number: 5003278374 ; DTS number: JAGaa26675 )
HP-UX does not stop sending arp messages out of an interface that has been disabled via ifconfig.
Resolution: Arp messages are not sent out of an interface that is down.

( SR not found ; DTS number: JAGaa26682 )
If ifconfig fails while setting a one bit subnet mask, the interface is left in IP-up state, and the IP address is 0.0.0.0.
Resolution: Failure in ifconfig while setting a one bit subnet mask will never leave the interface in IP-up state.

( SR not found ; DTS number: JAGaa26696 )
Multicast addresses can be added into the arp cache using SIOCSARP.
Resolution: Multicast addresses are prevented from having entries in the arp cache.

( SR not found ; DTS number: JAGaa26698 )
The macro IN_MASK is not defined correctly. It defaults to a class-A netmask if the specified address is neither class-B nor class-C.
Resolution: Modified the macro IN_MASK to return 0 if the specified addr is not in CLASS A, B or C networks.

( SR not found ; DTS number: JAGaa26715 )
sbwait is called inconsistently with one or two arguments.
Resolution: The small performance cost in passing the 2nd arg in sbwait() has been removed.

( SR not found ; DTS number: JAGaa26767 )
IP fragmentation timeout is not compliant to RFC-1122.
Resolution: Modified the macro IPFRAGTTL in ip_input.c to make it RFC-1122 compliant.

( SR number: 1653228965 ; DTS number: JAGaa26833 )
The default socket buffer size for UNIX domain stream sockets is not compliant with the unix(7p) manpage.
Resolution: Modified the default socket buffer size in compliance with the unix(7p) manpage.

( SR number: 5003350629 ; DTS number: JAGaa26904 )
SIOCGIFCONF does not return all interfaces if exact length is passed.
Resolution: The boundary condition has been properly checked to fix the defect.

( SR not found ; DTS number: JAGaa27012 )
ARP in HPUX is not replying correctly to the host, who is using same ip address of this machine.
Resolution: Fixed an error in a bcopy and duplicate ip sender was responded to.

( SR not found ; DTS number: JAGaa27013 )
arp takes improper input if m_len is negative.
Resolution: Type mismatch was found as the cause and fixed.

( SR number: 1653231001 ; DTS number: JAGaa27146 )
HP-UX allows invalid netmasks to be set through the ioctl SIOCSIFNETMASK.
Resolution: Introduced a check to avoid initialization of netmask to all 1's or a non-contiguous netmask.

( SR number: 5003439067 ; DTS number: JAGaa41264 )
HPUX goes into an endless loop sometimes when an attempt is made to close down a socket that is listening for connections. This problem will show up more easily when the tcp_keepstart value is tuned to a sufficiently low number.
Resolution: The memory leak causing endless loop has been fixed.

( SR number: 1653275693 ; DTS number: JAGaa41744 )
NFS client hangs at clntkudp_callit().
Resolution: The hang happening in the interrupt timeout routines has been resolved.

( SR number: 5003441188 ; DTS number: JAGaa43526 )
HP-UX has problems allocating TCP source port numbers.
Resolution: The algorithm to allocate port numbers was changed.

( SR number: 5003452474 ; DTS number: JAGaa93168 )
HP-UX gets into an infinite loop when a socket is closed abortively and will freeze a uniprocessor machine.
Resolution: The hang happening during flushing the socket buffers has been fixed.

( SR number: 1653307215 ; DTS number: JAGab24836 )
In 10.20, the slow start algorithm starts off with a congestion window of one in contrast to a congestion window of two in 11.x.
Resolution: The initial congestion window used in the slow-start algorithm has been made configurable.

( SR not found ; DTS number: JAGab25321 )
The panic happened with the following stack trace:
    q4> trace event 0
    stack trace for event 0
    crash event was a panic
    panic+0x10
    report_trap_or_int_and_panic+0xe8
    trap+0xa48
    $call_trap+0x20
    rt_pmtu_timer_this+0x180
    rn_walktree+0x88
    rt_pmtu_timer+0x34
    net_callout+0x84
    netisr_netisr+0x1bc
    netisr_daemon+0x68
    main+0x920
    $vstart+0x34
    $locore+0x74
Resolution: The race condition leading to the panic has been fixed.

PHNE_17731:

( SR not found ; DTS number: JAGaa26722 )
If an application passes a local sockaddr_in structure to the bind system call without clearing the uninitialized parts, then bind will sometimes fail.

( SR not found ; DTS number: JAGaa26762 )
ntimo_init() is being called twice during boot-time initialization.

( SR number: 5003382861 ; DTS number: JAGaa26905 )
None of the arp cache entries are absolutely permanent. Even the permanent entries get modified if the ARP code notices a different MAC address.

( SR number: 4701413534 ; DTS number: JAGaa27038 )
Implicit UDP connect results in using port number zero, when all the dynamic ports are in use.

( SR number: 5003406975 ; DTS number: JAGaa27184 )
Connection is never terminated by hpux if the remote side is no longer accessible, e.g. PC client is powered off.

( SR not found ; DTS number: JAGaa27216 )
Potential race between systems during a connect can hang the systems or make them very slow.

( SR number: 5003443655 ; DTS number: JAGaa44124 )
The number of outstanding xti connection indications can exceed the backlog limit set by an application, thus causing the library to fail a t_listen() with the TQFULL error.

( SR number: 1653286641 ; DTS number: JAGaa44778 )
HP-UX is not returning the correct error when recvmsg runs out of file descriptors (when rights are received).

( SR number: 5003425660 ; DTS number: JAGaa45145 )
sendto() for a multicast datagram fails with ENETUNREACH if the default route is not specified, even when the multicast interface has been provided.

( SR number: 1653248880 ; DTS number: INDaa29722 )
Panic caused with the following stack when the customer tried to delete an interface.
    panic()
    report_trap_or_int_and_panic()
    trap()
    $RDB_trap_patch()
    sounlock()
    in_notify_delete_ifaddr()
    in_siocdelifaddr()
    in_control()
    udp_usrreq()
    ifioctl()
    soo_ioctl()
    ioctl()
    syscall()
    $syscallrtn

( SR number: 1653205393 ; DTS number: JAGaa26791 )
Syslog filling up with duplicate IP address 0.0.0.0 with messages on the console:
    ARP packet duplicate IP address: 0.0.0.0 from 0020-afc9-d660
    ARP packet duplicate IP address: 0.0.0.0 from 00a0-24f0-2766

PHNE_17096:

( SR number: 1653174441 ; DTS number: INDaa25119 )
nettune does not support the configuration of tcp_fin_wait_timer.

( SR number: 5003366849 ; DTS number: INDaa27541 )
PMTU is not being resized when clients are attaching to the secondary address.

( SR number: 5003430827 ; DTS number: INDaa31460 )
Panic in nmget_tcpCurrEstab(), with the stack traces of the events (0 & 1) as follows:
    stack trace for event 0
    crash event was a panic
    panic+0x10
    report_trap_or_int_and_panic+0xe8
    $call_trap+0x20
    nmget_tcpCurrEstab+0x38
    nmget_tcp+0x354
    nmget+0x6c
    nm_ioctl+0x54
    spec_ioctl+0xd4
    vno_ioctl+0x98
    ioctl+0x444
    syscall+0x1a4
    $syscallrtn+0x0

    stack trace for event 1
    crash event was a TOC
    wait_for_lock_spinner+0x2d4
    wait_for_lock_4way+0x2c
    slu_retry+0x18
    in_pcbbind+0x58
    tcp_usrreq+0xb48
    sobind+0x6c
    bind+0x6c
    syscall+0x1a4
    $syscallrtn+0x0

( SR number: 5003433490 ; DTS number: INDaa31638 )
System may panic with the following stack:
    panic+0x0010
    report_trap_or_int_and_panic+0x008c
    trap+0x072c
    $thndlr_rtn+0x0000
    sounlock+0x00ac
    ckuwakeup+0x004c
    net_callout+0x0078
    netisr_netisr+0x01ac
    netisr_daemon+0x0118
    main+0x0900
    $vstart+0x003d

( SR not found ; DTS number: JAGaa26869 )
MP systems sometimes panic with the following stack on receiving an ICMP_REDIRECT:
    in_pcbfree
    mp_in_pcbnotify
    in_pcbnotify
    tcp_ctlinput
    pfctlinput
    icmp_input
    ipintr
    netisr_netisr

( SR not found ; DTS number: JAGaa27023 )
TCP/UDP send and receive buffers cannot be set to SB_MAX.

( SR number: 5003421560 ; DTS number: JAGaa27114 )
In sendmsg(), if the data size specified is larger than the send buffer size with the rights specified, there is a data loss.

( SR number: 4701404590 ; DTS number: JAGaa41628 )
When a dynamic host route is added by the OS then it panics sometimes if the socket that is using that route is terminated.

( SR not found ; DTS number: JAGaa41637 )
There is no way currently to retrieve the IP type of service value stored in the IP packet that contains the SYN at connection time.

( SR number: 5003443713 ; DTS number: JAGaa44208 )
A number of tcp connections are stuck in TIME_WAIT state and never get cleaned up because the value of tcp_keepstart is tuned to 5 seconds.

( SR number: 1653286146 ; DTS number: JAGaa44500 )
HP-UX panics intermittently with the following panic string: "panic: sbdrop".

PHNE_16237:

( SR not found ; DTS number: INDaa22630 )
An error "Invalid argument" returned from setsockopt():
    rc = setsockopt(tp->task_socket, level, opt, ptr, len)
with the parms:
    tp->task_socket = 12;
    level = IPPROTO_IP;      ==> 0
    opt = IP_RECVDSTADDR;    ==> 4103
    len = 4;
The socket() call parms are socket(domain, type, proto) where domain = AF_INET, type = SOCK_DGRAM, proto = 0

( SR number: 5003396937 ; DTS number: INDaa29248 )
nettune does not support disabling of IP Directed broadcast forwarding.

( SR number: 5003423665 ; DTS number: INDaa30931 )
After an IP packet with source route or record route options is received, the system may panic in wait_for_lock_spinner() called from ip_rtaddr(), ip_output(), or elsewhere.

( SR number: 5003429464 ; DTS number: INDaa31420 )
The system panics with one of the two stacks (listed below) while running with AF_UNIX sockets. Either:
    panic()
    m_free()
    m_freem()
    uipc_usrreq()
    soo_stat()
    fstat_common()
    fstat()
    syscall()
    $syscallrtn()
or:
    sounlock()
    mp_socket_unlock()
    uipc_usrreq()
    sosend()
    sendit()
    sendto()
    syscall()
    $syscallrtn()

PHNE_15581:

( SR number: 5003417410 ; DTS number: INDaa30415 )
IP multicasting does not work in a SG environment after a local network interface switch.

( SR number: 5003417477 ; DTS number: INDaa30445 )
Network may hang indefinitely when ARP interrupt queue is full. When it happens, the netisr may be idle and yet the ARP input interrupt queue is also full.

( SR number: 5003418228 ; DTS number: INDaa30448 )
The UDP checksum may not be set on outgoing IP multicast datagrams. This may happen if the IP_MULTICAST_IF socket option has been used to set an outgoing interface which does not support the checksum-offload (CKO) feature, and the datagram would have otherwise been sent out an interface which does support CKO.

PHNE_14916:

( SR number: 5003294777 ; DTS number: INDaa23011 )
netstat -m occasionally reports unbelievable statistics, e.g.: "4294967270 mapped pages in use"

( SR not found ; DTS number: INDaa30014 )
HP-UX does not have token ring multicast support for drivers that support multicasting.

( SR number: 5003409268 ; DTS number: INDaa30038 )
UDP datagrams are occasionally being dropped on MP machines running 10.20. An inbound UDP packet which is sent to a valid local port results in the system returning an ICMP_UNREACH_PORT ICMP message. This occurs when the system is sending a UDP packet from the local port at the same time that the inbound packet arrives.

( SR number: 5003411926 ; DTS number: INDaa30157 )
A panic can occur in sounlock() because of a race between two processes trying to access the same AF_UNIX socket. The stack trace is:
    sounlock
    unp_connect
    uipc_usrreq
    soconnect
    connect
    syscall

PHNE_14504:

( SR number: 1653232538 ; DTS number: INDaa28825 )
udp_usrreq cause system panic

( SR number: 4701371914 ; DTS number: INDaa28993 )
HP-UX does not have support for a socket API interface to get the TCP state.

( SR number: 5003401802 ; DTS number: INDaa29743 )
Bad mbuf offset alignment causes Data memory protection fault panic in icmp_error().
Stack Trace :
-----------
    Data memory protection fault
    panic+0x10
    report_trap_or_int_and_panic+0xe8
    interrupt+0x458
    $ihndlr_rtn+0x0
    icmp_error+0x244
    ip_dooptions+0x260
    ipintr+0xc2c
    netisr_netisr+0x208
    netisr+0x28
    inttr_emulate_save_fpu+0xf0
    ni_write+0x364
    spec_rdwr+0x69c
    vno_rw+0xb8
    rwuio+0xc4
    writev+0xb0
    syscall+0x1a4

( SR number: 5003408328 ; DTS number: INDaa29959 )
A system that has packets coming in on one interface type (i.e. Ethernet) and going out on another interface type (i.e. FDDI) can panic with a message of "m_free: freeing free mbuf".
The stack trace is:
    panic+0x10
    m_free+0x28
    m_freem_train+0x1c
    unicast_ippkt+0x71c
    arp_resolve+0x288
    lanc_if_output+0x48
    ip_output+0x60c
    udp_output+0x1f8
    ku_sendto_mbuf+0x8c
    svckudp_send+0x158
    svc_sendreply+0x5c
    svckudp_send+0x158
    svc_sendreply+0x5c

PHNE_13469:

( SR number: 5003366906 ; DTS number: INDaa27509 )
Netstat -m displays an incorrect number of socket structures.

( SR number: 1653234245 ; DTS number: INDaa28951 )
When Service Guard requests a switch between two interfaces and the TARGET is not available, the ifnet structures may become corrupted. The system will crash when these structures are used later.

( SR number: 1653239764 ; DTS number: INDaa29253 )
If there is at least one IP packet on the ipintrq, one processor on an MP machine will do nothing but run netisr. Networking may be slow or appear to not work at all. The same problem causes single-processor machines to appear to be hung, but the machines will respond to ping. Netstat will show at least one SYN_RCVD socket where the local and remote addresses and ports are the same.

PHNE_13289:

( SR number: 1653227116 ; DTS number: INDaa28439 )
The TCP retransmission timer range is not tuneable.

PHNE_13245:

( SR number: 4701350173 ; DTS number: INDaa26913 )
The system panics during start-up due to a lack of defensive checks in IP interrupt processing.

( SR number: 5003361691 ; DTS number: INDaa27808 )
Nettune cannot tune sb_max.

( SR number: 5003379529 ; DTS number: INDaa27952 )
A customer wants to have more available IP addresses than what RFC 1122 will allow.

( SR number: 5003384719 ; DTS number: INDaa28504 )
A customer is running out of outbound ports, since the system is bounded by the port numbers 1024 to 5000.

( SR number: 1653229633 ; DTS number: INDaa28537 )
When using Service Guard in a spanning tree environment it is possible to lose the unsolicited ARP_REQUESTS sent out when an IP address moves from one interface to another.

( SR number: 4701345082 ; DTS number: INDaa26302 )
If connections in TIME_WAIT reuse the same port, the socket options will get lost.

PHNE_12407:

( SR number: 5003314351 ; DTS number: INDaa24634 )
HP-UX does not allow different subnets for IP aliases.

( SR number: 1653163436 ; DTS number: INDaa25115 )
A TCP client that is connected to itself will hang the session.

( SR number: 1653204198 ; DTS number: INDaa26665 )
An additional urgent byte could be sent in an AF_INET/STREAM socket if the send buffer is much larger than 64K bytes.

( SR number: 1653214981 ; DTS number: INDaa27440 )
ip_output() is using the PMTU from the dynamic route, but TCP is not, resulting in fragmentation and sub-optimal behavior.

( SR number: 5003366898 ; DTS number: INDaa27749 )
Whenever the PMTU value is changed, the remote system starts logging TCP checksum errors and existing connections time out.

( SR number: 1653221549 ; DTS number: INDaa27809 )
A Catalyst 5000's system does not reply to an HP-UX ARP request.

( SR number: 4701362756 ; DTS number: INDaa28061 )
poll() is not supported on series 800 machines.

( SR number: 4701363333 ; DTS number: INDaa28081 )
nfsd's are hanging because they sleep until the driver or other lower layer has released the memory for the packet that was sent down. This memory is not being freed.

PHNE_11530:

( SR number: 5003320655 ; DTS number: INDaa24498 )
The HP 9000/UX BSD ARP implementation causes caching of the least optimal path to a remote host on a Token Ring network among multiple possible paths through various source routing bridges. This is true for both outbound and inbound ARP resolution cases. In the case of outbound ARP resolution, after HP 9000/UX issues an ARP broadcast request to a remote host which results in multiple requests reaching to that host, it begins to receive multiple responses, and for each such response it overwrites the cache data for that host.
This results in the cache having the longest path corresponding to the last response received. Similarly, in the case of inbound ARP resolution, HP 9000/UX receives multiple ARP requests over multiple paths, and with each request it updates its cache with the path over which that request was received. This results in the cache finally containing the path over which the last request was received which may be the longest path in most cases.

( SR number: 5003355875 ; DTS number: INDaa26445 )
In 10.X TCP MSS does not behave the same way as in 9.X even when PMTU is disabled.

( SR not found ; DTS number: INDaa27510 )
The system may hang due to a memory leak caused by failed setsockopt(2) calls.

( SR number: 5003372144 ; DTS number: INDaa27528 )
The system will panic due to a null pointer dereference during a bind(2) system call.

PHNE_9106:

( SR not found ; DTS number: INDaa25576 )
HP-UX does not allow tuning of the TCP hash table size.

( SR number: 5003345207 ; DTS number: INDaa25720 )
An application that is bound to a multicast address does not receive packets sent to that multicast address.

( SR number: 1653192054 ; DTS number: INDaa25760 )
IBM RS/6000 systems reject our arp requests.

( SR number: 1653198069 ; DTS number: INDaa26155 )
The system hangs in sbdrop() during shutdown.

( SR number: 5003352872 ; DTS number: INDaa26215 )
Network hangs because Stream Scheduler is looping on processor 0.

( SR not found ; DTS number: INDaa26243 )
HP-UX does not support IP directed broadcast forwarding.

PHNE_9098:

( SR number: 5000710814 ; DTS number: INDaa20102 )
An ENXIO error is presently passed from the transport layer up to the application error as a "hard", or irrecoverable error. It is left up to the application to decide how to handle this situation. This is incorrect, because ENXIO is generated by the driver(s) in situations which *may* be recoverable, such as the infamous 82596 LAN chip error.
The user will see applications fail with a connection failure error which may be accompanied by a log message from the driver indicating that some sort of hardware error has occurred.

( SR number: 4701313866 ; DTS number: INDaa22779 )
Bug in source code. Found through code examination. Works accidentally.

( SR not found ; DTS number: INDaa24148 )
In a threaded environment, unp_externalize() can no longer depend on the file descriptor state being the same because another thread of the same process can change the state.

( SR number: 5003316810 ; DTS number: INDaa24262 )
System hang and network congestion.

( SR number: 5003318543 ; DTS number: INDaa24355 )
A memory leak occurs when an IPPROTO_TCP setsockopt() is done on a closed socket.

( SR not found ; DTS number: INDaa24426 )
netstat improperly displays the interface field for clan0.

( SR not found ; DTS number: INDaa24561 )
HP-UX does not have protocol switch entries for Raptor.

( SR number: 1653175810 ; DTS number: INDaa24600 )
ICMP packets sent to 255.255.255.255 cause system hangs on UP machines and a panic on MP machines.

( SR not found ; DTS number: INDaa24633 )
For a SYN, when the socket is not found in the listen queue, we search the whole list. This takes too long. It causes performance degradation in netscape. The above may happen when a service is not started.

( SR number: 1653176644 ; DTS number: INDaa24653 )
A panic occurs when we call audit_send_dgram ().

( SR number: 5003327973 ; DTS number: INDaa24727 )
Data is put in the socket buffer before calling TCP to send it out. If TCP gets an error from the interface (which may be transient), TCP returns the error to the application. If the application attempts to resend the data instead of exiting, potential data corruption can occur.

( SR number: 5003326199 ; DTS number: INDaa24752 )
A K400 system running ServiceGuard on 10.01 panics when pinging a floating ip address of a package that is being shutdown.

( SR not found ; DTS number: INDaa24826 )
The code does not ensure that there is always space left for '\0' for the case when an interface's unit number > 9.

( SR not found ; DTS number: INDaa24843 )
The default for a listen() queue has been increased from 20 to 4K.

( SR not found ; DTS number: INDaa24847 )
The maximum value of 20 for a listen() queue is inadequate for many applications.

( SR not found ; DTS number: INDaa24859 )
In tcp_close, we tie up the locks too long since we do a forward search to determine whether an inpcb belongs to the hash list or not.

( SR not found ; DTS number: INDaa24936 )
Using a Fibre Channel driver with Service Guard causes a memory leak resulting in a hang.

( SR number: 4701333427 ; DTS number: INDaa24947 )
tcp_ctloutput() may cause a panic due to improper locking and unlocking of inp.

( SR number: 5000716316 ; DTS number: INDaa25002 )
The system will hang when a second connect() is called on the same socket.

( SR number: 1653182782 ; DTS number: INDaa25005 )
Fast retransmission is not activated after three duplicate ACKs if window scaling is on (RFC 1323).

( SR number: 4701335596 ; DTS number: INDaa25125 )
A syn attack can result in Denial Of Service (DOS) to legitimate users.

( SR number: 1653184861 ; DTS number: INDaa25164 )
Customers in 9.x can tune sb_max, but cannot do it in 10.x.

( SR not found ; DTS number: INDaa25166 )
IPTOS_PREC_ROUTINE was defined as 0x10. That means the LOW DELAY bit in the type of service field is also set. This makes it difficult to assign "Routine" precedence with "Normal delay".

( SR number: 4701339044 ; DTS number: INDaa25467 )
A panic will occur in sounlock() when an application forks off multiple processes that call accept() on the same socket.

( SR number: 1653189852 ; DTS number: INDaa25498 )
A directed broadcast to a different network fails.

( SR number: 5003345215 ; DTS number: INDaa25698 )
Multicast addresses don't transfer over to the new interface during switchover.
PHNE_9036: ( SR number: 5003342071 ; DTS number: INDaa25456 ) ping with illegal packets can cause panic. SR: 5000710814 4701313866 5003294777 5003316810 5003318543 5003320655 1653175810 5003314351 1653176644 5003327973 5003326199 4701333427 5000716316 1653182782 1653163436 1653174441 4701335596 1653184861 5003342071 4701339044 1653189852 5003345215 5003345207 1653192054 1653198069 5003352872 4701345082 5003355875 1653204198 4701350173 1653214981 5003366906 5003372144 5003366849 5003366898 5003361691 1653221549 5003379529 4701362756 4701363333 1653227116 5003384719 1653229633 1653232538 1653234245 4701371914 5003396937 1653239764 1653248880 5003401802 5003408328 5003409268 5003411926 5003417410 5003417477 5003418228 5003423665 5003429464 5003430827 5003433490 5003278374 1653205393 1653228965 5003350629 5003382861 4701413534 5003421560 1653231001 5003406975 5003439067 4701404590 1653275693 5003441188 5003443655 5003443713 1653286146 1653286641 5003425660 5003452474 1653307215 8606104929 8606104868 1653310896 8606104914 8606106098 8606107115 8606114419 8606127426 8606127589 8606128169 8606129494 8606140213 8606145663 Patch Files: /usr/conf/lib/libinet.a(udp_usrreq.o) /usr/conf/lib/libinet.a(tcp_usrreq.o) /usr/conf/lib/libinet.a(tcp_timer.o) /usr/conf/lib/libinet.a(tcp_subr.o) /usr/conf/lib/libinet.a(tcp_output.o) /usr/conf/lib/libinet.a(tcp_input.o) /usr/conf/lib/libinet.a(raw_ip.o) /usr/conf/lib/libhp-ux.a(nm_tune.o) /usr/conf/lib/libinet.a(nm_tcp.o) /usr/conf/lib/libinet.a(ip_output.o) /usr/conf/lib/libinet.a(ip_mroute.o) /usr/conf/lib/libinet.a(ip_input.o) /usr/conf/lib/libinet.a(ip_icmp.o) /usr/conf/lib/libinet.a(in_proto.o) /usr/conf/lib/libinet.a(in_pcb.o) /usr/conf/lib/libinet.a(in.o) /usr/conf/lib/libinet.a(if_ether.o) /usr/conf/lib/libnet.a(route.o) /usr/conf/lib/libuipc.a(netisr.o) /usr/conf/lib/libnet.a(if_ni.o) /usr/conf/lib/libnet.a(if.o) /usr/conf/lib/libhp-ux.a(dgram_aud.o) /usr/conf/lib/libuipc.a(sys_socket.o) /usr/conf/lib/libuipc.a(uipc_init.o) 
/usr/conf/lib/libuipc.a(uipc_socket2.o)
/usr/conf/lib/libuipc.a(uipc_usrreq.o)
/usr/conf/lib/libhp-ux.a(uipc_mbuf.o)
/usr/conf/lib/libuipc.a(uipc_socket.o)
/usr/conf/lib/libuipc.a(uipc_syscall.o)
/usr/conf/lib/libtpiso.a(xtiso.o)

what(1) Output:
/usr/conf/lib/libinet.a(udp_usrreq.o):
    PHNE_20832 udp_usrreq.c $Revision: 1.8.112.12 $ $Date: 98/03/17 18:21:37 $
/usr/conf/lib/libinet.a(tcp_usrreq.o):
    PHNE_20832 tcp_usrreq.c $Revision: 1.10.112.12 $ $Date: 00/02/03 18:48:18 $
/usr/conf/lib/libinet.a(tcp_timer.o):
    PHNE_20832 tcp_timer.c $Revision: 1.8.112.7 $
/usr/conf/lib/libinet.a(tcp_subr.o):
    PHNE_20832 tcp_subr.c $Revision: 1.8.112.11 $ $Date: 99/07/04 23:05:45 $
/usr/conf/lib/libinet.a(tcp_output.o):
    PHNE_20832 tcp_output.c $Revision: 1.6.112.6 $ $Date: 99/02/14 23:09:25 $
/usr/conf/lib/libinet.a(tcp_input.o):
    PHNE_20832 tcp_input.c $Revision: 1.11.112.25 $ $Date: 00/03/28 18:55:36 $
/usr/conf/lib/libinet.a(raw_ip.o):
    PHNE_20832 raw_ip.c $Revision: 1.5.112.2 $
/usr/conf/lib/libhp-ux.a(nm_tune.o):
    PHNE_20832 nm_tune.c $Revision: 1.3.112.13 $
/usr/conf/lib/libinet.a(nm_tcp.o):
    PHNE_20832 nm_tcp.c $Revision: 1.4.112.2 $
/usr/conf/lib/libinet.a(ip_output.o):
    PHNE_20832 ip_output.c $Revision: 1.7.112.8 $ $Date: 99/09/15 23:41:34 $
/usr/conf/lib/libinet.a(ip_mroute.o):
    PHNE_20832 ip_mroute.c $Revision: 1.3.112.3 $ IPM3.3
/usr/conf/lib/libinet.a(ip_input.o):
    PHNE_20832 ip_input.c $Revision: 1.8.112.13 $ $Date: 00/08/04 12:21:36 $
/usr/conf/lib/libinet.a(ip_icmp.o):
    PHNE_20832 ip_icmp.c $Revision: 1.9.112.5 $
/usr/conf/lib/libinet.a(in_proto.o):
    PHNE_20832 in_proto.c $Revision: 1.4.112.4 $ $Date: 96/08/19 18:40:49 $
/usr/conf/lib/libinet.a(in_pcb.o):
    PHNE_20832 in_pcb.c $Revision: 1.10.112.18 $ $Date: 99/08/31 01:33:14 $
/usr/conf/lib/libinet.a(in.o):
    PHNE_20832 in.c $Revision: 1.9.112.26 $ $Date: 00/07/27 17:33:05 $
/usr/conf/lib/libinet.a(if_ether.o):
    PHNE_20832 if_ether.c $Revision: 1.10.112.24 $
/usr/conf/lib/libnet.a(route.o):
    PHNE_20832 route.c $Revision: 1.8.112.11 $
/usr/conf/lib/libuipc.a(netisr.o):
    PHNE_20832 netisr.c $Revision: 1.12.112.12 $
/usr/conf/lib/libnet.a(if_ni.o):
    PHNE_20832 if_ni.c $Revision: 1.8.112.3 $ $Date: 98/03/27 11:50:24 $
/usr/conf/lib/libnet.a(if.o):
    PHNE_20832 if.c $Revision: 1.7.112.4 $
/usr/conf/lib/libhp-ux.a(dgram_aud.o):
    PHNE_20832 dgram_aud.c $Revision: 1.3.112.2 $ $Date: 96/08/02 20:37:56 $
/usr/conf/lib/libuipc.a(sys_socket.o):
    PHNE_20832 sys_socket.c $Revision: 1.7.112.4 $
/usr/conf/lib/libuipc.a(uipc_init.o):
    FILESET BSDIPC-SOCKET: lib uipc: Version: A.10.00
    PHNE_20832 uipc_init.c $Date: 98/04/07 22:39:36 $ $Revision: 1.7.112.2 $
/usr/conf/lib/libuipc.a(uipc_socket2.o):
    PHNE_20832 uipc_socket2.c $Revision: 1.10.112.14 $ $Date: 99/03/23 00:42:50 $
/usr/conf/lib/libuipc.a(uipc_usrreq.o):
    PHNE_20832 uipc_usrreq.c $Revision: 1.8.112.11 $
/usr/conf/lib/libhp-ux.a(uipc_mbuf.o):
    PHNE_20832 uipc_mbuf.c $Revision: 1.9.112.5 $ $Date: 98/03/27 12:57:17 $
/usr/conf/lib/libuipc.a(uipc_socket.o):
    PHNE_20832 uipc_socket.c $Revision: 1.11.112.16 $ $Date: 00/05/25 10:44:35 $
/usr/conf/lib/libuipc.a(uipc_syscall.o):
    PHNE_20832 uipc_syscall.c $Revision: 1.10.112.4 $ $Date: 96/12/16 10:45:36 $
/usr/conf/lib/libtpiso.a(xtiso.o):
    PHNE_20832 xtiso.c $Revision: 1.4.112.7 $ $Date: 99/02/21 22:45:54 $

cksum(1) Output:
2711823987 15232 /usr/conf/lib/libinet.a(udp_usrreq.o)
786550910 11804 /usr/conf/lib/libinet.a(tcp_usrreq.o)
113472223 13340 /usr/conf/lib/libinet.a(tcp_timer.o)
853208195 11024 /usr/conf/lib/libinet.a(tcp_subr.o)
1777496502 7576 /usr/conf/lib/libinet.a(tcp_output.o)
2125793114 21656 /usr/conf/lib/libinet.a(tcp_input.o)
3621093450 3556 /usr/conf/lib/libinet.a(raw_ip.o)
771330706 10324 /usr/conf/lib/libhp-ux.a(nm_tune.o)
967018449 4372 /usr/conf/lib/libinet.a(nm_tcp.o)
2232853748 12476 /usr/conf/lib/libinet.a(ip_output.o)
3355953076 21020 /usr/conf/lib/libinet.a(ip_mroute.o)
1820222396 17824 /usr/conf/lib/libinet.a(ip_input.o)
677486019 7344 /usr/conf/lib/libinet.a(ip_icmp.o)
1021384799 3192 /usr/conf/lib/libinet.a(in_proto.o)
2976360298 17656 /usr/conf/lib/libinet.a(in_pcb.o)
3067529642 18328 /usr/conf/lib/libinet.a(in.o)
1799248759 48356 /usr/conf/lib/libinet.a(if_ether.o)
3516899634 18132 /usr/conf/lib/libnet.a(route.o)
2639255891 9060 /usr/conf/lib/libuipc.a(netisr.o)
2126346986 10504 /usr/conf/lib/libnet.a(if_ni.o)
3745394303 7492 /usr/conf/lib/libnet.a(if.o)
3870250862 2504 /usr/conf/lib/libhp-ux.a(dgram_aud.o)
2164924402 4196 /usr/conf/lib/libuipc.a(sys_socket.o)
481298393 4404 /usr/conf/lib/libuipc.a(uipc_init.o)
1234793598 21708 /usr/conf/lib/libuipc.a(uipc_socket2.o)
772359592 13480 /usr/conf/lib/libuipc.a(uipc_usrreq.o)
3374930143 12692 /usr/conf/lib/libhp-ux.a(uipc_mbuf.o)
296838449 21368 /usr/conf/lib/libuipc.a(uipc_socket.o)
2815547648 17108 /usr/conf/lib/libuipc.a(uipc_syscall.o)
920949614 60120 /usr/conf/lib/libtpiso.a(xtiso.o)

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
PHNE_9036 PHNE_9098 PHNE_9106 PHNE_11530 PHNE_12407 PHNE_13245
PHNE_13289 PHNE_13469 PHNE_14504 PHNE_14916 PHNE_15581 PHNE_16237
PHNE_17096 PHNE_17731 PHNE_19117 PHNE_19937

Equivalent Patches: None

Patch Package Size: 530 KBytes

Installation Instructions:
Please review all instructions and the Hewlett-Packard SupportLine User Guide
or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.
------------------------------------------------------------
1. Back up your system before installing a patch.

2. Log in as root.

3. Copy the patch to the /tmp directory.

4. Move to the /tmp directory and unshar the patch:

       cd /tmp
       sh PHNE_20832

5a. For a standalone system, run swinstall to install the patch:

       swinstall -x autoreboot=true -x match_target=true \
           -s /tmp/PHNE_20832.depot

By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_20832. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.

WARNING: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.

It is recommended that you move the PHNE_20832.text file to /var/adm/sw/patch for future reference.

To put this patch on a magnetic tape and install from the tape drive, use the command:

       dd if=/tmp/PHNE_20832.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
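
Added example (not part of the HP patch text): after installation, the archive members can be compared with the entries of the cksum(1) Output section. It assumes each listed value is the cksum of the member as extracted by ar and that the entries are saved one per line in a file; the function names and the optional root prefix are illustrative.

```shell
#!/bin/sh
# Added example: check installed archive members against manifest lines of the
# form "checksum size library(member)", the layout of the cksum(1) listing.
# Assumption: each listed value is the cksum of the member as extracted by ar.

# parse_entry LINE: print "checksum size library member", fail on other shapes.
parse_entry() {
    printf '%s\n' "$1" | {
        read -r sum size target rest
        [ -n "$target" ] && [ -z "$rest" ] || exit 1
        case $target in *"("*")") ;; *) exit 1 ;; esac
        case $sum$size in *[!0-9]*) exit 1 ;; esac
        lib=${target%%\(*}
        member=${target#*\(}
        member=${member%\)}
        printf '%s %s %s %s\n' "$sum" "$size" "$lib" "$member"
    }
}

# verify_manifest FILE [ROOT]: report every entry, return 1 if any differs.
# ROOT (hypothetical) is prepended to each path, e.g. a mounted backup image.
verify_manifest() {
    manifest=$1 root=${2:-} status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! entry=$(parse_entry "$line"); then
            echo "BAD-LINE $line"; status=1; continue
        fi
        set -f; set -- $entry; set +f
        # An unreadable archive or missing member yields the cksum of empty
        # input, which cannot match an entry whose size is non-zero.
        actual=$(ar p "$root$3" "$4" 2>/dev/null | cksum)
        if [ "$actual" = "$1 $2" ]; then
            echo "OK $3($4)"
        else
            echo "MISMATCH $3($4)"; status=1
        fi
    done < "$manifest"
    return $status
}

# Run as: sh verify.sh manifest.txt [root]
[ $# -eq 0 ] || verify_manifest "$@"
```

A MISMATCH line means the member on disk is not the one this patch text describes, for example because a different patch level is installed or the library was altered after installation.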