none
BAD_POOL_HEADER (19) BSOD RRS feed

  • Question

  • hi,

    I get a BSOD of BAD_POOL_HEADER, when trying to free a memory by ExFreePool. code is attached:

    if (Params->Parameters.Ioctl.Output.Length > 0)
    {
    	pOutputBuffer = (char*)ExAllocatePoolWithTag(NonPagedPoolNx, Params->Parameters.Ioctl.Output.Length, HID_TAG6);
    	if (pOutputBuffer != NULL)
    	{
    		status = WdfMemoryCopyToBuffer(	Params->Parameters.Ioctl.Output.Buffer,
    	0,
    	pOutputBuffer,
    	Params->Parameters.Ioctl.Output.Length);
    		if (!NT_SUCCESS(status))
    		{
    			TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE, DRIVER_NAME "%!FUNC! WdfMemoryCopyToBuffer failed with status %!STATUS!\n", status);
    		}
    		else
    		{
    	status = WdfRequestRetrieveOutputMemor(orgRequest, &orgMem);
    		if (!NT_SUCCESS(status))
    		{
    		TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE, DRIVER_NAME " %!FUNC! WdfRequestRetrieveOutputMemory failed with status %!STATUS!\n", status);
    		}
    		else
    		{
    			UINT32 i;
    		TraceEvents(TRACE_LEVEL_VERBOSE, TRACE_HID, "%s  RETURN SENSOR DATA ", HID_HEAD);
    			for (i = 0; i < Params->Parameters.Ioctl.Output.Length; i++)
    									TraceEvents(TRACE_LEVEL_VERBOSE, TRACE_HID, "%s  0x%x ", HID_HEAD, pOutputBuffer[i]);
    							status = WdfMemoryCopyFromBuffer(orgMem, 0, pOutputBuffer, Params->Parameters.Ioctl.Output.Length);
    								if (!NT_SUCCESS(status))				{							TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE, DRIVER_NAME "%!FUNC! WdfRequestRetrieveOutputMemory passed with status %!STATUS!\n", status);
    	}
    	}
    	}
    	ExFreePool(pOutputBuffer);
    	}
    }

    from windbg:

    Params->Parameters.Ioctl.Output.Length = 15

    Params->Parameters.Ioctl.Output.Buffer has an address but in the memory window I get "Unable to retrieve information, NTSTATUS 0xC0000147: {No Paging File Specified}  No paging file was specified in the system configuration. " when set it's address. also, in it'ss IRP information I get No System Buffer for this request.

    any suggestion why do I faild here? use ExFreePoolWithTag would help?

    thanks,

    Shosho



    Monday, December 8, 2014 1:34 PM

All replies

  • What are you really trying to do here?  You have code that copies data from the requests output buffer to pOutputBuffer and then gets a handle to that same buffer and copies the data back.  Step back and explain what you are really trying to do here.

      


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Monday, December 8, 2014 1:53 PM
  • What am I trying to do is to copey data from one requests output buffer - Params.Parameters.Ioctl.Output.buffer to another requests output buffer - orgMem. this is done by using temp buffer - pOutputbuffer because I don't know about a way to copy from memory to memory directly.

    for any reason Params.Parameters.Ioctl.Output.buffer has an adress (it is not NULL) but have no buffer. is this can influence the pOutputBuffer? why am I failing on the ExFreePool(pOutputBuffer)?

    tha relevant lines from windbg's stack text:

    fffff803`cfc99d88 fffff803`ce512fb3 : 00000000`00000019 00000000`0000000e ffffe001`65948810 4d92b2fd`b79ed1c8 : nt!KeBugCheckEx
    fffff803`cfc99d90 fffff800`8a63c983 : ffffe001`8156ea70 fffff800`8a63f000 ffffe001`818db810 fffff800`8a63e130 : nt!ExFreePool+0x35f

    Tuesday, December 9, 2014 7:19 AM