tcpip.sys crash


  • Hello,

    a have a strange behavior with an application that uses IcmpCreateFile(), IcmpSendEcho() and IcmpCloseHandle() for searching for devices. This code is used from 10 threads at the same time:

    int ping(char *pstrHost, int to)
      HANDLE hIcmpFile;
      unsigned long ipaddr;
      DWORD dwRetVal;
      char SendData[] = "PING TEST";
      BYTE ReplyBuffer[40];
      LPHOSTENT lpHost;
      lpHost = gethostbyname(pstrHost);
      ipaddr = *((u_long FAR *) (lpHost->h_addr));
      if((hIcmpFile = IcmpCreateFile()) == INVALID_HANDLE_VALUE) 
        return -1;
      dwRetVal = IcmpSendEcho(hIcmpFile,
          ipaddr, SendData, sizeof(SendData), NULL, 
          ReplyBuffer, sizeof(ReplyBuffer), to);
      return (dwRetVal > 0)?1:-1;

    When I debug this application I get sometimes a BOD. Here is a crash-dump:

    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available
    Symbol search path is: SRV*C:/symbols*;C:\Symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
    Machine Name:
    Kernel base = 0xfffff800`03e1e000 PsLoadedModuleList = 0xfffff800`04061670
    Debug session time: Wed Jul  3 11:56:32.695 2013 (UTC + 2:00)
    System Uptime: 0 days 0:35:59.918
    Loading Kernel Symbols
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 000007ff`fffdf018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    Use !analyze -v to get detailed debugging information.
    BugCheck CB, {fffff8800168b385, 0, fffffa8003854690, 5}
    Probably caused by : tcpip.sys ( tcpip!Ipv4SetEchoRequestCreate+345 )
    Followup: MachineOwner
    0: kd> !analyze -v
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    Caused by a driver not cleaning up completely after an I/O.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arg1: fffff8800168b385, The calling address in the driver that locked the pages or if the
    	IO manager locked the pages this points to the dispatch routine of
    	the top driver on the stack to which the IRP was sent.
    Arg2: 0000000000000000, The caller of the calling address in the driver that locked the
    	pages. If the IO manager locked the pages this points to the device
    	object of the top driver on the stack to which the IRP was sent.
    Arg3: fffffa8003854690, A pointer to the MDL containing the locked pages.
    Arg4: 0000000000000005, The number of locked pages.
    Debugging Details:
    fffff880`0168b385 c644243401      mov     byte ptr [rsp+34h],1
    PROCESS_NAME:  EmpProcMon.exe
    LAST_CONTROL_TRANSFER:  from fffff800041ce96f to fffff80003e93c00
    fffff880`06a25a38 fffff800`041ce96f : 00000000`000000cb fffff880`0168b385 00000000`00000000 fffffa80`03854690 : nt!KeBugCheckEx
    fffff880`06a25a40 fffff800`0414d677 : fffffa80`07146750 fffffa80`03545b20 fffffa80`00000000 fffffa80`00000000 : nt! ?? ::NNGAKEGL::`string'+0x17dbc
    fffff880`06a25a80 fffff800`03e9ce44 : 00000000`00000000 fffffa80`06a45b30 fffffa80`07146720 fffffa80`039959b0 : nt!PspProcessDelete+0x177
    fffff880`06a25ae0 fffff800`0418c2d4 : fffffa80`06a45b30 00000000`00000000 fffffa80`06b2f750 00000000`00000000 : nt!ObfDereferenceObject+0xd4
    fffff880`06a25b40 fffff800`0418c884 : 00000000`00000170 fffffa80`06a45b30 fffff8a0`05498470 00000000`00000170 : nt!ObpCloseHandleTableEntry+0xc4
    fffff880`06a25bd0 fffff800`03e92e93 : fffffa80`06b2f750 fffff880`06a25ca0 00000000`00000000 fffffa80`06a658e0 : nt!ObpCloseHandle+0x94
    fffff880`06a25c20 00000000`779b140a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0264fb58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779b140a
    STACK_COMMAND:  .bugcheck ; kb
    fffff880`0168b385 c644243401      mov     byte ptr [rsp+34h],1
    SYMBOL_NAME:  tcpip!Ipv4SetEchoRequestCreate+345
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: tcpip
    IMAGE_NAME:  tcpip.sys
    FAILURE_BUCKET_ID:  X64_0xCB_tcpip!Ipv4SetEchoRequestCreate+345
    BUCKET_ID:  X64_0xCB_tcpip!Ipv4SetEchoRequestCreate+345
    Followup: MachineOwner

    It looks, like there is a problem inside of tcpip.sys.
    I noticed the crash only after hitting a breakpoint inside of the visualstudio debugger.

    I created this function because I need a "ping" without admin rights.


    • Edited by Uwe_K Wednesday, July 03, 2013 11:31 AM
    Wednesday, July 03, 2013 11:29 AM

All replies

  • Do you make sure that all your threads wait for pings to complete and exit cleanly before exiting the main process/app?

    -- pa

    Thursday, July 04, 2013 12:56 AM
  • Hello pa,

    no I don't wait, because normally the runtime lib closes all open handles afer terminating the main thread.

    And at no time a user program should be able to produce a BOD.


    Thursday, July 04, 2013 4:41 AM
  • You're right, user programs should not produce BSODs.

    So this is Win7 SP1 64-bit.  A nice catch. Unless this is caused by 3rd party components (the netcard driver, antivirus or virus), call the MS product support.

    -- pa

    Thursday, July 04, 2013 2:14 PM
  • Hello,

    only for information:

    This is a known BUG - but no fix available at the moment...



    • Proposed as answer by Pavel A Tuesday, July 16, 2013 2:39 PM
    Monday, July 15, 2013 8:45 AM