tcpip.sys crash

    Question

  • Hello,

    I have strange behavior with an application that uses IcmpCreateFile(), IcmpSendEcho() and IcmpCloseHandle() to search for devices. This code is used from 10 threads at the same time:

    #include <winsock2.h>
    #include <ws2tcpip.h>
    #include <iphlpapi.h>
    #include <icmpapi.h>
    #pragma comment(lib, "iphlpapi.lib")
    #pragma comment(lib, "ws2_32.lib")

    /* The caller must have called WSAStartup() before gethostbyname() is used.
       Returns 1 on an echo reply, -1 on any failure; 'to' is the timeout in ms. */
    int ping(char *pstrHost, int to)
    {
      HANDLE hIcmpFile;
      unsigned long ipaddr;
      DWORD dwRetVal;
      char SendData[] = "PING TEST";
      /* IcmpSendEcho needs at least sizeof(ICMP_ECHO_REPLY) + RequestSize + 8
         bytes of reply space; a fixed 40 bytes is too small for that. */
      BYTE ReplyBuffer[sizeof(ICMP_ECHO_REPLY) + sizeof(SendData) + 8];
      LPHOSTENT lpHost;

      lpHost = gethostbyname(pstrHost);
      if (lpHost == NULL || lpHost->h_addrtype != AF_INET)
        return -1;                      /* unresolved host: never dereference NULL */
      ipaddr = *((u_long FAR *) (lpHost->h_addr));

      if ((hIcmpFile = IcmpCreateFile()) == INVALID_HANDLE_VALUE)
        return -1;

      dwRetVal = IcmpSendEcho(hIcmpFile,
          ipaddr, SendData, sizeof(SendData), NULL,
          ReplyBuffer, sizeof(ReplyBuffer), to);

      IcmpCloseHandle(hIcmpFile);

      /* dwRetVal is the number of ICMP_ECHO_REPLY structures received;
         0 means failure and GetLastError() gives the reason. */
      return (dwRetVal > 0) ? 1 : -1;
    }

    When I debug this application I sometimes get a BSOD. Here is a crash dump:

    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available
    
    Symbol search path is: SRV*C:/symbols*http://msdl.microsoft.com/download/symbols;C:\Symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
    Machine Name:
    Kernel base = 0xfffff800`03e1e000 PsLoadedModuleList = 0xfffff800`04061670
    Debug session time: Wed Jul  3 11:56:32.695 2013 (UTC + 2:00)
    System Uptime: 0 days 0:35:59.918
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..................................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 000007ff`fffdf018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    .......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck CB, {fffff8800168b385, 0, fffffa8003854690, 5}
    
    Probably caused by : tcpip.sys ( tcpip!Ipv4SetEchoRequestCreate+345 )
    
    Followup: MachineOwner
    ---------
    
    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (cb)
    Caused by a driver not cleaning up completely after an I/O.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: fffff8800168b385, The calling address in the driver that locked the pages or if the
    	IO manager locked the pages this points to the dispatch routine of
    	the top driver on the stack to which the IRP was sent.
    Arg2: 0000000000000000, The caller of the calling address in the driver that locked the
    	pages. If the IO manager locked the pages this points to the device
    	object of the top driver on the stack to which the IRP was sent.
    Arg3: fffffa8003854690, A pointer to the MDL containing the locked pages.
    Arg4: 0000000000000005, The number of locked pages.
    
    Debugging Details:
    ------------------
    
    
    FAULTING_IP: 
    tcpip!Ipv4SetEchoRequestCreate+345
    fffff880`0168b385 c644243401      mov     byte ptr [rsp+34h],1
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0xCB
    
    PROCESS_NAME:  EmpProcMon.exe
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from fffff800041ce96f to fffff80003e93c00
    
    STACK_TEXT:  
    fffff880`06a25a38 fffff800`041ce96f : 00000000`000000cb fffff880`0168b385 00000000`00000000 fffffa80`03854690 : nt!KeBugCheckEx
    fffff880`06a25a40 fffff800`0414d677 : fffffa80`07146750 fffffa80`03545b20 fffffa80`00000000 fffffa80`00000000 : nt! ?? ::NNGAKEGL::`string'+0x17dbc
    fffff880`06a25a80 fffff800`03e9ce44 : 00000000`00000000 fffffa80`06a45b30 fffffa80`07146720 fffffa80`039959b0 : nt!PspProcessDelete+0x177
    fffff880`06a25ae0 fffff800`0418c2d4 : fffffa80`06a45b30 00000000`00000000 fffffa80`06b2f750 00000000`00000000 : nt!ObfDereferenceObject+0xd4
    fffff880`06a25b40 fffff800`0418c884 : 00000000`00000170 fffffa80`06a45b30 fffff8a0`05498470 00000000`00000170 : nt!ObpCloseHandleTableEntry+0xc4
    fffff880`06a25bd0 fffff800`03e92e93 : fffffa80`06b2f750 fffff880`06a25ca0 00000000`00000000 fffffa80`06a658e0 : nt!ObpCloseHandle+0x94
    fffff880`06a25c20 00000000`779b140a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0264fb58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779b140a
    
    
    STACK_COMMAND:  .bugcheck ; kb
    
    FOLLOWUP_IP: 
    tcpip!Ipv4SetEchoRequestCreate+345
    fffff880`0168b385 c644243401      mov     byte ptr [rsp+34h],1
    
    SYMBOL_NAME:  tcpip!Ipv4SetEchoRequestCreate+345
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: tcpip
    
    IMAGE_NAME:  tcpip.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  50e4f6f4
    
    FAILURE_BUCKET_ID:  X64_0xCB_tcpip!Ipv4SetEchoRequestCreate+345
    
    BUCKET_ID:  X64_0xCB_tcpip!Ipv4SetEchoRequestCreate+345
    
    Followup: MachineOwner
    ---------
    

    It looks like there is a problem inside tcpip.sys.
    I noticed the crash only after hitting a breakpoint inside the Visual Studio debugger.

    I created this function because I need a "ping" without admin rights.

    Bye
    Uwe


    • Edited by Uwe_K Wednesday, July 03, 2013 11:31 AM
    Wednesday, July 03, 2013 11:29 AM

All replies

  • Do you make sure that all your threads wait for pings to complete and exit cleanly before exiting the main process/app?

    -- pa

    Thursday, July 04, 2013 12:56 AM
  • Hello pa,

    No, I don't wait, because normally the runtime lib closes all open handles after the main thread terminates.

    And at no time should a user program be able to produce a BSOD.

    Bye
    Uwe

    Thursday, July 04, 2013 4:41 AM
  • You're right, user programs should not produce BSODs.

    So this is Win7 SP1 64-bit. A nice catch. Unless this is caused by 3rd-party components (the netcard driver, antivirus or a virus), call MS product support.

    -- pa

    Thursday, July 04, 2013 2:14 PM
  • Hello,

    only for information:

    This is a known BUG, but no fix is available at the moment...

    Bye

    Uwe

    • Proposed as answer by Pavel A Tuesday, July 16, 2013 2:39 PM
    Monday, July 15, 2013 8:45 AM
  • Hello,

    I must reopen this issue!

    The problem is still not resolved!

    I have permanent crashes in TCPIP.SYS:

    ======================================

    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*C:/symbols*http://msdl.microsoft.com/download/symbols;C:\Symbols
    Executable search path is:
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.22616.amd64fre.win7sp1_ldr.140303-2307
    Machine Name:
    Kernel base = 0xfffff800`0425c000 PsLoadedModuleList = 0xfffff800`044a0890
    Debug session time: Fri Mar 27 08:59:18.630 2015 (UTC + 1:00)
    System Uptime: 0 days 0:06:35.714
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...........................................
    Loading User Symbols

    Loading unloaded module list
    .......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck CB, {fffff8800168f315, 0, fffffa800388a290, 1}

    Probably caused by : tcpip.sys ( tcpip!Ipv4SetEchoRequestCreate+345 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (cb)
    Caused by a driver not cleaning up completely after an I/O.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: fffff8800168f315, The calling address in the driver that locked the pages or if the
     IO manager locked the pages this points to the dispatch routine of
     the top driver on the stack to which the IRP was sent.
    Arg2: 0000000000000000, The caller of the calling address in the driver that locked the
     pages. If the IO manager locked the pages this points to the device
     object of the top driver on the stack to which the IRP was sent.
    Arg3: fffffa800388a290, A pointer to the MDL containing the locked pages.
    Arg4: 0000000000000001, The number of locked pages.

    Debugging Details:
    ------------------


    FAULTING_IP:
    tcpip!Ipv4SetEchoRequestCreate+345
    fffff880`0168f315 c644243401      mov     byte ptr [rsp+34h],1

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xCB

    PROCESS_NAME:  System

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from fffff8000460db46 to fffff800042d0540

    STACK_TEXT: 
    fffff880`02fafb78 fffff800`0460db46 : 00000000`000000cb fffff880`0168f315 00000000`00000000 fffffa80`0388a290 : nt!KeBugCheckEx
    fffff880`02fafb80 fffff800`0458ab92 : 00000000`00000001 fffffa80`035c8b50 fffffa80`00000000 fffffa80`00000000 : nt! ?? ::NNGAKEGL::`string'+0x175bc
    fffff880`02fafbc0 fffff800`045a7112 : fffffa80`03881030 fffffa80`03545b20 00000000`00000000 00000000`00000000 : nt!PspProcessDelete+0x1a2
    fffff880`02fafc20 fffff800`045843cf : fffffa80`03881030 00000000`00000000 fffffa80`035c8b50 fffffa80`035c8b50 : nt!ObpRemoveObjectRoutine+0x7e
    fffff880`02fafc80 fffff800`042d95b9 : fffff800`04584398 fffff800`04478280 fffffa80`035c8b00 fffffa80`00000003 : nt!ObpProcessRemoveObjectQueue+0x37
    fffff880`02fafcb0 fffff800`0456ed6a : 00000000`00000000 fffffa80`035c8b50 00000000`00000080 fffffa80`0354a890 : nt!ExpWorkerThread+0x111
    fffff880`02fafd40 fffff800`042c1266 : fffff880`009ec180 fffffa80`035c8b50 fffff880`009f6f40 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
    fffff880`02fafd80 00000000`00000000 : fffff880`02fb0000 fffff880`02faa000 fffff880`02faf9e0 00000000`00000000 : nt!KxStartSystemThread+0x16


    STACK_COMMAND:  .bugcheck ; kb

    FOLLOWUP_IP:
    tcpip!Ipv4SetEchoRequestCreate+345
    fffff880`0168f315 c644243401      mov     byte ptr [rsp+34h],1

    SYMBOL_NAME:  tcpip!Ipv4SetEchoRequestCreate+345

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: tcpip

    IMAGE_NAME:  tcpip.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  533f5937

    FAILURE_BUCKET_ID:  X64_0xCB_tcpip!Ipv4SetEchoRequestCreate+345

    BUCKET_ID:  X64_0xCB_tcpip!Ipv4SetEchoRequestCreate+345

    Followup: MachineOwner
    ---------

    ==============================================

    Uwe

    Friday, March 27, 2015 8:16 AM
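Added here as an example, not code from the thread: a small Python routine that parses the `!analyze -v` fields from reports like the two above and decodes the 0xCB (DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS) arguments, so repeated dumps can be bucketed by FAILURE_BUCKET_ID and the process-teardown pattern on the stack spotted automatically. The sample report is a constructed excerpt whose values are taken from the March 2015 dump.

```python
import re
# Constructed excerpt of a WinDbg "!analyze -v" report in the shape of the two
# dumps quoted in this thread; the values are copied from the March 2015 dump.
SAMPLE_REPORT = """\
BugCheck CB, {fffff8800168f315, 0, fffffa800388a290, 1}
Probably caused by : tcpip.sys ( tcpip!Ipv4SetEchoRequestCreate+345 )
Arg3: fffffa800388a290, A pointer to the MDL containing the locked pages.
Arg4: 0000000000000001, The number of locked pages.
PROCESS_NAME:  System
STACK_TEXT:
fffff880`02fafb78 fffff800`0460db46 : 00000000`000000cb fffff880`0168f315 : nt!KeBugCheckEx
fffff880`02fafb80 fffff800`0458ab92 : 00000000`00000001 fffffa80`035c8b50 : nt! ?? ::NNGAKEGL::`string'+0x175bc
fffff880`02fafbc0 fffff800`045a7112 : fffffa80`03881030 fffffa80`03545b20 : nt!PspProcessDelete+0x1a2
STACK_COMMAND:  .bugcheck ; kb
IMAGE_NAME:  tcpip.sys
FAILURE_BUCKET_ID:  X64_0xCB_tcpip!Ipv4SetEchoRequestCreate+345
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE_RE = re.compile(r"^Probably caused by : (\S+) \( (\S+) \)", re.M)
FIELD_RE = re.compile(r"^(PROCESS_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s*(\S+)", re.M)
# A STACK_TEXT frame: child SP, return address, the args, then the symbol.
FRAME_RE = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .* : (\S.*?)\s*$", re.M)

def parse_analyze(report):
    """Extract the fields a crash-triage pipeline keys on from one report."""
    m = BUGCHECK_RE.search(report)
    if m is None:
        raise ValueError("no BugCheck line in report")
    cause = CAUSE_RE.search(report)
    info = {"code": int(m.group(1), 16),
            "args": [int(a, 16) for a in m.group(2).split(",")],
            "faulting_symbol": cause.group(2) if cause else None,
            "stack": FRAME_RE.findall(report)}
    info.update((k.lower(), v) for k, v in FIELD_RE.findall(report))
    return info

def triage_locked_pages(info):
    """Decode bug check 0xCB: Arg1 is the locking code address, Arg3 the MDL,
    Arg4 the page count. A frame in nt!PspProcessDelete means the pages were
    still locked when the owning process was torn down, as in both dumps above."""
    if info["code"] != 0xCB:
        return None
    a1, _a2, a3, a4 = info["args"]
    teardown = any(f.startswith("nt!PspProcessDelete") for f in info["stack"])
    return {"locker": info["faulting_symbol"], "locker_address": f"{a1:016x}",
            "mdl": f"{a3:016x}", "locked_pages": a4,
            "process": info.get("process_name"), "process_teardown": teardown,
            "bucket": info.get("failure_bucket_id")}
```

Feeding the July 2013 dump through the same functions yields the same bucket with locked_pages 5 and process EmpProcMon.exe, which is what makes the two reports one issue rather than two.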
  • So you have the advice to call MS product support. Try to present this as a security issue (even as a denial of service).

    -- pa

    Friday, March 27, 2015 1:56 PM