locked
BSOD with FWPS_FIELD_ALE_ENDPOINT_CLOSURE_V6_IP_REMOTE_ADDRESS RRS feed

  • Question

  • Recently added filtering at FWPS_LAYER_ALE_ENDPOINT_CLOSURE.  When the V6 layer is executed in the classifyFn, I get a BSOD at the following line.

    RtlCopyMemory(&packet->rIP6[0], &inFixedValues->incomingValue[FWPS_FIELD_ALE_ENDPOINT_CLOSURE_V6_IP_REMOTE_ADDRESS].value.byteArray16->byteArray16[0], 16);

    The same code but on different paths (FWPS_LAYER_ALE_AUTH_CONNECT_V6 and FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6) works fine.  Documentation says that  FWPS_FIELD_ALE_ENDPOINT_CLOSURE_V6_IP_REMOTE_ADDRESS is available at FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V6.  The local variable 'packet' is initialized properly from NonPagedPool memory

    The specific error is

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff880033bbb9d, Address of the instruction which caused the bugcheck
    Arg3: fffff88005421340, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Just doing some searching, I found someone with a similar problem (http://www.kernelmode.info/forum/viewtopic.php?f=10&t=1439) but there was no resolution.  The IRQL is at DISPATCH_LEVEL and the conditions for RtlCopyMemory state that it can work at any level above APC as long as both pieces of memory are NonPaged.  

    So a couple of questions:
    -Is it not safe to assume that all of the fields that should be there will be there even if the valueCount is set (in this case to 10)?
    -Is there some additional check on this code path that is needed before trying to access the remote address?
    -Do I need to just queue this to a work item to get to a lower IRQL because the function params are PagedPool?

    Thanks.

    Wednesday, January 15, 2014 5:24 AM

Answers

  • Are you checking the type? if the type is FWP_EMPTY, then you are dereferencing a bad pointer. just because the field is available, doesn't mean it is populated. There are multiple cases where this could be the case (i.e. the endpoint is only bound and never connected to a peer)

    So answers to your question:

    1)Yes you can assume that the fields are there.  No you cannot assume that the value is populated (check the type)

    2)check the type
    if(incomingValues->incomingValue[FWPS_FIELD_ALE_ENDPOINT_CLOSURE_V6_IP_REMOTE_ADDRESS]value.type == FWP_BYTE_ARRAY16_TYPE)

    3)No.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Wednesday, January 15, 2014 5:40 PM
    Moderator