FwpsCompleteOperation0 and FwpsInjectTransportSendAsync

  • Question

  • What is the right order to call FwpsCompleteOperation0 and FwpsInjectTransportSendAsync0 for outbound authorization?

    I've caught several BSODs in stress tests. The test is very simple: sending UDP datagrams to a random address in a loop, without any delay, from the same socket.

    My driver uses this order in a work item:
    FwpsCompleteOperation0
    FwpsInjectTransportSendAsync0

    I moved the call to FwpsCompleteOperation0 into the injectComplete routine, and it looks like the bug is gone.

    Now:

    ClassifyFn:
       FwpsReferenceNetBufferList( nbl )
       FwpsPendOperation

    WorkItem:
        FwpsAllocateCloneNetBufferList( nbl, cloneNbl )
        FwpsInjectTransportSendAsync0( cloneNbl )

    InjectCompletion:
        FwpsCompleteOperation0
        FwpsDereferenceNetBufferList
        FwpsFreeCloneNetBufferList

    Is this the right order? It has one defect: the first datagram seems to be lost. And I don't understand why I have an injected datagram at all: it is rejected because the connection is not authorized. But if I try to call FwpsCompleteOperation0 before the datagram is injected, I can get a BSOD.

    OS: win 8220


    Saturday, March 24, 2012 3:56 PM

Answers

  • I've solved this issue:

    I moved the NBL cloning from the work item into classifyFn and removed the NBL referencing altogether.

    ClassifyFn:
       //FwpsReferenceNetBufferList( nbl )
       FwpsAllocateCloneNetBufferList( nbl, cloneNbl )  // clone instead of reference
       FwpsPendOperation

    WorkItem:
        FwpsCompleteOperation0
        FwpsInjectTransportSendAsync0( cloneNbl )

    InjectCompletion:
        FwpsFreeCloneNetBufferList

    • Marked as answer by pykd team Tuesday, March 27, 2012 10:11 AM
    Tuesday, March 27, 2012 10:11 AM

All replies

  • BSOD stack:

    nt!RtlpBreakWithStatusInstruction
    nt!KiBugCheckDebugBreak
    nt!KeBugCheck2
    nt!KiBugCheck2
    nt!KiTrap0E
    tcpip! ?? ::FNODOBFM::`string'
    tcpip!WfpProcessOutTransportStackIndication
    tcpip!IppSendDatagramsCommon
    tcpip!IpNlpSendDatagrams
    tcpip!UdpSendMessagesOnPathCreation
    tcpip!UdpSendMessages
    tcpip!UdpTlProviderSendMessagesCalloutRoutine
    nt!KeExpandKernelStackAndCalloutInternal
    nt!KeExpandKernelStackAndCalloutEx
    tcpip!UdpTlProviderSendMessages
    afd!AfdTLFastDgramSend
    afd!AfdFastDatagramSend
    afd!AfdFastIoDeviceControl
    nt!IopXxxControlFile
    nt!NtDeviceIoControlFile
    nt!KiFastCallEntry
    ntdll!KiFastSystemCallRet
    ntdll!NtDeviceIoControlFile
    mswsock!WSPSendTo

    FAULTING_IP:
    tcpip! ?? ::FNODOBFM::`string'+3f07d
    823409f3 8b400c          mov     eax,dword ptr [eax+0Ch]

    TRAP_FRAME:  a5a8f09c
    eax=a8900e28

    !verifier 80 a8900e28
    Pool block a8900e28, Size 000001d8, Thread 8fb54d40
    817078bd nt!VfFreePoolNotification+0x44
    8143fa0a nt!ExFreePoolWithTag+0x1716
    816fa6c8 nt!VerifierExFreePoolWithTag+0x3b
    816fa6fa nt!VerifierExFreePool+0x1f
    816fa64c nt!VerifierExFreePoolEx+0xd
    850eceea NETIO!PplGenericFreeFunction+0x31
    850e40f4 NETIO!WfpNblInfoDestroyIfUnused+0xaa
    8516cb37 fwpkclnt!FwppSetPacketInfo+0x52
    8516dbcd fwpkclnt!FwppDereferenceNetBufferListCommon+0x42
    8516dca8 fwpkclnt!FwpsDereferenceNetBufferList0+0x2d
    a1001c11 mydriver!AleCleanupContext+0x61
    a1001c45 mydriver!AleInjectComplete+0x15
    8516f58f fwpkclnt!FwppInjectComplete+0x8a

    It seems like the original NBL is being reused before I release my reference with FwpsDereferenceNetBufferList0. If I move FwpsCompleteOperation0 into AleInjectComplete, the bug is gone. I think FwpsCompleteOperation0 releases the original NBL. If that is true, it is a WFP bug.

    Tuesday, March 27, 2012 8:41 AM
  • Yes, a very useful idea.
    Tuesday, March 5, 2013 10:27 AM