UDP flows with no port assigned at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 layer

  • Question

  • Anyone know why there are UDP flows from 0.0.0.0:0 at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4? And, perhaps more importantly, why does a BugCheck deep within tcpip.sys occur when trying to redirect these? It's attempting to calculate the redirect record size.

    By the time the same flow is indicated at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer it has been given a proper port (and address). For example, with my two callout classifyFn handlers only debug printing, I receive the following output when running nslookup.exe www.microsoft.com:

    FWPM_LAYER_ALE_CONNECT_REDIRECT_V4: UDP flow: 0.0.0.0:0 ---> 8.8.8.8:53

    FWPM_LAYER_ALE_AUTH_CONNECT_V4: UDP flow: 10.0.2.15 ---> 8.8.8.8:53

    Note: The crash only occurs on OS >= Win8 (as redirection records don't exist on OS <= Win7). But the 0 port behavior is the same on OS >= Win7. I've not tested on anything lower.

    JST


    Friday, October 30, 2015 12:26 PM

All replies

  • Bit of an update. My callout's classify function at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 is called twice. First with a source port of zero, which if redirected will crash deep in the MS network stack. Then it is triggered again with a valid port, which can be redirected without crashing.

    Has anyone else seen this? Surely it's not intended behavior? Logs below for the faulty flow:

    ---Layer: FWPS_LAYER_ALE_BIND_REDIRECT_V4---
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_ALE_APP_ID: <BLOB>
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_ALE_USER_ID: <ACCESS_INFO>
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_IP_LOCAL_ADDRESS: 0.0.0.0
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_IP_LOCAL_ADDRESS_TYPE: 0x1
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_IP_LOCAL_PORT: 0
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_IP_PROTOCOL: 0x11
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_FLAGS: 0
    FWPS_FIELD_ALE_BIND_REDIRECT_V4_ALE_PACKAGE_ID: 0XFFFFF88001C7FF60

    ---Layer: FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4---
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_ALE_APP_ID: <BLOB>
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_ALE_USER_ID: <ACCESS_INFO>
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_IP_LOCAL_ADDRESS: 0000000000000000
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_IP_LOCAL_ADDRESS_TYPE: 0
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_IP_LOCAL_PORT: 0xe502
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_IP_PROTOCOL: 0x11
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_ALE_PROMISCUOUS_MODE: 0000000000000000
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_IP_LOCAL_INTERFACE: 0
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_FLAGS: 0x8
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_INTERFACE_TYPE: 0
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_TUNNEL_TYPE: 0
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_LOCAL_INTERFACE_PROFILE_ID: 0000000000000000
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_SIO_FIREWALL_SOCKET_PROPERTY: 0000000000000000
    FWPS_FIELD_ALE_RESOURCE_ASSIGNMENT_V4_ALE_PACKAGE_ID: 0XFFFFF88001C7FF60

    ---Layer: FWPS_LAYER_ALE_CONNECT_REDIRECT_V4 ***NOTE THE ZERO LOCAL PORT AND ADDRESS***---
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_APP_ID: <BLOB>
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_USER_ID: <ACCESS_INFO>
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_LOCAL_ADDRESS: 0.0.0.0
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_LOCAL_ADDRESS_TYPE: 0x1
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_LOCAL_PORT: 0
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_PROTOCOL: 0x11
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_REMOTE_ADDRESS: 8.8.8.8
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_DESTINATION_ADDRESS_TYPE: 0x1
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_REMOTE_PORT: 0x35
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_FLAGS: 0
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_ORIGINAL_APP_ID: 0000000000000000
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_PACKAGE_ID: 0XFFFFF88001C7FF60

    ---Layer: FWPS_LAYER_ALE_CONNECT_REDIRECT_V4---
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_APP_ID: <BLOB>
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_USER_ID: <ACCESS_INFO>
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_LOCAL_ADDRESS: 10.0.2.15
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_LOCAL_ADDRESS_TYPE: 0x1
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_LOCAL_PORT: 0xe502
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_PROTOCOL: 0x11
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_REMOTE_ADDRESS: 8.8.8.8
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_DESTINATION_ADDRESS_TYPE: 0x1
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_IP_REMOTE_PORT: 0x35
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_FLAGS: 0
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_ORIGINAL_APP_ID: 0X00000000000007FF
    FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_PACKAGE_ID: 0XFFFFF88001C7FF60

    ---Layer: FWPS_LAYER_ALE_AUTH_CONNECT_V4---
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_APP_ID: <BLOB>
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID: <ACCESS_INFO>
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS: 10.0.2.15
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS_TYPE: 0x1
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_PORT: 0xe502
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_PROTOCOL: 0x11
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS: 8.8.8.8
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT: 0x35
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_REMOTE_USER_ID: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_REMOTE_MACHINE_ID: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_DESTINATION_ADDRESS_TYPE: 0x1
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_INTERFACE: 0x6000007000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_FLAGS: 0
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_INTERFACE_TYPE: 0x6
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_TUNNEL_TYPE: 0
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_INTERFACE_INDEX: 0xc
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_SUB_INTERFACE_INDEX: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_ARRIVAL_INTERFACE: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ARRIVAL_INTERFACE_TYPE: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ARRIVAL_TUNNEL_TYPE: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ARRIVAL_INTERFACE_INDEX: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_NEXTHOP_SUB_INTERFACE_INDEX: 0
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_NEXTHOP_INTERFACE: 0x6000007000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_NEXTHOP_INTERFACE_TYPE: 0x6
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_NEXTHOP_TUNNEL_TYPE: 0
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_NEXTHOP_INTERFACE_INDEX: 0xc
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ORIGINAL_PROFILE_ID: 0x2
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_CURRENT_PROFILE_ID: 0x2
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_REAUTHORIZE_REASON: 0
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_PEER_NAME: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ORIGINAL_ICMP_TYPE: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_INTERFACE_QUARANTINE_EPOCH: 0x269e1b
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_ORIGINAL_APP_ID: 0000000000000000
    FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_PACKAGE_ID: 0XFFFFF88001C7FF60

    Monday, November 2, 2015 6:07 PM
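As an added example (not code from the thread's author), a defensive guard for the double invocation described in this reply: a stand-alone C model of the decision a classifyFn at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 would make, leaving a UDP invocation alone while its local endpoint is still 0.0.0.0:0 and redirecting only the re-classify that carries the bound endpoint. The WFP types are replaced by minimal stand-ins so it compiles without the WDK; the rights-mask check mirrors FWPS_RIGHT_ACTION_WRITE, and the guard itself is a workaround derived from the behaviour logged above, not documented WFP semantics.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the WFP types. In a real callout these fields are read from
 * FWPS_INCOMING_VALUES0::incomingValue[FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_*]
 * and the rights mask from FWPS_CLASSIFY_OUT0::rights. */
#define IPV4(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#define RIGHT_ACTION_WRITE 0x1u   /* same value as FWPS_RIGHT_ACTION_WRITE */
#define PROTO_UDP 0x11u

typedef struct {
    uint32_t localAddr;   /* IP_LOCAL_ADDRESS (host byte order, as WFP presents it) */
    uint16_t localPort;   /* IP_LOCAL_PORT */
    uint8_t  protocol;    /* IP_PROTOCOL */
    uint32_t remoteAddr;  /* IP_REMOTE_ADDRESS */
    uint16_t remotePort;  /* IP_REMOTE_PORT */
} ConnectRedirectFields;

typedef enum { CLASSIFY_LEAVE_ALONE, CLASSIFY_REDIRECT } ClassifyDecision;

/* Decide whether this classify invocation may be redirected. The first UDP
 * invocation in the log carries 0.0.0.0:0; only the second, with the bound
 * endpoint 10.0.2.15:0xe502, is handed to the redirect path
 * (FwpsAcquireClassifyHandle0 / FwpsAcquireWritableLayerDataPointer0). */
ClassifyDecision DecideConnectRedirect(const ConnectRedirectFields *f, uint32_t rights)
{
    if (!(rights & RIGHT_ACTION_WRITE))
        return CLASSIFY_LEAVE_ALONE;   /* a higher-weight callout already decided */
    if (f->protocol == PROTO_UDP && (f->localPort == 0 || f->localAddr == 0))
        return CLASSIFY_LEAVE_ALONE;   /* unbound UDP endpoint: wait for the re-classify */
    return CLASSIFY_REDIRECT;
}

/* Runs the decision over every invocation seen for one flow and returns how
 * many of them would have been redirected. */
int CountRedirects(const ConnectRedirectFields *calls, int n, uint32_t rights)
{
    int redirected = 0;
    for (int i = 0; i < n; i++)
        if (DecideConnectRedirect(&calls[i], rights) == CLASSIFY_REDIRECT)
            redirected++;
    return redirected;
}

int main(void)
{
    /* Constructed from the two CONNECT_REDIRECT blocks in the log above. */
    ConnectRedirectFields calls[2] = {
        { IPV4(0, 0, 0, 0),   0,      PROTO_UDP, IPV4(8, 8, 8, 8), 0x35 },
        { IPV4(10, 0, 2, 15), 0xe502, PROTO_UDP, IPV4(8, 8, 8, 8), 0x35 },
    };
    printf("redirected %d of 2 invocations\n", CountRedirects(calls, 2, RIGHT_ACTION_WRITE));
    return 0;
}
```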
  • I am also seeing this issue on Windows 10 1803. Any way to resolve this?
    Wednesday, May 15, 2019 6:11 AM