Incorrect NBL offset reported at FWPS_LAYER_INBOUND_IPPACKET_V4 win8.1 build 9456 RRS feed

  • Question

  • Hi, when enabling the hostednetwork feature (http://msdn.microsoft.com/en-us/library/windows/desktop/dd815252(v=vs.85).aspx) my INBOUND_IPPACKET_V4 callout receives NBLs pointing at the IP header as opposed to the transport header. This clearly is deviation from the documented behavor (http://msdn.microsoft.com/en-us/library/windows/hardware/ff546324(v=vs.85).aspx) and is also deviation from what we have observed with win7 and win8.

    Is this a defect or there is some magical flag somewhere I must check prior to deciding how to retreat (or not) the buffer?

    0d ffffd000`207efdf0 fffff800`00b9a3d5 mfewfpk!CWfpCallout::WfpInboundIpPacketV4Classify2+0x7c
    0e ffffd000`207efe50 fffff800`00b9ac8d NETIO!ProcessCallout+0x235
    0f ffffd000`207eff70 fffff800`00b98056 NETIO!ArbitrateAndEnforce+0x2ad
    10 ffffd000`207f00b0 fffff800`00c6c209 NETIO!KfdClassify+0x6f6
    11 ffffd000`207f04b0 fffff800`00c6b41a tcpip!IppReceiveHeadersHelper+0x5d9
    12 ffffd000`207f0c20 fffff800`00c69240 tcpip!IppReceiveHeaderBatch+0x8a
    13 ffffd000`207f0d30 fffff800`00c68956 tcpip!IppFlcReceivePacketsCore+0x6d0
    14 ffffd000`207f1020 fffff800`00c67f53 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x316
    15 ffffd000`207f1100 fffff800`c2673dd6 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xd3
    16 ffffd000`207f1230 fffff800`00caba36 nt!KeExpandKernelStackAndCalloutInternal+0xe6
    17 ffffd000`207f1320 fffff800`00a897ae tcpip!FlReceiveNetBufferListChain+0xb6
    18 ffffd000`207f13a0 fffff800`00a8958d ndis!ndisMIndicateNetBufferListsToOpen+0x11e
    19 ffffd000`207f1460 fffff800`00a88e8c ndis!ndisMTopReceiveNetBufferLists+0x23d
    1a ffffd000`207f14f0 fffff800`01921c71 ndis!NdisMIndicateReceiveNetBufferLists+0xbec
    1b ffffd000`207f16e0 fffff800`01921674 k57nd60a!shoot_nbls_up+0xd5
    1c ffffd000`207f1730 fffff800`018e9423 k57nd60a!nd6x_ServiceRxRetProdRing+0x898
    1d ffffd000`207f1820 fffff800`018e11a7 k57nd60a!UM_ServiceRssIntr+0xb3
    1e ffffd000`207f1860 fffff800`018e1749 k57nd60a!UM_Dpc+0x243
    1f ffffd000`207f18b0 fffff800`00a91ad3 k57nd60a!UM_DpcMsi+0x171
    20 ffffd000`207f18f0 fffff800`c2657775 ndis!ndisInterruptDpc+0x1a3
    21 ffffd000`207f19d0 fffff800`c2656a01 nt!KiExecuteAllDpcs+0x1b5
    22 ffffd000`207f1b20 fffff800`c275f0ea nt!KiRetireDpcList+0xe1
    23 ffffd000`207f1da0 00000000`00000000 nt!KiIdleLoop+0x5a

    1: kd> dv
             pNb = 0xffffe000`019e2190
             HdrLen = 0n20
     kd> !ndiskd.nb 0xffffe000`019e2190
        NB                 ffffe000019e2190    Next NB            0
        Length             0n60                Source pool        ffffe000016e3540
        First MDL          ffffe000019f5920    DataOffset         0n14
        Current MDL        [First MDL]         Current MDL offset 0n14

    1: kd> db ffffe000019ec800 L4a
    ffffe000`019ec800  00 1f 16 b3 35 e5 00 14-1b 6a 23 80 08 00 45 00  ....5....j#...E.
    ffffe000`019ec810  00 3c 00 00 40 00 2e 06-18 10 b8 33 32 a1 c0 a8  .<..@......32...
    ffffe000`019ec820  89 2f 01 bb c3 01 c1 44-27 30 f8 4a ba 93 a0 12  ./.....D'0.J....
    ffffe000`019ec830  38 90 04 7e 00 00 02 04-05 b4 04 02 08 0a 7e 8f  8..~..........~.
    ffffe000`019ec840  2c 7e 3d c7 8d 56 01 03-03 01     

    BTW if I retreat the buffer with more than the offset, then apparently NDIS happily allocates a new MDL which is pre-pended at the front of the NET_BUFFER and later on there is a BSOD when NETIO tries to free the MDL after the ref count on the NBL drops to 0.

    Friday, July 26, 2013 4:51 PM