Crash while using FwpsInjectNetworkSendAsync0

  • Question

    Hi!

     

    I do have a WFP filter (PktIcpt) at packet layer, which is involved in a crash in a very rare case (not reproducible). I am queueing packets to a work item and re-inject them with FwpsInjectNetworkSendAsync0/FwpsInjectNetworkReceiveAsync0. The problem seems to be limited to Vista SP1 and never occurred within FwpsInjectNetworkReceiveAsync0 but only FwpsInjectNetworkSendAsync0. Crash analysis follows.

     

    Any hints will be appreciated. Thank you!

    Frank Friemel

    Windows Kernel Version 6001 (Service Pack 1) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
    Kernel base = 0x81a02000 PsLoadedModuleList = 0x81b19c70
    Debug session time: Wed Jul  2 08:23:44.597 2008 (GMT+2)
    System Uptime: 0 days 0:01:52.221
    Loading Kernel Symbols
    ...........................................................................................................................................
    Loading User Symbols

    Loading unloaded module list
    ....
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck D1, {0, 2, 0, 858a7d3c}

     

     

    Probably caused by : fwpkclnt.sys ( fwpkclnt!FwpsInjectNetworkSendAsync0+134 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 00000000, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, value 0 = read operation, 1 = write operation
    Arg4: 858a7d3c, address which referenced memory

    Debugging Details:
    ------------------

     

     


    READ_ADDRESS:  00000000

    CURRENT_IRQL:  2

    FAULTING_IP:
    tcpip!IppFragmentPackets+171
    858a7d3c 8b148a          mov     edx,dword ptr [edx+ecx*4]

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xD1

    PROCESS_NAME:  System

    TRAP_FRAME:  8653b8dc -- (.trap 0xffffffff8653b8dc)
    ErrCode = 00000000
    eax=00000001 ebx=00000000 ecx=00000000 edx=00000000 esi=00000048 edi=8653bad0
    eip=858a7d3c esp=8653b950 ebp=8653b97c iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
    tcpip!IppFragmentPackets+0x171:
    858a7d3c 8b148a          mov     edx,dword ptr [edx+ecx*4] ds:0023:00000000=????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from 858a7d3c to 81a5cd84

    STACK_TEXT: 
    8653b8dc 858a7d3c badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
    8653b97c 858a79db 85910188 00000000 00000000 tcpip!IppFragmentPackets+0x171
    8653b9b4 858a97cb 85910188 84051608 616c7049 tcpip!IppDispatchSendPacketHelper+0x252
    8653ba54 858a8c3f 0053bad0 85910188 837769c0 tcpip!IppPacketizeDatagrams+0x8fd
    8653bbb4 858e0023 00000000 00000000 85910188 tcpip!IppSendDatagramsCommon+0x5f9
    8653bc94 85933046 00000029 00000001 8392fb10 tcpip!IppInspectInjectRawSend+0xc3
    8653bcd0 90de25b0 84091090 00000000 00000000 fwpkclnt!FwpsInjectNetworkSendAsync0+0x134
    8653bcfc 90de2ce8 0000a801 841b0708 0000a801 PktIcpt!CNetBufferQueueItem::Commit+0x4e [f:\projekte\avkfirewall\vistapkt\sys\pktinterceptor.cpp @ 3141]
    8653bd10 8562eba2 841b0708 844a03b8 84314e68 PktIcpt!PktIcptQueueItemWorkerRoutine+0x2a [f:\projekte\avkfirewall\vistapkt\sys\pktinterceptor.cpp @ 2763]
    8653bd44 81a3a41d 00000000 00000000 82df4d78 fltmgr!FltpProcessGenericWorkItem+0x38
    8653bd7c 81bd7a1c 841b0708 5bbb407e 00000000 nt!ExpWorkerThread+0xfd
    8653bdc0 81a30a3e 81a3a320 00000001 00000000 nt!PspSystemThreadStartup+0x9d
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    fwpkclnt!FwpsInjectNetworkSendAsync0+134
    85933046 e815080000      call    fwpkclnt!FwppInjectEpilogue (85933860)

    SYMBOL_STACK_INDEX:  6

    SYMBOL_NAME:  fwpkclnt!FwpsInjectNetworkSendAsync0+134

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: fwpkclnt

    IMAGE_NAME:  fwpkclnt.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  479190e0

    FAILURE_BUCKET_ID:  0xD1_fwpkclnt!FwpsInjectNetworkSendAsync0+134

    BUCKET_ID:  0xD1_fwpkclnt!FwpsInjectNetworkSendAsync0+134

     

    Wednesday, July 2, 2008 9:25 AM
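
An added triage example, not part of the original post: it reads lines excerpted from the `!analyze -v` output above, recomputes the faulting operand's effective address from the trap-frame registers to compare with bugcheck Arg1, and reports the first stack frame outside the OS modules. The function names and the `OS_MODULES` set are assumptions made for this example.

```python
import re

# Lines excerpted from the !analyze -v output in the post (embedded to run offline).
DUMP = """\
BugCheck D1, {0, 2, 0, 858a7d3c}
eax=00000001 ebx=00000000 ecx=00000000 edx=00000000 esi=00000048 edi=8653bad0
858a7d3c 8b148a          mov     edx,dword ptr [edx+ecx*4]
STACK_TEXT:
8653b8dc 858a7d3c badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
8653b97c 858a79db 85910188 00000000 00000000 tcpip!IppFragmentPackets+0x171
8653bc94 85933046 00000029 00000001 8392fb10 tcpip!IppInspectInjectRawSend+0xc3
8653bcd0 90de25b0 84091090 00000000 00000000 fwpkclnt!FwpsInjectNetworkSendAsync0+0x134
8653bcfc 90de2ce8 0000a801 841b0708 0000a801 PktIcpt!CNetBufferQueueItem::Commit+0x4e
8653bd44 81a3a41d 00000000 00000000 82df4d78 fltmgr!FltpProcessGenericWorkItem+0x38
"""

# Assumption: modules in this trace treated as OS components for triage.
OS_MODULES = {"nt", "tcpip", "fwpkclnt", "fltmgr"}

def bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck D1, {...}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def registers(text):
    """Collect reg=value pairs from the trap frame register dump."""
    return {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}

def effective_address(text, regs):
    """Evaluate the [base+index*scale] operand of the faulting instruction."""
    m = re.search(r"\[(e\w\w)\+(e\w\w)\*(\d)\]", text)
    base, index, scale = m.group(1), m.group(2), int(m.group(3))
    return (regs[base] + regs[index] * scale) & 0xFFFFFFFF

def first_non_os_frame(text):
    """Walk STACK_TEXT top-down; return the first frame outside OS_MODULES."""
    stack = text.split("STACK_TEXT:", 1)[1]
    for module, symbol in re.findall(r"\s(\w+)!([\w:]+)\+0x[0-9a-f]+", stack):
        if module not in OS_MODULES:
            return f"{module}!{symbol}"
    return None

def triage(text):
    """Summarise the bugcheck: code, IRQL, access type, NULL read, calling driver."""
    code, args = bugcheck(text)
    ea = effective_address(text, registers(text))
    return {"code": code, "irql": args[1], "write": bool(args[2]),
            "null_deref": ea == args[0] == 0, "caller": first_non_os_frame(text)}
```
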

Answers