Modified packet not reinjected at IPPacket inbound

  • Question


  • My driver modifies the content of inbound packets with NdisGetDataBuffer / NdisMoveMemory at IPPacket.
    On one particular Win7 x86 physical computer, if a single byte of the packet buffer is rewritten, the packet is silently lost with no error anywhere; the reinjection is not effective although apparently done.
    The same driver on a physical Win7 x64 and a VM Win7 x86 works just fine.

    What can be the cause of this behavior?

    Thanks for your help
    Monday, March 25, 2013 8:31 PM

Answers

  • My conclusion is that it's possible to modify the header with the buffer returned by NdisGetDataBuffer() but not the payload. So instead I create a new NBL and copy the header. I close this thread and open a new one, more specific.
    • Marked as answer by OlivierMSDN Wednesday, April 10, 2013 10:02 PM
    Wednesday, April 10, 2013 10:02 PM

All replies

  • Does the completionFn get invoked? What is the status within the NBL in the completionFn? On this one machine, are there any other WFP providers which could affect your injection (anti-virus, firewalls, etc.)?


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, April 8, 2013 6:46 PM
    Moderator
  • Thanks for your reply.

    - The CompletionFn is invoked and the status is NDIS_STATUS_SUCCESS

    - The computer has MS essential security, but so do other working computers. I don't think there is another WFP, but I'm not sure.

    - Can a WFP grant read rights on NBL and revoke write rights?

    - My WFP performs NAT, and the IP and port swapping (rewrite in the TCP header) is OK even on the faulty computer, but not when writing after the header, into the HTTP data, on the faulty computer. That's strange because it's inside the same NBL; just the index changes between TCP header and HTTP data. But it can't write after index 40 (IP header + TCP header).

    Monday, April 8, 2013 8:02 PM
  • I have the same issue with a completely different machine, so I assume it's a bug in my driver and not a conflict with other WFPs.

    After more investigations, it appears the packet is reinjected but truncated, keeping just 13 bytes of the payload (http). If the modification doesn't exceed this limit of 13 as index, the modified packet is correctly and wholly reinjected.

    I need some help to understand the following: http://msdn.microsoft.com/en-us/library/windows/hardware/ff551134(v=vs.85).aspx

    "A callout driver can insert or replace individual net buffers (NET_BUFFER) or MDLs inside the clone net buffer list. Such a driver must also undo the modifications before it calls the FwpsFreeCloneNetBufferList0 function."

    Does this also apply to only modified NET_BUFFER, with no NET_BUFFER add/remove?

    Another question: is it possible that NdisGetDataBuffer returns a contiguous block for reading but not for writing? Could it be an alignment issue?
    I think the driver overwrites something.

    Thanks for your help.

    Tuesday, April 9, 2013 4:06 PM
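
Background for the question above about whether NdisGetDataBuffer can return a block that is usable for reading but not for writing (an added example, not code from the thread or from any poster's driver): NdisGetDataBuffer is documented to return a pointer into the NET_BUFFER only when the requested bytes are contiguous, and otherwise to copy them into the caller's Storage buffer and return that pointer. The user-space model below uses hypothetical names (`seg`, `get_data_buffer`, `write_back`, `edit_reaches_chain`) and a constructed 48 + 32 byte layout to show when an in-place edit reaches the chain and when it only changes the copy.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space stand-in for one MDL of a NET_BUFFER (not NDIS code). */
struct seg { unsigned char *data; size_t len; struct seg *next; };

/* Models the documented NdisGetDataBuffer contract: a pointer into the chain
 * when the first `need` bytes are contiguous, otherwise a copy in `storage`
 * (or NULL when no storage is supplied or the chain is too short). */
static unsigned char *get_data_buffer(struct seg *s, size_t need,
                                      unsigned char *storage)
{
    size_t done = 0;
    if (s && need <= s->len) return s->data;
    if (!storage) return NULL;
    for (; s && done < need; s = s->next) {
        size_t take = s->len < need - done ? s->len : need - done;
        memcpy(storage + done, s->data, take);
        done += take;
    }
    return done == need ? storage : NULL;
}

/* Copies `len` bytes from `src` back into the chain, starting at offset 0. */
static void write_back(struct seg *s, const unsigned char *src, size_t len)
{
    for (; s && len; s = s->next) {
        size_t take = s->len < len ? s->len : len;
        memcpy(s->data, src, take);
        src += take; len -= take;
    }
}

/* Sets byte `index` to 0xFF through the returned pointer; returns 1 if the
 * byte held by the chain itself changed, 0 if only a copy was edited. */
int edit_reaches_chain(size_t need, size_t index, int do_write_back)
{
    unsigned char a[48] = {0}, b[32] = {0}, storage[80];  /* constructed layout */
    struct seg s2 = { b, sizeof b, NULL }, s1 = { a, sizeof a, &s2 };
    unsigned char *p = get_data_buffer(&s1, need, storage);
    if (!p || index >= need) return -1;
    p[index] = 0xFF;
    if (do_write_back && p == storage) write_back(&s1, storage, need);
    return (index < sizeof a ? a[index] : b[index - sizeof a]) == 0xFF;
}
```

In a real callout the equivalent check is comparing the pointer NdisGetDataBuffer returns with the Storage argument before treating a write through it as a change to the packet.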