crash in IppIsBasicIPHeaderContiguous()

  • Question

  • tcpip!IppIsBasicIPHeaderContiguous:
    8d0e1463 8bff            mov     edi,edi
    8d0e1465 55              push    ebp
    8d0e1466 8bec            mov     ebp,esp
    8d0e1468 8b4508          mov     eax,dword ptr [ebp+8]
    8d0e146b 53              push    ebx
    8d0e146c 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
    8d0e146f 0fb74b1e        movzx   ecx,word ptr [ebx+1Eh]
    8d0e1473 56              push    esi
    8d0e1474 8b7004          mov     esi,dword ptr [eax+4]
    8d0e1477 8b4604          mov     eax,dword ptr [esi+4]
    8d0e147a 57              push    edi
    8d0e147b 8b7814          mov     edi,dword ptr [eax+14h]  //BSOD

    After doing the stack trace:

    ChildEBP RetAddr  
    904b1c60 8d0e14ec tcpip!IppIsBasicIPHeaderContiguous+0x18
    904b1c78 8d16e185 tcpip!IppInspectInjectReceive+0x21
    904b1cb0 8d3c1cdd fwpkclnt!FwpsInjectTransportReceiveAsync0+0x1bc

       status = FwpsInjectTransportReceiveAsync0(
                   GetgVar()->hWfpTransportInjectionHandleV4,
                   NULL,
                   NULL,
                   0,
                   packet->addressFamily,
                   packet->compartmentId,
                   packet->interfaceIndex,
                   packet->subInterfaceIndex,
                   clonedNetBufferList, // this is also the first parameter passed to IppIsBasicIPHeaderContiguous
                   InspectInjectComplete,
                   packet
                   );

    According to the offset, it looks like IppIsBasicIPHeaderContiguous just assumes the "CurrentMdl" member of the first _NET_BUFFER in clonedNetBufferList is "NOT" NULL.

    So, in what situation does FwpsAllocateCloneNetBufferList0 return success but "CurrentMdl" IS NULL? Insufficient memory, or is CurrentMdl also NULL in the original NetBufferList?


    PS: FwpsInjectTransportReceiveAsync0 is invoked in "InspectCloneReinjectInbound()" from the WDK Inspect sample.



    Wednesday, December 18, 2013 12:07 PM

All replies

  • Here is the CloneNetBufferList info:

    1: kd>  dt ndis!_NET_BUFFER_LIST fffffa80`037cd8f0
       +0x000 Next             : (null) 
       +0x008 FirstNetBuffer   : 0xfffffa80`037cda20 _NET_BUFFER
       +0x000 Link             : _SLIST_HEADER
       +0x010 Context          : (null) 
       +0x018 ParentNetBufferList : 0xfffffa80`09e9f600 _NET_BUFFER_LIST
       +0x020 NdisPoolHandle   : 0xfffffa80`061d4a00 Void
       +0x030 NdisReserved     : [2] (null) 
       +0x040 ProtocolReserved : [4] 0x00000000`00000001 Void
       +0x060 MiniportReserved : [2] (null) 
       +0x070 Scratch          : (null) 
       +0x078 SourceHandle     : 0xfffffa80`06680630 Void
       +0x080 NblFlags         : 0
       +0x084 ChildRefCount    : 0n0
       +0x088 Flags            : 0x100
       +0x08c Status           : 0n0
       +0x090 NetBufferListInfo : [19] (null) 


    1: kd> dt 0xfffffa80`037cda20 _NET_BUFFER
    ndis!_NET_BUFFER
       +0x000 Next             : (null) 
       +0x008 CurrentMdl       : (null) 
       +0x010 CurrentMdlOffset : 0
       +0x018 DataLength       : 0
       +0x018 stDataLength     : 0
       +0x020 MdlChain         : (null) 
       +0x028 DataOffset       : 0
       +0x000 Link             : _SLIST_HEADER
       +0x030 ChecksumBias     : 0
       +0x032 Reserved         : 0
       +0x038 NdisPoolHandle   : 0xfffffa80`061d4a00 Void
       +0x040 NdisReserved     : [2] (null) 
       +0x050 ProtocolReserved : [6] (null) 
       +0x080 MiniportReserved : [4] (null) 
       +0x0a0 DataPhysicalAddress : _LARGE_INTEGER 0x0
       +0x0a8 SharedMemoryInfo : (null) 
       +0x0a8 ScatterGatherList : (null) 

    Here is the parent NetBufferList:

    1: kd> dt 0xfffffa80`09e9f600 _NET_BUFFER_LIST
    ndis!_NET_BUFFER_LIST
       +0x000 Next             : (null) 
       +0x008 FirstNetBuffer   : 0xfffffa80`09e9f730 _NET_BUFFER
       +0x000 Link             : _SLIST_HEADER
       +0x010 Context          : (null) 
       +0x018 ParentNetBufferList : (null) 
       +0x020 NdisPoolHandle   : 0xfffffa80`061db080 Void
       +0x030 NdisReserved     : [2] (null) 
       +0x040 ProtocolReserved : [4] 0x00000000`00000003 Void
       +0x060 MiniportReserved : [2] (null) 
       +0x070 Scratch          : (null) 
       +0x078 SourceHandle     : 0xfffffa80`06680630 Void
       +0x080 NblFlags         : 0
       +0x084 ChildRefCount    : 0n1
       +0x088 Flags            : 0x2800100
       +0x08c Status           : 0n0
       +0x090 NetBufferListInfo : [19] (null) 

    1: kd> dt  0xfffffa80`09e9f730 _NET_BUFFER
    ndis!_NET_BUFFER
       +0x000 Next             : (null) 
       +0x008 CurrentMdl       : 0xfffffa80`09d5df40 _MDL
       +0x010 CurrentMdlOffset : 0x30
       +0x018 DataLength       : 0xc5
       +0x018 stDataLength     : 0xc5
       +0x020 MdlChain         : 0xfffffa80`09d5df40 _MDL
       +0x028 DataOffset       : 0x14
       +0x000 Link             : _SLIST_HEADER
       +0x030 ChecksumBias     : 0
       +0x032 Reserved         : 0
       +0x038 NdisPoolHandle   : 0xfffffa80`061db080 Void
       +0x040 NdisReserved     : [2] (null) 
       +0x050 ProtocolReserved : [6] 0x000000d9`00000000 Void
       +0x080 MiniportReserved : [4] (null) 
       +0x0a0 DataPhysicalAddress : _LARGE_INTEGER 0x0
       +0x0a8 SharedMemoryInfo : (null) 
       +0x0a8 ScatterGatherList : (null) 
    1: kd> dt  0xfffffa80`09d5df40 _MDL
    hal!_MDL
       +0x000 Next             : (null) 
       +0x008 Size             : 0n56
       +0x00a MdlFlags         : 0n28
       +0x010 Process          : (null) 
       +0x018 MappedSystemVa   : 0xfffffa80`096c825e Void
       +0x020 StartVa          : 0xfffffa80`096c8000 Void
       +0x028 ByteCount        : 0xd9
       +0x02c ByteOffset       : 0x25e

    Thursday, December 19, 2013 3:44 AM
  • Can you share your call to FwpsAllocateCloneNetBufferList?  Additionally, please send a memory dump to DHarper @AT@ Microsoft .DOT. com

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------


    Thursday, December 19, 2013 7:34 PM
    Moderator
  • sent!

    Friday, December 20, 2013 6:16 AM
  • I got a full dump today on a Win7 32-bit platform. That may make it easier for debugging. I will send it later.

    Monday, December 23, 2013 2:41 PM
  • I have caught another dump that crashes at a different place.

    But there is something really interesting..

    0: kd> k
    ChildEBP RetAddr  
    84b6f434 8d8a55a7 nt!KiTrap0E+0x1b3
    84b6f4b0 8d8a57e2 tcpip!RawEndDelivery+0x2f
    84b6f4ec 8d8a55e7 tcpip!RawReceiveDatagrams+0x1f2
    84b6f4fc 8d8a37fb tcpip!RawNlClientReceiveDatagrams+0x12
    84b6f528 8d8a3146 tcpip!IppDeliverListToProtocol+0x49
    84b6f548 8d8a1527 tcpip!IppProcessDeliverList+0x2a
    84b6f5a0 8d8a2fef tcpip!IppReceiveHeaderBatch+0x21a
    84b6f634 8d8b1451 tcpip!IpFlcReceivePackets+0xbe5
    84b6f6b0 8d8aba5d tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x746
    84b6f6e4 84ad0ac3 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x11e
    84b6f74c 8d8abbcb nt!KeExpandKernelStackAndCalloutEx+0x132
    84b6f788 8d71b18d tcpip!FlReceiveNetBufferListChain+0x7c
    84b6f7c0 8d7095be ndis!ndisMIndicateNetBufferListsToOpen+0x188
    84b6f7e8 8d7094b2 ndis!ndisIndicateSortedNetBufferLists+0x4a
    84b6f964 8d6b4c1d ndis!ndisMDispatchReceiveNetBufferLists+0x129
    84b6f980 8d709553 ndis!ndisMTopReceiveNetBufferLists+0x2d
    84b6f9a8 8d6b4c78 ndis!ndisMIndicateReceiveNetBufferListsInternal+0x62
    84b6f9d0 94b41091 ndis!NdisMIndicateReceiveNetBufferLists+0x52
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    84b6fa68 84ac4cff 0x94b41091
    84b6fa80 84ac1465 nt!KiProcessThreadWaitList+0x3f
    84b6fb78 84abf675 nt!KiProcessExpiredTimerList+0xe9
    84b6fb98 84a16cca nt!KiExecuteAllDpcs+0xf9
    84b6fba4 84a81e78 hal!HalEndSystemInterrupt+0x6e
    84b6fba4 00000054 nt!KiInterruptDispatch+0xc8
    00000034 00000000 0x54

    ==================================

    asm from IDA

    .text:0009C51A ; void __stdcall RawEndDelivery(_RAW_AF *Af, _NLC_RECEIVE_DATAGRAM *Datagram, _NLC_RECEIVE_DATAGRAM *NextDatagram)
    .text:0009C51A _RawEndDelivery@12 proc near            ; CODE XREF: RawReceiveDatagrams(x,x)+1EDp
    .text:0009C51A
    .text:0009C51A arg_0           = dword ptr  8
    .text:0009C51A Datagram        = dword ptr  0Ch
    .text:0009C51A NextDatagram    = dword ptr  10h
    .text:0009C51A
    .text:0009C51A                 mov     edi, edi
    .text:0009C51C                 push    ebp
    .text:0009C51D                 mov     ebp, esp
    .text:0009C51F                 push    ebx
    .text:0009C520                 push    esi
    .text:0009C521                 mov     esi, [ebp+Datagram]
    .text:0009C524
    .text:0009C524 loc_9C524:                              ; CODE XREF: RawEndDelivery(x,x,x)+50j
    .text:0009C524                 cmp     dword ptr [esi+2Ch], 0
    .text:0009C528                 jz      short loc_9C565
    .text:0009C52A                 mov     eax, [ebp+arg_0]
    .text:0009C52D                 cmp     word ptr [eax+0Ch], 2
    .text:0009C532                 jnz     short loc_9C565
    .text:0009C534                 mov     ecx, [esi+_NLC_RECEIVE_DATAGRAM.NetworkLayerHeadersSize]
    .text:0009C537                 mov     eax, [esi+_NLC_RECEIVE_DATAGRAM.NetBufferList]
    .text:0009C53A                 mov     eax, [eax+_NET_BUFFER_LIST.___u0._s0.FirstNetBuffer]
    .text:0009C53D                 test    ecx, ecx
    .text:0009C53F                 jz      short loc_9C565
    .text:0009C541                 mov     edx, [eax+_NET_BUFFER.CurrentMdlOffset]
    .text:0009C544                 mov     ebx, [eax+_NET_BUFFER.___u0._s0.CurrentMdl]
    .text:0009C547                 add     edx, ecx
    .text:0009C549                 cmp     edx, [ebx+14h] // bsod
    .text:0009C54C                 jnb     short loc_9C559

    This crash is also trying to access MDL+0x14, just like the crash from tcpip!IppIsBasicIPHeaderContiguous.


    0: kd> dt _net_buffer_list cf32af00
    ndis!_NET_BUFFER_LIST
       +0x000 Next             : (null) 
       +0x004 FirstNetBuffer   : 0xcf32afa0 _NET_BUFFER
       +0x000 Link             : _SLIST_HEADER
       +0x008 Context          : (null) 
       +0x00c ParentNetBufferList : (null) 
       +0x010 NdisPoolHandle   : 0x8b1eaa80 Void
       +0x018 NdisReserved     : [2] (null) 
       +0x020 ProtocolReserved : [4] 0x00000001 Void
       +0x030 MiniportReserved : [2] (null) 
       +0x038 Scratch          : (null) 
       +0x03c SourceHandle     : 0x8dfc00e0 Void
       +0x040 NblFlags         : 0
       +0x044 ChildRefCount    : 0n0
       +0x048 Flags            : 0x2200100
       +0x04c Status           : 0n-1073741250
       +0x050 NetBufferListInfo : [19] 0x00000028 Void
    0: kd> dt 0xcf32afa0 _NET_BUFFER
    ndis!_NET_BUFFER
       +0x000 Next             : (null) 
       +0x004 CurrentMdl       : (null) 
       +0x008 CurrentMdlOffset : 0
       +0x00c DataLength       : 0
       +0x00c stDataLength     : 0
       +0x010 MdlChain         : 0xdc97cfe0 _MDL
       +0x014 DataOffset       : 0x28
       +0x000 Link             : _SLIST_HEADER
       +0x018 ChecksumBias     : 0
       +0x01a Reserved         : 0
       +0x01c NdisPoolHandle   : 0x8b1eaa80 Void
       +0x020 NdisReserved     : [2] (null) 
       +0x028 ProtocolReserved : [6] (null) 
       +0x040 MiniportReserved : [4] (null) 
       +0x050 DataPhysicalAddress : _LARGE_INTEGER 0x0
       +0x058 SharedMemoryInfo : (null) 
       +0x058 ScatterGatherList : (null) 
    0: kd> dt 0xdc97cfe0 _MDL
    kdcom!_MDL
       +0x000 Next             : (null) 
       +0x004 Size             : 0n32
       +0x006 MdlFlags         : 0n20
       +0x008 Process          : (null) 
       +0x00c MappedSystemVa   : 0x980cd798 Void
       +0x010 StartVa          : 0x980cd000 Void
       +0x014 ByteCount        : 0x28
       +0x018 ByteOffset       : 0x798

    0: kd> !pool cf32af00
    Pool page cf32af00 region is Special pool
    *cf32a000 size:  110 data: cf32aef0 (NonPaged) *Nnnn
    Pooltag Nnnn : NetIO NetBuffers And NetBufferLists, Binary : netio.sys

    Tuesday, December 24, 2013 8:56 AM
  • BTW, I'm not using the transport layer.

     *** Stack trace for last set context - .thread/.cxr resets it
    ChildEBP RetAddr  
    912a5a04 8deeb5ac tcpip!FlpReturnNetBufferListChain+0x35
    912a5a24 8deeced5 NETIO!NetioDereferenceNetBufferList+0xa2
    912a5a54 8e0757a6 NETIO!NetioDereferenceNetBufferListChain+0x3a
    912a5a74 8e0735a2 tcpip!IppCompleteAndFreePacketList+0xd7
    912a5ab8 8e074fef tcpip!IppReceiveHeaderBatch+0x295
    912a5b4c 8e0c9b46 tcpip!IpFlcReceivePackets+0xbe5
    912a5b6c 8e15617c tcpip!IppInspectInjectReceive+0xca
    912a5ba4 8de09a5d fwpkclnt!FwpsInjectTransportReceiveAsync0+0x1bc

    Friday, December 27, 2013 3:03 AM
  • Due to the holidays, the investigation will take a bit longer.  I appreciate your patience. What layer are you doing the injection from (in case there may be some nuance to that layer)?

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Tuesday, December 31, 2013 2:00 AM
    Moderator
  • Thanks for your response.

    I did it at the accept layer; I pend it, then reject it.

    And albeit the stacks from the dumps are different, it looks like they all access NET_BUFFER_LIST->NET_BUFFER->MdlChain, which is NULL.

    PS: when I pend it, I clear the flag "FWPS_RIGHT_ACTION_WRITE".

    Tuesday, December 31, 2013 7:30 AM
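As an added example (not code from the thread or from the WDK Inspect sample), here is the sanity check a callout driver can run on a cloned NBL before handing it to FwpsInjectTransportReceiveAsync0, since neither tcpip!IppIsBasicIPHeaderContiguous nor tcpip!RawEndDelivery guards the CurrentMdl dereference. The struct layouts are simplified, constructed models (only the fields the two crashes touch), NblCheckBeforeInject is a hypothetical helper name, and the sample lists are built from the field values in the dumps posted above.

```c
/* Added example, not code from the thread or from the WDK Inspect sample.
 * The structs are constructed, simplified models holding only the fields
 * the two crashes dereference; real layouts come from ndis.h and wdm.h. */
#include <stddef.h>
#include <stdint.h>

typedef struct _MDL { struct _MDL *Next; uint32_t ByteCount; uint32_t ByteOffset; } MDL;
typedef struct _NET_BUFFER {
    struct _NET_BUFFER *Next;
    MDL *CurrentMdl;            /* tcpip reads [CurrentMdl+0x14] (ByteCount) with no NULL check */
    uint32_t CurrentMdlOffset;
    uint32_t DataLength;
    MDL *MdlChain;
    uint32_t DataOffset;
} NET_BUFFER;
typedef struct _NET_BUFFER_LIST { struct _NET_BUFFER_LIST *Next; NET_BUFFER *FirstNetBuffer; } NET_BUFFER_LIST;

/* Reasons a clone must not be passed to FwpsInjectTransportReceiveAsync0. */
enum { NBL_OK = 0, NBL_NO_NET_BUFFER, NBL_NULL_MDL_CHAIN, NBL_NULL_CURRENT_MDL,
       NBL_EMPTY_DATA, NBL_HEADER_NOT_CONTIGUOUS };

/* Walks every NET_BUFFER of the list and returns the first defect found.
 * headerLen is the network-layer header size the stack will read from CurrentMdl. */
int NblCheckBeforeInject(const NET_BUFFER_LIST *nbl, uint32_t headerLen)
{
    const NET_BUFFER *nb = nbl ? nbl->FirstNetBuffer : NULL;
    if (nb == NULL) return NBL_NO_NET_BUFFER;
    for (; nb != NULL; nb = nb->Next) {
        if (nb->MdlChain == NULL)   return NBL_NULL_MDL_CHAIN;
        if (nb->CurrentMdl == NULL) return NBL_NULL_CURRENT_MDL;
        if (nb->DataLength == 0)    return NBL_EMPTY_DATA;
        /* Same comparison RawEndDelivery makes: offset + header must fit in the MDL. */
        if ((uint64_t)nb->CurrentMdlOffset + headerLen > nb->CurrentMdl->ByteCount)
            return NBL_HEADER_NOT_CONTIGUOUS;
    }
    return NBL_OK;
}

/* Constructed sample lists using the field values from the dumps in the thread. */
static MDL parentMdl = { NULL, 0xd9, 0x25e };
static NET_BUFFER parentNb = { NULL, &parentMdl, 0x30, 0xc5, &parentMdl, 0x14 };
NET_BUFFER_LIST parentNbl = { NULL, &parentNb };            /* healthy parent NBL */

static NET_BUFFER cloneNb = { NULL, NULL, 0, 0, NULL, 0 };
NET_BUFFER_LIST cloneNbl = { NULL, &cloneNb };              /* first dump: empty clone */

static MDL rawMdl = { NULL, 0x28, 0x798 };
static NET_BUFFER rawNb = { NULL, NULL, 0, 0, &rawMdl, 0x28 };
NET_BUFFER_LIST rawNbl = { NULL, &rawNb };                  /* second dump: CurrentMdl NULL, MdlChain set */
```

A clone that fails the check should be released with FwpsFreeCloneNetBufferList0 and the original handled without injection, rather than being passed on to the stack.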
  • Still need help.
    Monday, January 13, 2014 3:53 AM
  • Again thank you for your patience. The issue has been forwarded to Microsoft's Sustained Engineering team. They have informed me that they will be investigating this week, and you should expect a reply shortly.

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Monday, January 13, 2014 5:23 PM
    Moderator
  • My apologies this investigation is taking so long.  Our SE team is backlogged with other items.  Can you repro this on Windows 8 / 8.1?  If so, a dump from one of those OSes would be much appreciated.  Also, when creating the new dump, can you enable the following:

    Driver Verifier:

    Verifier.exe /standard /driver afd.sys fwpkclnt.sys ndis.sys netio.sys tcpip.sys YOUR_DRIVER.sys

    NBL Tracking:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters]
    "TrackNblOwner"=dword:00000004

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
    "VerifierPoolTracesLength"=dword:100000

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Thursday, January 30, 2014 7:36 PM
    Moderator
  • OK, I will try it..


    Monday, February 17, 2014 6:52 AM