OOB inspection of FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD

Hi all,

My driver inspects packets OOB, originating from 3 callouts:

  1. FWPM_LAYER_OUTBOUND_IPPACKET_V4

  2. FWPM_LAYER_INBOUND_TRANSPORT_V4

  3. FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD

The logic of the OOB inspection for all of the callouts is:

  1. FwpsReferenceNetBufferList0 (with intendToModify set) in the classifyFn

  2. Keep a pointer to the NBL and other relevant metadata for later OOB inspection

  3. Set FWP_ACTION_BLOCK (for all of the callouts) and FWPS_CLASSIFY_OUT_FLAG_ABSORB (except for the discard callout)

  4. Inspect the packet OOB

  5. FwpsDereferenceNetBufferList0

Notice that I don’t need to reinject any packet.

The inspection of outgoing packets is working perfectly; however, the inspection of the incoming packets (mostly those originating from the discard callout) at some point during execution leads to a BSOD stating that FwpsDereferenceNetBufferList0 triggered a double free on the heap. I don't know if this is the real cause, but there is definitely a heap corruption.

Is there anything wrong with my OOB inspection of incoming packets that may cause this behavior?
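The reference/queue/inspect/release sequence described in the post, written out as an added user-mode model (not the poster's driver and not kernel code): the functions model_reference/model_dereference stand in for FwpsReferenceNetBufferList0/FwpsDereferenceNetBufferList0, classify for the classifyFn, and inspect_oob/drain_queue for the worker; pending_packet, oob_queue, make_udp_packet and the layer enum are hypothetical stand-ins for the driver's own bookkeeping. Two details a practitioner checks when the OOB path for inbound packets corrupts the pool are built in: the driver's single reference is released exactly once per pended packet (a second release is refused rather than reaching the dereference), and at the inbound transport layers the NBL's data start is past the IP header, so the inspection retreats by ipHeaderSize (NdisRetreatNetBufferDataStart in a real driver) and restores the offset before releasing, including on the error path. The sample packet is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACTION_BLOCK 0x1
#define FLAG_ABSORB  0x2

/* Stand-in for a NET_BUFFER_LIST (hypothetical; not the NDIS structure). */
typedef struct model_nbl {
    uint8_t buf[64];
    size_t  len;
    size_t  data_offset;  /* current data start; past the IP header at inbound transport layers */
    int     refcount;     /* the stack's own reference counts as 1 */
    int     freed;        /* set when refcount hits 0; a release after that is a double free */
} model_nbl;

enum layer { LAYER_OUTBOUND_IPPACKET, LAYER_INBOUND_TRANSPORT, LAYER_INBOUND_TRANSPORT_DISCARD };

typedef struct pending_packet {
    model_nbl *nbl;
    enum layer layer;
    size_t     ip_header_size;  /* a real driver takes this from FWPS_INCOMING_METADATA ipHeaderSize */
    unsigned   action;
    int        released;        /* the driver's reference may be released exactly once */
    struct pending_packet *next;
} pending_packet;

typedef struct { pending_packet *head, *tail; } oob_queue;

/* Models FwpsReferenceNetBufferList0: one extra owner of the NBL. */
static void model_reference(model_nbl *nbl) { nbl->refcount++; }

/* Models FwpsDereferenceNetBufferList0. Returns -1 when the NBL is already freed,
 * which is the condition a real kernel reports as a pool double free. */
static int model_dereference(model_nbl *nbl) {
    if (nbl->freed || nbl->refcount <= 0) return -1;
    if (--nbl->refcount == 0) nbl->freed = 1;
    return 0;
}

/* classifyFn side: take the reference, record what the worker needs, then block
 * (and absorb at every layer except the discard layer, as in the post). */
static unsigned classify(oob_queue *q, model_nbl *nbl, enum layer layer, size_t ip_header_size) {
    pending_packet *p = calloc(1, sizeof *p);
    if (!p) return ACTION_BLOCK;  /* cannot pend: block without taking a reference */
    model_reference(nbl);
    p->nbl = nbl; p->layer = layer; p->ip_header_size = ip_header_size;
    p->action = ACTION_BLOCK | (layer == LAYER_INBOUND_TRANSPORT_DISCARD ? 0 : FLAG_ABSORB);
    if (q->tail) q->tail->next = p; else q->head = p;
    q->tail = p;
    return p->action;
}

/* Release the driver's reference exactly once; a second call on the same record is refused. */
static int release_pending(pending_packet *p) {
    if (p->released) return -1;
    p->released = 1;
    return model_dereference(p->nbl);
}

/* Worker side: at the inbound layers retreat by ipHeaderSize to see the IP header,
 * read the protocol byte, and advance back before the reference is released.
 * Returns the IP protocol number or -1 if the header is not reachable. */
static int inspect_oob(pending_packet *p) {
    model_nbl *nbl = p->nbl;
    size_t saved = nbl->data_offset;
    int proto = -1;
    if (p->layer != LAYER_OUTBOUND_IPPACKET) {
        if (p->ip_header_size > nbl->data_offset) return -1;
        nbl->data_offset -= p->ip_header_size;
    }
    if (nbl->data_offset + 20 <= nbl->len) proto = nbl->buf[nbl->data_offset + 9];
    nbl->data_offset = saved;  /* always restore, even when inspection fails */
    return proto;
}

/* Drain the queue: inspect every pended packet and release each reference once.
 * Returns the number of packets processed; protocols go to protos[] (up to max). */
static int drain_queue(oob_queue *q, int *protos, size_t max) {
    int n = 0;
    pending_packet *p;
    while ((p = q->head) != NULL) {
        q->head = p->next;
        if (!q->head) q->tail = NULL;
        if ((size_t)n < max) protos[n] = inspect_oob(p);
        n++;
        release_pending(p);
        free(p);
    }
    return n;
}

/* Constructed sample: 20-byte IPv4 header (protocol 17 = UDP) followed by an 8-byte UDP header. */
static model_nbl make_udp_packet(size_t data_offset) {
    static const uint8_t ip[20]  = {0x45,0,0,28, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2};
    static const uint8_t udp[8]  = {0x00,0x35,0x00,0x35, 0,8,0,0};
    model_nbl nbl; memset(&nbl, 0, sizeof nbl);
    memcpy(nbl.buf, ip, 20); memcpy(nbl.buf + 20, udp, 8);
    nbl.len = 28; nbl.data_offset = data_offset; nbl.refcount = 1;
    return nbl;
}

int main(void) {
    model_nbl nbl = make_udp_packet(20);  /* inbound transport: data start is after the IP header */
    oob_queue q = {0};
    int protos[2] = {0};
    classify(&q, &nbl, LAYER_INBOUND_TRANSPORT_DISCARD, 20);
    drain_queue(&q, protos, 2);
    printf("protocol %d, refcount %d, data_offset %zu\n", protos[0], nbl.refcount, nbl.data_offset);
    return 0;
}
```

The model deliberately keeps one pending record per reference taken; whatever the driver uses to track pended NBLs, the invariant to verify is that the record (and therefore the dereference) cannot be reached twice, for example from both a worker and a cleanup/unload path, and that any data-offset retreat done for inspection is undone before the NBL is returned to the stack.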