Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

FwpsDereferenceNetBufferList0 causing BSOD

parsaparsa Member Posts: 50

Hi All,

I have an issue when passing the net buffer list to the FwpsDereferenceNetBufferList0() causing BSOD. When accessing the flags in the NBL within the function WfpNblInfoGetFlags() the issue occurs. But in the calling place (my driver code) the NBL is valid and not NULL. I could see the values in the memory. But in the FwpsDereferenceNetBufferList0->WfpNblInfoGetFlags, the flags are accessed at address 0x0+0xE0 causing the BSOD. I am not sure why the NBL address in zero inside the function WfpNblInfoGetFlags but it is valid in the caller code.

nt!KiPageFault+0x443 (TrapFrame @ ffff9a8d`163ff4b0)

14: kd> .trap ffff9a8d163ff4b0 NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000 rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000 rip=fffff806538ff920 rsp=ffff9a8d163ff648 rbp=0000000000000000 r8=000000000000002a r9=ffffffffffffff00 r10=fffff806538ff920 r11=ffff9a8d163ff400 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na po nc NETIO!WfpNblInfoGetFlags: fffff806538ff920 8b81e0000000 mov eax,dword ptr [rcx+0E0h] ds:00000000`000000e0=????????

This is NBL memory and it is valid.

14: kd> dx -r1 ((customdrv!_NET_BUFFER_LIST )0xffff8a0c9f5d7330)
((customdrv!_NET_BUFFER_LIST )0xffff8a0c9f5d7330) : 0xffff8a0c9f5d7330 [Type: _NET_BUFFER_LIST ]
[+0x000] Next : 0x0 [Type: _NET_BUFFER_LIST ]
[+0x008] FirstNetBuffer : 0xffff8a0ca5812190 [Type: _NET_BUFFER ]
[+0x000] Link [Type: _SLIST_HEADER]
[+0x000] NetBufferListHeader [Type: _NET_BUFFER_LIST_HEADER]
[+0x010] Context : 0x0 [Type: _NET_BUFFER_LIST_CONTEXT ]
[+0x018] ParentNetBufferList : 0x0 [Type: _NET_BUFFER_LIST ]
[+0x020] NdisPoolHandle : 0xffff8a0c88fd3000 [Type: void ]
[+0x030] NdisReserved [Type: void [2]]
[+0x040] ProtocolReserved [Type: void [4]]
[+0x060] MiniportReserved [Type: void [2]]
[+0x070] Scratch : 0x0 [Type: void ]
[+0x078] SourceHandle : 0x0 [Type: void ]
[+0x080] NblFlags : 0x0 [Type: unsigned long]
[+0x084] ChildRefCount : 0 [Type: long]
[+0x088] Flags : 0x100 [Type: unsigned long]
[+0x08c] Status : 0 [Type: int]
[+0x08c] NdisReserved2 : 0x0 [Type: unsigned long]
[+0x090] NetBufferListInfo [Type: void [11]]

When checking the address, it is from Nonpaged memory. So the page is memory resident.

14: kd> !pool 0xffff8a0c9f5d7330
Pool page ffff8a0c9f5d7330 region is Nonpaged pool
ffff8a0c9f5d7150 size: 1b0 previous size: 0 (Free) Nnbl
*ffff8a0c9f5d7300 size: 1b0 previous size: 0 (Allocated) *Nnbl
Pooltag Nnbl : NetIO NetBufferLists, Binary : netio.sys
ffff8a0c9f5d74b0 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7660 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7810 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d79c0 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7b70 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7d20 size: 1b0 previous size: 0 (Allocated) USBV

ffff8a0c9f5d7ed0 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

ffff8a0c9f5d7ed0 is not a valid large pool allocation, checking large session pool...
ffff8a0c9f5d7ed0 is not valid pool. Checking for freed (or corrupt) pool
Bad previous allocation size @ffff8a0c9f5d7ed0, last size was 0

An error (or corruption) in the pool was detected;
Attempting to diagnose the problem.

*** Use !poolval ffff8a0c9f5d7000 for more details.

Pool page [ ffff8a0c9f5d7000 ] is INVALID.

Any idea how to debug the issue. Any Help would be greatly appreciated.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Developing Minifilters 24 May 2021 Live, Online
Writing WDF Drivers 14 June 2021 Live, Online
Internals & Software Drivers 27 September 2021 Live, Online
Kernel Debugging TBD 2021 Live, Online