
NetAdapterCx: possibly incorrect verifier violation check

lstipakov Member Posts: 5


My driver is using WSK and NetAdapterCx and I stumbled upon this violation:

    if (! (fragmentAfter->Offset < fragmentAfter->ValidLength))

This barks at me and I am not sure if the above code is correct. Why must Offset, which is "offset from the start of the VirtualAddress and DmaLogicalAddress to the start of the valid packet payload", be less than ValidLength, which "contains the length of packet payload"? As far as I read the code, those values correspond to DataOffset and DataLength of NET_PACKET. I couldn't find in the NDIS documentation that DataOffset must be less than DataLength.

Here is how this is triggered in my case. I receive a datagram from WSK:

    0: kd> dx -id 0,0,ffffe503cadb6040 -r1 (*((ovpn_dco!_WSK_BUF *)0xffffe503c7306048))
    (*((ovpn_dco!_WSK_BUF *)0xffffe503c7306048))                 [Type: _WSK_BUF]
        [+0x000] Mdl              : 0xffffe503c8d63770 [Type: _MDL *]
        [+0x008] Offset           : 42 [Type: unsigned long]
        [+0x010] Length           : 48 [Type: unsigned __int64]
    0: kd> dx -id 0,0,ffffe503cadb6040 -r1 ((ovpn_dco!_MDL *)0xffffe503c8d63770)
    ((ovpn_dco!_MDL *)0xffffe503c8d63770)                 : 0xffffe503c8d63770 [Type: _MDL *]
        [+0x000] Next             : 0x0 [Type: _MDL *]
        [+0x008] Size             : 64 [Type: short]
        [+0x00a] MdlFlags         : 12 [Type: short]
        [+0x010] Process          : 0x0 [Type: _EPROCESS *]
        [+0x018] MappedSystemVa   : 0xffffe503c87f09de [Type: void *]
        [+0x020] StartVa          : 0xffffe503c87f0000 [Type: void *]
        [+0x028] ByteCount        : 90 [Type: unsigned long]
        [+0x02c] ByteOffset       : 2526 [Type: unsigned long]

As you can see, Offset 42 is less than Length 48 and their sum is ByteCount 90 - so far so good. However, this is encapsulated data coming from the network and I need to peel off 8 bytes of protocol wrapping before indicating the packet to the OS. When I do that, I need to decrement the length by 8 bytes, after which its value becomes less than Offset, which, after I assign those values to NET_FRAGMENT, triggers the violation.

Am I correct in my analysis that the abovementioned violation check is not quite correct, or am I missing something?


  • lstipakov Member Posts: 5

    I got a response from the NetAdapter team that this is indeed a bug and this wrong check has been removed in Windows 11.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,663

    Thank you for getting back to us, and posting the outcome here. In my experience, over the entire history of Windows, the network teams have been nothing if not really responsive and outstandingly helpful.


    Peter Viscarola
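
The arithmetic from the first post, as an added example that is not code from the thread or from NetAdapterCx: it replays the dump's values (Offset 42, Length 48, ByteCount 90) through the quoted comparison and through a buffer-bounds check. `fragment_t`, `in_bounds` and `strip_header` are hypothetical names, and two things are assumptions: that the 8-byte wrapper sits at the front of the payload (so the offset advances as the length shrinks) and that the fragment's capacity equals the MDL's ByteCount.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the fragment fields discussed in the thread;
 * not the real NET_FRAGMENT definition. */
typedef struct {
    uint64_t capacity;     /* bytes available from the buffer start (assumed = ByteCount) */
    uint64_t offset;       /* buffer start -> first payload byte */
    uint64_t valid_length; /* payload bytes */
} fragment_t;

/* The comparison quoted in the first post: passes only if Offset < ValidLength. */
static bool quoted_check(const fragment_t *f) {
    return f->offset < f->valid_length;
}

/* Assumed memory-safety invariant: the payload lies inside the buffer.
 * Written with a subtraction so the test itself cannot wrap around. */
static bool in_bounds(const fragment_t *f) {
    return f->offset <= f->capacity &&
           f->valid_length <= f->capacity - f->offset;
}

/* Strip hdr_len bytes of encapsulation from the front of the payload.
 * Refuses a header longer than the payload and leaves *f untouched. */
static bool strip_header(fragment_t *f, uint64_t hdr_len) {
    if (!in_bounds(f) || hdr_len > f->valid_length)
        return false;
    f->offset += hdr_len;        /* cannot exceed capacity: hdr_len <= valid_length */
    f->valid_length -= hdr_len;
    return true;
}

int main(void) {
    /* Values from the WSK_BUF/MDL dump in the post: Offset 42, Length 48, ByteCount 90. */
    fragment_t f = { .capacity = 90, .offset = 42, .valid_length = 48 };
    printf("before: quoted=%d in_bounds=%d\n", quoted_check(&f), in_bounds(&f));
    if (strip_header(&f, 8))
        printf("after:  offset=%llu len=%llu quoted=%d in_bounds=%d\n",
               (unsigned long long)f.offset, (unsigned long long)f.valid_length,
               quoted_check(&f), in_bounds(&f));
    return 0;
}
```

After the strip the payload still sits entirely inside the 90-byte buffer, yet the quoted comparison fails, which matches the violation described in the first post.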
