NetAdapterCx: possibly incorrect verifier violation check

Hi,

My driver is using WSK and NetAdapterCx and I stumbled upon this https://github.com/microsoft/Network-Adapter-Class-Extension/blob/release_2004/netcx/adapter/verifier.cpp#L1714 violation:

    if (! (fragmentAfter->Offset < fragmentAfter->ValidLength))
    {
        Verifier_ReportViolation(
            &PrivateGlobals,
            VerifierAction_BugcheckAlways,
            FailureCode_InvalidRingRxPacketFragmentOffsetInvalid,
            reinterpret_cast<ULONG_PTR>(fragmentAfter),
            0);
    }

This barks on me and I am not sure if the above code is correct. Why must Offset, which is “offset from the start of the VirtualAddress and DmaLogicalAddress to the start of the valid packet payload”, be less than ValidLength, which “contains the length of packet payload”? As far as I read the code, those values correspond to DataOffset and DataLength of NET_PACKET. I couldn’t find in the NDIS documentation that DataOffset must be less than DataLength.

Here is how this is triggered in my case. I receive a datagram from WSK:

0: kd> dx -id 0,0,ffffe503cadb6040 -r1 (*((ovpn_dco!_WSK_BUF *)0xffffe503c7306048))
(*((ovpn_dco!_WSK_BUF *)0xffffe503c7306048))                 [Type: _WSK_BUF]
    [+0x000] Mdl              : 0xffffe503c8d63770 [Type: _MDL *]
    [+0x008] Offset           : 42 [Type: unsigned long]
    [+0x010] Length           : 48 [Type: unsigned __int64]
0: kd> dx -id 0,0,ffffe503cadb6040 -r1 ((ovpn_dco!_MDL *)0xffffe503c8d63770)
((ovpn_dco!_MDL *)0xffffe503c8d63770)                 : 0xffffe503c8d63770 [Type: _MDL *]
    [+0x000] Next             : 0x0 [Type: _MDL *]
    [+0x008] Size             : 64 [Type: short]
    [+0x00a] MdlFlags         : 12 [Type: short]
    [+0x010] Process          : 0x0 [Type: _EPROCESS *]
    [+0x018] MappedSystemVa   : 0xffffe503c87f09de [Type: void *]
    [+0x020] StartVa          : 0xffffe503c87f0000 [Type: void *]
    [+0x028] ByteCount        : 90 [Type: unsigned long]
    [+0x02c] ByteOffset       : 2526 [Type: unsigned long]

As you can see, Offset 42 is less than Length 48 and their sum is ByteCount 90 - so far so good. However, this is encapsulated data coming from the network and I need to peel off 8 bytes of protocol wrapping before indicating the packet to the OS. When I do that, I need to decrement the length by 8 bytes, after which its value becomes less than Offset, which, after I assign those values to NET_FRAGMENT, triggers the violation.

Am I correct in my analysis that the above-mentioned violation check is not quite correct, or am I missing something?
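To make the two conditions concrete, here is an added C model (not code from the post or from NetAdapterCx) that replays the post's numbers: it contrasts the quoted `Offset < ValidLength` test with the bounds invariant a fragment actually has to satisfy, before and after 8 bytes of wrapping are removed. The `Frag` struct, the `Capacity` field standing in for the MDL ByteCount, and the strip helpers are my own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for the NET_FRAGMENT fields involved; not the
 * real NetAdapterCx definition. Numbers below come from the post. */
typedef struct {
    uint64_t Capacity;    /* bytes backing the buffer (MDL ByteCount) */
    uint64_t Offset;      /* start of valid payload within the buffer */
    uint64_t ValidLength; /* length of valid payload */
} Frag;

/* The verifier check quoted above: true when it would report a violation. */
bool disputed_check_fires(const Frag *f)
{
    return !(f->Offset < f->ValidLength);
}

/* The bounds invariant a fragment actually needs: the valid region
 * [Offset, Offset + ValidLength) must lie inside the buffer. */
bool fragment_in_bounds(const Frag *f)
{
    return f->Offset <= f->Capacity && f->ValidLength <= f->Capacity - f->Offset;
}

/* Peel `n` bytes of encapsulation off the front of the payload.
 * Refuses (leaving the fragment untouched) if the payload is shorter. */
bool strip_header(Frag *f, uint64_t n)
{
    if (n > f->ValidLength) return false;
    f->Offset += n;
    f->ValidLength -= n;
    return true;
}

/* Peel `n` bytes of trailer: only ValidLength shrinks. */
bool strip_trailer(Frag *f, uint64_t n)
{
    if (n > f->ValidLength) return false;
    f->ValidLength -= n;
    return true;
}

/* The fragment from the post: ByteCount 90, Offset 42, Length 48. */
Frag fragment_from_post(void)
{
    Frag f = { .Capacity = 90, .Offset = 42, .ValidLength = 48 };
    return f;
}
```

Whichever end the 8 bytes come off, the fragment stays inside its buffer, yet the quoted check fires as soon as the remaining payload is no longer longer than the offset in front of it.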

I got a response from the NetAdapter team that this is indeed a bug and this wrong check has been removed in Windows 11.

Thank you for getting back to us, and posting the outcome here. In my experience, over the entire history of Windows, the network teams have been nothing if not really responsive and outstandingly helpful.

Peter