Hi,
My driver is using WSK and NetAdapterCx and I stumbled upon this https://github.com/microsoft/Network-Adapter-Class-Extension/blob/release_2004/netcx/adapter/verifier.cpp#L1714 violation:
    if (! (fragmentAfter->Offset < fragmentAfter->ValidLength))
    {
        Verifier_ReportViolation(
            &PrivateGlobals,
            VerifierAction_BugcheckAlways,
            FailureCode_InvalidRingRxPacketFragmentOffsetInvalid,
            reinterpret_cast<ULONG_PTR>(fragmentAfter),
            0);
    }
This barks on me and I am not sure if the above code is correct. Why must Offset, which is “offset from the start of the VirtualAddress and DmaLogicalAddress to the start of the valid packet payload”, be less than ValidLength, which “contains the length of packet payload”? As far as I read the code, those values correspond to DataOffset and DataLength of NET_PACKET. I couldn’t find in the NDIS documentation that DataOffset must be less than DataLength.
Here is how this is triggered in my case. I receive a datagram from WSK:
0: kd> dx -id 0,0,ffffe503cadb6040 -r1 (*((ovpn_dco!_WSK_BUF *)0xffffe503c7306048))
(*((ovpn_dco!_WSK_BUF *)0xffffe503c7306048)) [Type: _WSK_BUF]
[+0x000] Mdl : 0xffffe503c8d63770 [Type: _MDL *]
[+0x008] Offset : 42 [Type: unsigned long]
[+0x010] Length : 48 [Type: unsigned __int64]
0: kd> dx -id 0,0,ffffe503cadb6040 -r1 ((ovpn_dco!_MDL *)0xffffe503c8d63770)
((ovpn_dco!_MDL *)0xffffe503c8d63770) : 0xffffe503c8d63770 [Type: _MDL *]
[+0x000] Next : 0x0 [Type: _MDL *]
[+0x008] Size : 64 [Type: short]
[+0x00a] MdlFlags : 12 [Type: short]
[+0x010] Process : 0x0 [Type: _EPROCESS *]
[+0x018] MappedSystemVa : 0xffffe503c87f09de [Type: void *]
[+0x020] StartVa : 0xffffe503c87f0000 [Type: void *]
[+0x028] ByteCount : 90 [Type: unsigned long]
[+0x02c] ByteOffset : 2526 [Type: unsigned long]
As you can see, Offset 42 is less than Length 48 and their sum is ByteCount 90 - so far so good. However, this is encapsulated data coming from the network and I need to peel off 8 bytes of protocol wrapping before indicating the packet to the OS. When I do that, I need to decrement the length by 8 bytes, after which its value becomes less than Offset, which, after I assign those values to NET_FRAGMENT, triggers the violation.
Am I correct in my analysis that the above-mentioned violation check is not quite correct, or am I missing something?
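A small stand-alone model of the situation described in this post, added here as an example (it is not code from the post or from NetAdapterCx): it feeds the WSK_BUF/MDL values from the debugger output through the quoted verifier predicate before and after the 8-byte trim, and next to it evaluates a plain buffer-bounds invariant. The Fragment struct, the use of the MDL's ByteCount as Capacity, and the helper names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the NET_FRAGMENT fields discussed in the post;
 * this is not the real NetAdapterCx header. */
typedef struct {
    uint64_t Offset;       /* start of the valid payload within the buffer */
    uint64_t ValidLength;  /* length of the valid payload */
    uint64_t Capacity;     /* total buffer size (MDL ByteCount here, assumed) */
} Fragment;

/* The predicate quoted from verifier.cpp: true when the verifier would
 * report FailureCode_InvalidRingRxPacketFragmentOffsetInvalid. */
bool verifier_offset_check_fires(const Fragment *f)
{
    return !(f->Offset < f->ValidLength);
}

/* Generic bounds invariant (an assumption, not the extension's check):
 * the valid payload must lie entirely inside the backing buffer.
 * Written without addition so it cannot overflow. */
bool payload_in_bounds(const Fragment *f)
{
    return f->Offset <= f->Capacity &&
           f->ValidLength <= f->Capacity - f->Offset;
}

/* Build the fragment from the WSK_BUF Offset/Length and the MDL ByteCount,
 * shrinking Length by `trim` bytes as the post does (Offset unchanged). */
Fragment fragment_from_wsk(uint64_t wsk_offset, uint64_t wsk_length,
                           uint64_t mdl_bytecount, uint64_t trim)
{
    Fragment f = { wsk_offset, trim <= wsk_length ? wsk_length - trim : 0,
                   mdl_bytecount };
    return f;
}

int main(void)
{
    /* Constructed from the post's dump: Offset 42, Length 48, ByteCount 90. */
    Fragment before = fragment_from_wsk(42, 48, 90, 0);
    Fragment after  = fragment_from_wsk(42, 48, 90, 8);
    printf("before trim: verifier fires=%d, in bounds=%d\n",
           verifier_offset_check_fires(&before), payload_in_bounds(&before));
    printf("after trim : verifier fires=%d, in bounds=%d\n",
           verifier_offset_check_fires(&after), payload_in_bounds(&after));
    return 0;
}
```

The trimmed fragment (Offset 42, ValidLength 40) still satisfies the bounds invariant while the quoted predicate rejects it, which is the discrepancy the post asks about.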