Crash in TCPIP.sys when 3p network driver is present.

Hi ,

We have a WFP driver in which we are performing out of band inspection for stream layer data.
Following are the steps performed in stream classify callout function:

  1. By default set classifyOut->actionType = FWP_ACTION_PERMIT
  2. Check for certain conditions(Ex: port number) and if it doesn’t match then return.
  3. Clone the net buffer list and push into a queue for out of band inspection.
  4. Block and absorb the packet.

Under scanning thread:

  1. Scan the data.
  2. Reinject net buffer list .

Crash dump occurs while browsing and the dump shows that crash is in TCPIP.sys.

So i want to know the behavior WFP engine in following contexts:

Case 1:
Under stream layer callout, Set permit action :“classifyOut->actionType = FWP_ACTION_PERMIT”.
Do not clear write flag “classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE”.

In this case can there be conflict for stream data if there are multiple filter drivers attached?
Why do we need to clear FWPS_RIGHT_ACTION_WRITE flag in classifyOut, if FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT is set in filter flags?
What is the significance of FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT for WFP?

Case 2:
Under stream layer callout Set Permit action “classifyOut->actionType = FWP_ACTION_CONTINUE”.
How does this action differ from Case 1 where we set FWP_ACTION_PERMIT without clearing FWPS_RIGHT_ACTION_WRITE?

Thanks,