Getting bsod while reinjecting packet to tcp data stream

_nilofar · September 4, 2024, 11:09am

Hi, I am using network driver where we are reinjecting packet using FwpsStreamInjectAsync API. It works fine normally but at one point it is getting crash randomly.
Below is the output of !anaylze -v:

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff8074f3ed66f, Address of the instruction which caused the BugCheck
Arg3: fffff686432cdf80, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:

BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8074f3ed66f

BUGCHECK_P3: fffff686432cdf80

BUGCHECK_P4: 0

FILE_IN_CAB: MEMORY.DMP

FAULTING_THREAD: ffffe50958df2080

CONTEXT: fffff686432cdf80 -- (.cxr 0xfffff686432cdf80)
rax=0000000000001001 rbx=fffff686432ceaf8 rcx=ffffe50967dee000
rdx=0000000000001001 rsi=fffff686432ceac0 rdi=ffffe50967dee0e0
rip=fffff8074f3ed66f rsp=fffff686432ce980 rbp=fffff686432ce9f9
r8=000000000008c0b2 r9=0000000000000000 r10=0000000000000106
r11=0000000000003000 r12=0000000000000004 r13=fffff686432cede0
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
NETIO!StreamInvokeCalloutAndNormalizeAction+0x213:
fffff8074f3ed66f 4183795003 cmp dword ptr [r9+50h],3 ds:002b:0000000000000050=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

PROCESS_NAME: process.exe

STACK_TEXT:
fffff686432ce980 fffff8074f3ed1c4 fffff686432cea50 fffff8074f3ec7cf fffff686432ceb80 fffff8074f3e962b fffff686432ced00 fffff8074f3e81ca fffff686432cee60 fffff8074f43ab9a fffff686432cf260 fffff8074f43a5bf fffff686432cf380 fffff8074f43747b fffff686432cf450 fffff8074f7ca1fd fffff686432cf4e0 fffff8074f94a77e fffff686432cf540 fffff8074f948d59 fffff686432cf610 fffff8074f953568 fffff686432cf650 fffff8074a42d3f5 fffff686432cf6f0 fffff8074a81bddc fffff686432cf730 fffff8074a81ba2a fffff686432cf7d0 fffff8074a81ad06 fffff686432cf920 fffff8074a611d05 fffff686432cf990 00007ff9ba5ad644 000000000ebf4428 00007ff9b7bf2931 000000000ebf4430 00007ff9ba395951 000000000ebf44a0 00007ff9aa5d40de 000000000ebf44f0 000000000000002c 000000000ebf44f8 0000000000000000 : fffff686432cede0 ffffe50967dee010 0000000000000000 ffffe50967dee0e0 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x213
: 0000000000000014 fffff807616e1af4 ffffe50900000002 ffffe50958ec6ae0 : NETIO!StreamProcessCallout+0x3fc
: 0000000000000014 ffffe50958ec6ae0 ffffe5095f6f31c0 fffff686432cf2b0 : NETIO!ProcessCallout+0x76f
: ffffe5095c9a9ea0 ffffe50944ce6960 0000000000000000 fffff8074a42ee99 : NETIO!ArbitrateAndEnforce+0x71b
: 00000000ffffffff fffff8074f7b1143 ffffe5095c46beb0 ffffe5095ecd9800 : NETIO!KfdClassify+0x37a
: 0000000000000000 fffff686432cf401 00000000000004d6 0000000000000000 : NETIO!StreamInternalClassify+0x106
: 0000000000000014 ffffe5095f6f3010 0000000000000000 ffffe5095ecd9820 : NETIO!StreamInject+0x253
: ffffe5095f6f3010 000000000000012c 0000000000000000 0000000000010000 : NETIO!FwppStreamInject+0x13b
: ffffe509568ec700 fffff686432cf5a9 0000000000000001 fffff686432cf598 : fwpkclnt!FwpsStreamInjectAsync0+0xfd
: 0000000000000000 ffffe509568ec700 000000000000002c 0000000000000000 : myDriver!funct1+0x652 [myFile.c @ 2191]
: ffff9d807226b5c0 0000000000000000 ffffe5095a261af0 0000000084002123 : myDriver!func2+0x1f5 [myFile.c @ 798]
: b0834c7100000000 ffffe509614fb550 fffff68684002123 0000000000000000 : myDriver!func3+0x250 [myFile.c @ 2143]
: 0000000000000002 0000000000000000 ffffe5094aebe150 000000000000002c : nt!IofCallDriver+0x55
: 0000000000000000 fffff686432cfa80 0000000000040800 0000000084002123 : nt!IopSynchronousServiceTail+0x34c
: 0000000000000000 0000000000000580 0000000000000000 0000000003380410 : nt!IopXxxControlFile+0xd0a
: 00000000000003c4 0000000000000007 000000000ebf2038 00000000cec0fa8e : nt!NtDeviceIoControlFile+0x56
: 00007ff9b7bf2931 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtDeviceIoControlFile+0x14
: 0000000084002123 0000000000000000 0000000000000000 00007ff9b7bf2931 : KERNELBASE!DeviceIoControl+0x121
: 000000000000002c 0000000000000000 0000000000000000 0000000003380410 : KERNEL32!DeviceIoControlImplementation+0x81
: 0000000000000000 0000000000000000 0000000003380410 0000000000000000 : driver!CApi::DeviceIoControl+0x5e
: 0000000000000000 0000000003380410 0000000000000000 0000000000000000 : 0x2c

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

MEMORY_CORRUPTOR: LARGE

STACK_COMMAND: .cxr 0xfffff686432cdf80 ; kb

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}

Followup: memory_corruption

I can see in context that while executing below instruction, r9 register is not valid.
NETIO!StreamInvokeCalloutAndNormalizeAction+0x213:
fffff8074f3ed66f 4183795003 cmp dword ptr [r9+50h],3 ds:002b:0000000000000050=????????

What could be the reason of the crash? Is it possible that somehow nbl is getting corrupt and how to check it? Thanks in advance.

Tim_Roberts · September 5, 2024, 3:28am

Well, it's more than "not valid", it's a null pointer. Is this a net buffer list you created? My guess is you have a null pointer in there somewhere you shouldn't.