Need help!

I use tdifw(1.2 Version) of ntdev.h1.ru
I just got a crash I can't seem to puzzle out.
Here is the bugcheck info and source.
I'd appreciate any explanation of this tdifw problem.
Thanks in advance.

****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** ERROR: Symbol file could not be found. Defaulted to export symbols for
tcpip.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
halmacpi.dll -

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
00000000

CURRENT_IRQL: 2

FAULTING_IP:
+0
00000000 ?? ???

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 00000000 to 8046987c

STACK_TEXT:
f245f944 00000000 00000000 00000000 00000000 nt!Kei386EoiHelper+0x2ae4

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

FOLLOWUP_IP:
tdifw!tdi_event_receive_datagram+8b [c:\tdifw1.2\src\drv\ev_dg.c @ 83]
bfd6f4ab eb05 jmp tdifw!tdi_event_receive_datagram+0x92 (bfd6f4b2)

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: tdifw!tdi_event_receive_datagram+8b

MODULE_NAME: tdifw

IMAGE_NAME: tdifw.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3fcee114

STACK_COMMAND: kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

// -*- mode: C++; tab-width: 4; indent-tabs-mode: nil -*- (for GNU Emacs)
//
// $Id: ev_dg.c,v 1.2 2002/10/01 12:54:15 dev Exp $

/*
 * This file contains the TDI_EVENT_RECEIVE_DATAGRAM handler
 */

#include <ntddk.h>
#include <tdikrnl.h>
#include "sock.h"

#include "events.h"
#include "filter.h"
#include "obj_tbl.h"
#include "tdifw.h"

//----------------------------------------------------------------------------

/*
* TDI_EVENT_RECEIVE_DATAGRAM handler
*/

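/*
 * TDI_EVENT_RECEIVE_DATAGRAM handler that tdifw installs in front of the
 * transport client's own handler.
 *
 * Looks up the address object the datagram arrived on, builds a flt_request
 * describing the inbound datagram (protocol, owning pid, local and remote
 * sockaddr) and runs it through quick_filter().  An allowed datagram is
 * handed to the client's original handler with all parameters unchanged;
 * anything else is refused with STATUS_DATA_NOT_ACCEPTED.
 *
 * TdiEventContext is the TDI_EVENT_CONTEXT tdifw registered with the
 * transport; the remaining parameters are the standard receive-datagram
 * indication arguments and are only passed through.
 *
 * Returns the original handler's status, or STATUS_DATA_NOT_ACCEPTED when
 * the datagram is denied or cannot be classified.  Every early exit keeps
 * result == FILTER_DENY, so the handler fails closed.
 *
 * Called at the transport's indication IRQL (DISPATCH_LEVEL in the bugcheck
 * above), so nothing here may touch pageable memory or block.
 */
NTSTATUS tdi_event_receive_datagram(
    IN PVOID TdiEventContext,
    IN LONG SourceAddressLength,
    IN PVOID SourceAddress,
    IN LONG OptionsLength,
    IN PVOID Options,
    IN ULONG ReceiveDatagramFlags,
    IN ULONG BytesIndicated,
    IN ULONG BytesAvailable,
    OUT ULONG *BytesTaken,
    IN PVOID Tsdu,
    OUT PIRP *IoRequestPacket)
{
    TDI_EVENT_CONTEXT *ctx = (TDI_EVENT_CONTEXT *)TdiEventContext;
    struct ot_entry *ote_addr = NULL;
    KIRQL irql;
    TA_ADDRESS *remote_addr, *local_addr;
    PTDI_IND_RECEIVE_DATAGRAM old_handler;
    int ipproto, result = FILTER_DENY;      /* fail closed: deny unless the filter says otherwise */
    struct flt_request request;
    struct flt_rule rule;

    /* The transport is expected to always supply a source address, but it is
     * dereferenced unconditionally below, so refuse the datagram instead of
     * faulting if it is ever missing. */
    if (SourceAddress == NULL) {
        KdPrint(("[tdifw] tdi_event_receive_datagram: NULL SourceAddress!\n"));
        goto done;
    }

    /* Find the address object the datagram was indicated on.  On success the
     * g_ot_hash_guard spin lock is held (irql holds the previous IRQL) until
     * the cleanup at done:. */
    ote_addr = ot_find_fileobj(ctx->fileobj, &irql);
    if (ote_addr == NULL) {
        KdPrint(("[tdifw] tdi_receive_datagram: ot_find_fileobj(0x%x)!\n",
                 ctx->fileobj));
        goto done;
    }

    KdPrint(("[tdifw] tdi_event_receive_datagram: addrobj 0x%x\n",
             ctx->fileobj));

    /* Only UDP and raw IP device objects are handled; anything else is an
     * unknown device object and the datagram is denied. */
    if (get_original_devobj(ote_addr->devobj, &ipproto) == NULL ||
        (ipproto != IPPROTO_UDP && ipproto != IPPROTO_IP)) {
        KdPrint(("[tdifw] tdi_event_receive_datagram: unknown DeviceObject 0x%x!\n",
                 ote_addr));
        goto done;
    }

    local_addr = (TA_ADDRESS *)(ote_addr->local_addr);
    remote_addr = ((TRANSPORT_ADDRESS *)SourceAddress)->Address;

    /* local_addr is presumably recorded when the address object was created
     * (confirm in obj_tbl.c).  If it is missing the datagram cannot be
     * classified, and the memcpy below would read from address 0 -- which is
     * one reading of the bugcheck above -- so deny it instead. */
    if (local_addr == NULL) {
        KdPrint(("[tdifw] tdi_event_receive_datagram: no local address for addrobj 0x%x!\n",
                 ctx->fileobj));
        goto done;
    }

    /* NOTE(review): both addresses are interpreted as TDI_ADDRESS_IP without
     * checking AddressType/AddressLength; the device-object check above is
     * what currently guarantees that. */
    KdPrint(("[tdifw] tdi_event_receive_datagram(pid:%u): %x:%u -> %x:%u\n",
             ote_addr->pid,
             ntohl(((TDI_ADDRESS_IP *)(remote_addr->Address))->in_addr),
             ntohs(((TDI_ADDRESS_IP *)(remote_addr->Address))->sin_port),
             ntohl(((TDI_ADDRESS_IP *)(local_addr->Address))->in_addr),
             ntohs(((TDI_ADDRESS_IP *)(local_addr->Address))->sin_port)));

    /* Build the filter request for the quick (in-kernel) filter. */
    memset(&request, 0, sizeof(request));
    request.struct_size = sizeof(request);

    request.type = TYPE_DATAGRAM;
    request.direction = DIRECTION_IN;
    request.proto = ipproto;
    request.pid = ote_addr->pid;

    /* Starting the copy at AddressType lays the TA_ADDRESS out as a
     * sockaddr_in: AddressType doubles as sin_family and TDI_ADDRESS_IP
     * supplies port and address. */
    memcpy(&request.addr.from, &remote_addr->AddressType, sizeof(struct sockaddr));
    memcpy(&request.addr.to, &local_addr->AddressType, sizeof(struct sockaddr));
    request.addr.len = sizeof(struct sockaddr_in);

    memset(&rule, 0, sizeof(rule));

    result = quick_filter(&request, &rule);

    if (rule.log)
        log_request(&request);

done:
    /* ote_addr != NULL is the only state in which ot_find_fileobj left the
     * lock held. */
    if (ote_addr != NULL)
        KeReleaseSpinLock(&g_ot_hash_guard, irql);

    if (result != FILTER_ALLOW)
        return STATUS_DATA_NOT_ACCEPTED;

    /* A NULL old_handler (the client never registered one, or has since
     * cleared it) would otherwise be called here.  The bugcheck above shows
     * FAILED_INSTRUCTION_ADDRESS 00000000 with the follow-up return address
     * sitting on a jmp just past a call inside this function, which looks like
     * a call through a NULL function pointer -- confirm with matching symbols.
     * Either way, refusing the datagram is the safe outcome. */
    old_handler = (PTDI_IND_RECEIVE_DATAGRAM)(ctx->old_handler);
    if (old_handler == NULL) {
        KdPrint(("[tdifw] tdi_event_receive_datagram: no old_handler for addrobj 0x%x!\n",
                 ctx->fileobj));
        return STATUS_DATA_NOT_ACCEPTED;
    }

    return old_handler(ctx->old_context, SourceAddressLength, SourceAddress,
                       OptionsLength, Options, ReceiveDatagramFlags,
                       BytesIndicated, BytesAvailable, BytesTaken,
                       Tsdu, IoRequestPacket);
}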

WinDbg has told you all you need to know.

  1. you’re accessing a NULL pointer. Doesn’t matter what IRQL you’re at,
    you’re going to crash.

  2. The symbol path for your driver doesn’t contain the symbol file that
    matches your driver. Fix this. If the symbols and driver are in sync
    WinDbg will highlight the source line at which it crashed.

  3. if you can’t be bothered using matching driver and symbols, try
    compiling with the -Fc switch to create a .COD file. Then have a look at
    relative offset 0x8b of the offending function.

  4. you might also want to set up the downstream symbol server properly.

  5. Even having screwed the symbol file synchronisation, WinDbg has kindly
    told you that the error is at line 83 of your source file. Line wrapping
    makes counting a little imprecise, but by my reckoning it’s one of these
    two lines:

memcpy(&request.addr.from, &remote_addr->AddressType, sizeof(struct
sockaddr));
memcpy(&request.addr.to, &local_addr->AddressType, sizeof(struct
sockaddr));

Surprise, surprise … these are memory copies. Since the fault was on a
memory read, one or both of remote_addr and local_addr are NULL.

WinDbg is a great tool, they’ve gone to a lot of effort in the Bugcheck
Analysis section to make life easy for you. There’s not a lot more they
can do in this case to highlight the obvious except hit you with a 2 x 4.

So the next question is, how much downtime have you had posting this
question when 30 seconds of actually reading the WinDbg output tells you
everything that you could possibly need to locate the problem?

Mark.

At 09:07 AM 5/19/2004, csjung wrote:

I use tdifw(1.2 Version) of ntdev.h1.ru
I just got a crash I can’t seem to puzzle out.
Here is the bugcheck info and source.
I’d like to hear any explanation for problem of tdifw.
Thanks in advance.

****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** ERROR: Symbol file could not be found. Defaulted to export symbols for
tcpip.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
halmacpi.dll -

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
00000000

CURRENT_IRQL: 2

FAULTING_IP:
+0
00000000 ?? ???

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 00000000 to 8046987c

STACK_TEXT:
f245f944 00000000 00000000 00000000 00000000 nt!Kei386EoiHelper+0x2ae4

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

FOLLOWUP_IP:
tdifw!tdi_event_receive_datagram+8b [c:\tdifw1.2\src\drv\ev_dg.c @ 83]
bfd6f4ab eb05 jmp tdifw!tdi_event_receive_datagram+0x92 (bfd6f4b2)

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: tdifw!tdi_event_receive_datagram+8b

MODULE_NAME: tdifw

IMAGE_NAME: tdifw.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3fcee114

STACK_COMMAND: kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

// -*- mode: C++; tab-width: 4; indent-tabs-mode: nil -*- (for GNU Emacs)
//
// $Id: ev_dg.c,v 1.2 2002/10/01 12:54:15 dev Exp $

/*
* This file contains TDI_EVENT_RECEIVE_DATAGRAM handler
*/

#include <ntddk.h>
>#include <tdikrnl.h>
>#include “sock.h”
>
>#include “events.h”
>#include “filter.h”
>#include “obj_tbl.h”
>#include “tdifw.h”
>
>//--------------------------------------------------------------------------
>–
>
>/*
> * TDI_EVENT_RECEIVE_DATAGRAM handler
> */
>
>NTSTATUS tdi_event_receive_datagram(
> IN PVOID TdiEventContext,
> IN LONG SourceAddressLength,
> IN PVOID SourceAddress,
> IN LONG OptionsLength,
> IN PVOID Options,
> IN ULONG ReceiveDatagramFlags,
> IN ULONG BytesIndicated,
> IN ULONG BytesAvailable,
> OUT ULONG *BytesTaken,
> IN PVOID Tsdu,
> OUT PIRP *IoRequestPacket)
>{
> TDI_EVENT_CONTEXT *ctx = (TDI_EVENT_CONTEXT *)TdiEventContext;
> struct ot_entry *ote_addr = NULL;
> KIRQL irql;
> TA_ADDRESS *remote_addr, *local_addr;
> NTSTATUS status;
> int ipproto, result = FILTER_DENY;
> struct flt_request request;
> struct flt_rule rule;
>
> // get local address of address object
>
> ote_addr = ot_find_fileobj(ctx->fileobj, &irql);
> if (ote_addr == NULL) {
> KdPrint((“[tdifw] tdi_receive_datagram: ot_find_fileobj(0x%x)!\n”,
>ctx->fileobj));
> goto done;
> }
>
> KdPrint((“[tdifw] tdi_event_receive_datagram: addrobj 0x%x\n”,
>ctx->fileobj));
>
> // check device object: UDP or RawIP
> if (get_original_devobj(ote_addr->devobj, &ipproto) == NULL ||
> (ipproto != IPPROTO_UDP && ipproto != IPPROTO_IP)) {
> // unknown device object!
> KdPrint((“[tdifw] tdi_event_receive_datagram: unknown DeviceObject
>0x%x!\n”, ote_addr));
> goto done;
> }
>
> local_addr = (TA_ADDRESS *)(ote_addr->local_addr);
> remote_addr = ((TRANSPORT_ADDRESS *)SourceAddress)->Address;
>
> KdPrint((“[tdifw] tdi_event_receive_datagram(pid:%u): %x:%u -> %x:%u\n”,
>ote_addr->pid, ntohl(((TDI_ADDRESS_IP *)(remote_addr->Address))->in_addr),
>ntohs(((TDI_ADDRESS_IP *)(remote_addr->Address))->sin_port),
>ntohl(((TDI_ADDRESS_IP *)(local_addr->Address))->in_addr),
>ntohs(((TDI_ADDRESS_IP *)(local_addr->Address))->sin_port)));
>
> // call quick filter for datagram
>
> memset(&request, 0, sizeof(request));
> request.struct_size = sizeof(request);
>
> request.type = TYPE_DATAGRAM;
> request.direction = DIRECTION_IN;
> request.proto = ipproto;
> request.pid = ote_addr->pid;
>
> memcpy(&request.addr.from, &remote_addr->AddressType, sizeof(struct
>sockaddr));
> memcpy(&request.addr.to, &local_addr->AddressType, sizeof(struct
>sockaddr));
> request.addr.len = sizeof(struct sockaddr_in);
>
> memset(&rule, 0, sizeof(rule));
>
> result = quick_filter(&request, &rule);
>
> if (rule.log)
> log_request(&request);
>
>done:
> // cleanup
> if (ote_addr != NULL)
> KeReleaseSpinLock(&g_ot_hash_guard, irql);
>
> if (result == FILTER_ALLOW) {
>
> return ((PTDI_IND_RECEIVE_DATAGRAM)(ctx->old_handler))
> (ctx->old_context, SourceAddressLength, SourceAddress, OptionsLength,
> Options, ReceiveDatagramFlags, BytesIndicated, BytesAvailable,
>BytesTaken,
> Tsdu, IoRequestPacket);
>
> } else
> return STATUS_DATA_NOT_ACCEPTED;
>}
></tdikrnl.h></ntddk.h>