NULL layer data in my classifyFn function for the ALE connect (v4 and v6) callout

Hi All,

I have created a simple inspect packet driver based on the C:\WinDDK\7600.16385.1\src\network\trans\inspect sample. After the call to the TLInspectALEConnectClassify function, the assert “ASSERT(layerData != NULL)” was hit and Windows crashed with a BSOD and a BAD_POOL_CALLER error.

So invalid data (NULL layer data) has been received by the TLInspectALEConnectClassify function.

Please see the WinDbg log below:

*** Assertion failed: packet->direction == FWP_DIRECTION_INBOUND
*** Source File: h:\e2e4\firewall\development\trunk\source\firewallenginedriver\utils.c, line 265

Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? Ignore
Ignore

*** Assertion failed: layerData != NULL
*** Source File: h:\e2e4\firewall\development\trunk\source\firewallenginedriver\driverengine.c, line 264

Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? Ignore
Ignore

*** Assertion failed: packet->direction == FWP_DIRECTION_INBOUND
*** Source File: h:\e2e4\firewall\development\trunk\source\firewallenginedriver\utils.c, line 265

Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? Ignore
Ignore

*** Fatal System Error: 0x000000c2
(0x00000007,0x00001097,0x08110011,0x84608F80)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Thanks in advance for any help!

Do you see this in the re-auth path of your Classify-routine?

In this case it happens because the mechanism of finding the original
connect request via “IsMatchingConnectPacket” is weird.


Frank,

Can you define “weird”?

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gdata.de
Sent: Monday, November 08, 2010 6:58 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] NULL layer data in my classifyFn function for the ALE
connect (v4 and v6) callout

Do you see this in the re-auth path of your Classify-routine?

In this case it happens because the mechanism of finding the original
connect request via “IsMatchingConnectPacket” is weird.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


In the re-auth path of the Classify-routine: the sample tries to find the
matching pended connect with IsMatchingConnectPacket by comparing the IP
addresses and ports (local and remote). But what if there is more than one
pended connect request with the same IP addresses and ports in the list?
These criteria are not unique, are they?

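Added example, not part of the thread or of the WDK sample: a user-mode C model of the ambiguity described in the last reply, where a lookup by IP addresses and ports over the pended-connect list returns the wrong entry when two pended connects share the same tuple. The `pended` struct, its `id` field and both lookup functions are hypothetical names, and the two sample entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-mode model of a pended-connect list; constructed for illustration, not WDK code. */
typedef struct pended {
    uint32_t laddr, raddr;   /* local / remote IPv4 address */
    uint16_t lport, rport;   /* local / remote port */
    uint64_t id;             /* hypothetical unique key stored when the connect is pended */
    struct pended *next;
} pended;

static int same_tuple(const pended *a, const pended *b) {
    return a->laddr == b->laddr && a->raddr == b->raddr &&
           a->lport == b->lport && a->rport == b->rport;
}

/* Address/port-only lookup: returns the first hit and counts all hits. */
static pended *find_by_tuple(pended *head, const pended *key, size_t *hits) {
    pended *first = NULL;
    *hits = 0;
    for (pended *p = head; p != NULL; p = p->next)
        if (same_tuple(p, key)) { if (first == NULL) first = p; (*hits)++; }
    return first;
}

/* Lookup that also requires the unique id, so duplicates cannot be confused. */
static pended *find_by_tuple_and_id(pended *head, const pended *key) {
    for (pended *p = head; p != NULL; p = p->next)
        if (same_tuple(p, key) && p->id == key->id) return p;
    return NULL;
}

/* Constructed sample: two pended connects with identical addresses and ports. */
static pended conn_b = { 0x0A000001, 0x0A000002, 50000, 443, 2, NULL };
static pended conn_a = { 0x0A000001, 0x0A000002, 50000, 443, 1, &conn_b };

int main(void) {
    size_t hits;
    pended *t = find_by_tuple(&conn_a, &conn_b, &hits);       /* re-auth for conn_b */
    pended *e = find_by_tuple_and_id(&conn_a, &conn_b);
    printf("tuple only: id=%llu (%zu candidates); tuple+id: id=%llu\n",
           (unsigned long long)t->id, hits, (unsigned long long)e->id);
    return 0;
}
```

A hit count above one is the condition worth logging or asserting on in a debug build, since it marks the point where the tuple-only match can hand back state that belongs to a different connect.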