ProtocolReceive crashes again

Hi!

I’m here again (last time my driver was ok on my vmware virtual machine
but not on my notebook) with my PtReceive function which gives me a blue
screen when I call NdisAllocateBuffer.
I deal with the case when NdisGetReceivedPacket returns with a NULL
Packet and LookAheadBufferSize == PacketSize. Here is my code:

Packet = NdisGetReceivedPacket(pAdapt->BindingHandle, MacReceiveContext);
if (Packet == NULL)
{
    DbgPrint("LookAheadBufferSize: %d\n", LookAheadBufferSize);
    DbgPrint("PacketSize: %d\n", PacketSize);
    DbgPrint("HeaderBufferSize: %d\n", HeaderBufferSize);

    if (LookAheadBufferSize < PacketSize)
    {
        DbgPrint("<== PtReceive: LookAheadBufferSize < PacketSize\n");

        return NDIS_STATUS_FAILURE;
    }
    else
    if (LookAheadBufferSize == PacketSize)
    {
        NdisAllocateMemoryWithTag(&dummyVA, HeaderBufferSize + PacketSize, 'ymuD');
        NdisMoveMemory(&dummyVA, HeaderBuffer, HeaderBufferSize);
        NdisMoveMemory(&dummyVA + HeaderBufferSize, LookAheadBuffer, LookAheadBufferSize);

        NdisAllocateBuffer(&Status, &dummyBuffer, pAdapt->BufferPoolHandle,
                           dummyVA, HeaderBufferSize + LookAheadBufferSize);
        if (Status != NDIS_STATUS_SUCCESS)
        {
            NdisFreeMemory(dummyVA, HeaderBufferSize + PacketSize, 0);

            return NDIS_STATUS_FAILURE;
        }

        NdisDprAllocatePacket(&Status, &Packet, pAdapt->RecvPacketPoolHandle);
        if (Status != NDIS_STATUS_SUCCESS)
        {
            NdisFreeMemory(dummyVA, HeaderBufferSize + PacketSize, 0);
            NdisFreeBuffer(dummyBuffer);

            return NDIS_STATUS_FAILURE;
        }

        NdisChainBufferAtFront(Packet, dummyBuffer);
    }
}

From WinDbg:
READ_ADDRESS: 12008426

CURRENT_IRQL: 2

FAULTING_IP:
passthru!PtReceive+17c [c:.…\protocol.c @ 1295]
f0dfefbc 8b4230 mov eax,[edx+0x30]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f0dfefbc to 804e187f

STACK_TEXT:
f9687d8c f0dfefbc badb0d00 120083f6 ff93d1b0 nt!KiTrap0E+0x233
f9687f28 f908ebd6 fe3f7e30 8130e468 f05e00cc passthru!PtReceive+0x17c [c:.…\protocol.c @ 1295]
f9687f5c 64610400 04016c73 67b21000 bf199377 NDIS!EthFilterDprIndicateReceive+0xe0
WARNING: Frame IP not in any known module. Following frames may be wrong.
f9687f8c f9530802 8130e468 0000ffff 8130e468 0x64610400
f9687f9c f9530889 8130e468 804e4a15 ff936ad0 RTL8139!RTFast_RcvDpc+0x50
f9687fb4 f9087712 0030e468 ffad37b8 ffad3a1c RTL8139!RTFast_HandleInterrupt+0x2f
f9687fd0 804dbbd4 8130e4d4 8130e4c0 00000000 NDIS!ndisMDpc+0xff
f9687ff4 804db89e f0fb4d54 00000000 00000000 nt!KiRetireDpcList+0x46
f9687ff8 f0fb4d54 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
804db89e 00000000 00000009 bb835675 00000128 0xf0fb4d54

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
passthru!PtReceive+17c [c:.…\protocol.c @ 1295]
f0dfefbc 8b4230 mov eax,[edx+0x30]

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: passthru!PtReceive+17c

MODULE_NAME: passthru

IMAGE_NAME: passthru.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 44154218

FAILURE_BUCKET_ID: 0xD1_passthru!PtReceive+17c

BUCKET_ID: 0xD1_passthru!PtReceive+17c

Thanks for the help again.

Baki

Baki,

Three things to consider:

  1. Obviously you have this situation sitting in the debugger with the
    bugcheck decoding and a stack back-trace. What is at line 1295 of
    protocol.c ? That is where the bugcheck reports the problem.

  2. Don’t leave us guessing. We love to guess and the less information you
    give us the more likely we are to start a 700 message long thread of random
    guessing which traverses the known universe of programming trivia and patent
    law. What is the !analyze output? Most importantly, what are the
    registers? It is hard to know why the instruction sequence mov
    eax,[edx+0x30] is broken if we don’t know what EDX is (it is probably NULL).

  3. When copying lookahead data you should use the function
    NdisCopyLookaheadData() which means you will also need to query the MAC for
    OID_GEN_MAC_OPTIONS. Some MAC drivers provide the Lookahead data in
    ‘device’ memory which is not necessarily ‘addressable’ via a pointer. This
    is not the problem you are having here but I wanted to point it out.

And since I cannot resist guessing I am going to guess that either

A) pAdapt is bogus

-or-

B) pAdapt->BufferPoolHandle is bogus.

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bakonyi Gabor
Sent: Monday, March 13, 2006 5:20 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] ProtocolReceive crashes again

> I’m here again (last time my driver was ok on my vmware virtual machine
> but not on my notebook) with my PtReceive function which gives me a blue
> screen when I call NdisAllocateBuffer.
> I deal with the case when NdisGetReceivedPacket returns with a NULL
> Packet and LookAheadBufferSize == PacketSize. Here is my code:
>
> else
> if (LookAheadBufferSize == PacketSize)
> {
>     NdisAllocateMemoryWithTag(&dummyVA, HeaderBufferSize + PacketSize, 'ymuD');
>     NdisMoveMemory(&dummyVA, HeaderBuffer, HeaderBufferSize);
>     NdisMoveMemory(&dummyVA + HeaderBufferSize, LookAheadBuffer, LookAheadBufferSize);

Although we can’t see what dummyVA was declared as, I assume it was declared
as a PVOID on the stack. The NdisMoveMemory calls are going to lead to
stack corruption because you’re copying the data to the address of dummyVA
(a stack address), not the address pointed to by dummyVA (as returned from
NdisAllocateMemoryWithTag). This leads to corruption of local variables and
arguments and thus makes subsequent dereferences of pAdapt bogus. The
second copy is doubly flawed due to pointer math issues.
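An added illustration of the defect described above (not code from the thread or the passthru sample): malloc/memcpy stand in for NdisAllocateMemoryWithTag/NdisMoveMemory, and a small struct stands in for the locals that sit beside dummyVA on PtReceive's stack, so the difference between copying to dummyVA and to &dummyVA can be observed in user mode.

```c
/* Added illustration, not code from the thread: malloc/memcpy stand in for
 * NdisAllocateMemoryWithTag/NdisMoveMemory, and struct frame for the locals
 * that sit next to dummyVA on PtReceive's stack. */
#include <stdlib.h>
#include <string.h>

struct frame { unsigned char *dummyVA; unsigned int packetSize; };
/* Constructed sample data: 14-byte Ethernet header, 4-byte lookahead. */
static const unsigned char kHeader[14] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00 };
static const unsigned char kLookahead[4] = { 0x45, 0x00, 0x00, 0x54 };

/* Correct form: copy into the memory dummyVA points to. Returns 1 when the
 * buffer holds header then lookahead and the neighbouring local survived. */
int assemble_correct(void)
{
    struct frame f;
    size_t total = sizeof kHeader + sizeof kLookahead;
    int ok;
    f.dummyVA = malloc(total);
    f.packetSize = (unsigned int)total;
    if (!f.dummyVA) return 0;
    memcpy(f.dummyVA, kHeader, sizeof kHeader);     /* dummyVA, not &dummyVA */
    memcpy(f.dummyVA + sizeof kHeader, kLookahead, sizeof kLookahead);
    ok = memcmp(f.dummyVA, kHeader, sizeof kHeader) == 0 && f.packetSize == total
      && memcmp(f.dummyVA + sizeof kHeader, kLookahead, sizeof kLookahead) == 0;
    free(f.dummyVA);
    return ok;
}

/* Buggy form from the post: the destination is the address OF the pointer, so
 * the header lands on dummyVA and whatever follows it (clamped to sizeof f here;
 * the driver ran HeaderBufferSize bytes over its frame). Returns 1 when the
 * pointer's storage holds header bytes and the buffer was never written. */
int assemble_buggy_clobbers_locals(void)
{
    struct frame f;
    size_t total = sizeof kHeader + sizeof kLookahead;
    size_t n = sizeof kHeader < sizeof f ? sizeof kHeader : sizeof f;
    unsigned char *saved = (f.dummyVA = malloc(total));
    int clobbered, untouched;
    if (!saved) return 0;
    memset(saved, 0xAA, total);            /* sentinel: must stay untouched */
    f.packetSize = (unsigned int)total;
    memcpy(&f, kHeader, n);                /* the bug: &f == &f.dummyVA, not dummyVA */
    clobbered = memcmp(&f, kHeader, n) == 0;
    untouched = saved[0] == 0xAA && saved[total - 1] == 0xAA;
    free(saved);                           /* f.dummyVA is no longer usable */
    return clobbered && untouched;
}
```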

Matt Miller wrote:

> Although we can’t see what dummyVA was declared as, I assume it was declared
> as a PVOID on the stack. The NdisMoveMemory calls are going to lead to
> stack corruption because you’re copying the data to the address of dummyVA
> (a stack address), not the address pointed to by dummyVA (as returned from
> NdisAllocateMemoryWithTag). This leads to corruption of local variables and
> arguments and thus makes subsequent dereferences of pAdapt bogus. The
> second copy is doubly flawed due to pointer math issues.

That was the bug, thank you for pointing out.
Now I have another crash with ProtocolReceive when I call
NdisTransferData. I copy here my code and the results from WinDbg.

Code:
PNDIS_BUFFER dummyBuffer;
PNDIS_BUFFER extraBuffer;
PNDIS_BUFFER dummyBufferUnchained;
PUCHAR dummyVA;
UINT bytesTransferred;

1103: Packet = NdisGetReceivedPacket(pAdapt->BindingHandle, MacReceiveContext);
1104:
1105: if (Packet == NULL)
1106: {
1107:     DbgPrint("LookAheadBufferSize: %d\n", LookAheadBufferSize);
1108:     DbgPrint("PacketSize: %d\n", PacketSize);
1109:     DbgPrint("HeaderBufferSize: %d\n", HeaderBufferSize);
1110:
1111:     if (LookAheadBufferSize > PacketSize)
1112:     {
1113:         DbgPrint("<== PtReceive: LookAheadBufferSize > PacketSize\n");
1114:
1115:         return NDIS_STATUS_FAILURE;
1116:     }
1117:
1118:     NdisAllocateMemoryWithTag(&dummyVA, HeaderBufferSize + PacketSize, 'ymuD');
1119:     NdisMoveMemory(dummyVA, HeaderBuffer, HeaderBufferSize);
1120:     NdisMoveMemory(dummyVA + HeaderBufferSize, LookAheadBuffer, LookAheadBufferSize);
1121:
1122:     NdisAllocateBuffer(&Status, &dummyBuffer, pAdapt->BufferPoolHandle, dummyVA, HeaderBufferSize + PacketSize);
1123:     if (Status != NDIS_STATUS_SUCCESS)
1124:     {
1125:         NdisFreeMemory(dummyVA, HeaderBufferSize + PacketSize, 0);
1126:
1127:         DbgPrint("<== PtReceive: Packet is NULL, cannot allocate buffer\n");
1128:
1129:         return NDIS_STATUS_FAILURE;
1130:     }
1131:
1132:     NdisDprAllocatePacket(&Status, &Packet, pAdapt->RecvPacketPoolHandle);
1133:     if (Status != NDIS_STATUS_SUCCESS)
1134:     {
1135:         NdisFreeMemory(dummyVA, HeaderBufferSize + PacketSize, 0);
1136:         NdisFreeBuffer(dummyBuffer);
1137:
1138:         DbgPrint("<== PtReceive: Packet is NULL, cannot allocate packet\n");
1139:
1140:         return NDIS_STATUS_FAILURE;
1141:     }
1142:
1143:     if (LookAheadBufferSize == PacketSize)
1144:     {
1145:         NdisChainBufferAtFront(Packet, dummyBuffer);
1146:     }
1147:     else
1148:     if (LookAheadBufferSize < PacketSize)
1149:     {
1150:         DbgPrint("=== PtReceive: Packet is NULL, LookAheadBufferSize < PacketSize\n");
1151:
1152:         NdisAllocateBuffer(&Status, &extraBuffer, pAdapt->BufferPoolHandle, dummyVA + HeaderBufferSize, PacketSize);
1153:         if (Status != NDIS_STATUS_SUCCESS)
1154:         {
1155:             NdisFreeMemory(dummyVA, HeaderBufferSize + PacketSize, 0);
1156:             NdisFreeBuffer(dummyBuffer);
1157:             NdisDprFreePacket(Packet);
1158:
1159:             DbgPrint("<== PtReceive: cannot allocate extra buffer\n");
1160:
1161:             return Status;
1162:         }
1163:
1164:         NdisUnchainBufferAtFront(Packet, &dummyBufferUnchained);
1165:         NdisChainBufferAtFront(Packet, extraBuffer);
1166:
1167:         NdisTransferData(&Status, ProtocolBindingContext, MacReceiveContext, HeaderBufferSize, PacketSize, Packet, &bytesTransferred);
1168:         if (Status != NDIS_STATUS_SUCCESS)
1169:         {
1170:             NdisFreeMemory(dummyVA, HeaderBufferSize + PacketSize, 0);
1171:             NdisFreeBuffer(dummyBuffer);
1172:             NdisFreeBuffer(extraBuffer);
1173:             NdisDprFreePacket(Packet);
1174:
1175:             DbgPrint("<== PtReceive: NdisTransferData failure\n");
1176:
1177:             return Status;
1178:         }
1179:
1180:         NdisFreeBuffer(dummyBuffer);
1181:     }
1182: }

From WinDbg:
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00b19287, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: ffb1d6bf, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00b19287

CURRENT_IRQL: 2

FAULTING_IP:
+ffffffffffb1d6bf
ffb1d6bf 0080c8bbff00 add [eax+0xffbbc8],al

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from ffb1d6bf to 804e187f

STACK_TEXT:
80550010 ffb1d6bf badb0d00 ff9d0804 00000000 nt!KiTrap0E+0x233
WARNING: Frame IP not in any known module. Following frames may be wrong.
805500a8 f953c93a 805500e8 ffb1d608 ff9d0008 0xffb1d6bf
80550104 f90ccbd6 ffb1d608 ff9d0008 f22563c0 passthru!PtReceive+0x2da [c:.…\protocol.c @ 1168]
80550138 f9548493 ff9d1c00 ff9d0008 f22563c0 NDIS!EthFilterDprIndicateReceive+0xe0
80550168 f9548802 ff9d0008 0000ffff ff9d0008 RTL8139!RTFast_IndicatePacket+0x85
80550178 f9548889 ff9d0008 804e4a15 812c5410 RTL8139!RTFast_RcvDpc+0x50
80550190 f90c5712 009d0008 80558e80 80558c20 RTL8139!RTFast_HandleInterrupt+0x2f
805501ac 804dbbd4 ff9d0074 ff9d0060 00000000 NDIS!ndisMDpc+0xff
805501d0 804dbb4d 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46
805501d4 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x26

STACK_COMMAND: kb

FOLLOWUP_IP:
passthru!PtReceive+2da [c:.…\protocol.c @ 1168]
f953c93a 837de400 cmp dword ptr [ebp-0x1c],0x0

SYMBOL_STACK_INDEX: 2

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: passthru!PtReceive+2da

MODULE_NAME: passthru

IMAGE_NAME: passthru.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 44264da7

FAILURE_BUCKET_ID: 0xD1_W_passthru!PtReceive+2da

BUCKET_ID: 0xD1_W_passthru!PtReceive+2da

Registers:
eax - ffdff13c
ebp - 80550010

Locals (Name - Value - Location):
ProtocolBindingContext - ffb1d608 - 8055010c
MacReceiveContext - ff9d0008 - 80550110
HeaderBuffer - f22563c0 - 80550114
HeaderBufferSize - e - 80550118
LookAheadBuffer - f22563ce - 8055011c
LookAheadBufferSize - 80 - 80550120
PacketSize - 154 - 80550124
bytesTransferred - 202 - 805500f4
dummyBuffer - ff4738f0 struct _MDL * - 805500f0
dummyVA - ffb02a58 “” - 805500f8
extraBuffer - 812703f0 struct _MDL * - 80550100
Packet - 8129c440 struct _NDIS_PACKET * - 805500e0
pAdapt - 67b1d608 struct _ADAPT * - 805500fc
Status - 0 - 805500e8

Thank you for any help.

Baki