RE: RE:RE: [SPAM] RE: SecLookupAccountSid code section crashing

Your code is ugly and buggy and you don’t say which call to SecLookupAccountSid() causes the crash. I’d bet it is the first one because you pass an uninitialized UNICODE_STRING there:

UNICODE_STRING owner;
ULONG ownerSize = 1;
SID_NAME_USE eUse = SidTypeUnknown;
status = SecLookupAccountSid(sid, &ownerSize, &owner, 0, NULL, &eUse);

Note that the NameSize parameter is __out, not __inout. I presume the docs are wrong about input. In reality, the code checks NameBuffer->MaximumLength and there can be anything there when you pass an uninitialized variable. Define the variable like this:

UNICODE_STRING owner = {0};

or try to pass NULL (not documented but should work).

This is also wrong:

owner.Length = (USHORT)ownerSize + 1; /// for the '\0'

UNICODE_STRING is UNICODE so you have to add sizeof(WCHAR); adding one byte doesn’t make sense.

Michal
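As an added illustration of the two points above (zero-initialize the UNICODE_STRING before the size-probing call, and size the buffer in bytes with room for one WCHAR), here is a user-mode model of the two-call pattern. This is example code written for this note, not Michal's code, the original poster's driver, or the real kernel routine: UNICODE_STRING and the NTSTATUS values are re-declared so it compiles with any C compiler, and mock_lookup_account_sid() is a constructed stand-in that assumes the reported size is in bytes and that only MaximumLength is checked, as the reply describes.

```c
/* Added example, not code from the thread: a user-mode model of the
 * two-call SecLookupAccountSid() pattern with the fixes described above.
 * mock_lookup_account_sid() is a constructed stand-in for the real routine
 * (assumption: it reports the needed size in bytes and checks only
 * MaximumLength, as the reply says the real code does). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t USHORT;
typedef uint16_t WCHAR;   /* 2-byte UTF-16 code unit, as on Windows */
typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;

#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)

typedef struct _UNICODE_STRING {
    USHORT Length;        /* bytes in use, terminator not counted */
    USHORT MaximumLength; /* bytes available in Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;

/* Constructed sample name every lookup "resolves" to: 13 WCHARs = 26 bytes. */
static const WCHAR kName[] = {'B','U','I','L','T','I','N','\\','U','s','e','r','s'};
#define NAME_BYTES ((USHORT)sizeof(kName))

static NTSTATUS mock_lookup_account_sid(ULONG *name_size, UNICODE_STRING *name)
{
    if (!name_size || !name) return STATUS_INVALID_PARAMETER;
    *name_size = NAME_BYTES;                       /* purely __out */
    if (name->MaximumLength < NAME_BYTES) return STATUS_BUFFER_TOO_SMALL;
    /* The real routine would now copy into Buffer; with stack garbage in
     * MaximumLength and a NULL Buffer that is the memcpy fault in the dump.
     * The mock refuses instead of faulting. */
    if (!name->Buffer) return STATUS_INVALID_PARAMETER;
    memcpy(name->Buffer, kName, NAME_BYTES);
    name->Length = NAME_BYTES;
    return STATUS_SUCCESS;
}

/* Bytes to allocate: the reported size plus ONE WCHAR (not one byte) for a
 * terminator, rejected if it would not fit the USHORT MaximumLength field. */
static int size_with_terminator(ULONG needed, USHORT *out)
{
    if (needed + sizeof(WCHAR) > 0xFFFFu) return 0;
    *out = (USHORT)(needed + sizeof(WCHAR));
    return 1;
}

static void free_owner_name(UNICODE_STRING *s)
{
    free(s->Buffer);                 /* stands in for ExFreePoolWithTag */
    memset(s, 0, sizeof(*s));
}

/* Correct pattern: zeroed probe, size-probe call, sized allocation, real call. */
static NTSTATUS lookup_owner_name(UNICODE_STRING *owner)
{
    UNICODE_STRING probe = {0};      /* MaximumLength 0, Buffer NULL */
    ULONG needed = 0;
    NTSTATUS st = mock_lookup_account_sid(&needed, &probe);
    if (st != STATUS_BUFFER_TOO_SMALL) return st;
    memset(owner, 0, sizeof(*owner));
    if (!size_with_terminator(needed, &owner->MaximumLength))
        return STATUS_INVALID_PARAMETER;
    owner->Buffer = calloc(1, owner->MaximumLength); /* for ExAllocatePoolWithTag */
    if (!owner->Buffer) return STATUS_INSUFFICIENT_RESOURCES;
    st = mock_lookup_account_sid(&needed, owner);
    if (st != STATUS_SUCCESS) { free_owner_name(owner); return st; }
    owner->Buffer[owner->Length / sizeof(WCHAR)] = 0;  /* room reserved above */
    return STATUS_SUCCESS;
}

/* What the thread's first call does: a probe whose MaximumLength holds
 * simulated stack garbage. Returns the mock's status. */
static NTSTATUS probe_with_uninitialised_string(void)
{
    UNICODE_STRING garbage = { 0, 0x1234, NULL };
    ULONG needed = 0;
    return mock_lookup_account_sid(&needed, &garbage);
}

int main(void)
{
    UNICODE_STRING owner;
    if (lookup_owner_name(&owner) != STATUS_SUCCESS) return 1;
    printf("Length=%u MaximumLength=%u first=%c\n",
           owner.Length, owner.MaximumLength, (char)owner.Buffer[0]);
    free_owner_name(&owner);
    return 0;
}
```

With the zeroed probe the first call reports 26 bytes and STATUS_BUFFER_TOO_SMALL, the allocation is 28 bytes (26 plus sizeof(WCHAR)), and the second call fills the buffer; with garbage in MaximumLength the probe never reaches the size-reporting path in the way the caller expects, which is the failure mode the crash dump shows at nt!memcpy.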

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-459221-
xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, June 14, 2011 5:09 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] RE: [SPAM] RE: SecLookupAccountSid code section crashing

> Instead, you must queue up a work item. The work item will be called later,
> when the thread’s IRQL returns to a safe level.

Thank you for explaining this to me. Can you point me in the right direction of
any documents or examples of how to do this?

I reduced the code down to just getting the owner and posted it below with
an updated crash report. Does anyone have any more ideas on this? Also I
have 2 questions about the allocation of the UNICODE_STRING.

  1. owner.Length = (USHORT)ownerSize + 1; /// for the '\0'
     Is the null terminator 1 byte or 2, or should I be adding 1 or 2 for it?
  2. owner.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, owner.Length, 'oytF');
     When should you allocate using NonPagedPool over PagedPool? I have
     tried both allocation methods but they have both crashed, and I am also
     unsure when I should be using one over the other.

CODE:
void ALEConnectClassifyFunction(IN const FWPS_INCOMING_VALUES0* inFixedValues,
                                IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
                                IN OUT void* layerData,
                                IN const FWPS_FILTER0* filter,
                                IN UINT64 flowContext,
                                OUT FWPS_CLASSIFY_OUT0* classifyOut)
{
    NTSTATUS status;
    UINT64 index;

    if(!(classifyOut->rights & FWPS_RIGHT_ACTION_WRITE))
        return;

    // Get the Owner
    PTOKEN_ACCESS_INFORMATION tok;
    index = FWPS_FIELD_ALE_AUTH_CONNECT_V4_ALE_USER_ID;
    tok = (PTOKEN_ACCESS_INFORMATION)inFixedValues->incomingValue[index].value.tokenAccessInformation->data;
    PSID sid = tok->SidHash->SidAttr->Sid;

    // SecLookupAccountSid must be called at <= APC_LEVEL
    if(KeGetCurrentIrql() > 1)
    {
        DoTraceMessage(TRACE_INIT, "IRQL Too High");
        goto exit;
    }

    // Look up the SID to find out the owner. On the first call we only get
    // the size of the owner so that we can allocate that much memory and call
    // it again.
    UNICODE_STRING owner;
    ULONG ownerSize = 1;
    SID_NAME_USE eUse = SidTypeUnknown;
    status = SecLookupAccountSid(sid, &ownerSize, &owner, 0, NULL, &eUse);
    if(status != STATUS_BUFFER_TOO_SMALL)
    {
        DoTraceMessage(TRACE_INIT, "Not buffer too small error.");
        goto exit;
    }

    // Allocate the memory for the owner
    RtlZeroMemory(&owner, sizeof(UNICODE_STRING));
    owner.Length = (USHORT)ownerSize + 1; /// for the '\0'
    owner.MaximumLength = owner.Length;
    owner.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, owner.Length, 'oytF');

    // Make sure the Buffers allocated properly
    if(!owner.Buffer)
    {
        DoTraceMessage(TRACE_INIT, "Memory Allocation of Owner Failed.");
        goto exit;
    }

    // Look up the SID again to find out the owner. This time it should succeed
    // and we should have retrieved the owner names.
    status = SecLookupAccountSid(sid, &ownerSize, &owner, 0, NULL, &eUse);
    if(status != STATUS_SUCCESS)
    {
        DoTraceMessage(TRACE_INIT, "Lookup SID Failed");
        goto freeUser;
    }

    DoTraceMessage(TRACE_INIT, "OWNER: %wZ", &owner);

freeUser:
    // Free the allocated buffers
    ExFreePoolWithTag(owner.Buffer, 'oytF');

exit:
    // Set the action to allow the data
    classifyOut->actionType = FWP_ACTION_CONTINUE;
}

CRASH:
Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17592.x86fre.win7sp1_gdr.110408-1631
Machine Name:
Kernel base = 0x82843000 PsLoadedModuleList = 0x82983230
Debug session time: Tue Jun 14 09:54:27.062 2011 (UTC - 4:00)
System Uptime: 0 days 0:08:24.482
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 82873f54, The address that the exception occurred at
Arg3: a5da8148, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!memcpy+114
82873f54 89448fec mov dword ptr [edi+ecx*4-14h],eax

TRAP_FRAME: a5da8148 -- (.trap 0xffffffffa5da8148)
ErrCode = 00000002
eax=006d006f ebx=00000000 ecx=00000005 edx=00000000 esi=ab1b5210 edi=00000000
eip=82873f54 esp=a5da81bc ebp=a5da81c4 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
nt!memcpy+0x114:
82873f54 89448fec mov dword ptr [edi+ecx*4-14h],eax ds:0023:00000000=???
Resetting default scope

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0x8E

PROCESS_NAME: firefox.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 828e63af to 82873f54

STACK_TEXT:
a5da81c4 828e63af 00000000 ab1b5210 00000014 nt!memcpy+0x114
a5da81e4 8b646e0e a5da8288 a5da821c 2ebe51da nt!RtlCopyUnicodeString+0x32
a5da8248 a4c907d7 84f208f0 a5da827c a5da8288 ksecdd!SspipLookupAccountSid+0x100
WARNING: Stack unwind information not available. Following frames may be wrong.
a5da82a4 8b7b3ede a5da865c a5da86a4 00000000 networkfilter+0x17d7
a5da82c8 8b79df32 00000000 a4c90700 a5da865c NETIO!ProcessNonBufferedCallout+0x23
a5da8324 8b79eb5e 00000030 a5da865c a5da86a4 NETIO!ProcessCallout+0x184
a5da8398 8b79d24a 00000030 a5da865c a5da86a4 NETIO!ArbitrateAndEnforce+0xae
a5da84a8 8b87c3ab 00000030 a5da865c a5da86a4 NETIO!KfdClassify+0x1c7
a5da84d4 8b84a266 a5da865c a5da86a4 00000000 tcpip!WfpAleClassify+0x38
a5da8800 8b8557c9 84f0cc78 00000030 8b8e1488 tcpip!WfpAlepAuthorizeConnect+0x866
a5da89ac 8b83be2b 00000030 85b841ac 0000c7f5 tcpip!WfpAleAuthorizeConnect+0x308
a5da89dc 8b840db0 8b83c111 85276df8 84f0cc78 tcpip!InetInspectConnect+0x3c
a5da8a30 8b84f6c0 85276df8 00000000 85276f34 tcpip!TcpContinueCreateAndConnect+0x4dc
a5da8a48 8b8429e1 85276df8 00000000 00000000 tcpip!TcpCreateAndConnectTcbInspectConnectRequestComplete+0xf8
a5da8ab0 8b84574d 85276f34 00000000 86a23498 tcpip!TcpCreateAndConnectTcbWorkQueueRoutine+0x4df
a5da8b0c 8bb936b2 85d10240 a5da8b38 2e6d5e96 tcpip!TcpCreateAndConnectTcb+0x82a
a5da8bec 8bb8d2bc 866fc968 85d13dc0 a5da8c14 afd!AfdConnect+0x826
a5da8bfc 82872067 85d13dc0 8519b138 8519b138 afd!AfdDispatchDeviceControl+0x3b
a5da8c14 82a479d5 866fc968 8519b138 8519b214 nt!IofCallDriver+0x63
a5da8c34 82a49dc8 85d13dc0 866fc968 00000000 nt!IopSynchronousServiceTail+0x1f8
a5da8cd0 82a50d9d 85d13dc0 8519b138 00000000 nt!IopXxxControlFile+0x6aa
a5da8d04 828788ba 000001f0 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a5da8d04 76e070c6 000001f0 00000000 00000000 nt!KiFastCallEntry+0x12a
0375f844 00000000 00000000 00000000 00000000 0x76e070c6

STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
82873299 - nt!KiSaveProcessorControlState+75
	[ 0f:cc ]
828732a0 - nt!KiSaveProcessorControlState+7c (+0x07)
	[ 0f:cc ]
828732a7 - nt!KiSaveProcessorControlState+83 (+0x07)
	[ 0f:cc ]
828732ae - nt!KiSaveProcessorControlState+8a (+0x07)
	[ 0f:cc ]
82873405-82873409 5 bytes - nt!KiXMMIZeroPages+19 (+0x157)
	[ fa f7 80 fc 01:e9 de 4f d3 0e ]
9 errors : !nt (82873299-82873409)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption


NTDEV is sponsored by OSR
