Strange problem with netbt.sys

NTDEV
1

I’m experiencing a problem over a WXP SP1 system (I have reproduced below in
this mail the info that I got with WinDbg) It seems like the network driver
has any kind of problem when receiving an ARP packet. This bug happens
sporadically (I don’t know exactly how to cause it) and I have seen it over
systems with similar software and configuration installed. Has anybody seen
this problem before?

Thanks in advance,

Jose Vicente.

Microsoft (R) Windows Debugger Version 6.2.0013.1
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\TME\Mini111003-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\Symbols\WXPSP1a
Executable search path is: c:\windows\system32
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Mon Nov 10 19:06:43 2003
System Uptime: 0 days 0:02:54.375
Loading Kernel Symbols


Loading unloaded module list

Loading User Symbols
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

Use !analyze -v to get detailed debugging information.

BugCheck D1, {c, 2, 0, eff469b3}

Unable to load image e100b325.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for e100b325.sys
Probably caused by : netbt.sys ( netbt!DisconnectHndlrNotOs+2f )

Followup: MachineOwner

kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: eff469b3, address which referenced memory

Debugging Details:

READ_ADDRESS: 0000000c Nonpaged pool

CURRENT_IRQL: 2

FAULTING_IP:
netbt!DisconnectHndlrNotOs+2f
eff469b3 8b4708 mov eax,[edi+0x8]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

TRAP_FRAME: 80538f98 – (.trap ffffffff80538f98)
ErrCode = 00000000
eax=00000002 ebx=eff5585e ecx=00000000 edx=00000002 esi=81b34ae0
edi=00000004
eip=eff469b3 esp=8053900c ebp=80539044 iopl=0 nv up ei pl nz na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010202
netbt!DisconnectHndlrNotOs+0x2f:
eff469b3 8b4708 mov eax,[edi+0x8]
ds:0023:0000000c=???
Resetting default scope

LAST_CONTROL_TRANSFER: from eff5587b to eff469b3

STACK_TEXT:
80539044 eff5587b 81b43a50 81b34ae0 00000000 netbt!DisconnectHndlrNotOs+0x2f
80539068 eff8fc7f 81b43a50 81b34ae0 00000000 netbt!TdiDisconnectHandler+0x1d
805390a8 eff90fea 02399bf8 805391cc c000020d tcpip!NotifyOfDisc+0x148
80539124 eff88685 00000000 fb3b420a 2e384280 tcpip!TCPRcv+0xfbf
80539170 eff882f8 eff8a9f5 81c65748 00000000 tcpip!DeliverToUser+0xf9
80539218 eff883b0 81c65748 81b9472c 0000001a tcpip!IPRcvPacket+0x5ca
80539258 eff87c15 00000000 81b67cd8 81b9470a tcpip!ARPRcvIndicationNew+0x143
80539294 f83b190e 81d453f8 00000000 81dea6d8 tcpip!ARPRcvPacket+0x66
805392f4 f81e6c0b 00c168d4 80539330 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x2ef
80539324 f83b15ec 01c16b40 81b67cd8 81bde568 psched!ClReceivePacket+0xf9
80539384 f82cf79d f81e6b12 805393a4 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x1a0
805394ec f82cf98d 01bde008 00000000 81dea6d8
e100b325!PciWritePowerState+0x53
80539518 f83a8685 00bde008 80542000 80541da0
e100b325!CheckForRicohBridgeAndModify+0xd
8053952c 805317a9 81bde3e0 81bde3cc 00000000 NDIS!ndisMDpcX+0x1d
80539540 80518023 80541da0 ffdffc50 00000000 nt!KiRetireDpcList+0x46
ffdff980 ffdff980 f895d000 00007416 00000000 nt!PopIdle0+0x47

FOLLOWUP_IP:
netbt!DisconnectHndlrNotOs+2f
eff469b3 8b4708 mov eax,[edi+0x8]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: netbt!DisconnectHndlrNotOs+2f

MODULE_NAME: netbt

IMAGE_NAME: netbt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3f0b5863

STACK_COMMAND: .trap ffffffff80538f98 ; kb

BUCKET_ID: 0xD1_netbt!DisconnectHndlrNotOs+2f

Followup: MachineOwner

kd> .trap ffffffff80538f98 ; kb
ErrCode = 00000000
eax=00000002 ebx=eff5585e ecx=00000000 edx=00000002 esi=81b34ae0
edi=00000004
eip=eff469b3 esp=8053900c ebp=80539044 iopl=0 nv up ei pl nz na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010202
netbt!DisconnectHndlrNotOs+0x2f:
eff469b3 8b4708 mov eax,[edi+0x8]
ds:0023:0000000c=???
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
80539044 eff5587b 81b43a50 81b34ae0 00000000 netbt!DisconnectHndlrNotOs+0x2f
80539068 eff8fc7f 81b43a50 81b34ae0 00000000 netbt!TdiDisconnectHandler+0x1d
805390a8 eff90fea 02399bf8 805391cc c000020d tcpip!NotifyOfDisc+0x148
80539124 eff88685 00000000 fb3b420a 2e384280 tcpip!TCPRcv+0xfbf
80539170 eff882f8 eff8a9f5 81c65748 00000000 tcpip!DeliverToUser+0xf9
80539218 eff883b0 81c65748 81b9472c 0000001a tcpip!IPRcvPacket+0x5ca
80539258 eff87c15 00000000 81b67cd8 81b9470a tcpip!ARPRcvIndicationNew+0x143
80539294 f83b190e 81d453f8 00000000 81dea6d8 tcpip!ARPRcvPacket+0x66
805392f4 f81e6c0b 00c168d4 80539330 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x2ef
80539324 f83b15ec 01c16b40 81b67cd8 81bde568 psched!ClReceivePacket+0xf9
80539384 f82cf79d f81e6b12 805393a4 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x1a0
805394ec f82cf98d 01bde008 00000000 81dea6d8
e100b325!PciWritePowerState+0x53
80539518 f83a8685 00bde008 80542000 80541da0
e100b325!CheckForRicohBridgeAndModify+0xd
8053952c 805317a9 81bde3e0 81bde3cc 00000000 NDIS!ndisMDpcX+0x1d
80539540 80518023 80541da0 ffdffc50 00000000 nt!KiRetireDpcList+0x46
ffdff980 ffdff980 f895d000 00007416 00000000 nt!PopIdle0+0x47