system crashing after handling ClientEventReceive

Hi All,

Please help me to understand this bugcheck.

In my driver I am calling TDI interfaces to receive the RPC packet. I have
set up ClientEventReceive as the event handler to receive the RPC packet
arrival event. From the other endpoint of the network I am getting 3 RPC
packets up to the transport layer. My EventHandler got invoked for the first
two packets, on which I have done some processing, and when the event handler
returned after processing the 2nd packet the machine crashed before the
handler was called for the third packet.

From the bugcheck I observed that a null pointer is being accessed in the
tcp driver, resulting in a crash (mov eax,[esi+0xc] where esi=00000000). Can
you please help me to point out something on this?

The system is running win2k3 OS.

Thanks,

Prashant

****************************************************************************

Bugcheck Analysis

****************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at
an interrupt request level (IRQL) that is too high. This is usually caused
by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: 0000000c, memory referenced

Arg2: 00000002, IRQL

Arg3: 00000000, value 0 = read operation, 1 = write operation

Arg4: f6610a2e, address which referenced memory

CURRENT_IRQL: 2

FAULTING_IP:

tcpip!FreePartialRB+f

f6610a2e 8b460c mov eax,[esi+0xc]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f66158bf to f6610a2e

TRAP_FRAME: 808a30b0 -- (.trap ffffffff808a30b0)

ErrCode = 00000000

eax=808a32d0 ebx=f6617ddd ecx=10310004 edx=10300003 esi=00000000 edi=000005b0

eip=f6610a2e esp=808a3124 ebp=808a312c iopl=0 nv up ei pl nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202

tcpip!FreePartialRB+0xf:

f6610a2e 8b460c mov eax,[esi+0xc] ds:0023:0000000c=???

Resetting default scope

STACK_TEXT:

808a312c f66158bf 808a32d0 00000b64 00000000 tcpip!FreePartialRB+0xf

808a3178 f66137ca 00000000 00001050 808a32d0 tcpip!IndicateData+0x40f

808a3238 f6611f9f 8607d668 de80a90a 0b80a90a tcpip!TCPRcv+0x93f

808a3298 f66119e8 00000020 8607d668 f661354d tcpip!DeliverToUser+0x189

808a334c f6611c66 8607d668 85f55022 000005c8 tcpip!IPRcvPacket+0x66c

808a338c f6611d68 00000000 85fc41e8 85f55000 tcpip!ARPRcvIndicationNew+0x149

808a33c8 f71071d9 85c84b58 00000000 86085008 tcpip!ARPRcvPacket+0x68

808a341c f6d5658d 861a8ad0 808a3460 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x318

808a343c f6d572bd 86085008 808a3460 00000001 e1000325!ReceivePacketArrayIndicate+0x1d

808a3570 f6d57393 86085008 808a359f 861a8ad0 e1000325!RxProcessReceiveArray+0x8d

808a3594 f70fc12f 00085008 ffdffa40 8608535c e1000325!E1000HandleInterrupt+0xa7

808a35a8 8083eb0f 8608535c 86085348 00000000 NDIS!ndisMDpcX+0x1f

808a3600 8083ac1f 00000000 0000000e 00000000 nt!KiRetireDpcList+0xca

808a3604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x37

FOLLOWUP_IP:

e1000325!ReceivePacketArrayIndicate+1d

f6d5658d 8b7514 mov esi,[ebp+0x14]

SYMBOL_STACK_INDEX: 8

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: e1000325!ReceivePacketArrayIndicate+1d

MODULE_NAME: e1000325

Hello,

what exactly do you do in your ReceiveEventHandler with the packet? It looks like you modified *BytesTaken, BytesAvailable or BytesIndicated inappropriately. Is it possible?

bye,
Petr Kurtin

“Prashant Bhosale” wrote in message news:xxxxx@ntdev…
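Petr's point above, as an added example that is not from this thread and not anyone's driver code: a user-mode C model of the copy step of a TDI ClientEventReceive handler, showing the BytesIndicated / BytesAvailable / BytesTaken contract a client must keep so that it neither reads past what the transport indicated nor reports a BytesTaken the transport cannot reconcile. The TDI types, the status values, the 64-byte assembly buffer and the names TakeIndicatedData, SimulateIndication and RX_CTX are stand-ins constructed for the model.

```c
#include <stdio.h>
#include <string.h>
/* Stand-ins for the kernel/TDI types; status values are placeholders for this
 * model (a real driver takes them from ntstatus.h). */
typedef long NTSTATUS;
typedef unsigned long ULONG;
#define STATUS_SUCCESS           ((NTSTATUS)0)
#define STATUS_DATA_NOT_ACCEPTED ((NTSTATUS)-1)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)-2)
typedef struct { unsigned char buf[64]; ULONG used; } RX_CTX;   /* client state */
typedef struct { NTSTATUS status; ULONG taken; ULONG used; } SIM_RESULT;

/* Copy step of ClientEventReceive, modelled: read at most BytesIndicated bytes
 * from Tsdu (only those are mapped), set *BytesTaken to exactly what was
 * consumed (never above BytesAvailable), never overrun the client's own buffer.
 * Returning an IRP for the leftover data is not modelled. */
NTSTATUS TakeIndicatedData(RX_CTX *ctx, const void *tsdu, ULONG bytesIndicated,
                           ULONG bytesAvailable, ULONG *bytesTaken)
{
    ULONG room, n;
    *bytesTaken = 0;
    if (ctx == NULL || tsdu == NULL || ctx->used > sizeof(ctx->buf) ||
        bytesIndicated > bytesAvailable)
        return STATUS_INVALID_PARAMETER;   /* a transport never indicates this */
    room = (ULONG)sizeof(ctx->buf) - ctx->used;
    if (room == 0)
        return STATUS_DATA_NOT_ACCEPTED;   /* take nothing; TCP keeps the data */
    n = bytesIndicated < room ? bytesIndicated : room;
    memcpy(ctx->buf + ctx->used, tsdu, n);
    ctx->used += n;
    *bytesTaken = n;                       /* n <= BytesIndicated <= BytesAvailable */
    return STATUS_SUCCESS;
}

/* Replay one indication against a buffer already holding `prefill` bytes, on a
 * constructed 128-byte Tsdu whose first bytes resemble a DCE RPC bind header. */
SIM_RESULT SimulateIndication(ULONG prefill, ULONG indicated, ULONG available)
{
    static const unsigned char tsdu[128] = { 0x05, 0x00, 0x0b, 0x03 };
    RX_CTX ctx = { {0}, prefill };
    SIM_RESULT r;
    if (indicated > sizeof tsdu) indicated = (ULONG)sizeof tsdu;  /* stay in bounds */
    r.status = TakeIndicatedData(&ctx, tsdu, indicated, available, &r.taken);
    r.used = ctx.used;
    return r;
}
int main(void)
{
    SIM_RESULT r = SimulateIndication(60, 20, 20);   /* only 4 bytes of room left */
    printf("status=%ld taken=%lu used=%lu\n", r.status, r.taken, r.used);
    return 0;
}
```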

Thanks for the reply,
I found the problem. There was memory corruption happening at one place in
my event handler; I removed it and it works fine now.

Thanks again for the Reply,
Prashant

On 12/28/05, Petr Kurtin wrote:
>
> Hello,
>
> what exactly do you do in your ReceiveEventHandler with the packet? It
> looks like you modified *BytesTaken, BytesAvailable or BytesIndicated
> inappropriately. Is it possible?
>
> bye,
> Petr Kurtin
> --
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
>
> To unsubscribe send a blank email to xxxxx@lists.osr.com