THE SCENARIO:
We run the following configuration: Win2k (SP4), user application,
protocol driver (NDISUIO-like), NDIS miniport driver. The app allocates an
802.3 packet and uses the WriteFile API in order to pass it to the protocol
driver. The protocol driver uses the DO_DIRECT_IO method to get data from the
application. The protocol driver allocates an NDIS_PACKET and chains the
NDIS_BUFFER to it. According to the DDK documentation and the NDISUIO driver
sample, the protocol driver uses the MDL which it gets from
Irp->MdlAddress directly as the NDIS_BUFFER attached to the NDIS_PACKET.
The protocol driver calls the NDIS API (NdisSendPackets). The base virtual
address of the buffer described by the MDL (or NDIS_BUFFER) is a user virtual
space address (allocated by the app).
THE PROBLEM:
The deserialized NDIS miniport driver receives that NDIS_PACKET and calls the API
NdisGetFirstBufferFromPacket() in order to access the buffer in the
packet. The miniport driver gets the USER SPACE (!) virtual address in the
parameter FirstBufferVA passed to NdisGetFirstBufferFromPacket().
Any access to this buffer not in the context of the calling application
thread will cause a system bug check, since the user space virtual address
is no longer accessible in another process context.
On Mon, 2003-11-24 at 11:03, Igor Markov wrote:
[...]
Are you calling MmGetSystemAddressForMdlSafe()? You can't pass a
user-space VA to a miniport.
-sd
What you suggested should be done by NdisGetFirstBufferFromPacket.
Very interesting, our latest findings:
The win2k implementation of NdisGetFirstBufferFromPacket is different from
winXP, and this seems to be an MSFT bug:
in win2k they use:
*(_FirstBufferVA) = MmGetMdlVirtualAddress(_pBuf);
in winxp they use:
*(_FirstBufferVA) = MmGetSystemAddressForMdl(_pBuf);
You may see this in the DDK ndis.h. Funny how things still work over
there...
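To make the difference between the two ndis.h variants concrete, here is an added user-mode model (not DDK, NDISUIO or any code from this thread) of the MDL fields each macro reads, together with the protocol-driver workaround the reply above points at: map the user MDL to system space and describe that address with a fresh buffer before chaining it. The MDL flag values, PAGE_SIZE, the 0x80000000 user/kernel split and all addresses are assumptions of the model.

```c
#include <stdint.h>

/* Added example, not DDK or NDISUIO code: user-mode model of the MDL fields
 * the two ndis.h variants read. Flag values and addresses are assumed. */
#define PAGE_SIZE 4096u
#define MDL_MAPPED_TO_SYSTEM_VA     0x0001
#define MDL_SOURCE_IS_NONPAGED_POOL 0x0004

typedef struct _MDL {
    uint16_t MdlFlags;
    void    *MappedSystemVa;  /* valid only when one of the flags above is set */
    void    *StartVa;         /* page base of the VA the MDL was built from */
    uint32_t ByteCount;
    uint32_t ByteOffset;
} MDL;

/* Win2k ndis.h: MmGetMdlVirtualAddress, the original VA. For the MDL from
 * Irp->MdlAddress that is the app's user-space address. */
static void *Win2k_FirstBufferVA(const MDL *m) {
    return (char *)m->StartVa + m->ByteOffset;
}

/* WinXP ndis.h: MmGetSystemAddressForMdl, which maps the locked pages into
 * system space on first use; the model hands out an assumed kernel address. */
static void *WinXP_FirstBufferVA(MDL *m) {
    if (!(m->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL))) {
        m->MappedSystemVa = (char *)(uintptr_t)(0xF0000000u + m->ByteOffset);
        m->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
    }
    return m->MappedSystemVa;
}

/* Protocol-driver workaround: map the user MDL to system space, then build a
 * fresh buffer over that address (what NdisAllocateBuffer would describe), so
 * even the Win2k accessor returns a VA valid in any process context. */
static MDL BuildSendBuffer(MDL *userMdl) {
    char *sysVa = WinXP_FirstBufferVA(userMdl);
    MDL b;
    b.MdlFlags       = MDL_SOURCE_IS_NONPAGED_POOL;
    b.ByteOffset     = (uint32_t)((uintptr_t)sysVa & (PAGE_SIZE - 1));
    b.StartVa        = sysVa - b.ByteOffset;
    b.MappedSystemVa = sysVa;
    b.ByteCount      = userMdl->ByteCount;
    return b;
}

/* Constructed MDL for a user buffer locked by DO_DIRECT_IO but not yet mapped
 * to system space; the address is a model value. */
static MDL UserWriteMdl(void) {
    MDL m = { 0, 0, (void *)0x00400000u, 1514, 0x10 };
    return m;
}

/* 1 if the VA lies in the model's user range (below 0x80000000), else 0. */
static int IsUserVa(const void *va) { return (uintptr_t)va < 0x80000000u; }
```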