BoomiP asked:


Hi All,

I have an issue when passing the net buffer list to FwpsDereferenceNetBufferList0(), which causes a BSOD. The issue occurs when the NBL flags are accessed from the NBL in WfpNblInfoGetFlags(). But at the calling site (my driver code) the NBL is valid and not NULL; I could see the values in memory. But in FwpsDereferenceNetBufferList0->WfpNblInfoGetFlags, the flags are accessed at address 0x0+0xE0, causing the BSOD.

nt!KiPageFault+0x443 (TrapFrame @ ffff9a8d`163ff4b0)

14: kd> .trap ffff9a8d`163ff4b0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806538ff920 rsp=ffff9a8d163ff648 rbp=0000000000000000
r8=000000000000002a r9=ffffffffffffff00 r10=fffff806538ff920
r11=ffff9a8d163ff400 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
fffff806`538ff920 8b81e0000000 mov eax,dword ptr [rcx+0E0h] ds:00000000`000000e0=????????

This is the NBL memory, and it is valid.

14: kd> dx -r1 ((customdrv!_NET_BUFFER_LIST *)0xffff8a0c9f5d7330)
((customdrv!_NET_BUFFER_LIST *)0xffff8a0c9f5d7330) : 0xffff8a0c9f5d7330 [Type: _NET_BUFFER_LIST *]
[+0x000] Next : 0x0 [Type: _NET_BUFFER_LIST *]
[+0x008] FirstNetBuffer : 0xffff8a0ca5812190 [Type: _NET_BUFFER *]
[+0x000] Link [Type: _SLIST_HEADER]
[+0x000] NetBufferListHeader [Type: _NET_BUFFER_LIST_HEADER]
[+0x010] Context : 0x0 [Type: _NET_BUFFER_LIST_CONTEXT *]
[+0x018] ParentNetBufferList : 0x0 [Type: _NET_BUFFER_LIST *]
[+0x020] NdisPoolHandle : 0xffff8a0c88fd3000 [Type: void *]
[+0x030] NdisReserved [Type: void * [2]]
[+0x040] ProtocolReserved [Type: void * [4]]
[+0x060] MiniportReserved [Type: void * [2]]
[+0x070] Scratch : 0x0 [Type: void *]
[+0x078] SourceHandle : 0x0 [Type: void *]
[+0x080] NblFlags : 0x0 [Type: unsigned long]
[+0x084] ChildRefCount : 0 [Type: long]
[+0x088] Flags : 0x100 [Type: unsigned long]
[+0x08c] Status : 0 [Type: int]
[+0x08c] NdisReserved2 : 0x0 [Type: unsigned long]
[+0x090] NetBufferListInfo [Type: void

When checking the address, it is from nonpaged memory, so the page is memory resident.

14: kd> !pool 0xffff8a0c9f5d7330
Pool page ffff8a0c9f5d7330 region is Nonpaged pool
ffff8a0c9f5d7150 size: 1b0 previous size: 0 (Free) Nnbl
*ffff8a0c9f5d7300 size: 1b0 previous size: 0 (Allocated) *Nnbl
Pooltag Nnbl : NetIO NetBufferLists, Binary : netio.sys
ffff8a0c9f5d74b0 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7660 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7810 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d79c0 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7b70 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7d20 size: 1b0 previous size: 0 (Allocated) USBV

ffff8a0c9f5d7ed0 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

ffff8a0c9f5d7ed0 is not a valid large pool allocation, checking large session pool...
ffff8a0c9f5d7ed0 is not valid pool. Checking for freed (or corrupt) pool
Bad previous allocation size @ffff8a0c9f5d7ed0, last size was 0

An error (or corruption) in the pool was detected;
Attempting to diagnose the problem.

*** Use !poolval ffff8a0c9f5d7000 for more details.

Pool page [ ffff8a0c9f5d7000 ] is INVALID.

Any idea how to debug the issue? Any help would be greatly appreciated.



0 Answers