Wireshark mailing list archives

Re: Npcap 0.03 call for test


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Mon, 3 Aug 2015 23:19:23 +0200

2015-08-03 17:57 GMT+02:00 Yang Luo <hsluoyb () gmail com>:

Hi Pascal,

Thanks for testing. The output of your dump is pasted below. It seems that
the NdisFOidRequest call fails in Npcap's NPF_GetDeviceMTU routine. It is in
the same position as the previous SYSTEM_SERVICE_EXCEPTION BSoD. So I
think they may belong to the same bug. However, I didn't find what's wrong
with this code (go to this link if anyone is interested in the code:
https://github.com/nmap/npcap/blob/master/packetWin7/npf/npf/Openclos.c,
Line: 570). WinDbg said "*An attempt was made to access a pageable (or
completely invalid) address at an interrupt request level (IRQL) that is
too high.*" But actually all arguments of NdisFOidRequest are from the
OPEN_INSTANCE struct and this struct is allocated in a NonPaged pool, so
it's hard to understand the reason.


Hi Yang,

The page
https://msdn.microsoft.com/en-us/library/windows/hardware/ff549954%28v=vs.85%29.aspx
suggests that:
"Before the driver calls *NdisFOidRequest*, the driver must allocate an
*NDIS_OID_REQUEST*
<https://msdn.microsoft.com/en-us/library/windows/hardware/ff566710%28v=vs.85%29.aspx>
structure and transfer the request information to the new structure by
calling *NdisAllocateCloneOidRequest*
<https://msdn.microsoft.com/en-us/library/windows/hardware/ff560706%28v=vs.85%29.aspx>.
As an option, a filter driver can complete a request immediately without
forwarding the request."

When looking at your code, you seem to directly use an array entry in the
OPEN_INSTANCE structure (or at least that's the feeling it gives).
Something missed when porting the code from NDIS5 to NDIS6? This is
properly done in the NPF_OidRequest() function.
Note that I just looked at the code for less than 5 minutes and I'm not
familiar with driver development at all, so I could be completely wrong and
have missed an obvious thing ;)

Regards,
Pascal.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev