FwpsDereferenceNetBufferList0 causes a BSOD

Problem description

I have a problem when passing a network buffer list to FwpsDereferenceNetBufferList0(), which causes a BSOD. The problem occurs when WfpNblInfoGetFlags() accesses the NBL flags in the NBL. However, at the call site (my driver code) the NBL is valid, not NULL; I can see the values in memory. But inside FwpsDereferenceNetBufferList0->WfpNblInfoGetFlags the flags are accessed at address 0x0+0xE0, which causes the BSOD.

nt!RtlpExecuteHandlerForException+0xf
nt!RtlDispatchException+0x297
nt!KiDispatchException+0x186
nt!KiExceptionDispatch+0x12c
nt!KiPageFault+0x443 (TrapFrame @ ffff9a8d`163ff4b0)
NETIO!WfpNblInfoGetFlags
fwpkclnt!FwpsDereferenceNetBufferList0+0x1c

14: kd> .trap ffff9a8d`163ff4b0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806538ff920 rsp=ffff9a8d163ff648 rbp=0000000000000000
r8=000000000000002a r9=ffffffffffffff00 r10=fffff806538ff920
r11=ffff9a8d163ff400 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
NETIO!WfpNblInfoGetFlags:
fffff806`538ff920 8b81e0000000 mov eax,dword ptr [rcx+0E0h] ds:00000000`000000e0=????????

This is the NBL memory; it is valid.

14: kd> dx -r1 ((customdrv!_NET_BUFFER_LIST )0xffff8a0c9f5d7330)
((customdrv!_NET_BUFFER_LIST )0xffff8a0c9f5d7330) : 0xffff8a0c9f5d7330 [Type: _NET_BUFFER_LIST ]
[+0x000] Next : 0x0 [Type: _NET_BUFFER_LIST ]
[+0x008] FirstNetBuffer : 0xffff8a0ca5812190 [Type: _NET_BUFFER ]
[+0x000] Link [Type: _SLIST_HEADER]
[+0x000] NetBufferListHeader [Type: _NET_BUFFER_LIST_HEADER]
[+0x010] Context : 0x0 [Type: _NET_BUFFER_LIST_CONTEXT ]
[+0x018] ParentNetBufferList : 0x0 [Type: _NET_BUFFER_LIST ]
[+0x020] NdisPoolHandle : 0xffff8a0c88fd3000 [Type: void ]
[+0x030] NdisReserved [Type: void [2]]
[+0x040] ProtocolReserved [Type: void [4]]
[+0x060] MiniportReserved [Type: void [2]]
[+0x070] Scratch : 0x0 [Type: void ]
[+0x078] SourceHandle : 0x0 [Type: void ]
[+0x080] NblFlags : 0x0 [Type: unsigned long]
[+0x084] ChildRefCount : 0 [Type: long]
[+0x088] Flags : 0x100 [Type: unsigned long]
[+0x08c] Status : 0 [Type: int]
[+0x08c] NdisReserved2 : 0x0 [Type: unsigned long]
[+0x090] NetBufferListInfo [Type: void [11]]

When I check the address, it comes from nonpaged pool, so the page is resident in memory.

14: kd> !pool 0xffff8a0c9f5d7330
Pool page ffff8a0c9f5d7330 region is Nonpaged pool
ffff8a0c9f5d7150 size: 1b0 previous size: 0 (Free) Nnbl
*ffff8a0c9f5d7300 size: 1b0 previous size: 0 (Allocated) *Nnbl
Pooltag Nnbl : NetIO NetBufferLists, Binary : netio.sys
ffff8a0c9f5d74b0 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7660 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7810 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d79c0 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7b70 size: 1b0 previous size: 0 (Allocated) USBV
ffff8a0c9f5d7d20 size: 1b0 previous size: 0 (Allocated) USBV

ffff8a0c9f5d7ed0 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

ffff8a0c9f5d7ed0 is not a valid large pool allocation, checking large session pool...
ffff8a0c9f5d7ed0 is not valid pool. Checking for freed (or corrupt) pool
Bad previous allocation size @ffff8a0c9f5d7ed0, last size was 0

An error (or corruption) in the pool was detected;
Attempting to diagnose the problem.

*** Use !poolval ffff8a0c9f5d7000 for more details.

Pool page [ ffff8a0c9f5d7000 ] is INVALID.

Any ideas on how to debug this problem? Any help would be appreciated.

Tags: wfp
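An added example, not code from the question or from the WDK: a user-mode C model of the reference/release discipline a callout needs when it defers an NBL (FwpsReferenceNetBufferList0 in classifyFn, then FwpsDereferenceNetBufferList0 exactly once on completion). The Fwps* routines and NET_BUFFER_LIST are replaced by constructed stand-ins so it builds without the WDK; the point is that the completion path clears the stored pointer after its single release, so a second completion or a missing reference can never hand NULL to the dereference routine (the trap frame above shows exactly that case, rcx == 0).

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for NET_BUFFER_LIST: only the reference count matters here. */
typedef struct MockNbl { int refs; unsigned long flags; } MockNbl;

/* Stand-ins for FwpsReferenceNetBufferList0 / FwpsDereferenceNetBufferList0. */
static void mock_reference_nbl(MockNbl *nbl) { nbl->refs++; }
static int mock_dereference_nbl(MockNbl *nbl) {
    if (nbl == NULL) return -1;   /* the real routine would fault here ([rcx+0E0h] with rcx == 0) */
    nbl->refs--;
    return 0;
}

/* Per-packet context a callout keeps while an NBL is deferred (hypothetical layout). */
typedef struct DeferredPacket {
    MockNbl *nbl;        /* set to NULL as soon as the reference has been given back */
    int      released;   /* guards against a second completion */
} DeferredPacket;

/* classifyFn side: take one reference before the NBL leaves the callout. */
int defer_packet(DeferredPacket *ctx, MockNbl *nbl) {
    if (ctx == NULL || nbl == NULL) return -1;
    mock_reference_nbl(nbl);
    ctx->nbl = nbl;
    ctx->released = 0;
    return 0;
}

/* Completion side: release exactly once, then forget the pointer so a later
   completion cannot pass NULL or a stale NBL to the dereference routine. */
int complete_packet(DeferredPacket *ctx) {
    if (ctx == NULL || ctx->released || ctx->nbl == NULL) return -1;
    int rc = mock_dereference_nbl(ctx->nbl);
    ctx->nbl = NULL;
    ctx->released = 1;
    return rc;
}

/* Walks the lifecycle once; returns 0 when every step behaves, else the failing step. */
int demo_lifecycle(void) {
    MockNbl nbl = {1, 0};                 /* constructed: one owner reference held by the stack */
    DeferredPacket ctx = {NULL, 0};
    if (defer_packet(&ctx, &nbl) != 0 || nbl.refs != 2) return 1;
    if (complete_packet(&ctx) != 0 || nbl.refs != 1) return 2;
    if (complete_packet(&ctx) != -1 || nbl.refs != 1) return 3;   /* second completion refused */
    if (defer_packet(&ctx, NULL) != -1) return 4;                 /* NULL never reaches release */
    return 0;
}

int main(void) { printf("lifecycle check: %d\n", demo_lifecycle()); return 0; }
```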

Solution
