Wireshark-dev: Re: [Wireshark-dev] Npcap 0.03 call for test
From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Mon, 3 Aug 2015 23:19:23 +0200


2015-08-03 17:57 GMT+02:00 Yang Luo <hsluoyb@xxxxxxxxx>:
Hi Pascal,

Thanks for testing. The output of your dump is pasted below. It seems that NdisFOidRequest call fails in Npcap's NPF_GetDeviceMTU routine. It is in the same position with the previous SYSTEM_SERVICE_EXCEPTION BSoD. So I think they may belong to the same bug. However, I didn't find what's wrong with this code (go to this link if anyone is interested with the code: https://github.com/nmap/npcap/blob/master/packetWin7/npf/npf/Openclos.c, Line: 570). WinDbg said "An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high." But actually all arguments of NdisFOidRequest are from the OPEN_INSTANCE struct and this struct is allocated in a NonPaged pool, so it's hard to understand its reason.

Hi Yang,

the page https://msdn.microsoft.com/en-us/library/windows/hardware/ff549954%28v=vs.85%29.aspx suggests that:
"Before the driver calls NdisFOidRequest, the driver must allocate an NDIS_OID_REQUEST structure and transfer the request information to the new structure by calling NdisAllocateCloneOidRequest. As an option, a filter driver can complete a request immediately without forwarding the request."

When looking at your code, you seem to use directly an array entry in OPEN_INSTANCE structure (or at least that's the feeling it gives). Something missed when porting the code from NDIS5 to NDIS6? This is properly done in NPF_OidRequest() function.
Note that I just looked at the code during less than 5mn and I'm not familiar with driver development at all so I could be completely wrong and have missed an obvious thing ;)

Regards,
Pascal.