Bug Check In NDIS Intermediate driver. DRIVER_CORRUPTED_EXPOOL (c5) and BAD_POOL_CALLER (c2)

---

• From: "Rajesh Gupta" <guptarajesh@xxxxxxxxx>
• Date: Tue, 6 Sep 2005 15:37:18 -0700

---

All,
Thanks a lot in advance, if someone can help me out with these bugs it would
be great help.
I am having really hard time tracing these two bug checks in my NDIS
intermediate driver. As they are random bug checks, they happen once a while
so i am not sure what is the problem. Both the bug check are coming at the
same location. When i try to free the memory in my driver. Attached is the
memory dump of both the bug checks.

Bad_POOL_CALLER comes when my NDISReturnPacket handler is called by NDIS.
When i receive back the the packet then i try to free the VM, which i have
allocated while indicating the NDIS packet upward.

Driver_CORRUPT_EXPOOL is coming when my NDISSendComplete is called and i am
trying to free the VM which i have allocated while sending the NDIS packet.
In the memory dump it shows i tried to free location 00000001.
I am not sure if is memory 0000001 if valid memory, which i am suppose to
free.
Here is the code which i am using to free (FltCleanPacket) my packet memory
and below that is the code for creating the new packet
(FltCopyPacketBuffers). I am using the same code at both the locations. When
i reviewd my code, then i found out i must use NdisBufferVirtualAddressSafe,
instead of NdisBufferVirtualAddress functions. I am not sure if this is the
problem or its something else. Thanks a lot in advance.

VOID FltCleanPacket(IN PNDIS_PACKET Packet){

PNDIS_BUFFER pNDISBuffer = NULL;

PUCHAR pPacketBuff = NULL;

//Here we have to free all the buffer and memory..

// Packet this is my packet i have to work on Packet

NdisUnchainBufferAtBack(Packet,&pNDISBuffer);

////Get the VM from the Buffer//

pPacketBuff = NdisBufferVirtualAddress(pNDISBuffer);

//// Call free on this VM//

NdisFreeMemory(pPacketBuff,0,0);


//// Free the Buffer//

NdisFreeBuffer(pNDISBuffer);

return;}


VOID

FltCopyPacketBuffers(IN PADAPT pAdapt,IN PNDIS_PACKET Packet,IN PNDIS_PACKET
MyPacket)

{

PNDIS_BUFFER CurrentBuffer;

UINT nBufferCount, TotalPacketLength;

UINT BytesCopied = 0;

PUCHAR pPacketBuff = NULL;

NDIS_STATUS Status = 0;

PNDIS_BUFFER NewBuffer;



if( !Packet || !MyPacket )

return;




NdisQueryPacket(

(PNDIS_PACKET )Packet,

(PUINT )NULL, // Physical Buffer Count

(PUINT )&nBufferCount, // Buffer Count

&CurrentBuffer, // First Buffer

&TotalPacketLength // TotalPacketLength

);


__try{

do{

////We have the Total Packet length, we should allocate the Tagged Memory//

Status = NdisAllocateMemoryWithTag(&pPacketBuff,TotalPacketLength,'piSN');

if(Status != NDIS_STATUS_SUCCESS) {break;}

////Here we shuld allocate the Buffer and chain it to the packet//

NdisAllocateBuffer(&Status,&NewBuffer,pAdapt->BufferPoolHandle,pPacketBuff,TotalPacketLength
);

if(Status != NDIS_STATUS_SUCCESS)

__leave; // Leave __try and eventually return...

////Chain that buffer in the packet//

NdisChainBufferAtFront(MyPacket,NewBuffer);

}while(FALSE);

////We should use the Ndis Copy to copy the whole packet..//

NdisCopyFromPacketToPacketSafe(MyPacket,0,TotalPacketLength,Packet,0,&BytesCopied,NormalPagePriority);

}//__try

__finally

{


}//__finally

}






begin 666 BAD_POOL_CALLER.txt
M,3H@:V0^("%A;F%L>7IE("UV#0HJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ#0HJ(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @
M(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" J
M#0HJ(" @(" @(" @(" @(" @(" @(" @(" @0G5G8VAE8VL@06YA;'ES:7,@
M(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" J#0HJ(" @(" @
M(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @
M(" @(" @(" @(" @(" @(" @(" @(" @(" J#0HJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ#0H-"D)!1%]03T],7T-!3$Q%4B H8S(I#0I4
M:&4@8W5R<F5N="!T:')E860@:7,@;6%K:6YG(&$@8F%D('!O;VP@<F5Q=65S
M="X@(%1Y<&EC86QL>2!T:&ES(&ES(&%T(&$@8F%D($E244P@;&5V96P@;W(@
M9&]U8FQE(&9R965I;F<@=&AE('-A;64@86QL;V-A=&EO;BP@971C+@T*07)G
M=6UE;G1S.@T*07)G,3H@,# P,# P,#<L($%T=&5M<'0@=&\@9G)E92!P;V]L
M('=H:6-H('=A<R!A;')E861Y(&9R965D#0I!<F<R.B P,# P,3$U,RP@*')E
M<V5R=F5D*0T*07)G,SH@,# P,# P,# L($UE;6]R>2!C;VYT96YT<R!O9B!T
M:&4@<&]O;"!B;&]C:PT*07)G-#H@.#DX.6(P,&$L($%D9')E<W,@;V8@=&AE
M(&)L;V-K(&]F('!O;VP@8F5I;F<@9&5A;&QO8V%T960-"@T*1&5B=6=G:6YG
M($1E=&%I;',Z#0HM+2TM+2TM+2TM+2TM+2TM+2T-"@T*#0I"54=#2$5#2U]3
M5%(Z(" P>&,R7S<-"@T*1$5&055,5%]"54-+151?240Z("!$4DE615)?1D%5
M3%0-"@T*0U524D5.5%])4E%,.B @,@T*#0I,05-47T-/3E123TQ?5%)!3E-&
M15(Z("!F<F]M(#@P-38X860P('1O(#@P-30S86,Y#0H-"E-404-+7U1%6%0Z
M(" -"F(Y-#4U.6(T(#@P-38X860P(# P,# P,&,R(# P,# P,# W(# P,# Q
M,34S(&YT(4ME0G5G0VAE8VM%>"LP>#$Y#0IB.30U-6$Q-"!F-S(T-F4X." X
M.3@Y8C P82 P,# P,# P,"!B.30U-6$T,"!N="%%>$9R9650;V]L5VET:%1A
M9RLP>#4Q- T*8CDT-35A,C0@9C<U-V-B.60@.#DX.6(P,&$@,# P,# P,# @
M,# P,# P,# @3D1)4R%.9&ES1G)E94UE;6]R>2LP>#,Y#0I705).24Y'.B!3
M=&%C:R!U;G=I;F0@:6YF;W)M871I;VX@;F]T(&%V86EL86)L92X@1F]L;&]W
M:6YG(&9R86UE<R!M87D@8F4@=W)O;F<N#0IB.30U-6$T,"!F-S4W.&4Q-" X
M.3<R9F8Q," X.3<S9#4V," X.3<R9F8S,"!.4TE01DQ4*S!X-6(Y9 T*8CDT
M-35A-3@@9C<R-C R8C$@.#DW,S-B,C @.#DW,F9F,3 @8CDT-35C.3@@3E-)
M4$9,5"LP>#%E,30-"F(Y-#4U83<T(# P-#4U8C$X(# P,# P,# P(# P,# P
M,# P(&)A8C$Q-C%F($Y$25,A3F1I<U)E='5R;E!A8VME=',K,'AD80T*8CDT
M-35A.3@@8F%B,3$X-CD@.#AE,V,S,3@@.#DU-C$P,C @,# P,# P,# @=V-M
M*S!X-35B,3@-"C@xxxxxxxxx(#@Y.61A,3,P(#@Y.61D.#0X(#@Y-S,S8C(P
M(# P-64P,#5C(&%F9"%!9F1&87-T0V]N;F5C=&EO;E)E8V5I=F4K,'@R9# -
M"F(Y-#4U8S4X(#@P-3@U9F0T(#@X93(Y-C X(# P,# P,# Q(# Y8V)B.#(P
M(#!X.#DY9&$Q,S -"F(Y-#4U9# P(#@P-3@V,3(X(# P,# P-68P(# P,# P
M-65C(# P,# P,# P(&YT(4EO<%AX>$-O;G1R;VQ&:6QE*S!X,C4U#0IB.30U
M-60S-" X,#1D9F0R-" P,# P,#5F," P,# P,#5E8R P,# P,# P,"!N="%.
M=$1E=FEC94EO0V]N=')O;$9I;&4K,'@R. T*8CDT-35D,S0@-V9F93 S,#0@
M,# P,# U9C @,# P,# U96,@,# P,# P,# @;G0A2VE3>7-T96U397)V:6-E
M*S!X9# -"C Y8V)B-V4P(#<W9C0R-F-B(#<Q8C(Q.#$W(# P,# P-68P(# P
M,# P-65C(%-H87)E9%5S97)$871A(5-Y<W1E;4-A;&Q3='5B*S!X- T*,#EC
M8F(W930@-S%B,C$X,3<@,# P,# U9C @,# P,# U96,@,# P,# P,# @;G1D
M;&PA3G1$979I8V5);T-O;G1R;VQ&:6QE*S!X8PT*,#EC8F(X-S0@-S%C,&9D
M9C$@,# P,# U9C @,#EC8F(X86,@,# P,# P,#$@;7-W<V]C:R%74U!296-V
M*S!X,6%F#0HP.6-B8CAB8R P,#8U.60R-2 P,# P,#5F," P.6-B8CDP," P
M,# P,# S,"!74S)?,S(A<F5C=BLP>#@Q#0HP,# P,# P," P,# P,# P," P
M,# P,# P," P,# P,# P," P,# P,# P,"!W8VTK,'@R-3ED,C4-"@T*#0I&
M3TQ,3U=54%])4#H@#0I.4TE01DQ4*S5B.60-"F8W-3=C8CED(#AB-&1F8R @
M(" @(" @(" @;6]V(" @("!E8W@L6V5B<"TP>#1=#0H-"E-934)/3%]35$%#
M2U])3D1%6#H@(#,-"@T*1D],3$]755!?3D%-13H@($UA8VAI;F5/=VYE<@T*
M#0I364U"3TQ?3D%-13H@($Y325!&3%0K-6(Y9 T*#0I-3T153$5?3D%-13H@
M($Y325!&3%0-"@T*24U!1T5?3D%-13H@($Y325!&3%0N<WES#0H-"D1%0E5'
M7T9,4E])34%'15]424U%4U1!35 Z(" T,S!A-V8V. T*#0I35$%#2U]#3TU-
M04Y$.B @:V(-"@T*0E5#2T547TE$.B @,'AC,E\W7TY325!&3%0K-6(Y9 T*
E#0I&;VQL;W=U<#H@36%C:&EN94]W;F5R#0HM+2TM+2TM+2T-"@``
`
end

begin 666 DRIVER_CORRUPTED_EXPOOL.txt
M,CH@:V0^("%A;F%L>7IE("UV#0HJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ#0HJ(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @
M(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" J
M#0HJ(" @(" @(" @(" @(" @(" @(" @(" @0G5G8VAE8VL@06YA;'ES:7,@
M(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" J#0HJ(" @(" @
M(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @(" @
M(" @(" @(" @(" @(" @(" @(" @(" @(" J#0HJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ
M*BHJ*BHJ*BHJ*BHJ*BHJ*BHJ#0H-"D12259%4E]#3U)255!4141?15A03T],
M("AC-2D-"D%N(&%T=&5M<'0@=V%S(&UA9&4@=&\@86-C97-S(&$@<&%G96%B
M;&4@*&]R(&-O;7!L971E;'D@:6YV86QI9"D@861D<F5S<R!A="!A;@T*:6YT
M97)R=7!T(')E<75E<W0@;&5V96P@*$E244PI('1H870@:7,@=&]O(&AI9V@N
M("!4:&ES(&ES#0IC875S960@8GD@9')I=F5R<R!T:&%T(&AA=F4@8V]R<G5P
M=&5D('1H92!S>7-T96T@<&]O;"X@(%)U;B!T:&4@9')I=F5R#0IV97)I9FEE
M<B!A9V%I;G-T(&%N>2!N97<@*&]R('-U<W!E8W0I(&1R:79E<G,L(&%N9"!I
M9B!T:&%T(&1O97-N)W0@='5R;B!U< T*=&AE(&-U;'!R:70L('1H96X@=7-E
M(&=F;&%G<R!T;R!E;F%B;&4@<W!E8VEA;"!P;V]L+@T*07)G=6UE;G1S.@T*
M07)G,3H@,# P,# P,#$L(&UE;6]R>2!R969E<F5N8V5D#0I!<F<R.B P,# P
M,# P,BP@25)13 T*07)G,SH@,# P,# P,# L('9A;'5E(# @/2!R96%D(&]P
M97)A=&EO;BP@,2 ]('=R:71E(&]P97)A=&EO;@T*07)G-#H@.# U-C<T-&8L
M(&%D9')E<W,@=VAI8V@@<F5F97)E;F-E9"!M96UO<GD-"@T*1&5B=6=G:6YG
M($1E=&%I;',Z#0HM+2TM+2TM+2TM+2TM+2TM+2T-"@T*#0I$149!54Q47T)5
M0TM%5%])1#H@($12259%4E]&055,5 T*#0I"54=#2$5#2U]35%(Z(" P>$,U
M#0H-"D-54E)%3E1?25)13#H@(#(-"@T*3$%35%]#3TY44D],7U1204Y31D52
M.B @9G)O;2!F-S(T-F4X."!T;R X,#4V-S0T9@T*#0I44D%07T9204U%.B @
M9C<X8C)A8C @+2T@*"YT<F%P(&9F9F9F9F9F9C<X8C)A8C I#0I%<G)#;V1E
M(#T@,# P,# P,# -"F5A>#TP,# P,#$R82!E8G@].# U.#,S-S@@96-X/3 P
M,# P,# P(&5D>#TP,# P,# P,"!E<VD].#AE,V,P9C@@961I/3 P,# P,# Q
M#0IE:7 ].# U-C<T-&8@97-P/68W.&(R8C(T(&5B<#UF-SAB,F(V."!I;W!L
M/3 @(" @(" @("!N=B!U<"!E:2!P;"!N>B!N82!P92!N8PT*8W,],# P." @
M<W,],# Q," @9',],# R,R @97,],# R,R @9G,],# S," @9W,],# P," @
M(" @(" @(" @("!E9FP],# P,3 R,#(-"FYT(45X1G)E95!O;VQ7:71H5&%G
M*S!X-#-F.@T*.# U-C<T-&8@.# S9C S(" @(" @(" @("!C;7 @(" @(&)Y
M=&4@<'1R(%ME9&E=+#!X,R @(" @(&1S.C P,C,Z,# P,# P,#$]/S\-"E)E
M<V5T=&EN9R!D969A=6QT('-C;W!E#0H-"E-404-+7U1%6%0Z(" -"F8W.&(R
M8C8X(&8W,C0V93@X(#@X93-C,3 P(# P,# P,# P(&8W.&(R8CDT(&YT(45X
M1G)E95!O;VQ7:71H5&%G*S!X-#-F#0IF-SAB,F(W."!F-S4Y8V(Y9" X.&4S
M8S$P," P,# P,# P," P,# P,# P,"!.1$E3(4YD:7-&<F5E365M;W)Y*S!X
M,SD-"E=!4DY)3D<Z(%-T86-K('5N=VEN9"!I;F9O<FUA=&EO;B!N;W0@879A
M:6QA8FQE+B!&;VQL;W=I;F<@9G)A;65S(&UA>2!B92!W<F]N9RX-"F8W.&(R
M8CDT(&8W-3EA-S8V(#@X938S860X(#@X938S8C$P(#@X9&5F,#@X($Y325!&
M3%0K,'@U8CED#0IF-SAB,F)B,"!F-S(V,# V92 X.3<T.#1F," X.&4V,V%D
M." P,# P,# P,"!.4TE01DQ4*S!X,S<V-@T*9C<X8C)B9#0@9C<P,V,Y-V0@
M.#EA-3$Q,S @.#AE-C-A9#@@,# P,# P,# @3D1)4R%N9&ES35-E;F1#;VUP
M;&5T95@K,'@V90T*9C<X8C)B9C@@9C<P,V-A,60@.#DW-&%A-3 @,# W,S<V
M-3@@.#DW-&$W.3 @:6%N<W=X<"LP>#0Y-V0-"F8W.&(R8S$P(&8W,#,X9#EE
M(&8W.&(R8S(X(# P,# P,# U(#@Y-S,W-C4X(&EA;G-W>' K,'@T83%D#0IF
M-SAB,F,S."!F-S(V,# V92 X.3<T83 P." X.3<S-S8U." P,# P,# P,"!I
M86YS=WAP*S!X9#EE#0IF-SAB,F,U8R!F-S$Q,#AD9" X.6$V,#$S," X.3<S
M-S8U." P,# P,# P,"!.1$E3(6YD:7--4V5N9$-O;7!L971E6"LP>#9E#0IF
M-SAB,F,W-"!F-S$Q,&5C92!F-SAB,F,Y-" X.3<S-S8U." P,# P,# P,"!E
M,3 P,#,R-2LP>#AD9 T*9C<X8C)C.&,@9C<Q,35C,#(@.#EA-3-B,C@@.#DW
M,S<V-3@@,# P,# P,# @93$P,# S,C4K,'AE8V4-"F8W.&(R8V(P(&8W,3$U
M,S$X(#@Y.6(X,&8P(#@Y-S,W-C4X(&8W.&(R8V0T(&4Q,# P,S(U*S!X-6,P
M,@T*9C<X8C)C9&,@9C<Q,3 T9C0@,# Y8C@P9C @9C<R-C4P,C4@.#EA-3-B
M,C@@93$P,# S,C4K,'@U,S$X#0IF-SAB,F0U," X,#1E-C%F-R P,# P,# P
M," P,# P,# P92 P,# P,# P,"!E,3 P,#,R-2LP>#1F- T*#0H-"D9/3$Q/
M5U507TE0.B -"DY325!&3%0K-6(Y9 T*9C<U.6-B.60@,# P," @(" @(" @
M(" @("!A9&0@(" @(%ME87A=+&%L#0H-"E-934)/3%]35$%#2U])3D1%6#H@
M(#(-"@T*1D],3$]755!?3D%-13H@($UA8VAI;F5/=VYE<@T*#0I364U"3TQ?
M3D%-13H@($Y325!&3%0K-6(Y9 T*#0I-3T153$5?3D%-13H@($Y325!&3%0-
M"@T*24U!1T5?3D%-13H@($Y325!&3%0N<WES#0H-"D1%0E5'7T9,4E])34%'
M15]424U%4U1!35 Z("!F9F9F9F9F90T*#0I35$%#2U]#3TU-04Y$.B @+G1R
M87 @9F9F9F9F9F9F-SAB,F%B," [(&MB#0H-"D)50TM%5%])1#H@(#!X0S5?
H3E-)4$9,5"LU8CED#0H-"D9O;&QO=W5P.B!-86-H:6YE3W=N97(-"@``
`
end

.

---

• Follow-Ups:
  • Re: Bug Check In NDIS Intermediate driver. DRIVER_CORRUPTED_EXPOOL (c5) and BAD_POOL_CALLER (c2)
    • From: Thomas F. Divine [DDK MVP]

• Prev by Date: Re: 64bit issues
• Next by Date: Re: Repost: DIFxApp Legacy Mode on Windows 2000
• Previous by thread: Re: sequrity question
• Next by thread: Re: Bug Check In NDIS Intermediate driver. DRIVER_CORRUPTED_EXPOOL (c5) and BAD_POOL_CALLER (c2)
• Index(es):
  • Date
  • Thread

---

Relevant Pages CONFIG_PACKET_MMAP revisited ... I've been looking into faster ways to do packet captures and I stumbled on ... In that discussion Jamie Lokier suggested having a memory buffer that's ... shared between user and kernel space and having the NIC do DMA transfers ... (Linux-Kernel) Re: Bug Check In NDIS Intermediate driver. DRIVER_CORRUPTED_EXPOOL (c5) and BAD_POOL_CALLER (c2) ... Actually, I would suggest using NdisQueryBufferinstead of NdisBufferVirtualAddress, although the latter would seem to work OK. ... As they are random bug checks, they happen once a while so i am not sure what is the problem. ... Attached is the memory dump of both the bug checks. ... When i receive back the the packet then i try to free the VM, which i have allocated while indicating the NDIS packet upward. ... (microsoft.public.development.device.drivers) Re: How much RAM needed for low end Ethernet application? ... >> the fact that the Ethernet controller had buffer memory. ... it seems a convenient resource for packet ... How many Ethernet controllers are able to address this memory directly? ... (comp.arch.embedded) Re: Question about NDIS memory management ... Thanks for the reply Stephan - in my original message when I said "NDIS ... nor the memory that make up the ... actual buffer area. ... When the memory is full a new packet and buffer are ... (microsoft.public.development.device.drivers) Internet Explorer wininet.dll URL parsing memory corruption technical details ... Internet Explorer 6.0, 5.5, 5.01 ... 3APA3A, http://www.security.nnov.ru/ bug research ... because it's not typical buffer ... Because translated hostname points to empty memory chunk it contains ... (NT-Bugtraq)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Development  > microsoft.public.development.device.drivers  > 2005-09