Packet Filtering API (PfSetLogBuffer)

I have a question about logging (PfSetLogBuffer) with the MS Packet
Filtering API.
http://msdn.microsoft.com/en-us/library/aa376636.aspx

I know that this API is no longer supported, but it is the only option
for programmatic packet filtering on legacy (pre-Vista) Windows (i.e.
before the Windows Filtering Platform). I only need to filter by IP
(I don't even care about port) so I would prefer not to have to write
a kernel component (an NDIS driver or filter hook driver) -- I'd
prefer to use user-mode APIs for simplicity and stability.

To my question:

I am using the Packet Filtering APIs to drop packets matching certain
IPs I want to filter. The APIs work correctly in this regard -- they
drop the correct packets.

Now I am trying to set up logging, through the use of the PfMakeLog,
PfSetLogBuffer functions. This does not work correctly. In fact, it
appears to smash the stack on my Windows XP SP2 test system.

Consider the following sample function:

<code>

#include <windows.h>
#include <fltdefs.h>   /* PfSetLogBuffer, PFLOGFRAME; link with iphlpapi.lib */
#include <stdio.h>

#define LOG_BUFFER_SIZE 4096   /* size of each log buffer handed to the API */

extern PBYTE  LogBuffer;       /* buffer currently owned by the API (passed to PfMakeLog) */
extern HANDLE hEvent;          /* event passed to PfMakeLog, signaled when log data arrives */

/* CreateThread expects a WINAPI (stdcall) thread routine */
DWORD WINAPI ThreadProc( LPVOID pArg )
{
    DWORD RetVal, EntriesLogged, EntriesLost, BytesWritten;
    CHAR buffer[ MAX_PATH ];   /* never passed to the API; watched for corruption below */

    for( ; ; ) {

        if( WaitForSingleObject( hEvent, INFINITE ) == WAIT_FAILED )
            break;

        /* hand the API a fresh buffer and take back the one it has been filling */
        PBYTE NewBuffer = new BYTE[ LOG_BUFFER_SIZE ];
        RetVal = PfSetLogBuffer( NewBuffer, LOG_BUFFER_SIZE, 64, 1,
                                 &EntriesLogged, &EntriesLost, &BytesWritten );

        PFLOGFRAME* pLogFrame = (PFLOGFRAME*) LogBuffer;

        printf( "Caught packet (rule %d)\r\n", pLogFrame->dwFilterRule );

        delete [] LogBuffer;
        LogBuffer = NewBuffer;

        ResetEvent( hEvent );

    }

    return 0;
}

</code>

This function is spawned via CreateThread and should just wait for log
data (signaled by the hEvent I pass to PfMakeLog when I call it
earlier).

And it does print correctly the first time the function is called.

However, the second time the function is called the stack gets
smashed. Before this call:

RetVal = PfSetLogBuffer( NewBuffer, LOG_BUFFER_SIZE, 64, 1,
&EntriesLogged, &EntriesLost, &BytesWritten );

The buffer (CHAR buffer[ MAX_PATH ] ) contains some junk data. After
that call, the first 8 bytes of the buffer have been overwritten with
the addresses of EntriesLost and BytesWritten. I did not pass the
address of the char buffer to the PfSetLogBuffer function at all.
Therefore, it is somehow overwriting the stack.

In addition, after the second call to this function, the program
segfaults and dies. Given that the char buffer is being overwritten,
I assume there is more massive memory/stack corruption somewhere, and
indeed if I try to unwind the stack with a debugger afterwards the
frame has been totally corrupted.

I do not understand what is going on here. I must be doing something
wrong, but I can't see what. Or are the APIs just buggy?

Thank you very much for any light anyone can shed.
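As an added example (not code from the original post): a bounds-checked walk over the buffer PfSetLogBuffer hands back, covering every frame in the buffer rather than only the first one the post prints. The struct is my recollection of the PFLOGFRAME layout in fltdefs.h and is an assumption to check against the SDK header; walking by dwTotalSizeUsed and the sample bytes are likewise constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed mirror of the PFLOGFRAME layout in fltdefs.h (check your SDK header);
   fixed-width types so this compiles off Windows as well. */
typedef struct {
    int64_t  Timestamp;
    uint32_t pfeTypeOfFrame;
    uint32_t dwTotalSizeUsed;   /* bytes this frame occupies, header included */
    uint32_t dwFilterRule;
    uint16_t wSizeOfAdditionalData;
    uint16_t wSizeOfIpHeader;
    uint32_t dwInterfaceName;
    uint32_t dwIPIndex;
    uint8_t  bPacketData[1];    /* variable-length packet bytes follow */
} LogFrame;
#define FRAME_HDR offsetof(LogFrame, bPacketData)

/* Walk the frames in buf[0..used), 'used' being the pdwSizeUsed value PfSetLogBuffer
   returned. Each size field is checked against the bytes actually written before it is
   trusted; matched rules go to rules[] (at most max). Returns frame count, or -1 on a
   truncated or oversized frame (the rest of the buffer is then not to be trusted). */
int walk_log(const uint8_t *buf, size_t used, uint32_t *rules, size_t max)
{
    size_t off = 0, n = 0;
    while (off < used) {
        LogFrame hdr;
        if (used - off < FRAME_HDR) return -1;                 /* truncated header */
        memcpy(&hdr, buf + off, FRAME_HDR);                    /* copy out: no misaligned read */
        if (hdr.dwTotalSizeUsed < FRAME_HDR || hdr.dwTotalSizeUsed > used - off) return -1;
        if (n < max) rules[n] = hdr.dwFilterRule;
        off += hdr.dwTotalSizeUsed;
        n++;
    }
    return (int)n;
}

/* Constructed sample: two frames carrying a 20-byte IPv4 header stub; with bad != 0 a
   third frame claims 1000 bytes that were never written, which walk_log must reject. */
int frames_in_sample(int bad, uint32_t *rules, size_t max)
{
    uint8_t buf[256], ip[20] = { 0x45 };
    LogFrame hdr = { 0 };
    size_t used = 0;
    for (uint32_t rule = 1; rule <= (bad ? 3u : 2u); rule++) {
        hdr.dwFilterRule = rule;
        hdr.wSizeOfIpHeader = sizeof ip;
        hdr.dwTotalSizeUsed = (uint32_t)(FRAME_HDR + sizeof ip) + (rule == 3 ? 1000 : 0);
        memcpy(buf + used, &hdr, FRAME_HDR);
        memcpy(buf + used + FRAME_HDR, ip, sizeof ip);
        used += FRAME_HDR + sizeof ip;
    }
    return walk_log(buf, used, rules, max);
}
```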