Tdi Bluescreen

Hi
I want to send UDP packets over the Ethernet. The driver must work on and
windows server 2003 OS and so the Winsock for Kernel are no option. So I use
the TDI. I can open an port and close an port without problems. But when i
want to send an packet i got an BSOD.

Sendroutine:

// send an udp packet to an spezific port and ip
NTSTATUS UdpToTdi_SendData(UDP_PORT_INFO* port, ushort destPort, ulong
destIp, uchar *data, uint size)
{
NTSTATUS status = STATUS_SUCCESS;
NDIS_STATUS ndis_status = NDIS_STATUS_SUCCESS;
PNDIS_BUFFER ndis_buffer;
PMDL pMdl;

if(gl_StatusInit == 0)
{
DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: TDI not
initialized\n");
return STATUS_ACCESS_DENIED;
}

if(size == 0 || data == NULL || destPort == 0 || destIp == 0 || port
== NULL)
{
DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: Invalid
Parameters\n");
return STATUS_ACCESS_DENIED;
}

port->addr.TAAddressCount = 1;
port->addr.Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
port->addr.Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
port->addr.Address[0].Address[0].sin_port =
RtlUshortByteSwap(destPort);
port->addr.Address[0].Address[0].in_addr =
RtlUlongByteSwap(destIp);
port->addr.Address[0].Address[0].sin_zero[0] = 0;
port->addr.Address[0].Address[0].sin_zero[1] = 0;
port->addr.Address[0].Address[0].sin_zero[2] = 0;
port->addr.Address[0].Address[0].sin_zero[3] = 0;
port->addr.Address[0].Address[0].sin_zero[4] = 0;
port->addr.Address[0].Address[0].sin_zero[5] = 0;
port->addr.Address[0].Address[0].sin_zero[6] = 0;
port->addr.Address[0].Address[0].sin_zero[7] = 0;

port->tdiInfo.UserDataLength = 0;
port->tdiInfo.UserData = 0;
port->tdiInfo.OptionsLength = 0;
port->tdiInfo.Options = 0;
port->tdiInfo.RemoteAddressLength = sizeof(port->addr);
port->tdiInfo.RemoteAddress = &port->addr;

port->pIrp = TdiBuildInternalDeviceControlIrp(TDI_SEND_DATAGRAM ,
gl_pDevice,
port->pAddrFileObj,
NULL,
&port->IoStatus);

if(port->pIrp == NULL)
{
DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata:
TdiBuildInternalDeviceControlIrp failed\n");
return STATUS_ACCESS_DENIED;
}

pMdl = IoAllocateMdl(&data, size, FALSE, FALSE, NULL);

if(pMdl == NULL)
{
DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: Allocating pMdl not
successfull\n");
return STATUS_ACCESS_DENIED;
}

_try
{
MmProbeAndLockPages(pMdl, KernelMode, IoModifyAccess);
}
_except(EXCEPTION_EXECUTE_HANDLER)



{



DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata:
MmProbeAndLockPages() failed\n");
return STATUS_ACCESS_DENIED;
}

TdiBuildSendDatagram(port->pIrp,
gl_pDevice,
port->pAddrFileObj,
(PIO_COMPLETION_ROUTINE) UdpToTdi_SendComplete, //
completion routine
pMdl,//ndis_buffer,
// completion context
pMdl,//ndis_buffer,
size,
&port->tdiInfo);

if(port->pIrp != NULL && gl_pDevice != NULL)
status = IoCallDriver(gl_pDevice, port->pIrp);

if(status != STATUS_SUCCESS && status != STATUS_PENDING)
DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: IoCallDriver
failed\n");

return status;
}

// callback function for the send function
NTSTATUS UdpToTdi_SendComplete(PDEVICE_OBJECT obj, PIRP Irp, PVOID
pContext)
{
TDI_STATUS Status = Irp->IoStatus.Status;
PMDL pMdl = (PMDL)pContext;

DbgPrint("SendComplete arrived\n");

if (Status)
DbgPrint("TdiInterfaceUdp::UdpToTdi_SendComplete: Error %d during
sending an paket\n", Status);

if(pMdl != NULL)
IoFreeMdl(pMdl);

if(Irp != NULL)
IoFreeIrp(Irp);
else
DbgPrint("Irp == NULL\n");
return STATUS_MORE_PROCESSING_REQUIRED;
}

BlueScreen:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b936bcf4, The address that the exception occurred at
Arg3: b902bc5c, Exception Record Address
Arg4: b902b958, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
tcpip!TCPDispatchInternalDeviceControl+36
b936bcf4 8b4810 mov ecx,dword ptr [eax+10h]

EXCEPTION_RECORD: b902bc5c -- (.exr 0xffffffffb902bc5c)
ExceptionAddress: b936bcf4 (tcpip!TCPDispatchInternalDeviceControl+0x00000036 )
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 65732084
Attempt to read from address 65732084

CONTEXT: b902b958 -- (.cxr 0xffffffffb902b958)
eax=65732074 ebx=00000000 ecx=89db8a68 edx=89abe098 esi=89abe098 edi=89abe108
eip=b936bcf4 esp=b902bd24 ebp=b902bd30 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
tcpip!TCPDispatchInternalDeviceControl+0x36:
b936bcf4 8b4810 mov ecx,dword ptr [eax+10h] ds:0023:65732084=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 11

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 65732084

READ_ADDRESS: 65732084

FOLLOWUP_IP:
ITCTECCTI!UdpToTdi_SendData+2f7
[c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\tdii nterfaceudp.c @ 342]
b80e8bb7 8945d8 mov dword ptr [ebp-28h],eax

BUGCHECK_STR: 0x7E

EXCEPTION_STR: 0x0

LAST_CONTROL_TRANSFER: from 8081df85 to b936bcf4

STACK_TEXT:
b902bd30 8081df85 89db8a68 89abe098 89a8c460
tcpip!TCPDispatchInternalDeviceControl+0x36
b902bd44 b80e8bb7 0124b395 00000000 89a8c460 nt!IoCsqInitializeEx+0xf
b902bd90 b80e82eb 88c2af84 00001000 5802a8c0
ITCTECCTI!UdpToTdi_SendData+0x2f7
[c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\tdii nterfaceudp.c @ 342]
b902bdac 80949b7c 00000000 00000000 00000000 ITCTECCTI!TimingThread+0x3b
[c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\itct ecctidriver.c @ 241]
b902bddc 8088e092 b80e82b0 00000000 00000000
nt!NtSetInformationJobObject+0x58c
00000000 00000000 00000000 00000000 00000000 nt!HalDispatchTable+0x1a


FAULTING_SOURCE_CODE:
No source found for
'c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\tdi interfaceudp.c'


SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: ITCTECCTI!UdpToTdi_SendData+2f7

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ITCTECCTI

IMAGE_NAME: ITCTECCTI.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a42210e

STACK_COMMAND: .cxr 0xffffffffb902b958 ; kb

FAILURE_BUCKET_ID: 0x7E_ITCTECCTI!UdpToTdi_SendData+2f7

BUCKET_ID: 0x7E_ITCTECCTI!UdpToTdi_SendData+2f7

Followup: MachineOwner
---------


If somebody see an error please tell me. THANKS. Sory for asking again but i
dont know where the error could be and thats not really funny!

Harald

You've been told several times that you need to learn how to debug
in kernel mode. No offense please, this is not trivial and does
require some learning. Asking here every time when you get a BSOD
is indeed not funny, people may ignore you other time when you
come with a more interesting issue. Perhaps, find somebody to
help you offline.

Good luck,
--pa


Harald wrote:
> Hi
> I want to send UDP packets over the Ethernet. The driver must work on and
> windows server 2003 OS and so the Winsock for Kernel are no option. So I use
> the TDI. I can open an port and close an port without problems. But when i
> want to send an packet i got an BSOD.
>
> Sendroutine:
>
> // send an udp packet to an spezific port and ip
> NTSTATUS UdpToTdi_SendData(UDP_PORT_INFO* port, ushort destPort, ulong
> destIp, uchar *data, uint size)
> {
> NTSTATUS status = STATUS_SUCCESS;
> NDIS_STATUS ndis_status = NDIS_STATUS_SUCCESS;
> PNDIS_BUFFER ndis_buffer;
> PMDL pMdl;
>
> if(gl_StatusInit == 0)
> {
> DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: TDI not
> initialized\n");
> return STATUS_ACCESS_DENIED;
> }
>
> if(size == 0 || data == NULL || destPort == 0 || destIp == 0 || port
> == NULL)
> {
> DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: Invalid
> Parameters\n");
> return STATUS_ACCESS_DENIED;
> }
>
> port->addr.TAAddressCount = 1;
> port->addr.Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
> port->addr.Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
> port->addr.Address[0].Address[0].sin_port =
> RtlUshortByteSwap(destPort);
> port->addr.Address[0].Address[0].in_addr =
> RtlUlongByteSwap(destIp);
> port->addr.Address[0].Address[0].sin_zero[0] = 0;
> port->addr.Address[0].Address[0].sin_zero[1] = 0;
> port->addr.Address[0].Address[0].sin_zero[2] = 0;
> port->addr.Address[0].Address[0].sin_zero[3] = 0;
> port->addr.Address[0].Address[0].sin_zero[4] = 0;
> port->addr.Address[0].Address[0].sin_zero[5] = 0;
> port->addr.Address[0].Address[0].sin_zero[6] = 0;
> port->addr.Address[0].Address[0].sin_zero[7] = 0;
>
> port->tdiInfo.UserDataLength = 0;
> port->tdiInfo.UserData = 0;
> port->tdiInfo.OptionsLength = 0;
> port->tdiInfo.Options = 0;
> port->tdiInfo.RemoteAddressLength = sizeof(port->addr);
> port->tdiInfo.RemoteAddress = &port->addr;
>
> port->pIrp = TdiBuildInternalDeviceControlIrp(TDI_SEND_DATAGRAM ,
> gl_pDevice,
> port->pAddrFileObj,
> NULL,
> &port->IoStatus);
>
> if(port->pIrp == NULL)
> {
> DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata:
> TdiBuildInternalDeviceControlIrp failed\n");
> return STATUS_ACCESS_DENIED;
> }
>
> pMdl = IoAllocateMdl(&data, size, FALSE, FALSE, NULL);
>
> if(pMdl == NULL)
> {
> DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: Allocating pMdl not
> successfull\n");
> return STATUS_ACCESS_DENIED;
> }
>
> _try
> {
> MmProbeAndLockPages(pMdl, KernelMode, IoModifyAccess);
> }
> _except(EXCEPTION_EXECUTE_HANDLER)
>
>
>
> {
>
>
>
> DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata:
> MmProbeAndLockPages() failed\n");
> return STATUS_ACCESS_DENIED;
> }
>
> TdiBuildSendDatagram(port->pIrp,
> gl_pDevice,
> port->pAddrFileObj,
> (PIO_COMPLETION_ROUTINE) UdpToTdi_SendComplete, //
> completion routine
> pMdl,//ndis_buffer,
> // completion context
> pMdl,//ndis_buffer,
> size,
> &port->tdiInfo);
>
> if(port->pIrp != NULL && gl_pDevice != NULL)
> status = IoCallDriver(gl_pDevice, port->pIrp);
>
> if(status != STATUS_SUCCESS && status != STATUS_PENDING)
> DbgPrint("TdiInterfaceUdp::UdpToTdi_Senddata: IoCallDriver
> failed\n");
>
> return status;
> }
>
> // callback function for the send function
> NTSTATUS UdpToTdi_SendComplete(PDEVICE_OBJECT obj, PIRP Irp, PVOID
> pContext)
> {
> TDI_STATUS Status = Irp->IoStatus.Status;
> PMDL pMdl = (PMDL)pContext;
>
> DbgPrint("SendComplete arrived\n");
>
> if (Status)
> DbgPrint("TdiInterfaceUdp::UdpToTdi_SendComplete: Error %d during
> sending an paket\n", Status);
>
> if(pMdl != NULL)
> IoFreeMdl(pMdl);
>
> if(Irp != NULL)
> IoFreeIrp(Irp);
> else
> DbgPrint("Irp == NULL\n");
> return STATUS_MORE_PROCESSING_REQUIRED;
> }
>
> BlueScreen:
>
> SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
> This is a very common bugcheck. Usually the exception address pinpoints
> the driver/function that caused the problem. Always note this address
> as well as the link date of the driver/image that contains this address.
> Some common problems are exception code 0x80000003. This means a hard
> coded breakpoint or assertion was hit, but this system was booted
> /NODEBUG. This is not supposed to happen as developers should never have
> hardcoded breakpoints in retail code, but ...
> If this happens, make sure a debugger gets connected, and the
> system is booted /DEBUG. This will let us see why this breakpoint is
> happening.
> Arguments:
> Arg1: c0000005, The exception code that was not handled
> Arg2: b936bcf4, The address that the exception occurred at
> Arg3: b902bc5c, Exception Record Address
> Arg4: b902b958, Context Record Address
>
> Debugging Details:
> ------------------
>
>
> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
> referenced memory at "0x%08lx". The memory could not be "%s".
>
> FAULTING_IP:
> tcpip!TCPDispatchInternalDeviceControl+36
> b936bcf4 8b4810 mov ecx,dword ptr [eax+10h]
>
> EXCEPTION_RECORD: b902bc5c -- (.exr 0xffffffffb902bc5c)
> ExceptionAddress: b936bcf4 (tcpip!TCPDispatchInternalDeviceControl+0x00000036 )
> ExceptionCode: c0000005 (Access violation)
> ExceptionFlags: 00000000
> NumberParameters: 2
> Parameter[0]: 00000000
> Parameter[1]: 65732084
> Attempt to read from address 65732084
>
> CONTEXT: b902b958 -- (.cxr 0xffffffffb902b958)
> eax=65732074 ebx=00000000 ecx=89db8a68 edx=89abe098 esi=89abe098 edi=89abe108
> eip=b936bcf4 esp=b902bd24 ebp=b902bd30 iopl=0 nv up ei ng nz na po cy
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
> tcpip!TCPDispatchInternalDeviceControl+0x36:
> b936bcf4 8b4810 mov ecx,dword ptr [eax+10h] ds:0023:65732084=????????
> Resetting default scope
>
> CUSTOMER_CRASH_COUNT: 11
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
>
> CURRENT_IRQL: 0
>
> ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
> memory at "0x%08lx". The memory could not be "%s".
>
> EXCEPTION_PARAMETER1: 00000000
>
> EXCEPTION_PARAMETER2: 65732084
>
> READ_ADDRESS: 65732084
>
> FOLLOWUP_IP:
> ITCTECCTI!UdpToTdi_SendData+2f7
> [c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\tdii nterfaceudp.c @ 342]
> b80e8bb7 8945d8 mov dword ptr [ebp-28h],eax
>
> BUGCHECK_STR: 0x7E
>
> EXCEPTION_STR: 0x0
>
> LAST_CONTROL_TRANSFER: from 8081df85 to b936bcf4
>
> STACK_TEXT:
> b902bd30 8081df85 89db8a68 89abe098 89a8c460
> tcpip!TCPDispatchInternalDeviceControl+0x36
> b902bd44 b80e8bb7 0124b395 00000000 89a8c460 nt!IoCsqInitializeEx+0xf
> b902bd90 b80e82eb 88c2af84 00001000 5802a8c0
> ITCTECCTI!UdpToTdi_SendData+0x2f7
> [c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\tdii nterfaceudp.c @ 342]
> b902bdac 80949b7c 00000000 00000000 00000000 ITCTECCTI!TimingThread+0x3b
> [c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\itct ecctidriver.c @ 241]
> b902bddc 8088e092 b80e82b0 00000000 00000000
> nt!NtSetInformationJobObject+0x58c
> 00000000 00000000 00000000 00000000 00000000 nt!HalDispatchTable+0x1a
>
>
> FAULTING_SOURCE_CODE:
> No source found for
> 'c:\itcteccti\test_wdf_itcteccti\wdf_itcteccti\tdi interfaceudp.c'
>
>
> SYMBOL_STACK_INDEX: 2
>
> SYMBOL_NAME: ITCTECCTI!UdpToTdi_SendData+2f7
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: ITCTECCTI
>
> IMAGE_NAME: ITCTECCTI.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 4a42210e
>
> STACK_COMMAND: .cxr 0xffffffffb902b958 ; kb
>
> FAILURE_BUCKET_ID: 0x7E_ITCTECCTI!UdpToTdi_SendData+2f7
>
> BUCKET_ID: 0x7E_ITCTECCTI!UdpToTdi_SendData+2f7
>
> Followup: MachineOwner
> ---------
>
>
> If somebody see an error please tell me. THANKS. Sory for asking again but i
> dont know where the error could be and thats not really funny!
>
> Harald

Hi

I know that i have to learn to interpret the debugmessages but i dont see
the error. Is it rigth that the bluescreen is because there is a nullpointer
as parameter. But the Nullpointer is notin my code because when i watch the
local variables in the debugger they are all not null.

Harald

You were given a link to working TDI samples in past. Look at them, compile
them, debug them. After check your code and compare the differences. Find
out the bugs introduced in your code. Do it yourself. I can help, but there
is a difference between _helping_ and __fullfiling job for your__. We helped
you - we gave you enough information and advises. Now you have to implement
it on your own. C'est la vie

--
Volodymyr M. Shcherbyna, blog: http://www.shcherbyna.com/
(This posting is provided "AS IS" with no warranties, and confers no
rights)

"Harald" <> a écrit dans le message de
news:E4016556-636F-461C-BBFA-...
> Hi
>
> I know that i have to learn to interpret the debugmessages but i dont see
> the error. Is it rigth that the bluescreen is because there is a
> nullpointer
> as parameter. But the Nullpointer is notin my code because when i watch
> the
> local variables in the debugger they are all not null.
>
> Harald
>
> __________ Information from ESET Smart Security, version of virus
> signature database 4186 (20090624) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
>
>


__________ Information from ESET Smart Security, version of virus signature database 4186 (20090624) __________

The message was checked by ESET Smart Security.

http://www.eset.com