[Winpcap-bugs] WinPcap 4.1.1 - BSOD

Boaz Brickner boaz.brickner at gmail.com
Fri Nov 13 00:05:13 PST 2009 

Hi,

It seems the zip file was corrupted.
I've rezipped it, uploaded it, and here are the different parameters on the
zip file.

BoazMEMORY3.zip
56478352 bytes

ADLER32: cf6243a1
CRC32: 0ac90d25
MD2: 5a6af575a6321cd270af60dfd3e9ad22
MD4: b922517648db0a9f75f79aeb0ef9c68b
MD5: 6001d5fda98dc209f54b43a41c18930a
SHA1: ee5b542b4fead9b4b0a91f91847527fca6ea83ea
SHA256: 373ec76e3ba7431c83c9508219ae20b1a132a714c8eddf296405d7ea8ba141e1
SHA384:
45ca4d2049dde87e6ec313d48356b839b817fe51c96bfcf5c9fcbe45e066915959efe7ef403363fe4424e1c38091fb72
SHA512:
270ba74400a79a889e1480f3f37f51de1a728895a10de502b78ccd1bff982a0b2a6701b67c9eaa4cc3db2fcf44c524b8ecb401dd53afb7604806933c8daddb64
RIPEMD128: 02b0cf064234ec8ba6190a4584f29d3d
RIPEMD160: d55ebced51778c48a14ef0fcf5772925466cea34
TIGER128: 2ca256a32a6178908ef849b5298ab5ec
TIGER160: 2ca256a32a6178908ef849b5298ab5ecb0b45815
TIGER192: 2ca256a32a6178908ef849b5298ab5ecb0b458152e4a6294
GOST: 5284d47812e1256d7894b187a3f54b3da0c9f5de3ec0a247d01a1da9b2f7d789

On Fri, Nov 13, 2009 at 01:52, Gianluca Varenni <
gianluca.varenni at cacetech.com> wrote:

>  It looks like the file got corrupted during the upload.
>
> Can you please upload it again, and provide me the SHA1 or MD5 checksum of
> the zip file?
>
> Have a nice day
> GV
>
>
> ----- Original Message -----
>  *From:* Boaz Brickner <boaz.brickner at gmail.com>
> *To:* Gianluca Varenni <gianluca.varenni at cacetech.com>
> *Cc:* winpcap-bugs at winpcap.org
>  *Sent:* Thursday, November 12, 2009 3:05 PM
> *Subject:* Re: [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>
> Hi,
>
> I've just uploaded a 45 MB zip file containing the kernel dump.
> I hope this helps.
>
> Boaz.
>
> On Thu, Nov 12, 2009 at 23:45, Gianluca Varenni <
> gianluca.varenni at cacetech.com> wrote:
>
>>  Would it be possible for you to enable kernel crash dumps and try to
>> crash your machine as well?
>>
>> Have a nice day
>> GV
>>
>>  ----- Original Message -----
>>  *From:* Boaz Brickner <boaz.brickner at gmail.com>
>>   *To:* Gianluca Varenni <gianluca.varenni at cacetech.com>
>> *Cc:* winpcap-bugs at winpcap.org
>> *Sent:* Thursday, November 12, 2009 1:41 PM
>> *Subject:* Re: [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>>
>> Hi,
>>
>> I've uploaded 2 Windows XP mini dumps to
>> ftp://www.winpcap.org/pub/incoming/ and I hope it got there.
>> There are also 6 Windows 7 mini dumps publicly available in
>> http://www.sevenforums.com/crashes-debugging/37276-bsod-windows-7-professional-64-bit.html
>>
>> Thank you,
>>
>> Boaz.
>>
>> On Thu, Nov 12, 2009 at 22:22, Gianluca Varenni <
>> gianluca.varenni at cacetech.com> wrote:
>>
>>>  I analyzed the stack trace that you sent below, and it's definitely a
>>> NULL pointer dereference, that should not happen (in the sense that such
>>> pointer should not be null, it comes from the OS itself). In order to
>>> further investigate the problem, however, I need to have a kernel memory
>>> dump, so that I can get a look at the variables on the stack...
>>>
>>>
>>> Have a nice day
>>> GV
>>>
>>>
>>>  ----- Original Message -----
>>>  *From:* Boaz Brickner <boaz.brickner at gmail.com>
>>> *To:* winpcap-bugs at winpcap.org
>>> *Sent:* Thursday, November 12, 2009 11:03 AM
>>> *Subject:* [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>>>
>>>   Hi,
>>>
>>> I'm working on a new wrapper for WinPcap in .Net call Pcap.Net.
>>> I've recently tried to upgrade Pcap.Net project (
>>> http://pcapdotnet.codeplex.com) to WinPcap 4.1.1 to support Windows 7
>>> (I've used WinPcap 4.0.2 before).
>>>
>>> When I run my different unit tests that use all kinds of WinPcap's
>>> features while using my network drive, I'm getting a Blue Screen Of Death
>>> (BSOD) - Windows Crash.
>>> I've managed to get BSOD both on Windows 7 Professional 64 bit and on
>>> Windows XP SP3 32 bit (two different computer systems).
>>> Before I've upgraded to WinPcap 4.1.1 I've never got a BSOD (Windows XP
>>> SP3).
>>>
>>> *It seems this BSOD is caused by WinPcap's npf driver.*
>>>
>>> At first I thought this problem is caused by Windows 7 or a combination
>>> of Windows 7 and WinPcap.
>>> After I've seen that this problem also appears on my Windows XP that
>>> never experienced this problem before, I believe this is not the case and it
>>> is caused by WinPcap 4.1.1 alone.
>>>
>>> Since a full reboot is needed after the BSOD appears, I'm having a hard
>>> time figuring out what exactly causes this problem.
>>>
>>> If you want to try and recreate this problem you are welcome to use
>>> WinPcap 4.1.1 and download the latest source from Pcap.Net project site
>>> (changeset 30721):
>>>
>>> http://pcapdotnet.codeplex.com/SourceControl/ListDownloadableCommits.aspx
>>>
>>> If you're having troubles compiling and running the unit tests using
>>> Visual Studio Team Suite 2008 SP1, you are welcome to contact me and I'll
>>> try to help you with it. Sometimes more than one run of all the unit tests
>>> may be needed to cause the crash and you might need to do use your network
>>> drive (by downloading a file for example) to make the BSOD appear.
>>>
>>>
>>> Also see my post on Windows 7 forums:
>>>
>>> http://www.sevenforums.com/crashes-debugging/37276-bsod-windows-7-professional-64-bit.html
>>>
>>> *
>>> Details from Windows 7 mini dump (note that npf.sys is specifically
>>> referenced):*
>>>
>>> IRQL_NOT_LESS_OR_EQUAL (a)
>>> An attempt was made to access a pageable (or completely invalid) address
>>> at an
>>> interrupt request level (IRQL) that is too high.  This is usually
>>> caused by drivers using improper addresses.
>>> If a kernel debugger is available get the stack backtrace.
>>> Arguments:
>>> Arg1: 0000000000003178, memory referenced
>>> Arg2: 0000000000000002, IRQL
>>> Arg3: 0000000000000001, bitfield :
>>>     bit 0 : value 0 = read operation, 1 = write operation
>>>     bit 3 : value 0 = not an execute operation, 1 = execute operation
>>> (only on chips which support this level of status)
>>> Arg4: fffff80003eccb75, address which referenced memory
>>>
>>> Debugging Details:
>>> ------------------
>>>
>>>
>>> WRITE_ADDRESS: GetPointerFromAddress: unable to read from
>>> fffff800040fa0e0
>>>  0000000000003178
>>>
>>> CURRENT_IRQL:  2
>>>
>>> FAULTING_IP:
>>> nt!KeAcquireSpinLockRaiseToDpc+55
>>> fffff800`03eccb75 f0480fba2900    lock bts qword ptr [rcx],0
>>>
>>> CUSTOMER_CRASH_COUNT:  1
>>>
>>> DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
>>>
>>> BUGCHECK_STR:  0xA
>>>
>>> PROCESS_NAME:  VSTestHost.exe
>>>
>>> TRAP_FRAME:  fffff8800909b7b0 -- (.trap 0xfffff8800909b7b0)
>>> NOTE: The trap frame does not contain all registers.
>>> Some register values may be zeroed or incorrect.
>>> rax=0000000000000002 rbx=0000000000000000 rcx=0000000000003178
>>> rdx=0000000000000085 rsi=0000000000000000 rdi=0000000000000000
>>> rip=fffff80003eccb75 rsp=fffff8800909b940 rbp=0000000000003178
>>>  r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
>>> r11=fffff8800909b980 r12=0000000000000000 r13=0000000000000000
>>> r14=0000000000000000 r15=0000000000000000
>>> iopl=0         nv up ei pl nz na po nc
>>> nt!KeAcquireSpinLockRaiseToDpc+0x55:
>>> fffff800`03eccb75 f0480fba2900    lock bts qword ptr [rcx],0
>>> ds:00000000`00003178=????????????????
>>> Resetting default scope
>>>
>>> LAST_CONTROL_TRANSFER:  from fffff80003ec3469 to fffff80003ec3f00
>>>
>>> STACK_TEXT:
>>> fffff880`0909b668 fffff800`03ec3469 : 00000000`0000000a 00000000`00003178
>>> 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
>>> fffff880`0909b670 fffff800`03ec20e0 : 00000000`00000000 00000000`00000000
>>> 00000000`00000000 fffff800`03eca1a2 : nt!KiBugCheckDispatch+0x69
>>> fffff880`0909b7b0 fffff800`03eccb75 : fffffa80`03e5c3f0 00000000`08004870
>>> 00000000`00000001 fffffa80`06a57900 : nt!KiPageFault+0x260
>>> fffff880`0909b940 fffff880`05c02ef5 : fffffa80`0677d990 00000000`00000000
>>> fffffa80`0677d8c0 00000000`00000000 : nt!KeAcquireSpinLockRaiseToDpc+0x55
>>> fffff880`0909b990 fffffa80`0677d990 : 00000000`00000000 fffffa80`0677d8c0
>>> 00000000`00000000 fffffa80`0677d8c0 : npf+0x2ef5
>>> fffff880`0909b998 00000000`00000000 : fffffa80`0677d8c0 00000000`00000000
>>> fffffa80`0677d8c0 fffff880`05c03edf : 0xfffffa80`0677d990
>>>
>>>
>>> STACK_COMMAND:  kb
>>>
>>> FOLLOWUP_IP:
>>> npf+2ef5
>>> fffff880`05c02ef5 ??              ???
>>>
>>> SYMBOL_STACK_INDEX:  4
>>>
>>> SYMBOL_NAME:  npf+2ef5
>>>
>>> FOLLOWUP_NAME:  MachineOwner
>>>
>>> *MODULE_NAME: npf
>>>
>>> IMAGE_NAME:  npf.sys*
>>>
>>> DEBUG_FLR_IMAGE_TIMESTAMP:  4addfab3
>>>
>>> FAILURE_BUCKET_ID:  X64_0xA_npf+2ef5
>>>
>>>
>>>  ------------------------------
>>>
>>> _______________________________________________
>>> Winpcap-bugs mailing list
>>> Winpcap-bugs at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-bugs
>>>
>>>
>>
>  ------------------------------
>
> _______________________________________________
> Winpcap-bugs mailing list
> Winpcap-bugs at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-bugs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20091113/cf23d4bb/attachment.htm

More information about the Winpcap-bugs mailing list