tcpcrypt
Vista BSOD
With tcpcrypt started under Windows Vista, I have had multiple BSODs. I can't provide much useful information (it flashes off the screen too quickly) other than that the most recent one occurred in passthru.sys.
On restart, Vista says:
Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.0.6002.2.2.0.256.6
    Locale ID: 3081
Additional information about the problem:
    BCCode: d1
    BCP1: 8ACFC810
    BCP2: 00000002
    BCP3: 00000000
    BCP4: 8C7E7F7D
    OS Version: 6_0_6002
    Service Pack: 2_0
    Product: 256_1
There's an XML file that contains info about all the drivers that were loaded. This contains in part:
<DRIVER>
    <FILENAME>passthru.sys</FILENAME>
    <FILESIZE>45416</FILESIZE>
    <CREATIONDATE>10-13-2010 06:38:10</CREATIONDATE>
    <VERSION>6.1.7600.16385</VERSION>
    <MANUFACTURER>Windows (R) Win 7 DDK provider</MANUFACTURER>
    <PRODUCTNAME>Windows (R) Win 7 DDK driver</PRODUCTNAME>
    <HASH>fce1c6c0949f178dc01b5f6f1bc28c7f</HASH>
</DRIVER>
There's a Windows Minidump file but I don't know how to get anything useful out of it.
I can confirm that tcpcrypt also crashes Win7 64-bit reasonably often.
I had a quick look into this and here is my educated guess:
In divert.c, in divert_write(), the driver constructs a packet pNdisPacket from the IRP's MdlAddress. This packet is then sent to the miniport driver via a call to NdisSendPackets. Later, IoCompleteRequest is called to complete the IRP. IoCompleteRequest presumably frees or invalidates the MdlAddress.
This is a race condition: if IoCompleteRequest is called before the Miniport has finished sending the packet (i.e. before divert_send_complete() is called), then bad things will happen.
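The ordering problem guessed at in the last comment, as a user-mode C model added here (not tcpcrypt or DDK code; every type and function name is hypothetical). It assumes the remedy is the common WDM pattern of leaving the IRP pending and completing it from the send-complete handler, which the thread does not confirm.

```c
#include <stdio.h>
#include <string.h>

/* User-mode model, constructed for illustration; not tcpcrypt or DDK code. */
typedef struct { unsigned char buf[64]; size_t len; int completed; } irp_model;
typedef struct { irp_model *irp; const unsigned char *data; size_t len; } packet_model;

static packet_model *queued;     /* packet held by the modelled miniport */
static unsigned char wire[64];   /* bytes the miniport actually read and sent */

/* Stands in for IoCompleteRequest: the buffer stops belonging to the driver. */
static void complete_irp(irp_model *irp) {
    irp->completed = 1;
    memset(irp->buf, 0xDD, sizeof irp->buf);   /* model reclaimed memory */
}

/* Stands in for building the packet over the IRP buffer and calling
   NdisSendPackets: it returns before the miniport has read the data. */
static void queue_send(irp_model *irp) {
    static packet_model p;
    p.irp = irp; p.data = irp->buf; p.len = irp->len;
    queued = &p;
}

/* The miniport reads the buffer later, then signals send-complete.
   Returns bytes sent, or -1 if the IRP was already completed when read. */
static int miniport_run(void (*done)(packet_model *)) {
    packet_model *p = queued;
    int stale = p->irp->completed;
    memcpy(wire, p->data, p->len);
    queued = NULL;
    if (done) done(p);
    return stale ? -1 : (int)p->len;
}

/* Ordering described in the comment: complete right after queuing. */
static int write_early_complete(irp_model *irp) {
    queue_send(irp); complete_irp(irp);
    return miniport_run(NULL);
}

/* Deferred ordering: the send-complete callback completes the IRP. */
static void on_send_complete(packet_model *p) { complete_irp(p->irp); }
static int write_deferred_complete(irp_model *irp) {
    queue_send(irp);          /* real driver: mark the IRP pending here */
    return miniport_run(on_send_complete);
}

int main(void) {
    irp_model a = { "GET /", 5, 0 }, b = { "GET /", 5, 0 };
    int early = write_early_complete(&a), late = write_deferred_complete(&b);
    printf("early=%d deferred=%d\n", early, late);
    return 0;
}
```

In the model the miniport always runs after the write routine's last statement, which makes the bad interleaving deterministic; in a real driver it would only occur some of the time.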