While investigating a system crash that occurred while using WinPcap 3.0, I discovered that the source of the problem was a two-byte read off the end of an array in the packet driver while processing the BIOCSETF IoControl, which is called by pcap_setfilter() to apply a packet filter. The problem is not particularly easy to reproduce, and I suppose the only time it would cause a problem (and a blue screen) is if the buffer happened to be aligned to end exactly at the end of a page when the following page is not mapped in the memory manager.
I noticed that this has been fixed in the latest beta version of 3.1, although I didn't see any reference to this particular bug in the changelogs for the last few versions.
Since for my application it is not convenient to force the user to upgrade their version of WinPcap to a version without the bug, and since I am not sure how tightly coupled the libraries are with the driver for a particular version, I instead tried to find a workaround that I could apply to the application itself. I ended up adding a harmless (I think) instruction to the end of the bpf program structure, between the call to pcap_compile() and pcap_setfilter(), which should avoid the bug in the kernel.
I've pasted my code below in case somebody else is in the same situation and might find it useful. It would also be great if somebody who is more familiar with the driver than I am could review this workaround and verify that it avoids the problem without breaking anything, and also that it will be compatible with future versions.
#ifdef WIN32
    // This is a workaround for a bug in the winpcap driver that can cause a BSOD
    // on windows. There is an off by one read when setting the filter that we can
    // avoid by appending a BPF_SEPARATION instruction to the filter program.
    // Goes between pcap_compile() and pcap_setfilter(); 'bpf' is the
    // struct bpf_program that pcap_compile() filled in.
    {
        struct bpf_insn *ins;
        unsigned len;

        len = bpf.bf_len;
        // one extra slot for the trailing sentinel instruction
        ins = (struct bpf_insn *)malloc((len + 1) * sizeof(struct bpf_insn));
        if (ins) {
            // zero fill so the sentinel's jt, jf and k are all 0
            memset(ins, 0, (len + 1) * sizeof(struct bpf_insn));
            memcpy(ins, bpf.bf_insns, len * sizeof(struct bpf_insn));
            // release the array pcap_compile() allocated before replacing it
            pcap_freecode(&bpf);
            ins[len].code = BPF_SEPARATION;
            bpf.bf_len = len + 1;
            bpf.bf_insns = ins;
            // bf_insns now points at memory allocated here, not by pcap_compile()
        }
        // if malloc() fails the original, unpadded program is kept as-is
    }
#endif
cheers,
--brl
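Added example, not the poster's code and not part of WinPcap: the same padding step written as a reusable helper with a self-check. It builds without WinPcap or libpcap headers by declaring stand-in struct bpf_insn / struct bpf_program types with the same layout as pcap-bpf.h (in a real program include <pcap.h> and delete them); the BPF_SEPARATION value is an assumption for this stand-alone build and should come from WinPcap's headers; the sample "ip" filter is hand-assembled for the example rather than produced by pcap_compile(); and the old instruction array is released with free() because the sample allocated it itself, whereas a program from pcap_compile() is released with pcap_freecode(). The helper is idempotent, so calling it on an already padded program does not grow it again.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in types so this builds without WinPcap/libpcap headers. They mirror
 * struct bpf_insn / struct bpf_program from pcap-bpf.h; in a real program
 * include <pcap.h> instead. The BPF_SEPARATION value is an ASSUMPTION for this
 * stand-alone build: take the real constant from WinPcap's headers. */
struct bpf_insn {
    unsigned short code;
    unsigned char  jt;
    unsigned char  jf;
    unsigned int   k;
};
struct bpf_program {
    unsigned int     bf_len;
    struct bpf_insn *bf_insns;
};
#ifndef BPF_SEPARATION
#define BPF_SEPARATION 0x08
#endif

/* Grow prog->bf_insns by one zeroed instruction whose opcode is BPF_SEPARATION,
 * so a read one instruction past bf_len lands on this sentinel instead of on
 * whatever follows the buffer. Idempotent: a program already ending in the
 * sentinel is left alone. Returns 0 on success, -1 on failure with prog
 * unchanged. free() is correct here only because this sample allocated the
 * array; a program filled in by pcap_compile() is released with pcap_freecode(). */
int bpf_append_separation(struct bpf_program *prog)
{
    unsigned int len = prog->bf_len;
    struct bpf_insn *ins;

    if (len > 0 && prog->bf_insns[len - 1].code == BPF_SEPARATION)
        return 0;
    if (len == UINT_MAX)
        return -1;
    ins = calloc((size_t)len + 1, sizeof *ins); /* zeroed: sentinel jt/jf/k = 0 */
    if (ins == NULL)
        return -1;
    if (len > 0)
        memcpy(ins, prog->bf_insns, len * sizeof *ins);
    ins[len].code = BPF_SEPARATION;

    free(prog->bf_insns);
    prog->bf_insns = ins;
    prog->bf_len = len + 1;
    return 0;
}

/* 1 if prog ends in the sentinel instruction, else 0. */
int bpf_ends_with_separation(const struct bpf_program *prog)
{
    return prog->bf_len > 0 &&
           prog->bf_insns[prog->bf_len - 1].code == BPF_SEPARATION;
}

/* Constructed sample: hand-assembled equivalent of the classic "ip" filter on
 * Ethernet (ldh [12]; jeq #0x800 jt 0 jf 1; ret #65535; ret #0). Not the
 * output of a real pcap_compile() call. */
static const struct bpf_insn sample_ip_filter[] = {
    { 0x28, 0, 0, 12     },
    { 0x15, 0, 1, 0x0800 },
    { 0x06, 0, 0, 65535  },
    { 0x06, 0, 0, 0      },
};
#define SAMPLE_LEN (sizeof sample_ip_filter / sizeof sample_ip_filter[0])

/* Pad a heap copy of the sample twice and verify: the length grew by exactly
 * one, the original instructions are untouched, and the sentinel is all zero
 * apart from its opcode. Returns the padded length (5) on success, 0 otherwise. */
unsigned int workaround_selftest(void)
{
    struct bpf_program prog;
    unsigned int result = 0;

    prog.bf_len = SAMPLE_LEN;
    prog.bf_insns = malloc(sizeof sample_ip_filter);
    if (prog.bf_insns == NULL)
        return 0;
    memcpy(prog.bf_insns, sample_ip_filter, sizeof sample_ip_filter);

    if (bpf_append_separation(&prog) == 0 &&
        bpf_append_separation(&prog) == 0 &&   /* second call must be a no-op */
        prog.bf_len == SAMPLE_LEN + 1 &&
        bpf_ends_with_separation(&prog) &&
        memcmp(prog.bf_insns, sample_ip_filter, sizeof sample_ip_filter) == 0 &&
        prog.bf_insns[SAMPLE_LEN].jt == 0 &&
        prog.bf_insns[SAMPLE_LEN].jf == 0 &&
        prog.bf_insns[SAMPLE_LEN].k == 0)
        result = prog.bf_len;

    free(prog.bf_insns);
    return result;
}

int main(void)
{
    unsigned int n = workaround_selftest();
    printf("padded program length: %u (%s)\n", n, n ? "ok" : "FAILED");
    return n ? 0 : 1;
}
```

In a real capture program the call sits where the poster's block does: after pcap_compile() has filled in the struct bpf_program and before pcap_setfilter(), with the array released afterwards by whichever allocator created it.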
================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/
To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
