----- Original Message ----- 
From: "Bruce Leidl" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 13, 2004 2:26 PM
Subject: [WinPcap-users] BSOD while setting packet filter in Winpcap 3.0


> Hi list,
>
> While investigating a system crash while using Winpcap 3.0 I discovered
> that the source of the problem was a two byte read off of the end of an
> array in the packet driver while processing the BIOCSETF IoControl which
> is called by pcap_setfilter() to apply a packet filter.  The problem is
> not particularly easy to reproduce and I suppose the only time it would
> cause a problem (and a blue screen) is if the buffer happened to be
> aligned to end exactly at the end of a page when the following page is
> not mapped in the memory manager.
>
> I noticed that this has been fixed in the latest beta version of  3.1
> although I didn't see any reference to this particular bug in the
> changelogs for the last few versions.

You are right.
The bug has been fixed between WinPcap 3.01 alpha and WinPcap 3.1 beta. The
changelog on the web site is a summary of the CVS changelog, and this was
not listed (actually, this fix should be under the changelog item "minor bug
fixes", but I forgot to add this line in the WinPcap 3.1beta changelog).

>
> Since for my application it is not convenient to force the user to
> upgrade their version of Winpcap to a version without the bug, and since
> I am not sure how tightly coupled the libraries are with the driver for
> a particular version I instead tried to find a workaround that I could
> apply to the application itself.  I ended up adding a harmless (I think)
> instruction to the end of the bpf program structure between the call to
> pcap_compile() and pcap_setfilter() which should avoid the bug in the
> kernel.

On my dev machine I usually have mismatching versions for the driver and the
dlls, BUT I have never performed any test regarding the compatibility of all
the features of the driver coupled with various versions of the DLLs.
The solution you are using should work, but I think that the best solution
would be to migrate to winpcap 3.1 betas, we have fixed a couple of other
bugs in the drivers that caused BSODs.


>
> I've pasted my code below in case somebody else is in the same situation
> and might find this useful.  It would also be great if somebody that is
> more familiar with the driver than I am could review this workaround and
> verify that it avoids the problem without breaking anything and also
> that it will be compatible with future versions.
>
> #ifdef WIN32
>     // This is a workaround for a bug in the winpcap driver that can cause a BSOD
>     // on windows.  There is an off by one read when setting the filter that we can
>     // avoid by appending a BPF_SEPARATION instruction to the filter program.
>     {
>         struct bpf_insn *ins;
>         unsigned len;
>
>         len = bpf.bf_len;
>
>         ins = (struct bpf_insn *)malloc((len + 1) * sizeof(struct bpf_insn));
>         if(ins) {
>             memset(ins, 0, (len + 1) * sizeof(struct bpf_insn));
>             memcpy(ins, bpf.bf_insns, len * sizeof(struct bpf_insn));
>             pcap_freecode(&bpf);
>             ins[len].code = BPF_SEPARATION;
>             bpf.bf_len = len + 1;
>             bpf.bf_insns = ins;
>         }
>     }
> #endif

I think that this patch is applied to your code (and not to wpcap.dll),
isn't it?

Be careful if you allocate memory inside your app (ins = (...)malloc(...)),
and then free it by using "pcap_freecode()" (somewhere in your code, not the
one in the snippet you sent). It's always extremely dangerous to allocate
memory in an exe/dll and free it in another dll/exe: you don't know
which version of the C RunTime the exe/dll has been linked to (libc, msvcrt,
debug/release, single thread/multithread), and the memory managers change
between different C RunTimes. Some time ago I experienced a similar problem
(causing a crash in an app), and it took me some *months* to address it (I
didn't spend months debugging it, I left a memory leak in the app...).
Knowledge Base article Q140584 in the Microsoft documentation gives some hints on
such problems with the CRT.

Have a nice day
GV

>
> cheers,
>
> --brl
>
>
>
>
> ==================================================================
>  This is the WinPcap users list. It is archived at
>  http://www.mail-archive.com/[EMAIL PROTECTED]/
>
>  To unsubscribe use
>  mailto: [EMAIL PROTECTED]
> ==================================================================
>

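The following is an added example, not Bruce Leidl's snippet above and not WinPcap's own code. It shows the same "append one terminator instruction" workaround written so that the padded copy is owned and freed by the application with the allocator that created it, while the original program from pcap_compile() is left intact for pcap_freecode(); that separation is the point GV raises about mixing CRT heaps across an exe and a DLL. The struct bpf_insn / struct bpf_program definitions are assumed stand-ins mirroring the libpcap layout so the example builds without <pcap.h>, the sample instructions are constructed by hand, and the numeric value given to BPF_SEPARATION is an assumed placeholder (the real one comes from the WinPcap driver headers).

```c
/* Added example: pad a compiled BPF program with one terminator instruction
 * without handing application-allocated memory to pcap_freecode(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int bpf_u_int32;

/* Assumed stand-ins mirroring the libpcap/WinPcap layout; on a real build
 * include <pcap.h> and delete these two definitions. */
struct bpf_insn {
    unsigned short code;
    unsigned char  jt;
    unsigned char  jf;
    bpf_u_int32    k;
};

struct bpf_program {
    unsigned int     bf_len;
    struct bpf_insn *bf_insns;
};

#ifndef BPF_SEPARATION
#define BPF_SEPARATION 0xff   /* assumed placeholder; use the driver's value */
#endif

/* Build a padded copy of 'src' with one extra, zeroed instruction whose
 * opcode is BPF_SEPARATION. 'src' is not modified, so the caller still
 * releases it with pcap_freecode(); the copy belongs to this module and is
 * released with free_padded_program(), i.e. by the same C runtime that
 * allocated it. Returns 0 on success, -1 on error. */
int pad_filter_program(const struct bpf_program *src, struct bpf_program *dst)
{
    size_t n;
    struct bpf_insn *ins;

    if (src == NULL || dst == NULL || src->bf_insns == NULL || src->bf_len == 0)
        return -1;                                /* nothing to pad */
    n = src->bf_len;
    if (n > (size_t)-1 / sizeof(*ins) - 1)
        return -1;                                /* (n + 1) * sizeof would overflow */

    ins = calloc(n + 1, sizeof(*ins));            /* zero-filled, pad slot included */
    if (ins == NULL)
        return -1;
    memcpy(ins, src->bf_insns, n * sizeof(*ins));
    ins[n].code = BPF_SEPARATION;                 /* jt, jf and k stay 0 */

    dst->bf_len   = (unsigned int)(n + 1);
    dst->bf_insns = ins;
    return 0;
}

/* Release a program produced by pad_filter_program() with the allocator that
 * created it. Never pass such a program to pcap_freecode(). */
void free_padded_program(struct bpf_program *p)
{
    free(p->bf_insns);
    p->bf_insns = NULL;
    p->bf_len   = 0;
}

/* Check before calling pcap_setfilter(): the original instructions are
 * unchanged and exactly one zeroed BPF_SEPARATION instruction follows them.
 * Returns 1 when the padded program is well formed, 0 otherwise. */
int padded_program_is_valid(const struct bpf_program *orig,
                            const struct bpf_program *padded)
{
    const struct bpf_insn *last;

    if (padded->bf_len != orig->bf_len + 1)
        return 0;
    if (memcmp(orig->bf_insns, padded->bf_insns,
               orig->bf_len * sizeof(struct bpf_insn)) != 0)
        return 0;
    last = &padded->bf_insns[padded->bf_len - 1];
    return last->code == BPF_SEPARATION && last->jt == 0 &&
           last->jf == 0 && last->k == 0;
}

int main(void)
{
    /* Constructed sample program "ld #0; ret #65535", written by hand
     * rather than produced by pcap_compile(). */
    struct bpf_insn sample[2] = { { 0x00, 0, 0, 0 }, { 0x06, 0, 0, 65535 } };
    struct bpf_program orig = { 2, sample };
    struct bpf_program padded;

    if (pad_filter_program(&orig, &padded) != 0)
        return 1;
    printf("padded %u -> %u instructions, valid=%d\n", orig.bf_len,
           padded.bf_len, padded_program_is_valid(&orig, &padded));
    /* pcap_setfilter(handle, &padded) would be called here, then: */
    free_padded_program(&padded);   /* ours: free() from this module's CRT */
    /* and pcap_freecode(&orig) for a program that came from pcap_compile() */
    return 0;
}
```

The two ownership paths never cross: memory obtained from wpcap.dll goes back through pcap_freecode(), memory obtained from the application's own calloc() goes back through free() in the same module.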