AFW.SYS causes BSOD
Hello.
I am an Internet Download Manager team member. Some of our customers reported BSODs and inability to boot their systems after LavaSoft Firewall installation. Our investigations showed that there is a bug in the firewall that triggers a BSOD when another TDI filter is attached to the TcpIp system driver. And though we have already invented a workaround for our product, the firewall driver should be fixed in the first place.
Technical details, please forward this to your developers. Our driver attaches a layered filter device to \Device\Tcp, which seems to have its dispatch table hooked by afw.sys. From the WinDbg listing below you can see that idmtdi's completion routine gets the wrong device object 8208e7a8 instead of 81d50c28 because afw.sys incorrectly handles IRP completion. It should take the device object pointer to be passed to the upper routine from the upper IRP stack location and not from any other place.
1: kd> kp
ChildEBP RetAddr
f89ab2cc f7dbf3e3 idmtdi!TransportCreateComplete(struct _DEVICE_OBJECT * device = 0x8208e7a8, struct _IRP * irp = 0x81e48008, void * context = 0x00000000)+0x341
f89ab2f0 804e1f14 afw+0xe3e3
f89ab320 b2d91a9b nt!IopfCompleteRequest+0xa2
f89ab350 f7dbf753 tcpip!TCPDispatch+0x11a
f89ab378 804e19ee afw+0xe753
f89ab3c4 8057eeb8 nt!IopfCallDriver+0x31
...
1: kd> !devobj 0x8208e7a8
Device object (8208e7a8) is for:
Tcp \Driver\Tcpip DriverObject 81d50da0
Current Irp 00000000 RefCount 7 Type 00000012 Flags 00000050
Dacl e18da2fc DevExt 00000000 DevObjExt 8208e860
ExtensionFlags (0000000000)
AttachedDevice (Upper) 81d50c28 \Driver\IDMTDI
Device queue is not busy.
1: kd> !irp 0x81e48008
Irp is active with 2 stacks 2 is current (= 0x81e4809c)
No Mdl: System buffer=821edda8: Thread 823c18b8: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 8208e7a8 00000000 f7dbf336-81e37768
\Driver\Tcpip afw
Args: 00000000 00000000 00000000 00000000
>[ 0, 0] 0 0 81d50c28 821f8408 00000000-00000000
\Driver\IDMTDI
Args: f89ab3f0 02000000 00000080 00000021
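A user-mode model of the completion chain described in the post above, added here as an illustration; it is not code from IDM or from the firewall, and every type and function name is a simplified stand-in rather than a WDK definition. It compares a hooked completion routine that forwards the hooked device with one that forwards the device stored in the upper stack location.

```c
#include <stdio.h>

/* User-mode model only: these types are simplified stand-ins, not the WDK's. */
typedef struct Device { const char *name; } Device;
struct Irp;
typedef int (*Completion)(Device *dev, struct Irp *irp, void *ctx);
typedef struct StackLoc { Device *dev; Completion routine; void *ctx; } StackLoc;
typedef struct Irp { StackLoc loc[2]; int current; } Irp; /* loc[0] lower, loc[1] upper */
typedef struct Saved { Completion routine; void *ctx; Device *hooked; } Saved;
static Device tcp = { "\\Device\\Tcp" };        /* lower device, dispatch hooked */
static Device filter = { "upper TDI filter" };  /* device attached on top of it */

/* The upper filter's completion routine: reports whether it got its own device. */
static int filter_complete(Device *dev, Irp *irp, void *ctx) {
    (void)irp;
    *(int *)ctx = (dev == &filter);
    return 0;
}

/* Hook that forwards the device whose dispatch it hooked (behaviour in the report). */
static int hook_complete_wrong(Device *dev, Irp *irp, void *ctx) {
    Saved *s = ctx;
    (void)dev;
    return s->routine(s->hooked, irp, s->ctx);
}

/* Hook that forwards the device recorded in the upper stack location. */
static int hook_complete_right(Device *dev, Irp *irp, void *ctx) {
    Saved *s = ctx;
    (void)dev;
    return s->routine(irp->loc[irp->current].dev, irp, s->ctx);
}

/* Returns 1 if the filter's routine received its own device object, else 0. */
int run_completion(int use_upper_location) {
    int got_own_device = -1;
    Irp irp = { { { &tcp, filter_complete, &got_own_device }, { &filter, NULL, NULL } }, 0 };
    /* Hooked dispatch: save the routine the filter registered, install the hook. */
    Saved saved = { irp.loc[0].routine, irp.loc[0].ctx, &tcp };
    irp.loc[0].routine = use_upper_location ? hook_complete_right : hook_complete_wrong;
    irp.loc[0].ctx = &saved;
    /* Completion: move up one location, then call the routine stored in the lower one. */
    irp.current = 1;
    irp.loc[0].routine(irp.loc[irp.current].dev, &irp, irp.loc[0].ctx);
    return got_own_device;
}

int main(void) {
    printf("hooked device: %d, upper location: %d\n", run_completion(0), run_completion(1));
    return 0;
}
```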
Thank you for the information, I will get this looked into and come back as soon as I have some information for you.
Sent PM.
Hello again
Would it be possible for you to provide us a mini dump for this BSOD?
If so, please send me a PM and I will provide you a location to upload it to.