saeger

AFW.SYS causes BSOD


Hello.

I am an Internet Download Manager team member. Some of our customers reported BSODs and inability to boot their systems after LavaSoft Firewall installation. Our investigations showed that there is a bug in the firewall that triggers a BSOD when another TDI filter is attached to the TcpIp system driver. And though we have already invented a workaround for our product, the firewall driver should be fixed in the first place.

Technical details, please forward this to your developers. Our driver attaches a layered filter device to \Device\Tcp, which seems to have its dispatch table hooked by afw.sys. From the WinDbg listing below you can see that idmtdi's completion routine gets the wrong device object 8208e7a8 instead of 81d50c28 because afw.sys incorrectly handles IRP completion. It should take the device object pointer to be passed to the upper routine from the upper IRP stack location and not from any other place.

1: kd> kp
ChildEBP RetAddr
f89ab2cc f7dbf3e3 idmtdi!TransportCreateComplete(struct _DEVICE_OBJECT * device = 0x8208e7a8, struct _IRP * irp = 0x81e48008, void * context = 0x00000000)+0x341
f89ab2f0 804e1f14 afw+0xe3e3
f89ab320 b2d91a9b nt!IopfCompleteRequest+0xa2
f89ab350 f7dbf753 tcpip!TCPDispatch+0x11a
f89ab378 804e19ee afw+0xe753
f89ab3c4 8057eeb8 nt!IopfCallDriver+0x31
...

1: kd> !devobj 0x8208e7a8
Device object (8208e7a8) is for:
Tcp \Driver\Tcpip DriverObject 81d50da0
Current Irp 00000000 RefCount 7 Type 00000012 Flags 00000050
Dacl e18da2fc DevExt 00000000 DevObjExt 8208e860
ExtensionFlags (0000000000)
AttachedDevice (Upper) 81d50c28 \Driver\IDMTDI
Device queue is not busy.

1: kd> !irp 0x81e48008
Irp is active with 2 stacks 2 is current (= 0x81e4809c)
No Mdl: System buffer=821edda8: Thread 823c18b8: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 8208e7a8 00000000 f7dbf336-81e37768
\Driver\Tcpip afw
Args: 00000000 00000000 00000000 00000000
>[ 0, 0] 0 0 81d50c28 821f8408 00000000-00000000
\Driver\IDMTDI
Args: f89ab3f0 02000000 00000080 00000021
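
The completion-chaining rule described in the post, as an added user-mode C model that is not part of the original post and is not IDM or Lavasoft code. All types and function names are simplified, hypothetical stand-ins for the WDK structures; the buggy branch forwards the lower device because that is the value seen in the dump, and how afw.sys actually obtains the pointer is an assumption.

```c
#include <stdio.h>
/* Simplified user-mode stand-ins for DEVICE_OBJECT / IRP / IO_STACK_LOCATION. */
typedef struct Device { const char *name; } Device;
typedef struct Irp Irp;
typedef void (*Completion)(Device *dev, Irp *irp, void *ctx);
typedef struct Slot { Device *device; Completion routine; void *ctx; } Slot;
struct Irp { Slot stack[2]; int current; };   /* stack[0] = lowest driver */
typedef struct Saved { Completion routine; void *ctx; int buggy; } Saved;
static Device *seen_by_upper;  /* device object the upper filter's routine got */

/* Upper filter's completion routine (the role of TransportCreateComplete). */
static void upper_complete(Device *dev, Irp *irp, void *ctx) {
    (void)irp; (void)ctx;
    seen_by_upper = dev;
}

/* Hooking driver's completion routine: chains to the routine it displaced. */
static void hook_complete(Device *dev, Irp *irp, void *ctx) {
    Saved *s = ctx;
    /* Assumed bug: forward the device of the slot that was just completed.
       Fix: forward the device stored in the upper (now current) stack slot. */
    Device *fwd = s->buggy ? irp->stack[irp->current - 1].device
                           : irp->stack[irp->current].device;
    (void)dev;
    s->routine(fwd, irp, s->ctx);
}

/* Model of completion: step up one slot, then call the routine stored in the
   slot just left, passing the device object of the slot above it. */
static void complete_request(Irp *irp) {
    Slot *done = &irp->stack[irp->current++];
    if (done->routine)
        done->routine(irp->stack[irp->current].device, irp, done->ctx);
}

/* Build the two-slot IRP from the dump and complete it in the lower driver. */
static Device *run(int buggy, Device *lower, Device *upper) {
    Saved saved = { upper_complete, NULL, buggy };
    Irp irp = { { { lower, hook_complete, &saved }, { upper, NULL, NULL } }, 0 };
    seen_by_upper = NULL;
    complete_request(&irp);
    return seen_by_upper;
}

int main(void) {
    Device tcp = { "\\Device\\Tcp (8208e7a8)" }, idm = { "IDMTDI filter (81d50c28)" };
    printf("buggy hook: %s\n", run(1, &tcp, &idm)->name);
    printf("fixed hook: %s\n", run(0, &tcp, &idm)->name);
    return 0;
}
```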
