A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #11333  by Vrtule
 Sun Jan 29, 2012 1:44 pm
Hello,

Currently, I am working on a test driver whose purpose is to get more knowledge about the Windows Filtering Platform interface. The driver installs a callout for several layers (FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V6 included). The callout only grabs the data available at the particular layer and sends it (asynchronously, because the callout might run at DISPATCH_LEVEL etc.) to the application, which displays it.

The callout header is defined as follows:
Code:
/* Classify routine; same parameter list as the FWPS_CALLOUT_CLASSIFY_FN0 callback type */
VOID NTAPI CalloutClassfy(
    IN const FWPS_INCOMING_VALUES0 *inFixedValues,          /* per-layer field values */
    IN const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,  /* metadata, presence via currentMetadataValues */
    IN OUT VOID *layerData,                                 /* layer-specific data (e.g. NET_BUFFER_LIST) */
    IN const FWPS_FILTER0 *filter,                          /* the filter that matched */
    IN UINT64 flowContext,                                  /* flow context, if any was associated */
    OUT FWPS_CLASSIFY_OUT0 *classifyOut);                   /* action returned to the filter engine */
Everything worked well until today, when I added filtering at FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V6. The documentation says that on this layer the remote address is present in the inFixedValues->incomingValue parameter under the FWPS_FIELD_ALE_ENDPOINT_CLOSURE_V6_IP_REMOTE_ADDRESS index. I use the following code to copy the remote address data:
Code:
/* value.byteArray16 is a pointer to an FWP_BYTE_ARRAY16; take the address of its 16-byte array */
ipv6_ip_remote = (CHAR*)&(inFixedValues->incomingValue[FWPS_FIELD_ALE_ENDPOINT_CLOSURE_V6_IP_REMOTE_ADDRESS].value.byteArray16->byteArray16);
RtlCopyMemory(&event->ipv6_ip_remote, ipv6_ip_remote, 16);
A BSOD occurs in RtlCopyMemory when reading data from the address given by the ipv6_ip_remote variable.

I am testing the driver on 64bit version of Windows 7.

Does anybody know what might be causing the problem?

Thanks in advance
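Added example (editor's note, not part of the post above and not Vrtule's code): the check a practitioner would want before copying an IPv6 address out of inFixedValues. Each incomingValue entry is an FWP_VALUE0 whose type member says what the union holds; the 16-byte address is reached through the byteArray16 pointer only when type is FWP_BYTE_ARRAY16_TYPE, and an entry that carries no value has type FWP_EMPTY, so dereferencing the pointer without looking at type first reads through whatever the union happens to contain. The WDK types are re-declared below as minimal user-mode stand-ins with the same member names as fwpsk.h/fwptypes.h so the block compiles outside a driver (in the driver, include <fwpsk.h> and delete that section); the field index SAMPLE_REMOTE_ADDR_INDEX and the sample field layout are constructed for the example and stand in for FWPS_FIELD_ALE_ENDPOINT_CLOSURE_V6_IP_REMOTE_ADDRESS and the real layer's field list.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Stand-ins for the WDK definitions (assumption: same member names as
 *     fwptypes.h / fwpsk.h). Replace with #include <fwpsk.h> in a driver. --- */
typedef enum { FWP_EMPTY = 0, FWP_UINT32, FWP_BYTE_ARRAY16_TYPE } FWP_DATA_TYPE;
typedef struct { uint8_t byteArray16[16]; } FWP_BYTE_ARRAY16;
typedef struct {
    FWP_DATA_TYPE type;                  /* tells which union member is valid */
    union {
        uint32_t uint32;
        FWP_BYTE_ARRAY16 *byteArray16;   /* a pointer, not the bytes themselves */
    };
} FWP_VALUE0;
typedef struct { FWP_VALUE0 value; } FWPS_INCOMING_VALUE0;
typedef struct {
    uint16_t layerId;
    uint32_t valueCount;                 /* number of entries in incomingValue */
    FWPS_INCOMING_VALUE0 *incomingValue;
} FWPS_INCOMING_VALUES0;

/* Result codes of CopyIpv6Field. */
enum { IPV6_OK = 0, IPV6_INDEX_OUT_OF_RANGE = 1, IPV6_FIELD_NOT_SET = 2, IPV6_NULL_POINTER = 3 };

/* Copy a 16-byte address field out of inFixedValues, dereferencing nothing
 * until every precondition holds: index below valueCount, entry typed as a
 * 16-byte array (not FWP_EMPTY or anything else), non-NULL pointer. */
int CopyIpv6Field(const FWPS_INCOMING_VALUES0 *inFixedValues,
                  uint32_t fieldIndex, uint8_t out[16])
{
    if (inFixedValues == NULL || inFixedValues->incomingValue == NULL ||
        fieldIndex >= inFixedValues->valueCount)
        return IPV6_INDEX_OUT_OF_RANGE;

    const FWP_VALUE0 *v = &inFixedValues->incomingValue[fieldIndex].value;
    if (v->type != FWP_BYTE_ARRAY16_TYPE)
        return IPV6_FIELD_NOT_SET;       /* FWP_EMPTY: no address for this classify call */
    if (v->byteArray16 == NULL)
        return IPV6_NULL_POINTER;

    memcpy(out, v->byteArray16->byteArray16, 16);   /* RtlCopyMemory in the driver */
    return IPV6_OK;
}

/* --- Constructed sample input (not captured from a real classify call) --- */
#define SAMPLE_REMOTE_ADDR_INDEX 2  /* stand-in for FWPS_FIELD_..._IP_REMOTE_ADDRESS */
static FWP_BYTE_ARRAY16 g_sampleAddr = {{0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1}}; /* 2001:db8::1 */
static FWPS_INCOMING_VALUE0 g_sampleValues[3];

/* Build inFixedValues with the address slot populated (remotePresent != 0)
 * or left FWP_EMPTY, as for a closure with no remote peer. */
FWPS_INCOMING_VALUES0 BuildSample(int remotePresent)
{
    memset(g_sampleValues, 0, sizeof g_sampleValues);       /* all slots start as FWP_EMPTY */
    g_sampleValues[0].value.type = FWP_UINT32; g_sampleValues[0].value.uint32 = 6;   /* e.g. protocol */
    g_sampleValues[1].value.type = FWP_UINT32; g_sampleValues[1].value.uint32 = 443; /* e.g. port */
    if (remotePresent) {
        g_sampleValues[2].value.type = FWP_BYTE_ARRAY16_TYPE;
        g_sampleValues[2].value.byteArray16 = &g_sampleAddr;
    }
    FWPS_INCOMING_VALUES0 in = { 0, 3, g_sampleValues };
    return in;
}

int main(void)
{
    uint8_t addr[16];
    FWPS_INCOMING_VALUES0 in = BuildSample(1);
    printf("remote present: rc=%d\n", CopyIpv6Field(&in, SAMPLE_REMOTE_ADDR_INDEX, addr));
    in = BuildSample(0);
    printf("no remote:      rc=%d\n", CopyIpv6Field(&in, SAMPLE_REMOTE_ADDR_INDEX, addr));
    printf("bad index:      rc=%d\n", CopyIpv6Field(&in, 99, addr));
    return 0;
}
```

In a driver the same function body works unchanged against the real structures; a non-zero return is the signal to log the event without an address rather than to touch the pointer. The type check is the important one: valueCount is fixed per layer, but whether a given field carries a value can vary from one classify call to the next.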