DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 1bfbd676, Actual security check cookie from the stack
Arg2: 8c0ea0ad, Expected security check cookie
Arg3: 73f15f52, Complement of the expected security check cookie
Arg4: 00000000, zero
Debugging Details:
------------------
GSFAILURE_FUNCTION: tcpip!Ipv4pFragmentPacketHelper
GSFAILURE_RA_SMASHED: TRUE
GSFAILURE_MODULE_COOKIE: 8c0ea0ad tcpip!__security_cookie [ 8c0ea004 ]
GSFAILURE_FRAME_COOKIE: ffffffff
SECURITY_COOKIE: Expected 8c0ea0ad found 1bfbd676
GSFAILURE_ANALYSIS_TEXT: !gs output:
Corruption occurred in tcpip!Ipv4pFragmentPacketHelper or one of its callers
Analyzing __report_gsfailure frame (2)...
LEA usage: Function @0xFFFFFFFF8C084BC5-0xFFFFFFFF8C085397 is NOT using LEA
Module canary at 0xFFFFFFFF8C0EA004 (tcpip!__security_cookie): 0x8C0EA0AD
Complement at 0xFFFFFFFF8C0EA008: 0x73F15F52 (matches OK)
couldn't disassemble
Stack buffer overrun analysis completed successfully.
BUGCHECK_STR: STACK_BUFFER_OVERRUN
DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
CURRENT_IRQL: 2
STACK_TEXT:
8fbe69ec 8c098069 000000f7 1bfbd676 8c0ea0ad nt!KeBugCheckEx+0x1e
8fbe6a0c 8c085397 00000000 864d5a70 00000030 tcpip!__report_gsfailure+0x25
8fbe6ad0 4ae8c041 3dd26b26 a80769bf b5173c80 tcpip!Ipv4pFragmentPacketHelper+0x7d2
WARNING: Frame IP not in any known module. Following frames may be wrong.
8fbe6adc b5173c80 e828bb64 648b96f4 f315f9b3 0x4ae8c041
8fbe6bdc 8c07c174 8958c810 b4a3d3d2 8c0e9b44 0xb5173c80
8fbe6c6c 8c080e46 8a785008 86276978 00000000 tcpip!Fl48pReceiveArpPackets+0xf8
8fbe6ce8 8c07b45e 8a785008 86276978 00000000 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x760
8fbe6d1c 836d577a 86276978 00000000 ffffffff tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x11e
8fbe6d1c 836d5871 86276978 00000000 ffffffff nt!KiSwapKernelStackAndExit+0x15a
8df2f148 00000000 00000000 00000000 00000000 nt!KiSwitchKernelStackAndCallout+0x31
STACK_COMMAND: kb
FOLLOWUP_IP:
tcpip!Ipv4pFragmentPacketHelper+7d2
8c085397 c9 leave
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: tcpip!Ipv4pFragmentPacketHelper+7d2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: tcpip
IMAGE_NAME: tcpip.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4e83e463
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_tcpip!Ipv4pFragmentPacketHelper+7d2
BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_tcpip!Ipv4pFragmentPacketHelper+7d2
Followup: MachineOwner