if (((struct bpf_insn*)prog)[cnt].code==BPF_SEPARATION && (insns-cnt-1)!=0)

In user land, there is nothing to suggest the dynamically allocated memory for the bpf_insn struct (happening at icode_to_fcode in optimize.c) has been freed before sending DeviceIoControl, or that the malloc failed. From what I know about what's happening with the IO, the user virtual memory is mapped to the system buffer in the non-paged pool (I could be wrong here). The only explanation I see is that the SystemBuffer, which exists in the non-paged pool, has somehow become bogus, and when the above line of code is executed, we get the crash.
Has anyone experienced this behavior before, or know of any related bugs? I'm basically left clueless as to why this is happening!
Kind Regards,
Daniel
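One thing a driver can do regardless of where the corruption comes from is to validate the IOCTL input buffer before the loop above indexes it: check that the length is a whole number of instructions and derive the count from that length rather than trusting a separately supplied count. The following is an added example for this thread, not code from the original post or from the driver being discussed; the struct layout follows the classic BPF instruction (code, jt, jf, k), and the numeric value of BPF_SEPARATION is a placeholder assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of a classic BPF instruction (assumed; mirrors libpcap's bpf_insn). */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

#define BPF_SEPARATION 0x0fff   /* placeholder value for this example only */
#define BPF_LD_ABS_W   0x20     /* ld [k]   */
#define BPF_RET_K      0x06     /* ret #k   */

/* Reject an input buffer that cannot be a whole BPF program.
 * Returns the instruction count, or 0 if the buffer is rejected. */
size_t bpf_validate_buffer(const void *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return 0;
    if (len % sizeof(struct bpf_insn) != 0)   /* truncated or padded program */
        return 0;
    if (len / sizeof(struct bpf_insn) > 65535) /* arbitrary upper bound */
        return 0;
    return len / sizeof(struct bpf_insn);
}

/* Locate the separation instruction using the validated count, so that
 * prog[cnt] can never be evaluated past the end of the buffer. A separator
 * in the last slot is ignored, as in the (insns-cnt-1)!=0 test.
 * Returns the index of the separator, or -1 if none or buffer rejected. */
long bpf_find_separation(const void *buf, size_t len)
{
    size_t insns = bpf_validate_buffer(buf, len);
    const struct bpf_insn *prog = (const struct bpf_insn *)buf;

    if (insns == 0)
        return -1;
    for (size_t cnt = 0; cnt < insns; cnt++) {
        if (prog[cnt].code == BPF_SEPARATION && (insns - cnt - 1) != 0)
            return (long)cnt;
    }
    return -1;
}

/* Constructed sample program: load, separator, return. */
static const struct bpf_insn sample_prog[3] = {
    { BPF_LD_ABS_W,   0, 0, 12     },
    { BPF_SEPARATION, 0, 0, 0      },
    { BPF_RET_K,      0, 0, 0xffff },
};

int main(void)
{
    printf("separator at index %ld\n",
           bpf_find_separation(sample_prog, sizeof(sample_prog)));
    printf("truncated buffer accepted: %s\n",
           bpf_validate_buffer(sample_prog, sizeof(sample_prog) - 1) ? "yes" : "no");
    return 0;
}
```

Deriving the count from the buffer length that the I/O manager actually copied (rather than from a count field inside the buffer) is what prevents the `[cnt]` dereference from walking off the end of SystemBuffer even when the user-mode allocation was wrong.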