Memory leak in npcap 0.9988 with data on loopback when capture another eth?

[yyjdelete]

Tested with npcap 0.9988 + win10

A lot of memory leak happen on paged pools with tag Mdl and NPBL. NPBL is only used by npcap.sys, and it leak 50% of allocs, and also the same leak count for Mdl.

This only happen for me when a lot of data is send and recv though loopback, and an capture (can also be tested with wireshark) on another eths.
(EVEN when loopback is not captured, which I used to think npcap should do nothing in this case, is it another bug?)

npcap/packetWin7/npf/npf/Loopback.c

Lines 439 to 440 in 39b72d0

	/* First NBL is pre-allocated, so skip that one. */
	pFakeNetBuffer = NET_BUFFER_NEXT_NB(NET_BUFFER_LIST_FIRST_NB(pFakeNbl));

Is the comments here and NET_BUFFER_NEXT_NB really right? Seems the above logic didn't skip the first node.

Use https://github.com/zodiacon/AllTools/blob/master/PoolMonXv2.exe, can also get almost the same result with poolmon from Mircosoft.

[dmiller-nmap]

Thanks for this report. This is new code in this version, but I'm disappointed I didn't catch this leak. I'll take a look at the function in question. Npcap does not unregister its WFP filter when the loopback handle is closed, which is why the leaks continue even when loopback capture is stopped. We may consider doing that to limit performance impact in the future.

[dmiller-nmap]

You were right about NET_BUFFER_NEXT_NB: though we need to skip freeing the first NB, we still need to free the MDL (tag 'Mdl') and its associated buffer (tag 'NPBL'), and that is what was leaking. We'll be doing a release soon with this fix.

[dmiller-nmap]

WORKAROUND: Until the next release can be made, a workaround is to disable loopback capture: Set the Registry value HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters\LoopbackSupport to 0x0 and restart the npcap driver service: net stop npcap; net start npcap. This change will persist across reboots, but may be reset by the next installation or upgrade.