这是什么原因吗？(已解决！)

在PtReceive函数中对数据包进行再处理：基本架构是参照前辈胡大侠的代码：

PtReceive()
{
  Packet = NdisGetReceivedPacket(pAdapt->BindingHandle, MacReceiveContext);
        if (Packet != NULL)
       {}
      else if(LookAheadBufferSize >= PacketSize)
      {}
      else
      {
       //在此当中也参考胡大侠的部分，在PtTransferDataComplete 中对数据包进行重组在进行提交：
      }
}
但是在MPReturnPacket 中对刚申请的地址进行释放：

        RecvRsvd = (PRECV_RSVD)(Packet->MiniportReserved);
        MyPacket = RecvRsvd->OriginalPkt;    
        if(MyPacket)
        {
            NdisFreePacket(Packet);
            NdisReturnPackets(&MyPacket, 1);
        }
        else
        {
            NdisUnchainBufferAtFront(Packet, &pNdisBuffer);
            if(pNdisBuffer != NULL)
            {
                NdisQueryBufferSafe( pNdisBuffer, &pPacketContent, &PackContentLen, 32);
                DbgPrint(("MPResturn 释放情况 :MyPacket:%08x,Packet:%08x pNdisBuffer:%08x pPacketContent:%08x Len:%d \n",MyPacket,Packet,pNdisBuffer,pPacketContent,PackContentLen));
                NdisFreeBuffer( pNdisBuffer );                    
                if(pPacketContent != NULL)
                {
                    NdisFreeMemory(pPacketContent, PackContentLen, 0);
                    pPacketContent = NULL;        
                }
                NdisDprFreePacket(Packet);
                DbgPrint(("已经释放完毕\n"));
            }
        }

在 NdisFreeBuffer 出现错误： 分析如下：


BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: 89577ce0, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  89577ce0 Nonpaged pool

BUGCHECK_STR:  0xc2_7

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  Test.EXE

LAST_CONTROL_TRANSFER:  from 804f9afd to 8052b5d8

STACK_TEXT:  
b4644580 804f9afd 00000003 b46448dc 00000000 nt!RtlpBreakWithStatusInstruction
b46445cc 804fa6e8 00000003 89577da0 89577cd8 nt!KiBugCheckDebugBreak+0x19
b46449ac 804fac37 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
b46449cc 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
b4644a1c 804f032c 89577ce0 00000000 8961aad0 nt!ExFreePoolWithTag+0x2a3
b4644a30 b44fe145 89577ce0 b380e000 b380e000 nt!IoFreeMdl+0x6e
b4644a58 b7e1e87f 898c7ea8 89577da0 b4644c9c passthru!MPReturnPacket+0x105 [f:\netpassthruc\passthru\driver\miniport.c @ 1178]
b4644a80 b4b2d875 8959ca30 00000001 b4644c9c NDIS!NdisReturnPackets+0xe9
89577ce0 89500ad0 8999e0a0 b380e000 00000000 afd!AfdReturnBuffer+0xe1
WARNING: Frame IP not in any known module. Following frames may be wrong.
89577cec 00000000 00480000 00000000 00000000 0x89500ad0

郁闷至死！各位大侠帮忙看看！..在此先谢过！如果代码不够的话，我再贴！非常感谢！

在MPReturnPacket中要处理NdisIndicateReceivePacket 情况，主要是因为在处理PtReceive时，分别考虑了可以完全收报和一次不能完全收到数据包的情况。PtTransferDataComplete的代码如下：VOID
PtTransferDataComplete(
    IN NDIS_HANDLE ProtocolBindingContext,
    IN PNDIS_PACKET Packet,
    IN NDIS_STATUS Status,
    IN UINT BytesTransferred
)
{
    PADAPT pAdapt = (PADAPT)ProtocolBindingContext;
    PUCHAR pPacketContent;
    PRSVD Rsvd;
    UINT OffsetSize, Result, PacketLen;

    PNDIS_BUFFER pPacketBuffer;
    PNDIS_PACKET pBakPacket;
    PNDIS_BUFFER pBakBuffer;

    PUCHAR pBakContent;
    UINT BufferLen , nPacketLen;
    UINT flag = 1;

    DbgPrint(("In PtTransferDataComplete\n"));

    //
    // Returning the Send on the Primary, will point to itself if there is no LBFO
    //
    pAdapt = pAdapt->pPrimaryAdapt;
    Rsvd = (PRSVD)(Packet->MiniportReserved);
    // pBakPacket 里是 HeaderBuffer + LookAheadBuffer 的内容。
    pBakPacket = (PNDIS_PACKET)(Rsvd->OriginalPkt);

    if(pAdapt->MiniportHandle)
    {
        if(pBakPacket == NULL)
            NdisMTransferDataComplete(pAdapt->MiniportHandle, Packet, Status, BytesTransferred);
        else
        {
            Status = NdisAllocateMemory(&pPacketContent, BUFFER_SIZE, 0, HighestAcceptableMax);
            CopyPacket2Buffer(pBakPacket, pPacketContent, &OffsetSize);
            nPacketLen = OffsetSize ;
            CopyPacket2Buffer(Packet, pPacketContent+OffsetSize, &PacketLen);
            nPacketLen += PacketLen ;
            
            if(Monitor_flag)
            {
                if (flag && Encrypt_flag)
                    EncryptPackets(pPacketContent,nPacketLen) ;

                if(Check_Packet((char*)pPacketContent,FALSE))
                {
                    flag = 0;    // 不向上指示该包
                }                
            }
            else {}

            PacketLen += OffsetSize;
            // 释放包描述符pBakPacket、缓冲描述符pBakBuffer、内存pBakContent。
            NdisUnchainBufferAtFront(pBakPacket, &pBakBuffer);
            NdisQueryBufferSafe(pBakBuffer, &pBakContent, &BufferLen, 32);
            NdisFreeBuffer(pBakBuffer);
            NdisFreeMemory(pBakContent, BUFFER_SIZE, 0);
            NdisFreePacket(pBakPacket);

            memset(Packet->MiniportReserved, 0, sizeof(Packet->MiniportReserved));

            NdisUnchainBufferAtFront(Packet, &pPacketBuffer);
            NdisQueryBufferSafe(pPacketBuffer, &pBakContent, &BufferLen, 32);
            NdisFreeBuffer(pPacketBuffer);
            NdisFreeMemory(pBakContent, BUFFER_SIZE, 0);

            if(!flag)
            {
                // 释放资源并返回
                NdisFreePacket(Packet);
                return;
            }

            NdisAllocateBuffer(&Status, &pPacketBuffer, pAdapt->RecvBufferPoolHandle, pPacketContent, PacketLen);
            NdisChainBufferAtFront(Packet, pPacketBuffer);
            Packet->Private.Head->Next=NULL;
            Packet->Private.Tail=NULL;
            NDIS_SET_PACKET_HEADER_SIZE(Packet,14);
            
            // 向上层协议驱动指示数据包，防真网卡行为。
            NdisMIndicateReceivePacket(pAdapt->MiniportHandle, &Packet, 1);

            if(NDIS_GET_PACKET_STATUS(Packet)!=NDIS_STATUS_PENDING)
            {
                MPReturnPacket((NDIS_HANDLE)pAdapt, Packet);
            }
        }
    }
    return;
}

各位大侠帮忙看看到底这些代码出现了什么问题