FilterGetMessage and insufficient buffers

Hi,

Because couldn’t find documentation nor samples, I did some reverse engineering on FilterGetMessage/FltSendMessage/etc. calls and would like to confirm the behavior if the buffer that receives a message or reply from/to driver is not large enough.

Based on what I see, assuming we are sending a message from driver to usermode

  1. If buffer size of FilterGetMessage is small, the API will return ERROR_INSUFFICIENT_BUFFER or ERROR_MORE_DATA and we can retry the call using a larger buffer. FltSendMessage will wait for a new request from usermode.

  2. When we call FilterReplyMessage with a larger buffer FltSendMessage expects to receive,
    FltSendMessage will return STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL. Usermode will get the win32 error.

Sounds right?

Regards,
Mauro.