Hi All,
We have a minifilter driver which queries file path information in Pre-Create callback.
While constructing the file path, we call the FltParseFilenameInformation API to parse the components. Due to an old MS bug, we check the parent directory sub-path in the share path.
But while doing this the system crashes. We analyzed the crash dump and came to the conclusion that:
When we call the FltParseFilenameInformation API to parse this file path, the Length member of ParentDir is too high (negative if considered as a signed number).
Has anyone come across a similar kind of bug on Windows Server 2008?
From crash dump analysis:
1: kd> vertarget
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 6002.18327.x86fre.vistasp2_gdr.101014-0432
Machine Name:
Kernel base = 0x8343c000 PsLoadedModuleList = 0x83553c70
1: kd> dt 0xb3497f44 _FLT_FILE_NAME_INFORMATION -b
fltmgr!_FLT_FILE_NAME_INFORMATION
+0x000 Size : 0n64
+0x002 NamesParsed : 0n15
+0x004 Format : 2
+0x008 Name : _UNICODE_STRING "\Device\Mup;LanmanRedirector;Z:0000000000126563\fs\public"
+0x000 Length : 0n120
+0x002 MaximumLength : 0n120
+0x004 Buffer : 0xb3497f88 "\Device\Mup;LanmanRedirector;Z:0000000000126563\fs\public"
+0x010 Volume : _UNICODE_STRING "\Device\Mup"
+0x000 Length : 0n22
+0x002 MaximumLength : 0n22
+0x004 Buffer : 0xb3497f88 "\Device\Mup"
+0x018 Share : _UNICODE_STRING ";LanmanRedirector;Z:0000000000126563\fs\public"
+0x000 Length : 0n96
+0x002 MaximumLength : 0n96
+0x004 Buffer : 0xb3497f9e ";LanmanRedirector;Z:0000000000126563\fs\public"
+0x020 Extension : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x028 Stream : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x030 FinalComponent : _UNICODE_STRING "public"
+0x000 Length : 0n12
+0x002 MaximumLength : 0n12
+0x004 Buffer : 0xb3497ff2 "public"
+0x038 ParentDir : _UNICODE_STRING ""
+0x000 Length : 0n65524
+0x002 MaximumLength : 0n65524
+0x004 Buffer : 0xb3497ffe ""
The Length member of ParentDir is 65524 -> (-12), which is the length of FinalComponent.
Thanks,
Rajendra.