Probable bug in FltParseFilenameInformation

Hi All,

We have a minifilter driver which queries file path information in Pre-Create callback.
While constructing file path, we call FltParseFilenameInformation API to parse the components. Due to old MS bug, we check the parent directory sub-path in share path.
But while doing this the system gets crashed. We analyzed the crash dump came to conclusion that:
When call FltParseFilenameInformation API to parse this file path, length member of ParentDir is too high(-ve is have considered signed number).

Have anyone come across similar kind of bug on Windows Server 2008?

From crash dump analysis:
1: kd> vertarget
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 6002.18327.x86fre.vistasp2_gdr.101014-0432
Machine Name:
Kernel base = 0x8343c000 PsLoadedModuleList = 0x83553c70

1: kd> dt 0xb3497f44 _FLT_FILE_NAME_INFORMATION -b
fltmgr!_FLT_FILE_NAME_INFORMATION
+0x000 Size : 0n64
+0x002 NamesParsed : 0n15
+0x004 Format : 2
+0x008 Name : _UNICODE_STRING "\Device\Mup;LanmanRedirector;Z:0000000000126563\fs\public"
+0x000 Length : 0n120
+0x002 MaximumLength : 0n120
+0x004 Buffer : 0xb3497f88 "\Device\Mup;LanmanRedirector;Z:0000000000126563\fs\public"
+0x010 Volume : _UNICODE_STRING “\Device\Mup”
+0x000 Length : 0n22
+0x002 MaximumLength : 0n22
+0x004 Buffer : 0xb3497f88 “\Device\Mup”
+0x018 Share : _UNICODE_STRING “;LanmanRedirector;Z:0000000000126563\fs\public”
+0x000 Length : 0n96
+0x002 MaximumLength : 0n96
+0x004 Buffer : 0xb3497f9e “;LanmanRedirector;Z:0000000000126563\fs\public”
+0x020 Extension : _UNICODE_STRING “”
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x028 Stream : _UNICODE_STRING “”
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x030 FinalComponent : _UNICODE_STRING “public”
+0x000 Length : 0n12
+0x002 MaximumLength : 0n12
+0x004 Buffer : 0xb3497ff2 “public”
+0x038 ParentDir : _UNICODE_STRING ""
+0x000 Length : 0n65524
+0x002 MaximumLength : 0n65524
+0x004 Buffer : 0xb3497ffe ""

Length member of ParentDir is 65524 -> (-12) which is length of FinalComponent.

Thanks,
Rajendra.

I know about two bugs related to ParentDir member (post-create):

  1. There’s a bug on Win7 x86/x64 if you open a file with
    FILE_OPEN_BY_FILE_ID (you can check Data->Iopb->Parameters.Create.Options).
    In this case, ParentDir is bogus and you should clear this variable.
  2. XP bug when Share member is included in ParentDir
    (http://www.osronline.com/showThread.cfm?link=100426). In this case you need
    to repair ParentDir manually (using Share member)