FileObject




Hi ,

In the file object we have a UNICODE string field, file name.

Who is allocating the buffer in this file name?

My guess is IO Manager. Am I right?

For what size is it allocating this buffer?

Regards,

Priya


Get your Free E-mail at http://freelancewriting.zzn.com
___________________________________________________________
Get your own Web-based E-mail Service at http://www.zzn.com

IO manager allocates this from the usual pool. As usual, .MaximumLength is the allocated size.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: priya priya
To: Windows File Systems Devs Interest List
Sent: Wednesday, January 12, 2005 4:14 PM
Subject: [ntfsd] FileObject



Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com




In my case Length is 0x110 and MaximumLength is 0x110.

There is a line of code in my program:

    FileObject->FileName.Length -= (USHORT)(i * sizeof(WCHAR));

    RtlCopyMemory(&FileObject->FileName.Buffer[0],
                  &FileObject->FileName.Buffer[i],
                  FileObject->FileName.Length + sizeof(WCHAR));

Here the RtlCopyMemory results in a Page Fault in Non Paged area.

Is this possible? Will the additional sizeof(WCHAR) result in this error?

'i' is calculated by finding the first non-backslash character:

    /* inside the loop that scans FileObject->FileName.Buffer */
    if (FileObject->FileName.Buffer[i] == L'\\') {
        i += 1;
        break;
    }

Regards,

Priya



The name of a file is valid only in the context of an IRP_MJ_CREATE operation.
So if you want to store names, you should do it at create time.

Dan

----- Original Message -----
From: priya priya
To: Windows File Systems Devs Interest List
Sent: Wednesday, January 12, 2005 3:41 PM
Subject: Re: Re: [ntfsd] FileObject


Yes, the Create operation is called before this rename operation and the name gets stored only in the create operation.

But my question is: will these additional bytes in the RtlCopy instruction lead to a page fault?



Hi,

Why are you adding the sizeof(WCHAR)? UNICODE_STRINGs are not NULL
terminated and I believe that in your case this will definitely result in a
buffer overrun.

Regards,

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com


I recommend freeing the original buffer and allocating a new buffer if you
want to patch the file name.

Jamey


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of priya priya
Sent: Wednesday, January 12, 2005 8:41 AM
To: Windows File Systems Devs Interest List
Subject: Re: Re: [ntfsd] FileObject





Hi,

What do you mean by Unicode strings are not NULL terminated?

If the string which we write into the buffer is NULL terminated, those strings are also NULL terminated, right?

Regards,

Priya



> What do u mean by Unicode strings are not NULL terminated.

Strings used by the kernel (UNICODE_STRINGs)
are not terminated by a zero character, like strings
in “normal” C/C++ applications. This is often a source
of programming errors (e.g. using strXXX functions
on UNICODE_STRINGs).

Note to all your last questions - you should really
learn more about kernel programming. If you cannot
get over copying unicode strings, I guarantee you will
have no chance to solve *real* problems in writing
FSD filters. And I can also guarantee you that such
problems come, sooner or later.

Don’t take it personally, everyone was once a beginner.

L.




Thanks,

I think I will learn more from my mistakes.

I really need the guidance of this group to improve much.



Hi,

Yes, but by definition they are not NULL terminated even if they happen to
be (see the DDK documentation). It looks like you are treating the Length
field as you would the return value of a “strlen” call, which is not
correct. Length is the number of bytes that make up the valid bytes of the
string, NOT including the NULL character (if there happens to be one), and
MaximumLength is the maximum number of bytes that the Buffer field of the
UNICODE_STRING can hold. In your case where you experienced the crash,
Length was equal to MaximumLength so let’s take a trivial example:

The Buffer is “\a”, Length is 4 and MaximumLength is 4. This means that the
Buffer parameter is only a valid allocation for 4 bytes, any access to the
buffer beyond that is a buffer overrun. Your loop runs, sets “i” to 1, and
adjusts Length to 2. You then try to copy Length+sizeof(WCHAR) bytes out of
the Buffer field starting at the character “a” and you overflow the buffer.

Have you ever run this driver with Driver Verifier enabled? If not, I would
highly suggest it.

Regards,

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com





Hi ,

Thanks for the information.

I will use the Driver Verifier and check out.

Regards,

Priya



You are right. The additional sizeof(WCHAR) is causing the problem. As you have already stated, MaximumLength is 0x110 and Length is also 0x110; this clearly shows that the additional sizeof(WCHAR) will cause RtlCopyMemory to read past the buffer (specifically 2 bytes) and thus the crash.

Also take a look at RtlCopyMemory: it is not safe when the buffers overlap. You might want to consider using RtlMoveMemory.

As for the UNICODE_STRING discussion:
You can treat the Buffer member of UNICODE_STRING as an array of bytes. The Length field tells how many bytes are in the array and MaximumLength tells the array size. Of course there will be a crash if you try to write past the array, right? NULL termination has no significance in this. You can have a UNICODE_STRING with embedded NULL characters in it, like “TestString\0TestString1\0TestString”.


Pankaj Garg
This posting is provided “AS IS” with no warranties and confers no rights.


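An added example (not code from this thread) that puts Scott's worked "\a" case and Pankaj's overlap remark into runnable user-mode C: a stand-in UNICODE_STRING, a function that reports how far the posted copy reads past MaximumLength, and a bounds-checked, overlap-safe rewrite of the snippet. The struct, the function names and the sample strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-mode stand-in for the kernel UNICODE_STRING (constructed for this example). */
typedef unsigned short USHORT;
typedef unsigned short WCHAR;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

/* Bytes the posted RtlCopyMemory reads past the allocation. The source starts at
   Buffer[i] and the count is (Length - i*sizeof(WCHAR)) + sizeof(WCHAR), so the
   last byte touched is at offset Length + sizeof(WCHAR) - 1 regardless of i. */
static size_t overread_bytes(USHORT length, USHORT maximum_length)
{
    size_t end = (size_t)length + sizeof(WCHAR);
    return end > maximum_length ? end - maximum_length : 0;
}

/* Hardened form of the snippet: drop everything up to and including the first
   backslash, in place. No extra WCHAR is copied, the scan is bounded by Length,
   and the move is overlap-safe (memmove here; RtlMoveMemory in the kernel).
   Returns 0 on success, -1 if the string holds no backslash. */
static int strip_first_component(UNICODE_STRING *s)
{
    size_t count = s->Length / sizeof(WCHAR), i;
    for (i = 0; i < count && s->Buffer[i] != L'\\'; i++)
        ;
    if (i == count)
        return -1;
    i += 1;                                   /* skip the backslash itself */
    size_t tail = s->Length - i * sizeof(WCHAR);
    memmove(s->Buffer, s->Buffer + i, tail);  /* regions overlap for i >= 1 */
    s->Length = (USHORT)tail;                 /* MaximumLength is unchanged */
    return 0;
}

int main(void)
{
    WCHAR buf[2] = { L'\\', L'a' };           /* Scott's "\a": Length 4, MaximumLength 4 */
    UNICODE_STRING s = { 4, 4, buf };
    printf("over-read with Length=MaximumLength=4: %zu bytes\n", overread_bytes(4, 4));
    printf("over-read with Length=MaximumLength=0x110: %zu bytes\n", overread_bytes(0x110, 0x110));
    if (strip_first_component(&s) == 0)
        printf("after strip: Length=%u, Buffer[0]='%c'\n", s.Length, (char)s.Buffer[0]);
    return 0;
}
```

Driver Verifier's special pool catches exactly this kind of 2-byte over-read in a real driver, which is why running under it was suggested above.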
This means that Buffer[Length / sizeof(WCHAR)] is not necessarily UNICODE_NULL, but can be any junk.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: priya priya
To: Windows File Systems Devs Interest List
Sent: Thursday, January 13, 2005 8:52 AM
Subject: Re: Re:[ntfsd] Re: FileObject
