Hi.
If I am doing a query with FltQueryInformationFile of Class
“FileNameInformation” and a buffer which is too small I get
STATUS_BUFFER_OVERFLOW with LengthReturned set to zero by
FltQueryInformationFile although the underlaying filesystem returned
something greater zero specifing the full length that is required in the
FileNameLength parameter of the FILE_NAME_INFORMATION structure.
I stepped into FltQueryInformationFile and it seems to act like this:
…
FltPerformSynchronousIo(pCallbackData);
if (NT_SUCCESS(pCallbackData->IoStatus.Status))
{
if (LengthReturned != NULL)
*LengthReturned = pCallbackData->IoStatus.Information;
}
…
Shouldn’t FltQueryInformationFile return IoStatus.Information in any case?
Or is this a special case of STATUS_BUFFER_OVERFLOW?
Thanks
Frank
Hello Frank,
If I remember correctly the IoStatus.Information in this case holds the number of bytes actually written in the buffer. As per the documentation for ZwQueryInformationFile the number of required bytes *MIGHT* be in the FileNameLength parameter of the FILE_NAME_INFORMATION structure in case of failure. Here is a quote from the documentation:
“If ZwQueryInformationFile fails because of an overflow, drivers that implement FileNameInformation should return as many WCHAR characters of the file name as possible and specify the full length that is required in the FileNameLength parameter of the FILE_NAME_INFORMATION structure. You should reissue the query by using the file name length so that you can retrieve the full file name. Drivers that do not follow this pattern might require a gradual increase in length until they retrieve the full file name.”
Thanks,
Alex.
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Frank [xxxxx@gdata.de]
Sent: Wednesday, February 04, 2009 2:54 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] FltQueryInformationFile
Hi.
If I am doing a query with FltQueryInformationFile of Class
“FileNameInformation” and a buffer which is too small I get
STATUS_BUFFER_OVERFLOW with LengthReturned set to zero by
FltQueryInformationFile although the underlaying filesystem returned
something greater zero specifing the full length that is required in the
FileNameLength parameter of the FILE_NAME_INFORMATION structure.
I stepped into FltQueryInformationFile and it seems to act like this:
…
FltPerformSynchronousIo(pCallbackData);
if (NT_SUCCESS(pCallbackData->IoStatus.Status))
{
if (LengthReturned != NULL)
*LengthReturned = pCallbackData->IoStatus.Information;
}
…
Shouldn’t FltQueryInformationFile return IoStatus.Information in any case?
Or is this a special case of STATUS_BUFFER_OVERFLOW?
Thanks
Frank
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer