For Help: RtlStringVPrintfWorkerW bug check

Hi All,
Please help me fix this problem. In my kernel driver code I am trying to print some traces;
for that I am allocating a buffer from non-paged pool and formatting it.
After that I try to print it through DbgPrint, and after printing I free the buffer.

For formatting the buffer, I am using the RtlStringCchPrintfW function call.
But I am getting a bugcheck just after calling RtlStringCchPrintfW.
Please check my code below and tell me if anything is wrong.

PWCHAR pBuf = NULL;
pBuf = ExAllocatePoolWithTag(NonPagedPool, MAX_TRACEBUFF_SIZE, BUS_POOL_TAG);

RtlStringCchPrintfW(pBuf, MAX_TRACEBUFF_SIZE,
L"%-4d:%-4d:%-4d\n"
L"Configuration[%d]\n"
L"%-40ws" L"%d\n"
L"%-40ws" L"%d\n",
min,sec,mls,pConfig->bConfigurationValue,
L" wTotalLength",pConfig->wTotalLength,
L" bNumInterfaces",pConfig->bNumInterfaces
);

In the above call:

pBuf               ---->is buffer pointer.
MAX_TRACEBUFF_SIZE ---->buffer size

L"%-4d:%-4d:%-4d\n"    |
L"Configuration[%d]\n" |-------->format string
L"%-40ws" L"%d\n"      |
L"%-40ws" L"%d\n",     |

min,sec,mls,pConfig->bConfigurationValue,  |
L" wTotalLength",pConfig->wTotalLength,    |-------->arguments
L" bNumInterfaces",pConfig->bNumInterfaces |

The IRQL while calling this is DISPATCH LEVEL.

Thanks,



See the documentation:

Callers of RtlStringCchPrintfW and RtlStringCchPrintfA must be running at
IRQL = PASSIVE_LEVEL.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of aare ravinder
Sent: Friday, October 06, 2006 9:29 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] For Help: RtlStringVPrintfWorkerW bug check

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

If you follow these two steps it might help.

  1. Read the description of the cchDest parameter on the RtlStringCchPrintf page
  2. Read the description of the NumberOfBytes parameter on the ExAllocatePoolWithTag page


You can’t use widechar string formatting calls at DISPATCH_LEVEL due to code
page idiocy in the kernel.

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com



You allocated MAX_TRACEBUFF_SIZE bytes; you said the buffer contained MAX_TRACEBUFF_SIZE Unicode characters.

Unicode characters are 2 bytes each, meaning your buffer is actually half the size you reported it to be to the safe string API.

Classic UNICODE buffer overflow.
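
The byte-versus-character mismatch described in the reply above, modelled in portable user-mode C as an added example (not code from the thread or from the WDK). `overrun_bytes`, `alloc_wide`, `format_wide` and `demo_format` are hypothetical helpers, `vswprintf` stands in for `RtlStringCchPrintfW`, and 1024 is a constructed stand-in for `MAX_TRACEBUFF_SIZE`; the IRQL restriction raised elsewhere in the thread is not modelled.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Bytes a formatter may overrun when told claimed_cch characters but given alloc_cb bytes. */
size_t overrun_bytes(size_t alloc_cb, size_t claimed_cch, size_t char_size)
{
    if (char_size == 0 || claimed_cch > SIZE_MAX / char_size) return SIZE_MAX;
    size_t claimed_cb = claimed_cch * char_size;
    return claimed_cb > alloc_cb ? claimed_cb - alloc_cb : 0;
}

/* Allocate by character count, so the byte size is always cch * sizeof(wchar_t). */
wchar_t *alloc_wide(size_t cch)
{
    if (cch == 0 || cch > SIZE_MAX / sizeof(wchar_t)) return NULL;
    return malloc(cch * sizeof(wchar_t));
}

/* Format with the character capacity; a negative result means it did not fit. */
int format_wide(wchar_t *buf, size_t cch, const wchar_t *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vswprintf(buf, cch, fmt, ap);
    va_end(ap);
    if (n < 0) buf[0] = L'\0';  /* discard partial output */
    return n;
}

/* Constructed sample values; %ls is the portable spelling of the post's %ws. */
int demo_format(size_t cch)
{
    wchar_t *buf = alloc_wide(cch);
    if (buf == NULL) return -2;
    int n = format_wide(buf, cch, L"Configuration[%d]\n%-40ls%d\n",
                        1, L" wTotalLength", 32);
    free(buf);
    return n;
}

int main(void)
{
    /* 1024 bytes allocated, 1024 two-byte characters claimed (constructed values). */
    printf("%zu %d %d\n", overrun_bytes(1024, 1024, 2), demo_format(128), demo_format(16));
    return 0;
}
```

In the driver, the equivalent correction is to allocate `MAX_TRACEBUFF_SIZE * sizeof(WCHAR)` bytes, or to pass `MAX_TRACEBUFF_SIZE / sizeof(WCHAR)` as the character count.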

D’oh, I should have read to the bottom of the page of the OP - talk
about pot calling kettle black, eh?

Cheers
Lyndon

“Dan Kyler” wrote in message news:xxxxx@ntdev…
See the documentation:
>Callers of RtlStringCchPrintfW and RtlStringCchPrintfA must be running at
>IRQL = PASSIVE_LEVEL.

And I should have looked closer at the code…your observation was spot on
as well.

And as Mark pointed out, despite the IRQL restriction, it does work at
dispatch as long as you don’t use strings.

- Dan.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J. Clarke
Sent: Friday, October 06, 2006 10:37 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] For Help: RtlStringVPrintfWorkerW bug check

D’oh, I should have read to the bottom of the page of the OP - talk
about pot calling kettle black, eh?

Cheers
Lyndon


Both are right. Either problem reported back on this thread could cause a bugcheck in that routine. Not knowing what the bugcheck was, it could have been either. Both have to be fixed.

You cannot work with Unicode strings at DISPATCH_LEVEL, since the Unicode
collation sequence tables are in paged memory.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
