Kdprint incorrect output

Hi,

Could you please answer the following question.

Environment Win7 x86
WDK version: 7600.16385.1

I am writing a kernel-mode driver. A user-mode application uses an ioctl call to request data from the driver.
I call the ioctl periodically, at a 3 second interval, from the user application.
I use KdPrint with date and time stamps in my driver.

Here is my ioctl implementation:

NTSTATUS
IoctlDeviceControl(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
    )
{
    PIO_STACK_LOCATION irpSp;
    NTSTATUS ntStatus = STATUS_SUCCESS;
    ULONG inBufLength;
    ULONG outBufLength;
    PCHAR inBuf;
    PCHAR outBuf;
    PACKET_INFO* packet;
    LIST_ENTRY* listEntry;
    KLOCK_QUEUE_HANDLE packetInfoListLockHandle;
    int maxSize;
    int currentSize;
    int packetSize;
    int count;
    char data[1028];
    int counter;
    memset(data, 0, sizeof(data));

    UNREFERENCED_PARAMETER(DeviceObject);

    PAGED_CODE();

    irpSp = IoGetCurrentIrpStackLocation( Irp );
    inBufLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
    outBufLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength;
    KdPrint(("Enter IoctlDeviceControl %s %s \n", __DATE__, __TIME__));

    if (!inBufLength || !outBufLength)
    {
        ntStatus = STATUS_INVALID_PARAMETER;
        goto End;
    }
    if( irpSp->Parameters.DeviceIoControl.IoControlCode==IOCTL_METHOD_BUFFERED )
    {
        maxSize=1028;
        currentSize=4;
        packetSize=sizeof(PACKET_INFO);
        counter=0;

        while (!IsListEmpty(&gPacketInfoList))
        {
            if (currentSize>maxSize)
                break;
            packet = NULL;
            KeAcquireInStackQueuedSpinLock(
                &gPacketInfoListLock,
                &packetInfoListLockHandle);
            if (!IsListEmpty(&gPacketInfoList))
            {
                listEntry = RemoveHeadList(&gPacketInfoList);
                packet = CONTAINING_RECORD(
                    listEntry,
                    PACKET_INFO,
                    listEntry);
            }
            KeReleaseInStackQueuedSpinLock(&packetInfoListLockHandle);
            if (packet!=NULL)
            {
                counter++;
                KdPrint(("Packet Info %d proccessed \n",counter));
                memcpy(&data[currentSize],(char*)packet,packetSize);
                currentSize+=packetSize;
                ExFreePoolWithTag(packet, PACKET_INFO_POOL_TAG);
            }
        }
        count=(int)((currentSize-4)/packetSize);
        KdPrint(("Count packets %d \n",count ));
        inBuf = Irp->AssociatedIrp.SystemBuffer;
        outBuf = Irp->AssociatedIrp.SystemBuffer;
        memcpy(&data[0],&count,4);
        RtlCopyBytes(outBuf, data, currentSize);
        Irp->IoStatus.Information = (outBufLength }
End:
    Irp->IoStatus.Status = ntStatus;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    KdPrint(("Exit IoctlDeviceControl %s %s \n", __DATE__ , __TIME__ ));
    return ntStatus;
}

When I looked at the WinDbg output after a few ioctl calls, I saw that the output sequence is incorrect in both time and order.
After the last ioctl call I get an “access violation” error.

Here is the WinDbg output:

Enter DriverEntry Jan 29 2011 19:37:01
Exit DriverEntry Jan 29 2011 19:37:01
Enter IoctlDeviceControl Jan 29 2011 19:37:01
Packet Info 1 proccessed
Packet Info 2 proccessed
Packet Info 3 proccessed
Packet Info 4 proccessed
Count packets 4
Exit IoctlDeviceControl Jan 29 2011 19:37:01
…

Enter IoctlDeviceControl Jan 29 2011 19:37:01
Packet Info 1 proccessed
Packet Info 2 proccessed
Packet Info 3 proccessed
Packet Info 4 proccessed
Packet Info 5 proccessed
Packet Info 6 proccessed
Count packets 6
Exit IoctlDeviceControl Jan 29 2011 19:37:01
Enter IoctlDeviceControl Jan 29 2011 19:37:01
Packet Info 1 proccessed
Packet Info 2 proccessed
Packet Info 3 proccessed
Packet Info 4 proccessed
Packet Info 5 proccessed
Packet Info 6 proccessed
Packet Info 7 proccessed
Packet Info 8 proccessed
Packet Info 9 proccessed
Packet Info 10 proccessed
Packet Info 11 proccessed
Packet Info 12 proccessed
Packet Info 13 proccessed
Packet Info 14 proccessed
Packet Info 15 proccessed
Packet Info 16 proccessed
Packet Info 1 proccessed
Packet Info 2 proccessed
Packet Info 3 proccessed
Packet Info 4 proccessed
Packet Info 5 proccessed
Packet Info 6 proccessed
Packet Info 7 proccessed
Packet Info 8 proccessed
Packet Info 9 proccessed
Packet Info 10 proccessed
Packet Info 11 proccessed
Count packets 11
Access violation - code c0000005 (!!! second chance !!!)
TestDriver!IoctlDeviceControl+0x287:
92131c37 8b480c mov ecx,dword ptr [eax+0Ch]

How to resolve this issue?
Thanks for any help.

At a guess, __DATE__ and __TIME__ refer to the date and time that the
binary was compiled. They will be constant throughout the execution.

That won’t cause your crash though.

James


How big is packetsize? You don’t seem to do any checking anywhere to see
if you have gone past the end of ‘data’.

James


1. __DATE__ and __TIME__ are predefined compiler macros that are set at
   compile time and will have the same value until you recompile your driver,
   so they are not going to do what I think you want here (timestamping). If
   you’re looking for timestamping, you might want to look at:

   KeQuerySystemTime() -
   http://msdn.microsoft.com/en-us/library/ff553068.aspx
   ExSystemTimeToLocalTime() -
   http://msdn.microsoft.com/en-us/library/ff545622.aspx
   RtlTimeToTimeFields() -
   http://msdn.microsoft.com/en-us/library/ff562884(VS.85).aspx

2. You are presumably overrunning your buffer somewhere in the
   memcpy/RtlCopyMemory portion of your code; you don’t seem to check any of
   the lengths, which is not a good idea.

If you post an !analyze -v of the crash, that would help.

mm

Very helpful, thanks a lot.

xxxxx@gmail.com wrote:

> Could you please answer the following question.
>
> Environment Win7 x86
> WDK version: 7600.16385.1
>
> I am writing a kernel-mode driver. A user-mode application uses an ioctl call to request data from the driver.
> I call the ioctl periodically, at a 3 second interval, from the user application.
> I use KdPrint with date and time stamps in my driver.
>
> Packet Info 11 proccessed
> Count packets 11
> Access violation - code c0000005 (!!! second chance !!!)
> TestDriver!IoctlDeviceControl+0x287:
> 92131c37 8b480c mov ecx,dword ptr [eax+0Ch]
>
> How to resolve this issue?

I’ll be the third person to tell you the answer here, but I want to make
sure you understand what is going on.

My guess is you are getting about 64 bytes in each request. As you go
through your loop, you append each packet’s buffer to the “data” array
in your code, and advance the “currentSize” pointer. When you get to
the 17th packet, you start writing 64 bytes at offset 1024. That, of
course, copies past the end of the array. The thing that follows the
“data” array in memory is your “counter” variable, so the memcpy
actually resets the counter to zero. You KEEP copying data, stepping on
the stack, until eventually you trash some pointer value, causing the crash.

You need to step back and think about what you’re asking here. You
require both an input buffer and an output buffer. Why? As near as I
can tell, you have an output operation here. Why do you care about the
input buffer at all? Also, and I should not need to tell you this,
“IOCTL_METHOD_BUFFERED” is an absolutely terrible name for an ioctl.
Your ioctl names should reflect what the ioctl actually does. Otherwise,
you’ll never remember it when you come back to this code.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
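To make the length arithmetic James, mm and Tim are pointing at concrete, here is a bounds-checked version of the packing loop, added to this thread as an illustration and not taken from the poster's driver. It is portable C so it runs outside the kernel: the list, spin lock, pool free and RtlCopyBytes are replaced by a constructed array of records, PACKET_SIZE is Tim's 64-byte estimate, and the names pack_packets and pack_demo are mine.

```c
/* Added example, not from the thread: a bounds-checked version of the
 * packing loop in IoctlDeviceControl, in portable C so it runs outside
 * the kernel. Only the length arithmetic is demonstrated. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PACKET_SIZE   64    /* Tim Roberts' estimate of sizeof(PACKET_INFO) */
#define DATA_CAPACITY 1028  /* size of the original 'data' array */
#define HEADER_SIZE   4     /* 32-bit packet count stored at offset 0 */

typedef struct { uint8_t bytes[PACKET_SIZE]; } PacketInfo; /* stand-in */

/* Pack as many pending packets as fit into out[0..outLen), behind a 4-byte
 * count. Returns bytes written (0 if even the header does not fit, which a
 * driver would report as STATUS_BUFFER_TOO_SMALL). *consumed tells the
 * caller how many packets were taken, so the rest can stay queued instead
 * of being copied past the end of the buffer and then freed. */
size_t pack_packets(const PacketInfo *pending, size_t pendingCount,
                    uint8_t *out, size_t outLen, size_t *consumed)
{
    size_t limit, currentSize, i;
    uint32_t count;

    *consumed = 0;
    if (out == NULL || outLen < HEADER_SIZE)
        return 0;

    /* Never exceed the caller's buffer or the local cap. The original
     * loop only tested 'currentSize > maxSize' before the copy, so an
     * offset of 1024 passed the test and 64 more bytes ran off the end. */
    limit = outLen < DATA_CAPACITY ? outLen : DATA_CAPACITY;
    currentSize = HEADER_SIZE;
    for (i = 0; i < pendingCount; i++) {
        if (currentSize + PACKET_SIZE > limit)
            break;                          /* would overrun: stop here */
        memcpy(out + currentSize, &pending[i], PACKET_SIZE);
        currentSize += PACKET_SIZE;
    }

    *consumed = i;
    count = (uint32_t)i;
    memcpy(out, &count, HEADER_SIZE);       /* header written once, at the end */
    return currentSize;
}

/* Helper for main and tests: builds 'pendingCount' constructed packets,
 * packs them into a buffer of 'outLen' bytes (at most DATA_CAPACITY)
 * and returns bytes written; *consumed receives the packets taken. */
size_t pack_demo(size_t pendingCount, size_t outLen, size_t *consumed)
{
    PacketInfo pending[32];
    uint8_t out[DATA_CAPACITY];
    *consumed = 0;
    if (pendingCount > 32 || outLen > DATA_CAPACITY)
        return 0;
    memset(pending, 0xAB, sizeof pending);  /* constructed payload */
    return pack_packets(pending, pendingCount, out, outLen, consumed);
}

int main(void)
{
    size_t consumed;
    size_t written = pack_demo(20, DATA_CAPACITY, &consumed);
    printf("wrote %zu bytes, took %zu of 20 packets\n", written, consumed);
    return 0;
}
```

With 20 queued 64-byte packets and the 1028-byte buffer, the loop stops at 16 packets (4 + 16 * 64 = 1028 bytes) instead of writing the 17th at offset 1024, and a smaller user buffer simply yields fewer packets.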