I recently used the WDK 7600 KMDF dynamic bus sample to start a new driver.
It looks like Bus_EvtStdDataQueryInstance has a latent bug, which doesn’t
crash the exact sample code, but is a poor sample because trivial changes to
the .MOF cause a crash. In my case, I added a Boolean to the .mof file, as
the last field, and the driver became unstable.
There are a few lines that return a WMI instance and it uses a structure
assignment like:
*BufferUsed = sizeof (TOASTER_BUS_WMI_STD_DATA);
* (PTOASTER_BUS_WMI_STD_DATA) OutBuffer = fdoData->StdToasterBusData;
This works so long as the structure in C is the same size as the WMI record.
Unfortunately, if you add a single byte field, like a boolean, to the end of
the WMI record definition, the structure assignment corrupts memory at the
end of the WMI request buffer. Running verifier detected this corruption. It
looks like the compiler pads the structure size to be a natural boundary
like 4 bytes. WMI doesn’t seem to pad records to any alignment boundary.
What’s curious is WDF_WMI_PROVIDER_CONFIG_INIT sets the WMI record size to
sizeof (TOASTER_BUS_WMI_STD_DATA), and part of the time things seem to work.
At other times, KMDF gets an internal breakpoint, and other times verifier
detects memory corruption (during a pool free as I remember). Seems like
there might be something a little off in the KMDF buffer size validation.
The much better example in the KMDF toaster function driver uses a
RtlCopyMemory to copy the correct number of bytes, no matter what the WMI
record size is.
RtlCopyMemory(OutBuffer,
              ToasterWmiGetControlData(WmiInstance),
              ToasterControl_SIZE);
*BufferUsed = ToasterControl_SIZE;
When I changed my driver to use RtlCopyMemory with the size #define
generated by the mof compiler, instead of the structure assignment, the
crashes vanished.
Just an FYI for people.
Jan
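To make the padding mismatch concrete, here is an added user-mode C illustration (not code from the WDK sample or from the poster): a hypothetical stand-in for the mof-generated structure with a ULONG followed by a trailing BOOLEAN, a constructed SAMPLE_WMI_STD_DATA_SIZE that mirrors what the mof compiler's *_SIZE define represents (offset past the last field, no tail padding), memcpy standing in for RtlCopyMemory, and an exactly-sized record buffer with a canary after it so the overrun from a sizeof-based copy can be counted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the mof-generated struct (assumed layout, not the
 * WDK's): a 4-byte field followed by the 1-byte boolean added as the last field. */
typedef struct _SAMPLE_WMI_STD_DATA {
    uint32_t ErrorCount;   /* assumed field */
    uint8_t  DebugFlag;    /* the trailing BOOLEAN that changes the picture */
} SAMPLE_WMI_STD_DATA;

/* Constructed equivalent of the mof compiler's *_SIZE define: bytes up to the
 * end of the last field, with none of the compiler's trailing alignment padding. */
#define SAMPLE_WMI_STD_DATA_SIZE \
    (offsetof(SAMPLE_WMI_STD_DATA, DebugFlag) + sizeof(uint8_t))

#define CANARY 0xAAu

/* Simulates the sample's struct assignment into a WMI buffer that holds exactly
 * the record (SAMPLE_WMI_STD_DATA_SIZE bytes) and returns how many canary bytes
 * past the record end were overwritten. memcpy of sizeof() is used as the
 * stand-in for `*(PSAMPLE_WMI_STD_DATA)OutBuffer = data;`. */
size_t canary_bytes_clobbered_by_struct_assignment(void)
{
    SAMPLE_WMI_STD_DATA data;
    uint8_t region[16];
    size_t i, clobbered = 0;

    memset(&data, 0, sizeof(data));      /* padding bytes are zero, not 0xAA */
    data.ErrorCount = 7; data.DebugFlag = 1;
    memset(region, CANARY, sizeof(region));
    memcpy(region, &data, sizeof(data)); /* writes sizeof(), not record size */
    for (i = SAMPLE_WMI_STD_DATA_SIZE; i < sizeof(region); i++)
        if (region[i] != CANARY) clobbered++;
    return clobbered;
}

/* Sized copy in the style of the toaster function driver: validate the caller's
 * buffer, then copy exactly the record length. Returns 1 on success, 0 when the
 * buffer is too small (BufferUsed still reports the required size). */
int copy_std_data(const SAMPLE_WMI_STD_DATA *src, void *OutBuffer,
                  size_t OutBufferSize, size_t *BufferUsed)
{
    *BufferUsed = SAMPLE_WMI_STD_DATA_SIZE;
    if (OutBufferSize < SAMPLE_WMI_STD_DATA_SIZE)
        return 0;
    memcpy(OutBuffer, src, SAMPLE_WMI_STD_DATA_SIZE);
    return 1;
}
```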