I have a legacy virtual volume driver. In this driver I use an I/O remove lock and a handle count to make sure no I/O or handles are outstanding on my devices before deleting them. The devices are deleted on demand after they have been locked and dismounted.

I’m running into a problem where I’ve deleted my device object and DOE_DELETE_PENDING is set in my device object. A user mode process tries to access my virtual volume or a file on it, which causes a mount request. During this mount request, sr.sys is called and it calls ObQueryNameString, which returns a UNICODE_STRING structure with a length of 0 and a NULL buffer. sr.sys just tries to access the buffer in the UNICODE_STRING structure without checking the length or the buffer. It seems like ObQueryNameString should have failed and that sr.sys should have checked the length before accessing the buffer.

Does anyone know what’s going on with this? Is there something I should be doing to prevent this from happening? Does anyone know if this is just a Microsoft bug? We’re seeing this on a Windows XP SP2 x86 machine.
Thanks,
Jonathan Ludwig
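As an added illustration (not code from the post or from sr.sys) of the check a consumer of ObQueryNameString's result needs, the following user-mode C validates a UNICODE_STRING before touching its buffer, treating the Length 0 / NULL Buffer case described above as empty rather than dereferencing it. The UNICODE_STRING layout is a stand-in for the ntdef.h definition so the code builds without the WDK; the function names are assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel UNICODE_STRING layout (USHORT, USHORT, PWSTR);
 * a real driver would include <ntddk.h>. uint16_t stands in for WCHAR. */
typedef struct {
    uint16_t  Length;        /* bytes in use, no terminator counted */
    uint16_t  MaximumLength; /* bytes available in Buffer */
    uint16_t *Buffer;        /* may legitimately be NULL when Length == 0 */
} UNICODE_STRING;

/* Returns 1 if the string may be read, 0 if it must not be dereferenced.
 * Length 0 with a NULL Buffer (the case reported during the mount request)
 * is valid-but-empty: nothing may be read through Buffer. */
int unicode_string_is_readable(const UNICODE_STRING *s)
{
    if (s == NULL)                  return 0;
    if (s->Length == 0)             return 1; /* empty: never touch Buffer */
    if (s->Buffer == NULL)          return 0; /* non-zero Length, no storage */
    if (s->Length & 1)              return 0; /* Length is bytes, must be even */
    if (s->Length > s->MaximumLength) return 0;
    return 1;
}

/* Copy the name into a caller buffer and NUL-terminate it.
 * Returns the number of 16-bit characters copied, or -1 if the source is
 * unusable or the destination is too small. The empty/NULL source yields "". */
int unicode_string_copy_z(const UNICODE_STRING *s, uint16_t *out, size_t out_chars)
{
    size_t n;
    if (!unicode_string_is_readable(s) || out == NULL || out_chars == 0)
        return -1;
    n = s->Length / sizeof(uint16_t);
    if (n + 1 > out_chars)          /* no room for the terminator */
        return -1;
    if (n > 0)                      /* only dereference Buffer when non-empty */
        memcpy(out, s->Buffer, s->Length);
    out[n] = 0;
    return (int)n;
}
```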