I am trying to write Windows driver code to scan a directory for file names:
#include <ntddk.h>

HANDLE directory_handle;
FILE_BOTH_DIR_INFORMATION directory_information;   /* one fixed-size record: FileName[1] holds a single WCHAR */
IO_STATUS_BLOCK io_status_block;
NTSTATUS status;
OBJECT_ATTRIBUTES directory_attributes;
UNICODE_STRING directory_name;   /* assumed: initialised elsewhere with the NT path of the directory */

InitializeObjectAttributes(&directory_attributes,
                           &directory_name,
                           OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                           NULL,                                   /* RootDirectory */
                           NULL);                                  /* SecurityDescriptor */

status = ZwCreateFile(&directory_handle,
                      FILE_LIST_DIRECTORY | SYNCHRONIZE,
                      &directory_attributes,
                      &io_status_block,
                      NULL,                                        /* AllocationSize */
                      0,                                           /* FileAttributes */
                      FILE_SHARE_VALID_FLAGS,
                      FILE_OPEN,
                      FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,
                      NULL,                                        /* EaBuffer */
                      0);                                          /* EaLength */
/* status should be checked with NT_SUCCESS() before the handle is used */

/* First call: ReturnSingleEntry == TRUE, so one entry is written into the single record */
status = ZwQueryDirectoryFile(directory_handle,
                              NULL,                                /* Event */
                              NULL,                                /* ApcRoutine */
                              NULL,                                /* ApcContext */
                              &io_status_block,
                              &directory_information,
                              sizeof(directory_information),
                              FileBothDirectoryInformation,
                              TRUE,                                /* ReturnSingleEntry */
                              NULL,                                /* FileName (no filter) */
                              FALSE);                              /* RestartScan */

/* Second call: same buffer, next entry in the directory */
status = ZwQueryDirectoryFile(directory_handle,
                              NULL,
                              NULL,
                              NULL,
                              &io_status_block,
                              &directory_information,
                              sizeof(directory_information),
                              FileBothDirectoryInformation,
                              TRUE,
                              NULL,
                              FALSE);
The first call to ZwQueryDirectoryFile() returns a STATUS_SUCCESS (0x00000000) result, but the second call returns a status of STATUS_BUFFER_OVERFLOW (0x80000005). Do you know what might cause this buffer-overflow error?
Thank you.
STATUS_BUFFER_OVERFLOW indicates that the buffer isn't big enough to return the full filename (however we know the buffer is big enough for at least the base structure, else STATUS_BUFFER_TOO_SMALL).
What's happening here is the first call successfully returned the "." entry (as there is room in the base structure for a single character filename), but the second call failed with STATUS_BUFFER_OVERFLOW because the buffer isn't big enough for the ".." entry.
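As an added illustration (not code from the question or the answer), the sizing rule behind that explanation, checked against a mirror of the record layout assumed from the DDK's ntifs.h: a bare FILE_BOTH_DIR_INFORMATION has room for exactly one name character, so "." fits and ".." does not, and a buffer sized for several records is walked by NextEntryOffset. The DirRecord type, the sample buffer and the file names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirror of the DDK's FILE_BOTH_DIR_INFORMATION (layout assumed from ntifs.h), checkable without a kernel build. */
typedef struct {
    uint32_t NextEntryOffset, FileIndex;   /* NextEntryOffset is 0 on the last record */
    int64_t  CreationTime, LastAccessTime, LastWriteTime, ChangeTime;
    int64_t  EndOfFile, AllocationSize;
    uint32_t FileAttributes, FileNameLength, EaSize;   /* FileNameLength is in bytes */
    char     ShortNameLength;
    uint16_t ShortName[12];
    uint16_t FileName[1];                  /* variable-length tail, one WCHAR declared */
} DirRecord;

/* Bytes one record needs for a name of name_chars UTF-16 code units. */
size_t record_bytes(size_t name_chars) { return offsetof(DirRecord, FileName) + 2 * name_chars; }

/* The question passes sizeof(FILE_BOTH_DIR_INFORMATION): room for exactly one WCHAR. */
int fits_in_bare_struct(size_t name_chars) { return record_bytes(name_chars) <= sizeof(DirRecord); }

/* Constructed stand-in for a large buffer after one call with ReturnSingleEntry == FALSE: ".", "..", "notes.txt". */
size_t build_sample_buffer(uint8_t *buf, size_t cap) {
    static const uint16_t names[3][9] = { {'.'}, {'.', '.'},
                                          {'n','o','t','e','s','.','t','x','t'} };
    static const size_t chars[3] = { 1, 2, 9 };
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        size_t padded = (record_bytes(chars[i]) + 7) & ~(size_t)7;   /* records are 8-byte aligned */
        if (off + padded > cap) return 0;   /* caller's buffer too small for this sample */
        DirRecord *r = (DirRecord *)(buf + off);
        memset(r, 0, padded);
        r->FileNameLength = (uint32_t)(2 * chars[i]);
        memcpy(r->FileName, names[i], r->FileNameLength);
        r->NextEntryOffset = (i == 2) ? 0 : (uint32_t)padded;
        off += padded;
    }
    return off;
}

/* The walk a driver does after each ZwQueryDirectoryFile call: follow
 * NextEntryOffset until it is 0. Returns the entry count and sums the name bytes. */
size_t walk_records(const uint8_t *buf, size_t *name_bytes) {
    size_t count = 0; *name_bytes = 0;
    for (const DirRecord *r = (const DirRecord *)buf;;) {
        count++; *name_bytes += r->FileNameLength;
        if (r->NextEntryOffset == 0) return count;
        r = (const DirRecord *)((const uint8_t *)r + r->NextEntryOffset);
    }
}
```

With a name of length n, a record needs offsetof(FileName) + 2n bytes; sizing the buffer for one bare struct only ever fits n == 1.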