![]() ![]() First, I started SoftICE and set a breakpoint on I decided to investigate this particular case as I was writing this blog posting. Here’s an example I see on a Windows XP SP2 system that results when I open My Computer: At least that’s what you’d expect, but on many occasions I’ve seen two buffer overflow errors followed by a third query of the same data that succeeds. Given these approaches you should never see two buffer overflow errors in a row that query the same data. The second approach has the advantage of avoiding a second query in most cases. If the system reports ERROR_MORE_DATA, which is the Windows API equivalent of the native STATUS_BUFFER_OVERFLOW error, the application dynamically allocates a buffer of the required size and re-executes the query. ![]() The other approach is for an application to first try and use a static buffer of a size that the programmer expects will usually be large enough to receive the stored data. The first is to simply pass in a NULL pointer on the first call and if the call succeeds to allocate a buffer for a second query. There are two programming approaches commonly taken to reading variable-length Registry data. This enables an application to determine the best way to allocate a buffer for the value's data. If lpData is NULL, and lpcbData is non-NULL, the function returns ERROR_SUCCESS and stores the size of the data, in bytes, in the variable pointed to by lpcbData. In this case, the contents of the lpData buffer are undefined. If the buffer specified by lpData parameter is not large enough to hold the data, the function returns ERROR_MORE_DATA and stores the required buffer size in the variable pointed to by lpcbData. There is in fact a STATUS_BUFFER_TOO_SMALL error code, but it’s used in situations where no data is copied to the caller’s buffer, whereas STATUS_BUFFER_OVERFLOW is used when some, but not all, available data has been copied.īuffer overflow errors in Regmon traces are relatively common. A commenter on the previous post pointed out that a better error for this case would be “buffer too small” or “more data available”, and I agree. Recall that a buffer overflow error in this context is not a security hole, but a way for the system to tell an application that there’s more data available in response to a query the application has made than can fit in the application’s output buffer. Now I’ll turn my attention to the same errors, but in Regmon traces. Last time I talked about buffer overflow errors that you might see in Filemon traces. First published on TechNet on Jun 04, 2005
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |