Hartmut Birr wrote:
I think the problem is a missing status check after a call to
ObReferenceXXX. The object is being deleted. The return value is an error and the object isn't referenced. Later the object gets one dereference call too many.
Yes, even looking at the code without my changes, there obviously have to be too many dereferences. Just think of the case where the parse routine returns STATUS_SUCCESS and returns a pointer to the next object. In this case the ObFindObject routine doesn't reference it (because it assumes the parsing routine does it (which is wrong), and this likely triggered the bug when handling symbolic links, which don't reference the next object pointer). In the next loop it might find another next object and dereference the previous one (which, in the case of symbolic links, wasn't referenced). Every time objects were parsed but there were deeper levels to be parsed, some objects might be dereferenced too often.
I think my patch should fix this problem, so someone who can reproduce it should give it a try.
Sorry for this bad description but I'm a bit in a hurry.
Best Regards, Thomas
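A constructed C model of the reference-counting mistake the two messages describe, added here as an illustration (it is not ReactOS code; the Obj type, the parse_*/walk_* routines and the OK/ERR_DELETED status codes are assumptions). It walks directory -> symbolic link -> target once trusting the parse routine to reference the next object while ignoring the ObReferenceXXX status, and once with the finder referencing the next object itself and checking that status.

```c
#include <stddef.h>
/* Constructed model of the object walk discussed in the thread; not ReactOS code. */
typedef struct Obj {
    int refs;              /* reference count */
    int deleting;          /* set once the object is being deleted */
    struct Obj *next;      /* object this one resolves to, NULL at the end of the path */
    int parse_references;  /* 1: its parse routine references next (directory-style), 0: it does not (symlink-style) */
} Obj;
enum { OK = 0, ERR_DELETED = 1 };   /* constructed status codes */

/* Models ObReferenceXXX: refuses to reference an object that is being deleted. */
static int ob_reference(Obj *o) { if (o->deleting) return ERR_DELETED; o->refs++; return OK; }
static void ob_dereference(Obj *o) { o->refs--; }

/* Parse routines as described: directory-style ones reference the next object, symlink-style ones do not. */
static Obj *parse_inconsistent(Obj *o) { if (o->next && o->parse_references) o->next->refs++; return o->next; }
/* Parse routine with the referencing taken out: it only resolves the next object. */
static Obj *parse_resolve_only(Obj *o) { return o->next; }

/* The walk as described: the finder ignores the reference status and assumes the parse
 * routine referenced the next object, so it only drops the previous one each iteration. */
static int walk_buggy(Obj *start, Obj **found) {
    Obj *cur = start, *next;
    (void)ob_reference(cur);                    /* status never checked */
    while ((next = parse_inconsistent(cur)) != NULL) {
        ob_dereference(cur);                    /* previous object dropped ... */
        cur = next;                             /* ... but next was never referenced after a symlink */
    }
    *found = cur;
    return OK;
}

/* Corrected walk: the finder references the next object itself, checks the status,
 * and releases what it holds if the object is being deleted. */
static int walk_fixed(Obj *start, Obj **found) {
    Obj *cur = start, *next;
    int status = ob_reference(cur);
    if (status != OK) return status;
    while ((next = parse_resolve_only(cur)) != NULL) {
        status = ob_reference(next);
        ob_dereference(cur);                    /* release the previous object either way */
        if (status != OK) return status;
        cur = next;
    }
    *found = cur;
    return OK;
}

/* Scenarios: directory -> symbolic link -> target; each returns the target's refcount or the walk status. */
static int scenario_buggy(void) { Obj t = {0}, l = {0, 0, &t, 0}, d = {0, 0, &l, 1}, *f; walk_buggy(&d, &f); return f->refs; }
static int scenario_fixed(void) { Obj t = {0}, l = {0, 0, &t, 0}, d = {0, 0, &l, 0}, *f; walk_fixed(&d, &f); return f->refs; }
static int scenario_fixed_deleting(void) { Obj t = {0, 1}, l = {0, 0, &t, 0}, d = {0, 0, &l, 0}, *f; return walk_fixed(&d, &f); }
```

In the buggy walk the caller ends up holding no reference to the target, so the dereference it performs later drives the count negative; the fixed walk leaves exactly one reference and backs out cleanly when the target is being deleted.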