You are rebrowsing the *whole* list, yet the caller gave you an argument (DriverObjectListSize) that indicated to you how large his array is.

You should browse the minimum of the whole list while making sure that "Index" does not grow larger than DriverObjectListSize / sizeof(pointer).

Right now the function is overwriting memory possibly.

This is because
+    /* Then, check if given buffer is big enough to contain list */
+    if (ListSize > DriverObjectListSize / sizeof(PDRIVER_OBJECT))
+    {
+        Status = STATUS_BUFFER_TOO_SMALL;
+    }
+    else
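Review bot: the size check in this hunk turns a short caller buffer into a hard failure (STATUS_BUFFER_TOO_SMALL with nothing copied), whereas the documented contract quoted in this reply is that a too-small DriverObjectList receives as many driver object pointers as fit and ActualNumberDriverObjects still reports the full count. Suggest dropping the early-out here and instead clamping the copy index to DriverObjectListSize / sizeof(PDRIVER_OBJECT) during the second walk, so the full ListSize is reported while the write stays inside the caller's array.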

is incorrect. The function attempts to write as many entries as possible instead of failing.

As per the docs:

" Note that if the array at DriverObjectList is too small, the number of driver object pointers that are copied into the array will be less than ActualNumberDriverObjects."

--
Best regards,
Alex Ionescu
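An added example (mine, not code from the ReactOS tree) of the bounded copy the reply asks for: the whole queue is counted, but no more than DriverObjectListSize / sizeof(PDRIVER_OBJECT) pointers are written, and the reported count is still the full list length. The list, entry and status types are minimal stand-ins, and returning STATUS_BUFFER_TOO_SMALL after the partial copy is this example's assumption.

```c
#include <stddef.h>
/* Minimal stand-ins for the kernel types the patch uses (constructed here). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _DRIVER_OBJECT { int Id; } DRIVER_OBJECT, *PDRIVER_OBJECT;
typedef struct _FS_CHANGE_NOTIFY_ENTRY {
    LIST_ENTRY     FsChangeNotifyList;   /* link into the notify queue */
    PDRIVER_OBJECT DriverObject;         /* the registered filter driver */
} FS_CHANGE_NOTIFY_ENTRY;
#define STATUS_SUCCESS          0
#define STATUS_BUFFER_TOO_SMALL ((int)0xC0000023)
static void InitHead(LIST_ENTRY *Head) { Head->Flink = Head->Blink = Head; }
static void InsertTail(LIST_ENTRY *Head, LIST_ENTRY *E)   /* like InsertTailList */
{
    E->Flink = Head; E->Blink = Head->Blink; Head->Blink->Flink = E; Head->Blink = E;
}
/* Hypothetical stand-in for the enumeration: walk the whole queue to count it, but
 * write at most DriverObjectListSize / sizeof(PDRIVER_OBJECT) pointers. Returning
 * STATUS_BUFFER_TOO_SMALL after the partial copy is this example's assumption. */
int EnumerateFilters(LIST_ENTRY *Head, PDRIVER_OBJECT *DriverObjectList,
                     size_t DriverObjectListSize, size_t *ActualNumberDriverObjects)
{
    size_t Capacity = DriverObjectListSize / sizeof(PDRIVER_OBJECT);
    size_t Index = 0, Actual = 0;
    LIST_ENTRY *ListEntry;
    for (ListEntry = Head->Flink; ListEntry != Head; ListEntry = ListEntry->Flink)
    {
        FS_CHANGE_NOTIFY_ENTRY *Entry = (FS_CHANGE_NOTIFY_ENTRY *)ListEntry;
        Actual++;
        if (Index < Capacity)          /* bound the write by the caller's buffer */
            DriverObjectList[Index++] = Entry->DriverObject;
    }
    *ActualNumberDriverObjects = Actual;
    return (Actual > Capacity) ? STATUS_BUFFER_TOO_SMALL : STATUS_SUCCESS;
}
/* Demo: three registered filters, a caller array of Slots (0..3) entries plus a guard
 * slot. Returns the reported count, or -1 if a wrong pointer was copied or the guard
 * slot was overwritten. DemoStatus receives the status of the last call. */
int DemoStatus;
int DemoEnumerate(size_t Slots)
{
    LIST_ENTRY Head; FS_CHANGE_NOTIFY_ENTRY E[3]; DRIVER_OBJECT D[3], Guard;
    PDRIVER_OBJECT Buf[4] = { NULL, NULL, NULL, NULL };
    size_t Actual = 0, i;
    InitHead(&Head);
    for (i = 0; i < 3; i++) { D[i].Id = (int)i; E[i].DriverObject = &D[i]; InsertTail(&Head, &E[i].FsChangeNotifyList); }
    Buf[Slots] = &Guard;
    DemoStatus = EnumerateFilters(&Head, Buf, Slots * sizeof(PDRIVER_OBJECT), &Actual);
    for (i = 0; i < Slots; i++) if (Buf[i] != &D[i]) return -1;
    return (Buf[Slots] == &Guard) ? (int)Actual : -1;
}
```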

On 2011-06-02, at 1:43 PM, pschweitzer@svn.reactos.org wrote:

+        /* Rebrowse the whole list */
+        ListEntry = IopFsNotifyChangeQueueHead.Flink;
+        while (ListEntry != &IopFsNotifyChangeQueueHead)
+        {
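Review bot: the loop condition in this second walk stops only at the list head, so nothing visible here bounds the write into DriverObjectList by the caller's DriverObjectListSize; the hunk is cut off before the body, but as quoted the walk should also stop once the write index reaches DriverObjectListSize / sizeof(PDRIVER_OBJECT), for example `while (ListEntry != &IopFsNotifyChangeQueueHead && Index < DriverObjectListSize / sizeof(PDRIVER_OBJECT))`, with the full count from the first walk still handed back to the caller.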