On 2017-02-13 23:38, ekohl@svn.reactos.org wrote:

• _SEH2_TRY
• {

•    Relations = RelationsData->Relations;
  

•    BufferSize = RelationsData->BufferSize;
  

•    Buffer = RelationsData->Buffer;
  

•    ProbeForWrite(RelationsData->Buffer,
  

•                  RelationsData->BufferSize,
  

•                  sizeof(CHAR));
  

• }

You need to use the local 'Buffer' and 'BufferSize' variables in the probe or you get a race condition.

• Status = IopInitiatePnpIrp(DeviceObject,

•                           &IoStatusBlock,
  

•                           IRP_MN_QUERY_DEVICE_RELATIONS,
  

•                           &Stack);
  

• if (!NT_SUCCESS(Status) || Status == STATUS_PENDING)
• {

•    DPRINT1("IopInitiatePnpIrp() failed (Status 0x%08lx)\n", Status);
  

•    goto done;
  

• }

Failing on STATUS_PENDING seems broken. IoStatusBlock will go out of scope and the DeviceRelations set by the driver will be leaked.

•    if (RequiredSize > 0)
  

•        RequiredSize += sizeof(WCHAR);
  

Not sure I understand the >0 condition.

Best, Thomas