2

I'm using ReadDirectoryChangesW (Windows API) asynchronously in combination with GetQueuedCompletionStatus. How can I detect a possible buffer overflow to understand that at least one file system change event has been lost?

mstrap
  • 16,808
  • 10
  • 56
  • 86

3 Answers3

2

When using ReadDirectoryChangesW asynchronously, you will get the first group of events, then you have to call it again for more events. Having more events than fit in your buffer is not an error. Having more events than fit in the OS-level buffer is the error condition, and you find out like so:

  1. Some event happens.
  2. The asynchronous operation started by ReadDirectoryChangesW completes successfully. Your buffer is filled, your event handle is set or the IOCP is triggered.
  3. Additional events happen, which are stored in the OS-level buffer.
  4. More additional events happen, which overflow the OS-level buffer. This doesn't change the status of the overlapped operation, which already succeeded at step 2.
  5. You wait on the event handle, or process the IOCP, and discover the completed OVERLAPPED call.
  6. You call ReadDirectoryChangesW again to begin an asynchronous overlapped operation checking for any events that happened since step 2. This call fails synchronously, with GetLastError() == ERROR_NOTIFY_ENUM_DIR, or succeeds with dwBytesTransferred == 0, since the documentation says this also means to re-enumerate the directory

If the number of bytes transferred is zero, the buffer was either too large for the system to allocate or too small to provide detailed information on all the changes that occurred in the directory or subtree. In this case, you should compute the changes by enumerating the directory or subtree.

Ben Voigt
  • 277,958
  • 43
  • 419
  • 720
  • Sounds interesting. Is this from your experience? Is there any documentation specifying this behavior? Might this be something which could have changed for more recent Windows versions? It's 5 years ago I was investigating `ReadDirectoryChangesW` behavior but I'm pretty sure that I didn't see any error indication by the synchronous call to `ReadDirectoryChangesW`. – mstrap Jul 24 '17 at 09:56
  • @mstrap: Actually I'm not entirely sure about #6. The documentation suggests that it might instead complete with `dwBytesTransferred == 0`. What I am sure about is that the error will be reporting on the subsequent call, since it happens after data is available to complete the first call. – Ben Voigt Jul 24 '17 at 14:08
0

You may not be able to accomplish your detections that way, but here is a great tutorial that may help.

You might also check out the answer to this other question.

Community
  • 1
  • 1
Jeff Wolski
  • 6,332
  • 6
  • 37
  • 69
-1

Judging from here, it seems like there is no such error code returned asynchronously.

Suggestion: Monitor for changes synchronously, but in a dedicated thread, and watch out for ERROR_NOTIFY_ENUM_DIR.

user541686
  • 205,094
  • 128
  • 528
  • 886