How did my hard drive turn into a TARDIS?


A customer observed that the entry for a network drive looked like this in My Computer, well, except that there was a network drive icon instead of ASCII art.

O Public (\\server) (S:)
 
 
3.81TB free of 2.5GB

How is it possible for a 2.5GB drive to have 3.81TB free?

While there have certainly been examples of Explorer showing confusing values, the reason for the strange results was, at least this time, not Explorer's fault.

This particular network drive actually reported (via GetDiskFreeSpaceEx) that it had more free space than total space. Explorer is dutifully reporting the information it was given, because it doesn't try to second-guess the file system. If a network drive wants to report that it is a TARDIS, then it's a TARDIS.
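The arithmetic behind that display, as an added example that is not part of the original post and is not Explorer's or the network redirector's real code. It is portable C, so it models the two 64-bit values GetDiskFreeSpaceEx returns rather than calling the API; the function names, the status enum and the 2.5 GB / 3.81 TB sample figures are assumptions constructed to resemble the screenshot. It shows the unsigned wraparound that turns "free > total" into a billion-percent-full drive, the clip to 100% that paints the bar red, the fail-instead-of-clip alternative (the "E_TARDIS" design) that the comments below argue about, and one commenter's 32-bit-truncation hypothesis for how a server could produce such numbers in the first place.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; not code from the original post and not the shell's or
 * the redirector's implementation. Function names, the status enum and
 * the sample numbers are assumptions made for illustration. */

#define KB 1024ULL
#define MB (1024ULL * KB)
#define GB (1024ULL * MB)
#define TB (1024ULL * GB)

/* The two GetDiskFreeSpaceEx outputs that matter here
 * (lpTotalNumberOfBytes and lpTotalNumberOfFreeBytes), both 64-bit. */
typedef struct {
    uint64_t total_bytes;
    uint64_t free_bytes;
} disk_space;

/* part * 100 / whole without overflowing 64 bits in the multiplication
 * (the remainder term can only overflow for whole above roughly 184 PB). */
static uint64_t scale_percent(uint64_t part, uint64_t whole)
{
    uint64_t q = part / whole, r = part % whole;
    return q * 100 + (r * 100) / whole;
}

/* The arithmetic the post describes: used = total - free. When free is
 * larger than total the unsigned subtraction wraps to a value near 2^64,
 * so the "percent full" comes out in the billions. */
uint64_t percent_full_raw(disk_space d)
{
    if (d.total_bytes == 0)
        return 0;
    uint64_t used = d.total_bytes - d.free_bytes; /* wraps when free > total */
    return scale_percent(used, d.total_bytes);
}

/* What the post says the shell does with the out-of-range value: clip it
 * to 100%, hence a solid red bar under "3.81TB free of 2.5GB". */
unsigned percent_full_clipped(disk_space d)
{
    uint64_t pct = percent_full_raw(d);
    return pct > 100 ? 100 : (unsigned)pct;
}

/* The alternative design from the comments: refuse to produce a number
 * (the thread's "E_TARDIS") instead of clipping, and let the caller
 * decide whether to draw a bar at all. */
typedef enum { SPACE_OK = 0, SPACE_E_INCONSISTENT = 1 } space_status;

space_status percent_full_checked(disk_space d, unsigned *pct)
{
    *pct = 0;
    if (d.total_bytes == 0 || d.free_bytes > d.total_bytes)
        return SPACE_E_INCONSISTENT;
    *pct = (unsigned)scale_percent(d.total_bytes - d.free_bytes, d.total_bytes);
    return SPACE_OK;
}

/* One commenter's hypothesis for how free can exceed total: the server
 * truncates the total to 32 bits while reporting free space in 64 bits.
 * A constructed 4 TB + 2.5 GB volume truncated this way reads as 2.5 GB,
 * because 4 TB is an exact multiple of 2^32. */
uint32_t total_truncated_to_32_bits(uint64_t total_bytes)
{
    return (uint32_t)total_bytes;
}

int main(void)
{
    /* Constructed to resemble the screenshot: 2.5 GB total, ~3.81 TB free. */
    disk_space tardis = { 5 * GB / 2, 3900 * GB };
    disk_space sane = { 5 * GB / 2, 1 * GB };
    unsigned pct;

    printf("raw percent full: %" PRIu64 "%%\n", percent_full_raw(tardis));
    printf("clipped: %u%%\n", percent_full_clipped(tardis));
    printf("checked: status=%d pct=%u\n", percent_full_checked(tardis, &pct), pct);
    printf("sane drive: status=%d pct=%u\n", percent_full_checked(sane, &pct), pct);
    printf("4 TB + 2.5 GB seen through a 32-bit total: %" PRIu32 " bytes\n",
           total_truncated_to_32_bits(4 * TB + 5 * GB / 2));
    return 0;
}
```

For the constructed TARDIS drive, `percent_full_raw` comes out a little under 6.9 billion percent, which is why the clipped bar is solid red while the text still says 3.81 TB free; `percent_full_checked` rejects the same input instead of clipping, and also treats a zero total as inconsistent so the division can never be reached. The truncation function is only a cast, included to show that a server returning a 32-bit total alongside a 64-bit free count produces exactly this kind of pair.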

Comments (44)
  1. Anonymous says:

    You went full TARDIS, man.  Never go full TARDIS.

  2. Anonymous says:

    LOL by far the funniest article I've seen in a while on here!!! On ya Raymond.

  3. Anonymous says:

    I'm guessing the real answer is that the server was truncating the drive size to 32 bits before returning it, while the available disk space (that everybody looks at) was fixed to be 64 bits ages ago when somebody first got a disk bigger than 4GB.

  4. Programmerman says:

    Windows Home Server (the one built on Server 2003) does this. It reports the size of one of the disks as the total size and the combined free space as the available space.

  5. Why's the bar red then?

    [Because the calculation of space used underflows and turns into a huge positive value, which means that the drive is a billion percent full. -Raymond]
  6. Anonymous says:

    While this sharpens the question somewhat, it doesn't answer it. Personally, I think the 32/64-bit truncation explanation is more likely than the WHS explanation since that would either require lots of disks, or possibly disks of very disparate sizes.

    [ rest of post deleted because Raymond was there first ]

  7. One could make an argument that inconsistent data should result in an error condition (could not determine drive space) rather than a confusing display (3.8 TB are free but the bar is red.)

    [At what point do you give up trying to defend against inconsistent data from a trusted component? -Raymond]
  8. Anonymous says:

    I used to see this daily when I was running WHS v1 at home. The "free space" was reported based upon the combined free space of the drive extended volume (which is spanned across multiple physical disks) — the "total space" was reported based upon the fixed size of the D: partition.

    In my case, I had 2×1.5TB and 2x2TB drives (in addition to the 1TB system drive). So it was not infrequent to see 2 – 3TB of free space on a .8TB network drive.

  9. > At what point do you give up trying to defend against inconsistent data from a trusted component?

    I don't understand this.  Every time you do a division, check for zero.  Every time you calculate a "disk full" percentage, check that it's in the range 0 to 100.  It doesn't matter where the numbers came from.

    If you're a performance bottleneck, the rules change, but that's not the case here. Premature optimization blah blah blah.

    [That's what the code did. It noticed that the percentage was out of range, so it clipped it to 100%. -Raymond]
  10. > At what point do you give up trying to defend against inconsistent data from a trusted component?

    I don't see how a network storage running on possibly third-party reverse-engineered software can be considered a trusted component.

    [It came in via the file system, which is trusted. (Because how can you defend against a rogue file system? "I issued a read request, and it formatted the drive!") -Raymond]
  11. I see… this is the difference between

    float PercentFull(float capacity, float used);

    and

    HRESULT PercentFull(float capacity, float used, float *pPercent);

  12. Anonymous says:

    [At what point do you give up trying to defend against inconsistent data from a trusted component? -Raymond]

    Since when do you trust removable media? [Insert obvious cheap shot about viruses here.]

    [We're not trusting the files on the media. We're trusting the driver. If you can't trust a driver, then you're doomed. -Raymond]
  13. [It came in via the file system, which is trusted. (Because how can you defend against a rogue file system? "I issued a read request, and it formatted the drive!") -Raymond]

    So combining the two, you get a rouge TARDIS?

    Anyway, with all the comments wondering about why Explorer does things like it does. I'm wondering what the commenters would do instead. Block access to the network share? Wouldn't that result in complaints, "Windows will not show my network share". With the percentage bar, what would people do differently? Make it empty, but surely that would result in complaints "My drive has data on there, but Explorer is showing it as empty, useless Explorer". The data is simply meaningless in this situation, so there is no good solution. Especially when the share used is a well trusted network share.

  14. > what the commenters would do instead

    Well, if it were me, I would display the usage and capacity information as reported, but simply not color the bar in at all, or perhaps do diagonal strips or something (similar to what Outlook does when you're trying to schedule a meeting with people but their Free/Busy information is not available.)

    Also note that GetDiskFreeSpace can fail.

    [That's an awful lot of work (adding a bitmap is expensive) for a fringe scenario. And how would you test it? -Raymond]
  15. Anonymous says:

    "So combining the two, you get a rouge TARDIS?" — Crescens2k

    And everyone knows the TARDIS is blue!

  16. [It came in via the file system, which is trusted. (Because how can you defend against a rogue file system? "I issued a read request, and it formatted the drive!") -Raymond]

    You have to trust the kernel code. The kernel code cannot trust the media, even the fixed disk. If a partition table contains bogus data, that should not cause the partmgr.sys to fail with a bugcheck. That's the point. For example, if you insert a USB device with bogus descriptors, USBHUB should not bugcheck (that was the case once).

    [And how would you test it? -Raymond]

    Using Microsoft Windows Home Server, of course.

  17. @alegr1

    The thing is, since this is via the network redirector, and the share is connected properly, this means that the file system driver on the server is up and running properly. If there were any problems, the partition would just fail to mount in the first place. In that case the share would just refuse to work and not even get this far. So the fact that everything is working implies that there are no problems that the driver would choke on.

    So you can't say for sure that this is a case of the driver just implicitly trusting the media. This is a network share so the server would be responsible for all of that. Since this is a share, it is a matter of sending and receiving packets over SMB or whatever NFS uses, and so it is as far removed from the physical media as it can get.

  18. I didn't say it would be worth changing, just that it would be a reasonable alternative design.

  19. I hope the Windows SMB client doesn't trust the server too much. What if the server sends malformed packets and that causes the memory corruption and arbitrary code execution?

    [That's the SMB driver's problem, not Explorer's. -Raymond]
  20. Anonymous says:

    alegr1:

    Using Microsoft Windows Home Server, of course.

    Feeling sharp?

  21. Anonymous says:

    Some people should check out security updates (patches) with SMB in the name and description. (Something always slips past SDL no matter what.)

  22. Anonymous says:

    Seems to me that doing lots of additional work (basically what Maurits proposes) for a case that shouldn't happen in the first place and if it happens only results in a slightly ugly looking GUI is a pretty bad idea. Yes, as soon as the team has finished doing everything else on their list, why not – but since that won't happen before 2025 (and that only if they stopped accepting new features and bugs right now) this seems like a sensible tradeoff.

    If the wrong data caused explorer to fail in some spectacular manner? Sure fix it, but "it shows a negative value and a full bar" is a pretty minor thing.. especially since the fix wouldn't be perfect either (hard to be perfect if you only have useless information available).

  23. Wow, I didn't think defensive programming was so controversial :-)

    About 2/3 of my code tends to be error handling.

  24. MikeBMcL says:

    @alegr1 I think the point Antonio Rodrigues was trying to make is that an SMB driver cannot possibly validate all data sent through it since it has no idea whether the data is an Excel spreadsheet, a plain text file, an EXE, a DLL, a log file, a virus being sent for analysis, an actual virus that will infect the computer, etc., etc., etc. It should validate that the packets conform to the SMB specs (and any other applicable specs), but beyond that it simply cannot validate every last bit of data because it doesn't know what that data is. (That's what antivirus software is for.)

    Windows must trust drivers otherwise your computer cannot ever use hardware at all. And Microsoft cannot make drivers for every possible piece of equipment that might ever exist, but they do have generic drivers that work fine for many major components (though good luck using a generic video driver; there's a reason that Safe Mode doesn't look very good).

  25. Anonymous says:

    "So combining the two, you get a rouge TARDIS?"

    The TARDIS is blue, how dare you.

  26. @Maurits

    I think Raymond's point is that there's a limit to the amount of effort that's worth investing into a hypercube's corner condition. Even though I can imagine how to test it (mock the network replies, give bad values back), if it doesn't crash, I doubt this would even make the MQ bar. Every feature is at -100 points, after all….

  27. Anonymous says:

    @Kzinti: a normally operating TARDIS may be blue, but this is a rogue one, so it may well be red…

  28. Anonymous says:

    I think many commenters are forgetting the obvious: a computer system is based on trust. It is a *system*, a set of components that work together to achieve an end (in this case, managing the hardware and letting the user run applications). And as in every system, there has to be some kind of trust between its components. The application trusts the Win32/Win64 subsystem, which in turn trusts the I/O manager, which trusts the filesystem driver, which trusts the filter driver(s) (if any), which trust the port driver, which trusts the miniport driver, which trusts the IDE/SATA/SCSI/SAS controller, which trusts the hard drive or SSD. Sometimes it's amazing to see all of this work reliably!

    The SMB client filesystem driver, of course, has to trust the information sent by the server over the network. It can (and must) do some sanity checks to avoid choking on corrupt or malformed packets, but has no way to test the validity of every individual value.

    That's what people don't understand. They go applying unofficial BIOS updates, drivers downloaded from who knows where, and overclocking the computer. Then it hangs or bluescreens, and of course, it's Windows' blame. I always use drivers from Microsoft or the manufacturer, and never install third party kernel-mode software or run the hardware outside its specifications, and I barely see a bluescreen in years, even if my computer is running 24/7.

  29. alegr1 says:

    Antonio Rodrigues,

    Even first tier OEMs (think *first*) could release BIOS and video drivers that would crash the system periodically at a very low level, without even allowing it to save a crashdump. There is no perfect IHV/ISV. Of course, one better buys devices that are supported by a generic inbox driver. I would not want a webcam that requires an IHV driver. Although I learned that the hard way.

    But an SMB client CANNOT trust a remote server. Any network information crosses the trust boundary, and is untrusted by definition. A user application can't do anything about validity of data, but the service has to validate all metadata.

  30. @alegr1

    What does this have to do with anything in the post? The post was about a funny situation where the network share server reported a free space value higher than the total space value. How is that showing any kind of trust? Just because Explorer is dutifully reporting what it was given, that doesn't mean anything about the level of trust involved in the SMB client. Also, any conversation about that is out of scope here since it has nothing to do with Explorer. Network shares are not controlled by Explorer after all, they are controlled by a completely different component of Windows.

    Also think about it, what could Explorer do in this situation? If the drive has already been mapped then that means the connection to the server has already been made, so nothing Explorer could do at this point would help any. Anyway, how long has SMB been around now? The NT driver was definitely in Windows NT 3, so we have had since the 1990s for people to come up with all sorts of attacks against the driver, and there have been many hotfixes for a long time. So I think by now Microsoft know that the SMB client and SMB server are a source of attacks. I also think that Microsoft don't trust the other end at all.

  31. @Everyone else concerning my TARDIS comment

    Erm, that rouge was meant to be rogue. So it was meant to be a rogue TARDIS

  32. Anonymous says:

    @Crescens2k: AFAIK, much of the filesharing stuff was rewritten with Vista, and IIRC, there was an exploit later that only affected Vista and Server 2008, but not older versions of Windows.

  33. Anonymous says:

    @Maurits – nothing wrong with defensive programming, but there are limits. Would you *really* write some simple feature like this one, in the assumption that you can't trust the information the kernel is supplying you?

  34. Anonymous says:

    @Maurits So how much of your time are you spending defensively programming against rare errors that lead to cosmetic problems? Yes that does seem controversial if you could at the same time fix, you know, errors that lead to the process crashing (explorer still does some of those).

  35. Anonymous says:

    [And how would you test it? -Raymond]

    You mean Windows Explorer isn't architected to allow unit testing and plugging in mock objects…?  :p

  36. Anonymous says:

    @Maurits

    It depends on your level of defensive programming. If by defensive programming, you mean that we should check inputs for conditions that could cause catastrophic failure (i.e. does this parameter that I intend to use as a divisor hold a value of 0) then I think there is no controversy. But if your idea of defensive programming, as it would seem by your comments, is to partially or fully re-implement some other layer's logic because other programmers are not to be trusted, then you've lost me and probably a whole lot of people.

    In this specific example, you are asking a UI layer to re-implement logic regarding permissible values which it has no control over, can not correct, and really can not anticipate every possible situation without itself being more intelligent about the inner workings of other layers of software and hardware. This is the UI layer after all. So, as Raymond pointed out, the only defensive logic it needs to implement is to check for values that are impossible to display (i.e. it can't display greater than 100% so clip it).

  37. Anonymous says:

    @Crescens2k: You could've said it was intentional: if it's a "rogue TARDIS" that's also red, well, c'est TARDIS rouge! (Please forgive my broken French!)

  38. Anonymous says:

    @alegr1: ‘Using Microsoft Windows Home Server, of course.’

    Thank you. It gave me a laugh, which I sorely needed.

  39. Anonymous says:

    I'd like to know what icon the underlined O is supposed to represent in the "ASCII art".

  40. Oh, good, there's already an HRESULT in play.

    The question is whether you want to return E_TARDIS to callers

    I think so, yes.

    Do you have confidence that every third party app can handle the case where a drive cannot report its percent full?

    I don't know.  I suppose if there was a popular third party app that didn't handle the case (maybe they don't even check the HRESULT) then we would have to shim it.  What does GetDetailsEx do if GetDiskFreeSpaceEx fails?  I suppose I could look it up…

  41. Anonymous says:

    @gabe – I think it's supposed to be the Windows networked drive icon. The drive with (what looks like) a 10base2 network cable running below/connected to it. (for example: img.lib.msu.edu/…/afsfiles.jpg)

    Maybe

    would have been clearer, but probably not.

  42. > partially or fully re-implement some other layer's logic

    I see…

    No, I'm definitely not suggesting that.  I infer from this thread (I haven't looked at the code) that there's a function somewhere that looks like this:

    float PercentFull(float capacity, float used);

    This is either clipping to 100% internally, or is returning a value that is being clipped in the client.

    What I'm suggesting instead is a function that looks like this:

    HRESULT PercentFull(float capacity, float used, float *pPercent);

    This would fail instead of clipping.  On failure, the client would skip the code that painted the "full" rectangle.  The client doesn't need to care *why* the percentage couldn't be calculated (because the capacity was zero, or used was > capacity, etc., etc.)

    I'm not suggesting that this scenario is compelling enough to merit a change to the existing implementation.

    [It's neither. The function is HRESULT IShellFolder::GetDetailsEx() where the requested property is PKEY_PercentFull. The question is whether you want to return E_TARDIS to callers. Do you have confidence that every third party app can handle the case where a drive cannot report its percent full? -Raymond]
  43. Since the output of GetDetailsEx is a VARIANT, another option is to return S_OK with a VT_EMPTY variant; this is idiomatic for "the disk doesn't have a 'fullness' property."  On the other hand this violates typeInfo.

Comments are closed.