windows api frequently sends a query security with a buffer len of 0
to figure out how big of buffer is needed for a security descriptor.
we send a getattr for acl attribute on the 1st irp, then cache the
returned security descriptor in fobx. on the 2nd query, if the buffer
is cached and it's not "stale", we return that buffer.
28992406a7