From c4289d33165d82afc4779f3d148a49e57f96b454 Mon Sep 17 00:00:00 2001 From: Andre Muezerie Date: Wed, 20 May 2026 13:53:41 -0400 Subject: [PATCH] ndis: Harden QoS bytes calculation in netvmini control path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Replaced direct size arithmetic in NICSetQOSParameters with checked integer-safe operations. - Added overflow handling for classification table size computation: - Multiply NumClassificationElements × ClassificationElementSize via RtlULongMult. - Add the revision header size via RtlULongAdd. - Return NDIS_STATUS_INVALID_LENGTH when either checked operation fails, instead of relying on unchecked arithmetic. --- network/ndis/netvmini/6x/ctrlpath.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/network/ndis/netvmini/6x/ctrlpath.c b/network/ndis/netvmini/6x/ctrlpath.c index 6a745a360..f6131196b 100644 --- a/network/ndis/netvmini/6x/ctrlpath.c +++ b/network/ndis/netvmini/6x/ctrlpath.c @@ -20,6 +20,7 @@ Module Name: #include "netvmin6.h" +#include #include "ctrlpath.tmh" @@ -1671,6 +1672,9 @@ Return Value: do { + ULONG ClassificationBytes = 0; + ULONG BytesRead = 0; + // // Verify that the request matches our requirements. // @@ -1681,8 +1685,18 @@ Return Value: // // Request is well formed, set bytes read. // - Method->BytesRead = NDIS_SIZEOF_QOS_PARAMETERS_REVISION_1 + - Params->NumClassificationElements * Params->ClassificationElementSize; + if (!NT_SUCCESS(RtlULongMult(Params->NumClassificationElements, + Params->ClassificationElementSize, + &ClassificationBytes)) || + !NT_SUCCESS(RtlULongAdd(NDIS_SIZEOF_QOS_PARAMETERS_REVISION_1, + ClassificationBytes, + &BytesRead))) + { + Status = NDIS_STATUS_INVALID_LENGTH; + break; + } + + Method->BytesRead = BytesRead; Status = SetQOSParameters(Adapter, Params); if (Status != NDIS_STATUS_SUCCESS)