Merge pull request #1386 from andremueiot/user/andremueiot/multiplication_converted_to_larger_type

5an7y-Microsoft · web-flow · commit c7ad9e81acd5 · 2026-05-21T12:50:22.000-07:00
NDIS: Harden QoS bytes calculation in netvmini control path
diff --git a/network/ndis/netvmini/6x/ctrlpath.c b/network/ndis/netvmini/6x/ctrlpath.c
@@ -20,6 +20,7 @@ Module Name:
 
 
 #include "netvmin6.h"
+#include <ntintsafe.h>
 #include "ctrlpath.tmh"
 
 
@@ -1671,6 +1672,9 @@ Return Value:
 
     do
     {
+        ULONG ClassificationBytes = 0;
+        ULONG BytesRead = 0;
+
         //
         // Verify that the request matches our requirements.
         //
@@ -1681,8 +1685,18 @@ Return Value:
         //
         // Request is well formed, set bytes read.
         //
-        Method->BytesRead = NDIS_SIZEOF_QOS_PARAMETERS_REVISION_1 +
-                            Params->NumClassificationElements * Params->ClassificationElementSize;
+        if (!NT_SUCCESS(RtlULongMult(Params->NumClassificationElements,
+                                     Params->ClassificationElementSize,
+                                     &ClassificationBytes)) ||
+            !NT_SUCCESS(RtlULongAdd(NDIS_SIZEOF_QOS_PARAMETERS_REVISION_1,
+                                    ClassificationBytes,
+                                    &BytesRead)))
+        {
+            Status = NDIS_STATUS_INVALID_LENGTH;
+            break;
+        }
+
+        Method->BytesRead = BytesRead;
 
         Status = SetQOSParameters(Adapter, Params);
         if (Status != NDIS_STATUS_SUCCESS)
