aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerd Hoffmann <kraxel@redhat.com>2012-04-19 13:35:07 +0200
committerGerd Hoffmann <kraxel@redhat.com>2012-04-26 12:21:16 +0200
commit818d59dc179b2861e49f3c6472787a23935aac0d (patch)
tree18c1f0565928752619be718950d6278ff51bc206
parent6d7aeeeb8985634a2015e804045a1ca52573ccc5 (diff)
downloadqemu-818d59dc179b2861e49f3c6472787a23935aac0d.zip
qemu-818d59dc179b2861e49f3c6472787a23935aac0d.tar.gz
qemu-818d59dc179b2861e49f3c6472787a23935aac0d.tar.bz2
usb-host: don't dereference invalid iovecs
usb-host assumes the first iovec element is always valid. In case of a zero-length packet this isn't true though. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r--hw/usb/host-linux.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/usb/host-linux.c b/hw/usb/host-linux.c
index 061a1b7..c3684c8 100644
--- a/hw/usb/host-linux.c
+++ b/hw/usb/host-linux.c
@@ -884,16 +884,16 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p)
}
v = 0;
- prem = p->iov.iov[v].iov_len;
- pbuf = p->iov.iov[v].iov_base;
+ prem = 0;
+ pbuf = NULL;
rem = p->iov.size;
while (rem) {
if (prem == 0) {
- v++;
assert(v < p->iov.niov);
prem = p->iov.iov[v].iov_len;
pbuf = p->iov.iov[v].iov_base;
assert(prem <= rem);
+ v++;
}
aurb = async_alloc(s);
aurb->packet = p;