author | Gerd Hoffmann <kraxel@redhat.com> | 2012-04-19 13:35:07 +0200 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2012-04-26 12:21:16 +0200 |
commit | 818d59dc179b2861e49f3c6472787a23935aac0d (patch) | |
tree | 18c1f0565928752619be718950d6278ff51bc206 | |
parent | 6d7aeeeb8985634a2015e804045a1ca52573ccc5 (diff) | |

usb-host: don't dereference invalid iovecs

usb-host assumes the first iovec element is always valid.
In case of a zero-length packet this isn't true though.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

-rw-r--r-- | hw/usb/host-linux.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/usb/host-linux.c b/hw/usb/host-linux.c index 061a1b7..c3684c8 100644 --- a/hw/usb/host-linux.c +++ b/hw/usb/host-linux.c @@ -884,16 +884,16 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p) } v = 0; - prem = p->iov.iov[v].iov_len; - pbuf = p->iov.iov[v].iov_base; + prem = 0; + pbuf = NULL; rem = p->iov.size; while (rem) { if (prem == 0) { - v++; assert(v < p->iov.niov); prem = p->iov.iov[v].iov_len; pbuf = p->iov.iov[v].iov_base; assert(prem <= rem); + v++; } aurb = async_alloc(s); aurb->packet = p; |
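
Review bot: In the zero-length case the commit message names, `rem = p->iov.size` is 0, so the `while (rem)` body is skipped and no `aurb` is allocated in usb_host_handle_data(); the hunk does not show what the function does after the loop on that path. The commit message, or a comment above `prem = 0;`, should state whether a zero-length packet is meant to complete without any URB being submitted. Separately, the only bound on the index is still `assert(v < p->iov.niov)` ahead of the `p->iov.iov[v]` reads inside the `if (prem == 0)` block. An explicit check with an error return there would keep the bound in place in builds that compile assertions out, and would turn an inconsistent `p->iov.size` into a failed transfer rather than an abort.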