From 818d59dc179b2861e49f3c6472787a23935aac0d Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 19 Apr 2012 13:35:07 +0200
Subject: usb-host: don't dereference invalid iovecs

usb-host assumes the first iovec element is always valid.
In case of a zero-length packet this isn't true though.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/host-linux.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/usb/host-linux.c b/hw/usb/host-linux.c
index 061a1b7..c3684c8 100644
--- a/hw/usb/host-linux.c
+++ b/hw/usb/host-linux.c
@@ -884,16 +884,16 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p)
     }
 
     v = 0;
-    prem = p->iov.iov[v].iov_len;
-    pbuf = p->iov.iov[v].iov_base;
+    prem = 0;
+    pbuf = NULL;
     rem = p->iov.size;
     while (rem) {
         if (prem == 0) {
-            v++;
             assert(v < p->iov.niov);
             prem = p->iov.iov[v].iov_len;
             pbuf = p->iov.iov[v].iov_base;
             assert(prem <= rem);
+            v++;
         }
         aurb = async_alloc(s);
         aurb->packet = p;
-- 
cgit v1.1