From: Gerd Hoffmann
Date: Thu, 19 Apr 2012 11:35:07 +0000 (+0200)
Subject: usb-host: don't dereference invalid iovecs
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=818d59dc179b2861e49f3c6472787a23935aac0d;p=qemu.git
usb-host: don't dereference invalid iovecs
usb-host assumes the first iovec element is always valid. In case of a zero-length packet this isn't true though.
Signed-off-by: Gerd Hoffmann
---
diff --git a/hw/usb/host-linux.c b/hw/usb/host-linux.c
index 061a1b7825..c3684c8f92 100644
--- a/hw/usb/host-linux.c
+++ b/hw/usb/host-linux.c
@@ -884,16 +884,16 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p)
 }
 v = 0;
- prem = p->iov.iov[v].iov_len;
- pbuf = p->iov.iov[v].iov_base;
+ prem = 0;
+ pbuf = NULL;
 rem = p->iov.size;
 while (rem) {
 if (prem == 0) {
- v++;
 assert(v < p->iov.niov);
 prem = p->iov.iov[v].iov_len;
 pbuf = p->iov.iov[v].iov_base;
 assert(prem <= rem);
+ v++;
 }
 aurb = async_alloc(s);
 aurb->packet = p;
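Review bot: For the zero-length packet the commit message describes, `rem` is 0, so the `while (rem)` loop is skipped entirely and none of the visible lines set up an URB for that packet; what the function does after the loop cannot be seen here, because usb_host_handle_data starts before and continues past this hunk. It is worth confirming that this path does not report the transfer as in flight when nothing was submitted. Separately, the two `assert()` calls are now the only visible guard on `p->iov.iov[v]`, and they presumably hold only while `p->iov.size` equals the sum of the element lengths. A short comment above the loop would make the new invariant explicit, e.g. `/* v is the next iovec element to load; prem == 0 forces the first load, so an empty iovec is never touched */`.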