usb-host: don't dereference invalid iovecs

usb-host assumes the first iovec element is always valid. In case of a zero-length packet this isn't true though. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Gerd Hoffmann <kraxel@redhat.com> 2012-04-19 13:35:07 +0200
committer: Gerd Hoffmann <kraxel@redhat.com> 2012-04-26 12:21:16 +0200
commit: 818d59dc179b2861e49f3c6472787a23935aac0d (patch)
tree: 18c1f0565928752619be718950d6278ff51bc206 /hw/usb/host-linux.c
parent: 6d7aeeeb8985634a2015e804045a1ca52573ccc5 (diff)
download: focaccia-qemu-818d59dc179b2861e49f3c6472787a23935aac0d.tar.gz
focaccia-qemu-818d59dc179b2861e49f3c6472787a23935aac0d.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/usb/host-linux.c b/hw/usb/host-linux.c
index 061a1b7825..c3684c8f92 100644
--- a/hw/usb/host-linux.c
+++ b/hw/usb/host-linux.c
@@ -884,16 +884,16 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p)
     }
 
     v = 0;
-    prem = p->iov.iov[v].iov_len;
-    pbuf = p->iov.iov[v].iov_base;
+    prem = 0;
+    pbuf = NULL;
     rem = p->iov.size;
     while (rem) {
         if (prem == 0) {
-            v++;
             assert(v < p->iov.niov);
             prem = p->iov.iov[v].iov_len;
             pbuf = p->iov.iov[v].iov_base;
             assert(prem <= rem);
+            v++;
         }
         aurb = async_alloc(s);
         aurb->packet = p;
author	Gerd Hoffmann <kraxel@redhat.com>	2012-04-19 13:35:07 +0200
committer	Gerd Hoffmann <kraxel@redhat.com>	2012-04-26 12:21:16 +0200
commit	818d59dc179b2861e49f3c6472787a23935aac0d (patch)
tree	18c1f0565928752619be718950d6278ff51bc206 /hw/usb/host-linux.c
parent	6d7aeeeb8985634a2015e804045a1ca52573ccc5 (diff)
download	focaccia-qemu-818d59dc179b2861e49f3c6472787a23935aac0d.tar.gz focaccia-qemu-818d59dc179b2861e49f3c6472787a23935aac0d.zip