Hi

On Thu, Jul 22, 2021 at 11:28 AM Gerd Hoffmann <kra...@redhat.com> wrote:
> data might point into the middle of a larger buffer, there is a separate > free_on_destroy pointer passed into bufp_alloc() to handle that. It is > only used in the normal workflow though, not when dropping packets due > to the queue being full. Fix that. > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491 > Signed-off-by: Gerd Hoffmann <kra...@redhat.com> > Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com> --- > hw/usb/redirect.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c > index 4ec9326e0582..1ec909a63a80 100644 > --- a/hw/usb/redirect.c > +++ b/hw/usb/redirect.c > @@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t > *data, uint16_t len, > if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) { > if (dev->endpoint[EP2I(ep)].bufpq_size > > dev->endpoint[EP2I(ep)].bufpq_target_size) { > - free(data); > + free(free_on_destroy); > return -1; > } > dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0; > -- > 2.31.1 > > > -- Marc-André Lureau
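Review bot: In the bufpq_dropping_packets branch, the early `return -1` now frees free_on_destroy, so bufp_alloc() consumes the caller's buffer on the drop path as well, but nothing in the hunk documents that ownership rule. A short comment at the free() call, or on the function, would help: it should say that bufp_alloc() always takes ownership of free_on_destroy, including when it returns -1, and that data may be an interior pointer and must never be passed to free(). That keeps callers from freeing the buffer a second time after the error return and makes a regression to `free(data)` easier to spot. The commit message says data "might point into the middle of a larger buffer"; it would be worth adding one sentence stating that the old code therefore called free() on a pointer that was not the start of an allocation, so the memory-safety impact is clear to anyone triaging the backport.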