There is a code error here.
In hw/usb/redirect.c, when the function usbredir_buffered_bulk_packet
calls the function bufp_alloc,
the parameter data
is passed with an offset (data + i). But the function bufp_alloc
calls free()
on its data parameter, so for i > 0 it frees memory through a pointer that is not the start of the allocation.
static void usbredir_buffered_bulk_packet(...)
......
for (i = 0; i < data_len; i += len) {
int r;
if (len >= (data_len - i)) {
len = data_len - i;
status = buffered_bulk_packet->status;
free_on_destroy = data;
}
/* bufp_alloc also adds the packet to the ep queue */
r = bufp_alloc(dev, data + i, len, status, ep, free_on_destroy);
if (r) {
break;
}
}
......
static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len, uint8_t status, uint8_t ep, void *free_on_destroy)
......
if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
if (dev->endpoint[EP2I(ep)].bufpq_size >
dev->endpoint[EP2I(ep)].bufpq_target_size) {
free(data);
return -1;
}
dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
}
......