There is a code error here
In hw/usb/redirect.c, when function `usbredir_buffered_bulk_packet` calls function `bufp_alloc`, the parameter `data` uses an offset (data + i). But function `bufp_alloc` calls `free` to free the memory of parameter `data`.

```
static void usbredir_buffered_bulk_packet(...)
......
    for (i = 0; i < data_len; i += len) {
        int r;
        if (len >= (data_len - i)) {
            len = data_len - i;
            status = buffered_bulk_packet->status;
            free_on_destroy = data;
        }
        /* bufp_alloc also adds the packet to the ep queue */
        r = bufp_alloc(dev, data + i, len, status, ep, free_on_destroy);
        if (r) {
            break;
        }
    }
......
```

```
static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
    uint8_t status, uint8_t ep, void *free_on_destroy)
......
    if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
        if (dev->endpoint[EP2I(ep)].bufpq_size >
                dev->endpoint[EP2I(ep)].bufpq_target_size) {
            free(data);
            return -1;
        }
        dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
    }
......
```
issue
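
A small C model of the mismatch reported above, added here as an illustration and not taken from QEMU: `checked_free`, `drop_chunk`, `feed` and `drop_from` are hypothetical names, and the hardened branch (releasing `free_on_destroy` instead of `data`) is an assumption about how the drop path should behave, not the project's patch. It shows that the `free(data)` call is only harmless when `i == 0`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

static uint8_t *alloc_base;        /* the one live allocation in this model */
static int bad_frees, good_frees;  /* counters inspected by the caller */

/* Stand-in for free(): refuses anything that is not the allocation base. */
static void checked_free(void *p)
{
    if (p == NULL) return;                                 /* free(NULL) is a no-op */
    if (p != (void *)alloc_base) { bad_frees++; return; }  /* interior pointer */
    free(p);
    alloc_base = NULL;
    good_frees++;
}

/* Drop path of a bufp_alloc-like function; hardened == 0 mirrors the report. */
static int drop_chunk(uint8_t *data, void *free_on_destroy, int hardened)
{
    checked_free(hardened ? free_on_destroy : (void *)data);
    return -1;
}

/* Chunking loop shaped like the one in the report. Chunks with index >=
 * drop_from (hypothetical parameter) take the drop path. Returns bad_frees. */
static int feed(size_t data_len, size_t len, size_t drop_from, int hardened)
{
    uint8_t *data = malloc(data_len);   /* constructed sample buffer */
    void *free_on_destroy = NULL;
    size_t i, k = 0;

    if (data == NULL) return -1;
    alloc_base = data;
    bad_frees = good_frees = 0;
    for (i = 0; i < data_len; i += len, k++) {
        int r = 0;
        if (len >= data_len - i) {          /* last chunk owns the buffer */
            len = data_len - i;
            free_on_destroy = data;
        }
        if (k >= drop_from)
            r = drop_chunk(data + i, free_on_destroy, hardened);
        else
            checked_free(free_on_destroy);  /* queued; model frees at once */
        if (r) break;
    }
    free(alloc_base);                       /* model-only cleanup */
    alloc_base = NULL;
    return bad_frees;
}
```
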