diff --git a/usr.sbin/bhyve/pci_virtio_scsi.c b/usr.sbin/bhyve/pci_virtio_scsi.c
--- a/usr.sbin/bhyve/pci_virtio_scsi.c
+++ b/usr.sbin/bhyve/pci_virtio_scsi.c
@@ -364,14 +364,27 @@
 	struct pci_vtscsi_ctrl_an *an;
 	uint32_t type;
 
+	if (bufsize < sizeof(uint32_t)) {
+		WPRINTF("ignoring truncated control request");
+		return (0);
+	}
+
 	type = *(uint32_t *)buf;
 
 	if (type == VIRTIO_SCSI_T_TMF) {
+		if (bufsize != sizeof(*tmf)) {
+			WPRINTF("ignoring tmf request with size %zu", bufsize);
+			return (0);
+		}
 		tmf = (struct pci_vtscsi_ctrl_tmf *)buf;
 		return (pci_vtscsi_tmf_handle(sc, tmf));
 	}
 
 	if (type == VIRTIO_SCSI_T_AN_QUERY) {
+		if (bufsize != sizeof(*an)) {
+			WPRINTF("ignoring AN request with size %zu", bufsize);
+			return (0);
+		}
 		an = (struct pci_vtscsi_ctrl_an *)buf;
 		return (pci_vtscsi_an_handle(sc, an));
 	}
@@ -468,6 +481,15 @@
 	uint32_t ext_data_len = 0, ext_sg_entries = 0;
 	int err, nxferred;
 
+	if (count_iov(iov_out, niov_out) < VTSCSI_OUT_HEADER_LEN(sc)) {
+		WPRINTF("ignoring request with insufficient output");
+		return (0);
+	}
+	if (count_iov(iov_in, niov_in) < VTSCSI_IN_HEADER_LEN(sc)) {
+		WPRINTF("ignoring request with incomplete header");
+		return (0);
+	}
+
 	seek_iov(iov_in, niov_in, data_iov_in, &data_niov_in,
 	    VTSCSI_IN_HEADER_LEN(sc));
 	seek_iov(iov_out, niov_out, data_iov_out, &data_niov_out,
@@ -477,7 +499,7 @@
 	truncate_iov(iov_out, &niov_out, VTSCSI_OUT_HEADER_LEN(sc));
 	iov_to_buf(iov_in, niov_in, (void **)&cmd_rd);
 
-	cmd_wr = malloc(VTSCSI_OUT_HEADER_LEN(sc));
+	cmd_wr = calloc(1, VTSCSI_OUT_HEADER_LEN(sc));
 	io = ctl_scsi_alloc_io(sc->vss_iid);
 	ctl_scsi_zero_io(io);