Change Details

- buf_to_iov() does not use buflen parameter, allow out of bound read. - if seek argument > 0, buf_to_iov() leaks memory. - iov_to_buf() don't need to reallocate buffer for every segment. - there is no point to use size_t for iov counts, int is more then enough. - some iov function arguments can be constified. - pci_vtscsi_request_handle() used truncate_iov() incorrectly, allowing getting out of buffer and possibly corrupting data. - pci_vtscsi_controlq_notify() leaked one buffer per event.

- buf_to_iov() does not use buflen parameter, allowing out of bound read. - buf_to_iov() leaks memory if seek argument > 0. - iov_to_buf() doesn't need to reallocate buffer for every segment. - there is no point to use size_t for iov counts, int is more then enough. - some iov function arguments can be constified. - pci_vtscsi_request_handle() used truncate_iov() incorrectly, allowing getting out of buffer and possibly corrupting data. - pci_vtscsi_controlq_notify() written returned status at wrong offset. - pci_vtscsi_controlq_notify() leaked one buffer per event.

- buf_to_iov() does not use buflen parameter, allowing out of bound read. - buf_to_iov() leaks memory if seek argument > 0, buf_to_iov() leaks memory. - iov_to_buf() doesn't need to reallocate buffer for every segment. - there is no point to use size_t for iov counts, int is more then enough. - some iov function arguments can be constified. - pci_vtscsi_request_handle() used truncate_iov() incorrectly, allowing getting out of buffer and possibly corrupting data. - pci_vtscsi_controlq_notify() written returned status at wrong offset. - pci_vtscsi_controlq_notify() leaked one buffer per event.