Index: /trunk/src/VBox/Devices/USB/DrvVUSBRootHub.cpp
===================================================================
--- /trunk/src/VBox/Devices/USB/DrvVUSBRootHub.cpp	(revision 83616)
+++ /trunk/src/VBox/Devices/USB/DrvVUSBRootHub.cpp	(revision 83617)
@@ -380,4 +380,10 @@
     RT_NOREF(pszTag);
     PVUSBURBPOOL pUrbPool = &pRh->Hub.Dev.UrbPool;
+
+    if (RT_UNLIKELY(cbData > (32 * _1M)))
+    {
+        LogFunc(("Bad URB size (%u)!\n", cbData));
+        return NULL;
+    }
 
     if (!pDev)
Index: /trunk/src/VBox/Devices/USB/VUSBUrb.cpp
===================================================================
--- /trunk/src/VBox/Devices/USB/VUSBUrb.cpp	(revision 83616)
+++ /trunk/src/VBox/Devices/USB/VUSBUrb.cpp	(revision 83617)
@@ -703,4 +703,8 @@
     if (pExtra->cbMax < cbBuf + pSetupIn->wLength + sizeof(VUSBURBVUSBINT))
     {
+#if 1
+        LogRelMax(10, ("VUSB: Control URB too large (wLength=%u)!\n", pSetupIn->wLength));
+        return false;
+#else
         uint32_t cbReq = RT_ALIGN_32(cbBuf + pSetupIn->wLength + sizeof(VUSBURBVUSBINT), 1024);
         PVUSBCTRLEXTRA pNew = (PVUSBCTRLEXTRA)RTMemRealloc(pExtra, RT_UOFFSETOF_DYN(VUSBCTRLEXTRA, Urb.abData[cbReq]));
@@ -717,7 +721,14 @@
             pPipe->pCtrl = pExtra;
         }
+
+        PVUSBURBVUSB pOldVUsb = (PVUSBURBVUSB)&pExtra->Urb.abData[pExtra->cbMax - sizeof(VUSBURBVUSBINT)];
         pExtra->Urb.pVUsb = (PVUSBURBVUSB)&pExtra->Urb.abData[cbBuf + pSetupIn->wLength];
+        memmove(pExtra->Urb.pVUsb, pOldVUsb, sizeof(VUSBURBVUSBINT));
+        memset(pOldVUsb, 0, (uint8_t *)pExtra->Urb.pVUsb - (uint8_t *)pOldVUsb);
         pExtra->Urb.pVUsb->pUrb = &pExtra->Urb;
+        pExtra->Urb.pVUsb->pvFreeCtx = &pExtra->Urb;
         pExtra->cbMax = cbReq;
+
+#endif
     }
     Assert(pExtra->Urb.enmState == VUSBURBSTATE_ALLOCATED);