microsoft · benhillis · Feb 10, 2026 · Feb 10, 2026 · Copilot · Feb 10, 2026
@@ -41,6 +41,8 @@ pub enum QueueError {
     TooLong,
     #[error("Invalid queue size {0}. Must be a power of 2.")]
     InvalidQueueSize(u16),
+    #[error("descriptor index {0} is out of range")]
+    InvalidDescriptorIndex(u16),
 }
 
 pub struct QueueDescriptor {
@@ -240,6 +242,10 @@ impl SplitQueueGetWork {
         mem: GuestMemory,
         params: QueueParams,
     ) -> Result<Self, QueueError> {
+        if params.size == 0 {
-        if params.size == 0 {
+        if !params.size.is_power_of_two() {
-        if params.size == 0 {
+        if !params.size.is_power_of_two() {
+            return Err(QueueError::InvalidQueueSize(params.size));
+        }
+
         let queue_avail = mem
             .subrange(
                 params.avail_addr,
@@ -313,13 +319,17 @@ impl SplitQueueGetWork {
     }
 
     pub fn get_available_descriptor_index(&self, wrapped_index: u16) -> Result<u16, QueueError> {
-        Ok(self
+        let desc_index = self
             .queue_avail
             .read_plain::<u16_le>(
                 spec::AVAIL_OFFSET_RING + spec::AVAIL_ELEMENT_SIZE * wrapped_index as u64,
             )
             .map_err(QueueError::Memory)?
-            .get())
+            .get();
+        if desc_index >= self.queue_size {
+            return Err(QueueError::InvalidDescriptorIndex(desc_index));
+        }
+        Ok(desc_index)
     }
 
     fn set_available_event(&self, index: u16) -> Result<(), QueueError> {