This device:

udav0 at uhub5 port 2 "ShanTou DM9601" rev 1.10/1.01 addr 2
udav0: address 00:60:6e:00:6e:20
amphy0 at udav0 phy 0: DM9601 10/100 PHY, rev. 0

causes a kernel crash with the following messages:

memcpy() at memcpy+0x16
usb_transfer_complete() at usb_transfer_complete+0x256
uhci_softintr() at uchi_softintr+0x40
softintr_dispatch() at softintr_dispatch+0x5d
end trace frame:0x0,count:-5

Using printf() with total_len shows that at certain times,
it is 54768, where it should be less than the maximum frame size.
Experimentally, the maximum value of total_len is 1514, but
in if_udavreg.h, it is 1536.

Index: src/sys/dev/usb/if_udav.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_udav.c,v
retrieving revision 1.51
diff -u -p -r1.51 if_udav.c
--- src/sys/dev/usb/if_udav.c 25 Jan 2011 20:03:35 -0000 1.51
+++ src/sys/dev/usb/if_udav.c 14 Mar 2011 12:17:40 -0000
@@ -1139,6 +1139,7 @@ udav_rxeof(usbd_xfer_handle xfer, usbd_p
}
if (total_len < sizeof(struct ether_header) ||
+ total_len > UDAV_MAX_MTU ||
h->pktstat & UDAV_RSR_ERR) {
ifp->if_ierrors++;
goto done;
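
Review bot: The added `total_len > UDAV_MAX_MTU ||` test bounds a device-supplied length by an MTU constant, but nothing in the hunk or the message shows that this constant matches the size of the buffer the later copy writes into. The message itself reports two different limits (1514 observed, 1536 in if_udavreg.h) without saying which of them UDAV_MAX_MTU is, so please state which limit the check enforces and why it is no larger than the receive buffer, or compare against the buffer size directly. The posted trace also places the faulting memcpy() under usb_transfer_complete() rather than udav_rxeof(), so the commit message should explain how an oversized total_len in udav_rxeof() reaches that copy, to confirm the check sits on the crashing path. A short comment above the condition noting that the length comes from the device and is untrusted would help later readers.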