Hi,
Jasper pointed out that the minimum length should be 1.
Plese test !
Index: src/sys/dev/usb/if_upl.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_upl.c,v
retrieving revision 1.47
diff -u -p -r1.47 if_upl.c
--- src/sys/dev/usb/if_upl.c 25 Jan 2011 20:03:35 -0000 1.47
+++ src/sys/dev/usb/if_upl.c 21 Mar 2011 18:51:02 -0000
@@ -494,6 +494,11 @@ upl_rxeof(usbd_xfer_handle xfer, usbd_pr
DPRINTFN(9,("%s: %s: enter status=%d length=%d\n",
sc->sc_dev.dv_xname, __func__, status, total_len));
+ if (total_len <= 1 || total_len > UPL_BUFSZ) {
+ ifp->if_ierrors++;
+ goto done;
+ }
+
m = c->upl_mbuf;
memcpy(mtod(c->upl_mbuf, char *), c->upl_buf, total_len);
