tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

USB: Fix descriptor count when handling invalid MBIM extended descriptor

In cdc_parse_cdc_header(), the check for the USB_CDC_MBIM_EXTENDED_TYPE
descriptor was using 'break' upon detecting an invalid length.

This was incorrect because 'break' only exits the switch statement,
causing the code to fall through to cnt++, thus incorrectly
incrementing the count of parsed descriptors for a descriptor that was
actually invalid and being discarded.

This patch changes 'break' to 'goto next_desc;' to ensure that the
logic skips the counter increment and correctly proceeds to the next
descriptor in the buffer. This maintains an accurate count of only
the successfully parsed descriptors.

Fixes: e4c6fb7794982 ("usbnet: move the CDC parser into USB core")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20250928185611.764589-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Seungjin Bae and committed by
Greg Kroah-Hartman 5570ad14 1c97fc90

+1 -1
+1 -1
drivers/usb/core/message.c
··· 2431 2431 break; 2432 2432 case USB_CDC_MBIM_EXTENDED_TYPE: 2433 2433 if (elength < sizeof(struct usb_cdc_mbim_extended_desc)) 2434 - break; 2434 + goto next_desc; 2435 2435 hdr->usb_cdc_mbim_extended_desc = 2436 2436 (struct usb_cdc_mbim_extended_desc *)buffer; 2437 2437 break;