USB: Fix descriptor count when handling invalid MBIM extended descriptor

In cdc_parse_cdc_header(), the check for the USB_CDC_MBIM_EXTENDED_TYPE
descriptor was using 'break' upon detecting an invalid length.

This was incorrect because 'break' only exits the switch statement,
causing the code to fall through to cnt++, thus incorrectly
incrementing the count of parsed descriptors for a descriptor that was
actually invalid and being discarded.

This patch changes 'break' to 'goto next_desc;' to ensure that the
logic skips the counter increment and correctly proceeds to the next
descriptor in the buffer. This maintains an accurate count of only
the successfully parsed descriptors.

Fixes: e4c6fb7794982 ("usbnet: move the CDC parser into USB core")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20250928185611.764589-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index d2b2787be4092ee25e48d82b9a4db3e934478b1a..6138468c67c4722ba606e794d28f20d56539cf85 100644 (file)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -2431,7 +2431,7 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
                        break;
                case USB_CDC_MBIM_EXTENDED_TYPE:
                        if (elength < sizeof(struct usb_cdc_mbim_extended_desc))
-                               break;
+                               goto next_desc;
                        hdr->usb_cdc_mbim_extended_desc =
                                (struct usb_cdc_mbim_extended_desc *)buffer;
                        break;