USB: fix buffer overflows with parsing CDC headers

				dev_dbg(&intf->dev, "extra CDC header\n");

				goto bad_desc;

			}

			if (len < sizeof(struct usb_cdc_header_desc))

				break;

			info->header = (void *) buf;

			if (info->header->bLength != sizeof(*info->header)) {

				dev_dbg(&intf->dev, "CDC header len %u\n",

			 */

			if (rndis) {

				struct usb_cdc_acm_descriptor *acm;

				if (len < sizeof(struct usb_cdc_acm_descriptor))

					break;

				acm = (void *) buf;

				if (acm->bmCapabilities) {

				dev_dbg(&intf->dev, "extra CDC union\n");

				goto bad_desc;

			}

			if (len < sizeof(struct usb_cdc_union_desc))

				break;

			info->u = (void *) buf;

			if (info->u->bLength != sizeof(*info->u)) {

				dev_dbg(&intf->dev, "CDC union len %u\n",

				dev_dbg(&intf->dev, "extra CDC ether\n");

				goto bad_desc;

			}

			if (len < sizeof(struct usb_cdc_ether_desc))

				break;

			info->ether = (void *) buf;

			if (info->ether->bLength != sizeof(*info->ether)) {

				dev_dbg(&intf->dev, "CDC ether len %u\n",

				dev_dbg(&intf->dev, "extra MDLM descriptor\n");

				goto bad_desc;

			}

			desc = (void *)buf;

			if (desc->bLength != sizeof(*desc))

		}

	}

	while (buflen > 0) {

	while (buflen >= 3) { /* minimum length making sense */

		elength = buffer[0];

		if (!elength) {

			dev_err(&intf->dev, "skipping garbage byte\n");

		case USB_CDC_HEADER_TYPE:

			break;

		case USB_CDC_DMM_TYPE:

			if (buflen < sizeof(struct usb_cdc_dmm_desc))

				break;

			dmhd = (struct usb_cdc_dmm_desc *)buffer;

			maxcom = le16_to_cpu(dmhd->wMaxCommand);

			dev_dbg(&intf->dev,