diff --git a/drivers/net/usb/cdc-phonet.c b/drivers/net/usb/cdc-phonet.c
index 7d78669000d7..af49e8fcd711 100644
--- a/drivers/net/usb/cdc-phonet.c
+++ b/drivers/net/usb/cdc-phonet.c
@@ -343,9 +343,9 @@ int usbpn_probe(struct usb_interface *intf, const struct usb_device_id *id)
 
 	data = intf->altsetting->extra;
 	len = intf->altsetting->extralen;
-	while (len >= 3) {
+	while (len > 0) {
 		u8 dlen = data[0];
-		if (dlen < 3)
+		if ((len < dlen) || (dlen < 3 ))
 			return -EINVAL;
 
 		/* bDescriptorType */
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index a477d35a633c..2debdb1b3980 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -127,7 +127,13 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
 
 	memset(info, 0, sizeof(*info));
 	info->control = intf;
-	while (len > 3) {
+	while (len > 0) {
+
+		if ((len < buf[0]) || (buf[0] < 3)) {
+			dev_dbg(&intf->dev, "invalid descriptor buffer length\n");
+			goto bad_desc;
+		}
+
 		if (buf[1] != USB_DT_CS_INTERFACE)
 			goto next_desc;
 
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 12aaf1f4f890..95b616bf48f2 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -235,9 +235,14 @@ static int qmi_wwan_bind(struct usbnet *dev, struct usb_interface *intf)
 	info->data = intf;
 
 	/* and a number of CDC descriptors */
-	while (len > 3) {
+	while (len > 0) {
 		struct usb_descriptor_header *h = (void *)buf;
 
+		if ((len < buf[0]) || (buf[0] < 3)) {
+			dev_dbg(&intf->dev, "invalid descriptor buffer length\n");
+			goto err;
+		}
+
 		/* ignore any misplaced descriptors */
 		if (h->bDescriptorType != USB_DT_CS_INTERFACE)
 			goto next_desc;
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 4345837a6936..a69c12ba95ca 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1043,13 +1043,13 @@ static int acm_probe(struct usb_interface *intf,
 		}
 	}
 
-	while (buflen >= 3) { /* minimum length making sense */
+	while (buflen > 0) {
 		elength = buffer[0];
-		if (!elength) {
-			dev_err(&intf->dev, "skipping garbage byte\n");
-			elength = 1;
-			goto next_desc;
+		if ((buflen < buffer[0]) || (buffer[0] < 3)) {
+			dev_err(&intf->dev, "invalid descriptor buffer length\n");
+			break;
 		}
+
 		if (buffer[1] != USB_DT_CS_INTERFACE) {
 			dev_err(&intf->dev, "skipping garbage\n");
 			goto next_desc;
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index f61b5e138bc7..bf581c8090e3 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -841,7 +841,12 @@ static int wdm_probe(struct usb_interface *intf, const struct usb_device_id *id)
 
 	if (!buffer)
 		goto err;
-	while (buflen > 2) {
+	while (buflen > 0) {
+	        if ((buflen < buffer[0]) || (buffer[0] < 3)) {
+	                dev_err(&intf->dev, "invalid descriptor buffer length\n");
+	                goto err;
+	        }
+
 		if (buffer[1] != USB_DT_CS_INTERFACE) {
 			dev_err(&intf->dev, "skipping garbage\n");
 			goto next_desc;