* ZDI-CAN-29089: New Vulnerability Report
@ 2026-02-10 16:54 zdi-disclosures
2026-02-10 16:56 ` ZDI-CAN-29088: " zdi-disclosures
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: zdi-disclosures @ 2026-02-10 16:54 UTC (permalink / raw)
To: ofono@lists.linux.dev; +Cc: secalert@redhat.com, security@kernel.org
[-- Attachment #1: Type: text/plain, Size: 5861 bytes --]
ZDI-CAN-29089: oFono MBIM SMS Handling Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability
-- CVSS -----------------------------------------
6.8: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
oFono - oFono
-- VULNERABILITY DETAILS ------------------------
* Version tested: 20.0.3
* Installer file: agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
* Platform tested: Raspberry Pi
---
### Analysis
Bug 3: Heap Overflow

The most impactful bug being chained together in this exploit is a heap-based buffer overflow in the MBIM device handling. The bug exists in the command_read_handler() function of the mbim.c file:

```
static bool command_read_handler(struct l_io *io, void *user_data)
{
	struct mbim_device *device = user_data;
	ssize_t len;
	uint32_t type;
	int fd;
	struct mbim_message_header *hdr;
	struct iovec iov[2];
	uint32_t n_iov = 0;
	uint32_t header_size;
	struct mbim_message *message;
	uint32_t i;

	fd = l_io_get_fd(io);

	if (device->header_offset < sizeof(struct mbim_message_header)) {
		if (!receive_header(device, fd))
			return false;

		if (device->header_offset != sizeof(struct mbim_message_header))
			return true;
	}

	hdr = (struct mbim_message_header *) device->header;
	type = L_LE32_TO_CPU(hdr->type);

	/* hdr->len is taken from the device as-is and seeds the byte count */
	if (device->segment_bytes_remaining == 0)
		device->segment_bytes_remaining =
			L_LE32_TO_CPU(hdr->len) -
			sizeof(struct mbim_message_header);

	if (type == MBIM_COMMAND_DONE || type == MBIM_INDICATE_STATUS_MSG)
		header_size = HEADER_SIZE;
	else
		header_size = sizeof(struct mbim_message_header);

	/* Put the rest of the header into the first chunk */
	if (device->header_offset < header_size) {
		iov[n_iov].iov_base = device->header + device->header_offset;
		iov[n_iov].iov_len = header_size - device->header_offset;
		n_iov += 1;
	}

	l_util_debug(device->debug_handler, device->debug_data,
			"hdr->len: %u, header_size: %u, header_offset: %zu",
			L_LE32_TO_CPU(hdr->len), header_size,
			device->header_offset);
	l_util_debug(device->debug_handler, device->debug_data,
			"segment_bytes_remaining: %zu",
			device->segment_bytes_remaining);

	/* Both the destination offset and the read length derive from hdr->len */
	iov[n_iov].iov_base = device->segment + L_LE32_TO_CPU(hdr->len) -
					device->header_offset -
					device->segment_bytes_remaining;
	iov[n_iov].iov_len = device->segment_bytes_remaining -
				(header_size - device->header_offset);
	n_iov += 1;

	len = L_TFR(readv(fd, iov, n_iov));
```

In the code above, the vulnerability is that the hdr->len field specified by the user is totally trusted and then used to set the device->segment_bytes_remaining field, which is used for keeping track of data to read into the MBIM session. Further below in the function this can be used to cause a heap overflow in the readv() call. The segment_bytes_remaining field is used to set the iov_len field of the iovec which is passed to readv(). readv() is then used to read from the mbim character device into the iovec object's iov_base pointer, of size iov_len. This vulnerability allows an unbounded heap overflow into a pointer whose allocation size can be determined by a CDC descriptor.
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Rob Blakely working with TrendAI Zero Day Initiative
-- FURTHER DETAILS ------------------------------
Supporting files:
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.
Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
Zero Day Initiative
zdi-disclosures@trendmicro.com
The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
Please contact us for further details or refer to:
http://www.zerodayinitiative.com
-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
For details about what personal information we collect and why, please see our Privacy Notice on our website at: [ https://www.trendmicro.com/privacy]
[-- Attachment #2: ZDI-CAN-29089.zip --]
[-- Type: application/x-zip-compressed, Size: 288753 bytes --]
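A defender's check for the length field discussed in this report, written here as an added example rather than code from the report or from oFono. It models the constants the report names (MAX_CONTROL_TRANSFER of 4096 and a segment buffer of max_segment_size - HEADER_SIZE); HEADER_SIZE = 20, the MBIM_COMMAND_DONE type value and all function names are assumptions. The point it makes is that capping hdr->len at 4096 alone is not enough: the buffer is sized from the CDC descriptor, so the payload must be bounded by that allocation, and a length shorter than the header must be rejected so the subtraction into segment_bytes_remaining cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MAX_CONTROL_TRANSFER = 4096 and the "max_segment_size - HEADER_SIZE"
 * allocation come from the report.  HEADER_SIZE = 20 (12-byte MBIM header
 * plus the two 4-byte fragment fields) is an assumption about oFono's
 * constant, not a value stated in the report. */
#define MAX_CONTROL_TRANSFER 4096u
#define HEADER_SIZE          20u
#define MBIM_COMMAND_DONE    0x80000003u   /* MBIM message type, per the MBIM spec */

/* Wire layout of the 12-byte MBIM message header (all little-endian). */
struct mbim_message_header {
	uint32_t type;
	uint32_t len;
	uint32_t tid;
};

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/* Size of the segment buffer the report says oFono allocates for a given
 * wMaxControlMessage descriptor value. */
size_t mbim_segment_alloc_size(uint32_t max_segment_size)
{
	if (max_segment_size > MAX_CONTROL_TRANSFER)
		max_segment_size = MAX_CONTROL_TRANSFER;
	if (max_segment_size <= HEADER_SIZE)
		return 0;   /* no usable payload space; refuse such a device */
	return max_segment_size - HEADER_SIZE;
}

/*
 * Validate the MessageLength of a received header before it feeds any
 * buffer arithmetic.  header_size is the number of leading bytes the read
 * handler keeps out of the segment (12 or 20 depending on the type) and
 * segment_alloc is the size of device->segment.  Returns 0 when safe:
 *   -1  shorter than the header: "len - header_size" would wrap
 *   -2  longer than any control transfer the device may send
 *   -3  the payload would not fit the descriptor-sized segment buffer
 */
int mbim_check_message_len(const uint8_t *raw_hdr, uint32_t header_size,
			   size_t segment_alloc)
{
	uint32_t len = get_le32(raw_hdr + offsetof(struct mbim_message_header, len));

	if (len < header_size)
		return -1;
	if (len > MAX_CONTROL_TRANSFER)
		return -2;
	if ((size_t)(len - header_size) > segment_alloc)
		return -3;
	return 0;
}

/* Build a constructed header with the given fields and run the check on it. */
int mbim_check_len_value(uint32_t type, uint32_t len, uint32_t header_size,
			 size_t segment_alloc)
{
	uint8_t hdr[sizeof(struct mbim_message_header)];

	put_le32(hdr + offsetof(struct mbim_message_header, type), type);
	put_le32(hdr + offsetof(struct mbim_message_header, len), len);
	put_le32(hdr + offsetof(struct mbim_message_header, tid), 1);
	return mbim_check_message_len(hdr, header_size, segment_alloc);
}

int main(void)
{
	/* Constructed descriptor value: a modem announcing 512-byte control messages. */
	size_t alloc = mbim_segment_alloc_size(512);
	uint32_t lens[] = { 4, 500, 4096, 4097 };

	printf("segment buffer: %zu bytes\n", alloc);
	for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
		printf("len %4u -> %d\n", (unsigned)lens[i],
		       mbim_check_len_value(MBIM_COMMAND_DONE, lens[i], HEADER_SIZE, alloc));
	return 0;
}
```

For a modem announcing 512-byte control messages the segment buffer is 492 bytes; a header claiming 4096 bytes passes a bare MAX_CONTROL_TRANSFER comparison yet fails the allocation bound, and a header claiming 4 bytes is rejected before its length could wrap.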
* ZDI-CAN-29088: New Vulnerability Report
From: zdi-disclosures @ 2026-02-10 16:56 UTC (permalink / raw)
To: ofono@lists.linux.dev; +Cc: secalert@redhat.com, security@kernel.org
[-- Attachment #1: Type: text/plain, Size: 5845 bytes --]
ZDI-CAN-29088: oFono QMI MBIM SMS Handling Uncontrolled Resource Consumption Denial-of-Service Vulnerability
-- CVSS -----------------------------------------
2.4: AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
oFono - oFono
-- VULNERABILITY DETAILS ------------------------
* Version tested: 20.0.3
* Installer file: agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
* Platform tested: Raspberry Pi
---
### Analysis
Bug 2: Memory Exhaustion

The MBIM device receives all of its data into a pointer called "segment" which belongs to the mbim_device structure. There are two times at which this segment object is allocated via l_malloc. The first time is in a call to mbim_device_new() when the MBIM device initializes. The second time is in command_read_handler() when handling incoming MBIM data. The size used in both of these allocations is the device->max_segment_size field, which is set by a CDC device descriptor which is used to specify the size of MBIM segments.

The following code shows the initial segment pointer allocation. If the size is greater than the MAX_CONTROL_TRANSFER size of 4096, it's truncated to that size:

```
struct mbim_device *mbim_device_new(int fd, uint32_t max_segment_size)
{
	struct mbim_device *device;

	if (fd < 0)
		return NULL;

	device = l_new(struct mbim_device, 1);

	if (max_segment_size > MAX_CONTROL_TRANSFER)
		max_segment_size = MAX_CONTROL_TRANSFER;

	device->max_segment_size = max_segment_size;
	device->max_outstanding = 1;
	device->next_tid = 1;
	device->next_notification = 1;
	device->segment = l_malloc(max_segment_size - HEADER_SIZE);
```

The max_segment_size variable passed to mbim_device_new() is originally set during mbim_parse_descriptors:

```
	md->max_segment = L_LE16_TO_CPU(desc->wMaxControlMessage);
```

The following code in mbim.c shows when the segment is re-allocated after adding a header for assembly.

```
	device->header_offset = 0;
	message = message_assembly_add(device->assembly, device->header,
					device->segment,
					L_LE32_TO_CPU(hdr->len) - header_size);
	/* Unconditional re-allocation, whether or not the call above took the segment */
	device->segment = l_malloc(device->max_segment_size - HEADER_SIZE);
```

The vulnerability lies in the fact that message_assembly_add() is responsible for freeing the segment pointer before it gets re-allocated immediately after. Inside of message_assembly_add there are message types that can cause the function to return NULL early, which never frees the segment pointer even though it's guaranteed to be re-allocated even on a NULL return. This behavior can be used to cause a memory leak/exhaustion, where sending MBIM messages of a certain header type will keep triggering new allocations that are never freed, also known as dangling pointers. This vulnerability is critical for the exploit which is shown later in this paper.

This is the code in message_assembly_add() which will immediately return NULL when the MBIM type does not match MBIM_COMMAND_DONE or MBIM_INDICATE_STATUS_MSG:

```
	if (type != MBIM_COMMAND_DONE && type != MBIM_INDICATE_STATUS_MSG)
		return NULL;
```
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Rob Blakely working with TrendAI Zero Day Initiative
[-- Attachment #2: ZDI-CAN-29088.zip --]
[-- Type: application/x-zip-compressed, Size: 288753 bytes --]
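An added example, not the report's or oFono's code, modelling the ownership mismatch this report describes: a stand-in for message_assembly_add() that consumes the buffer only when it accepts the message, the unconditional re-allocation pattern quoted above beside a corrected one, and an allocation counter so the leak shows up as a number rather than as a growing process. HEADER_SIZE = 20, the MBIM type values and the function names are assumptions; the real function keeps the segment inside the assembly rather than freeing it, which the model represents as a free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* From the report: segments are allocated as max_segment_size - HEADER_SIZE,
 * and message_assembly_add() returns NULL for any type other than these two.
 * HEADER_SIZE = 20 and the type values (MBIM spec) are assumptions. */
#define HEADER_SIZE              20u
#define MBIM_COMMAND_MSG         0x00000003u
#define MBIM_COMMAND_DONE        0x80000003u
#define MBIM_INDICATE_STATUS_MSG 0x80000007u

/* Allocation accounting so the leak is visible without an external tool. */
static long live_segments;

static void *segment_alloc(size_t n)
{
	live_segments++;
	return malloc(n);
}

static void segment_free(void *p)
{
	if (p) {
		live_segments--;
		free(p);
	}
}

struct device {
	uint32_t max_segment_size;
	void *segment;
};

/*
 * Model of message_assembly_add(): the segment changes owner only when the
 * message is accepted.  On the early "return NULL" path the caller still
 * owns the buffer and must deal with it.
 */
static bool assembly_add(uint32_t type, void *segment)
{
	if (type != MBIM_COMMAND_DONE && type != MBIM_INDICATE_STATUS_MSG)
		return false;        /* early return: segment untouched */

	segment_free(segment);       /* accepted: the assembly owns it now */
	return true;
}

/* The pattern from the report: reallocate regardless of the outcome. */
void handle_message_leaky(struct device *d, uint32_t type)
{
	bool accepted = assembly_add(type, d->segment);

	(void)accepted;
	d->segment = segment_alloc(d->max_segment_size - HEADER_SIZE);
}

/* Corrected pattern: release the buffer ourselves when it was not consumed
 * (reusing it and skipping the allocation would be equally correct). */
void handle_message_fixed(struct device *d, uint32_t type)
{
	bool accepted = assembly_add(type, d->segment);

	if (!accepted)
		segment_free(d->segment);
	d->segment = segment_alloc(d->max_segment_size - HEADER_SIZE);
}

/*
 * Push n messages of one type through a handler and return how many segment
 * buffers are still allocated afterwards.  The device's current segment is
 * released first, so a correct handler always leaves exactly 0.
 */
long run_messages(void (*handler)(struct device *, uint32_t),
		  uint32_t type, int n)
{
	struct device d = { .max_segment_size = 512 };  /* constructed descriptor value */

	live_segments = 0;
	d.segment = segment_alloc(d.max_segment_size - HEADER_SIZE);
	for (int i = 0; i < n; i++)
		handler(&d, type);
	segment_free(d.segment);
	return live_segments;
}

int main(void)
{
	printf("leaky handler, 1000 MBIM_COMMAND_MSG: %ld buffers leaked\n",
	       run_messages(handle_message_leaky, MBIM_COMMAND_MSG, 1000));
	printf("fixed handler, 1000 MBIM_COMMAND_MSG: %ld buffers leaked\n",
	       run_messages(handle_message_fixed, MBIM_COMMAND_MSG, 1000));
	return 0;
}
```

With the leaky pattern every rejected message leaves one more buffer behind, so the count grows linearly with the number of messages; with accepted types, or with the corrected pattern, it stays at zero. The same counter approach (or a heap profiler) is how a fix for this class of bug should be verified, since the leak produces no crash and no log line.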
* ZDI-CAN-28993: New Vulnerability Report
From: zdi-disclosures @ 2026-02-10 16:57 UTC (permalink / raw)
To: ofono@lists.linux.dev; +Cc: secalert@redhat.com, security@kernel.org
[-- Attachment #1: Type: text/plain, Size: 5144 bytes --]
ZDI-CAN-28993: oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability
-- CVSS -----------------------------------------
2.4: AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
oFono - oFono
-- VULNERABILITY DETAILS ------------------------
* Version tested: 20.0.3
* Installer file: agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
* Platform tested: Raspberry Pi
---
### Analysis
Bug 1: Memory Leak

Bug 1 exists in the file /drivers/qmimodem/sms.c of the ofono repository in the get_msg_list_cb function. There was previously a memory leak in this function that was discovered and patched. However, there is a vulnerability in the patched implementation, leading to a similar memory leak vulnerability.

The following check was introduced to fix the previous vulnerability:

```
	list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length);
	if (list == NULL) {
		DBG("Err: get msg list empty");
		goto done;
	}

	cnt = L_LE32_TO_CPU(list->cnt);
	DBG("msgs found %d", cnt);

	/* Consistency check of cnt against the TLV length reported by the parser */
	msg_size = cnt * sizeof(list->msg[0]);
	if (length != sizeof(list->cnt) + msg_size) {
		DBG("Err: invalid msg list count");
		goto done;
	}
```

The issue in the new implementation is that the length variable is set by any user-specified size in a TLV which is parsed by tlv_get():

```
static const void *tlv_get(const void *data, uint16_t size,
				uint8_t type, uint16_t *length)
{
	const void *ptr = data;
	uint16_t len = size;

	while (len > QMI_TLV_HDR_SIZE) {
		const struct qmi_tlv_hdr *tlv = ptr;
		uint16_t tlv_length = L_LE16_TO_CPU(tlv->length);

		/* tlv_length is never compared against the bytes remaining in the message */
		if (tlv->type == type) {
			if (length)
				*length = tlv_length;

			return ptr + QMI_TLV_HDR_SIZE;
		}

		ptr += QMI_TLV_HDR_SIZE + tlv_length;
		len -= QMI_TLV_HDR_SIZE + tlv_length;
	}

	return NULL;
}
```

This new bug allows a user to lie about the TLV size of the message actually delivered to satisfy the check. If you notice, the TLV length stored and returned can be of any u16 value; it's not validated to actually match the message length!

The behavior that this then creates is an out-of-bounds read of stack data when the "cnt" value is later on used for a memcpy size. This buffer is then used by ofono as a list of SMS indexes to perform reads upon. The QMI driver will then continuously leak 5 bytes at a time of that buffer until it's worked through the entire buffer.
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Rob Blakely working with TrendAI Zero Day Initiative
[-- Attachment #2: ZDI-CAN-28993.zip --]
[-- Type: application/x-zip-compressed, Size: 288753 bytes --]
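A length-checked replacement for the TLV walker quoted in this report, added here as an example and not taken from the report or from oFono. tlv_get_checked() refuses any TLV whose claimed length exceeds the bytes left in the delivered message, and parse_msg_list() then applies the count check the report quotes on top of it, so the check finally compares cnt against data that was actually received. The TLV type value, the function names, the 5-byte entry size (taken from the report's "5 bytes at a time") and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A QMI TLV header is a 1-byte type followed by a 2-byte little-endian length. */
#define QMI_TLV_HDR_SIZE 3
/* The real QMI_WMS_RESULT_MSG_LIST value is not in the report; this is a
 * constructed placeholder used only for the sample messages below. */
#define MSG_LIST_TLV_TYPE 0x01
/* Bytes per list entry, matching the "5 bytes at a time" figure in the report. */
#define MSG_ENTRY_SIZE 5u

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/*
 * Length-validated TLV lookup.  Every TLV's claimed length is checked against
 * the bytes actually remaining in the delivered message before it is returned
 * or skipped, so a TLV announcing more payload than exists yields NULL instead
 * of handing the caller a pointer with an oversized length.
 */
const uint8_t *tlv_get_checked(const uint8_t *data, uint16_t size,
			       uint8_t type, uint16_t *length)
{
	const uint8_t *ptr = data;
	size_t remaining = size;

	while (remaining >= QMI_TLV_HDR_SIZE) {
		uint8_t tlv_type = ptr[0];
		uint16_t tlv_length = get_le16(ptr + 1);

		if ((size_t)tlv_length > remaining - QMI_TLV_HDR_SIZE)
			return NULL;     /* truncated or lying TLV */

		if (tlv_type == type) {
			if (length)
				*length = tlv_length;
			return ptr + QMI_TLV_HDR_SIZE;
		}

		ptr += QMI_TLV_HDR_SIZE + tlv_length;
		remaining -= QMI_TLV_HDR_SIZE + tlv_length;
	}
	return NULL;
}

/*
 * The count check from the report, on top of the validated lookup.  Returns 0
 * and sets *cnt_out on success, -1 if the list TLV is absent or truncated,
 * -2 if the count disagrees with the TLV's payload length.
 */
int parse_msg_list(const uint8_t *msg, uint16_t size, uint32_t *cnt_out)
{
	uint16_t length = 0;
	const uint8_t *list = tlv_get_checked(msg, size, MSG_LIST_TLV_TYPE, &length);
	uint32_t cnt;

	if (!list)
		return -1;
	if (length < 4)
		return -2;
	cnt = get_le32(list);
	if (cnt > (length - 4u) / MSG_ENTRY_SIZE)   /* bound cnt before multiplying */
		return -2;
	if (length != 4u + cnt * MSG_ENTRY_SIZE)
		return -2;
	*cnt_out = cnt;
	return 0;
}

/* Constructed response: one list TLV whose header claims claimed_len bytes,
 * followed by cnt and entries_present 5-byte entries.  Returns bytes written. */
size_t build_msg_list(uint8_t *out, size_t cap, uint16_t claimed_len,
		      uint32_t cnt, size_t entries_present)
{
	size_t need = QMI_TLV_HDR_SIZE + 4 + entries_present * MSG_ENTRY_SIZE;

	if (need > cap)
		return 0;
	out[0] = MSG_LIST_TLV_TYPE;
	put_le16(out + 1, claimed_len);
	put_le32(out + 3, cnt);
	memset(out + 7, 0xAA, entries_present * MSG_ENTRY_SIZE);
	return need;
}

/* Build a sample with the given fields and return parse_msg_list()'s verdict. */
int check_sample(uint16_t claimed_len, uint32_t cnt, size_t entries_present)
{
	uint8_t buf[256];
	uint32_t parsed = 0;
	size_t n = build_msg_list(buf, sizeof buf, claimed_len, cnt, entries_present);

	return n ? parse_msg_list(buf, (uint16_t)n, &parsed) : -99;
}

int main(void)
{
	printf("honest list, 2 entries:       %d\n", check_sample(14, 2, 2));
	printf("claims 200 entries, sends 2:  %d\n", check_sample(1004, 200, 2));
	printf("count disagrees with length:  %d\n", check_sample(14, 3, 2));
	return 0;
}
```

The second sample is the shape the report describes: a TLV length of 4 + 200 * 5 that satisfies the count check arithmetically while only 17 bytes were delivered; the original tlv_get() would return it, the checked version rejects it. The loop condition is `>=` rather than the original `>` so that an empty TLV sitting exactly at the end of the message is still found.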
* Re: ZDI-CAN-29089: New Vulnerability Report
From: Willy Tarreau @ 2026-02-10 17:01 UTC (permalink / raw)
To: zdi-disclosures@trendmicro.com
Cc: ofono@lists.linux.dev, secalert@redhat.com, security@kernel.org
Hello,
On Tue, Feb 10, 2026 at 04:54:46PM +0000, zdi-disclosures@trendmicro.com wrote:
> ZDI-CAN-29089: oFono MBIM SMS Handling Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability
>
> -- CVSS -----------------------------------------
>
> 6.8: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
> -- ABSTRACT -------------------------------------
>
> Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
> oFono - oFono
>
> -- VULNERABILITY DETAILS ------------------------
> * Version tested:20.0.3
> * Installer file:agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
> * Platform tested:Raspberry Pi
(...)
Please note that none of these 3 reports concern code in the Linux
kernel, so security@kernel.org can be dropped from future exchanges.
Thanks,
Willy
* RE: ZDI-CAN-29089: New Vulnerability Report
From: zdi-disclosures @ 2026-03-12 19:13 UTC (permalink / raw)
To: Willy Tarreau; +Cc: ofono@lists.linux.dev, secalert@redhat.com
Hello Willy,
Noted, thank you!
Any updates on this issue?
Thanks,
ZDI
-----Original Message-----
From: Willy Tarreau <w@1wt.eu>
Sent: Tuesday, February 10, 2026 9:02 AM
To: ZDI Disclosures Mailbox <zdi-disclosures@trendmicro.com>
Cc: ofono@lists.linux.dev; secalert@redhat.com; security@kernel.org
Subject: Re: ZDI-CAN-29089: New Vulnerability Report
Hello,
On Tue, Feb 10, 2026 at 04:54:46PM +0000, zdi-disclosures@trendmicro.com wrote:
> ZDI-CAN-29089: oFono MBIM SMS Handling Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability
>
> -- CVSS -----------------------------------------
>
> 6.8: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
> -- ABSTRACT -------------------------------------
>
> Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
> oFono - oFono
>
> -- VULNERABILITY DETAILS ------------------------
> * Version tested:20.0.3
> * Installer file:agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
> * Platform tested:Raspberry Pi
(...)
Please note that none of these 3 reports concern code in the Linux
kernel, so security@kernel.org can be dropped from future exchanges.
Thanks,
Willy
* Re: ZDI-CAN-29089: New Vulnerability Report
From: Sicelo @ 2026-03-12 20:13 UTC (permalink / raw)
To: zdi-disclosures@trendmicro.com
Cc: Willy Tarreau, ofono@lists.linux.dev, secalert@redhat.com,
ivo.g.dimitrov.75, maemo-leste
Hi
Community members will work on these. As with any other open-source
project, patches welcome.
Best Regards
On Thu, Mar 12, 2026 at 07:13:20PM +0000, zdi-disclosures@trendmicro.com wrote:
> Hello Willy,
>
> Noted thank you!
>
> Any updates on this issue?
>
> Thanks,
> ZDI
>
> -----Original Message-----
> From: Willy Tarreau <w@1wt.eu>
> Sent: Tuesday, February 10, 2026 9:02 AM
> To: ZDI Disclosures Mailbox <zdi-disclosures@trendmicro.com>
> Cc: ofono@lists.linux.dev; secalert@redhat.com; security@kernel.org
> Subject: Re: ZDI-CAN-29089: New Vulnerability Report
>
> Hello,
>
> On Tue, Feb 10, 2026 at 04:54:46PM +0000, zdi-disclosures@trendmicro.com wrote:
> > ZDI-CAN-29089: oFono MBIM SMS Handling Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability
> >
> > -- CVSS -----------------------------------------
> >
> > 6.8: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
> >
> > -- ABSTRACT -------------------------------------
> >
> > Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
> > oFono - oFono
> >
> > -- VULNERABILITY DETAILS ------------------------
> > * Version tested:20.0.3
> > * Installer file:agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
> > * Platform tested:Raspberry Pi
> (...)
>
> Please note that none of these 3 reports concern code in the Linux
> kernel, so security@kernel.org can be dropped from future exchanges.
>
> Thanks,
> Willy
>
>
* Re: ZDI-CAN-29089: New Vulnerability Report
From: Morgan Hughes @ 2026-03-12 20:32 UTC (permalink / raw)
To: Sicelo, zdi-disclosures@trendmicro.com
Cc: Willy Tarreau, ofono@lists.linux.dev, secalert@redhat.com,
ivo.g.dimitrov.75, maemo-leste
[-- Attachment #1.1: Type: text/plain, Size: 2259 bytes --]
On 2026-03-12 13:13, Sicelo wrote:
> Community members will work on these. As with any other open-source
> projects, patches welcome.
This looks a lot like a problem I encountered on a buggy modem in October and submitted a
patch for. I've re-attached the patch here, perhaps it was missed because I didn't submit
it using git?
Morgan Hughes
>
>
>
> On Thu, Mar 12, 2026 at 07:13:20PM +0000, zdi-disclosures@trendmicro.com wrote:
>> Hello Willy,
>>
>> Noted thank you!
>>
>> Any updates on this issue?
>>
>> Thanks,
>> ZDI
>>
>> -----Original Message-----
>> From: Willy Tarreau <w@1wt.eu>
>> Sent: Tuesday, February 10, 2026 9:02 AM
>> To: ZDI Disclosures Mailbox <zdi-disclosures@trendmicro.com>
>> Cc: ofono@lists.linux.dev; secalert@redhat.com; security@kernel.org
>> Subject: Re: ZDI-CAN-29089: New Vulnerability Report
>>
>> Hello,
>>
>> On Tue, Feb 10, 2026 at 04:54:46PM +0000, zdi-disclosures@trendmicro.com wrote:
>>> ZDI-CAN-29089: oFono MBIM SMS Handling Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability
>>>
>>> -- CVSS -----------------------------------------
>>>
>>> 6.8: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>>>
>>> -- ABSTRACT -------------------------------------
>>>
>>> Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
>>> oFono - oFono
>>>
>>> -- VULNERABILITY DETAILS ------------------------
>>> * Version tested:20.0.3
>>> * Installer file: agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
>>> * Platform tested:Raspberry Pi
>> (...)
>>
>> Please note that none of these 3 reports concern code in the Linux
>> kernel, so security@kernel.org can be dropped from future exchanges.
>>
>> Thanks,
>> Willy
>>
>>
[-- Attachment #1.2: Type: text/html, Size: 3770 bytes --]
[-- Attachment #2: mbim-header-validate.patch --]
[-- Type: text/x-patch, Size: 899 bytes --]
diff --git a/drivers/mbimmodem/mbim.c b/drivers/mbimmodem/mbim.c
index c405761d..4322f5ad 100644
--- a/drivers/mbimmodem/mbim.c
+++ b/drivers/mbimmodem/mbim.c
@@ -18,6 +18,7 @@
#include <linux/types.h>
#include <ell/ell.h>
+#include <ell/useful.h>
#include "mbim.h"
#include "mbim-message.h"
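Review bot: the only consumer of the new `#include <ell/useful.h>` is the `unlikely()` wrapper in the second hunk. `useful.h` is one of ell's internal helper headers rather than part of the installed `<ell/ell.h>` API, so confirm it is actually shipped by the ell version oFono builds against; if it is not, drop the include and use a plain `if`, which costs nothing on an error path that runs once per bad header.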
@@ -613,6 +614,15 @@ static bool command_read_handler(struct l_io *io, void *user_data)
hdr = (struct mbim_message_header *) device->header;
type = L_LE32_TO_CPU(hdr->type);
+ if (unlikely(hdr->len > MAX_CONTROL_TRANSFER)) {
+ char *hex = l_util_hexstring(device->header,
+ sizeof(struct mbim_message_header));
+ l_warn("MBIM: skip implausible hdr %s: len 0x%x type 0x%x", hex,
+ L_LE32_TO_CPU(hdr->len), L_LE32_TO_CPU(hdr->type));
+ l_free(hex);
+ return false;
+ }
+
if (device->segment_bytes_remaining == 0)
device->segment_bytes_remaining =
L_LE32_TO_CPU(hdr->len) -
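Review bot: the new guard compares the raw wire field (`hdr->len > MAX_CONTROL_TRANSFER`) while the warning it logs converts the same field with `L_LE32_TO_CPU(hdr->len)`; compare the converted value so the check also holds on big-endian hosts. The bound is also incomplete in both directions: a length below `sizeof(struct mbim_message_header)` still wraps the subtraction into `segment_bytes_remaining` in the context lines that follow, and 4096 is the cap on control transfers rather than the size of `device->segment`, which is allocated from the descriptor-derived `max_segment_size` and can be smaller. Something like `uint32_t len = L_LE32_TO_CPU(hdr->len); if (len < sizeof(*hdr) || len > device->max_segment_size)` closes both gaps. Finally, `return false` tears down the read watch for the whole device; failing closed on a malformed header is defensible, but the attachment carries no commit message, so please state that choice when resubmitting via git.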