--- hw/usb.h.orig	2010-05-09 07:05:19.000000000 -0400
+++ hw/usb.h	2010-06-30 20:04:38.214593011 -0400
@@ -113,6 +113,11 @@
 #define USB_DT_INTERFACE		0x04
 #define USB_DT_ENDPOINT			0x05
 
+#define USB_DT_DEVICE_LEN		18
+#define USB_DT_CONFIG_LEN		9
+#define USB_DT_INTERFACE_LEN		9
+#define USB_DT_ENDPOINT_LEN		7
+
 #define USB_ENDPOINT_XFER_CONTROL	0
 #define USB_ENDPOINT_XFER_ISOC		1
 #define USB_ENDPOINT_XFER_BULK		2
--- usb-linux.c.orig	2010-05-09 07:05:19.000000000 -0400
+++ usb-linux.c	2010-06-30 20:40:25.398072273 -0400
@@ -286,7 +286,7 @@
 
 static int usb_host_claim_interfaces(USBHostDevice *dev, int configuration)
 {
-    int dev_descr_len, config_descr_len;
+    int dev_descr_len, config_descr_total_len;
     int interface, nb_interfaces, nb_configurations;
     int ret, i;
 
@@ -295,31 +295,39 @@
 
     dprintf("husb: claiming interfaces. config %d\n", configuration);
 
-    i = 0;
     dev_descr_len = dev->descr[0];
-    if (dev_descr_len > dev->descr_len)
+    if (dev_descr_len == 0x18 && dev->descr[ 8] == 0x47 && dev->descr[ 9] == 0x46
+                              && dev->descr[10] == 0x00 && dev->descr[11] == 0x30)
+        dev_descr_len = USB_DT_DEVICE_LEN; /* for buggy MX-950 remote reporting len in hex */
+
+    if (dev_descr_len > dev->descr_len || dev_descr_len < USB_DT_DEVICE_LEN || dev->descr[1] != USB_DT_DEVICE) {
+        fprintf(stderr, "husb: invalid device descriptor\n");
         goto fail;
+    }
     nb_configurations = dev->descr[17];
 
-    i += dev_descr_len;
-    while (i < dev->descr_len) {
+    for (i = dev_descr_len; i < dev->descr_len; ) {
         dprintf("husb: i is %d, descr_len is %d, dl %d, dt %d\n", i, dev->descr_len,
                dev->descr[i], dev->descr[i+1]);
 
-        if (dev->descr[i+1] != USB_DT_CONFIG) {
-            i += dev->descr[i];
-            continue;
+        if (dev->descr[i] < 2) {
+            fprintf(stderr, "husb: invalid descriptor\n");
+            goto fail;
         }
-        config_descr_len = dev->descr[i];
+        if (dev->descr[i+1] == USB_DT_CONFIG) {
+            config_descr_total_len = dev->descr[i+2] + (dev->descr[i+3] << 8);
 
-	printf("husb: config #%d need %d\n", dev->descr[i + 5], configuration); 
+            printf("husb: config #%d need %d\n", dev->descr[i + 5], configuration); 
 
-        if (configuration < 0 || configuration == dev->descr[i + 5]) {
-            configuration = dev->descr[i + 5];
-            break;
-        }
+            if (configuration < 0 || configuration == dev->descr[i + 5]) {
+                configuration = dev->descr[i + 5];
+                break;
+            }
 
-        i += config_descr_len;
+            i += config_descr_total_len;
+        }
+        else
+            i += dev->descr[i];
     }
 
     if (i >= dev->descr_len) {