diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
index e4c4c2a3a..1c57cfdf1 100644
--- a/channels/urbdrc/client/data_transfer.c
+++ b/channels/urbdrc/client/data_transfer.c
@@ -327,6 +327,9 @@ static UINT urbdrc_process_internal_io_control(IUDEVICE* pdev, GENERIC_CHANNEL_C
 if (!pdev || !callback || !s || !udevman)
 return ERROR_INVALID_PARAMETER;
+ URBDRC_PLUGIN* urbdrc = (URBDRC_PLUGIN*)callback->plugin;
+ WINPR_ASSERT(urbdrc);
+
 if (!Stream_CheckAndLogRequiredLength(TAG, s, 8))
 return ERROR_INVALID_DATA;
@@ -343,6 +346,13 @@ static UINT urbdrc_process_internal_io_control(IUDEVICE* pdev, GENERIC_CHANNEL_C
 // TODO: Implement control code.
 /** Fixme: Currently this is a FALSE bustime... */
 frames = GetTickCount();
+
+ if (4 > OutputBufferSize)
+ {
+ WLog_Print(urbdrc->log, WLOG_DEBUG, "out_size %" PRIu32 " > OutputBufferSize %" PRIu32, 4,
+ OutputBufferSize);
+ return ERROR_BAD_CONFIGURATION;
+ }
 out = urb_create_iocompletion(InterfaceId, MessageId, RequestId, 4);
 if (!out)
@@ -593,6 +603,14 @@ static UINT urb_select_interface(IUDEVICE* pdev, GENERIC_CHANNEL_CALLBACK* callb
 MsInterface = MsConfig->MsInterfaces[InterfaceNumber];
 interface_size = 16 + (MsInterface->NumberOfPipes * 20);
 out_size = 36 + interface_size;
+ if (out_size > OutputBufferSize)
+ {
+ WLog_Print(urbdrc->log, WLOG_DEBUG, "out_size %" PRIu32 " > OutputBufferSize %" PRIu32,
+ out_size, OutputBufferSize);
+ msusb_msconfig_free(MsConfig);
+ return ERROR_BAD_CONFIGURATION;
+ }
+
 out = Stream_New(NULL, out_size);
 if (!out)
@@ -1282,6 +1300,12 @@ static UINT urb_pipe_request(IUDEVICE* pdev, GENERIC_CHANNEL_CALLBACK* callback,
 /** send data */
 out_size = 36;
+ if (out_size > OutputBufferSize)
+ {
+ WLog_Print(urbdrc->log, WLOG_DEBUG, "out_size %" PRIu32 " > OutputBufferSize %" PRIu32,
+ out_size, OutputBufferSize);
+ return ERROR_BAD_CONFIGURATION;
+ }
 out = Stream_New(NULL, out_size);
 if (!out)
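Review bot: The rejection added to urbdrc_process_internal_io_control is logged at `WLOG_DEBUG`, so at default log levels a peer that sends an OutputBufferSize too small for the reply is turned away without a visible trace; the identical guards added in urb_select_interface, urb_pipe_request and urb_get_current_frame_number share this. The InterfaceId check this commit adds to urbdrc_main.c reports a comparable malformed request with `WLog_ERR`, and a matching level here, e.g. `WLog_Print(urbdrc->log, WLOG_WARN, ...)`, would make these events usable for detection. In this hunk the literal `4` is also passed to a `PRIu32` conversion and repeated in the `urb_create_iocompletion` call; a local `const UINT32 out_size = 4;` would keep the check, the message and the allocation in step. The function body continues outside the hunk.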
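Review bot: In urb_select_interface the new comparison trusts an out_size that the context lines compute as `36 + 16 + (MsInterface->NumberOfPipes * 20)`. If NumberOfPipes is a 32-bit value taken from the request without an upper bound (its type and parsing are outside the hunk, so this needs confirming), the arithmetic can wrap and a small out_size would pass the check. Bounding the count before the multiplication, for example `if (MsInterface->NumberOfPipes > (UINT32_MAX - 52) / 20)` with the same `msusb_msconfig_free(MsConfig);` and error return, would make the guard hold for every input.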
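Review bot: In urb_pipe_request the size check sits under the `/** send data */` comment, which suggests the pipe operation named in the request has already been carried out by the time the request is rejected; the earlier part of the function is outside the hunk, so this should be confirmed. If that is the case, device state changes while the server receives no completion. Because out_size is the constant 36 here, the same block could run as `if (36 > OutputBufferSize)` immediately after OutputBufferSize is read from the stream, before any device call.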
@@ -1327,6 +1351,14 @@ static UINT urb_get_current_frame_number(IUDEVICE* pdev, GENERIC_CHANNEL_CALLBAC
 /** Fixme: Need to fill actual frame number!!*/
 dummy_frames = GetTickCount();
 out_size = 40;
+
+ if (out_size > OutputBufferSize)
+ {
+ WLog_Print(urbdrc->log, WLOG_DEBUG, "out_size %" PRIu32 " > OutputBufferSize %" PRIu32,
+ out_size, OutputBufferSize);
+ return ERROR_BAD_CONFIGURATION;
+ }
+
 out = Stream_New(NULL, out_size);
 if (!out)
diff --git a/channels/urbdrc/client/urbdrc_main.c b/channels/urbdrc/client/urbdrc_main.c
index 3f83934e2..68451a01a 100644
--- a/channels/urbdrc/client/urbdrc_main.c
+++ b/channels/urbdrc/client/urbdrc_main.c
@@ -403,6 +403,15 @@ static UINT urbdrc_exchange_capabilities(GENERIC_CHANNEL_CALLBACK* callback, wSt
 switch (FunctionId)
 {
 case RIM_EXCHANGE_CAPABILITY_REQUEST:
+ if (InterfaceId != 0)
+ {
+ WLog_ERR(
+ TAG,
+ "[MS-RDPEUSB] 2.2.3.1 Interface Manipulation Exchange Capabilities Request "
+ "(RIM_EXCHANGE_CAPABILITY_REQUEST))::InterfaceId expected 0, got %" PRIu32,
+ InterfaceId);
+ return ERROR_INVALID_DATA;
+ }
 error = urbdrc_process_capability_request(callback, data, MessageId);
 break;
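Review bot: The guard added to urb_get_current_frame_number is the fourth copy of the same compare, log and return block in data_transfer.c (the others are in urbdrc_process_internal_io_control, urb_select_interface and urb_pipe_request), which makes it easy for a later reply path to omit it or for the copies to drift apart. A small static helper that takes `urbdrc`, `out_size` and `OutputBufferSize`, logs the mismatch and returns a BOOL would reduce each site to `if (!urb_check_output_size(urbdrc, out_size, OutputBufferSize)) return ERROR_BAD_CONFIGURATION;` (the helper name is only a suggestion). urb_select_interface would keep its `msusb_msconfig_free(MsConfig);` inside that branch.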
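Review bot: The new error message in urbdrc_exchange_capabilities has an unbalanced closing parenthesis, `(RIM_EXCHANGE_CAPABILITY_REQUEST))::InterfaceId`, which makes the log line harder to search for and to match against the spec section it cites. The second string fragment should read `"(RIM_EXCHANGE_CAPABILITY_REQUEST)::InterfaceId expected 0, got %" PRIu32,`. The switch continues outside the hunk, so whether the other FunctionId cases need a similar InterfaceId validation cannot be judged from the visible lines.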