From 2a1bcc29199472da8d8134647ad231a480bb9d2d Mon Sep 17 00:00:00 2001
From: Lyle Zhu
Date: Mon, 28 Apr 2025 20:04:05 +0800
Subject: [PATCH] Bluetooth: Classic: L2CAP: Fix issue is received data len less than 2

If the received data length is less than 2 in none basic mode, the L2CAP channel connection will be dropped. Only check the received data length if the `SAR` is `BT_L2CAP_CONTROL_SAR_START`.

Signed-off-by: Lyle Zhu
---
 subsys/bluetooth/host/classic/l2cap_br.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/subsys/bluetooth/host/classic/l2cap_br.c b/subsys/bluetooth/host/classic/l2cap_br.c
index 7680b715812..942fe40a0a6 100644
--- a/subsys/bluetooth/host/classic/l2cap_br.c
+++ b/subsys/bluetooth/host/classic/l2cap_br.c
@@ -5767,17 +5767,15 @@ static void bt_l2cap_br_ret_fc_i_recv(struct bt_l2cap_br_chan *br_chan, struct n
 
 valid_frame:
 switch (sar) {
- case BT_L2CAP_CONTROL_SAR_UNSEG:
- __fallthrough;
 case BT_L2CAP_CONTROL_SAR_START:
 if (buf->len < 2) {
- LOG_WRN("Invalid SDU length");
+ LOG_WRN("Too short data packet");
 bt_l2cap_chan_disconnect(&br_chan->chan);
 return;
 }
 break;
+ case BT_L2CAP_CONTROL_SAR_UNSEG:
 case BT_L2CAP_CONTROL_SAR_END:
- __fallthrough;
 case BT_L2CAP_CONTROL_SAR_CONTI:
 break;
 }
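Review bot: With `BT_L2CAP_CONTROL_SAR_UNSEG` moved into the unchecked group, an I-frame whose payload is empty or one byte long now passes this switch, so the code after it in bt_l2cap_br_ret_fc_i_recv (outside the hunk) must tolerate `buf->len == 0` for UNSEG, END and CONTI frames; that should be confirmed, since the length is controlled by the remote peer. The remaining `buf->len < 2` test presumably guards the two-byte SDU length field that only a start frame carries. A comment on that case, such as `/* A start frame begins with the 2-byte SDU length field */`, would stop a later reader from re-adding the check for UNSEG. The new message could also name the frame type, for example `LOG_WRN("Start frame too short for SDU length");`, so the forced disconnect can be diagnosed from the log.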