From 8113ff7e9c66ed212be90b2b299ffcebb8d4e173 Mon Sep 17 00:00:00 2001
From: Lyle Zhu
Date: Wed, 4 Sep 2024 09:38:48 +0800
Subject: [PATCH] bluetooth: AVDTP: Check buffer len before pulling data

Check the remaining buffer length is not less than required data length before pulling data from the buffer.

Signed-off-by: Lyle Zhu
---
 subsys/bluetooth/host/classic/avdtp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/subsys/bluetooth/host/classic/avdtp.c b/subsys/bluetooth/host/classic/avdtp.c
index e969d1f7696..c036d00f5e7 100644
--- a/subsys/bluetooth/host/classic/avdtp.c
+++ b/subsys/bluetooth/host/classic/avdtp.c
@@ -919,6 +919,11 @@ int bt_avdtp_l2cap_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
 struct net_buf *rsp_buf;
 int err;

+ if (buf->len < sizeof(sigid)) {
+ LOG_ERR("Invalid AVDTP Header");
+ return 0;
+ }
+
 sigid = net_buf_pull_u8(buf);
 rsp_buf = avdtp_create_reply_pdu(BT_AVDTP_REJECT,
 BT_AVDTP_PACKET_TYPE_SINGLE,
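Review bot: The added guard logs "Invalid AVDTP Header" when what is missing is the signal-identifier byte, so a truncated PDU from the peer cannot be told apart in the log from any other header failure in bt_avdtp_l2cap_recv. The function body starts before this hunk and continues after it. I would name the field and report the length, e.g. `LOG_ERR("AVDTP PDU too short for signal id (len %u)", buf->len);`. Because buf->len is controlled by the remote device, a one-line comment such as `/* Peer-controlled length: drop a truncated PDU before net_buf_pull_u8() */` would record why the check exists. The handlers that consume the rest of buf are not shown here, so it is worth confirming that each of them checks the remaining length before its own pulls.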