Bluetooth: controller: Fix HCI ISO header RFU bit masking

Mask out RFU bits in HCI ISO header to prevent set RFU bits leaking into
length values.

Signed-off-by: Morten Priess <mtpr@oticon.com>

include/zephyr/bluetooth/hci_types.h

@@ -84,13 +84,13 @@ struct bt_hci_acl_hdr {
 #define BT_ISO_DATA_INVALID              0x01
 #define BT_ISO_DATA_NOP                  0x02
 
-#define bt_iso_pkt_len(h)                ((h) & 0x3fff)
+#define bt_iso_pkt_len(h)                ((h) & BIT_MASK(12))
 #define bt_iso_pkt_flags(h)              ((h) >> 14)
-#define bt_iso_pkt_len_pack(h, f)        ((h) | ((f) << 14))
+#define bt_iso_pkt_len_pack(h, f)        (((h) & BIT_MASK(12)) | ((f) << 14))
 
 struct bt_hci_iso_data_hdr {
 	uint16_t sn;
-	uint16_t slen;
+	uint16_t slen; /* 12 bit len, 2 bit RFU, 2 bit packet status */
 } __packed;
 #define BT_HCI_ISO_DATA_HDR_SIZE	4
 

subsys/bluetooth/controller/hci/hci.c

@@ -5666,7 +5666,7 @@ int hci_iso_handle(struct net_buf *buf, struct net_buf **evt)
 
 	iso_hdr = net_buf_pull_mem(buf, sizeof(*iso_hdr));
 	handle = sys_le16_to_cpu(iso_hdr->handle);
-	len = sys_le16_to_cpu(iso_hdr->len);
+	len = bt_iso_hdr_len(sys_le16_to_cpu(iso_hdr->len));
 
 	if (buf->len < len) {
 		LOG_ERR("Invalid HCI ISO packet length");
@@ -5706,7 +5706,8 @@ int hci_iso_handle(struct net_buf *buf, struct net_buf **evt)
 		iso_data_hdr = net_buf_pull_mem(buf, sizeof(*iso_data_hdr));
 		len -= sizeof(*iso_data_hdr);
 		sdu_frag_tx.packet_sn = sys_le16_to_cpu(iso_data_hdr->sn);
-		sdu_frag_tx.iso_sdu_length = sys_le16_to_cpu(iso_data_hdr->slen);
+		sdu_frag_tx.iso_sdu_length =
+			sys_le16_to_cpu(bt_iso_pkt_len(iso_data_hdr->slen));
 	} else {
 		sdu_frag_tx.packet_sn = 0;
 		sdu_frag_tx.iso_sdu_length = 0;