Bluetooth: OTS: Add len validation in olcp_ind_handler

Verify the length of the indication before we pull from the
buffer.

Signed-off-by: Emil Gydesen <[email protected]>
(cherry picked from commit 044f8aa)

Author: Thalley

subsys/bluetooth/services/ots/ots_client.c

@@ -297,13 +297,24 @@ static void olcp_ind_handler(struct bt_conn *conn,
 	enum bt_gatt_ots_olcp_proc_type op_code;
 	struct net_buf_simple net_buf;
 
+	if (length < sizeof(op_code)) {
+		LOG_DBG("Invalid indication length: %u", length);
+		return;
+	}
+
 	net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 
 	op_code = net_buf_simple_pull_u8(&net_buf);
 
 	LOG_DBG("OLCP indication");
 
 	if (op_code == BT_GATT_OTS_OLCP_PROC_RESP) {
+		if (net_buf.len < (sizeof(uint8_t) + sizeof(uint8_t))) {
+			LOG_DBG("Invalid indication length for op_code %u: %u", op_code,
+				net_buf.len);
+			return;
+		}
+
 		enum bt_gatt_ots_olcp_proc_type req_opcode =
 			net_buf_simple_pull_u8(&net_buf);
 		enum bt_gatt_ots_olcp_res_code result_code =
@@ -366,6 +377,11 @@ static void oacp_ind_handler(struct bt_conn *conn,
 	uint32_t checksum;
 	struct net_buf_simple net_buf;
 
+	if (length < sizeof(op_code)) {
+		LOG_DBG("Invalid indication length: %u", length);
+		return;
+	}
+
 	net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 
 	op_code = net_buf_simple_pull_u8(&net_buf);