Bluetooth: Classic: Add length check in bluetooth classic

Added length checks for user input in `sdp_client_receive` and
`l2cap_br_info_rsp`.

Signed-off-by: Eunkyu Lee <[email protected]>
(cherry picked from commit 8888125)

Author: ekleezg

subsys/bluetooth/host/l2cap_br.c

@@ -392,6 +392,11 @@ static int l2cap_br_info_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
 
 	switch (type) {
 	case BT_L2CAP_INFO_FEAT_MASK:
+		if (buf->len < sizeof(uint32_t)) {
+			LOG_ERR("Invalid remote info feat mask");
+			err = -EINVAL;
+			break;
+		}
 		l2cap->info_feat_mask = net_buf_pull_le32(buf);
 		LOG_DBG("remote info mask 0x%08x", l2cap->info_feat_mask);
 
@@ -402,6 +407,11 @@ static int l2cap_br_info_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
 		l2cap_br_get_info(l2cap, BT_L2CAP_INFO_FIXED_CHAN);
 		return 0;
 	case BT_L2CAP_INFO_FIXED_CHAN:
+		if (buf->len < sizeof(uint8_t)) {
+			LOG_ERR("Invalid remote info fixed chan");
+			err = -EINVAL;
+			break;
+		}
 		l2cap->info_fixed_chan = net_buf_pull_u8(buf);
 		LOG_DBG("remote fixed channel mask 0x%02x", l2cap->info_fixed_chan);
 

subsys/bluetooth/host/sdp.c

@@ -1750,6 +1750,11 @@ static int sdp_client_receive(struct bt_l2cap_chan *chan, struct net_buf *buf)
 
 	switch (hdr->op_code) {
 	case BT_SDP_SVC_SEARCH_ATTR_RSP:
+		/* Check the buffer len for the length field */
+		if (buf->len < sizeof(uint16_t)) {
+			LOG_ERR("Invalid frame payload length");
+			return 0;
+		}
 		/* Get number of attributes in this frame. */
 		frame_len = net_buf_pull_be16(buf);
 		/* Check valid buf len for attribute list and cont state */