bt: host: Fix possible buffer overflow

Check in bt_conn_le_start_encryption if the given
ltk fits in bt_conn.ltk before copying it.

Signed-off-by: Flavio Ceolin <[email protected]>
(cherry picked from commit fbd56fd)

Author: Flavio Ceolin

subsys/bluetooth/host/conn.c

@@ -2159,6 +2159,10 @@ int bt_conn_le_start_encryption(struct bt_conn *conn, uint8_t rand[8],
 	struct bt_hci_cp_le_start_encryption *cp;
 	struct net_buf *buf;
 
+	if (len > sizeof(cp->ltk)) {
+		return -EINVAL;
+	}
+
 	buf = bt_hci_cmd_create(BT_HCI_OP_LE_START_ENCRYPTION, sizeof(*cp));
 	if (!buf) {
 		return -ENOBUFS;