Bluetooth: AVRCP: Return INVALID_COMMAND when PDU ID is invalid

Added a check in the vendor dependent handler to ensure the PDU ID
matches supported command handlers. If the PDU ID or command type
is invalid, respond with BT_AVRCP_STATUS_INVALID_COMMAND.

Signed-off-by: Make Shi <[email protected]>

Author: makeshi

subsys/bluetooth/host/classic/avrcp.c

@@ -1739,19 +1739,24 @@ static int handle_vendor_pdu(struct bt_avrcp *avrcp, uint8_t tid, struct net_buf
 			     uint8_t ctype, uint8_t pdu_id,
 			     const struct avrcp_pdu_vendor_handler *handlers, size_t num_handlers)
 {
+	size_t min_len;
+
 	for (size_t i = 0; i < num_handlers; i++) {
 		const struct avrcp_pdu_vendor_handler *handler = &handlers[i];
 
 		if (handler->pdu_id != pdu_id) {
 			continue;
 		}
 
+		if (handlers != rsp_vendor_handlers && ctype != handler->cmd_type) {
+			LOG_ERR("Invalid ctype 0x%02x for pdu_id 0x%02x", ctype, pdu_id);
+			return BT_AVRCP_STATUS_INVALID_COMMAND;
+		}
+
 		/** For REJECTED responses, only need 1 byte for error code.
 		 *  For NOT_IMPLEMENTED and IN_TRANSITION, no additional data is needed.
 		 *  For other responses, use the handler's minimum length requirement.
 		 */
-		size_t min_len;
-
 		if (ctype == BT_AVRCP_RSP_REJECTED) {
 			min_len = sizeof(uint8_t);
 		} else if (ctype == BT_AVRCP_RSP_NOT_IMPLEMENTED ||
@@ -2383,11 +2388,6 @@ static void avrcp_vendor_dependent_cmd_handler(struct bt_avrcp *avrcp, uint8_t t
 		goto err_rsp;
 	}
 
-	if (ctype_or_rsp !=  get_cmd_type_by_pdu(pdu->pdu_id)) {
-		LOG_ERR("Invalid ctype 0x%02x for pdu_id 0x%02x", ctype_or_rsp, pdu->pdu_id);
-		error_code = BT_AVRCP_STATUS_INVALID_COMMAND;
-		goto err_rsp;
-	}
 
 	error_code = handle_vendor_pdu(avrcp, tid, buf, ctype_or_rsp, pdu->pdu_id,
 				       cmd_vendor_handlers, ARRAY_SIZE(cmd_vendor_handlers));