diff --git a/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c b/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c index 666806675c3350..8d7a0c4e773906 100644 --- a/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c +++ b/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c @@ -1267,6 +1267,7 @@ static inline int isr_rx_pdu(struct lll_scan *lll, struct pdu_adv *pdu_adv_rx, /* Active scanner */ } else if (((pdu_adv_rx->type == PDU_ADV_TYPE_ADV_IND) || (pdu_adv_rx->type == PDU_ADV_TYPE_SCAN_IND)) && + (pdu_adv_rx->len >= offsetof(struct pdu_adv_adv_ind, data)) && (pdu_adv_rx->len <= sizeof(struct pdu_adv_adv_ind)) && lll->type && !lll->state && #if defined(CONFIG_BT_CENTRAL) @@ -1359,6 +1360,7 @@ static inline int isr_rx_pdu(struct lll_scan *lll, struct pdu_adv *pdu_adv_rx, else if (((((pdu_adv_rx->type == PDU_ADV_TYPE_ADV_IND) || (pdu_adv_rx->type == PDU_ADV_TYPE_NONCONN_IND) || (pdu_adv_rx->type == PDU_ADV_TYPE_SCAN_IND)) && + (pdu_adv_rx->len >= offsetof(struct pdu_adv_adv_ind, data)) && (pdu_adv_rx->len <= sizeof(struct pdu_adv_adv_ind))) || ((pdu_adv_rx->type == PDU_ADV_TYPE_DIRECT_IND) && (pdu_adv_rx->len == sizeof(struct pdu_adv_direct_ind)) && @@ -1373,6 +1375,7 @@ static inline int isr_rx_pdu(struct lll_scan *lll, struct pdu_adv *pdu_adv_rx, &dir_report)) || #endif /* CONFIG_BT_CTLR_ADV_EXT */ ((pdu_adv_rx->type == PDU_ADV_TYPE_SCAN_RSP) && + (pdu_adv_rx->len >= offsetof(struct pdu_adv_scan_rsp, data)) && (pdu_adv_rx->len <= sizeof(struct pdu_adv_scan_rsp)) && (lll->state != 0U) && isr_scan_rsp_adva_matches(pdu_adv_rx))) && @@ -1423,6 +1426,7 @@ static inline bool isr_scan_init_check(const struct lll_scan *lll, lll_scan_adva_check(lll, pdu->tx_addr, pdu->adv_ind.addr, rl_idx)) && (((pdu->type == PDU_ADV_TYPE_ADV_IND) && + (pdu->len >= offsetof(struct pdu_adv_adv_ind, data)) && (pdu->len <= sizeof(struct pdu_adv_adv_ind))) || ((pdu->type == PDU_ADV_TYPE_DIRECT_IND) && (pdu->len == sizeof(struct pdu_adv_direct_ind)) &&