From 09f9100ce7dcd7ddbe16adfbc91c355017783630 Mon Sep 17 00:00:00 2001
From: hackerman-kl <hackerman-kl@kebag-logic.com>
Date: Sun, 19 Apr 2026 07:39:03 +0200
Subject: [PATCH] milan-avb: validate packet length before dereferencing
 SET_CONTROL value byte

---
 .../module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c     | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c b/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
index 7891782ff..d24a15629 100644
--- a/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
+++ b/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-control.c
@@ -150,6 +150,11 @@ static int handle_cmd_set_control_identify(struct aecp *aecp, struct descriptor
 	old_value_format = desc_formats;
 	value_req = (uint8_t *)control->payload;
 
+	if (len < 0 || (size_t)len < sizeof(*h) + sizeof(*p) +
+			sizeof(*control) + CONTROL_LINEAR_UINT8_SIZE)
+		return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS,
+			m, len);
+
 	if (*value_req == desc_formats->current_value) {
 		return reply_success(aecp, m, len);
 	}