avb: check packet sizes

Clamp packet len to the buffer size.

Reject packets with invalid data_len.

src/modules/module-avb/acmp-cmds-resps/acmp-milan-v12.c

@@ -154,8 +154,8 @@ static struct acmp_lt_timers *acmp_lt_add_timer_milan_v12(struct acmp_milan_v12
 	if (tmr == NULL)
 		return NULL;
 	if (m) {
-		memcpy(tmr->saved_packet, m, len);
-		tmr->saved_packet_len = len;
+		tmr->saved_packet_len = SPA_MIN(len, sizeof(tmr->saved_packet));
+		memcpy(tmr->saved_packet, m, tmr->saved_packet_len);
 	}
 
 	tmr->timeout = timeout;

src/modules/module-avb/adp.c

@@ -153,8 +153,8 @@ static int adp_message(void *data, uint64_t now, const void *message, int len)
 			if (e == NULL)
 				return -errno;
 
-			memcpy(e->buf, message, len);
-			e->len = len;
+			e->len = SPA_MIN((size_t)len, sizeof(e->buf));
+			memcpy(e->buf, message, e->len);
 			e->valid_time = AVB_PACKET_ADP_GET_VALID_TIME(p);
 			e->entity_id = entity_id;
 			spa_list_append(&adp->entities, &e->link);
@@ -199,7 +199,8 @@ static int adp_message(void *data, uint64_t now, const void *message, int len)
 					}
 				}
 
-				memcpy(e->buf, message, len);
+				e->len = SPA_MIN((size_t)len, sizeof(e->buf));
+				memcpy(e->buf, message, e->len);
 			}
 		}
 		e->last_time = now;

src/modules/module-avb/stream.c

@@ -760,6 +760,8 @@ static void handle_aaf_packet(struct stream *stream,
 
 	filled = spa_ringbuffer_get_write_index(&stream->ring, &index);
 	n_bytes = ntohs(p->data_len);
+	if (n_bytes > (uint32_t)(len - (int)sizeof(*p)))
+		return;
 
 	/* IEEE 1722.1 Section 7.4.42 / Milan Section 5.4.5.3: FRAMES_RX counts every valid
 	 * AVTPDU received on the wire — independent of whether the listener