security: validate packet length in AVB AECP AEM command handlers

Memory Safety: High

Multiple AVB AECP AEM command handler functions copied network packet
data into stack buffers via memcpy(buf, m, len) without validating
that len fits within the destination buffer. A crafted AVB packet with
an oversized length could overflow the stack buffer.

Added bounds validation before each memcpy in:
- cmd-available.c: handle_cmd_entity_available_milan_v12
- cmd-get-set-configuration.c: set and get configuration handlers
- cmd-get-set-sampling-rate.c: unsolicited, invalid response, and get handlers
- cmd-get-set-stream-format.c: get and set stream format handlers
- cmd-lock-entity.c: handle_cmd_lock_entity_milan_v12

This matches the bounds checking pattern already used in
cmd-get-set-control.c, cmd-get-set-clock-source.c, and
cmd-get-set-name.c.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-27 11:35:41 +02:00
parent 0bd9a4d033
commit 710414730d
5 changed files with 34 additions and 0 deletions

@ -87,6 +87,10 @@ int handle_cmd_set_configuration_milan_v12(struct aecp *aecp, int64_t now,
return reply_status(aecp,
AVB_AECP_AEM_STATUS_NO_SUCH_DESCRIPTOR, p, len);
if (len < 0 || (size_t)len > sizeof(buf))
return reply_status(aecp,
AVB_AECP_AEM_STATUS_BAD_ARGUMENTS, p, len);
// TODO maybe avoid copy here
memcpy(buf, m, len);
h_reply = (struct avb_ethernet_header *)buf;
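Review bot: the new `len` check in handle_cmd_set_configuration_milan_v12 sits after the NO_SUCH_DESCRIPTOR return, so the descriptor lookup above it has already run on a packet whose length was not yet validated; hoisting `if (len < 0 || (size_t)len > sizeof(buf))` to the top of the handler, or into a small shared helper since the same three lines are now repeated across handlers, would reject oversized input before any field is read from `m`. The `// TODO maybe avoid copy here` comment also survives the change; if the copy is staying for now, either resolve or drop the TODO so the bounds check is not read as a stopgap.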
@ -169,6 +173,10 @@ int handle_cmd_get_configuration_common(struct aecp *aecp, int64_t now,
return reply_status(aecp,
AVB_AECP_AEM_STATUS_NO_SUCH_DESCRIPTOR, p, len);
if (len < 0 || (size_t)len > sizeof(buf))
return reply_status(aecp,
AVB_AECP_AEM_STATUS_BAD_ARGUMENTS, p, len);
memcpy(buf, m, len);
h_reply = (struct avb_ethernet_header *)buf;
p_reply = SPA_PTROFF(h_reply, sizeof(*h_reply), void);
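Review bot: the check added in handle_cmd_get_configuration_common only bounds the upper end of `len`; `h_reply = (struct avb_ethernet_header *)buf` and `p_reply = SPA_PTROFF(h_reply, sizeof(*h_reply), void)` then assume at least an Ethernet header plus the AECP header were copied, so unless the caller already guarantees a minimum length, a lower bound (`(size_t)len < sizeof(*h_reply) + <aecp header size>`) belongs next to this test, otherwise a short packet makes the reply read uninitialized stack bytes. The same comment applies to the matching check in the first hunk.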