From e6b4de6442062572d036a6280158b4a135392f5e Mon Sep 17 00:00:00 2001
From: hackerman-kl <hackerman-kl@kebag-logic.com>
Date: Sun, 19 Apr 2026 18:58:01 +0200
Subject: [PATCH] milan-avb: guard against size_t underflow on short packets in
 unsol reply prepare

---
 .../module-avb/aecp-aem-cmds-resps/reply-unsol-helpers.c   | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/modules/module-avb/aecp-aem-cmds-resps/reply-unsol-helpers.c b/src/modules/module-avb/aecp-aem-cmds-resps/reply-unsol-helpers.c
index dfc6617d4..ab776ba03 100644
--- a/src/modules/module-avb/aecp-aem-cmds-resps/reply-unsol-helpers.c
+++ b/src/modules/module-avb/aecp-aem-cmds-resps/reply-unsol-helpers.c
@@ -111,8 +111,11 @@ static void reply_unsol_notifications_prepare(struct aecp *aecp,
 
 	/* Here the value of 12 is the delta between the target_entity_id and
 	   start of the AECP message specific data. */
-	ctrl_data_length = len - (sizeof(*h) + sizeof(*p))
-				+ AVB_PACKET_CONTROL_DATA_OFFSET;
+	if (len < sizeof(*h) + sizeof(*p))
+		ctrl_data_length = AVB_PACKET_CONTROL_DATA_OFFSET;
+	else
+		ctrl_data_length = len - (sizeof(*h) + sizeof(*p))
+					+ AVB_PACKET_CONTROL_DATA_OFFSET;
 
 	h = (struct avb_ethernet_header*) packet;
 	p = SPA_PTROFF(h, sizeof(*h), void);