From f06234fda887d5b99e43b20abf6f46e1caf23042 Mon Sep 17 00:00:00 2001
From: hackerman-kl <hackerman-kl@kebag-logic.com>
Date: Thu, 16 Apr 2026 19:07:59 +0200
Subject: [PATCH] milan-avb: bound packet copy length in clock-source handlers

---
 .../aecp-aem-cmds-resps/cmd-get-set-clock-source.c     | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-clock-source.c b/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-clock-source.c
index 0991e6214..2c8fabd02 100644
--- a/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-clock-source.c
+++ b/src/modules/module-avb/aecp-aem-cmds-resps/cmd-get-set-clock-source.c
@@ -3,6 +3,7 @@
 /* SPDX-FileCopyrightText: Copyright © 2025 Alexandre Malki <alexandre.malki@kebag-logic.com> */
 /* SPDX-License-Identifier: MIT  */
 
+#include <errno.h>
 #include <stdint.h>
 #include <stdbool.h>
 
@@ -23,6 +24,9 @@ static int reply_invalid_clock_source(struct aecp *aecp,
 	struct avb_packet_aecp_aem *p = SPA_PTROFF(h, sizeof(*h), void);
 	struct avb_packet_aecp_aem_setget_clock_source *sclk_source;
 
+	if (len < 0 || (size_t)len > sizeof(buf))
+		return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS, m, len);
+
 	memcpy(buf, m, len);
 	sclk_source =
 		(struct avb_packet_aecp_aem_setget_clock_source *) p->payload;
@@ -41,6 +45,9 @@ static int handle_unsol_set_clock_source(struct aecp *aecp, struct descriptor *d
 	struct aecp_aem_base_info bi = { 0 };
 	int rc;
 
+	if (len < 0 || (size_t)len > sizeof(buf))
+		return -EINVAL;
+
 	memcpy(buf, m, len);
 	bi.controller_entity_id = htobe64(ctrler_id);
 	bi.expire_timeout = INT64_MAX;
@@ -67,6 +74,9 @@ int handle_cmd_get_clock_source_milan_v12(struct aecp *aecp, int64_t now,
 	uint16_t desc_index;
 	uint16_t desc_type;
 
+	if (len < 0 || (size_t)len > sizeof(buf))
+		return reply_status(aecp, AVB_AECP_AEM_STATUS_BAD_ARGUMENTS, m, len);
+
 	memcpy(buf, m, len);
 	sclk_source =
 		(struct avb_packet_aecp_aem_setget_clock_source *) p->payload;