drivers: bluetooth: spi: Check lengths in incoming headers

So far the lengths provided in event and ACL packets were not being
checked at all, which could have caused an overflow if the contents were
not to fit inside the net_buf.
Check the length and discard the packet when it doesn't fit.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
diff --git a/drivers/bluetooth/hci/spi.c b/drivers/bluetooth/hci/spi.c
index 563a95e..642c379 100644
--- a/drivers/bluetooth/hci/spi.c
+++ b/drivers/bluetooth/hci/spi.c
@@ -314,6 +314,7 @@
 	struct bt_hci_acl_hdr acl_hdr;
 	uint8_t size = 0U;
 	int ret;
+	int len;
 
 	(void)memset(&txmsg, 0xFF, SPI_MAX_MSG_LEN);
 
@@ -383,15 +384,24 @@
 					}
 				}
 
-				net_buf_add_mem(buf, &rxmsg[1],
-						rxmsg[EVT_HEADER_SIZE] + 2);
+				len = sizeof(struct bt_hci_evt_hdr) + rxmsg[EVT_HEADER_SIZE];
+				if (len > net_buf_tailroom(buf)) {
+					BT_ERR("Event too long: %d", len);
+					net_buf_unref(buf);
+					continue;
+				}
+				net_buf_add_mem(buf, &rxmsg[1], len);
 				break;
 			case HCI_ACL:
 				buf = bt_buf_get_rx(BT_BUF_ACL_IN, K_FOREVER);
 				memcpy(&acl_hdr, &rxmsg[1], sizeof(acl_hdr));
-				net_buf_add_mem(buf, &acl_hdr, sizeof(acl_hdr));
-				net_buf_add_mem(buf, &rxmsg[5],
-						sys_le16_to_cpu(acl_hdr.len));
+				len = sizeof(acl_hdr) + sys_le16_to_cpu(acl_hdr.len);
+				if (len > net_buf_tailroom(buf)) {
+					BT_ERR("ACL too long: %d", len);
+					net_buf_unref(buf);
+					continue;
+				}
+				net_buf_add_mem(buf, &rxmsg[1], len);
 				break;
 			default:
 				BT_ERR("Unknown BT buf type %d", rxmsg[0]);
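Review bot: Both new checks (`len > net_buf_tailroom(buf)` in the event and ACL cases) bound only the destination, so a header length that fits the net_buf but exceeds what `rxmsg` holds still lets `net_buf_add_mem(buf, &rxmsg[1], len)` read past the receive buffer; for ACL the length is a 16-bit field taken straight from the controller. The declaration of `rxmsg` is outside the hunk, but if it is sized `SPI_MAX_MSG_LEN` like `txmsg`, the guard should also cover the source, e.g. `if (len > net_buf_tailroom(buf) || len > SPI_MAX_MSG_LEN - 1) {`. Ideally it would also compare against the number of bytes actually received in this transfer, so that stale bytes from an earlier read are not forwarded to the host stack. `len` would also be better declared as `size_t` (logged with `%zu`) to avoid the signed/unsigned comparison with `net_buf_tailroom()`. The enclosing function starts and ends outside the hunk.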