--- x/net/bluetooth/hci_sock.c
+++ y/net/bluetooth/hci_sock.c
@@ -1946,7 +1946,7 @@ static int hci_sock_setsockopt_old(struc
 switch (optname) {
 case HCI_DATA_DIR:
- if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
+ if (len < sizeof(opt) || copy_from_sockptr(&opt, optval, sizeof(opt))) {
 err = -EFAULT;
 break;
 }
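Review bot: The new `len < sizeof(opt)` test in the `HCI_DATA_DIR` case shares the `-EFAULT` branch with a failed copy, so a caller that passes a too-short option length is told its pointer was bad rather than that its argument was invalid. Splitting the guard keeps the out-of-bounds read closed and reports the length error distinctly: `if (len < sizeof(opt)) { err = -EINVAL; break; }` ahead of the unchanged `copy_from_sockptr()` call. If this tree has a length-checking sockptr copy helper, using it here would keep the size and the length in one call. Any other case of this switch that copies a fixed-size value from `optval` needs the same guard; the rest of `hci_sock_setsockopt_old` lies outside the hunk, so that could not be checked here.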