diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c b/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
index 16617f3bd03..ccc7f6e0b7c 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
@@ -227,6 +227,7 @@ void btm_ble_update_resolving_list(BD_ADDR pseudo_bda, BOOLEAN add)
 void btm_ble_clear_resolving_list_complete(UINT8 *p, UINT16 evt_len)
 {
     UINT8 status = 0;
+    STREAM_TO_UINT8(status, p);
     BTM_TRACE_DEBUG("%s status=%d", __func__, status);
diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c
index 8ac25d0971b..e1d4f11fa76 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c
@@ -3792,13 +3792,27 @@ void btm_rem_oob_req (UINT8 *p)
 ** Returns void
 **
 *******************************************************************************/
-void btm_read_local_oob_complete (UINT8 *p)
+void btm_read_local_oob_complete (UINT8 *p, UINT16 evt_len)
 {
     tBTM_SP_LOC_OOB evt_data;
-    UINT8 status = *p++;
+    UINT8 status;
+
+    if (evt_len < 1) {
+        BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
+        evt_data.status = BTM_ERR_PROCESSING;
+        goto err_out;
+    }
+
+    STREAM_TO_UINT8(status, p);
     BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d\n", status);
     if (status == HCI_SUCCESS) {
+        if (evt_len < 1 + 32) {
+            BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
+            evt_data.status = BTM_ERR_PROCESSING;
+            goto err_out;
+        }
+
         evt_data.status = BTM_SUCCESS;
         STREAM_TO_ARRAY16(evt_data.c, p);
         STREAM_TO_ARRAY16(evt_data.r, p);
@@ -3806,6 +3820,7 @@ void btm_read_local_oob_complete (UINT8 *p)
         evt_data.status = BTM_ERR_PROCESSING;
     }
+err_out:
     if (btm_cb.api.p_sp_callback) {
         (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
     }
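Review bot: The new `STREAM_TO_UINT8(status, p);` in btm_ble_clear_resolving_list_complete reads one byte of the event payload without first checking `evt_len`, even though the function already receives it; a Command Complete with an empty parameter block would read past the payload. The companion change in btm_sec.c guards the identical read with `if (evt_len < 1) { BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__); ... }`, and the same guard belongs here before the read, taking whatever failure path the rest of this function uses. The function body continues past the hunk, so a later length check may exist, but it would come after the out-of-bounds read rather than before it.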
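Review bot: On both new `goto err_out` paths (and on the pre-existing non-HCI_SUCCESS branch) `evt_data` reaches the SP callback with only `.status` assigned, so `evt_data.c` and `evt_data.r` carry indeterminate stack bytes into `(*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, ...)`. Declaring it as `tBTM_SP_LOC_OOB evt_data = {0};` costs nothing and ensures a callback that does not check `.status` sees zeroed OOB values instead of stale stack contents. The `1 + 32` bound is correct for the status byte plus the two STREAM_TO_ARRAY16 reads, but it reads as a magic number; a comment such as `/* status + C (16) + R (16) */` on that line would document it. The function continues into the second hunk, where the `err_out:` label is placed.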
diff --git a/components/bt/host/bluedroid/stack/btm/include/btm_int.h b/components/bt/host/bluedroid/stack/btm/include/btm_int.h
index 7b65fc6e4fa..8a263593aad 100644
--- a/components/bt/host/bluedroid/stack/btm/include/btm_int.h
+++ b/components/bt/host/bluedroid/stack/btm/include/btm_int.h
@@ -1254,10 +1254,10 @@ tINQ_DB_ENT *btm_inq_db_new (BD_ADDR p_bda);
 #if BTM_OOB_INCLUDED == TRUE
 void btm_rem_oob_req (UINT8 *p);
-void btm_read_local_oob_complete (UINT8 *p);
+void btm_read_local_oob_complete (UINT8 *p, UINT16 evt_len);
 #else
 #define btm_rem_oob_req(p)
-#define btm_read_local_oob_complete(p)
+#define btm_read_local_oob_complete(p, evt_len)
 #endif
 void btm_acl_resubmit_page (void);
diff --git a/components/bt/host/bluedroid/stack/btu/btu_hcif.c b/components/bt/host/bluedroid/stack/btu/btu_hcif.c
index 64b1136e840..3121cf6dae4 100644
--- a/components/bt/host/bluedroid/stack/btu/btu_hcif.c
+++ b/components/bt/host/bluedroid/stack/btu/btu_hcif.c
@@ -1170,7 +1170,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
 #endif // #if (CLASSIC_BT_INCLUDED == TRUE)
     case HCI_READ_LOCAL_OOB_DATA:
 #if BTM_OOB_INCLUDED == TRUE && SMP_INCLUDED == TRUE
-        btm_read_local_oob_complete(p);
+        btm_read_local_oob_complete(p, evt_len);
 #endif
         break;