diff --git a/components/bt/host/bluedroid/stack/btm/btm_acl.c b/components/bt/host/bluedroid/stack/btm/btm_acl.c
index b1e3ecb882..b954cb7ed1 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_acl.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_acl.c
@@ -2318,7 +2318,7 @@ err_out:
 ** Returns void
 **
 *******************************************************************************/
-void btm_read_rssi_complete (UINT8 *p)
+void btm_read_rssi_complete (UINT8 *p, UINT16 evt_len)
 {
     tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_rssi_cmpl_cb;
     tBTM_RSSI_RESULTS results;
@@ -2331,11 +2331,21 @@ void btm_read_rssi_complete (UINT8 *p)
     btm_cb.devcb.p_rssi_cmpl_cb = NULL;
     if (p_cb) {
+        if (evt_len < 1) {
+            BTM_TRACE_ERROR("Bogus event packet, too short");
+            results.status = BTM_ERR_PROCESSING;
+            goto err_out;
+        }
         STREAM_TO_UINT8 (results.hci_status, p);
         if (results.hci_status == HCI_SUCCESS) {
             results.status = BTM_SUCCESS;
+            if (evt_len < 1 + 3) {
+                BTM_TRACE_ERROR("Bogus event packet, too short");
+                results.status = BTM_ERR_PROCESSING;
+                goto err_out;
+            }
             STREAM_TO_UINT16 (handle, p);
             STREAM_TO_UINT8 (results.rssi, p);
@@ -2351,6 +2361,7 @@ void btm_read_rssi_complete (UINT8 *p)
         results.status = BTM_ERR_PROCESSING;
     }
+err_out:
     (*p_cb)(&results);
     }
 }
diff --git a/components/bt/host/bluedroid/stack/btm/include/btm_int.h b/components/bt/host/bluedroid/stack/btm/include/btm_int.h
index c9fc25fac6..b20e1fca43 100644
--- a/components/bt/host/bluedroid/stack/btm/include/btm_int.h
+++ b/components/bt/host/bluedroid/stack/btm/include/btm_int.h
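Review bot: The two new early exits in the second hunk deliver `results` to the callback with only `status` (and, on the second path, `hci_status`) assigned, while the first hunk's context shows `tBTM_RSSI_RESULTS results;` declared without an initializer, so every other member reaches the caller indeterminate; the same holds for the pre-existing failure path visible in the third hunk. Initialising it at the declaration, `tBTM_RSSI_RESULTS results = {0};`, closes that for all three paths. The second check `evt_len < 1 + 3` matches the status byte plus the two-byte handle and one-byte rssi read right after it, but it sits after `results.status = BTM_SUCCESS;` only to overwrite it; placing the check ahead of that assignment reads more naturally. Both traces use the identical string "Bogus event packet, too short"; recording the observed length, e.g. `BTM_TRACE_ERROR("Bogus event packet, too short: %d", evt_len);`, would let a log distinguish the two sites. The function's body between the hunks is not shown.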
@@ -1051,7 +1051,7 @@ void btm_cont_rswitch (tACL_CONN *p,
 tACL_CONN *btm_handle_to_acl (UINT16 hci_handle);
 void btm_read_link_policy_complete (UINT8 *p);
-void btm_read_rssi_complete (UINT8 *p);
+void btm_read_rssi_complete (UINT8 *p, UINT16 evt_len);
 void btm_read_tx_power_complete (UINT8 *p, UINT16 evt_len, BOOLEAN is_ble);
 void btm_acl_pkt_types_changed(UINT8 status, UINT16 handle, UINT16 pkt_types);
 void btm_read_link_quality_complete (UINT8 *p);
diff --git a/components/bt/host/bluedroid/stack/btu/btu_hcif.c b/components/bt/host/bluedroid/stack/btu/btu_hcif.c
index 3c53d15de4..a66082b4d5 100644
--- a/components/bt/host/bluedroid/stack/btu/btu_hcif.c
+++ b/components/bt/host/bluedroid/stack/btu/btu_hcif.c
@@ -977,7 +977,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
         break;
     case HCI_READ_RSSI:
-        btm_read_rssi_complete (p);
+        btm_read_rssi_complete (p, evt_len);
         break;
     case HCI_READ_TRANSMIT_POWER_LEVEL:
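Review bot: The new bounds checks in btm_read_rssi_complete are only meaningful if the `evt_len` forwarded in the btu_hcif.c hunk counts the bytes still remaining at `p`, i.e. excludes whatever command-complete header fields were consumed before this switch; that cannot be seen from the hunk, so it is worth confirming against the start of btu_hcif_hdl_command_complete. The existing prototype `btm_read_tx_power_complete (UINT8 *p, UINT16 evt_len, BOOLEAN is_ble)` in the btm_int.h hunk presumably relies on the same convention, so whichever interpretation it uses is the one to match. The enclosing function starts and ends outside the hunk.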