
Harden BLE SPP command buffer length handling#197

Open
orbisai0security wants to merge 1 commit into grblHAL:master from orbisai0security:fix-v-007-main-bluetooth-le.c

Conversation


@orbisai0security orbisai0security commented May 18, 2026

Summary

This PR applies a small defensive hardening change to the WIP BLE SPP command handling path.

Changes:

  • main/bluetooth_le.c
  • Check p_data->write.len before copying into the allocated SPP command buffer.
  • Avoid copying more than the allocated MTU-derived buffer size.
  • Replace a few unbounded string writes with bounded variants.

This does not claim to make the BLE SPP implementation complete or to add authentication/pairing enforcement. It is intended only as a narrow memory-safety hardening cleanup.

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

The Bluetooth LE SPP command buffer at bluetooth_le

Assisted-by: OrbisAI Security <noreply@orbisappsec.com>
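As an added illustration of the check the PR describes (this is not the PR's own diff, which is not shown here): a constructed stand-in for the ESP-IDF write event fields, a hypothetical receive state with an MTU-derived buffer, the `p_data->write.len` check before the copy, and an `snprintf`-based bounded reply in place of an unbounded string write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the write fields of the ESP-IDF GATT server
 * callback parameter (p_data->write in the PR); not the real header. */
typedef struct {
    uint16_t len;
    uint8_t *value;
} ble_write_t;

/* Hypothetical receive state (not grblHAL's type): buffer sized from the MTU. */
typedef struct {
    char *cmd;
    size_t cmd_size;   /* allocated size of cmd */
    size_t cmd_len;    /* bytes accumulated so far */
    bool overflowed;   /* set when a write was refused */
} spp_rx_t;

/* Append one GATT write to the command buffer. The peer controls
 * write->len, so it is checked against the space left before memcpy.
 * Returns the number of bytes accepted, 0 if the write was refused. */
size_t spp_rx_append(spp_rx_t *rx, const ble_write_t *write)
{
    if (!rx || !rx->cmd || rx->cmd_size == 0 || !write || !write->value)
        return 0;
    /* Keep one byte free so the command can always be NUL-terminated;
     * the ternary guards against size_t underflow if cmd_len is corrupt. */
    size_t room = rx->cmd_len + 1 < rx->cmd_size ? rx->cmd_size - 1 - rx->cmd_len : 0;
    if (write->len > room) {
        rx->overflowed = true;
        rx->cmd_len = 0;        /* discard the partial command */
        rx->cmd[0] = '\0';
        return 0;
    }
    memcpy(rx->cmd + rx->cmd_len, write->value, write->len);
    rx->cmd_len += write->len;
    rx->cmd[rx->cmd_len] = '\0';
    return write->len;
}

/* Bounded replacement for an unbounded reply write: snprintf never writes
 * past out_size and always NUL-terminates. Returns false if truncated. */
bool spp_format_reply(char *out, size_t out_size, const char *status, const char *detail)
{
    if (!out || out_size == 0)
        return false;
    int n = snprintf(out, out_size, "%s:%s\r\n", status, detail);
    return n >= 0 && (size_t)n < out_size;
}
```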
@terjeio
Contributor

terjeio commented May 18, 2026

Does this fix the code so it works now? It did not before (was WIP).

@orbisai0security
Author

Thanks for checking. No, this PR does not make the BLE SPP implementation fully functional, and I should not have framed it as a complete authentication/security fix.

The actual change is narrower: it hardens the WIP BLE command write path by bounding p_data->write.len before copying into the allocated SPP command buffer, and replaces a few unbounded string writes with bounded variants.

I’ll retitle/rewrite the PR as a defensive hardening cleanup rather than a critical vulnerability fix.

@orbisai0security orbisai0security changed the title from "fix: the bluetooth le spp command buffer at bluetoot... in..." to "Harden BLE SPP command buffer length handling" on May 18, 2026