diff --git a/subsys/bluetooth/services/ots/ots_client.c b/subsys/bluetooth/services/ots/ots_client.c
index e14e83b047a..f8f03d7200c 100644
--- a/subsys/bluetooth/services/ots/ots_client.c
+++ b/subsys/bluetooth/services/ots/ots_client.c
@@ -297,6 +297,11 @@ static void olcp_ind_handler(struct bt_conn *conn,
 	enum bt_gatt_ots_olcp_proc_type op_code;
 	struct net_buf_simple net_buf;
 
+	if (length < sizeof(op_code)) {
+		LOG_DBG("Invalid indication length: %u", length);
+		return;
+	}
+
 	net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 
 	op_code = net_buf_simple_pull_u8(&net_buf);
@@ -304,6 +309,12 @@ static void olcp_ind_handler(struct bt_conn *conn,
 	LOG_DBG("OLCP indication");
 
 	if (op_code == BT_GATT_OTS_OLCP_PROC_RESP) {
+		if (net_buf.len < (sizeof(uint8_t) + sizeof(uint8_t))) {
+			LOG_DBG("Invalid indication length for op_code %u: %u", op_code,
+				net_buf.len);
+			return;
+		}
+
 		enum bt_gatt_ots_olcp_proc_type req_opcode =
 			net_buf_simple_pull_u8(&net_buf);
 		enum bt_gatt_ots_olcp_res_code result_code =
@@ -366,6 +377,11 @@ static void oacp_ind_handler(struct bt_conn *conn,
 	uint32_t checksum;
 	struct net_buf_simple net_buf;
 
+	if (length < sizeof(op_code)) {
+		LOG_DBG("Invalid indication length: %u", length);
+		return;
+	}
+
 	net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 
 	op_code = net_buf_simple_pull_u8(&net_buf);