diff --git a/nimble/host/audio/services/bass/src/ble_audio_svc_bass.c b/nimble/host/audio/services/bass/src/ble_audio_svc_bass.c
index 1c4ff639e..f277375ef 100644
--- a/nimble/host/audio/services/bass/src/ble_audio_svc_bass.c
+++ b/nimble/host/audio/services/bass/src/ble_audio_svc_bass.c
@@ -523,13 +523,19 @@ ble_svc_audio_bass_modify_source(uint8_t *data, uint16_t data_len, uint16_t conn
 }
 
 static int
-ble_svc_audio_bass_set_broadcast_code(uint8_t *data, uint16_t data_len, uint16_t conn_handle)
+ble_svc_audio_bass_set_broadcast_code(uint8_t *data, uint16_t conn_handle)
 {
     struct ble_svc_audio_bass_rcv_state_entry *rcv_state = NULL;
     struct ble_audio_event ev = {
         .type = BLE_AUDIO_EVENT_BASS_BROADCAST_CODE_SET,
     };
 
+    om_len = OS_MBUF_PKTLEN(ctxt->om);
+    rc = ble_hs_mbuf_to_flat(ctxt->om, data, om_len, NULL);
+    if (rc) {
+        return BLE_ATT_ERR_UNLIKELY;
+    }
+
     ev.bass_set_broadcast_code.source_id = data[0];
 
     ble_svc_audio_bass_receive_state_find_by_source_id(&rcv_state,
@@ -546,7 +552,7 @@ ble_svc_audio_bass_set_broadcast_code(uint8_t *data, uint16_t data_len, uint16_t
 }
 
 static int
-ble_svc_audio_bass_remove_source(uint8_t *data, uint16_t data_len, uint16_t conn_handle)
+ble_svc_audio_bass_remove_source(uint8_t *data, uint16_t conn_handle)
 {
     struct ble_audio_event ev = {
         .type = BLE_AUDIO_EVENT_BASS_BROADCAST_CODE_SET,
@@ -617,13 +623,16 @@ ble_svc_audio_bass_find_handler(uint8_t opcode)
 static int
 ble_svc_audio_bass_ctrl_point_write_access(struct ble_gatt_access_ctxt *ctxt, uint16_t conn_handle)
 {
+    struct os_mbuf *om;
+    uint8_t opcode;
+    uint16_t mbuf_len = OS_MBUF_PKTLEN(ctxt->om);
     struct ble_svc_audio_bass_ctrl_point_handler *handler;
 
-    uint8_t opcode = ctxt->om->om_data[0];
+    opcode = ctxt->om->om_data[0];
 
     handler = ble_svc_audio_bass_find_handler(opcode);
 
-    if (!handler) {
+    if (handler == NULL) {
         return BLE_SVC_AUDIO_BASS_ERR_OPCODE_NOT_SUPPORTED;
     }
 
@@ -633,7 +642,12 @@ ble_svc_audio_bass_ctrl_point_write_access(struct ble_gatt_access_ctxt *ctxt, ui
         return BLE_ATT_ERR_WRITE_REQ_REJECTED;
     }
 
-    return handler->handler_cb(&ctxt->om->om_data[1], ctxt->om->om_len - 1, conn_handle);
+    om = os_mbuf_pullup(ctxt->om, mbuf_len);
+    if (!om) {
+        return BLE_ATT_ERR_UNLIKELY;
+    }
+
+    return handler->handler_cb(&om->om_data[1], mbuf_len - 1, conn_handle);
 }
 
 static int