diff --git a/system/stack/gatt/att_protocol.cc b/system/stack/gatt/att_protocol.cc
index 01dc10516cb09f1847617ef954c87935acd2f1f1..da3cf51e0e872731aa2099ceda8562b14939df2f 100644
--- a/system/stack/gatt/att_protocol.cc
+++ b/system/stack/gatt/att_protocol.cc
@@ -165,7 +165,13 @@ static BT_HDR* attp_build_read_by_type_value_cmd(
     uint16_t payload_size, tGATT_FIND_TYPE_VALUE* p_value_type) {
   uint8_t* p;
   uint16_t len = p_value_type->value_len;
-  BT_HDR* p_buf =
+  BT_HDR* p_buf = nullptr;
+
+  if (payload_size < 5) {
+    return nullptr;
+  }
+
+  p_buf =
       (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
 
   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
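Review bot: The added guard `if (payload_size < 5)` uses a bare literal and, as far as this hunk shows, covers only a fixed 5-byte prefix. The function body continues past the hunk, so the later writes into `p` are not visible here. If the code below appends the attribute-type UUID and then clamps `len` by subtracting the running length from `payload_size`, that subtraction can presumably still wrap when `payload_size` is at or just above 5, so the threshold should also account for the UUID's encoded length. At minimum, document the constant with something like `// 5 = opcode (1) + start handle (2) + end handle (2)` (confirm against the writes below) or replace it with a named constant. `return nullptr;` is also a new failure path, so callers outside this hunk need to handle a null buffer.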