From 363b8b2973f33f316939fb290deb70c7df91b91d Mon Sep 17 00:00:00 2001
From: "zhiweijian@espressif.com"
Date: Wed, 6 Jul 2022 15:56:05 +0800
Subject: [PATCH] Fixed bluedroid host memory overflow

---
 components/bt/host/bluedroid/stack/gatt/gatt_api.c | 10 ++++++++++
 components/bt/host/bluedroid/stack/l2cap/l2c_api.c | 7 +++++++
 2 files changed, 17 insertions(+)

diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_api.c b/components/bt/host/bluedroid/stack/gatt/gatt_api.c
index 06e0ac4d1a..50a01251f4 100644
--- a/components/bt/host/bluedroid/stack/gatt/gatt_api.c
+++ b/components/bt/host/bluedroid/stack/gatt/gatt_api.c
@@ -583,6 +583,11 @@ tGATT_STATUS GATTS_HandleValueIndication (UINT16 conn_id, UINT16 attr_handle, U
 return (tGATT_STATUS) GATT_INVALID_CONN_ID;
 }
 
+ if ((GATT_CH_OPEN != gatt_get_ch_state(p_tcb)) || (p_tcb->payload_size == 0)) {
+ GATT_TRACE_ERROR("connection not established\n");
+ return GATT_WRONG_STATE;
+ }
+
 if (! GATT_HANDLE_IS_VALID (attr_handle)) {
 return GATT_ILLEGAL_PARAMETER;
 }
@@ -650,6 +655,11 @@ tGATT_STATUS GATTS_HandleValueNotification (UINT16 conn_id, UINT16 attr_handle,
 return (tGATT_STATUS) GATT_INVALID_CONN_ID;
 }
 
+ if ((GATT_CH_OPEN != gatt_get_ch_state(p_tcb)) || (p_tcb->payload_size == 0)) {
+ GATT_TRACE_ERROR("connection not established\n");
+ return GATT_WRONG_STATE;
+ }
+
 if (GATT_HANDLE_IS_VALID (attr_handle)) {
 notif.handle = attr_handle;
 notif.len = val_len;
diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_api.c b/components/bt/host/bluedroid/stack/l2cap/l2c_api.c
index c60435b902..a3dddca13d 100644
--- a/components/bt/host/bluedroid/stack/l2cap/l2c_api.c
+++ b/components/bt/host/bluedroid/stack/l2cap/l2c_api.c
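Review bot: The added guard treats `p_tcb->payload_size == 0` as "connection not established", but neither the hunk nor the commit message says why a zero payload size matters even though the subject calls this a memory-overflow fix; presumably payload_size is the negotiated ATT MTU that later sizes an outgoing buffer, which I cannot confirm from these lines. A one-line comment above the check, such as `/* payload_size stays 0 until the ATT MTU is established; refuse to build a PDU before then */` (wording to be checked against the buffer-sizing code), would record the invariant the fix depends on. The identical condition is pasted three times — here, in GATTS_HandleValueNotification in the next hunk, and in l2ble_update_att_acl_pkt_num in l2c_api.c — so a single shared helper returning `(gatt_get_ch_state(p_tcb) == GATT_CH_OPEN) && (p_tcb->payload_size != 0)` would keep the copies from drifting apart. GATTS_HandleValueIndication begins before this hunk and continues after it.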
@@ -2329,6 +2329,13 @@ void l2ble_update_att_acl_pkt_num(UINT8 type, tl2c_buff_param_t *param)
 xSemaphoreGive(buff_semaphore);
 break;
 }
+
+ if ((GATT_CH_OPEN != gatt_get_ch_state(p_tcb)) || (p_tcb->payload_size == 0)) {
+ L2CAP_TRACE_ERROR("connection not established\n");
+ xSemaphoreGive(buff_semaphore);
+ break;
+ }
+
 tL2C_LCB * p_lcb = l2cu_find_lcb_by_bd_addr (p_tcb->peer_bda, BT_TRANSPORT_LE);
 if (p_lcb == NULL){
 L2CAP_TRACE_ERROR("%s not found p_lcb", __func__);
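Review bot: The new early exit in l2ble_update_att_acl_pkt_num repeats the `xSemaphoreGive(buff_semaphore); break;` pair of the exit directly above it, so every future early exit from this block must remember to release the semaphore or the next caller blocks on it indefinitely; a single release after the `break`-exited block, or a goto-style cleanup label, would make the release unconditional. The hunk also has the L2CAP layer read GATT-private state (`gatt_get_ch_state(p_tcb)`, `p_tcb->payload_size`); if that coupling is intended, a comment such as `/* ATT packet accounting needs an open GATT channel with a known MTU; bail out otherwise */` should say so, and the check should share one helper with the two copies in gatt_api.c rather than being pasted a third time. The enclosing function and the block that `break` leaves both start outside the hunk, so I cannot see whether the semaphore is taken once per call or once per iteration.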