Dereference before null check

2025-07-29 18:27:20 +02:00 · 2021-11-22 19:10:43 +08:00
parent 0755078ee6
commit d0dd9d446c
5 changed files with 20 additions and 17 deletions
--- a/components/bt/bluedroid/bta/gatt/bta_gattc_api.c
+++ b/components/bt/bluedroid/bta/gatt/bta_gattc_api.c
@ -298,7 +298,7 @@ void BTA_GATTC_ServiceSearchRequest (UINT16 conn_id, tBT_UUID *p_srvc_uuid)
 ** Returns          returns list_t of tBTA_GATTC_SERVICE or NULL.
 **
 *******************************************************************************/
-const list_t* BTA_GATTC_GetServices(UINT16 conn_id) 
+const list_t* BTA_GATTC_GetServices(UINT16 conn_id)
 {
    return bta_gattc_get_services(conn_id);
 }
@ -315,7 +315,7 @@ const list_t* BTA_GATTC_GetServices(UINT16 conn_id)
 ** Returns          returns pointer to tBTA_GATTC_CHARACTERISTIC or NULL.
 **
 *******************************************************************************/
-const tBTA_GATTC_CHARACTERISTIC* BTA_GATTC_GetCharacteristic(UINT16 conn_id, UINT16 handle) 
+const tBTA_GATTC_CHARACTERISTIC* BTA_GATTC_GetCharacteristic(UINT16 conn_id, UINT16 handle)
 {
    return bta_gattc_get_characteristic(conn_id, handle);
 }
@ -759,7 +759,7 @@ void BTA_GATTC_PrepareWriteCharDescr  (UINT16 conn_id, UINT16 handle,
                                       tBTA_GATT_AUTH_REQ auth_req)
 {
    tBTA_GATTC_API_WRITE  *p_buf;
-    UINT16  len = sizeof(tBTA_GATTC_API_WRITE) + p_data->len;
+    UINT16  len = sizeof(tBTA_GATTC_API_WRITE);

    if (p_data != NULL) {
        len += p_data->len;
@ -998,7 +998,7 @@ void BTA_GATTC_CacheAssoc(tBTA_GATTC_IF client_if, BD_ADDR src_addr, BD_ADDR ass
        memcpy(p_buf->assoc_addr, assoc_addr, sizeof(BD_ADDR));

        bta_sys_sendmsg(p_buf);
-        
+
    }
    return;
 }
--- a/components/bt/bluedroid/btc/profile/std/gatt/btc_gattc.c
+++ b/components/bt/bluedroid/btc/profile/std/gatt/btc_gattc.c
@ -121,14 +121,14 @@ static void btc_gattc_copy_req_data(btc_msg_t *msg, void *p_dest, void *p_src)
    tBTA_GATTC *p_dest_data = (tBTA_GATTC *) p_dest;
    tBTA_GATTC *p_src_data = (tBTA_GATTC *) p_src;

-    if (!p_src_data || !p_dest_data) {
+    if (!p_src_data || !p_dest_data || !msg) {
        return;
    }

    // Allocate buffer for request data if necessary
    switch (msg->act) {
        case BTA_GATTC_READ_DESCR_EVT:
-        case BTA_GATTC_READ_CHAR_EVT: 
+        case BTA_GATTC_READ_CHAR_EVT:
        case BTA_GATTC_READ_MULTIPLE_EVT: {
            if (p_src_data->read.p_value && p_src_data->read.p_value->p_value) {
                p_dest_data->read.p_value = (tBTA_GATT_UNFMT  *)osi_malloc(sizeof(tBTA_GATT_UNFMT) + p_src_data->read.p_value->len);
@ -164,7 +164,7 @@ static void btc_gattc_free_req_data(btc_msg_t *msg)
    tBTA_GATTC *arg = (tBTA_GATTC *)(msg->arg);
    switch (msg->act) {
        case BTA_GATTC_READ_DESCR_EVT:
-        case BTA_GATTC_READ_CHAR_EVT: 
+        case BTA_GATTC_READ_CHAR_EVT:
        case BTA_GATTC_READ_MULTIPLE_EVT: {
            if (arg->read.p_value) {
                osi_free(arg->read.p_value);
--- a/components/bt/bluedroid/hci/hci_hal_h4.c
+++ b/components/bt/bluedroid/hci/hci_hal_h4.c
@ -249,11 +249,12 @@ static void hci_hal_h4_hdl_rx_packet(BT_HDR *packet)
 {
    uint8_t type, hdr_size;
    uint16_t length;
-    uint8_t *stream = packet->data + packet->offset;
+    uint8_t *stream = NULL;

    if (!packet) {
        return;
    }
+    stream = packet->data + packet->offset;

 #if (C2H_FLOW_CONTROL_INCLUDED == TRUE)
    hci_packet_complete(packet);
--- a/components/bt/bluedroid/stack/btm/btm_ble.c
+++ b/components/bt/bluedroid/stack/btm/btm_ble.c
@ -827,6 +827,7 @@ BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr)
 tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length)
 {
    tACL_CONN *p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
+
    BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __FUNCTION__, tx_pdu_length);

    if (!controller_get_interface()->supports_ble_packet_extension()) {
@ -834,12 +835,12 @@ tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length)
        return BTM_CONTROL_LE_DATA_LEN_UNSUPPORTED;
    }

-    if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) {
-        BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__);
-        return BTM_PEER_LE_DATA_LEN_UNSUPPORTED;
-    }
-
    if (p_acl != NULL) {
+        if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) {
+            BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__);
+            return BTM_PEER_LE_DATA_LEN_UNSUPPORTED;
+        }
+
        if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX) {
            tx_pdu_length =  BTM_BLE_DATA_SIZE_MAX;
        } else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN) {
--- a/components/bt/bluedroid/stack/gatt/gatt_api.c
+++ b/components/bt/bluedroid/stack/gatt/gatt_api.c
@ -814,15 +814,16 @@ tGATT_STATUS GATTC_ConfigureMTU (UINT16 conn_id)

    GATT_TRACE_API ("GATTC_ConfigureMTU conn_id=%d mtu=%d", conn_id, mtu );

+    if ((p_tcb == NULL) || (p_reg == NULL) || (mtu < GATT_DEF_BLE_MTU_SIZE) || (mtu > GATT_MAX_MTU_SIZE)) {
+        return GATT_ILLEGAL_PARAMETER;
+    }
+
+
    /* Validate that the link is BLE, not BR/EDR */
    if (p_tcb->transport != BT_TRANSPORT_LE) {
        return GATT_ERROR;
    }

-    if ( (p_tcb == NULL) || (p_reg == NULL) || (mtu < GATT_DEF_BLE_MTU_SIZE) || (mtu > GATT_MAX_MTU_SIZE)) {
-        return GATT_ILLEGAL_PARAMETER;
-    }
-
    if (gatt_is_clcb_allocated(conn_id)) {
        GATT_TRACE_ERROR("GATTC_ConfigureMTU GATT_BUSY conn_id = %d", conn_id);
        return GATT_BUSY;