bluetooth: host: gatt: fix null-ptr access if no include-svc userdata

nirav-agrawal · dkalowsk · commit 5a8189bf2afe · 2025-06-25T15:51:24.000-10:00
- Issue: There is a bus-fault while accessing empty userdata structure
  pointer if application does not include any include service
  userdata instance (which consist of UUID list of included service)
  but service array has defined dummy entry for it assumed to be
  overridden by app during initial flow.
- For example, the issue has happened in case of tmap-central sample
 without "CONFIG_BT_OTS" support. there are some MCS attributes
 dependent on OTS service because of that
 "BT_GATT_INCLUDE_SERVICE(NULL)" entry is added as part of service
 definition. The given entry does not have userdata handler defined
 and is expecting to be overriden by the app if it will be included.
 During "bt_mcs_init()" call, "mcs.attrs[i].user_data" is not
 populated with any attr-instance pointer. This makes CPU to access
 null-address during reading local-database include-service attribute
 which was not provided by the app but the include-service entry was
 added to the db.
- Fix: Adding condition to check if user-data has null address, and
 returning back to avoid any hard-faults.

Signed-off-by: Nirav Agrawal &lt;nirav.agrawal@nxp.com&gt;
diff --git a/include/zephyr/bluetooth/gatt.h b/include/zephyr/bluetooth/gatt.h
@@ -918,6 +918,7 @@ ssize_t bt_gatt_attr_read_service(struct bt_conn *conn,
  *  Read include service attribute value from local database storing the result
  *  into buffer after encoding it.
  *  @note Only use this with attributes which user_data is a ``bt_gatt_include``.
+ *  The function returns EINVAL if @p attr or @p attr->user_data is NULL.
  *
  *  @param conn Connection object.
  *  @param attr Attribute to read.
diff --git a/subsys/bluetooth/host/gatt.c b/subsys/bluetooth/host/gatt.c
@@ -1917,6 +1917,10 @@ ssize_t bt_gatt_attr_read_included(struct bt_conn *conn,
 				   const struct bt_gatt_attr *attr,
 				   void *buf, uint16_t len, uint16_t offset)
 {
+	if ((attr == NULL) || (attr->user_data == NULL)) {
+		return -EINVAL;
+	}
+
 	struct bt_gatt_attr *incl = attr->user_data;
 	uint16_t handle = bt_gatt_attr_get_handle(incl);
 	struct bt_uuid *uuid = incl->user_data;

Original file line number	Diff line number	Diff line change
`@@ -918,6 +918,7 @@ ssize_t bt_gatt_attr_read_service(struct bt_conn *conn,`
`918`	`918`	`* Read include service attribute value from local database storing the result`
`919`	`919`	`* into buffer after encoding it.`
`920`	`920`	* @note Only use this with attributes which user_data is a ``bt_gatt_include``.
	`921`	`+ * The function returns EINVAL if @p attr or @p attr->user_data is NULL.`
`921`	`922`	`*`
`922`	`923`	`* @param conn Connection object.`
`923`	`924`	`* @param attr Attribute to read.`