[nrf fromtree] bluetooth: host: gatt: fix null-ptr access if no include-svc userdata

nirav-agrawal · nordicjm · commit 57d8acee344a · 2025-08-06T09:00:51.000+01:00
- Issue: There is a bus-fault while accessing empty userdata structure pointer if application does not include any include service userdata instance (which consist of UUID list of included service) but service array has defined dummy entry for it assumed to be overridden by app during initial flow. - For example, the issue has happened in case of tmap-central sample without "CONFIG_BT_OTS" support. there are some MCS attributes dependent on OTS service because of that "BT_GATT_INCLUDE_SERVICE(NULL)" entry is added as part of service definition. The given entry does not have userdata handler defined and is expecting to be overriden by the app if it will be included. During "bt_mcs_init()" call, "mcs.attrs[i].user_data" is not populated with any attr-instance pointer. This makes CPU to access null-address during reading local-database include-service attribute which was not provided by the app but the include-service entry was added to the db. - Fix: Adding condition to check if user-data has null address, and returning back to avoid any hard-faults. Signed-off-by: Nirav Agrawal <nirav.agrawal@nxp.com> (cherry picked from commit 5a8189b) Signed-off-by: Håvard Reierstad <haavard.reierstad@nordicsemi.no>
diff --git a/include/zephyr/bluetooth/gatt.h b/include/zephyr/bluetooth/gatt.h
@@ -918,6 +918,7 @@ ssize_t bt_gatt_attr_read_service(struct bt_conn *conn,
  *  Read include service attribute value from local database storing the result
  *  into buffer after encoding it.
  *  @note Only use this with attributes which user_data is a ``bt_gatt_include``.
+ *  The function returns EINVAL if @p attr or @p attr->user_data is NULL.
  *
  *  @param conn Connection object.
  *  @param attr Attribute to read.
diff --git a/subsys/bluetooth/host/gatt.c b/subsys/bluetooth/host/gatt.c
@@ -1917,6 +1917,10 @@ ssize_t bt_gatt_attr_read_included(struct bt_conn *conn,
 				   const struct bt_gatt_attr *attr,
 				   void *buf, uint16_t len, uint16_t offset)
 {
+	if ((attr == NULL) || (attr->user_data == NULL)) {
+		return -EINVAL;
+	}
+
 	struct bt_gatt_attr *incl = attr->user_data;
 	uint16_t handle = bt_gatt_attr_get_handle(incl);
 	struct bt_uuid *uuid = incl->user_data;

Original file line number	Diff line number	Diff line change
`@@ -918,6 +918,7 @@ ssize_t bt_gatt_attr_read_service(struct bt_conn *conn,`
`918`	`918`	`* Read include service attribute value from local database storing the result`
`919`	`919`	`* into buffer after encoding it.`
`920`	`920`	* @note Only use this with attributes which user_data is a ``bt_gatt_include``.
	`921`	`+ * The function returns EINVAL if @p attr or @p attr->user_data is NULL.`
`921`	`922`	`*`
`922`	`923`	`* @param conn Connection object.`
`923`	`924`	`* @param attr Attribute to read.`