bluetooth: Fix null pointer dereference before null check issues.

EListenX · hyson710 · commit 54e536407f19 · 2026-01-07T16:47:47.000+08:00
bug: v/81520

In `spp_find_connection_by_sdp_param` and `spp_connect_with_uuid`, the pointer `spp_conn` was dereferenced before the NULL check. This patch ensures the pointer is validated before access to avoid potential crashes.

Signed-off-by: v-yichenxi &lt;v-yichenxi@xiaomi.com&gt;
diff --git a/service/stacks/zephyr/sal_spp_interface.c b/service/stacks/zephyr/sal_spp_interface.c
@@ -219,7 +219,7 @@ static sal_spp_connection_t* spp_find_connection_by_sdp_param(struct bt_conn* co
 
         spp_conn = bt_list_node(node);
         spp_client = spp_conn->spp_client;
-        if ((spp_conn && (spp_conn->conn == conn)) && (spp_client && (&spp_client->sdp_discover == param))) {
+        if ((spp_conn->conn == conn) && (spp_client && (&spp_client->sdp_discover == param))) {
             return spp_conn;
         }
     }
@@ -771,7 +771,7 @@ static void sdp_disconnected_cb(struct bt_conn* conn, const struct bt_sdp_discov
 
 static bt_status_t spp_connect_with_uuid(sal_spp_connection_t* spp_conn, bt_uuid_t* uuid)
 {
-    sal_spp_client_t* spp_client = spp_conn->spp_client;
+    sal_spp_client_t* spp_client;
     int err;
     bt_uuid_t uuid_128;
 
@@ -780,6 +780,12 @@ static bt_status_t spp_connect_with_uuid(sal_spp_connection_t* spp_conn, bt_uuid
         return BT_STATUS_PARM_INVALID;
     }
 
+    spp_client = spp_conn->spp_client;
+    if (!spp_client) {
+        BT_LOGE("SPP client not found for conn");
+        return BT_STATUS_PARM_INVALID;
+    }
+
     sys_memcpy_swap(uuid_128.val.u128, uuid->val.u128, sizeof(uuid->val.u128));
 
     err = bt_uuid_create((struct bt_uuid*)&spp_client->uuid_128, uuid_128.val.u128, BT_UUID_SIZE_128);

Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,7 @@ static sal_spp_connection_t* spp_find_connection_by_sdp_param(struct bt_conn* co`
`219`	`219`
`220`	`220`	`spp_conn = bt_list_node(node);`
`221`	`221`	`spp_client = spp_conn->spp_client;`
`222`		`- if ((spp_conn && (spp_conn->conn == conn)) && (spp_client && (&spp_client->sdp_discover == param))) {`
	`222`	`+ if ((spp_conn->conn == conn) && (spp_client && (&spp_client->sdp_discover == param))) {`
`223`	`223`	`return spp_conn;`
`224`	`224`	`}`
`225`	`225`	`}`
`@@ -771,7 +771,7 @@ static void sdp_disconnected_cb(struct bt_conn* conn, const struct bt_sdp_discov`
`771`	`771`
`772`	`772`	`static bt_status_t spp_connect_with_uuid(sal_spp_connection_t* spp_conn, bt_uuid_t* uuid)`
`773`	`773`	`{`
`774`		`- sal_spp_client_t* spp_client = spp_conn->spp_client;`
	`774`	`+ sal_spp_client_t* spp_client;`
`775`	`775`	`int err;`
`776`	`776`	`bt_uuid_t uuid_128;`
`777`	`777`
`@@ -780,6 +780,12 @@ static bt_status_t spp_connect_with_uuid(sal_spp_connection_t* spp_conn, bt_uuid`
`780`	`780`	`return BT_STATUS_PARM_INVALID;`
`781`	`781`	`}`
`782`	`782`
	`783`	`+ spp_client = spp_conn->spp_client;`
	`784`	`+ if (!spp_client) {`
	`785`	`+ BT_LOGE("SPP client not found for conn");`
	`786`	`+ return BT_STATUS_PARM_INVALID;`
	`787`	`+ }`
	`788`	`+`
`783`	`789`	`sys_memcpy_swap(uuid_128.val.u128, uuid->val.u128, sizeof(uuid->val.u128));`
`784`	`790`
`785`	`791`	`err = bt_uuid_create((struct bt_uuid*)&spp_client->uuid_128, uuid_128.val.u128, BT_UUID_SIZE_128);`