
Commit 55c0f00

lylezhu2012kartben
authored andcommitted
Bluetooth: Classic: SDP: Avoid invalid session->param be accessed
The `session->param` should be kept up to date whether or not the function `sdp_client_ssa_search()`, `sdp_client_sa_search()` or `sdp_client_ss_search()` executes successfully. Update `session->param` to the new `param` when the function is executed. Fixes #91156 Signed-off-by: Lyle Zhu <[email protected]>
1 parent 3728a80 commit 55c0f00


1 file changed

+9
-6
lines changed

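--- a/subsys/bluetooth/host/classic/sdp.c
+++ b/subsys/bluetooth/host/classic/sdp.c
@@ -1485,6 +1485,9 @@ static int sdp_client_ss_search(struct bt_sdp_client *session,
 {
 struct net_buf *buf;
 
+/* Update context param directly. */
+session->param = param;
+
 buf = bt_sdp_create_pdu();
 
 /* BT_SDP_SEQ8 means length of sequence is on additional next byte */
@@ -1530,8 +1533,6 @@ static int sdp_client_ss_search(struct bt_sdp_client *session,
 net_buf_add_mem(buf, session->cstate.data, session->cstate.length);
 }
 
-/* Update context param to the one being resolving now */
-session->param = param;
 session->tid++;
 
 return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_SEARCH_REQ, session->tid);
@@ -1543,6 +1544,9 @@ static int sdp_client_sa_search(struct bt_sdp_client *session,
 {
 struct net_buf *buf;
 
+/* Update context param directly. */
+session->param = param;
+
 buf = bt_sdp_create_pdu();
 
 /* Add service record handle */
@@ -1575,8 +1579,6 @@ static int sdp_client_sa_search(struct bt_sdp_client *session,
 net_buf_add_mem(buf, session->cstate.data, session->cstate.length);
 }
 
-/* Update context param to the one being resolving now */
-session->param = param;
 session->tid++;
 
 return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_ATTR_REQ, session->tid);
@@ -1588,6 +1590,9 @@ static int sdp_client_ssa_search(struct bt_sdp_client *session,
 {
 struct net_buf *buf;
 
+/* Update context param directly. */
+session->param = param;
+
 buf = bt_sdp_create_pdu();
 
 /* BT_SDP_SEQ8 means length of sequence is on additional next byte */
@@ -1646,8 +1651,6 @@ static int sdp_client_ssa_search(struct bt_sdp_client *session,
 session->cstate.length);
 }
 
-/* Update context param to the one being resolving now */
-session->param = param;
 session->tid++;
 
 return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_SEARCH_ATTR_REQ,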
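Review bot: The added comment `/* Update context param directly. */` at the top of sdp_client_ss_search() (repeated in sdp_client_sa_search() and sdp_client_ssa_search()) says what the line does but not why it has to run before the PDU is built. Going by the commit message, the intent is that session->param must already refer to the current request if the function fails part-way, so that later code never reads a param left over from an earlier request; I would say so, e.g. `/* Set first: session->param must refer to this request even if an error path below returns early. */`. Since the pointer is now stored before anything else can fail, it is also worth confirming that callers keep `param` alive (or clear session->param) when these functions return an error. The bodies between the paired hunks are not shown, so the early-return paths themselves cannot be checked here.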
