michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: Classic: SDP: Avoid invalid session->param be accessed

Browse source 
The `session->param` should be updated to date whatever the function
`sdp_client_ssa_search()`, `sdp_client_sa_search()` or
`sdp_client_ss_search()` can be executed properly.

Update the `session->param` to the new `param` when executing the
function.

Fixes #91156

Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
This commit is contained in:
Lyle Zhu 2025-06-06 08:50:19 +08:00 committed by Benjamin Cabé
commit 55c0f00f23
1 changed files with 9 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

15
subsys/bluetooth/host/classic/sdp.c
View file

@ -1485,6 +1485,9 @@ static int sdp_client_ss_search(struct bt_sdp_client *session,
{
struct net_buf *buf;
/* Update context param directly. */
session->param = param;
buf = bt_sdp_create_pdu();
/* BT_SDP_SEQ8 means length of sequence is on additional next byte */
@ -1530,8 +1533,6 @@ static int sdp_client_ss_search(struct bt_sdp_client *session,
net_buf_add_mem(buf, session->cstate.data, session->cstate.length);
}
/* Update context param to the one being resolving now */
session->param = param;
session->tid++;
return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_SEARCH_REQ, session->tid);
@ -1543,6 +1544,9 @@ static int sdp_client_sa_search(struct bt_sdp_client *session,
{
struct net_buf *buf;
/* Update context param directly. */
session->param = param;
buf = bt_sdp_create_pdu();
/* Add service record handle */
@ -1575,8 +1579,6 @@ static int sdp_client_sa_search(struct bt_sdp_client *session,
net_buf_add_mem(buf, session->cstate.data, session->cstate.length);
}
/* Update context param to the one being resolving now */
session->param = param;
session->tid++;
return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_ATTR_REQ, session->tid);
@ -1588,6 +1590,9 @@ static int sdp_client_ssa_search(struct bt_sdp_client *session,
{
struct net_buf *buf;
/* Update context param directly. */
session->param = param;
buf = bt_sdp_create_pdu();
/* BT_SDP_SEQ8 means length of sequence is on additional next byte */
@ -1646,8 +1651,6 @@ static int sdp_client_ssa_search(struct bt_sdp_client *session,
session->cstate.length);
}
/* Update context param to the one being resolving now */
session->param = param;
session->tid++;
return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_SEARCH_ATTR_REQ,