From 55c0f00f23dd3f4b15016860d47c7118c6a5f55f Mon Sep 17 00:00:00 2001
From: Lyle Zhu
Date: Fri, 6 Jun 2025 08:50:19 +0800
Subject: [PATCH] Bluetooth: Classic: SDP: Avoid invalid `session->param` be accessed

The `session->param` should be updated to date whatever the function `sdp_client_ssa_search()`, `sdp_client_sa_search()` or `sdp_client_ss_search()` can be executed properly. Update the `session->param` to the new `param` when executing the function.

Fixes #91156

Signed-off-by: Lyle Zhu
---
 subsys/bluetooth/host/classic/sdp.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/subsys/bluetooth/host/classic/sdp.c b/subsys/bluetooth/host/classic/sdp.c
index 6d6b983f694..0978a1714d7 100644
--- a/subsys/bluetooth/host/classic/sdp.c
+++ b/subsys/bluetooth/host/classic/sdp.c
@@ -1485,6 +1485,9 @@ static int sdp_client_ss_search(struct bt_sdp_client *session,
 {
 struct net_buf *buf;
 
+ /* Update context param directly. */
+ session->param = param;
+
 buf = bt_sdp_create_pdu();
 
 /* BT_SDP_SEQ8 means length of sequence is on additional next byte */
@@ -1530,8 +1533,6 @@ static int sdp_client_ss_search(struct bt_sdp_client *session,
 net_buf_add_mem(buf, session->cstate.data, session->cstate.length);
 }
 
- /* Update context param to the one being resolving now */
- session->param = param;
 session->tid++;
 
 return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_SEARCH_REQ, session->tid);
@@ -1543,6 +1544,9 @@ static int sdp_client_sa_search(struct bt_sdp_client *session,
 {
 struct net_buf *buf;
 
+ /* Update context param directly. */
+ session->param = param;
+
 buf = bt_sdp_create_pdu();
 
 /* Add service record handle */
@@ -1575,8 +1579,6 @@ static int sdp_client_sa_search(struct bt_sdp_client *session,
 net_buf_add_mem(buf, session->cstate.data, session->cstate.length);
 }
 
- /* Update context param to the one being resolving now */
- session->param = param;
 session->tid++;
 
 return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_ATTR_REQ, session->tid);
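Review bot: The new comment `/* Update context param directly. */` at the top of sdp_client_ss_search() does not say why the store was moved ahead of bt_sdp_create_pdu(), which is the whole point of the fix; a maintainer reordering the prologue later has nothing to stop them. I would replace it with a why-comment such as `/* Point the session at the new request before building the PDU: if bt_sdp_create_pdu() blocks or the RX path runs meanwhile, nothing must observe the previous (possibly already freed) param. */`, hedged as appropriate since whether bt_sdp_create_pdu() can block is not visible in this hunk. The same wording should go on the identical lines added to sdp_client_sa_search() and sdp_client_ssa_search(). Both function bodies continue outside the hunks shown.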
@@ -1588,6 +1590,9 @@ static int sdp_client_ssa_search(struct bt_sdp_client *session,
 {
 struct net_buf *buf;
 
+ /* Update context param directly. */
+ session->param = param;
+
 buf = bt_sdp_create_pdu();
 
 /* BT_SDP_SEQ8 means length of sequence is on additional next byte */
@@ -1646,8 +1651,6 @@ static int sdp_client_ssa_search(struct bt_sdp_client *session,
 session->cstate.length);
 }
 
- /* Update context param to the one being resolving now */
- session->param = param;
 session->tid++;
 
 return bt_sdp_send(&session->chan.chan, buf, BT_SDP_SVC_SEARCH_ATTR_REQ,
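Review bot: With `session->param = param;` now stored unconditionally at entry of sdp_client_ssa_search(), a failing bt_sdp_send() at the end of the function leaves the session pointing at a request the caller may then discard, which would reintroduce on the error path exactly the stale pointer this patch removes from the build window; the caller is outside the hunk, so I cannot confirm whether it keeps `param` alive or resets `session->param` on error, but one of the two should be guaranteed and stated in a comment, e.g. `/* On send failure the caller must either keep param alive or clear session->param. */`. Separately, the same three-line prologue is now copied into all three search functions; if a single dispatcher selects among them, hoisting the store there would keep the invariant in one place for any future variant. The function body continues past the end of both hunks.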