Merge branch 'bugfix/sdp_remove_record_no_evt' into 'master'

fix(bt/bluedroid): Fixed the crash caused by using illegal pointers during SDP deinit Closes BTQABR2023-201 See merge request espressif/esp-idf!29288
espressif · Apr 1, 2024 · 7915aee · 7915aee
2 parents 0c68b9b + eabd31e
commit 7915aee
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/components/bt/host/bluedroid/btc/profile/std/sdp/btc_sdp.c b/components/bt/host/bluedroid/btc/profile/std/sdp/btc_sdp.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -285,8 +285,8 @@ static int free_sdp_slot(int id)
         // Record have already been freed
         handle = -1;
     }
-    osi_free(slot);
-    slot = NULL;
+    osi_free(sdp_local_param.sdp_slots[id]);
+    sdp_local_param.sdp_slots[id] = NULL;
 
     return handle;
 }
@@ -1034,14 +1034,16 @@ static void btc_sdp_remove_record(btc_sdp_args_t *arg)
         } else {
             BTC_TRACE_ERROR("%s SDP record with handle %d not found",
                                 __func__, arg->remove_record.record_handle);
-            return;
+            ret = ESP_SDP_NO_CREATE_RECORD;
+            break;
         }
 
         /* Get the Record handle, and free the slot */
         /* The application layer record_handle is equivalent to the id of the btc layer */
         int slot = get_sdp_slot_id_by_handle(arg->remove_record.record_handle);
         if (slot < 0) {
-            return;
+            ret = ESP_SDP_NO_CREATE_RECORD;
+            break;
         }
 
         handle = free_sdp_slot(slot);