From 7341d36362731df34fd8a5ba8e75d8bf17e48675 Mon Sep 17 00:00:00 2001 From: Pavel Vasilyev Date: Mon, 7 Oct 2024 14:19:05 +0200 Subject: [PATCH] [nrf fromtree] bluetooth: host: l2cap: Check conn state before queueing PDU In case of UATT, if a connection was lost while user was holding a read or write attribute callback, `bt_l2cap_send_pdu` (called from `att.c::chan_send`) will anyway queue a PDU and trigger tx work. The PDU won't be sent eventually, but neither will hold an error code, which will allow it to bypass the error check in `att_on_sent_cb` and call `att_sent` function. For EATT `bt_l2cap_chan_send` is used which already handles this case and the error code is passed to `att_on_sent_cb`. This change adds connection state check to `bt_l2cap_send_pdu` preventing from unnecessary code execution when connection does not exist anymore. Signed-off-by: Pavel Vasilyev (cherry picked from commit 74972e694b4916fa2b2d3d457155c1e3f3e24e79) --- subsys/bluetooth/host/l2cap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c index b6ca2f3ea00..3b5cfe82864 100644 --- a/subsys/bluetooth/host/l2cap.c +++ b/subsys/bluetooth/host/l2cap.c @@ -717,6 +717,10 @@ static void cancel_data_ready(struct bt_l2cap_le_chan *le_chan) int bt_l2cap_send_pdu(struct bt_l2cap_le_chan *le_chan, struct net_buf *pdu, bt_conn_tx_cb_t cb, void *user_data) { + if (!le_chan->chan.conn || le_chan->chan.conn->state != BT_CONN_CONNECTED) { + return -ENOTCONN; + } + if (pdu->ref != 1) { /* The host may alter the buf contents when fragmenting. Higher * layers cannot expect the buf contents to stay intact. Extra
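Review bot: the new early return in `bt_l2cap_send_pdu` hands back `-ENOTCONN` without releasing or consuming `pdu`, so buffer ownership stays with the caller on this path while the existing code below it (from `if (pdu->ref != 1)` onward) takes the buffer; the commit message only names `att.c::chan_send` as a caller, so please confirm every caller unrefs the PDU on a negative return and document that contract in the function's comment. Also worth a one-line comment above the check: it only covers a connection that is already gone at queue time, so a disconnect that lands between this check and the TX work still yields the "queued but never sent, no error delivered" case the message describes, and readers should not mistake this for a complete fix of that race. Minor style point: `!le_chan->chan.conn` and the `state != BT_CONN_CONNECTED` comparison could be factored into a small helper if the same test exists elsewhere in the file, to keep the semantics of "usable connection" in one place.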