
Dereference before null check

xiongweichao 4 years ago
parent
commit
101ad32110

+ 1 - 1
components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c

@@ -758,7 +758,7 @@ void BTA_GATTC_PrepareWriteCharDescr  (UINT16 conn_id, UINT16 handle,
                                        tBTA_GATT_AUTH_REQ auth_req)
 {
     tBTA_GATTC_API_WRITE  *p_buf;
-    UINT16  len = sizeof(tBTA_GATTC_API_WRITE) + p_data->len;
+    UINT16  len = sizeof(tBTA_GATTC_API_WRITE);
 
     if (p_data != NULL) {
         len += p_data->len;
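Review bot: `len` is a UINT16, so the `len += p_data->len;` on the last line of the hunk wraps silently when the sum exceeds 65535, and a wrapped value would undersize whatever buffer this length is later used to allocate (the allocation is outside the hunk, so that part is inferred). A range check inside the existing `if (p_data != NULL)` block, `if (p_data->len > 0xFFFF - len) { return; }`, before the addition would keep `len` honest; an error trace in the file's usual style would make the rejection visible. BTA_GATTC_PrepareWriteCharDescr's body continues past the end of the hunk.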

+ 6 - 14
components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c

@@ -1,16 +1,8 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+ * SPDX-FileCopyrightText: 2017-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 
 #include <string.h>
 
@@ -121,7 +113,7 @@ static void btc_gattc_copy_req_data(btc_msg_t *msg, void *p_dest, void *p_src)
     tBTA_GATTC *p_dest_data = (tBTA_GATTC *) p_dest;
     tBTA_GATTC *p_src_data = (tBTA_GATTC *) p_src;
 
-    if (!p_src_data || !p_dest_data) {
+    if (!p_src_data || !p_dest_data || !msg) {
         return;
     }
 

+ 2 - 1
components/bt/host/bluedroid/hci/hci_hal_h4.c

@@ -229,11 +229,12 @@ static void hci_hal_h4_hdl_rx_packet(BT_HDR *packet)
 {
     uint8_t type, hdr_size;
     uint16_t length;
-    uint8_t *stream = packet->data + packet->offset;
+    uint8_t *stream = NULL;
 
     if (!packet) {
         return;
     }
+    stream = packet->data + packet->offset;
 
 #if (C2H_FLOW_CONTROL_INCLUDED == TRUE)
     hci_packet_complete(packet);
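Review bot: The fix introduces a `uint8_t *stream = NULL;` placeholder that is live but invalid until the assignment after the guard; declaring at first use, `uint8_t *stream = packet->data + packet->offset;` placed directly after the `if (!packet)` block, removes the NULL state and the second assignment. The neighbouring declarations (`type`, `hdr_size`, `length`) sit at the top of the function in C89 style, so keeping the declaration there may be a deliberate match of local convention; either way the null-check ordering is now correct. hci_hal_h4_hdl_rx_packet's body continues past the end of the hunk.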

+ 6 - 5
components/bt/host/bluedroid/stack/btm/btm_ble.c

@@ -867,6 +867,7 @@ BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr)
 tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length)
 {
     tACL_CONN *p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
+
     BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __FUNCTION__, tx_pdu_length);
 
     if (!controller_get_interface()->supports_ble_packet_extension()) {
@@ -874,12 +875,12 @@ tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length)
         return BTM_CONTROL_LE_DATA_LEN_UNSUPPORTED;
     }
 
-    if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) {
-        BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__);
-        return BTM_PEER_LE_DATA_LEN_UNSUPPORTED;
-    }
-
     if (p_acl != NULL) {
+        if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) {
+            BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__);
+            return BTM_PEER_LE_DATA_LEN_UNSUPPORTED;
+        }
+
         if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX) {
             tx_pdu_length =  BTM_BLE_DATA_SIZE_MAX;
         } else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN) {
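Review bot: Moving the peer-feature check inside `if (p_acl != NULL)` means a NULL `p_acl` now skips both that check and the length clamping, and the hunk ends inside that block, so what BTM_SetBleDataLength returns for an unknown address is not visible here; if the tail of the function returns a success status, callers would believe a length update was issued for a connection that does not exist. A guard clause after the controller-support check would make the contract explicit: `if (p_acl == NULL) { BTM_TRACE_ERROR("%s: no LE ACL for address", __FUNCTION__); return BTM_UNKNOWN_ADDR; }` (using whichever tBTM_STATUS value this module reports for a missing ACL). The first hunk in this file is whitespace only.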

+ 4 - 4
components/bt/host/bluedroid/stack/gatt/gatt_api.c

@@ -814,15 +814,15 @@ tGATT_STATUS GATTC_ConfigureMTU (UINT16 conn_id)
 
     GATT_TRACE_API ("GATTC_ConfigureMTU conn_id=%d mtu=%d", conn_id, mtu );
 
+    if ( (p_tcb == NULL) || (p_reg == NULL) || (mtu < GATT_DEF_BLE_MTU_SIZE) || (mtu > GATT_MAX_MTU_SIZE)) {
+        return GATT_ILLEGAL_PARAMETER;
+    }
+
     /* Validate that the link is BLE, not BR/EDR */
     if (p_tcb->transport != BT_TRANSPORT_LE) {
         return GATT_ERROR;
     }
 
-    if ( (p_tcb == NULL) || (p_reg == NULL) || (mtu < GATT_DEF_BLE_MTU_SIZE) || (mtu > GATT_MAX_MTU_SIZE)) {
-        return GATT_ILLEGAL_PARAMETER;
-    }
-
     if (gatt_is_clcb_allocated(conn_id)) {
         GATT_TRACE_ERROR("GATTC_ConfigureMTU GATT_BUSY conn_id = %d", conn_id);
         return GATT_BUSY;
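Review bot: The relocated check in GATTC_ConfigureMTU folds four unrelated conditions into one `GATT_ILLEGAL_PARAMETER` return, so a caller cannot tell "no connection for conn_id" from "mtu out of range", and there is no trace for either. Splitting it into `if (p_tcb == NULL || p_reg == NULL) { return GATT_ILLEGAL_PARAMETER; }` followed by `if (mtu < GATT_DEF_BLE_MTU_SIZE || mtu > GATT_MAX_MTU_SIZE) { GATT_TRACE_ERROR("GATTC_ConfigureMTU bad mtu %d", mtu); return GATT_ILLEGAL_PARAMETER; }` keeps the corrected ordering while making the failure reason visible in the log. The moved ordering itself is right: the `p_tcb->transport` dereference on the following lines is now guarded. The prologue that sets `p_tcb`, `p_reg` and `mtu` is outside the hunk.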

+ 7 - 6
components/bt/host/bluedroid/stack/l2cap/l2c_ble.c

@@ -1206,6 +1206,8 @@ void l2cble_update_data_length(tL2C_LCB *p_lcb)
 void l2cble_process_data_length_change_event(UINT16 handle, UINT16 tx_data_len, UINT16 rx_data_len)
 {
     tL2C_LCB *p_lcb = l2cu_find_lcb_by_handle(handle);
+    tACL_CONN *p_acl = btm_handle_to_acl(handle);
+    tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS data_length_params;
 
     L2CAP_TRACE_DEBUG("%s TX data len = %d", __FUNCTION__, tx_data_len);
     if (p_lcb == NULL) {
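Review bot: The new `tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS data_length_params;` declaration has no initializer, and the second hunk assigns only `rx_len` and `tx_len` before copying the whole struct into `p_acl->data_length_params` and passing its address to the callback; if the type has any member beyond those two, indeterminate bytes are propagated. `tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS data_length_params = {0};` at the declaration closes that gap at no cost, and is harmless if the struct is exactly those two fields. The `btm_handle_to_acl` lookup now also runs before the `p_lcb == NULL` early exit, which is a wasted lookup on that path but not a correctness issue. The function's body continues past the end of the second hunk.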
@@ -1216,16 +1218,15 @@ void l2cble_process_data_length_change_event(UINT16 handle, UINT16 tx_data_len,
         p_lcb->tx_data_len = tx_data_len;
     }
 
-    tACL_CONN *p_acl = btm_handle_to_acl(handle);
-    tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS data_length_params;
     data_length_params.rx_len = rx_data_len;
     data_length_params.tx_len = tx_data_len;
-    p_acl->data_length_params = data_length_params;
-    if (p_acl != NULL && p_acl->p_set_pkt_data_cback){
-       (*p_acl->p_set_pkt_data_cback)(BTM_SUCCESS, &data_length_params);
-    }
 
     if(p_acl) {
+        p_acl->data_length_params = data_length_params;
+        if (p_acl->p_set_pkt_data_cback) {
+            (*p_acl->p_set_pkt_data_cback)(BTM_SUCCESS, &data_length_params);
+        }
+
         p_acl->data_len_updating = false;
         if(p_acl->data_len_waiting) {
             p_acl->data_len_waiting = false;

+ 0 - 1
tools/ci/check_copyright_ignore.txt

@@ -275,7 +275,6 @@ components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c
 components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_bt.c
 components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatt_common.c
 components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatt_util.c
-components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c
 components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatts.c
 components/bt/host/bluedroid/btc/profile/std/hf_ag/bta_ag_co.c
 components/bt/host/bluedroid/btc/profile/std/hf_ag/btc_hf_ag.c