Dereference after null check

components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c

@@ -494,9 +494,14 @@ void bta_gattc_open(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data)
 {
     tBTA_GATTC_DATA gattc_data;
     BOOLEAN found_app = FALSE;
+    tGATT_TCB *p_tcb;
 
-    tGATT_TCB *p_tcb = gatt_find_tcb_by_addr(p_data->api_conn.remote_bda, BT_TRANSPORT_LE);
-    if(p_tcb && p_clcb && p_data) {
+    if (!p_clcb || !p_data) {
+        return;
+    }
+
+    p_tcb = gatt_find_tcb_by_addr(p_data->api_conn.remote_bda, BT_TRANSPORT_LE);
+    if(p_tcb) {
         found_app = gatt_find_specific_app_in_hold_link(p_tcb, p_clcb->p_rcb->client_if);
     }
     /* open/hold a connection */

components/bt/host/bluedroid/stack/btm/btm_acl.c

@@ -509,7 +509,7 @@ void btm_acl_device_down (void)
     BTM_TRACE_DEBUG ("btm_acl_device_down\n");
     for (list_node_t *p_node = list_begin(btm_cb.p_acl_db_list); p_node; p_node = list_next(p_node)) {
        p = list_node(p_node);
-       if (!p && p->in_use) {
+       if (p && p->in_use) {
            BTM_TRACE_DEBUG ("hci_handle=%d HCI_ERR_HW_FAILURE \n", p->hci_handle );
            l2c_link_hci_disc_comp (p->hci_handle, HCI_ERR_HW_FAILURE);
        }

components/bt/host/bluedroid/stack/btm/btm_ble_gap.c

@@ -1527,6 +1527,8 @@ tBTM_STATUS BTM_BleSetAdvParamsAll(UINT16 adv_int_min, UINT16 adv_int_max, UINT8
 
     if (p_dir_bda) {
         memcpy(&p_cb->direct_bda, p_dir_bda, sizeof(tBLE_BD_ADDR));
+    } else {
+        return BTM_ILLEGAL_VALUE;
     }
 
     BTM_TRACE_EVENT ("update params for an active adv\n");

components/bt/host/bluedroid/stack/btm/btm_sec.c

@@ -1527,8 +1527,8 @@ void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
         if (res == BTM_SUCCESS) {
             if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) {
                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
+                p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
             }
-            p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
         }
 
         btsnd_hcic_user_conf_reply (bd_addr, TRUE);

components/bt/host/bluedroid/stack/gatt/gatt_auth.c

@@ -140,19 +140,20 @@ void gatt_verify_signature(tGATT_TCB *p_tcb, BT_HDR *p_buf)
 *******************************************************************************/
 void gatt_sec_check_complete(BOOLEAN sec_check_ok, tGATT_CLCB   *p_clcb, UINT8 sec_act)
 {
-    if (p_clcb && p_clcb->p_tcb &&
-        fixed_queue_is_empty(p_clcb->p_tcb->pending_enc_clcb)) {
-        gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE);
-    }
+    if (p_clcb && p_clcb->p_tcb) {
+        if (fixed_queue_is_empty(p_clcb->p_tcb->pending_enc_clcb)) {
+            gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE);
+        }
 #if (GATTC_INCLUDED == TRUE)
-    if (!sec_check_ok) {
-        gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL);
-    } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) {
-        gatt_act_write(p_clcb, sec_act);
-    } else if (p_clcb->operation == GATTC_OPTYPE_READ) {
-        gatt_act_read(p_clcb, p_clcb->counter);
-    }
+        if (!sec_check_ok) {
+            gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL);
+        } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) {
+            gatt_act_write(p_clcb, sec_act);
+        } else if (p_clcb->operation == GATTC_OPTYPE_READ) {
+            gatt_act_read(p_clcb, p_clcb->counter);
+        }
 #endif  ///GATTC_INCLUDED == TRUE
+    }
 }
 /*******************************************************************************
 **

components/bt/host/bluedroid/stack/l2cap/l2c_main.c

@@ -970,8 +970,8 @@ void l2c_process_timeout (TIMER_LIST_ENT *p_tle)
         if (p_lcb){
             p_lcb->conn_update_mask &= ~L2C_BLE_UPDATE_PENDING;
             p_lcb->conn_update_mask &= ~L2C_BLE_UPDATE_PARAM_FULL;
+            l2c_send_update_conn_params_cb(p_lcb, status);
         }
-        l2c_send_update_conn_params_cb(p_lcb, status);
 #endif  ///BLE_INCLUDED == TRUE
         break;
     }