bluetooth: host: l2cap: Check conn state before queueing PDU

In case of UATT, if a connection was lost while user was holding a read or write attribute callback, `bt_l2cap_send_pdu` (called from `att.c::chan_send`) will anyway queue a PDU and trigger tx work. The PDU won't be sent eventually, but neither will hold an error code, which will allow it to bypass the error check in `att_on_sent_cb` and call `att_sent` function. For EATT `bt_l2cap_chan_send` is used which already handles this case and the error code is passed to `att_on_sent_cb`. This change adds connection state check to `bt_l2cap_send_pdu` preventing from unnecessary code execution when connection does not exist anymore. Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
zephyrproject-rtos · Oct 8, 2024 · 64034af · 64034af
1 parent 09f6068
commit 64034af
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/subsys/bluetooth/host/l2cap.c b/subsys/bluetooth/host/l2cap.c
@@ -717,6 +717,10 @@ static void cancel_data_ready(struct bt_l2cap_le_chan *le_chan)
 int bt_l2cap_send_pdu(struct bt_l2cap_le_chan *le_chan, struct net_buf *pdu,
 		      bt_conn_tx_cb_t cb, void *user_data)
 {
+	if (!le_chan->chan.conn || le_chan->chan.conn->state != BT_CONN_CONNECTED) {
+		return -ENOTCONN;
+	}
+
 	if (pdu->ref != 1) {
 		/* The host may alter the buf contents when fragmenting. Higher
 		 * layers cannot expect the buf contents to stay intact. Extra