Merge branch 'bugfix/fix_call_spp_start_discovert_twice_crash_v5.5' into 'release/v5.5'

fix(bt): fix crash when calling esp_spp_start_discovery twice in succession(v5.5)

See merge request espressif/esp-idf!46665

components/bt/host/bluedroid/bta/jv/bta_jv_act.c

@@ -1002,13 +1002,14 @@ static void bta_jv_start_discovery_cback(UINT16 result, void *user_data)
 *******************************************************************************/
 void bta_jv_start_discovery(tBTA_JV_MSG *p_data)
 {
-    tBTA_JV_STATUS status = BTA_JV_FAILURE;
+    tBTA_JV_DISCOVERY_COMP disc_comp = {0};
+
     APPL_TRACE_DEBUG("bta_jv_start_discovery in, sdp_active:%d", bta_jv_cb.sdp_active);
     if (bta_jv_cb.sdp_active != BTA_JV_SDP_ACT_NONE) {
-        /* SDP is still in progress */
-        status = BTA_JV_BUSY;
+        /* SDP is still in progress: report BUSY with a full tBTA_JV so BTC can copy safely */
+        disc_comp.status = BTA_JV_BUSY;
         if (bta_jv_cb.p_dm_cback) {
-            bta_jv_cb.p_dm_cback(BTA_JV_DISCOVERY_COMP_EVT, (tBTA_JV *)&status, p_data->start_discovery.user_data);
+            bta_jv_cb.p_dm_cback(BTA_JV_DISCOVERY_COMP_EVT, (tBTA_JV *)&disc_comp, p_data->start_discovery.user_data);
         }
         return;
     }
@@ -1031,9 +1032,10 @@ void bta_jv_start_discovery(tBTA_JV_MSG *p_data)
                                             p_bta_jv_cfg->p_sdp_db,
                                             bta_jv_start_discovery_cback, p_data->start_discovery.user_data)) {
         bta_jv_cb.sdp_active = BTA_JV_SDP_ACT_NONE;
-        /* failed to start SDP. report the failure right away */
+        /* failed to start SDP: report failure with a full tBTA_JV so BTC can copy safely */
+        disc_comp.status = BTA_JV_FAILURE;
         if (bta_jv_cb.p_dm_cback) {
-            bta_jv_cb.p_dm_cback(BTA_JV_DISCOVERY_COMP_EVT, (tBTA_JV *)&status, p_data->start_discovery.user_data);
+            bta_jv_cb.p_dm_cback(BTA_JV_DISCOVERY_COMP_EVT, (tBTA_JV *)&disc_comp, p_data->start_discovery.user_data);
         }
     }
     /*

components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c

@@ -1041,7 +1041,7 @@ void btc_spp_call_handler(btc_msg_t *msg)
 
 void btc_spp_cb_handler(btc_msg_t *msg)
 {
-    esp_spp_cb_param_t param;
+    esp_spp_cb_param_t param = {0};
     tBTA_JV *p_data = (tBTA_JV *)msg->arg;
     spp_slot_t *slot = NULL;
     uint8_t serial = 0;
@@ -1054,10 +1054,12 @@ void btc_spp_cb_handler(btc_msg_t *msg)
         break;
     case BTA_JV_DISCOVERY_COMP_EVT:
         param.disc_comp.status = p_data->disc_comp.status;
-        param.disc_comp.scn_num = p_data->disc_comp.scn_num;
-        memcpy(param.disc_comp.scn, p_data->disc_comp.scn, p_data->disc_comp.scn_num);
-        memcpy(param.disc_comp.service_name, p_data->disc_comp.service_name,
-               p_data->disc_comp.scn_num * sizeof(const char *));
+        if (param.disc_comp.status == BTA_JV_SUCCESS) {
+            param.disc_comp.scn_num = p_data->disc_comp.scn_num;
+            memcpy(param.disc_comp.scn, p_data->disc_comp.scn, p_data->disc_comp.scn_num);
+            memcpy(param.disc_comp.service_name, p_data->disc_comp.service_name,
+                p_data->disc_comp.scn_num * sizeof(const char *));
+        }
         btc_spp_cb_to_app(ESP_SPP_DISCOVERY_COMP_EVT, &param);
         break;
     case BTA_JV_RFCOMM_CL_INIT_EVT: