From 9eb724a37e869f526c78f97232ddf473ee7c2a0f Mon Sep 17 00:00:00 2001
From: Jin Cheng <jinCheng@espressif.com>
Date: Sat, 11 Oct 2025 15:43:43 +0800
Subject: [PATCH] fix(bt/bluedroid): fixed p_data null dereference in
 l2c_csm_open

---
 .../bt/host/bluedroid/stack/l2cap/l2c_csm.c   | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_csm.c b/components/bt/host/bluedroid/stack/l2cap/l2c_csm.c
index 9abe72e285..fc5f5b0700 100644
--- a/components/bt/host/bluedroid/stack/l2cap/l2c_csm.c
+++ b/components/bt/host/bluedroid/stack/l2cap/l2c_csm.c
@@ -695,7 +695,7 @@ static void l2c_csm_config (tL2C_CCB *p_ccb, UINT16 event, void *p_data)
         l2cu_process_peer_cfg_rsp (p_ccb, p_cfg);
 
         if (p_cfg->result != L2CAP_CFG_PENDING) {
-            /* TBD: When config options grow beyong minimum MTU (48 bytes)
+            /* TBD: When config options grow beyond minimum MTU (48 bytes)
              *      logic needs to be added to handle responses with
              *      continuation bit set in flags field.
              *       1. Send additional config request out until C-bit is cleared in response
@@ -885,7 +885,7 @@ static void l2c_csm_open (tL2C_CCB *p_ccb, UINT16 event, void *p_data)
     tL2CAP_CFG_INFO         *p_cfg;
     tL2C_CHNL_STATE         tempstate;
     UINT8                   tempcfgdone;
-    UINT8                   cfg_result;
+    UINT8                   cfg_result = L2CAP_PEER_CFG_DISCONNECT;
 
 #if (BT_TRACE_VERBOSE == TRUE)
     L2CAP_TRACE_EVENT ("L2CAP - LCID: 0x%04x  st: OPEN  evt: %s",
@@ -931,7 +931,11 @@ static void l2c_csm_open (tL2C_CCB *p_ccb, UINT16 event, void *p_data)
 
         btu_start_timer (&p_ccb->timer_entry, BTU_TTYPE_L2CAP_CHNL, L2CAP_CHNL_CFG_TIMEOUT);
 
-        if ((cfg_result = l2cu_process_peer_cfg_req (p_ccb, p_cfg)) == L2CAP_PEER_CFG_OK) {
+        if (p_cfg) {
+            cfg_result = l2cu_process_peer_cfg_req (p_ccb, p_cfg);
+        }
+
+        if (cfg_result == L2CAP_PEER_CFG_OK) {
             (*p_ccb->p_rcb->api.pL2CA_ConfigInd_Cb)(p_ccb->local_cid, p_cfg);
         }
 
@@ -968,7 +972,7 @@ static void l2c_csm_open (tL2C_CCB *p_ccb, UINT16 event, void *p_data)
     break;
 
     case L2CEVT_L2CAP_DATA:                         /* Peer data packet rcvd    */
-        if ((p_ccb->p_rcb) && (p_ccb->p_rcb->api.pL2CA_DataInd_Cb)) {
+        if (p_data && (p_ccb->p_rcb) && (p_ccb->p_rcb->api.pL2CA_DataInd_Cb)) {
             (*p_ccb->p_rcb->api.pL2CA_DataInd_Cb)(p_ccb->local_cid, (BT_HDR *)p_data);
         }
         break;
@@ -988,16 +992,20 @@ static void l2c_csm_open (tL2C_CCB *p_ccb, UINT16 event, void *p_data)
     break;
 
     case L2CEVT_L2CA_DATA_WRITE:                    /* Upper layer data to send */
-        l2c_enqueue_peer_data (p_ccb, (BT_HDR *)p_data);
-        l2c_link_check_send_pkts (p_ccb->p_lcb, NULL, NULL);
+        if (p_data) {
+            l2c_enqueue_peer_data (p_ccb, (BT_HDR *)p_data);
+            l2c_link_check_send_pkts (p_ccb->p_lcb, NULL, NULL);
+        }
         break;
 
     case L2CEVT_L2CA_CONFIG_REQ:                   /* Upper layer config req   */
-        p_ccb->chnl_state = CST_CONFIG;
-        p_ccb->config_done &= ~CFG_DONE_MASK;
-        l2cu_process_our_cfg_req (p_ccb, (tL2CAP_CFG_INFO *)p_data);
-        l2cu_send_peer_config_req (p_ccb, (tL2CAP_CFG_INFO *)p_data);
-        btu_start_timer (&p_ccb->timer_entry, BTU_TTYPE_L2CAP_CHNL, L2CAP_CHNL_CFG_TIMEOUT);
+        if (p_data) {
+            p_ccb->chnl_state = CST_CONFIG;
+            p_ccb->config_done &= ~CFG_DONE_MASK;
+            l2cu_process_our_cfg_req (p_ccb, (tL2CAP_CFG_INFO *)p_data);
+            l2cu_send_peer_config_req (p_ccb, (tL2CAP_CFG_INFO *)p_data);
+            btu_start_timer (&p_ccb->timer_entry, BTU_TTYPE_L2CAP_CHNL, L2CAP_CHNL_CFG_TIMEOUT);
+        }
         break;
 
     case L2CEVT_TIMEOUT: