fix(ble/bluedroid): Fix memory leak in ble_spp_server example

2026-04-27 19:13:21 +00:00 · 2025-11-27 18:04:54 +08:00
parent e26b60090d
commit b6b3b81bf6
2 changed files with 15 additions and 11 deletions
@@ -277,20 +277,25 @@ static bool store_wr_buffer(esp_ble_gatts_cb_param_t *p_data)
        ESP_LOGI(GATTS_TABLE_TAG, "malloc error %s %d", __func__, __LINE__);
        return false;
    }
+
+    temp_spp_recv_data_node_p1->len = p_data->write.len;
+    temp_spp_recv_data_node_p1->next_node = NULL;
+    temp_spp_recv_data_node_p1->node_buff = (uint8_t *)malloc(p_data->write.len);
+    if (temp_spp_recv_data_node_p1->node_buff == NULL) {
+        ESP_LOGI(GATTS_TABLE_TAG, "malloc error %s %d\n", __func__, __LINE__);
+        // Security fix: Free the node and return false to prevent memory leak
+        free(temp_spp_recv_data_node_p1);
+        temp_spp_recv_data_node_p1 = NULL;
+        return false;
+    }
+    memcpy(temp_spp_recv_data_node_p1->node_buff, p_data->write.value, p_data->write.len);
+
+    // Security fix: Link to list only after successful allocation
    if(temp_spp_recv_data_node_p2 != NULL){
        temp_spp_recv_data_node_p2->next_node = temp_spp_recv_data_node_p1;
    }
-    temp_spp_recv_data_node_p1->len = p_data->write.len;
-    SppRecvDataBuff.buff_size += p_data->write.len;
-    temp_spp_recv_data_node_p1->next_node = NULL;
-    temp_spp_recv_data_node_p1->node_buff = (uint8_t *)malloc(p_data->write.len);
    temp_spp_recv_data_node_p2 = temp_spp_recv_data_node_p1;
-    if (temp_spp_recv_data_node_p1->node_buff == NULL) {
-        ESP_LOGI(GATTS_TABLE_TAG, "malloc error %s %d\n", __func__, __LINE__);
-        temp_spp_recv_data_node_p1->len = 0;
-    } else {
-        memcpy(temp_spp_recv_data_node_p1->node_buff,p_data->write.value,p_data->write.len);
-    }
+    SppRecvDataBuff.buff_size += p_data->write.len;

    if(SppRecvDataBuff.node_num == 0){
        SppRecvDataBuff.first_node = temp_spp_recv_data_node_p1;
@@ -16,7 +16,6 @@
 //#define SUPPORT_HEARTBEAT
 //#define SPP_DEBUG_MODE

-#define spp_sprintf(s,...)         sprintf((char*)(s), ##__VA_ARGS__)
 #define SPP_DATA_MAX_LEN           (512)
 #define SPP_CMD_MAX_LEN            (20)
 #define SPP_STATUS_MAX_LEN         (20)