From b6b3b81bf698dd7f85303de0cdcdb2d050e6efd2 Mon Sep 17 00:00:00 2001
From: zhanghaipeng
Date: Thu, 27 Nov 2025 18:04:54 +0800
Subject: [PATCH] fix(ble/bluedroid): Fix memory leak in ble_spp_server example
---
 .../ble_spp_server/main/ble_spp_server_demo.c | 25 +++++++++++--------
 .../ble_spp_server/main/ble_spp_server_demo.h | 1 -
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.c b/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.c
index 4532235abe..ebbe1d52a2 100644
--- a/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.c
+++ b/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.c
@@ -277,20 +277,25 @@ static bool store_wr_buffer(esp_ble_gatts_cb_param_t *p_data)
 ESP_LOGI(GATTS_TABLE_TAG, "malloc error %s %d", __func__, __LINE__);
 return false;
 }
+
+ temp_spp_recv_data_node_p1->len = p_data->write.len;
+ temp_spp_recv_data_node_p1->next_node = NULL;
+ temp_spp_recv_data_node_p1->node_buff = (uint8_t *)malloc(p_data->write.len);
+ if (temp_spp_recv_data_node_p1->node_buff == NULL) {
+ ESP_LOGI(GATTS_TABLE_TAG, "malloc error %s %d\n", __func__, __LINE__);
+ // Security fix: Free the node and return false to prevent memory leak
+ free(temp_spp_recv_data_node_p1);
+ temp_spp_recv_data_node_p1 = NULL;
+ return false;
+ }
+ memcpy(temp_spp_recv_data_node_p1->node_buff, p_data->write.value, p_data->write.len);
+
+ // Security fix: Link to list only after successful allocation
 if(temp_spp_recv_data_node_p2 != NULL){
 temp_spp_recv_data_node_p2->next_node = temp_spp_recv_data_node_p1;
 }
- temp_spp_recv_data_node_p1->len = p_data->write.len;
- SppRecvDataBuff.buff_size += p_data->write.len;
- temp_spp_recv_data_node_p1->next_node = NULL;
- temp_spp_recv_data_node_p1->node_buff = (uint8_t *)malloc(p_data->write.len);
 temp_spp_recv_data_node_p2 = temp_spp_recv_data_node_p1;
- if (temp_spp_recv_data_node_p1->node_buff == NULL) {
- ESP_LOGI(GATTS_TABLE_TAG, "malloc error %s %d\n", __func__, __LINE__);
- temp_spp_recv_data_node_p1->len = 0;
- } else {
- memcpy(temp_spp_recv_data_node_p1->node_buff,p_data->write.value,p_data->write.len);
- }
+ SppRecvDataBuff.buff_size += p_data->write.len;
 if(SppRecvDataBuff.node_num == 0){
 SppRecvDataBuff.first_node = temp_spp_recv_data_node_p1;
diff --git a/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.h b/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.h
index 9ca8065889..91829ea5df 100644
--- a/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.h
+++ b/examples/bluetooth/bluedroid/ble/ble_spp_server/main/ble_spp_server_demo.h
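Review bot: Nothing visible in this hunk bounds how much peer-supplied data is queued: every call allocates `p_data->write.len` bytes and adds that length to `SppRecvDataBuff.buff_size`, so with the leak fixed a remote client that keeps writing can still exhaust the heap. The function starts above the hunk and continues below it, so a cap may exist out of view; if it does not, I would reject the write before the first allocation with something like `if (SppRecvDataBuff.buff_size + p_data->write.len > SPP_DATA_MAX_LEN) return false;`, assuming `SPP_DATA_MAX_LEN` from the header is the intended ceiling. Separately, `malloc(0)` is allowed to return NULL, so a zero-length write now takes the "malloc error" path and returns false where the old code kept the node with `len = 0`; that change should be deliberate. The failure log would also read better as `ESP_LOGE` without the trailing `\n`, matching the first message in the function.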
@@ -16,7 +16,6 @@
 //#define SUPPORT_HEARTBEAT
 //#define SPP_DEBUG_MODE
-#define spp_sprintf(s,...) sprintf((char*)(s), ##__VA_ARGS__)
 #define SPP_DATA_MAX_LEN (512)
 #define SPP_CMD_MAX_LEN (20)
 #define SPP_STATUS_MAX_LEN (20)