Bluetooth: Classic: RFCOMM: Fix NULL pointer access issue

lylezhu2012 · cfriedt · commit 27c245a44df9 · 2025-11-07T06:50:42.000-05:00
When received the DLC disconnect request, after prime the DLC disconnect response, the DLC will be cleared and the `dlc->session` is cleared. If the no DLC is linked in current session, the idle timer of the session will be scheduled. In current implementation, the `dlc->session` is used to get the session pointer, but it is invalid in this time. And the unexpected fault occurs. Fix the issue by getting the session pointer from parameter of the function `rfcomm_handle_disc()` instead of `dlc->session`. Fix issue #99035. Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
diff --git a/subsys/bluetooth/host/classic/rfcomm.c b/subsys/bluetooth/host/classic/rfcomm.c
@@ -1375,8 +1375,7 @@ static void rfcomm_handle_disc(struct bt_rfcomm_session *session, uint8_t dlci)
 
 		if (!session->dlcs) {
 			/* Start a session idle timer */
-			k_work_reschedule(&dlc->session->rtx_work,
-					  RFCOMM_IDLE_TIMEOUT);
+			k_work_reschedule(&session->rtx_work, RFCOMM_IDLE_TIMEOUT);
 		}
 	} else {
 		/* Cancel idle timer */

Original file line number	Diff line number	Diff line change
`@@ -1375,8 +1375,7 @@ static void rfcomm_handle_disc(struct bt_rfcomm_session *session, uint8_t dlci)`
`1375`	`1375`
`1376`	`1376`	`if (!session->dlcs) {`
`1377`	`1377`	`/* Start a session idle timer */`
`1378`		`- k_work_reschedule(&dlc->session->rtx_work,`
`1379`		`- RFCOMM_IDLE_TIMEOUT);`
	`1378`	`+ k_work_reschedule(&session->rtx_work, RFCOMM_IDLE_TIMEOUT);`
`1380`	`1379`	`}`
`1381`	`1380`	`} else {`
`1382`	`1381`	`/* Cancel idle timer */`