Bluetooth: gatt: Fix notification cleanup on disconnection

This fixes GATT notification buffer missing cleanup on ACL disconnection. Fixes potential NULL pointer dereference trying to use invalid conn object in `notify_mult_process` work queue task handler and/or missing free of pending notification buffer. Signed-off-by: Mariusz Skamra <[email protected]>
ryangenz · Nov 5, 2022 · 7a65812 · 7a65812
1 parent e42d9d8
commit 7a65812
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/subsys/bluetooth/host/gatt.c b/subsys/bluetooth/host/gatt.c
@@ -2157,6 +2157,16 @@ static int gatt_notify_flush(struct bt_conn *conn)
 	return err;
 }
 
+static void cleanup_notify(struct bt_conn *conn)
+{
+	struct net_buf **buf = &nfy_mult[bt_conn_index(conn)];
+
+	if (*buf) {
+		net_buf_unref(*buf);
+		*buf = NULL;
+	}
+}
+
 static void gatt_add_nfy_to_buf(struct net_buf *buf,
 				uint16_t handle,
 				struct bt_gatt_notify_params *params)
@@ -6056,6 +6066,11 @@ void bt_gatt_disconnected(struct bt_conn *conn)
 	BT_DBG("conn %p", conn);
 	bt_gatt_foreach_attr(0x0001, 0xffff, disconnected_cb, conn);
 
+#if defined(CONFIG_BT_GATT_NOTIFY_MULTIPLE)
+	/* Clear pending notifications */
+	cleanup_notify(conn);
+#endif /* CONFIG_BT_GATT_NOTIFY_MULTIPLE */
+
 #if defined(CONFIG_BT_SETTINGS_CCC_STORE_ON_WRITE)
 	gatt_ccc_conn_unqueue(conn);