Skip to content

NULL pointer dereference in subsys/bluetooth/audio/mpl.c in on_obj_selected() #99066

New issue
New issue
Closed
Bug
#99065
Closed
NULL pointer dereference in subsys/bluetooth/audio/mpl.c in on_obj_selected()#99066
Bug
#99065
Labels
area: Bluetootharea: Bluetooth Audioarea: Bluetooth QualificationBluetooth Qualification -related issues and pull requestsbugThe issue is a bug, or the PR is fixing a bug
@sjanc

Description

@sjanc
sjanc
opened on Nov 7, 2025

Describe the bug

There is NULL pointer dereference in on_obj_selected() when performing GMCS qualification tests.

Affected qualification test cases:
GMCS/SR/MCP/BV-38-C
GMCS/SR/MCP/BV-39-C
GMCS/SR/MCP/BV-40-C

Regression

  • This is a regression.

Steps to reproduce

execute GMCS/SR/MCP/BV-39-C qualification test with native_sim target

Relevant log output

==20129==ERROR: AddressSanitizer: SEGV on unknown address 0x00000004 (pc 0x081396f6 bp 0xf27fede8 sp 0xf27fedc0 T7)
==20129==The signal is caused by a READ memory access.
==20129==Hint: address points to the zero page.
    #0 0x081396f6 in on_obj_selected /home/janc/devel/zephyr/zephyr/subsys/bluetooth/audio/mpl.c:725
    #1 0x080a5d4c in bt_gatt_ots_olcp_write /home/janc/devel/zephyr/zephyr/subsys/bluetooth/services/ots/ots_olcp.c:286
    #2 0x080d6abb in write_cb /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/att.c:2064
    #3 0x080e6df0 in gatt_foreach_iter /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/gatt.c:2053
    #4 0x080e6df0 in foreach_attr_type_dyndb /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/gatt.c:2085
    #5 0x080e6df0 in bt_gatt_foreach_attr_type /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/gatt.c:2134
    #6 0x080d80e2 in bt_gatt_foreach_attr /home/janc/devel/zephyr/zephyr/include/zephyr/bluetooth/gatt.h:743
    #7 0x080dafd0 in att_write_rsp /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/att.c:2112
    #8 0x080db273 in att_write_req /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/att.c:2139
    #9 0x080daadc in bt_att_recv /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/att.c:2968
    #10 0x080d5820 in l2cap_chan_recv /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/l2cap.c:2851
    #11 0x080d5820 in bt_l2cap_recv /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/l2cap.c:2885
    #12 0x080b027d in hci_acl /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/hci_core.c:730
    #13 0x080b027d in rx_work_handler /home/janc/devel/zephyr/zephyr/subsys/bluetooth/host/hci_core.c:4519
    #14 0x0819cce9 in work_queue_main /home/janc/devel/zephyr/zephyr/kernel/work.c:737
    #15 0x0809611e in z_thread_entry /home/janc/devel/zephyr/zephyr/lib/os/thread_entry.c:48
    #16 0x080a9cdf in posix_arch_thread_entry /home/janc/devel/zephyr/zephyr/arch/posix/core/thread.c:96
    #17 0x081a89dd in nct_thread_starter /home/janc/devel/zephyr/zephyr/scripts/native_simulator//common/src/nct.c:291
    #18 0xf786d8fd in asan_thread_start(void*) (/lib/libasan.so.8+0x248fd) (BuildId: 05fd1dd2e1b8ee070f2edf186addec05ce469278)

Impact

Annoyance – Minor irritation; no significant impact on usability or functionality.

Environment

No response

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: Bluetootharea: Bluetooth Audioarea: Bluetooth QualificationBluetooth Qualification -related issues and pull requestsbugThe issue is a bug, or the PR is fixing a bug

    Type

    Bug

    Projects

    Bluetooth LE Audio

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions