nimble/ll: Fix NULL pointer dereference in ble_ll_sched_rmv_elem_type

MariuszSkamra · MariuszSkamra · commit bad6ab884370 · 2025-07-17T09:11:46.000+02:00
This fixes possible NULL pointer dereference in ble_ll_sched_rmv_elem_type
that could happen if 'g_ble_ll_sched_q' queue is empty.
Uninitialized 'first_removed' variable has been fixed as well.
diff --git a/nimble/controller/src/ble_ll_sched.c b/nimble/controller/src/ble_ll_sched.c
@@ -930,10 +930,13 @@ ble_ll_sched_rmv_elem_type(uint8_t type, sched_remove_cb_func remove_cb)
     OS_ENTER_CRITICAL(sr);
 
     first = TAILQ_FIRST(&g_ble_ll_sched_q);
-    if (first->sched_type == type) {
-        first_removed = 1;
+    if (!first) {
+        OS_EXIT_CRITICAL(sr);
+        return;
     }
 
+    first_removed = first->sched_type == type;
+
     TAILQ_FOREACH(entry, &g_ble_ll_sched_q, link) {
         if (entry->sched_type != type) {
             continue;
