From c91b718fc0c0646e4695c26a2f2b4ece1cd4ac11 Mon Sep 17 00:00:00 2001
From: Mariusz Skamra
Date: Thu, 17 Jul 2025 09:04:24 +0200
Subject: [PATCH] nimble/ll: Fix NULL pointer dereference

This fixes possible NULL pointer dereference in ble_ll_sched_rmv_elem_type that could happen if 'g_ble_ll_sched_q' queue is empty. Uninitialized 'first_removed' variable has been fixed as well.
---
 nimble/controller/src/ble_ll_sched.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nimble/controller/src/ble_ll_sched.c b/nimble/controller/src/ble_ll_sched.c
index 7f1ac96054..c2ec46a434 100644
--- a/nimble/controller/src/ble_ll_sched.c
+++ b/nimble/controller/src/ble_ll_sched.c
@@ -930,10 +930,13 @@ ble_ll_sched_rmv_elem_type(uint8_t type, sched_remove_cb_func remove_cb)
 OS_ENTER_CRITICAL(sr);
 first = TAILQ_FIRST(&g_ble_ll_sched_q);
- if (first->sched_type == type) {
- first_removed = 1;
+ if (!first) {
+ OS_EXIT_CRITICAL(sr);
+ return;
 }
+ first_removed = first->sched_type == type;
+
 TAILQ_FOREACH(entry, &g_ble_ll_sched_q, link) {
 if (entry->sched_type != type) {
 continue;
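Review bot: The early return in the `if (!first)` branch adds a second exit from the critical section, so `OS_EXIT_CRITICAL(sr)` now has to stay paired with `OS_ENTER_CRITICAL(sr)` on two paths. Because `TAILQ_FOREACH` over an empty queue runs zero iterations, `first_removed = first && first->sched_type == type;` would handle the empty queue with a single exit. That only holds if nothing after the loop dereferences `first`; the rest of ble_ll_sched_rmv_elem_type is outside the hunk, so this needs checking. If the early return stays, a short comment such as `/* queue may be empty: nothing to remove */` above the guard would record why it is there.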