app: Add runtime safety checks for AT host

SeppoTakalo · SeppoTakalo · commit fa8eb2f57d60 · 2026-03-19T18:18:47.000+02:00
Various functions like:
* check_idle_timer()
* in_at_mode_*()
* is_idle_*()
* is_open_*()

are designed to tolerate NULL for either context or pipe
pointer. This is because sm_at_host_get_current(),
sm_at_host_get_pipe() and sm_at_host_get_current_pipe()
are designed to return NULL when there is no context or pipe
to point to.

However, few of those mentioned were not properly handling the NULL,
especially the internal check_idle_timer() caused NULL pointer
dereference if context was destroyed just before URC message was
send to that pipe.

Signed-off-by: Seppo Takalo &lt;seppo.takalo@nordicsemi.no&gt;
diff --git a/app/src/sm_at_host.c b/app/src/sm_at_host.c
@@ -335,6 +335,9 @@ struct sm_at_host_ctx *sm_at_host_get_urc_ctx(void)
 
 struct modem_pipe *sm_at_host_get_pipe(struct sm_at_host_ctx *ctx)
 {
+	if (!sm_at_ctx_check(ctx)) {
+		return NULL;
+	}
 	return ctx ? atomic_ptr_get(&ctx->pipe) : NULL;
 }
 
@@ -385,6 +388,9 @@ static bool sm_at_ctx_check(struct sm_at_host_ctx *ctx)
 
 static void check_idle_timer(struct sm_at_host_ctx *ctx, bool reschedule)
 {
+	if (!ctx) {
+		return;
+	}
 	if (reschedule || k_timer_remaining_ticks(&ctx->idle_timer) == 0) {
 		k_timeout_t delay = ctx->echo_enabled && (reschedule || ctx->at_cmd_len != 0)
 					    ? K_MSEC(CONFIG_SM_URC_DELAY_WITH_INCOMPLETE_ECHO_MS)
@@ -1016,11 +1022,13 @@ static int sm_at_send_internal(struct sm_at_host_ctx *ctx, const uint8_t *data,
 				sys_slist_append(&ctx->buffered_urcs, &msg->node);
 			}
 		}
-		if (!is_idle(ctx)) {
-			LOG_DBG("AT command in progress, delaying URC processing");
-			check_idle_timer(ctx, false);
-		} else {
-			sm_at_host_event_notify(ctx, SM_EVENT_URC);
+		if (ctx) {
+			if (!is_idle(ctx)) {
+				LOG_DBG("AT command in progress, delaying URC processing");
+				check_idle_timer(ctx, false);
+			} else {
+				sm_at_host_event_notify(ctx, SM_EVENT_URC);
+			}
 		}
 		return 0;
 	}
@@ -1506,20 +1514,20 @@ bool in_at_mode_pipe(struct modem_pipe *pipe)
 {
 	struct sm_at_host_ctx *ctx = sm_at_host_get_ctx_from(pipe);
 
-	return in_at_mode_ctx(ctx);
+	return ctx ? in_at_mode_ctx(ctx) : false;
 }
 
 bool is_idle_ctx(struct sm_at_host_ctx *ctx)
 {
-	return (in_at_mode_ctx(ctx) &&
+	return (sm_at_ctx_check(ctx) && in_at_mode_ctx(ctx) &&
 		k_timer_remaining_ticks(&ctx->idle_timer) == 0);
 }
 
 bool is_idle_pipe(struct modem_pipe *pipe)
 {
 	struct sm_at_host_ctx *ctx = sm_at_host_get_ctx_from(pipe);
 
-	return is_idle_ctx(ctx);
+	return ctx ? is_idle_ctx(ctx) : false;
 }
 
 bool is_open_pipe(struct modem_pipe *pipe)
@@ -1529,7 +1537,7 @@ bool is_open_pipe(struct modem_pipe *pipe)
 
 bool is_open_ctx(struct sm_at_host_ctx *ctx)
 {
-	return sm_at_host_get_pipe(ctx);
+	return ctx ? is_open_pipe(sm_at_host_get_pipe(ctx)) : false;
 }
 
 void exit_datamode_handler(int result)

Original file line number	Diff line number	Diff line change
`@@ -335,6 +335,9 @@ struct sm_at_host_ctx *sm_at_host_get_urc_ctx(void)`
`335`	`335`
`336`	`336`	`struct modem_pipe sm_at_host_get_pipe(struct sm_at_host_ctx ctx)`
`337`	`337`	`{`
	`338`	`+ if (!sm_at_ctx_check(ctx)) {`
	`339`	`+ return NULL;`
	`340`	`+ }`
`338`	`341`	`return ctx ? atomic_ptr_get(&ctx->pipe) : NULL;`
`339`	`342`	`}`
`340`	`343`
`@@ -385,6 +388,9 @@ static bool sm_at_ctx_check(struct sm_at_host_ctx *ctx)`
`385`	`388`
`386`	`389`	`static void check_idle_timer(struct sm_at_host_ctx *ctx, bool reschedule)`
`387`	`390`	`{`
	`391`	`+ if (!ctx) {`
	`392`	`+ return;`
	`393`	`+ }`
`388`	`394`	`if (reschedule \|\| k_timer_remaining_ticks(&ctx->idle_timer) == 0) {`
`389`	`395`	`k_timeout_t delay = ctx->echo_enabled && (reschedule \|\| ctx->at_cmd_len != 0)`
`390`	`396`	`? K_MSEC(CONFIG_SM_URC_DELAY_WITH_INCOMPLETE_ECHO_MS)`
`@@ -1016,11 +1022,13 @@ static int sm_at_send_internal(struct sm_at_host_ctx ctx, const uint8_t data,`
`1016`	`1022`	`sys_slist_append(&ctx->buffered_urcs, &msg->node);`
`1017`	`1023`	`}`
`1018`	`1024`	`}`
`1019`		`- if (!is_idle(ctx)) {`
`1020`		`- LOG_DBG("AT command in progress, delaying URC processing");`
`1021`		`- check_idle_timer(ctx, false);`
`1022`		`- } else {`
`1023`		`- sm_at_host_event_notify(ctx, SM_EVENT_URC);`
	`1025`	`+ if (ctx) {`
	`1026`	`+ if (!is_idle(ctx)) {`
	`1027`	`+ LOG_DBG("AT command in progress, delaying URC processing");`
	`1028`	`+ check_idle_timer(ctx, false);`
	`1029`	`+ } else {`
	`1030`	`+ sm_at_host_event_notify(ctx, SM_EVENT_URC);`
	`1031`	`+ }`
`1024`	`1032`	`}`
`1025`	`1033`	`return 0;`
`1026`	`1034`	`}`
`@@ -1506,20 +1514,20 @@ bool in_at_mode_pipe(struct modem_pipe *pipe)`
`1506`	`1514`	`{`
`1507`	`1515`	`struct sm_at_host_ctx *ctx = sm_at_host_get_ctx_from(pipe);`
`1508`	`1516`
`1509`		`- return in_at_mode_ctx(ctx);`
	`1517`	`+ return ctx ? in_at_mode_ctx(ctx) : false;`
`1510`	`1518`	`}`
`1511`	`1519`
`1512`	`1520`	`bool is_idle_ctx(struct sm_at_host_ctx *ctx)`
`1513`	`1521`	`{`
`1514`		`- return (in_at_mode_ctx(ctx) &&`
	`1522`	`+ return (sm_at_ctx_check(ctx) && in_at_mode_ctx(ctx) &&`
`1515`	`1523`	`k_timer_remaining_ticks(&ctx->idle_timer) == 0);`
`1516`	`1524`	`}`
`1517`	`1525`
`1518`	`1526`	`bool is_idle_pipe(struct modem_pipe *pipe)`
`1519`	`1527`	`{`
`1520`	`1528`	`struct sm_at_host_ctx *ctx = sm_at_host_get_ctx_from(pipe);`
`1521`	`1529`
`1522`		`- return is_idle_ctx(ctx);`
	`1530`	`+ return ctx ? is_idle_ctx(ctx) : false;`
`1523`	`1531`	`}`
`1524`	`1532`
`1525`	`1533`	`bool is_open_pipe(struct modem_pipe *pipe)`
`@@ -1529,7 +1537,7 @@ bool is_open_pipe(struct modem_pipe *pipe)`
`1529`	`1537`
`1530`	`1538`	`bool is_open_ctx(struct sm_at_host_ctx *ctx)`
`1531`	`1539`	`{`
`1532`		`- return sm_at_host_get_pipe(ctx);`
	`1540`	`+ return ctx ? is_open_pipe(sm_at_host_get_pipe(ctx)) : false;`
`1533`	`1541`	`}`
`1534`	`1542`
`1535`	`1543`	`void exit_datamode_handler(int result)`