zephyrproject-rtos/zephyr

Bluetooth: Audio: Add checks for bt_conn_ref return value where applicable

Open

#95,148 opened on Aug 29, 2025

View on GitHub
 (1 comment) (0 reactions) (2 assignees)C (15,249 stars) (9,144 forks)batch import
EnhancementGood first issuearea: Bluetootharea: Bluetooth Audio

Description

Summary

If the connection pointer supplied to an API call is not connected (e.g. if the application has cached it incorrectly), then when we perform a bt_conn_ref in the LE Audio code to take a reference, it can return NULL, which indicates a non-connected bt_conn pointer.

Describe the solution you'd like

For each call of bt_conn_ref in LE Audio from a struct bt_conn * from the higher layers, we need to verify that the return value is non-NULL.

Alternatives

Alternatively, we should check early in the function if the struct bt_conn is in the connected state. If a user attempts to perform any operation that expects the connection to be connected, and it is not, then we should return early to avoid unncessary memory copies etc. to generate the PDUs.

No response

Additional Context

This may also be an issue in other non-LE Audio places.

Contributor guide

Tech stack
c
Domain
security
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
C programmingPointer managementBluetooth LE Audio concepts
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Locate all calls to bt conn ref in the LE Audio subsystem (likely under subsys/bluetooth/audio/). For each call, verify if the return value is checked for NULL and add a null check with an early return or appropriate error handling. Consider also adding a state check on the bt conn pointer to confirm it is connected, as suggested in the issue. Look at existing implementations in other Bluetooth profiles (e.g., HFP, A2DP) for patterns of reference counting and error handling. Since this issue has assignees, it is recommended to coordinate or check if any work is already in progress.