From 41edf56707305e05967db566cf39ec16227c6a6b Mon Sep 17 00:00:00 2001
From: Jin Cheng
Date: Mon, 22 Dec 2025 16:47:18 +0800
Subject: [PATCH] fix(bt): validated UUID parameters in BTA_JvStartDiscovery
---
 components/bt/host/bluedroid/bta/jv/bta_jv_api.c | 5 +++++
 .../bt/host/bluedroid/btc/profile/std/spp/btc_spp.c | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/components/bt/host/bluedroid/bta/jv/bta_jv_api.c b/components/bt/host/bluedroid/bta/jv/bta_jv_api.c
index 7fb74fdfa8..cfa0ff9091 100644
--- a/components/bt/host/bluedroid/bta/jv/bta_jv_api.c
+++ b/components/bt/host/bluedroid/bta/jv/bta_jv_api.c
@@ -283,6 +283,11 @@ tBTA_JV_STATUS BTA_JvStartDiscovery(BD_ADDR bd_addr, UINT16 num_uuid,
 tBTA_JV_API_START_DISCOVERY *p_msg;
 APPL_TRACE_API( "BTA_JvStartDiscovery");
+ if ((num_uuid > BTA_JV_MAX_UUIDS) || ((num_uuid > 0) && (p_uuid_list == NULL))) {
+ APPL_TRACE_ERROR("invalid uuid list: num_uuid=%u", num_uuid);
+ return BTA_JV_FAILURE;
+ }
+
 if ((p_msg = (tBTA_JV_API_START_DISCOVERY *)osi_malloc(sizeof(tBTA_JV_API_START_DISCOVERY))) != NULL) {
 p_msg->hdr.event = BTA_JV_API_START_DISCOVERY_EVT;
 bdcpy(p_msg->bd_addr, bd_addr);
diff --git a/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c b/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
index 31a71992dc..3426688edd 100644
--- a/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
+++ b/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
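Review bot: The new failure condition in BTA_JvStartDiscovery is not reflected in the function's API documentation: if the Doxygen header above the function and the prototype in the BTA JV header (both outside this hunk) list the return values, they should now state that BTA_JV_FAILURE is also returned when num_uuid exceeds BTA_JV_MAX_UUIDS or when p_uuid_list is NULL with a non-zero num_uuid, since callers previously only had to expect an allocation failure. The guard deliberately lets num_uuid == 0 with p_uuid_list == NULL through; if the rest of the function (not visible here) copies num_uuid entries out of p_uuid_list, that becomes a zero-length copy from a NULL source, which the C standard leaves undefined even though it is harmless on this target, so guarding that copy with `if (num_uuid > 0)` would make it clean. Placing the check before osi_malloc is right, as an early return here cannot leak p_msg. BTA_JvStartDiscovery continues past the end of the hunk.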
@@ -652,7 +652,11 @@ static void btc_spp_start_discovery(btc_spp_args_t *arg)
 ret = ESP_SPP_NEED_INIT;
 break;
 }
- BTA_JvStartDiscovery(arg->start_discovery.bd_addr, arg->start_discovery.num_uuid, arg->start_discovery.p_uuid_list, NULL);
+ tBTA_JV_STATUS status = BTA_JvStartDiscovery(arg->start_discovery.bd_addr, arg->start_discovery.num_uuid, arg->start_discovery.p_uuid_list, NULL);
+ if (status != BTA_JV_SUCCESS) {
+ BTC_TRACE_ERROR("%s SPP failed to start discovery\n", __func__);
+ ret = ESP_SPP_NO_RESOURCE;
+ }
 } while (0);
 if (ret != ESP_SPP_SUCCESS) {
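Review bot: `ret = ESP_SPP_NO_RESOURCE;` misreports the failure that this commit's own validation produces: BTA_JvStartDiscovery returns the single value BTA_JV_FAILURE both for an invalid UUID list and for a failed request allocation, so this caller cannot distinguish a bad argument from resource exhaustion and labels every failure as "no resource". Either map the undistinguished result to the generic `ret = ESP_SPP_FAILURE;`, or check `arg->start_discovery.num_uuid` and `arg->start_discovery.p_uuid_list` here in btc before the call, where an argument error can be reported as such while an allocation failure keeps ESP_SPP_NO_RESOURCE. The trace would also be more useful with the returned value, `BTC_TRACE_ERROR("%s SPP failed to start discovery, status=%d\n", __func__, status);`. btc_spp_start_discovery starts before and ends after this hunk.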