From 45ff5afbb74759f97d403ca42628c19a64487f6c Mon Sep 17 00:00:00 2001
From: Lyle Zhu <lyle.zhu@nxp.com>
Date: Thu, 29 Feb 2024 15:57:45 +0800
Subject: [PATCH] Bluetooth: Host: Check conn/channel status of L2CAP BR

For BR/EDR L2CAP, if the function bt_l2cap_br_chan_send_cb
instead of bt_l2cap_chan_send is called, the ACL conn and
L2CAP chennel status will not be checked.

Check conn/channel status before sending data in
function bt_l2cap_br_chan_send_cb.

Signed-off-by: Lyle Zhu <lyle.zhu@nxp.com>
---
 subsys/bluetooth/host/classic/l2cap_br.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/subsys/bluetooth/host/classic/l2cap_br.c b/subsys/bluetooth/host/classic/l2cap_br.c
index f1765105e08..f4f45db481f 100644
--- a/subsys/bluetooth/host/classic/l2cap_br.c
+++ b/subsys/bluetooth/host/classic/l2cap_br.c
@@ -1469,7 +1469,23 @@ static void l2cap_br_conn_rsp(struct bt_l2cap_br *l2cap, uint8_t ident,
 int bt_l2cap_br_chan_send_cb(struct bt_l2cap_chan *chan, struct net_buf *buf, bt_conn_tx_cb_t cb,
 			     void *user_data)
 {
-	struct bt_l2cap_br_chan *br_chan = BR_CHAN(chan);
+	struct bt_l2cap_br_chan *br_chan;
+
+	if (!buf || !chan) {
+		return -EINVAL;
+	}
+
+	br_chan = BR_CHAN(chan);
+
+	LOG_DBG("chan %p buf %p len %zu", chan, buf, net_buf_frags_len(buf));
+
+	if (!chan->conn || chan->conn->state != BT_CONN_CONNECTED) {
+		return -ENOTCONN;
+	}
+
+	if (atomic_test_bit(chan->status, BT_L2CAP_STATUS_SHUTDOWN)) {
+		return -ESHUTDOWN;
+	}
 
 	if (buf->len > br_chan->tx.mtu) {
 		return -EMSGSIZE;