From 623e8d9e0f351cc680e7e1c1094044452fde2bf3 Mon Sep 17 00:00:00 2001
From: Kai Cheng
Date: Fri, 18 Jul 2025 19:52:32 +0800
Subject: [PATCH] Bluetooth: SDP: fix sdp record not uninitialized sdp matching_recs maybe filled with uninitialized record. if sdp_svc_search_req come from remote with invalid max_rec_count, which is greater than num_services, matching_recs would response uninitialized record result.
Signed-off-by: Kai Cheng
---
 subsys/bluetooth/host/classic/sdp.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/subsys/bluetooth/host/classic/sdp.c b/subsys/bluetooth/host/classic/sdp.c
index 80d2468a7ef65..fed8eb67d6fce 100644
--- a/subsys/bluetooth/host/classic/sdp.c
+++ b/subsys/bluetooth/host/classic/sdp.c
@@ -604,6 +604,7 @@ static uint16_t sdp_svc_search_req(struct bt_sdp *sdp, struct net_buf *buf,
 uint8_t cont_state_size, cont_state = 0U, idx = 0U, count = 0U;
 bool pkt_full = false;
+ memset(matching_recs, 0, sizeof(matching_recs));
 res = find_services(buf, matching_recs);
 if (res) {
 /* Error in parsing */
@@ -1220,6 +1221,7 @@ static uint16_t sdp_svc_search_att_req(struct bt_sdp *sdp, struct net_buf *buf,
 uint8_t cont_state_size, next_svc = 0U, next_att = 0U;
 bool dry_run = false;
+ memset(matching_recs, 0, sizeof(matching_recs));
 res = find_services(buf, matching_recs);
 if (res) {
 return res;
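Review bot: Zeroing `matching_recs` removes the uninitialized read, but the remote-supplied `max_rec_count` that the commit message names as the trigger is still not bounded anywhere in this hunk, so safety now depends on every later use of the array skipping NULL slots. The rest of `sdp_svc_search_req` is outside the hunk; it should be confirmed that the loops which count and serialize records test `matching_recs[idx]` for NULL before dereferencing it. If `num_services` is the number of registered records, as the message implies, clamping after parsing with `max_rec_count = MIN(max_rec_count, num_services);` would address the cause rather than the symptom. The NULL-check concern applies equally to the second hunk in `sdp_svc_search_att_req`.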
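Review bot: `sizeof(matching_recs)` covers the whole array only while `matching_recs` is an array declared locally in `sdp_svc_search_att_req`; the declaration sits above the hunk, so that is assumed here, and the same call would clear just one pointer's worth of bytes if the variable ever became a pointer. Both call sites of `find_services` shown in this patch now carry an identical pre-clear, which a future caller can forget. Consider initializing at the declaration or clearing inside `find_services` using the array's element count, and add a comment such as `/* slots find_services() does not fill must read as NULL */` so the requirement is recorded next to the call.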