From 4933ef780b7d921bd5ddb18853de8611586d5fec Mon Sep 17 00:00:00 2001
From: "J. Nick Koston" <nick@koston.org>
Date: Sun, 27 Jul 2025 18:50:17 -1000
Subject: [PATCH] [bluetooth_proxy] Fix service discovery cache pollution and
 descriptor count parameter bug (#9902)

---
 .../bluetooth_proxy/bluetooth_connection.cpp  | 52 ++++++++++---------
 1 file changed, 27 insertions(+), 25 deletions(-)

diff --git a/esphome/components/bluetooth_proxy/bluetooth_connection.cpp b/esphome/components/bluetooth_proxy/bluetooth_connection.cpp
index 4b84257e27..b3484032b2 100644
--- a/esphome/components/bluetooth_proxy/bluetooth_connection.cpp
+++ b/esphome/components/bluetooth_proxy/bluetooth_connection.cpp
@@ -80,15 +80,10 @@ void BluetoothConnection::send_service_for_discovery_() {
                                                                &service_result, &service_count, this->send_service_);
   this->send_service_++;
 
-  if (service_status != ESP_GATT_OK) {
-    ESP_LOGE(TAG, "[%d] [%s] esp_ble_gattc_get_service error at offset=%d, status=%d", this->connection_index_,
-             this->address_str().c_str(), this->send_service_ - 1, service_status);
-    return;
-  }
-
-  if (service_count == 0) {
-    ESP_LOGE(TAG, "[%d] [%s] esp_ble_gattc_get_service missing, service_count=%d", this->connection_index_,
-             this->address_str().c_str(), service_count);
+  if (service_status != ESP_GATT_OK || service_count == 0) {
+    ESP_LOGE(TAG, "[%d] [%s] esp_ble_gattc_get_service %s, status=%d, service_count=%d, offset=%d",
+             this->connection_index_, this->address_str().c_str(), service_status != ESP_GATT_OK ? "error" : "missing",
+             service_status, service_count, this->send_service_ - 1);
     return;
   }
 
@@ -104,15 +99,20 @@ void BluetoothConnection::send_service_for_discovery_() {
       esp_ble_gattc_get_attr_count(this->gattc_if_, this->conn_id_, ESP_GATT_DB_CHARACTERISTIC,
                                    service_result.start_handle, service_result.end_handle, 0, &total_char_count);
 
-  if (char_count_status == ESP_GATT_OK && total_char_count > 0) {
-    // Only reserve if we successfully got a count
-    service_resp.characteristics.reserve(total_char_count);
-  } else if (char_count_status != ESP_GATT_OK) {
+  if (char_count_status != ESP_GATT_OK) {
     ESP_LOGW(TAG, "[%d] [%s] Error getting characteristic count, status=%d", this->connection_index_,
              this->address_str().c_str(), char_count_status);
+    return;
   }
 
-  // Now process characteristics
+  if (total_char_count == 0) {
+    // No characteristics, just send the service response
+    api_conn->send_message(resp, api::BluetoothGATTGetServicesResponse::MESSAGE_TYPE);
+    return;
+  }
+
+  // Reserve space and process characteristics
+  service_resp.characteristics.reserve(total_char_count);
   uint16_t char_offset = 0;
   esp_gattc_char_elem_t char_result;
   while (true) {  // characteristics
@@ -126,7 +126,7 @@ void BluetoothConnection::send_service_for_discovery_() {
     if (char_status != ESP_GATT_OK) {
       ESP_LOGE(TAG, "[%d] [%s] esp_ble_gattc_get_all_char error, status=%d", this->connection_index_,
                this->address_str().c_str(), char_status);
-      break;
+      return;
     }
     if (char_count == 0) {
       break;
@@ -141,19 +141,21 @@ void BluetoothConnection::send_service_for_discovery_() {
 
     // Get the number of descriptors directly with one call
     uint16_t total_desc_count = 0;
-    esp_gatt_status_t desc_count_status =
-        esp_ble_gattc_get_attr_count(this->gattc_if_, this->conn_id_, ESP_GATT_DB_DESCRIPTOR, char_result.char_handle,
-                                     service_result.end_handle, 0, &total_desc_count);
+    esp_gatt_status_t desc_count_status = esp_ble_gattc_get_attr_count(
+        this->gattc_if_, this->conn_id_, ESP_GATT_DB_DESCRIPTOR, 0, 0, char_result.char_handle, &total_desc_count);
 
-    if (desc_count_status == ESP_GATT_OK && total_desc_count > 0) {
-      // Only reserve if we successfully got a count
-      characteristic_resp.descriptors.reserve(total_desc_count);
-    } else if (desc_count_status != ESP_GATT_OK) {
+    if (desc_count_status != ESP_GATT_OK) {
       ESP_LOGW(TAG, "[%d] [%s] Error getting descriptor count for char handle %d, status=%d", this->connection_index_,
                this->address_str().c_str(), char_result.char_handle, desc_count_status);
+      return;
+    }
+    if (total_desc_count == 0) {
+      // No descriptors, continue to next characteristic
+      continue;
     }
 
-    // Now process descriptors
+    // Reserve space and process descriptors
+    characteristic_resp.descriptors.reserve(total_desc_count);
     uint16_t desc_offset = 0;
     esp_gattc_descr_elem_t desc_result;
     while (true) {  // descriptors
@@ -166,10 +168,10 @@ void BluetoothConnection::send_service_for_discovery_() {
       if (desc_status != ESP_GATT_OK) {
         ESP_LOGE(TAG, "[%d] [%s] esp_ble_gattc_get_all_descr error, status=%d", this->connection_index_,
                  this->address_str().c_str(), desc_status);
-        break;
+        return;
       }
       if (desc_count == 0) {
-        break;
+        break;  // No more descriptors
       }
 
       characteristic_resp.descriptors.emplace_back();