From fe741133188bd4eee543670adf116582ba2aeaf8 Mon Sep 17 00:00:00 2001
From: Steve Karg
Date: Wed, 29 Apr 2026 07:27:19 -0500
Subject: [PATCH] bugfix: add null pointer check for value when resetting device identifier in bacdevobjpropref (#1321)
* fix: add null pointer check for value when resetting device identifier in bacdevobjpropref
* test: add regression test for bacnet_device_object_reference_decode with null value pointer
---
 src/bacnet/bacdevobjpropref.c | 6 ++++--
 test/bacnet/bacdevobjpropref/src/main.c | 8 ++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/bacnet/bacdevobjpropref.c b/src/bacnet/bacdevobjpropref.c
index 76f1062f..e228945a 100644
--- a/src/bacnet/bacdevobjpropref.c
+++ b/src/bacnet/bacdevobjpropref.c
@@ -489,8 +489,10 @@ int bacnet_device_object_reference_decode(
 return BACNET_STATUS_ERROR;
 } else {
 /* OPTIONAL - skip apdu_len increment */
- value->deviceIdentifier.type = BACNET_NO_DEV_TYPE;
- value->deviceIdentifier.instance = BACNET_NO_DEV_ID;
+ if (value) {
+ value->deviceIdentifier.type = BACNET_NO_DEV_TYPE;
+ value->deviceIdentifier.instance = BACNET_NO_DEV_ID;
+ }
 }
 /* object-identifier [1] BACnetObjectIdentifier */
 len = bacnet_object_id_context_decode(
diff --git a/test/bacnet/bacdevobjpropref/src/main.c b/test/bacnet/bacdevobjpropref/src/main.c
index 9a3ab60a..bf5bb719 100644
--- a/test/bacnet/bacdevobjpropref/src/main.c
+++ b/test/bacnet/bacdevobjpropref/src/main.c
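Review bot: In src/bacnet/bacdevobjpropref.c the new `if (value)` guard protects only the branch taken when the optional device-identifier is absent. The rest of bacnet_device_object_reference_decode() lies outside this hunk, so the other writes through `value` (the device-identifier-present branch and whatever the object-identifier decode that follows stores) cannot be confirmed as guarded from here and should be checked in the same pass. Which branch runs is decided by the APDU bytes, so a caller that passes NULL to measure the length of received data would have hit the unguarded write on peer-supplied input alone. The function's header comment should state the contract, for example `@param value - decoded reference, or NULL to only validate and return the length`.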
@@ -172,6 +172,14 @@ static void testDevIdRef(void) test_len = bacnet_device_object_reference_decode(NULL, sizeof(apdu), &test_data); zassert_true(test_len <= 0, NULL); + /* verify that NULL value pointer does not crash when the optional + device-identifier field is absent (regression test for the fix + that adds a null check before writing to value->deviceIdentifier) */ + data.deviceIdentifier.instance = 0; + data.deviceIdentifier.type = BACNET_NO_DEV_TYPE; + len = bacapp_encode_device_obj_ref(apdu, &data); + null_len = bacnet_device_object_reference_decode(apdu, len, NULL); + zassert_equal(null_len, len, "null_len=%d len=%d", null_len, len); } #if defined(CONFIG_ZTEST_NEW_API)
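Review bot: The added regression case in testDevIdRef() exercises the NULL `value` decode only for an encoding meant to omit the device-identifier, and it never checks that the encoder produced any bytes. Adding `zassert_true(len > 0, NULL);` right after the bacapp_encode_device_obj_ref() call would report an encoder failure at its source rather than as a length mismatch further down. A second NULL-value decode of an APDU that does carry the device-identifier would cover the decoder's other branch too, so both paths stay protected against a future regression. The declarations of `null_len`, `data` and `apdu` are outside the hunk, so their types are assumed from how they are used here.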