diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_api.c b/components/bt/host/bluedroid/bta/dm/bta_dm_api.c
index c00c624bc5..da63ae4c98 100644
--- a/components/bt/host/bluedroid/bta/dm/bta_dm_api.c
+++ b/components/bt/host/bluedroid/bta/dm/bta_dm_api.c
@@ -666,6 +666,7 @@ void BTA_DmOobReply(BD_ADDR bd_addr, UINT8 len, UINT8 *p_value)
 if ((p_msg = (tBTA_DM_API_OOB_REPLY *) osi_malloc(sizeof(tBTA_DM_API_OOB_REPLY))) != NULL) {
 p_msg->hdr.event = BTA_DM_API_OOB_REPLY_EVT;
 if(p_value == NULL || len > BT_OCTET16_LEN) {
+ osi_free(p_msg);
 return;
 }
 memcpy(p_msg->bd_addr, bd_addr, BD_ADDR_LEN);
diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c
index d8af854525..fb48cb9cfa 100644
--- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c
+++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c
@@ -285,6 +285,12 @@ static tBTA_GATT_STATUS bta_gattc_add_srvc_to_cache(tBTA_GATTC_SERV *p_srvc_cb,
 p_srvc_cb->p_srvc_cache = list_new(service_free);
 }
+ if(!p_srvc_cb->p_srvc_cache) {
+ APPL_TRACE_WARNING("%s(), no resource.", __func__);
+ osi_free(p_new_srvc);
+ return BTA_GATT_NO_RESOURCES;
+ }
+
 if(is_primary) {
 list_append(p_srvc_cb->p_srvc_cache, p_new_srvc);
 } else {
@@ -549,7 +555,7 @@ void bta_gattc_update_include_service(const list_t *services) {
 }
 for (list_node_t *sn = list_begin(services); sn != list_end(services); sn = list_next(sn)) {
 tBTA_GATTC_SERVICE *service = list_node(sn);
- if(!service && list_is_empty(service->included_svc)) break;
+ if(!service || !service->included_svc || list_is_empty(service->included_svc)) break;
 for (list_node_t *sn = list_begin(service->included_svc); sn != list_end(service->included_svc); sn = list_next(sn)) {
 tBTA_GATTC_INCLUDED_SVC *include_service = list_node(sn);
 if(include_service && !include_service->included_service) {
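Review bot: The osi_free added before the early `return` closes the leak, but BTA_DmOobReply still validates its arguments only after the allocation and after `p_msg->hdr.event` has been written, so a rejected input now allocates, writes, frees and returns. Checking `if (p_value == NULL || len > BT_OCTET16_LEN) { return; }` before the osi_malloc call removes the allocate-and-free pair and the chance of this leak reappearing the next time the body is edited. The body of BTA_DmOobReply continues below the hunk, so whether the later copy of p_value is bounded by the same `len` cannot be confirmed from here.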
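Review bot: In the second bta_gattc_cache.c hunk the repaired condition still ends in `break`, so a service whose included_svc list is NULL or empty now stops bta_gattc_update_include_service for every service after it, whereas the pre-patch `&&` form never broke for a non-NULL service and simply ran the inner loop zero times on an empty list. If the intent is to skip such services rather than abandon the walk, `continue` is the keyword wanted: `if(!service || !service->included_svc || list_is_empty(service->included_svc)) continue;`. The inner loop also re-declares `sn`, shadowing the outer loop variable; a distinct name would make the two loops easier to tell apart. The NULL check on p_srvc_cb->p_srvc_cache in the first hunk looks right; both functions extend beyond their hunks.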
diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c
index dfac21b568..c5f17d79eb 100644
--- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c
+++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c
@@ -583,6 +583,9 @@ BOOLEAN bta_gattc_co_cache_append_assoc_addr(BD_ADDR src_addr, BD_ADDR assoc_add
 UINT8 addr_index = 0;
 cache_addr_info_t *addr_info;
 UINT8 *p_assoc_buf = osi_malloc(sizeof(BD_ADDR));
+ if(!p_assoc_buf) {
+ return FALSE;
+ }
 memcpy(p_assoc_buf, assoc_addr, sizeof(BD_ADDR));
 if ((addr_index = bta_gattc_co_find_addr_in_cache(src_addr)) != INVALID_ADDR_NUM) {
 addr_info = &cache_env->cache_addr[addr_index];
@@ -590,6 +593,8 @@ BOOLEAN bta_gattc_co_cache_append_assoc_addr(BD_ADDR src_addr, BD_ADDR assoc_add
 addr_info->assoc_addr =list_new(NULL);
 }
 return list_append(addr_info->assoc_addr, p_assoc_buf);
+ } else {
+ osi_free(p_assoc_buf);
 }
 return FALSE;
diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c
index cd61d6388d..e684643db4 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c
@@ -3170,6 +3170,10 @@ void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT
 }
 }
+ if(!p_dev_rec) {
+ return;
+ }
+
 /* If this is a bonding procedure can disconnect the link now */
 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
@@ -3953,6 +3957,10 @@ void btm_sec_auth_complete (UINT16 handle, UINT8 status)
 }
 }
+ if(!p_dev_rec) {
+ return;
+ }
+
 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
 #if (CLASSIC_BT_INCLUDED == TRUE)
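Review bot: After the second bta_gattc_co.c hunk, p_assoc_buf is still leaked on two paths inside the found-address branch: `addr_info->assoc_addr =list_new(NULL)` can return NULL (this same commit guards a list_new result in bta_gattc_cache.c), in which case the buffer is handed to list_append on a NULL list and never freed, and a FALSE from list_append is returned to the caller while the buffer is left with no owner. Handling both failures explicitly keeps the ownership rule simple: the buffer belongs to the list once appended and to this function otherwise. The condition wrapping the list_new call is above the hunk, so the exact shape of that branch is inferred; allocating only after the bta_gattc_co_find_addr_in_cache lookup succeeds would also make the new else branch unnecessary. The function's opening lines are above the first hunk.
```c
            // … unchanged: lazy list_new(NULL) of addr_info->assoc_addr …
            if (!addr_info->assoc_addr) {
                osi_free(p_assoc_buf);
                return FALSE;
            }
            if (!list_append(addr_info->assoc_addr, p_assoc_buf)) {
                osi_free(p_assoc_buf);
                return FALSE;
            }
            return TRUE;
```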
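Review bot: The three new `if(!p_dev_rec) return;` guards (here in btm_sec_rmt_name_request_complete, in btm_sec_auth_complete, and in btm_sec_link_key_notification on the following hunk) return silently, so a remote-name, authentication-complete or link-key event for a peer with no device record vanishes without a trace, which is the first thing a person debugging a stalled pairing would want to see. A `BTM_TRACE_WARNING("%s: no device record", __func__);` ahead of each return would keep that visible at the same cost as the existing traces in this file. The lookups that can leave p_dev_rec NULL sit above each hunk, as does any code between them and the guard that might already dereference it, so whether the guard is placed early enough cannot be confirmed from here; in btm_sec_auth_complete the return also skips the `sec_state = BTM_SEC_STATE_IDLE` reset and whatever pairing-state handling follows below the hunk, which is worth checking if that function is expected to update btm_cb state for an unknown device.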
@@ -4796,6 +4804,10 @@ void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_t
 }
 }
+ if(!p_dev_rec) {
+ return;
+ }
+
 /* We will save link key only if the user authorized it - BTE report link key in all cases */
 #ifdef BRCM_NONE_BTE
 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_db.c b/components/bt/host/bluedroid/stack/gatt/gatt_db.c
index 0c2f0d8f0b..2f78f26d32 100644
--- a/components/bt/host/bluedroid/stack/gatt/gatt_db.c
+++ b/components/bt/host/bluedroid/stack/gatt/gatt_db.c
@@ -976,7 +976,7 @@ tGATT_STATUS gatts_write_attr_value_by_handle(tGATT_SVC_DB *p_db,
 memcpy(p_attr->p_value->attr_val.attr_val + offset, p_value, len);
 p_attr->p_value->attr_val.attr_len = len + offset;
 return GATT_SUCCESS;
- } else if (p_attr->p_value->attr_val.attr_max_len < offset + len){
+ } else if (p_attr->p_value && p_attr->p_value->attr_val.attr_max_len < offset + len){
 GATT_TRACE_DEBUG("Remote device try to write with a length larger then attribute's max length\n");
 return GATT_INVALID_ATTR_LEN;
 } else if ((p_attr->p_value == NULL) || (p_attr->p_value->attr_val.attr_val == NULL)){
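Review bot: The added `p_attr->p_value &&` guard in gatts_write_attr_value_by_handle papers over an ordering problem in this else-if chain: the branch that tests `(p_attr->p_value == NULL) || (p_attr->p_value->attr_val.attr_val == NULL)` comes last, after branches that already dereference p_value, and the first branch's condition and the memcpy it guards begin above the hunk, so it is not visible here whether that branch is protected at all. Hoisting the NULL branch to the head of the chain makes every later dereference safe by construction and lets the new guard be dropped again. A short comment on the chain, such as `/* p_value may be NULL for an attribute with no stored value: test it before any dereference */`, would record why the order matters. The rest of the function lies outside the hunk.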