Merge branch 'fix/fix_an_ot_trel_risk_v5.5' into 'release/v5.5'

fix(openthread): fix a potential stack overflow in TREL (v5.5)

See merge request espressif/esp-idf!43932
Jiang Jiang Jian
2025-12-11 16:42:26 +08:00
5 changed files with 51 additions and 20 deletions
@@ -651,7 +651,7 @@ static IRAM_ATTR void isr_handle_ed_done(void)
if (s_ieee802154_state == IEEE802154_STATE_CCA) {
esp_ieee802154_cca_done(ieee802154_ll_is_cca_busy());
} else if (s_ieee802154_state == IEEE802154_STATE_ED) {
ieee802154_inner_energy_detect_done(ieee802154_ll_get_ed_rss());
ieee802154_inner_energy_detect_done(ieee802154_ll_get_ed_rss() + IEEE802154_RSSI_COMPENSATION_VALUE);
}
NEEDS_NEXT_OPT(true);
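Review bot: The compensated value in the ED branch is passed to `ieee802154_inner_energy_detect_done()` with no visible range check. Neither the callee's parameter type nor the value of `IEEE802154_RSSI_COMPENSATION_VALUE` appears in this hunk. If that parameter is an 8-bit signed power value, the addition is done in `int` and narrowed at the call, so a reading near the limit would wrap instead of saturating. Clamping the sum to the `int8_t` range before the call, or a comment stating the guaranteed range of `ieee802154_ll_get_ed_rss()`, would settle it. `isr_handle_ed_done` starts and ends outside the hunk.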
+4 -3
@@ -45,9 +45,9 @@ menu "OpenThread"
endmenu
menu "Thread Console"
depends on OPENTHREAD_ENABLED
config OPENTHREAD_CONSOLE_ENABLE
bool "Enable OpenThread console"
depends on OPENTHREAD_ENABLED
default y
help
Enable the OpenThread-specific console provided by the SDK. This only controls whether
@@ -430,7 +430,7 @@ menu "OpenThread"
config OPENTHREAD_PLATFORM_MSGPOOL_MANAGEMENT
bool 'Allocate message pool buffer from PSRAM'
default n
default y
help
If enabled, the message pool is managed by platform defined logic.
endmenu
@@ -464,7 +464,8 @@ menu "OpenThread"
config OPENTHREAD_NUM_MESSAGE_BUFFERS
int "The number of openthread message buffers"
default 65
default 65 if !OPENTHREAD_PLATFORM_MSGPOOL_MANAGEMENT
default 1024 if OPENTHREAD_PLATFORM_MSGPOOL_MANAGEMENT
config OPENTHREAD_XTAL_ACCURACY
int "The accuracy of the XTAL"
@@ -130,9 +130,18 @@ static esp_err_t erase_all_key(uint16_t aKey)
void otPlatSettingsInit(otInstance *aInstance, const uint16_t *aSensitiveKeys, uint16_t aSensitiveKeysLength)
{
esp_err_t err = nvs_open(OT_NAMESPACE, NVS_READWRITE, &s_ot_nvs_handle);
OT_UNUSED_VARIABLE(aInstance);
OT_UNUSED_VARIABLE(aSensitiveKeys);
OT_UNUSED_VARIABLE(aSensitiveKeysLength);
esp_err_t err = ESP_OK;
if (s_storage_name != NULL) {
err = nvs_open_from_partition(s_storage_name, OT_NAMESPACE, NVS_READWRITE, &s_ot_nvs_handle);
} else {
err = nvs_open(OT_NAMESPACE, NVS_READWRITE, &s_ot_nvs_handle);
}
if (err != ESP_OK) {
ESP_LOGE(OT_PLAT_LOG_TAG, "Failed to open NVS namespace (0x%x)", err);
ESP_LOGE(OT_PLAT_LOG_TAG, "Failed to open %s namespace (0x%x)", s_storage_name == NULL ? "nvs" : s_storage_name, err);
assert(0);
}
}
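Review bot: `aSensitiveKeys` and `aSensitiveKeysLength` are explicitly discarded in `otPlatSettingsInit`, so settings the caller marks as sensitive go through the same `OT_NAMESPACE` handle as everything else, whichever partition `s_storage_name` selects. That deserves a comment on the function, for example `/* aSensitiveKeys is ignored: sensitive settings share this namespace, so any at-rest protection must come from the selected NVS partition itself. */`. Without it, someone pointing `s_storage_name` at a custom partition has no hint that its encryption status matters for these keys.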
@@ -66,30 +66,51 @@ static void trel_browse_notifier(mdns_result_t *result)
while (result) {
if (result->addr && result->addr->addr.type == IPADDR_TYPE_V6) {
otPlatTrelPeerInfo info;
uint8_t trel_txt[1024] = {0};
uint16_t trel_txt_len = 0;
size_t index = 0;
while (index < result->txt_count) {
trel_txt[trel_txt_len++] = strlen(result->txt[index].key) + result->txt_value_len[index] + 1;
memcpy((trel_txt + trel_txt_len), (void *)result->txt[index].key, strlen(result->txt[index].key));
trel_txt_len += (strlen(result->txt[index].key));
trel_txt[trel_txt_len++] = '=';
memcpy((trel_txt + trel_txt_len), (void *)result->txt[index].value, result->txt_value_len[index]);
trel_txt_len += result->txt_value_len[index];
index++;
}
uint8_t *trel_txt = NULL;
size_t trel_txt_len = 0;
if (!s_trel_netif) {
s_trel_netif = result->esp_netif;
} else if (s_trel_netif != result->esp_netif) {
result = result->next;
continue;
}
for (size_t index = 0; index < result->txt_count; index++) {
size_t key_len = strlen(result->txt[index].key);
size_t value_len = result->txt_value_len[index];
trel_txt_len += 1 + key_len + 1 + value_len; // txt_len + key + `=` + value
}
if (trel_txt_len == 0) {
result = result->next;
continue;
}
trel_txt = malloc(trel_txt_len);
ESP_RETURN_ON_FALSE(trel_txt != NULL, , OT_PLAT_LOG_TAG, "Failed to malloc buffer for TREL TXT");
size_t offset = 0;
for (size_t index = 0; index < result->txt_count; index++) {
size_t key_len = strlen(result->txt[index].key);
size_t value_len = result->txt_value_len[index];
trel_txt[offset++] = key_len + value_len + 1;
memcpy(trel_txt + offset, result->txt[index].key, key_len);
offset += key_len;
trel_txt[offset++] = '=';
memcpy(trel_txt + offset, result->txt[index].value, value_len);
offset += value_len;
}
info.mTxtData = trel_txt;
info.mTxtLength = trel_txt_len;
info.mSockAddr.mPort = result->port;
memcpy(info.mSockAddr.mAddress.mFields.m32, result->addr->addr.u_addr.ip6.addr, OT_IP6_ADDRESS_SIZE);
info.mRemoved = (result->ttl == 0);
ESP_LOGI(OT_PLAT_LOG_TAG, "%s TREL peer: address: %s, port:%d", info.mRemoved ? "Remove" : "Found", ip6addr_ntoa(((ip6_addr_t*)(&result->addr->addr.u_addr.ip6))), info.mSockAddr.mPort);
ESP_LOGI(OT_PLAT_LOG_TAG, "%s TREL peer: address: %s, port:%d", info.mRemoved ? "Remove" : "Found", ip6addr_ntoa((ip6_addr_t*)(&result->addr->addr.u_addr.ip6)), info.mSockAddr.mPort);
esp_openthread_task_switching_lock_acquire(portMAX_DELAY);
otPlatTrelHandleDiscoveredPeerInfo(esp_openthread_get_instance(), &info);
esp_openthread_task_switching_lock_release();
free(trel_txt);
}
result = result->next;
}
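Review bot: In the fill loop, `trel_txt[offset++] = key_len + value_len + 1;` stores the entry length in a single byte, but nothing in the sizing loop rejects an entry longer than 255 bytes. These lengths come from an mDNS result. The heap write stays in bounds because both loops use the same arithmetic, but a truncated length byte hands `otPlatTrelHandleDiscoveredPeerInfo` mis-framed TXT data. Adding `if (key_len + 1 + value_len > UINT8_MAX) { trel_txt_len = 0; break; }` to the first loop would route such a result into the existing `trel_txt_len == 0` skip. The total has the same problem if `info.mTxtLength` is narrower than `size_t` (the removed code used `uint16_t`), so a `trel_txt_len > UINT16_MAX` check before `malloc` would be prudent too.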