From caf4cad3b422be5c2f93afeff4cd07796a262b46 Mon Sep 17 00:00:00 2001
From: Shreyas Sheth
Date: Thu, 4 Dec 2025 15:58:54 +0530
Subject: [PATCH] fix(esp_wifi): Backport some wifi fixes

- Fix incorrect allocation of eb due to rsn ie len mismatch
- Set default NVS sae pwe value to SAE_PWE_BOTH for ap and station
- Fix incorrect deauth reason parsing for station
- Fix memory corruption by avoiding unncessary encryption of Mgmt frames

When wpa_supplicant sends an authentication response for an already connection station (with keys installed after a successful 4-way handshake), the Mgmt packet was encrypted unconditionaly based on 'bss->pmf_enable'. This lead to memory corruption since extra space for the encryption header was assumed even when it was not there. Fix this by verifying that the packet is actually a robust management frame before enabling the encryption.
---
 components/esp_wifi/include/esp_wifi_types_generic.h | 4 ++--
 components/esp_wifi/lib | 2 +-
 .../wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h | 2 +-
 components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/components/esp_wifi/include/esp_wifi_types_generic.h b/components/esp_wifi/include/esp_wifi_types_generic.h
index 399c0afb59..cc98293dc9 100644
--- a/components/esp_wifi/include/esp_wifi_types_generic.h
+++ b/components/esp_wifi/include/esp_wifi_types_generic.h
@@ -536,7 +536,7 @@ typedef struct {
 wifi_cipher_type_t pairwise_cipher; /**< Pairwise cipher of SoftAP, group cipher will be derived using this. Cipher values are valid starting from WIFI_CIPHER_TYPE_TKIP, enum values before that will be considered as invalid and default cipher suites(TKIP+CCMP) will be used. Valid cipher suites in softAP mode are WIFI_CIPHER_TYPE_TKIP, WIFI_CIPHER_TYPE_CCMP, WIFI_CIPHER_TYPE_TKIP_CCMP, WIFI_CIPHER_TYPE_GCMP and WIFI_CIPHER_TYPE_GCMP256. */
 bool ftm_responder; /**< Enable FTM Responder mode */
 wifi_pmf_config_t pmf_cfg; /**< Configuration for Protected Management Frame */
- wifi_sae_pwe_method_t sae_pwe_h2e; /**< Configuration for SAE PWE derivation method */
+ wifi_sae_pwe_method_t sae_pwe_h2e; /**< Configuration for SAE PWE derivation method. Default value :2 (WPA3_SAE_PWE_BOTH) */
 uint8_t transition_disable; /**< Whether to enable transition disable feature */
 uint8_t sae_ext; /**< Enable SAE EXT feature. SOC_GCMP_SUPPORT is required for this feature. */
 wifi_bss_max_idle_config_t bss_max_idle_cfg; /**< Configuration for bss max idle, effective if CONFIG_WIFI_BSS_MAX_IDLE_SUPPORT is enabled */
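Review bot: The new comment on `sae_pwe_h2e` pins the default to the literal `2`, and that number looks wrong: if `wifi_sae_pwe_method_t` is declared in the order UNSPECIFIED, HUNT_AND_PECK, HASH_TO_ELEMENT, BOTH (the enum is outside this hunk, so please verify), then `WPA3_SAE_PWE_BOTH` is 3 and `2` names `WPA3_SAE_PWE_HASH_TO_ELEMENT`. Either way a hard-coded number silently drifts the next time the enum is edited, so name only the enumerator: `wifi_sae_pwe_method_t sae_pwe_h2e; /**< Configuration for SAE PWE derivation method. Defaults to WPA3_SAE_PWE_BOTH */`. The identical comment is added to the station config in the `@@ -566,7 +566,7 @@` hunk and should be fixed there as well. Note that the defaulting itself is done by the prebuilt esp_wifi lib bumped in this patch, not by code visible here, so the comment is the only place a reader learns that a field left at its zero value no longer means "unspecified"; an application that wants to restrict SAE to hash-to-element must now set the field explicitly, which the comment could state.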
@@ -566,7 +566,7 @@ typedef struct {
 uint32_t owe_enabled: 1; /**< Whether OWE is enabled for the connection */
 uint32_t transition_disable: 1; /**< Whether to enable transition disable feature */
 uint32_t reserved1: 26; /**< Reserved for future feature set */
- wifi_sae_pwe_method_t sae_pwe_h2e; /**< Configuration for SAE PWE derivation method */
+ wifi_sae_pwe_method_t sae_pwe_h2e; /**< Configuration for SAE PWE derivation method. Default value :2 (WPA3_SAE_PWE_BOTH) */
 wifi_sae_pk_mode_t sae_pk_mode; /**< Configuration for SAE-PK (Public Key) Authentication method */
 uint8_t failure_retry_cnt; /**< Number of connection retries station will do before moving to next AP. scan_method should be set as WIFI_ALL_CHANNEL_SCAN to use this config. Note: Enabling this may cause connection time to increase in case best AP doesn't behave properly. */
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index d7373a90dc..a4e903fe43 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit d7373a90dc3f0be841b29911e33de5f99988dbff
+Subproject commit a4e903fe43bf09a95022f9802db43d39740ccc0b
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h b/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h
index e99fd88dab..a76ff994e7 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h
@@ -131,7 +131,7 @@ struct wpa_funcs {
 bool (*wpa_ap_deinit)(void *data);
 bool (*wpa_ap_join)(void **sm, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len, u8* rsnxe, u16 rsnxe_len, bool *pmf_enable, int subtype, uint8_t *pairwise_cipher);
 bool (*wpa_ap_remove)(u8 *bssid);
- uint8_t *(*wpa_ap_get_wpa_ie)(uint8_t *len);
+ uint8_t *(*wpa_ap_get_wpa_ie)(size_t *len);
 bool (*wpa_ap_rx_eapol)(void *hapd_data, void *sm, u8 *data, size_t data_len);
 void (*wpa_ap_get_peer_spp_msg)(void *sm, bool *spp_cap, bool *spp_req);
 char *(*wpa_config_parse_string)(const char *value, size_t *len);
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
index b0333289ad..c08cbe2925 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
@@ -147,7 +147,7 @@ bool wpa_attach(void)
 return ret;
 }
-uint8_t *wpa_ap_get_wpa_ie(uint8_t *ie_len)
+uint8_t *wpa_ap_get_wpa_ie(size_t *ie_len)
 {
 struct hostapd_data *hapd = (struct hostapd_data *)esp_wifi_get_hostap_private_internal();
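Review bot: Widening the `wpa_ap_get_wpa_ie` slot to `size_t *len` only removes the length mismatch if every caller of the slot is rebuilt against the new prototype, and those callers live in the prebuilt `components/esp_wifi/lib` blob bumped in the same patch, so nothing in the source tree can catch a future drift between this header and the library. With a mismatch the callee writes `sizeof(size_t)` bytes through what the caller sized as a single byte, or the caller reads bytes the callee never wrote, which is presumably the bad `eb` allocation the commit message describes; a comment on the slot should make the coupling explicit, e.g. `uint8_t *(*wpa_ap_get_wpa_ie)(size_t *len); /* prototype shared with the prebuilt esp_wifi lib; any change needs a matching lib bump */`. The matching definition change in `esp_wpa_main.c` begins in the last hunk but its body runs past the end of this excerpt.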