
Commit 4d83458

committed
fix(esp_wifi): Fixed memory corruption in wifi enterprise
Closes #15370
1 parent f428a1e commit 4d83458


1 file changed

+23
-33
lines changed

1 file changed

+23
-33
lines changed

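--- a/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c
@@ -196,7 +196,7 @@ static void wpa2_rxq_deinit(void)
 
 void wpa2_task(void *pvParameters)
 {
-ETSEvent *e;
+ETSEvent e;
 struct eap_sm *sm = gEapSm;
 bool task_del = false;
 
@@ -206,16 +206,16 @@ void wpa2_task(void *pvParameters)
 
 for (;;) {
 if (TRUE == os_queue_recv(s_wpa2_queue, &e, OS_BLOCK)) {
-if (e->sig < SIG_WPA2_MAX) {
+if (e.sig < SIG_WPA2_MAX) {
 DATA_MUTEX_TAKE();
-if (sm->wpa2_sig_cnt[e->sig]) {
-sm->wpa2_sig_cnt[e->sig]--;
+if (sm->wpa2_sig_cnt[e.sig]) {
+sm->wpa2_sig_cnt[e.sig]--;
 } else {
-wpa_printf(MSG_ERROR, "wpa2_task: invalid sig cnt, sig=%" PRId32 " cnt=%d", e->sig, sm->wpa2_sig_cnt[e->sig]);
+wpa_printf(MSG_ERROR, "wpa2_task: invalid sig cnt, sig=%" PRId32 " cnt=%d", e.sig, sm->wpa2_sig_cnt[e.sig]);
 }
 DATA_MUTEX_GIVE();
 }
-switch (e->sig) {
+switch (e.sig) {
 case SIG_WPA2_TASK_DEL:
 task_del = true;
 break;
@@ -235,12 +235,9 @@ void wpa2_task(void *pvParameters)
 default:
 break;
 }
-os_free(e);
-}
-
-if (task_del) {
-break;
-} else {
+if (task_del) {
+break;
+}
 if (s_wifi_wpa2_sync_sem) {
 wpa_printf(MSG_DEBUG, "EAP: wifi->EAP api completed");
 os_semphr_give(s_wifi_wpa2_sync_sem);
@@ -268,6 +265,7 @@ void wpa2_task(void *pvParameters)
 int wpa2_post(uint32_t sig, uint32_t par)
 {
 struct eap_sm *sm = gEapSm;
+ETSEvent evt;
 
 if (!sm) {
 return ESP_FAIL;
@@ -277,28 +275,20 @@ int wpa2_post(uint32_t sig, uint32_t par)
 if (sm->wpa2_sig_cnt[sig]) {
 DATA_MUTEX_GIVE();
 return ESP_OK;
+}
+sm->wpa2_sig_cnt[sig]++;
+DATA_MUTEX_GIVE();
+evt.sig = sig;
+evt.par = par;
+if (os_queue_send(s_wpa2_queue, &evt, os_task_ms_to_tick(10)) != TRUE) {
+wpa_printf(MSG_ERROR, "EAP: Q S E");
+return ESP_FAIL;
+}
+if (s_wifi_wpa2_sync_sem) {
+os_semphr_take(s_wifi_wpa2_sync_sem, OS_BLOCK);
+wpa_printf(MSG_DEBUG, "EAP: EAP api return, sm->state(%d)", sm->finish_state);
 } else {
-ETSEvent *evt = (ETSEvent *)os_malloc(sizeof(ETSEvent));
-if (evt == NULL) {
-wpa_printf(MSG_ERROR, "EAP: E N M");
-DATA_MUTEX_GIVE();
-return ESP_FAIL;
-}
-sm->wpa2_sig_cnt[sig]++;
-DATA_MUTEX_GIVE();
-evt->sig = sig;
-evt->par = par;
-if (os_queue_send(s_wpa2_queue, &evt, os_task_ms_to_tick(10)) != TRUE) {
-wpa_printf(MSG_ERROR, "EAP: Q S E");
-return ESP_FAIL;
-} else {
-if (s_wifi_wpa2_sync_sem) {
-os_semphr_take(s_wifi_wpa2_sync_sem, OS_BLOCK);
-wpa_printf(MSG_DEBUG, "EAP: EAP api return, sm->state(%d)", sm->finish_state);
-} else {
-wpa_printf(MSG_ERROR, "EAP: null wifi->EAP sync sem");
-}
-}
+wpa_printf(MSG_ERROR, "EAP: null wifi->EAP sync sem");
 }
 return ESP_OK;
 }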
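Review bot: In `wpa2_post`, the `os_queue_send` failure branch returns `ESP_FAIL` after `sm->wpa2_sig_cnt[sig]++` has already run, so the counter stays non-zero and every later post of that signal takes the early `return ESP_OK` without queueing anything, which can stall the EAP exchange after a single full-queue event. Undo the increment before returning, under the same lock: `DATA_MUTEX_TAKE(); sm->wpa2_sig_cnt[sig]--; DATA_MUTEX_GIVE();`. Since events are now copied by value, the item size given where `s_wpa2_queue` is created must be `sizeof(ETSEvent)`; that call is outside this diff and worth confirming, because a mismatch would make the queue copy more or fewer bytes than the local `ETSEvent` holds. The lines of `wpa2_post` between its two hunks are not shown, so whether `sig` is range-checked against `SIG_WPA2_MAX` before it indexes `wpa2_sig_cnt` cannot be confirmed from here.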
