espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-30 10:47:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/stack_corruption_btm_task' into 'release/v5.3'

Browse Source 
fix(esp_wifi): Fix stack curruption in btm task (v5.3)

See merge request espressif/esp-idf!36970
This commit is contained in:
Jiang Jiang Jian
2025-02-14 19:02:01 +08:00
parent f62b178a65 746abfa199
commit 68556198ff
1 changed files with 7 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
components/wpa_supplicant/esp_supplicant/src/esp_common.c
View File

@ -119,7 +119,7 @@ static int mgmt_rx_action(u8 *frame, size_t len, u8 *sender, int8_t rssi, u8 cha
#ifdef CONFIG_SUPPLICANT_TASK #ifdef CONFIG_SUPPLICANT_TASK
static void btm_rrm_task(void *pvParameters) static void btm_rrm_task(void *pvParameters)
{ {
supplicant_event_t *evt; supplicant_event_t evt;
bool task_del = false; bool task_del = false;
while (1) { while (1) {
@ -128,14 +128,13 @@ static void btm_rrm_task(void *pvParameters)
} }
/* event validation failed */ /* event validation failed */
if (evt->id >= SIG_SUPPLICANT_MAX) { if (evt.id >= SIG_SUPPLICANT_MAX) {
os_free(evt);
continue; continue;
} }
switch (evt->id) { switch (evt.id) {
case SIG_SUPPLICANT_RX_ACTION: { case SIG_SUPPLICANT_RX_ACTION: {
struct ieee_mgmt_frame *frm = (struct ieee_mgmt_frame *)evt->data; struct ieee_mgmt_frame *frm = (struct ieee_mgmt_frame *)evt.data;
mgmt_rx_action(frm->payload, frm->len, frm->sender, frm->rssi, frm->channel); mgmt_rx_action(frm->payload, frm->len, frm->sender, frm->rssi, frm->channel);
os_free(frm); os_free(frm);
break; break;
@ -151,8 +150,6 @@ static void btm_rrm_task(void *pvParameters)
break; break;
} }
os_free(evt);
if (task_del) { if (task_del) {
break; break;
} }
@ -877,13 +874,9 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s,
#ifdef CONFIG_SUPPLICANT_TASK #ifdef CONFIG_SUPPLICANT_TASK
int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data) int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
{ {
supplicant_event_t *evt = os_zalloc(sizeof(supplicant_event_t)); supplicant_event_t evt;
if (!evt) { evt.id = evt_id;
wpa_printf(MSG_ERROR, "Failed to allocated memory"); evt.data = data;
return -1;
}
evt->id = evt_id;
evt->data = data;
/* Make sure lock exists before taking it */ /* Make sure lock exists before taking it */
SUPPLICANT_API_LOCK(); SUPPLICANT_API_LOCK();
@ -891,13 +884,11 @@ int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
/* Make sure no event can be sent when deletion event is sent or task not initialized */ /* Make sure no event can be sent when deletion event is sent or task not initialized */
if (!s_supplicant_task_init_done) { if (!s_supplicant_task_init_done) {
SUPPLICANT_API_UNLOCK(); SUPPLICANT_API_UNLOCK();
os_free(evt);
return -1; return -1;
} }
if (os_queue_send(s_supplicant_evt_queue, &evt, os_task_ms_to_tick(10)) != TRUE) { if (os_queue_send(s_supplicant_evt_queue, &evt, os_task_ms_to_tick(10)) != TRUE) {
SUPPLICANT_API_UNLOCK(); SUPPLICANT_API_UNLOCK();
os_free(evt);
return -1; return -1;
} }
if (evt_id == SIG_SUPPLICANT_DEL_TASK) { if (evt_id == SIG_SUPPLICANT_DEL_TASK) {