From b7d599984bc5fc65459e8959d46efc76615ce8d4 Mon Sep 17 00:00:00 2001
From: alanmaxwell <chenjianxing@espressif.com>
Date: Fri, 25 Aug 2023 15:30:33 +0800
Subject: [PATCH 1/2] fix(wifi): optimize wifi bin size and fix some issue

1.Optimize bin size for STA only mode
2.Change fragment threshold to 256
3.Support fragment for LR mode
4.Fix ampdu duration issue
5.Fix rx fragment fail in Open mode.
---
 components/esp_rom/esp32c2/ld/esp32c2.rom.ld  | 12 ++--
 .../esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld    |  8 +--
 components/esp_rom/esp32c3/ld/esp32c3.rom.ld  |  6 +-
 .../esp_rom/esp32c6/ld/esp32c6.rom.pp.ld      |  4 +-
 components/esp_rom/esp32s3/ld/esp32s3.rom.ld  |  6 +-
 components/esp_wifi/lib                       |  2 +-
 components/esp_wifi/src/wifi_init.c           | 70 +++++++++++++++++++
 7 files changed, 89 insertions(+), 19 deletions(-)

diff --git a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
index 2f1f246dd0..04f99f44e4 100644
--- a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
+++ b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
@@ -1536,10 +1536,10 @@ pm_on_tbtt = 0x40001ba8;
 pm_sleep_for = 0x40001bc0;
 /* pm_tbtt_process = 0x40001bc4; */
 ppAMPDU2Normal = 0x40001bc8;
-ppAssembleAMPDU = 0x40001bcc;
+/*ppAssembleAMPDU = 0x40001bcc;*/
 ppCalFrameTimes = 0x40001bd0;
 ppCalSubFrameLength = 0x40001bd4;
-ppCalTxAMPDULength = 0x40001bd8;
+/*ppCalTxAMPDULength = 0x40001bd8;*/
 ppCheckTxAMPDUlength = 0x40001bdc;
 ppDequeueRxq_Locked = 0x40001be0;
 ppDequeueTxQ = 0x40001be4;
@@ -1559,8 +1559,8 @@ ppRecycleAmpdu = 0x40001c18;
 ppRecycleRxPkt = 0x40001c1c;
 ppResortTxAMPDU = 0x40001c20;
 ppResumeTxAMPDU = 0x40001c24;
-ppRxFragmentProc = 0x40001c28;
-ppRxPkt = 0x40001c2c;
+/*ppRxFragmentProc = 0x40001c28;*/
+/* ppRxPkt = 0x40001c2c; */
 ppRxProtoProc = 0x40001c30;
 ppSearchTxQueue = 0x40001c34;
 ppSearchTxframe = 0x40001c38;
@@ -1588,7 +1588,7 @@ rcLowerSched = 0x40001c8c;
 rcSetTxAmpduLimit = 0x40001c90;
 /* rcTxUpdatePer = 0x40001c94;*/
 rcUpdateAckSnr = 0x40001c98;
-rcUpdateRate = 0x40001c9c;
+/*rcUpdateRate = 0x40001c9c;*/
 rcUpdateTxDone = 0x40001ca0;
 rcUpdateTxDoneAmpdu2 = 0x40001ca4;
 rcUpSched = 0x40001ca8;
@@ -1663,7 +1663,7 @@ lmacRetryTxFrame = 0x40001db8;
 lmacProcessCollisions_task = 0x40001dbc;
 /*lmacProcessTxopQComplete = 0x40001dc0;*/
 lmacInitAc = 0x40001dc4;
-lmacInit = 0x40001dc8;
+/*lmacInit = 0x40001dc8;*/
 mac_tx_set_txop_q = 0x40001dcc;
 /*hal_init = 0x40001dd0;*/
 hal_mac_rx_set_policy = 0x40001dd4;
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
index 97bcffc8bb..1c265769fd 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
@@ -19,12 +19,12 @@ pm_parse_beacon = 0x40001688;
 pm_process_tim = 0x4000168c;
 pm_rx_beacon_process = 0x40001690;
 pm_rx_data_process = 0x40001694;
-pm_sleep = 0x40001698;
-pm_tbtt_process = 0x400016a0;
+/* pm_sleep = 0x40001698;*/
+/* pm_tbtt_process = 0x400016a0;*/
 ppMapTxQueue = 0x400016d8;
 ppProcTxSecFrame = 0x400016dc;
-ppRxFragmentProc = 0x40001704;
-rcGetSched = 0x40001764;
+/*ppRxFragmentProc = 0x40001704;*/
+/* rcGetSched = 0x40001764;*/
 rcTxUpdatePer = 0x40001770;
 rcUpdateTxDone = 0x4000177c;
 wDevCheckBlockError = 0x400017b4;
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
index ddbbdb2230..72ca93e15e 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
@@ -1559,10 +1559,10 @@ pm_on_tbtt = 0x40001684;
 pm_sleep_for = 0x4000169c;
 /* pm_tbtt_process = 0x400016a0; */
 ppAMPDU2Normal = 0x400016a4;
-ppAssembleAMPDU = 0x400016a8;
+/*ppAssembleAMPDU = 0x400016a8;*/
 ppCalFrameTimes = 0x400016ac;
 ppCalSubFrameLength = 0x400016b0;
-ppCalTxAMPDULength = 0x400016b4;
+/*ppCalTxAMPDULength = 0x400016b4;*/
 ppCheckTxAMPDUlength = 0x400016b8;
 ppDequeueRxq_Locked = 0x400016bc;
 ppDequeueTxQ = 0x400016c0;
@@ -1608,7 +1608,7 @@ rcLowerSched = 0x40001768;
 rcSetTxAmpduLimit = 0x4000176c;
 /* rcTxUpdatePer = 0x40001770;*/
 rcUpdateAckSnr = 0x40001774;
-rcUpdateRate = 0x40001778;
+/*rcUpdateRate = 0x40001778;*/
 /* rcUpdateTxDone = 0x4000177c; */
 rcUpdateTxDoneAmpdu2 = 0x40001780;
 rcUpSched = 0x40001784;
diff --git a/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld b/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
index 61a4f4e10d..0bd51bb71f 100644
--- a/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
+++ b/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
@@ -100,7 +100,7 @@ ppRecycleAmpdu = 0x40000d10;
 ppRecycleRxPkt = 0x40000d14;
 //ppResortTxAMPDU = 0x40000d18;
 ppResumeTxAMPDU = 0x40000d1c;
-ppRxFragmentProc = 0x40000d20;
+/*ppRxFragmentProc = 0x40000d20;*/
 //ppRxPkt = 0x40000d24;
 ppRxProtoProc = 0x40000d28;
 ppSearchTxQueue = 0x40000d2c;
@@ -129,7 +129,7 @@ rcLowerSched = 0x40000d84;
 rcSetTxAmpduLimit = 0x40000d88;
 rcTxUpdatePer = 0x40000d8c;
 rcUpdateAckSnr = 0x40000d90;
-rcUpdateRate = 0x40000d94;
+/*rcUpdateRate = 0x40000d94;*/
 rcUpdateTxDone = 0x40000d98;
 rcUpdateTxDoneAmpdu2 = 0x40000d9c;
 rcUpSched = 0x40000da0;
diff --git a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
index 75d1c3ddba..15b2cbd52c 100644
--- a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
+++ b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
@@ -1861,10 +1861,10 @@ pm_on_tbtt = 0x400054cc;
 pm_sleep_for = 0x40005514;
 /* pm_tbtt_process = 0x40005520; */
 ppAMPDU2Normal = 0x4000552c;
-ppAssembleAMPDU = 0x40005538;
+/*ppAssembleAMPDU = 0x40005538;*/
 ppCalFrameTimes = 0x40005544;
 ppCalSubFrameLength = 0x40005550;
-ppCalTxAMPDULength = 0x4000555c;
+/*ppCalTxAMPDULength = 0x4000555c;*/
 ppCheckTxAMPDUlength = 0x40005568;
 ppDequeueRxq_Locked = 0x40005574;
 ppDequeueTxQ = 0x40005580;
@@ -1912,7 +1912,7 @@ rcLowerSched = 0x40005778;
 rcSetTxAmpduLimit = 0x40005784;
 /* rcTxUpdatePer = 0x40005790;*/
 rcUpdateAckSnr = 0x4000579c;
-rcUpdateRate = 0x400057a8;
+/*rcUpdateRate = 0x400057a8;*/
 /* rcUpdateTxDone = 0x400057b4; */
 rcUpdateTxDoneAmpdu2 = 0x400057c0;
 rcUpSched = 0x400057cc;
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index b75e61ea71..8c6662224e 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit b75e61ea71cffae1b9cdea6494e170c980c4317b
+Subproject commit 8c6662224e36879fa33945009641bde405cb4c58
diff --git a/components/esp_wifi/src/wifi_init.c b/components/esp_wifi/src/wifi_init.c
index 37588a0542..fbe2be440e 100644
--- a/components/esp_wifi/src/wifi_init.c
+++ b/components/esp_wifi/src/wifi_init.c
@@ -391,7 +391,77 @@ void ieee80211_ftm_attach(void)
 #ifndef CONFIG_ESP_WIFI_SOFTAP_SUPPORT
 void net80211_softap_funcs_init(void)
 {
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
 }
+
+bool ieee80211_ap_try_sa_query(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return false;
+}
+
+bool ieee80211_ap_sa_query_timeout(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return false;
+}
+
+int add_mic_ie_bip(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return 0;
+}
+
+void ieee80211_free_beacon_eb(void)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+int ieee80211_pwrsave(void *p1, void *p2)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return 0;
+}
+
+void cnx_node_remove(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+int ieee80211_set_tim(void *p, int arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return 0;
+}
+
+bool ieee80211_is_bufferable_mmpdu(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return false;
+}
+
+void cnx_node_leave(void *p, uint8_t arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+void ieee80211_beacon_construct(void *p1, void *p2, void *p3, void *p4)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+void * ieee80211_assoc_resp_construct(void *p, int arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return NULL;
+}
+
+void * ieee80211_alloc_proberesp(void *p, int arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return NULL;
+}
+
 #endif
 
 #ifndef CONFIG_ESP_WIFI_NAN_ENABLE

From b3c712356874183a2c24aa72d4bf58b5ad32730c Mon Sep 17 00:00:00 2001
From: Kapil Gupta <kapil.gupta@espressif.com>
Date: Wed, 18 Oct 2023 18:20:48 +0530
Subject: [PATCH 2/2] fix(esp_wifi): Drop fragmented AMPDU(fixCVE-2020-26142)

---
 components/esp_rom/esp32c3/ld/esp32c3.rom.ld | 2 +-
 components/esp_rom/esp32s3/ld/esp32s3.rom.ld | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
index 72ca93e15e..21d1db799a 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
@@ -1581,7 +1581,7 @@ ppRecycleRxPkt = 0x400016f8;
 ppResortTxAMPDU = 0x400016fc;
 ppResumeTxAMPDU = 0x40001700;
 /* ppRxFragmentProc = 0x40001704; */
-ppRxPkt = 0x40001708;
+/* ppRxPkt = 0x40001708; */
 ppRxProtoProc = 0x4000170c;
 ppSearchTxQueue = 0x40001710;
 ppSearchTxframe = 0x40001714;
diff --git a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
index 15b2cbd52c..fc514b44ea 100644
--- a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
+++ b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
@@ -1884,7 +1884,7 @@ ppRecycleRxPkt = 0x40005628;
 ppResortTxAMPDU = 0x40005634;
 ppResumeTxAMPDU = 0x40005640;
 /* ppRxFragmentProc = 0x4000564c; */
-ppRxPkt = 0x40005658;
+/* ppRxPkt = 0x40005658; */
 ppRxProtoProc = 0x40005664;
 ppSearchTxQueue = 0x40005670;
 ppSearchTxframe = 0x4000567c;