From 8631f5dafdcb8adf7e9c779895d13b8fcbb72713 Mon Sep 17 00:00:00 2001
From: Sarvesh Bodakhe
Date: Wed, 5 Mar 2025 18:07:35 +0530
Subject: [PATCH] fix(wifi): prevent crash in WPS-registrar due to nested 'eap_wsc_reset()' calls

When a WPS handshake is already in progress and the enrollee sends another EAPOL-Start (e.g., due to missed packets or timeout), the registrar resets its state by calling 'eap_wsc_reset()'. This function frees 'sm->eap_method_priv' and then calls 'esp_wifi_ap_wps_disable()', which internally triggers another call to 'eap_wsc_reset()'. This results in a double reset where the second invocation accesses the already freed 'sm->eap_method_priv', leading to a crash.

This fix sets 'sm->eap_method_priv' to NULL immediately after freeing it to ensure any subsequent calls to eap_wsc_reset() do not access an invalid pointer.
---
 components/wpa_supplicant/src/eap_server/eap_server_wsc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/components/wpa_supplicant/src/eap_server/eap_server_wsc.c b/components/wpa_supplicant/src/eap_server/eap_server_wsc.c
index 653480efcc..e5dac44cc8 100644
--- a/components/wpa_supplicant/src/eap_server/eap_server_wsc.c
+++ b/components/wpa_supplicant/src/eap_server/eap_server_wsc.c
@@ -104,6 +104,7 @@ static void eap_wsc_reset(struct eap_sm *sm, void *priv)
 //wps_deinit(data->wps);
 os_free(data);
 #ifdef ESP_SUPPLICANT
+ sm->eap_method_priv = NULL;
 /* TODO: When wps-registrar is shifted in a separate task other than wifi task,
 * call esp_wifi_ap_wps_disable() here instead of wifi_ap_wps_disable_internal()
 * */
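Review bot: The added `sm->eap_method_priv = NULL;` only neutralises the nested reset if the re-entry path checks that pointer before calling this function; should it reach `eap_wsc_reset(sm, NULL)` and the function prologue dereference `data` (upstream hostap's version touches `data->in_buf` unconditionally), the crash the message describes simply moves a few lines up. A guard at the top of the function, `if (data == NULL) return;`, would make the double entry safe regardless of what the caller verifies; the start of eap_wsc_reset is outside this hunk, so whether such a check already exists cannot be confirmed here. The pointer is also cleared only under `#ifdef ESP_SUPPLICANT`, yet a dangling `eap_method_priv` after `os_free(data)` is never useful, so placing the assignment outside the ifdef would stop the non-ESP build from relying on the EAP state machine to reset it. The nested `wifi_ap_wps_disable_internal()` call the message refers to lies below the hunk as well.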