fix(wifi): prevent crash in WPS-registrar due to nested 'eap_wsc_reset()' calls

When a WPS handshake is already in progress and the enrollee sends another EAPOL-Start
(e.g., due to missed packets or timeout), the registrar resets its state by calling
'eap_wsc_reset()'. This function frees 'sm->eap_method_priv' and then calls
'esp_wifi_ap_wps_disable()', which internally triggers another call to 'eap_wsc_reset()'.

This results in a double reset where the second invocation accesses the already freed
'sm->eap_method_priv', leading to a crash.

This fix sets 'sm->eap_method_priv' to NULL immediately after freeing it to ensure
any subsequent calls to eap_wsc_reset() do not access an invalid pointer.
Sarvesh Bodakhe
2025-03-05 18:07:35 +05:30
committed by BOT
parent 96512006c0
commit 8631f5dafd


@@ -104,6 +104,7 @@ static void eap_wsc_reset(struct eap_sm *sm, void *priv)
//wps_deinit(data->wps);
os_free(data);
#ifdef ESP_SUPPLICANT
sm->eap_method_priv = NULL;
/* TODO: When wps-registrar is shifted in a separate task other than wifi task,
* call esp_wifi_ap_wps_disable() here instead of wifi_ap_wps_disable_internal()
* */
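Review bot: Clearing `sm->eap_method_priv` only fixes the re-entrant call if `eap_wsc_reset()` returns early on a NULL `priv`; that guard is outside this hunk, so please confirm it exists at the top of the function (otherwise the nested call will dereference NULL instead of freed memory). Two smaller points on the same line: the assignment `sm->eap_method_priv = NULL;` is placed under `#ifdef ESP_SUPPLICANT`, yet nulling a pointer right after `os_free(data)` is harmless and arguably correct for every build, so consider moving it above the `#ifdef`; and since the hunk shows `os_free(data)` rather than `os_free(sm->eap_method_priv)`, a one-line comment noting that `data` is the same allocation as `sm->eap_method_priv` would make the intent of the commit message (free, then clear, then call the disable path that re-enters this function) obvious to the next reader.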