From 7999489c6e7d7ad37b9cf169c28c45c896d60c85 Mon Sep 17 00:00:00 2001
From: Sarvesh Bodakhe
Date: Thu, 2 Feb 2023 18:48:06 +0530
Subject: [PATCH 1/2] Combine improvements in sa query and buffer deauth, disassoc, action frames for connected station in sleep mode
---
components/esp_rom/esp32c2/ld/esp32c2.rom.ld | 1 -
components/esp_wifi/lib | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
index 56bfc2418c..c97e5a392a 100644
--- a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
+++ b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
@@ -1980,7 +1980,6 @@ ieee80211_encap_null_data = 0x4000211c;
ieee80211_send_deauth = 0x40002120;
ieee80211_alloc_deauth = 0x40002124;
ieee80211_send_proberesp = 0x40002128;
-ieee80211_tx_mgt_cb = 0x4000212c;
ieee80211_getcapinfo = 0x40002130;
sta_rx_csa = 0x40002134;
sta_recv_sa_query_resp = 0x40002144;
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index 41d098bdad..88b2729cbf 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit 41d098bdad1d854e2cb90062d50a1aacb8fb8061
+Subproject commit 88b2729cbf3e653b08c3cc9a7a59689f439f53a3
From cad044a3b6faf57087724985ae7fd6c7c227a1e8 Mon Sep 17 00:00:00 2001
From: gauri patankar
Date: Fri, 16 Dec 2022 18:38:03 +0530
Subject: [PATCH 2/2] wpa_supplicant:Fix potential null pointer dereference
---
components/wpa_supplicant/src/rsn_supp/wpa.c | 23 ++++++++++++++------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c
index 5a2c0d4813..b1b84091ed 100644
--- a/components/wpa_supplicant/src/rsn_supp/wpa.c
+++ b/components/wpa_supplicant/src/rsn_supp/wpa.c
@@ -52,6 +52,7 @@ struct wpa_sm gWpaSm; /* fix buf for tx for now */ #define WPA_TX_MSG_BUFF_MAXLEN 200 +#define MIN_DH_LEN 4 #define ASSOC_IE_LEN 24 + 2 + PMKID_LEN + RSN_SELECTOR_LEN #define MAX_EAPOL_RETRIES 3 @@ -2914,7 +2915,6 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i { size_t prime_len=0,hash_len=0; struct wpabuf * sh_secret = NULL, *pub = NULL, *hkey = NULL; - int res; const char *info = "OWE Key Generation"; u8 pmkid[SHA256_MAC_LEN], prk[SHA256_MAC_LEN], pmk[SHA256_MAC_LEN]; const u8 *addr[2]; @@ -2924,8 +2924,6 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i struct wpa_sm *sm; sm = get_wpa_sm(); - (void)res; - wpabuf_free(sm->owe_ie); //free the dh ie constructed in owe_build_assoc_req sm->owe_ie = NULL; @@ -2933,14 +2931,14 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i parsed_rsn_data = os_zalloc(sizeof(struct wpa_ie_data)); if (!parsed_rsn_data) { wpa_printf(MSG_ERROR, "Memory allocation failed"); - goto fail; + return -1; } if (rsn_ie && rsn_len && wpa_parse_wpa_ie_rsn(rsn_ie, rsn_len + 2, parsed_rsn_data) != 0) { goto fail; } - if (!dh_ie && !dh_len && parsed_rsn_data->num_pmkid == 0) { - wpa_printf(MSG_ERROR, "OWE: No diffie hellman parameter in response"); + if (!dh_ie || dh_len < MIN_DH_LEN || parsed_rsn_data->num_pmkid == 0) { + wpa_printf(MSG_ERROR, "OWE: Invalid parameter"); goto fail; } @@ -2981,7 +2979,11 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i addr[1] = dh_ie + 2; len[1] = dh_len - 2; - res = sha256_vector(2, addr, len, pmkid); + int res = sha256_vector(2, addr, len, pmkid); + if (res < 0 ) { + goto fail; + } + hash_len = SHA256_MAC_LEN; pub = wpabuf_zeropad(pub, prime_len); 
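Review bot: `#define MIN_DH_LEN 4` is introduced without a comment saying what the four bytes are, and the only hint in the diff is the later `addr[1] = dh_ie + 2; len[1] = dh_len - 2;`, which shows that two leading bytes are skipped but not what they are. Since this bound is what keeps `dh_len - 2` from wrapping, it deserves a note at the definition such as `/* Shortest Diffie-Hellman Parameter element body accepted: the 2-byte field skipped by dh_ie + 2 (presumably the group id) plus at least 2 bytes of peer public key; keeps dh_len - 2 from wrapping */`, with the field name corrected to whatever layout the caller actually passes. If the public-key length is checked against the group's prime length further down (that part of owe_process_assoc_resp is outside the hunks), say so in the comment; otherwise a 2-byte "key" passes this check.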
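Review bot: The rewritten guard `if (!dh_ie || dh_len < MIN_DH_LEN || parsed_rsn_data->num_pmkid == 0)` makes an RSNE carrying a PMKID mandatory in the Association Response, where the old (broken) condition only failed when everything was absent; with `rsn_ie == NULL` the zeroed `parsed_rsn_data` has `num_pmkid == 0`, so such responses are now rejected outright. The NULL-dereference fix itself is right, but this is a behaviour change against APs that do not echo the PMKID, and whether the PMKID is consumed later in this function (the code between this hunk and the hashing is outside the diff) decides whether it must be mandatory; please confirm, or drop the `num_pmkid` clause and keep only the `dh_ie`/`dh_len` checks here. The replacement log message `"OWE: Invalid parameter"` also loses the information the old one gave; `wpa_printf(MSG_ERROR, "OWE: DH element missing/short (len %u) or no PMKID in RSNE", (unsigned) dh_len);` tells a field log which of the inputs was bad. owe_process_assoc_resp continues on both sides of this hunk.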
@@ -2996,6 +2998,10 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i wpabuf_put_le16(hkey, sm->owe_group); /* group */ res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), wpabuf_head(sh_secret), wpabuf_len(sh_secret), prk); + if (res < 0 ) { + goto fail; + } + hash_len = SHA256_MAC_LEN; wpabuf_free(hkey); @@ -3006,6 +3012,9 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *)info, os_strlen(info), pmk, hash_len); + if (res < 0 ) { + goto fail; + } forced_memzero(prk, SHA256_MAC_LEN); wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, OWE_PMKID_LEN);
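Review bot: The new `if (res < 0 ) { goto fail; }` after `hmac_sha256(...)` jumps over the `wpabuf_free(hkey);` that follows it, so unless the `fail:` label (outside the hunk, not visible here) frees `hkey`, the HMAC failure path now leaks that buffer; `sh_secret`, which holds the ECDH shared secret, needs the same scrutiny and should be scrubbed rather than only freed. If `fail:` does not already cover it, release before jumping: `if (res < 0) { wpabuf_free(hkey); goto fail; }` (or `wpabuf_clear_free` if this tree has it). Minor style: all three new checks are written `if (res < 0 )` with a stray space before the closing parenthesis.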
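Review bot: The new early `goto fail` after `hmac_sha256_kdf(...)` bypasses the `forced_memzero(prk, SHA256_MAC_LEN);` on the next line, so on KDF failure the PRK from which the PMK is derived stays in the stack frame unless `fail:` zeroes it, and `fail:` is outside the hunk so I cannot tell. The failure exit added after `hmac_sha256()` in the preceding hunk leaves `prk` in the same state. Either scrub before jumping, `if (res < 0) { forced_memzero(prk, SHA256_MAC_LEN); goto fail; }`, or move the memzero of `prk` (and, if it is not consumed on the success path, `pmk`) under the `fail:` label so every exit covers it.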