From 2ce481ffbd074d6a24e6508319ded1daf446c5a8 Mon Sep 17 00:00:00 2001 From: Kapil Gupta Date: Tue, 20 May 2025 21:31:51 +0530 Subject: [PATCH 1/2] fix(esp_wifi): Disble IP renew skip by default --- components/esp_wifi/wifi_apps/roaming_app/src/Kconfig.roaming | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/esp_wifi/wifi_apps/roaming_app/src/Kconfig.roaming b/components/esp_wifi/wifi_apps/roaming_app/src/Kconfig.roaming index 98e768f899..89ee6b182e 100644 --- a/components/esp_wifi/wifi_apps/roaming_app/src/Kconfig.roaming +++ b/components/esp_wifi/wifi_apps/roaming_app/src/Kconfig.roaming @@ -93,7 +93,7 @@ menu "Roaming Methods" config ESP_WIFI_NETWORK_ASSISTED_ROAMING_IP_RENEW_SKIP bool "Skip IP renew during BTM based roaming" depends on ESP_WIFI_ROAMING_NETWORK_ASSISTED_ROAM - default y + default n help Station will not ask for IP renew after a BTM based roaming. Before enabling please make sure your network supports this. From 17cd200c67844d953bab222a9e7067aa83b5471a Mon Sep 17 00:00:00 2001 From: Kapil Gupta Date: Tue, 20 May 2025 21:29:45 +0530 Subject: [PATCH 2/2] fix(esp_wifi): Fixed static analyzer issues --- .../esp_supplicant/src/crypto/crypto_mbedtls-bignum.c | 11 ++++++++--- .../esp_supplicant/src/crypto/crypto_mbedtls-ec.c | 8 +++++++- .../esp_supplicant/src/crypto/fastpbkdf2.c | 2 +- .../wpa_supplicant/esp_supplicant/src/esp_wps.c | 8 ++++---- components/wpa_supplicant/src/ap/wpa_auth.c | 1 + components/wpa_supplicant/src/crypto/sha256-prf.c | 2 +- components/wpa_supplicant/src/crypto/sha384-prf.c | 2 +- components/wpa_supplicant/src/eap_peer/eap_fast_pac.c | 9 ++++----- components/wpa_supplicant/src/eap_peer/eap_ttls.c | 8 ++++---- components/wpa_supplicant/src/rsn_supp/wpa_ie.c | 10 ++++++++-- components/wpa_supplicant/src/utils/json.c | 3 ++- components/wpa_supplicant/src/wps/wps.h | 2 +- 12 files changed, 42 insertions(+), 24 deletions(-) 
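Review bot: The help text of ESP_WIFI_NETWORK_ASSISTED_ROAMING_IP_RENEW_SKIP tells the user to "make sure your network supports this" but never says what breaks when it does not, and with the default now `n` that is the one thing someone re-enabling it needs to know. Suggested wording for the two help lines: `Station will not ask for IP renew after a BTM based roaming. Only enable this if every AP the station can roam to serves the same subnet; otherwise the station may keep an unusable address after roaming.` The subnet condition is my reading of why a renew would be required; adjust it if the actual constraint is different.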
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c index d912c253af..8ef5e37c57 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -51,15 +51,20 @@ cleanup: struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) { + int ret; mbedtls_mpi *bn = os_zalloc(sizeof(mbedtls_mpi)); - if (bn == NULL) { + if (!bn) { return NULL; } mbedtls_mpi_init(bn); - mbedtls_mpi_lset(bn, val); + ret = mbedtls_mpi_lset(bn, val); + if (ret) { + crypto_bignum_deinit((struct crypto_bignum *)bn, 0); + bn = NULL; + } return (struct crypto_bignum *)bn; } diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c index 4799ab54fb..a08624fbc9 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c @@ -1177,6 +1177,7 @@ struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int y) { struct wpabuf *public_key = NULL; uint8_t *buf = NULL; + int ret; mbedtls_ecdh_context *ctx = (mbedtls_ecdh_context *)ecdh; size_t prime_len = ACCESS_ECDH(ctx, grp).pbits / 8; 
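Review bot: The new error check in crypto_bignum_init_uint does not cover a silent failure mode that is more likely than an allocation error: `mbedtls_mpi_lset()` takes a signed `mbedtls_mpi_sint`, so an `unsigned int val` above that type's signed maximum is converted to a negative value and the function returns a negative bignum with `ret == 0`. If callers can pass such values, load the value through an unsigned path instead — write `val` big-endian into a small local array and call `mbedtls_mpi_read_binary()` — or reject it up front with a range check before the allocation. The failure branch also relies on `crypto_bignum_deinit()` freeing both the mpi contents and the `os_zalloc` wrapper; that is not visible here, so a comment such as `/* crypto_bignum_deinit() frees bn itself */` would make the ownership explicit. The clear flag `0` is fine since only a public constant was loaded.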
@@ -1187,8 +1188,13 @@ struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int y) } /* Export an MPI into unsigned big endian binary data of fixed size */ - mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx, Q).MBEDTLS_PRIVATE(X), buf, prime_len); + ret = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx, Q).MBEDTLS_PRIVATE(X), buf, prime_len); + if (ret) { + goto cleanup; + } public_key = wpabuf_alloc_copy(buf, 32); + +cleanup: os_free(buf); return public_key; } diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c b/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c index f2bd0cfd3e..c938506e94 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c @@ -109,7 +109,7 @@ static inline void md_pad(uint8_t *block, size_t blocksz, size_t used, size_t ms const uint8_t *key, size_t nkey) \ { \ /* Prepare key: */ \ - uint8_t k[_blocksz]; \ + uint8_t k[_blocksz] = {0}; \ \ /* Shorten long keys. */ \ if (nkey > _blocksz) \ diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wps.c b/components/wpa_supplicant/esp_supplicant/src/esp_wps.c index e6fb8ced74..dc61239d5c 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_wps.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_wps.c @@ -636,11 +636,11 @@ int wps_process_wps_mX_req(u8 *ubuf, int len, enum wps_process_res *res) tlen = frag_len; } + if (tlen > 50000) { + wpa_printf(MSG_ERROR, "EAP-WSC: Invalid Message Length"); + return ESP_FAIL; + } if ((flag & WPS_MSG_FLAG_MORE) || wps_buf != NULL) {//frag msg - if (tlen > 50000) { - wpa_printf(MSG_ERROR, "EAP-WSC: Invalid Message Length"); - return ESP_FAIL; - } wpa_printf(MSG_DEBUG, "rx frag msg id:%d, flag:%d, frag_len: %d, tot_len: %d, be_tot_len:%d", sm->current_identifier, flag, frag_len, tlen, be_tot_len); if (ESP_OK != wps_enrollee_process_msg_frag(&wps_buf, tlen, tbuf, frag_len, flag)) { if (wps_buf) { 
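Review bot: The line after the new `goto cleanup` still reads `public_key = wpabuf_alloc_copy(buf, 32);` although the export just above wrote `prime_len` bytes (`pbits / 8`, computed at the top of the function outside this hunk), so for any curve whose prime is not 256 bits the wrong amount is copied, and if `buf` was sized from `prime_len` and `prime_len < 32` this reads past it. It should be `public_key = wpabuf_alloc_copy(buf, prime_len);`, or, if only P-256 is meant to reach this function, an explicit `if (prime_len != 32) { goto cleanup; }` before the export. The allocation of `buf` is outside the hunk, so the over-read is inferred from the size used in the export.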
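Review bot: Zero-initialising `k` satisfies the analyzer, but `k` is the HMAC key block of the PBKDF2 PRF and the macro body that uses it continues past the hunk; what matters for security is that it is wiped before the function returns, which `= {0}` does not give. If the end of the macro body does not already clear it, add `forced_memzero(k, sizeof(k));` (or whatever secure-wipe helper this file has access to) after the last use. If the later code pads the unused tail with zeros anyway, a comment such as `/* zero-init: the analyzer cannot see the explicit padding below */` would record why the initialiser is there.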
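Review bot: Hoisting the `tlen > 50000` check ahead of the fragment branch means it can now return `ESP_FAIL` while `wps_buf` holds a partially reassembled message, and unlike the `wps_enrollee_process_msg_frag()` failure path a few lines down it does not release it; a peer can send a valid first fragment followed by one with an oversized total length and leave the reassembly buffer allocated with stale contents for the next exchange (assuming `wps_buf` is the file-scope reassembly buffer, which its use without a local declaration suggests). Free and reset `wps_buf` in the new early-return block the same way the fragment-failure branch below does. `50000` is also a magic number; a named constant such as `WPS_MAX_MSG_LEN` with a comment on where the bound comes from would be clearer. The enclosing function wps_process_wps_mX_req starts before the hunk.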
diff --git a/components/wpa_supplicant/src/ap/wpa_auth.c b/components/wpa_supplicant/src/ap/wpa_auth.c index f5715611a8..f1d4cd08a0 100644 --- a/components/wpa_supplicant/src/ap/wpa_auth.c +++ b/components/wpa_supplicant/src/ap/wpa_auth.c @@ -1629,6 +1629,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); sm->EAPOLKeyReceived = FALSE; sm->update_snonce = FALSE; + os_memset(&PTK, 0, sizeof(PTK)); pmk_len = PMK_LEN; /* WPA with IEEE 802.1X: use the derived PMK from EAP diff --git a/components/wpa_supplicant/src/crypto/sha256-prf.c b/components/wpa_supplicant/src/crypto/sha256-prf.c index d665a9983c..de7394a32a 100644 --- a/components/wpa_supplicant/src/crypto/sha256-prf.c +++ b/components/wpa_supplicant/src/crypto/sha256-prf.c @@ -97,7 +97,7 @@ int sha256_prf_bits(const u8 *key, size_t key_len, const char *label, * Mask out unused bits in the last octet if it does not use all the * bits. */ - if (buf_len_bits % 8) { + if (pos > 0 && (buf_len_bits % 8)) { u8 mask = 0xff << (8 - buf_len_bits % 8); buf[pos - 1] &= mask; } diff --git a/components/wpa_supplicant/src/crypto/sha384-prf.c b/components/wpa_supplicant/src/crypto/sha384-prf.c index 420e78c380..fdf3316550 100644 --- a/components/wpa_supplicant/src/crypto/sha384-prf.c +++ b/components/wpa_supplicant/src/crypto/sha384-prf.c @@ -97,7 +97,7 @@ int sha384_prf_bits(const u8 *key, size_t key_len, const char *label, * Mask out unused bits in the last octet if it does not use all the * bits. */ - if (buf_len_bits % 8) { + if (pos > 0 && (buf_len_bits % 8)) { u8 mask = 0xff << (8 - buf_len_bits % 8); buf[pos - 1] &= mask; } diff --git a/components/wpa_supplicant/src/eap_peer/eap_fast_pac.c b/components/wpa_supplicant/src/eap_peer/eap_fast_pac.c index 39821ddb1a..940eeb7f81 100644 --- a/components/wpa_supplicant/src/eap_peer/eap_fast_pac.c +++ b/components/wpa_supplicant/src/eap_peer/eap_fast_pac.c 
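Review bot: `os_memset(&PTK, 0, sizeof(PTK));` on entry to PTKCALCNEGOTIATING initialises the local PTK before derivation, which is what the analyzer wanted, but PTK is the pairwise key for this association and the state function continues past the hunk; the matching wipe when the state is left must be `forced_memzero(&PTK, sizeof(PTK));`, since a plain `os_memset` just before return is a dead store the compiler may drop. If the exit path already does that, nothing more is needed; otherwise add it. A comment such as `/* PTK is local: zeroed on entry, wiped with forced_memzero on exit */` would tie the two sites together.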
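Review bot: The added `pos > 0` guard in sha256_prf_bits should carry a comment, because on its own it reads as if an odd bit count could leave the last octet unmasked: when `buf_len_bits % 8` is non-zero the output has at least one octet, so `pos` can only be zero if the derivation loop above (outside the hunk) bailed out early, and in that case the function has presumably returned already. Suggest `/* pos > 0 always holds when buf_len_bits % 8 != 0; the check only silences the analyzer's underflow warning on pos - 1 */`. The same applies to the identical change in sha384-prf.c.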
@@ -426,11 +426,9 @@ int eap_fast_load_pac(struct eap_sm *sm, struct eap_fast_pac **pac_root, if (eap_fast_read_line(&rc, &pos) < 0) { /* empty file - assume it is fine to overwrite */ - printf("\n\nassuming it is fine to overwrite... \n\n"); eap_fast_deinit_pac_data(&rc); return 0; } - printf("\n\nPAC FILE =\n%s", rc.pos); if (os_strcmp(pac_file_hdr, rc.buf) != 0) err = "Unrecognized header line"; @@ -546,11 +544,13 @@ static int eap_fast_write_pac(struct eap_sm *sm, const char *pac_file, blob->data = (u8 *) buf; blob->len = len; buf = NULL; +#ifndef ESP_SUPPLICANT blob->name = os_strdup(pac_file + 7); if (blob->name == NULL) { os_free(blob); return -1; } +#endif eap_set_config_blob(sm, blob); os_free(blob); } else { @@ -657,7 +657,6 @@ int eap_fast_save_pac(struct eap_sm *sm, struct eap_fast_pac *pac_root, return -1; } - wpa_printf(MSG_DEBUG, "PAC file: %s", (sm->blob[3].data)); wpa_printf(MSG_DEBUG, "EAP-FAST: Wrote %d PAC entries into '%s'", count, pac_file); @@ -755,8 +754,7 @@ int eap_fast_load_pac_bin(struct eap_sm *sm, struct eap_fast_pac **pac_root, { const struct wpa_config_blob *blob = NULL; u8 *buf, *end, *pos; - size_t len = 0; - size_t count = 0; + size_t len, count = 0; struct eap_fast_pac *pac, *prev; *pac_root = NULL; @@ -776,6 +774,7 @@ int eap_fast_load_pac_bin(struct eap_sm *sm, struct eap_fast_pac **pac_root, len = blob->len; } else { buf = (u8 *) sm->blob[3].data; //(u8 *) os_readfile(pac_file, &len); + len = sm->blob[3].len; if (buf == NULL) { wpa_printf(MSG_INFO, "EAP-FAST: No PAC file '%s' - " "assume no PAC entries have been " diff --git a/components/wpa_supplicant/src/eap_peer/eap_ttls.c b/components/wpa_supplicant/src/eap_peer/eap_ttls.c index fd7949513e..af80fe049b 100644 --- a/components/wpa_supplicant/src/eap_peer/eap_ttls.c +++ b/components/wpa_supplicant/src/eap_peer/eap_ttls.c 
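Review bot: The removed `printf("\n\nPAC FILE =\n%s", rc.pos)` was writing the PAC file — which carries the PAC-Key credential — to the console, so this hunk is a credential-leak fix rather than an analyzer cleanup, and it is worth stating that in the commit message so anyone tracking security-relevant changes in a release can find it. No further change to the code is needed; the early return after `eap_fast_deinit_pac_data(&rc)` on an empty file is unchanged.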
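Review bot: Under `ESP_SUPPLICANT` the blob handed to `eap_set_config_blob()` now has `name` left untouched instead of being set from `pac_file`, which is only safe if `blob` was zero-allocated (the allocation is above the hunk) and the ESP implementation of `eap_set_config_blob()` never dereferences `name`. The trailing `os_free(blob)` does not free `name` either, so a NULL name is also what the cleanup assumes. A comment on the `#ifndef`, e.g. `/* ESP: blobs are stored by slot index, not by name; blob->name stays NULL */`, would record the assumption (adjust if index-based storage is not the reason).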
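Review bot: The line above the new `len = sm->blob[3].len;` still carries the dead comment `//(u8 *) os_readfile(pac_file, &len);`, which should go now that the in-memory blob is the only source on this path (before this change that path parsed the blob with `len == 0`, so nothing was ever loaded). `sm->blob[3]` is a magic index, and the removed debug line in eap_fast_save_pac shows the same slot is used there; a named constant such as `EAP_FAST_PAC_BLOB_IDX` used in both places would make the pairing obvious. With `len` now declared without an initializer in the earlier hunk, this assignment and the `len = blob->len` branch are the only two paths that set it, which is fine as long as no third path exists between them.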
@@ -117,7 +117,7 @@ static void * eap_ttls_init(struct eap_sm *sm) static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, - struct eap_ttls_data *data) + struct eap_ttls_data *data) { if (data->phase2_priv && data->phase2_method) { data->phase2_method->deinit(sm, data->phase2_priv); @@ -130,7 +130,7 @@ static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm, static void eap_ttls_free_key(struct eap_ttls_data *data) { if (data->key_data) { - bin_clear_free(data->key_data, EAP_TLS_KEY_LEN); + bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); data->key_data = NULL; } } @@ -153,7 +153,7 @@ static void eap_ttls_deinit(struct eap_sm *sm, void *priv) static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, - int mandatory, size_t len) + int mandatory, size_t len) { struct ttls_avp_vendor *avp; u8 flags; @@ -170,7 +170,7 @@ static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id, } avp->avp_code = host_to_be32(avp_code); - avp->avp_length = host_to_be32(((u32) (flags << 24)) | + avp->avp_length = host_to_be32(((u32) flags << 24) | (u32) (hdrlen + len)); return avphdr + hdrlen; diff --git a/components/wpa_supplicant/src/rsn_supp/wpa_ie.c b/components/wpa_supplicant/src/rsn_supp/wpa_ie.c index 789c0958c6..3b885af4ce 100644 --- a/components/wpa_supplicant/src/rsn_supp/wpa_ie.c +++ b/components/wpa_supplicant/src/rsn_supp/wpa_ie.c @@ -297,7 +297,7 @@ int wpa_gen_wpa_ie(struct wpa_sm *sm, u8 *wpa_ie, size_t wpa_ie_len) int wpa_gen_rsnxe(struct wpa_sm *sm, u8 *rsnxe, size_t rsnxe_len) { u8 *pos = rsnxe; - u16 capab = 0; + u16 capab = 0, tmp; size_t flen; if (wpa_key_mgmt_sae(sm->key_mgmt) && 
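Review bot: The wipe length in eap_ttls_free_key now includes `EAP_EMSK_LEN`, which is the right fix only if `key_data` was allocated with `EAP_TLS_KEY_LEN + EAP_EMSK_LEN` bytes; the derivation site is not in this diff and must be checked, because clearing more than was allocated is an out-of-bounds write. Since the same sum has to appear at allocation and here, a shared constant such as `#define EAP_TTLS_KEY_DATA_LEN (EAP_TLS_KEY_LEN + EAP_EMSK_LEN)` used at both sites would stop them drifting apart again. Before this change only the first `EAP_TLS_KEY_LEN` bytes were cleared, leaving the EMSK half in freed memory.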
@@ -311,9 +311,15 @@ int wpa_gen_rsnxe(struct wpa_sm *sm, u8 *rsnxe, size_t rsnxe_len) #endif /* CONFIG_SAE_PK */ } - flen = (capab & 0xff00) ? 2 : 1; if (!capab) return 0; /* no supported extended RSN capabilities */ + + tmp = capab; + flen = 0; + while (tmp) { + flen++; + tmp >>= 8; + } if (rsnxe_len < 2 + flen) return -1; capab |= flen - 1; /* bit 0-3 = Field length (n - 1) */ diff --git a/components/wpa_supplicant/src/utils/json.c b/components/wpa_supplicant/src/utils/json.c index 5a0edf2114..37a27e2fc6 100644 --- a/components/wpa_supplicant/src/utils/json.c +++ b/components/wpa_supplicant/src/utils/json.c @@ -269,7 +269,8 @@ struct json_token * json_parse(const char *data, size_t data_len) case ']': /* end array */ case '}': /* end object */ if (!curr_token || !curr_token->parent || - curr_token->parent->state != JSON_STARTED) { + curr_token->parent->state != JSON_STARTED || + depth == 0) { wpa_printf(MSG_DEBUG, "JSON: Invalid state for end array/object"); goto fail; diff --git a/components/wpa_supplicant/src/wps/wps.h b/components/wpa_supplicant/src/wps/wps.h index 2800566782..082045824b 100644 --- a/components/wpa_supplicant/src/wps/wps.h +++ b/components/wpa_supplicant/src/wps/wps.h @@ -121,7 +121,7 @@ struct wps_config { /** * pin - Enrollee Device Password (%NULL for Registrar or PBC) */ - const u8 pin[9]; + u8 pin[9]; /** * pin_len - Length on pin in octets
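Review bot: The byte-counting loop that replaces `flen = (capab & 0xff00) ? 2 : 1;` is exactly equivalent for a `u16` (`flen` is always 1 or 2) and no more general, since `capab` cannot hold a third octet; if the motivation was to compute `flen` after the `!capab` return, moving the original ternary to that spot does the same with less code: `flen = (capab & 0xff00) ? 2 : 1;`. If the loop is kept, a comment such as `/* RSNXE field length = number of significant octets of capab */` would explain why it counts bytes. The rest of wpa_gen_rsnxe lies outside the hunk.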
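Review bot: The added `depth == 0` condition in the end-array/object case needs a comment saying what it guards, since the preceding `!curr_token->parent` check already looks like it rejects a stray closing bracket; presumably it keeps `depth` from going negative (or wrapping, if unsigned) in the decrement that follows outside the hunk, which the parent check alone does not guarantee. Suggest `/* depth == 0: closing bracket with no open container; keep depth from underflowing */`. Placing `depth == 0` first in the condition would also run the cheapest test before the pointer dereferences.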
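Review bot: With `pin` now a plain `u8[9]` array (it never was a pointer here), the doc comment above it still says `(%NULL for Registrar or PBC)`, which cannot apply to an array; it should state the real convention, which from the `pin_len` field below is presumably a zero length, e.g. `* pin - Enrollee Device Password (pin_len == 0 for Registrar or PBC)`. The `pin_len` comment also has a typo and should read `Length of pin in octets`. Dropping `const` is the right fix, since a const array member can only be filled by casting the qualifier away, which is undefined behaviour.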