From 8a47c4875b814f1c7d9ef9f7b8de1d162ed4b945 Mon Sep 17 00:00:00 2001
From: alanmaxwell
Date: Fri, 25 Aug 2023 15:30:33 +0800
Subject: [PATCH 1/2] fix(wifi): optimize wifi bin size and fix some issue 1.Optimize bin size for STA only mode 2.Change fragment threshold to 256 3.Support fragment for LR mode 4.Fix ampdu duration issue 5.Fix rx fragment fail in Open mode.
---
 components/esp_rom/esp32c2/ld/esp32c2.rom.ld | 12 ++--
 .../esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld | 2 +-
 components/esp_rom/esp32c3/ld/esp32c3.rom.ld | 6 +-
 .../esp_rom/esp32c6/ld/esp32c6.rom.pp.ld | 4 +-
 components/esp_rom/esp32s3/ld/esp32s3.rom.ld | 6 +-
 components/esp_wifi/lib | 2 +-
 components/esp_wifi/src/wifi_init.c | 70 +++++++++++++++++++
 7 files changed, 86 insertions(+), 16 deletions(-)
diff --git a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
index d4b3ac80e1..ca52f97582 100644
--- a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
+++ b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
@@ -1540,10 +1540,10 @@ pm_on_tbtt = 0x40001ba8;
 pm_sleep_for = 0x40001bc0;
 /* pm_tbtt_process = 0x40001bc4; */
 ppAMPDU2Normal = 0x40001bc8;
-ppAssembleAMPDU = 0x40001bcc;
+/*ppAssembleAMPDU = 0x40001bcc;*/
 ppCalFrameTimes = 0x40001bd0;
 ppCalSubFrameLength = 0x40001bd4;
-ppCalTxAMPDULength = 0x40001bd8;
+/*ppCalTxAMPDULength = 0x40001bd8;*/
 ppCheckTxAMPDUlength = 0x40001bdc;
 ppDequeueRxq_Locked = 0x40001be0;
 ppDequeueTxQ = 0x40001be4;
@@ -1563,8 +1563,8 @@ ppRecycleAmpdu = 0x40001c18;
 ppRecycleRxPkt = 0x40001c1c;
 ppResortTxAMPDU = 0x40001c20;
 ppResumeTxAMPDU = 0x40001c24;
-ppRxFragmentProc = 0x40001c28;
-ppRxPkt = 0x40001c2c;
+/*ppRxFragmentProc = 0x40001c28;*/
+/* ppRxPkt = 0x40001c2c; */
 ppRxProtoProc = 0x40001c30;
 ppSearchTxQueue = 0x40001c34;
 ppSearchTxframe = 0x40001c38;
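Review bot: The entries commented out in the second esp32c2 hunk (`ppRxFragmentProc`, `ppRxPkt`) record no reason, so a later regeneration or tidy-up of the ROM symbol table could restore them, and the receive path would then presumably resolve to the ROM copies again without any build error. I would add a short trailing note to each, e.g. `/* ppRxFragmentProc = 0x40001c28; */ /* provided by Wi-Fi lib, see rx fragment fix */`. The hunk also mixes `/*sym = addr;*/` with `/* sym = addr; */`; one spacing style would keep these lines greppable. The same applies to the other rom.ld hunks of this patch (esp32c2 `rcUpdateRate` and `lmacInit`, esp32c3, esp32c3 eco7, esp32c6, esp32s3).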
@@ -1592,7 +1592,7 @@ rcLowerSched = 0x40001c8c;
 rcSetTxAmpduLimit = 0x40001c90;
 /* rcTxUpdatePer = 0x40001c94;*/
 rcUpdateAckSnr = 0x40001c98;
-rcUpdateRate = 0x40001c9c;
+/*rcUpdateRate = 0x40001c9c;*/
 rcUpdateTxDone = 0x40001ca0;
 rcUpdateTxDoneAmpdu2 = 0x40001ca4;
 rcUpSched = 0x40001ca8;
@@ -1667,7 +1667,7 @@ lmacRetryTxFrame = 0x40001db8;
 lmacProcessCollisions_task = 0x40001dbc;
 /*lmacProcessTxopQComplete = 0x40001dc0;*/
 lmacInitAc = 0x40001dc4;
-lmacInit = 0x40001dc8;
+/*lmacInit = 0x40001dc8;*/
 mac_tx_set_txop_q = 0x40001dcc;
 /*hal_init = 0x40001dd0;*/
 hal_mac_rx_set_policy = 0x40001dd4;
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
index 3aacbb3819..84490150e8 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
@@ -23,7 +23,7 @@ pm_rx_data_process = 0x40001694;
 /* pm_tbtt_process = 0x400016a0;*/
 ppMapTxQueue = 0x400016d8;
 ppProcTxSecFrame = 0x400016dc;
-ppRxFragmentProc = 0x40001704;
+/*ppRxFragmentProc = 0x40001704;*/
 /* rcGetSched = 0x40001764;*/
 rcTxUpdatePer = 0x40001770;
 rcUpdateTxDone = 0x4000177c;
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
index 742786df59..c7a7a94beb 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
@@ -1559,10 +1559,10 @@ pm_on_tbtt = 0x40001684;
 pm_sleep_for = 0x4000169c;
 /* pm_tbtt_process = 0x400016a0; */
 ppAMPDU2Normal = 0x400016a4;
-ppAssembleAMPDU = 0x400016a8;
+/*ppAssembleAMPDU = 0x400016a8;*/
 ppCalFrameTimes = 0x400016ac;
 ppCalSubFrameLength = 0x400016b0;
-ppCalTxAMPDULength = 0x400016b4;
+/*ppCalTxAMPDULength = 0x400016b4;*/
 ppCheckTxAMPDUlength = 0x400016b8;
 ppDequeueRxq_Locked = 0x400016bc;
 ppDequeueTxQ = 0x400016c0;
@@ -1608,7 +1608,7 @@ rcLowerSched = 0x40001768;
 rcSetTxAmpduLimit = 0x4000176c;
 /* rcTxUpdatePer = 0x40001770;*/
 rcUpdateAckSnr = 0x40001774;
-rcUpdateRate = 0x40001778;
+/*rcUpdateRate = 0x40001778;*/
 /* rcUpdateTxDone = 0x4000177c; */
 rcUpdateTxDoneAmpdu2 = 0x40001780;
 rcUpSched = 0x40001784;
diff --git a/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld b/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
index 8a75b13a06..e9256ac1fd 100644
--- a/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
+++ b/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
@@ -100,7 +100,7 @@ ppRecycleAmpdu = 0x40000d10;
 ppRecycleRxPkt = 0x40000d14;
 //ppResortTxAMPDU = 0x40000d18;
 ppResumeTxAMPDU = 0x40000d1c;
-ppRxFragmentProc = 0x40000d20;
+/*ppRxFragmentProc = 0x40000d20;*/
 //ppRxPkt = 0x40000d24;
 ppRxProtoProc = 0x40000d28;
 ppSearchTxQueue = 0x40000d2c;
@@ -129,7 +129,7 @@ rcLowerSched = 0x40000d84;
 rcSetTxAmpduLimit = 0x40000d88;
 rcTxUpdatePer = 0x40000d8c;
 rcUpdateAckSnr = 0x40000d90;
-rcUpdateRate = 0x40000d94;
+/*rcUpdateRate = 0x40000d94;*/
 rcUpdateTxDone = 0x40000d98;
 rcUpdateTxDoneAmpdu2 = 0x40000d9c;
 rcUpSched = 0x40000da0;
diff --git a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
index 6ca2ab5010..d5c010fa2f 100644
--- a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
+++ b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
@@ -1861,10 +1861,10 @@ pm_on_tbtt = 0x400054cc;
 pm_sleep_for = 0x40005514;
 /* pm_tbtt_process = 0x40005520; */
 ppAMPDU2Normal = 0x4000552c;
-ppAssembleAMPDU = 0x40005538;
+/*ppAssembleAMPDU = 0x40005538;*/
 ppCalFrameTimes = 0x40005544;
 ppCalSubFrameLength = 0x40005550;
-ppCalTxAMPDULength = 0x4000555c;
+/*ppCalTxAMPDULength = 0x4000555c;*/
 ppCheckTxAMPDUlength = 0x40005568;
 ppDequeueRxq_Locked = 0x40005574;
 ppDequeueTxQ = 0x40005580;
@@ -1912,7 +1912,7 @@ rcLowerSched = 0x40005778;
 rcSetTxAmpduLimit = 0x40005784;
 /* rcTxUpdatePer = 0x40005790;*/
 rcUpdateAckSnr = 0x4000579c;
-rcUpdateRate = 0x400057a8;
+/*rcUpdateRate = 0x400057a8;*/
 /* rcUpdateTxDone = 0x400057b4; */
 rcUpdateTxDoneAmpdu2 = 0x400057c0;
 rcUpSched = 0x400057cc;
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index a0a9c8b783..6c2a80c3ab 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit a0a9c8b7838adc81975f09bc7b4e1296dfcd27d8
+Subproject commit 6c2a80c3abb091e9c4434b5bebaf7df76c97daae
diff --git a/components/esp_wifi/src/wifi_init.c b/components/esp_wifi/src/wifi_init.c
index 4473cfc438..ac2dd2f2cc 100644
--- a/components/esp_wifi/src/wifi_init.c
+++ b/components/esp_wifi/src/wifi_init.c
@@ -355,7 +355,77 @@ void ieee80211_ftm_attach(void)
 #ifndef CONFIG_ESP_WIFI_SOFTAP_SUPPORT
 void net80211_softap_funcs_init(void)
 {
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
 }
+
+bool ieee80211_ap_try_sa_query(void *p)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return false;
+}
+
+bool ieee80211_ap_sa_query_timeout(void *p)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return false;
+}
+
+int add_mic_ie_bip(void *p)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return 0;
+}
+
+void ieee80211_free_beacon_eb(void)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+int ieee80211_pwrsave(void *p1, void *p2)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return 0;
+}
+
+void cnx_node_remove(void *p)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+int ieee80211_set_tim(void *p, int arg)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return 0;
+}
+
+bool ieee80211_is_bufferable_mmpdu(void *p)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return false;
+}
+
+void cnx_node_leave(void *p, uint8_t arg)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+void ieee80211_beacon_construct(void *p1, void *p2, void *p3, void *p4)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+void * ieee80211_assoc_resp_construct(void *p, int arg)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return NULL;
+}
+
+void * ieee80211_alloc_proberesp(void *p, int arg)
+{
+ /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+ return NULL;
+}
+
 #endif
 
 #ifndef CONFIG_ESP_WIFI_NAN_ENABLE
From c84b2cbaed7907289b2809a2154c093974db4d4c Mon Sep 17 00:00:00 2001
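Review bot: The new stubs are defined with generic `void *` parameter lists and no prototype in scope, so nothing checks that they match the weak definitions in the Wi-Fi library they replace; a mismatch in argument count or return width would link cleanly and only misbehave at run time. Several also return a value a caller could read as success: `add_mic_ie_bip` returns `0` and `ieee80211_pwrsave` returns `0`, and if `0` means "done" in the library (not visible here), a management frame could leave without its BIP MIC should a stub ever be reached in a STA-only build. I would declare the prototypes in a private header that mirrors the library's declarations, and on the PMF-related stubs either state that the path is unreachable without SoftAP or return a failure value, e.g. `return -1; /* SoftAP disabled: no BIP MIC is added */` if the library treats non-zero as an error. The enclosing `#ifndef CONFIG_ESP_WIFI_SOFTAP_SUPPORT` block opens before this hunk.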
From: Kapil Gupta
Date: Wed, 18 Oct 2023 18:20:48 +0530
Subject: [PATCH 2/2] fix(esp_wifi): Drop fragmented AMPDU(fixCVE-2020-26142)
---
 components/esp_rom/esp32c3/ld/esp32c3.rom.ld | 2 +-
 components/esp_rom/esp32s3/ld/esp32s3.rom.ld | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
index c7a7a94beb..b9661d0785 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
@@ -1581,7 +1581,7 @@ ppRecycleRxPkt = 0x400016f8;
 ppResortTxAMPDU = 0x400016fc;
 ppResumeTxAMPDU = 0x40001700;
 /* ppRxFragmentProc = 0x40001704; */
-ppRxPkt = 0x40001708;
+/* ppRxPkt = 0x40001708; */
 ppRxProtoProc = 0x4000170c;
 ppSearchTxQueue = 0x40001710;
 ppSearchTxframe = 0x40001714;
diff --git a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
index d5c010fa2f..3967479a82 100644
--- a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
+++ b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
@@ -1884,7 +1884,7 @@ ppRecycleRxPkt = 0x40005628;
 ppResortTxAMPDU = 0x40005634;
 ppResumeTxAMPDU = 0x40005640;
 /* ppRxFragmentProc = 0x4000564c; */
-ppRxPkt = 0x40005658;
+/* ppRxPkt = 0x40005658; */
 ppRxProtoProc = 0x40005664;
 ppSearchTxQueue = 0x40005670;
 ppSearchTxframe = 0x4000567c;
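Review bot: The CVE-2020-26142 behaviour itself is not visible in this patch: both hunks only stop `ppRxPkt` resolving to its ROM address (`0x40001708` on esp32c3, `0x40005658` on esp32s3), and the diffstat does not move `components/esp_wifi/lib`, so the dropping of fragmented A-MPDU frames has to come from the library commit already pinned by patch 1/2. I would tie the two lines to the fix so the mapping is not restored by accident, e.g. `/* ppRxPkt = 0x40001708; */ /* keep unmapped: lib ppRxPkt carries the CVE-2020-26142 fix */`, and cover the change with a receive-path regression test that expects such a frame to be discarded. esp32c2 was unmapped in patch 1/2 and esp32c6 shows `//ppRxPkt` as context there; any other target whose ROM table still maps `ppRxPkt` lies outside this page and is worth confirming.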