Merge branch 'bugfix/invalid_memory_access_supplicant_v5.3' into 'release/v5.3'

fix(esp_wifi): Fix some invalid memory access (v5.3)

See merge request espressif/esp-idf!44276

Author: kapilkedawat

components/esp_wifi/wifi_apps/roaming_app/src/roaming_app.c

@@ -696,6 +696,7 @@ static void periodic_scan_roam(struct timeval *now)
     roaming_app_get_ap_info(&g_roaming_app.current_bss.ap);
     ESP_LOGD(ROAMING_TAG, "Connected AP's RSSI=%d", g_roaming_app.current_bss.ap.rssi);
     if (g_roaming_app.current_bss.ap.rssi > g_roaming_app.config.scan_rssi_threshold) {
+        ESP_LOGD(ROAMING_TAG, "Not going for scan, Scan RSSI threshold=%d", g_roaming_app.config.scan_rssi_threshold);
         return;
     }
 

components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c

@@ -252,31 +252,6 @@ int crypto_bignum_legendre(const struct crypto_bignum *a,
     return res;
 }
 
-int crypto_bignum_to_string(const struct crypto_bignum *a,
-                            u8 *buf, size_t buflen, size_t padlen)
-{
-    int num_bytes, offset;
-    size_t outlen;
-
-    if (padlen > buflen) {
-        return -1;
-    }
-
-    num_bytes = mbedtls_mpi_size((mbedtls_mpi *) a);
-
-    if (padlen > (size_t) num_bytes) {
-        offset = padlen - num_bytes;
-    } else {
-        offset = 0;
-    }
-
-    os_memset(buf, 0, offset);
-    mbedtls_mpi_write_string((mbedtls_mpi *) a, 16, (char *)(buf + offset),
-                             mbedtls_mpi_size((mbedtls_mpi *)a), &outlen);
-
-    return outlen;
-}
-
 int crypto_bignum_addmod(const struct crypto_bignum *a,
                          const struct crypto_bignum *b,
                          const struct crypto_bignum *c,

components/wpa_supplicant/esp_supplicant/src/esp_common.c

@@ -167,6 +167,9 @@ static int handle_assoc_frame(u8 *frame, size_t len,
                               u8 *sender, int8_t rssi, u8 channel)
 {
     if (gWpaSm.key_mgmt == WPA_KEY_MGMT_FT_PSK) {
+        if (len < 6) { /* Cap info + status code */
+            return -1;
+        }
         if (gWpaSm.ft_protocol) {
             if (wpa_ft_validate_reassoc_resp(&gWpaSm, frame + 6, len - 6, sender)) {
                 wpa_sm_set_ft_params(&gWpaSm, NULL, 0);

components/wpa_supplicant/esp_supplicant/src/esp_dpp.c

@@ -302,6 +302,10 @@ static esp_err_t esp_dpp_rx_peer_disc_resp(struct action_rx_param *rx_param)
         return ESP_ERR_INVALID_ARG;
     }
 
+    if (rx_param->vendor_data_len < 2) {
+        wpa_printf(MSG_INFO, "DPP: Too short vendor specific data");
+        return ESP_FAIL;
+    }
     size_t len = rx_param->vendor_data_len - 2;
 
     buf = rx_param->action_frm->u.public_action.v.pa_vendor_spec.vendor_data;
@@ -437,25 +441,36 @@ static void gas_query_resp_rx(struct action_rx_param *rx_param)
 {
     struct dpp_authentication *auth = s_dpp_ctx.dpp_auth;
     uint8_t *pos = rx_param->action_frm->u.public_action.v.pa_gas_resp.data;
-    uint8_t *resp = &pos[10];
+    uint8_t *resp = &pos[10];  /* first byte of DPP attributes */
+    size_t vendor_len = rx_param->vendor_data_len;
     int i, res;
 
-    if (pos[1] == WLAN_EID_VENDOR_SPECIFIC && pos[2] == 5 &&
-            WPA_GET_BE24(&pos[3]) == OUI_WFA && pos[6] == 0x1a && pos[7] == 1 && auth) {
-        if (dpp_conf_resp_rx(auth, resp, rx_param->vendor_data_len - 2) < 0) {
-            wpa_printf(MSG_DEBUG, "DPP: Configuration attempt failed");
-            goto fail;
-        }
+    /* Basic structural checks on the Advertisement Protocol payload */
+    if (!(pos[1] == WLAN_EID_VENDOR_SPECIFIC && pos[2] == 5 &&
+            WPA_GET_BE24(&pos[3]) == OUI_WFA && pos[6] == 0x1a && pos[7] == 1 && auth)) {
+        wpa_hexdump(MSG_INFO, "DPP: Failed, Configuration Response adv_proto", pos, 8);
+        return;
+    }
 
-        for (i = 0; i < auth->num_conf_obj; i++) {
-            res = esp_dpp_handle_config_obj(auth, &auth->conf_obj[i]);
-            if (res < 0) {
-                goto fail;
-            }
+    /* DPP attribute length = vendor_data_len - 2, caller validated vendor_data_len
+     * (we skip the 2-byte length field and pass only the attributes). */
+    size_t dpp_data_len = vendor_len - 2;
+
+    if (dpp_conf_resp_rx(auth, resp, dpp_data_len) < 0) {
+        wpa_printf(MSG_INFO, "DPP: Configuration attempt failed");
+        goto fail;
+    }
+
+    for (i = 0; i < auth->num_conf_obj; i++) {
+        res = esp_dpp_handle_config_obj(auth, &auth->conf_obj[i]);
+        if (res < 0) {
+            wpa_printf(MSG_INFO, "DPP: Configuration parsing failed");
+            goto fail;
         }
     }
 
     return;
+
 fail:
     esp_dpp_call_cb(ESP_SUPP_DPP_FAIL, (void *)ESP_ERR_DPP_FAILURE);
 }
@@ -694,11 +709,17 @@ static char *esp_dpp_parse_chan_list(const char *chan_list)
     }
 
     char *uri_ptr = uri_channels;
+    size_t current_offset = 0; // Use an offset to track current position
     params->num_chan = 0;
 
     /* Append " chan=" at the beginning of the URI */
-    strcpy(uri_ptr, " chan=");
-    uri_ptr += strlen(" chan=");
+    int written = os_snprintf(uri_ptr + current_offset, max_uri_len - current_offset, " chan=");
+    if (written < 0 || written >= max_uri_len - current_offset) { // Check for error or truncation
+        wpa_printf(MSG_ERROR, "DPP: URI buffer too small for initial string");
+        os_free(uri_channels);
+        return NULL;
+    }
+    current_offset += written;
 
     while (*chan_list && params->num_chan < ESP_DPP_MAX_CHAN_COUNT) {
         int channel = 0;
@@ -733,16 +754,23 @@ static char *esp_dpp_parse_chan_list(const char *chan_list)
         /* Add the valid channel to the list */
         params->chan_list[params->num_chan++] = channel;
 
-        /* Check if there's space left in uri_channels buffer */
-        size_t remaining_space = max_uri_len - (uri_ptr - uri_channels);
-        if (remaining_space <= 8) {  // Oper class + "/" + channel + "," + null terminator
-            wpa_printf(MSG_ERROR, "DPP: Not enough space in URI buffer");
+        // Calculate space needed for current channel string (e.g., "81/1,")
+        int needed_for_channel = os_snprintf(NULL, 0, "%d/%d,", oper_class, channel);
+
+        if (current_offset + needed_for_channel + 1 > max_uri_len) { // +1 for null terminator
+            wpa_printf(MSG_ERROR, "DPP: Not enough space in URI buffer for channel %d", channel);
             os_free(uri_channels);
             return NULL;
         }
 
         /* Append the operating class and channel to the URI */
-        uri_ptr += sprintf(uri_ptr, "%d/%d,", oper_class, channel);
+        written = os_snprintf(uri_ptr + current_offset, max_uri_len - current_offset, "%d/%d,", oper_class, channel);
+        if (written < 0 || written >= max_uri_len - current_offset) { // Check for error or truncation
+            wpa_printf(MSG_ERROR, "DPP: Error writing channel %d to URI buffer", channel);
+            os_free(uri_channels);
+            return NULL;
+        }
+        current_offset += written;
 
         /* Skip any delimiters (comma or space) */
         while (*chan_list == ',' || *chan_list == ' ') {
@@ -757,8 +785,8 @@ static char *esp_dpp_parse_chan_list(const char *chan_list)
     }
 
     /* Replace the last comma with a space if there was content added */
-    if (uri_ptr > uri_channels && *(uri_ptr - 1) == ',') {
-        *(uri_ptr - 1) = ' ';
+    if (current_offset > strlen(" chan=") && uri_ptr[current_offset - 1] == ',') {
+        uri_ptr[current_offset - 1] = ' ';
     }
 
     return uri_channels;

components/wpa_supplicant/esp_supplicant/src/esp_hostap.c

@@ -193,7 +193,8 @@ void *hostap_init(void)
     }
 #endif /* CONFIG_SAE */
 
-    os_memcpy(hapd->conf->ssid.wpa_passphrase, esp_wifi_ap_get_prof_password_internal(), strlen((char *)esp_wifi_ap_get_prof_password_internal()));
+    os_snprintf(hapd->conf->ssid.wpa_passphrase, WIFI_PASSWORD_LEN_MAX,
+                "%s", esp_wifi_ap_get_prof_password_internal());
     hapd->conf->ssid.wpa_passphrase[WIFI_PASSWORD_LEN_MAX - 1] = '\0';
     hapd->conf->max_num_sta = esp_wifi_ap_get_max_sta_conn();
     auth_conf->transition_disable = esp_wifi_ap_get_transition_disable_internal();

components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c

@@ -319,8 +319,16 @@ static int wpa3_parse_sae_commit(u8 *buf, u32 len, u16 status)
                 wpa_printf(MSG_ERROR, "Invalid SAE anti-clogging token container header");
                 return ESP_FAIL;
             }
+            if (len < 5) {
+                wpa_printf(MSG_ERROR, "Invalid SAE anti-clogging token length");
+                return ESP_FAIL;
+            }
             g_sae_token = wpabuf_alloc_copy(buf + 5, len - 5);
         } else {
+            if (len < 2) {
+                wpa_printf(MSG_ERROR, "Invalid SAE anti-clogging token length");
+                return ESP_FAIL;
+            }
             g_sae_token = wpabuf_alloc_copy(buf + 2, len - 2);
         }
         return ESP_OK;

components/wpa_supplicant/esp_supplicant/src/esp_wps.c

@@ -569,8 +569,8 @@ int wps_enrollee_process_msg_frag(struct wpabuf **buf, int tot_len, u8 *frag_dat
     }
 
     if (*buf == NULL) {
-        if (0 == (flag & WPS_MSG_FLAG_LEN) || tot_len < frag_len) {
-            wpa_printf(MSG_ERROR, "fun:%s. line:%d, flag error:%02x", __FUNCTION__, __LINE__, flag);
+        if (frag_len < 0 || tot_len < frag_len) {
+            wpa_printf(MSG_ERROR, "WPS: Invalid first fragment length");
             return ESP_FAIL;
         }
 
@@ -584,10 +584,18 @@ int wps_enrollee_process_msg_frag(struct wpabuf **buf, int tot_len, u8 *frag_dat
     }
 
     if (flag & WPS_MSG_FLAG_LEN) {
-        wpa_printf(MSG_ERROR, "fun:%s. line:%d, flag error:%02x", __FUNCTION__, __LINE__, flag);
+        wpa_printf(MSG_ERROR, "WPS: %s: Invalid fragment flag: 0x%02x", __func__, flag);
+        wpabuf_free(*buf);
+        *buf = NULL;
         return ESP_FAIL;
     }
 
+    if (frag_len < 0 || wpabuf_len(*buf) + frag_len > tot_len) {
+        wpa_printf(MSG_ERROR, "WPS: Invalid subsequent fragment length");
+        wpabuf_free(*buf);
+        *buf = NULL;
+        return ESP_FAIL;
+    }
     wpabuf_put_data(*buf, frag_data, frag_len);
 
     if (flag & WPS_MSG_FLAG_MORE) {
@@ -612,6 +620,10 @@ int wps_process_wps_mX_req(u8 *ubuf, int len, enum wps_process_res *res)
         return ESP_FAIL;
     }
 
+    if (len < (int)(sizeof(struct eap_expand) + 1)) {
+        wpa_printf(MSG_ERROR, "WPS: Truncated EAP-Expanded header");
+        return ESP_FAIL;
+    }
     expd = (struct eap_expand *) ubuf;
     wpa_printf(MSG_DEBUG, "wps process mX req: len %d, tlen %d", len, tlen);
 
@@ -631,7 +643,11 @@ int wps_process_wps_mX_req(u8 *ubuf, int len, enum wps_process_res *res)
 
     flag = *(u8 *)(ubuf + sizeof(struct eap_expand));
     if (flag & WPS_MSG_FLAG_LEN) {
-        tbuf = ubuf + sizeof(struct eap_expand) + 1 + 2;//two bytes total length
+        if (len < (int)(sizeof(struct eap_expand) + 1 + 2)) {
+            wpa_printf(MSG_ERROR, "WPS: Missing total length field");
+            return ESP_FAIL;
+        }
+        tbuf = ubuf + sizeof(struct eap_expand) + 1 + 2; // includes 2-byte total length
         frag_len = len - (sizeof(struct eap_expand) + 1 + 2);
         be_tot_len = *(u16 *)(ubuf + sizeof(struct eap_expand) + 1);
         tlen = ((be_tot_len & 0xff) << 8) | ((be_tot_len >> 8) & 0xff);
@@ -641,6 +657,15 @@ int wps_process_wps_mX_req(u8 *ubuf, int len, enum wps_process_res *res)
         tlen = frag_len;
     }
 
+    if (frag_len < 0 || tlen < 0 || ((flag & WPS_MSG_FLAG_LEN) && tlen < frag_len)) {
+        wpa_printf(MSG_ERROR, "WPS: Invalid fragment sizes");
+        if (wps_buf) {
+            wpabuf_free(wps_buf);
+            wps_buf = NULL;
+        }
+        return ESP_FAIL;
+    }
+
     if (tlen > 50000) {
         wpa_printf(MSG_ERROR, "EAP-WSC: Invalid Message Length");
         return ESP_FAIL;

components/wpa_supplicant/src/crypto/crypto.h

@@ -1135,17 +1135,6 @@ void crypto_free_buffer(unsigned char *buf);
  */
 int crypto_ec_get_priv_key_der(struct crypto_ec_key *key, unsigned char **key_data, int *key_len);
 
-/**
- * crypto_bignum_to_string: get big number in ascii format
- * @a: big number
- * @buf: buffer in which number will written to
- * @buflen: buffer length
- * @padlen: padding length
- * Return : 0 if success
- */
-int crypto_bignum_to_string(const struct crypto_bignum *a,
-                         u8 *buf, size_t buflen, size_t padlen);
-
 struct crypto_ecdh;
 
 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh);