Merge branch 'bugfix/stack_corruption_btm_task_v5.1' into 'release/v5.1'

Jiang Jiang Jian · Jiang Jiang Jian · commit 346d2367ef91 · 2025-02-14T19:00:19.000+08:00
fix(esp_wifi): Fix stack curruption in btm task(v5.1)

See merge request espressif/esp-idf!36972
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_common.c b/components/wpa_supplicant/esp_supplicant/src/esp_common.c
@@ -116,23 +116,22 @@ static int mgmt_rx_action(u8 *frame, size_t len, u8 *sender, int8_t rssi, u8 cha
 #ifdef CONFIG_SUPPLICANT_TASK
 static void btm_rrm_task(void *pvParameters)
 {
-	supplicant_event_t *evt;
+	supplicant_event_t evt;
 	bool task_del = false;
 
 	while(1) {
 		if (os_queue_recv(s_supplicant_evt_queue, &evt, OS_BLOCK) != TRUE)
 			continue;
 
 		/* event validation failed */
-		if (evt->id >= SIG_SUPPLICANT_MAX) {
-			os_free(evt);
+		if (evt.id >= SIG_SUPPLICANT_MAX) {
 			continue;
 		}
 
-		switch (evt->id) {
+		switch (evt.id) {
 		case SIG_SUPPLICANT_RX_ACTION:
 		{
-			struct ieee_mgmt_frame *frm = (struct ieee_mgmt_frame *)evt->data;
+			struct ieee_mgmt_frame *frm = (struct ieee_mgmt_frame *)evt.data;
 			mgmt_rx_action(frm->payload, frm->len, frm->sender, frm->rssi, frm->channel);
 			os_free(frm);
 			break;
@@ -148,8 +147,6 @@ static void btm_rrm_task(void *pvParameters)
 			break;
 		}
 
-		os_free(evt);
-
 		if (task_del)
 			break;
 	}
@@ -816,27 +813,21 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_SUPPLICANT_TASK
 int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
 {
-	supplicant_event_t *evt = os_zalloc(sizeof(supplicant_event_t));
-	if (!evt) {
-		wpa_printf(MSG_ERROR, "Failed to allocated memory");
-		return -1;
-	}
-	evt->id = evt_id;
-	evt->data = data;
+	supplicant_event_t evt;
+	evt.id = evt_id;
+	evt.data = data;
 
 	/* Make sure lock exists before taking it */
 	SUPPLICANT_API_LOCK();
 
 	/* Make sure no event can be sent when deletion event is sent or task not initialized */
 	if (!s_supplicant_task_init_done) {
 		SUPPLICANT_API_UNLOCK();
-		os_free(evt);
 		return -1;
 	}
 
 	if (os_queue_send(s_supplicant_evt_queue, &evt, os_task_ms_to_tick(10)) != TRUE) {
 		SUPPLICANT_API_UNLOCK();
-		os_free(evt);
 		return -1;
 	}
 	if (evt_id == SIG_SUPPLICANT_DEL_TASK) {
