Since merging #11052, any application crashes with a stack smashing protect failure when exiting WiFiGenericClass::mode(), if gcc’s stack protector is set to "strong".
WiFiGenericClass::mode() attempts to disable LR mode if it’s not supposed to be enabled. To find out if LR is enabled, it calls esp_wifi_get_protocol(wifi_interface_t ifx, uint8_t *protocol_bitmap) and passes a pointer to a single uint8_t on the stack. However, esp_wifi_get_protocol writes two protocol bitmap bytes, thereby overwriting whatever comes after that one byte on the stack.
The crash can be fixed by making current_protocol an array of size 2.
The documentation doesn’t specify how many bytes are written to the pointer, so I’m not sure if this is an arduino-esp32 bug or an IDF bug. esp_wifi_get_protocol is apparently provided by the closed source WiFi blob, which I cannot debug.
Sketch
```cpp
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include "esp_wifi.h"

// Probe how many bytes esp_wifi_get_protocol() writes: poison a buffer,
// hand the callee a pointer to its middle, then dump the whole buffer.
static void get_protocols(wifi_interface_t wif)
{
    uint8_t buf[16];
    memset(buf, 0xaa, sizeof(buf));
    esp_wifi_get_protocol(wif, buf + sizeof(buf) / 2);
    for (size_t i = 0; i < sizeof(buf); i++) {
        printf(" %02x", buf[i]);
    }
    printf("\n");
}
```
Debug Message
```text
Stack smashing protect failure!
0x40083221: panic_abort at /home/user/idf-5-4-lib-builder/esp-idf/components/esp_system/panic.c:454
0x4008b591: esp_system_abort at /home/user/idf-5-4-lib-builder/esp-idf/components/esp_system/port/esp_system_chip.c:92
0x4008256a: __stack_chk_fail at /home/user/idf-5-4-lib-builder/esp-idf/components/esp_system/stack_check.c:28
0x4017ca6c: WiFiGenericClass::mode(wifi_mode_t) at /home/user/.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.cpp:650
0x40152a36: Wifi::setup() at /home/user/esp32-firmware/software/src/modules/wifi/wifi.cpp:676
0x400e9215: setup() at /home/user/esp32-firmware/software/.pio/libdeps/esp32test/ArduinoJson/src/ArduinoJson/Json/JsonDeserializer.hpp:520
0x40184973: loopTask(void*) at /home/user/.platformio/packages/framework-arduinoespressif32/cores/esp32/main.cpp:59
0x4008b942: vPortTaskWrapper at /home/user/idf-5-4-lib-builder/esp-idf/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:139
```
Other Steps to Reproduce
To reproduce the crash, use -fstack-protector-strong when compiling a project that uses WiFi.
To observe the bytes written by esp_wifi_get_protocol, paste the sketch into WiFiGeneric.cpp and call it with WIFI_IF_AP or WIFI_IF_STA after the corresponding interface has been enabled in WiFiGeneric::mode(). It should retrieve the enabled protocols into the middle of a prepared buffer and print the buffer.
Expected output: `aa aa aa aa aa aa aa aa 07 aa aa aa aa aa aa aa`
One byte should be written to the middle of the buffer.
Actual output: `aa aa aa aa aa aa aa aa 07 00 aa aa aa aa aa aa`
Two bytes have been written to the middle of the buffer.
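The overflow described above, modelled as an added example (not code from the issue or from arduino-esp32/IDF): `fake_esp_wifi_get_protocol` is a constructed stand-in that writes the two bytes observed in the actual output (`07 00`), `bytes_clobbered_outside_slot` hands it a slot of a given size inside a poisoned frame and counts bytes modified outside that slot, and `lr_is_enabled` shows the fixed pattern with a two-byte `current_protocol`. The `WIFI_PROTOCOL_*` bit values mirror IDF's esp_wifi_types.h; the interface and error constants are simplified assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the closed-source esp_wifi_get_protocol(): it
 * reproduces the behaviour observed in the issue (bytes 0x07 0x00 written),
 * not anything documented. Type/constant names are assumptions for this demo. */
typedef int wifi_interface_t;
typedef int esp_err_t;
enum { WIFI_IF_STA = 0, ESP_OK = 0 };
enum { WIFI_PROTOCOL_11B = 1, WIFI_PROTOCOL_11G = 2,
       WIFI_PROTOCOL_11N = 4, WIFI_PROTOCOL_LR = 8 };   /* IDF bit values */

static esp_err_t fake_esp_wifi_get_protocol(wifi_interface_t ifx, uint8_t *bitmap)
{
    (void)ifx;
    bitmap[0] = WIFI_PROTOCOL_11B | WIFI_PROTOCOL_11G | WIFI_PROTOCOL_11N; /* 0x07 */
    bitmap[1] = 0x00;            /* the second byte that smashes a 1-byte slot */
    return ESP_OK;
}

/* Model a stack frame as a poisoned buffer, give the callee a slot of
 * slot_len bytes in its middle, and report how many bytes outside the slot
 * were modified. In the frame on the page the neighbour of the 1-byte slot
 * was the stack-protector canary, so any non-zero count here means a crash. */
int bytes_clobbered_outside_slot(size_t slot_len)
{
    uint8_t frame[8];
    memset(frame, 0xaa, sizeof frame);
    fake_esp_wifi_get_protocol(WIFI_IF_STA, frame + 2);  /* slot = frame[2 .. 2+slot_len) */
    int clobbered = 0;
    for (size_t i = 0; i < sizeof frame; i++) {
        if ((i < 2 || i >= 2 + slot_len) && frame[i] != 0xaa)
            clobbered++;
    }
    return clobbered;
}

/* The pattern the fix uses: a two-byte receive buffer, first byte examined. */
int lr_is_enabled(wifi_interface_t ifx)
{
    uint8_t current_protocol[2] = { 0, 0 };   /* sized for what the callee writes */
    if (fake_esp_wifi_get_protocol(ifx, current_protocol) != ESP_OK)
        return 0;
    return (current_protocol[0] & WIFI_PROTOCOL_LR) != 0;
}
```

A 1-byte slot yields one clobbered neighbour, the 2-byte slot yields none, which is exactly the difference between the crashing and the fixed `WiFiGenericClass::mode()`.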
Board: ESP32, custom board
Device Description: n/a
Hardware Configuration: n/a
Version: latest master (checkout manually)
IDE Name: VSCode
Operating System: Linux
Flash frequency: 80 MHz
PSRAM enabled: yes
Upload speed: 1000000