1010#include < ets_sys.h>
1111#include < pgmspace.h>
1212#include " coredecls.h"
13- #if 0
13+
14+ #ifdef DEBUG_WPA2_EAP_PATCH
1415#include " esp8266_undocumented.h"
1516#define DEBUG_PRINTF ets_uart_printf
1617#else
6768 * While some insight can be gained from the ESP32 repo for this structure.
6869 * It does not match exactly. This alternate structure focuses on correct offset
6970 * rather than trying to exactly reconstruct the original labels.
71+ * These offset were found in libwpa2.a:eap.o .text.eap_peer_config_init
7072 */
7173struct StateMachine { // size 200 bytes
7274 void * beforeConfig[16 ];
7375 void * config[26 ];
74- // 0 - mov a2, a12, 64 // username / Identity
75- // 1 - mov a2, a12, 68
76- // 2 - mov a2, a12, 72 // anonymous Identity
77- // 3 - mov a2, a12, 76
78- // 4 - mov a2, a12, 80 // password
79- // 21 - mov a2, a12, 148 // ??
76+ // 0 - s32i a2, a12, 64 // username / Identity
77+ // 1 - s32i a2, a12, 68 // length
78+ // 2 - s32i a2, a12, 72 // anonymous Identity
79+ // 3 - s32i a2, a12, 76
80+ // 4 - s32i a2, a12, 80 // password
81+ // 5 - s32i a2, a12, 84
82+ //
83+ // "new password" - From wifi_station_set_enterprise_new_password(), we see
84+ // global saved value .bss+32 and .bss+36 which are later used to populate
85+ // ".config" in eap_peer_config_init(). I do not have an environment to
86+ // exercise this parameter. In my tests, the "new password" element in the
87+ // ".config" is never initialized. At the moment, I don't see any code that
88+ // would free the allocation.
89+ // allocated via pvPortZalloc from line 0x30f, 783
90+ // 21 - s32i a2, a12, 148 // new password
91+ // 22 - s32i a2, a12, 152
92+
8093 void * afterConfig[8 ];
8194};
8295
@@ -88,6 +101,7 @@ struct StateMachine { // size 200 bytes
88101 */
89102void patch_wpa2_eap_vPortFree_a12 (void *ptr, const char * file, int line, void * a12) {
90103 if (799 == line) {
104+ // This caller is eap_peer_config_deinit()
91105 struct StateMachine * sm = (struct StateMachine *)a12;
92106 if (ptr == sm->config [0 ]) {
93107 // Fix leaky frunction - eap.o only frees one out of 4 config items
@@ -97,8 +111,31 @@ void patch_wpa2_eap_vPortFree_a12(void *ptr, const char* file, int line, void* a
97111 vPortFree (sm->config [21 ], file, line);
98112 // ptr is sm->config[0], let fall through handle it
99113 }
100- DEBUG_PRINTF (" \n z2EapFree/vPortFree patch working\n " );
114+ #ifdef DEBUG_WPA2_EAP_PATCH
115+ DEBUG_PRINTF (" \n z2EapFree/vPortFree patch struct StateMachine * = %8p\n " , a12);
116+ DEBUG_PRINTF (" config[0] vPortFree(%8p, file, line);\n " , ptr);
117+ DEBUG_PRINTF (" config[2] vPortFree(%8p, file, line);\n " , sm->config [2 ]);
118+ DEBUG_PRINTF (" config[4] vPortFree(%8p, file, line);\n " , sm->config [4 ]);
119+ DEBUG_PRINTF (" config[21] vPortFree(%8p, file, line);\n " , sm->config [21 ]);
120+ if (a12) {
121+ void ** pw = (void **)a12;
122+ DEBUG_PRINTF (" \n hexdump struct StateMachine:\n " );
123+ for (size_t i=0 ; i<200 /4 ; i+=4 ) {
124+ DEBUG_PRINTF (" %03u: %8p %8p %8p %8p\n " , i*4 , pw[i], pw[i+1 ], pw[i+2 ], pw[i+3 ]);
125+ }
126+ }
127+ #endif
128+ }
129+ #if 0
130+ // This is not needed because the call was NO-OPed in the library. This code
131+ // snippit is just to show how a future memory free issue might be resolved.
132+ else if (672 == line) {
133+ // This caller is wpa2_sm_rx_eapol()
134+ // 1st of a double free
135+ // let the 2nd free handle it.
136+ return;
101137 }
138+ #endif
102139 vPortFree (ptr, file, line);
103140}
104141
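Review bot: The config slots freed inside the `799 == line` branch are left holding dangling pointers: after `vPortFree(sm->config[21], file, line);` (and the config[2]/config[4] frees that appear to sit in lines 108-110, between the hunks) nothing clears `sm->config[...]`, so any later pass through eap_peer_config_deinit() or the double-free path the `#if 0` block itself describes for line 672 would free them again. Since `ptr` already carries config[0] for the fall-through, all four slots can be cleared right after the frees with `sm->config[0] = sm->config[2] = sm->config[4] = sm->config[21] = NULL;`, which makes the patch idempotent regardless of what the library does afterwards. The `if (a12)` guard in the debug block also arrives after `sm->config[0]` has already been dereferenced through `a12` at the top of the branch; if a NULL `a12` is possible the check belongs before the cast (`if (799 == line && a12)`), otherwise the guard is dead and misleading. Minor: `%03u` is paired with a `size_t` expression (`i*4`); that only works because size_t is 32-bit on this target, so either cast to `unsigned` or make `i` an `unsigned`. The enclosing function patch_wpa2_eap_vPortFree_a12() starts outside this hunk.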