espressif / ESP8266_RTOS_SDK

Latest ESP8266 SDK based on FreeRTOS, esp-idf style.
http://bbs.espressif.com
Apache License 2.0

wpa2_enterprise example triggers stack smashing protection (GIT8266O-749) #1171

Open gnif opened 2 years ago

gnif commented 2 years ago

Environment

Problem Description

When connecting to a WPA2-EAP network with the stack smash protection enabled, it faults just after/during authentication.

Expected Behavior

Successful authentication and IP address assignment via DHCP.

Actual Behavior

I (42) boot: ESP-IDF v3.4-53-g83517ba1-dirty 2nd stage bootloader
I (43) boot: compile time 03:11:02
I (43) qio_mode: Enabling default flash chip QIO
I (51) boot: SPI Speed      : 40MHz
I (58) boot: SPI Mode       : QIO
I (64) boot: SPI Flash Size : 2MB
I (70) boot: Partition Table:
I (76) boot: ## Label            Usage          Type ST Offset   Length
I (87) boot:  0 nvs              WiFi data        01 02 00009000 00006000
I (98) boot:  1 phy_init         RF data          01 01 0000f000 00001000
I (110) boot:  2 factory          factory app      00 00 00010000 000f0000
I (121) boot: End of partition table
I (128) esp_image: segment 0: paddr=0x00010010 vaddr=0x40210010 size=0x75914 (481556) map
0x40210010: _stext at ??:?

I (305) esp_image: segment 1: paddr=0x0008592c vaddr=0x40285924 size=0x136f0 ( 79600) map
I (333) esp_image: segment 2: paddr=0x00099024 vaddr=0x3ffe8000 size=0x006a4 (  1700) load
I (334) esp_image: segment 3: paddr=0x000996d0 vaddr=0x40100000 size=0x00080 (   128) load
I (345) esp_image: segment 4: paddr=0x00099758 vaddr=0x40100080 size=0x055d8 ( 21976) load
I (365) boot: Loaded app from partition at offset 0x10000
I (387) system_api: Base MAC address is not set, read default base MAC address from EFUSE
I (392) system_api: Base MAC address is not set, read default base MAC address from EFUSE
phy_version: 1166.0, 7f5855b, Aug 19 2021, 15:51:14, RTOS new
I (457) phy_init: phy ver: 1166_0
I (465) example: Setting WiFi configuration SSID example.com...
I (2441) wifi:state: 0 -> 2 (b0)
I (2443) wifi:state: 2 -> 3 (0)
I (2447) wifi:state: 3 -> 5 (10)
I (4470) example: ~~~~~~~~~~~
I (4472) example: IP:0.0.0.0
I (4474) example: MASK:0.0.0.0
I (4476) example: GW:0.0.0.0
I (4478) example: ~~~~~~~~~~~
I (4483) example: free heap:30692

Stack smashing protect failure!

abort() was called at PC 0x4021fe6e on core 0
0x4021fe6e: __stack_chk_fail at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/esp_common/src/stack_check.c:37

Guru Meditation Error: Core  0 panic'ed (StoreProhibited). Exception was unhandled.
Core 0 register dump:
PC      : 0x4022298a  PS      : 0x00000030  A0      : 0x40222988  A1      : 0x3ffec620  
0x4022298a: abort at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/newlib/src/syscall.c:69 (discriminator 1)

0x40222988: abort at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/newlib/src/syscall.c:69 (discriminator 1)

A2      : 0x00000000  A3      : 0x0edadc32  A4      : 0x0edadc32  A5      : 0x00000001  
A6      : 0x00000000  A7      : 0x00000000  A8      : 0x00000000  A9      : 0x00000000  
A10     : 0x00000000  A11     : 0x00000000  A12     : 0x00000001  A13     : 0x00000000  
A14     : 0x00000000  A15     : 0x00000000  SAR     : 0x0000001e  EXCCAUSE: 0x0000001d  

Backtrace: 0x4022298a:0x3ffec620 0x4021fe71:0x3ffec630 0x40221d5c:0x3ffec640 0x40221e65:0x3ffec660 
0x4022298a: abort at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/newlib/src/syscall.c:69 (discriminator 1)

0x4021fe71: __stack_chk_fail at ??:?

0x40221d5c: prvProcessTimerOrBlockTask at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/freertos/freertos/timers.c:595

0x40221e65: prvTimerTask at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/freertos/freertos/timers.c:533 (discriminator 1)

Steps to reproduce

  1. Comment out the ca_cert and cert_key to use plain password-only authentication in wpa2_enterprise_main.c:
    +//    ESP_ERROR_CHECK(esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes));
    +//    ESP_ERROR_CHECK(esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes,
    +//                    client_key_start, client_key_bytes, NULL, 0));
  2. Run make menuconfig and configure the authentication details and SSID, and set Stack smashing protection mode to Strong or higher. Under ESP-TLS, enable Skip server certificate verification.
  3. Compile and flash the firmware and observe the stack protection failure using make monitor.

Code to reproduce this issue

No code to produce as it's the entirety of the wpa2_enterprise example.

Debug Logs

Output provided above under Actual Behaviour.

Extra

Please note that I am authenticating with an OpenWRT access point configured to use FreeRadius running on pfSense. Tracing everything out and enlarging stacks has had no effect; it seems the fault lies within the closed-source binary components/esp8266/lib/libnet80211_dbg.a.

gnif commented 2 years ago

Turning on Supplicant debug messages, DPP testing and WPS fixes results in the following output.

I (308) esp_image: segment 1: paddr=0x000874d4 vaddr=0x402874cc size=0x15f64 ( 89956) map
I (339) esp_image: segment 2: paddr=0x0009d440 vaddr=0x3ffe8000 size=0x006a4 (  1700) load
I (340) esp_image: segment 3: paddr=0x0009daec vaddr=0x40100000 size=0x00080 (   128) load
I (351) esp_image: segment 4: paddr=0x0009db74 vaddr=0x40100080 size=0x055d8 ( 21976) load
I (371) boot: Loaded app from partition at offset 0x10000
I (393) system_api: Base MAC address is not set, read default base MAC address from EFUSE
I (397) system_api: Base MAC address is not set, read default base MAC address from EFUSE
phy_version: 1166.0, 7f5855b, Aug 19 2021, 15:51:14, RTOS new
I (459) phy_init: phy ver: 1166_0
I (467) example: Setting WiFi configuration SSID example.com...
I (470) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

I (1925) wifi:state: 0 -> 2 (b0)
I (1930) wifi:state: 2 -> 3 (0)
I (1934) wifi:state: 3 -> 5 (10)
I (1935) wpa: wpa2_task prio:2, stack:6144

I (2034) wpa: SSL: Need 1922 bytes more input data
I (2096) wpa: SSL: Need 928 bytes more input data
I (2261) wpa: application data is null, adding one byte for ack
I (4203) wpa: application data is null, adding one byte for ack
I (4302) wpa: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
I (4475) example: ~~~~~~~~~~~
I (4477) example: IP:0.0.0.0
I (4479) example: MASK:0.0.0.0
I (4480) example: GW:0.0.0.0
I (4482) example: ~~~~~~~~~~~
I (4487) example: free heap:34932

I (5074) wpa: >>>>>wpa2 FINISH

E (5088) wpa: RSN: PMKSA cache entry found - PMKID - hexdump(len=16):
E (5091) wpa: 6e f9 de 99 1e dd 6a c6 51 82 89 e8 c5 04 35 f2 
E (5117) wpa: RSN: PMKSA cache entry found - PMKID - hexdump(len=16):
E (5121) wpa: 6e f9 de 99 1e dd 6a c6 51 82 89 e8 c5 04 35 f2 

Stack smashing protect failure!

gnif commented 2 years ago

And after enabling WiFi debugging

I (42) boot: ESP-IDF v3.4-53-g83517ba1-dirty 2nd stage bootloader
I (43) boot: compile time 03:47:29
I (43) qio_mode: Enabling default flash chip QIO
I (51) boot: SPI Speed      : 40MHz
I (58) boot: SPI Mode       : QIO
I (64) boot: SPI Flash Size : 2MB
I (70) boot: Partition Table:
I (76) boot: ## Label            Usage          Type ST Offset   Length
I (87) boot:  0 nvs              WiFi data        01 02 00009000 00006000
I (98) boot:  1 phy_init         RF data          01 01 0000f000 00001000
I (110) boot:  2 factory          factory app      00 00 00010000 000f0000
I (121) boot: End of partition table
I (128) esp_image: segment 0: paddr=0x00010010 vaddr=0x40210010 size=0x7a5b4 (501172) map
0x40210010: _stext at ??:?

I (312) esp_image: segment 1: paddr=0x0008a5cc vaddr=0x4028a5c4 size=0x17a1c ( 96796) map
I (346) esp_image: segment 2: paddr=0x000a1ff0 vaddr=0x3ffe8000 size=0x006a4 (  1700) load
I (347) esp_image: segment 3: paddr=0x000a269c vaddr=0x40100000 size=0x00080 (   128) load
I (357) esp_image: segment 4: paddr=0x000a2724 vaddr=0x40100080 size=0x056e8 ( 22248) load
I (378) boot: Loaded app from partition at offset 0x10000
I (399) system_api: Base MAC address is not set, read default base MAC address from EFUSE
I (402) system_api: Base MAC address is not set, read default base MAC address from EFUSE
phy_version: 1166.0, 7f5855b, Aug 19 2021, 15:51:14, RTOS new
I (466) phy_init: phy ver: 1166_0
I (472) example: Setting WiFi configuration SSID example.com...
V (473) wifi: index=0 value=1 flag=0
D (478) wifi: clear blacklist
V (483) wifi: index=13 value=0x3ffe905a flag=0
V (489) wifi: index=5 value=0x3ffe90c7 flag=0
V (495) wifi: index=32 value=0 flag=0
V (500) wifi: index=33 value=0 flag=0
V (506) wifi: index=37 value=0 flag=0
V (511) wifi: index=38 value=0 flag=0
V (516) wifi: index=1 value=0x3ffe905c flag=0
V (522) wifi: index=4 value= flag=0
V (527) wifi: index=6 value=0 flag=0
V (532) wifi: index=14 value=0x3ffe905c flag=0
V (539) wifi: index=8 value=0 flag=0
V (544) wifi: index=15 value=0 flag=0
V (549) wifi: index=16 value=0 flag=0
V (554) wifi: index=10 value=0 flag=0
V (559) wifi: index=18 value=0 flag=0
I (565) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable

D (574) wifi: PM RF_OFF -> RF_OFF, line: 742
I (580) wifi: mode : sta (18:fe:34:e7:f7:1f)
I (587) wifi: add if0
D (592) wifi: connect status 0 -> 0
D (597) wifi: connect status 0 -> 0
D (601) wifi: nvs=0, ssid=example.com, channel=255
D (609) wifi: ssid=example.com match nvs 0, channel=255
D (617) wifi: first chan=1
D (621) wifi: cnx_start_connect 500
D (626) wifi: connect status 0 -> 1
D (631) wifi: PM RF_OFF -> M5, line: 642
O
D (637) wifi: scan_cancel 0
D (640) wifi: scan start 507407
D (645) wifi: rd: chan=1 active max=11
D (651) wifi: scan_op_start 1
D (654) wifi: rd: chan=1 active max=11
D (660) wifi: scan_send_probe
D (664) wifi: ucast probe
D (668) wifi: send probe req on channel 1 bssid ff:ff:ff:ff:ff:ff ssid example.com
V (682) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (691) wifi: <1 13 43>
V (695) wifi: rx regdomain: <AU , 1, 13>
V (700) wifi: rx regdomain: old <AU , 1, 13> new <
D (800) wifi: scan_op_end 7 0
D (800) wifi: enter scan_done 667266 0
I (801) wifi: scandone
D (803) wifi: first chan=1
D (804) wifi: PM RF_ON -> RF_OFF, line: 678
F
D (808) wifi: cnx_start_handoff_cb
D (812) wifi: PM RF_OFF -> RF_ON, line: 716
O
D (820) wifi: cnx_connect_op
V (1785) wifi: index=14 value=0x3ffe905c flag=0
I (1787) wifi:state: 0 -> 2 (b0)
I (2787) wifi:state: 2 -> 0 (200)
D (2787) wifi: connect status 1 -> 4
D (2788) wifi: PM RF_ON -> RF_OFF, line: 700
F
D (2790) wifi: connect status 4 -> 0
D (2793) wifi: nvs=0, ssid=example.com, channel=255
D (2800) wifi: ssid=example.com match nvs 0, channel=255
D (2809) wifi: first chan=1
D (2813) wifi: cnx_start_connect 500
D (2818) wifi: connect status 0 -> 1
D (2823) wifi: PM RF_OFF -> M5, line: 642
O
D (2829) wifi: scan_cancel 0
D (2833) wifi: scan start 2700417
D (2838) wifi: rd: chan=1 active max=11
D (2843) wifi: scan_op_start 1
D (2847) wifi: rd: chan=1 active max=11
D (2853) wifi: scan_send_probe
D (2857) wifi: ucast probe
D (2861) wifi: send probe req on channel 1 bssid ff:ff:ff:ff:ff:ff ssid example.com
D (2903) wifi: find the 44:01:bb:8a:e4:ba in blacklist.

D (2993) wifi: scan_op_end 3 0
D (2993) wifi: enter oper channel, 2861347
D (2994) wifi: rd: chan=2 active max=11
D (2996) wifi: scan_op_start 2
D (2997) wifi: rd: chan=2 active max=11
D (3002) wifi: scan_send_probe
D (3006) wifi: ucast probe
D (3010) wifi: send probe req on channel 2 bssid ff:ff:ff:ff:ff:ff ssid example.com
D (3142) wifi: scan_op_end 3 0
D (3142) wifi: enter oper channel, 3010584
D (3143) wifi: rd: chan=3 active max=11
D (3145) wifi: scan_op_start 3
D (3146) wifi: rd: chan=3 active max=11
D (3151) wifi: scan_send_probe
D (3155) wifi: ucast probe
D (3159) wifi: send probe req on channel 3 bssid ff:ff:ff:ff:ff:ff ssid example.com
D (3291) wifi: scan_op_end 3 0
D (3291) wifi: enter oper channel, 3159827
D (3292) wifi: rd: chan=4 active max=11
D (3294) wifi: scan_op_start 4
D (3295) wifi: rd: chan=4 active max=11
D (3300) wifi: scan_send_probe
D (3304) wifi: ucast probe
D (3308) wifi: send probe req on channel 4 bssid ff:ff:ff:ff:ff:ff ssid example.com
D (3440) wifi: scan_op_end 3 0
D (3441) wifi: enter oper channel, 3309086
D (3441) wifi: rd: chan=5 active max=11
D (3443) wifi: scan_op_start 5
D (3444) wifi: rd: chan=5 active max=11
D (3449) wifi: scan_send_probe
D (3453) wifi: ucast probe
D (3457) wifi: send probe req on channel 5 bssid ff:ff:ff:ff:ff:ff ssid example.com
D (3590) wifi: scan_op_end 3 0
D (3590) wifi: enter oper channel, 3458319
D (3591) wifi: rd: chan=6 active max=11
D (3593) wifi: scan_op_start 6
D (3594) wifi: rd: chan=6 active max=11
D (3599) wifi: scan_send_probe
D (3603) wifi: ucast probe
D (3607) wifi: send probe req on channel 6 bssid ff:ff:ff:ff:ff:ff ssid example.com
D (3739) wifi: scan_op_end 3 0
D (3739) wifi: enter oper channel, 3607557
D (3740) wifi: rd: chan=7 active max=11
D (3742) wifi: scan_op_start 7
D (3743) wifi: rd: chan=7 active max=11
D (3748) wifi: scan_send_probe
D (3752) wifi: ucast probe
D (3756) wifi: send probe req on channel 7 bssid ff:ff:ff:ff:ff:ff ssid example.com
D (3888) wifi: scan_op_end 3 0
D (3889) wifi: enter oper channel, 3756810
D (3889) wifi: rd: chan=8 active max=11
D (3891) wifi: scan_op_start 8
D (3892) wifi: rd: chan=8 active max=11
D (3897) wifi: scan_send_probe
D (3901) wifi: ucast probe
D (3905) wifi: send probe req on channel 8 bssid ff:ff:ff:ff:ff:ff ssid example.com
V (3919) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (3929) wifi: <1 13 43>
V (3932) wifi: rx regdomain: <AU , 1, 13>
V (3938) wifi: rx regdomain: old <AU , 1, 13> new <
V (4023) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (4025) wifi: <1 13 43>
V (4025) wifi: rx regdomain: <AU , 1, 13>
D (4037) wifi: scan_op_end 7 0
D (4037) wifi: enter scan_done 3905999 0
I (4039) wifi: scandone
D (4045) wifi: first chan=1
D (4048) wifi: PM RF_ON -> RF_OFF, line: 678
F
D (4054) wifi: cnx_start_handoff_cb
D (4059) wifi: PM RF_OFF -> RF_ON, line: 716
O
D (4067) wifi: cnx_connect_op
I (4070) wifi:state: 0 -> 2 (b0)
I (4078) wifi:state: 2 -> 3 (0)
D (4085) wifi: set addr 94:83:c4:0d:9f:b6
I (4087) wifi:state: 3 -> 5 (10)
D (4093) wifi: PM RF_ON -> M0, line: 729
I (4099) wifi: add 0
I (4103) wifi: aid 1
I (4108) wpa: wpa2_task prio:2, stack:6144

I (4116) wifi: cnt 
D (4120) wifi: wpa2ep start...

D (4128) wifi: wpa2ep start...

D (4133) wifi: wpa2ep start...

D (4148) wifi: wait idle:b:2, u:4, t:0
D (4168) wifi: wpa2ep start...

I (4203) wpa: SSL: Need 1922 bytes more input data
D (4205) wifi: wait idle:b:2, u:4, t:0
D (4218) wifi: wpa2ep start...

I (4253) wpa: SSL: Need 928 bytes more input data
D (4255) wifi: PM M0 -> M4, line: 1265
D (4256) wifi: can not from M0 to M4
D (4257) wifi: air: 25984, recv: 191446
V (4262) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (4273) wifi: <1 13 43>
V (4277) wifi: rx regdomain: <AU , 1, 13>
D (4283) wifi: wait idle:b:2, u:4, t:0
D (4299) wifi: wpa2ep start...

I (4437) wpa: application data is null, adding one byte for ack
D (4439) wifi: PM M0 -> M4, line: 1265
D (4440) wifi: can not from M0 to M4
D (4442) wifi: air: 25984, recv: 376301
V (4448) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (4459) wifi: <1 13 43>
V (4463) wifi: rx regdomain: <AU , 1, 13>
D (4469) wifi: wait idle:b:2, u:4, t:0
D (4478) wifi: wpa2ep start...

I (4747) example: ~~~~~~~~~~~
I (4748) example: IP:0.0.0.0
I (4749) example: MASK:0.0.0.0
I (4749) example: GW:0.0.0.0
I (4753) example: ~~~~~~~~~~~
I (4758) example: free heap:32528

D (6472) wifi: PM M0 -> M4, line: 1265
D (6473) wifi: can not from M0 to M4
D (6474) wifi: air: 25984, recv: 2409221
V (6475) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6484) wifi: <1 13 43>
V (6488) wifi: rx regdomain: <AU , 1, 13>
D (6494) wifi: PM M0 -> M4, line: 1265
D (6499) wifi: can not from M0 to M4
D (6504) wifi: air: 25984, recv: 2439161
V (6510) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6522) wifi: <1 13 43>
V (6525) wifi: rx regdomain: <AU , 1, 13>
D (6531) wifi: PM M0 -> M4, line: 1265
D (6536) wifi: can not from M0 to M4
D (6541) wifi: air: 25984, recv: 2476675
V (6547) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6559) wifi: <1 13 43>
V (6563) wifi: rx regdomain: <AU , 1, 13>
D (6569) wifi: PM M0 -> M4, line: 1265
D (6574) wifi: can not from M0 to M4
D (6579) wifi: air: 25984, recv: 2514188
V (6585) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6597) wifi: <1 13 43>
V (6600) wifi: rx regdomain: <AU , 1, 13>
D (6606) wifi: PM M0 -> M4, line: 1265
D (6611) wifi: can not from M0 to M4
D (6616) wifi: air: 25984, recv: 2551701
V (6622) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6634) wifi: <1 13 43>
V (6638) wifi: rx regdomain: <AU , 1, 13>
D (6644) wifi: PM M0 -> M4, line: 1265
D (6649) wifi: can not from M0 to M4
D (6654) wifi: air: 25984, recv: 2589215
V (6660) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6672) wifi: <1 13 43>
V (6675) wifi: rx regdomain: <AU , 1, 13>
D (6681) wifi: PM M0 -> M4, line: 1265
D (6686) wifi: can not from M0 to M4
D (6691) wifi: air: 25984, recv: 2626729
V (6697) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6709) wifi: <1 13 43>
V (6713) wifi: rx regdomain: <AU , 1, 13>
D (6719) wifi: PM M0 -> M4, line: 1265
D (6724) wifi: can not from M0 to M4
D (6729) wifi: air: 25984, recv: 2664242
V (6735) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6747) wifi: <1 13 43>
V (6750) wifi: rx regdomain: <AU , 1, 13>
D (6756) wifi: PM M0 -> M4, line: 1265
D (6761) wifi: can not from M0 to M4
D (6766) wifi: air: 25984, recv: 2701757
V (6772) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6784) wifi: <1 13 43>
V (6788) wifi: rx regdomain: <AU , 1, 13>
D (6794) wifi: wait idle:b:2, u:4, t:0
I (6800) example: ~~~~~~~~~~~
D (6804) wifi: wpa2ep start...

I (6809) example: IP:0.0.0.0
I (6814) example: MASK:0.0.0.0
I (6820) example: GW:0.0.0.0
I (6826) example: ~~~~~~~~~~~
I (6831) example: free heap:30064

I (6845) wpa: application data is null, adding one byte for ack
D (6865) wifi: wait idle:b:2, u:4, t:0
D (6870) wifi: wpa2ep start...

D (6880) wifi: wpa2ep start...

D (6899) wifi: PM M0 -> M4, line: 1265
D (6901) wifi: can not from M0 to M4
D (6901) wifi: air: 25984, recv: 2835810
V (6903) wifi: rx regdomain, bss=0x3ffe8a14 ie=7 len=6 cc[0]=A cc[1]=U location=  ngroup=1
V (6912) wifi: <1 13 43>
V (6915) wifi: rx regdomain: <AU , 1, 13>
D (6921) wifi: wait idle:b:2, u:4, t:0
D (6931) wifi: wpa2ep start...

D (6945) wifi: wpa2ep start...

I (6950) wpa: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
D (6954) wifi: wait idle:b:2, u:4, t:0
D (6959) wifi: wpa2ep start...

I (6961) wpa: >>>>>wpa2 FINISH

D (6963) wifi: wpa2ep start...

E (6975) wpa: RSN: PMKSA cache entry found - PMKID - hexdump(len=16):
E (6978) wpa: ee 65 cd a0 2c ad ec 38 56 4a b0 8c 8b 0c 7a 00 
D (6998) wifi: wait idle:b:2, u:4, t:0

Stack smashing protect failure!

abort() was called at PC 0x40222D (7003) wifi: wpa2ep start...
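Added example (not part of the issue or the SDK): a Python triage helper for `make monitor` output like the logs above. It pulls out the stack-protector event, the abort PC, the backtrace and the last log line before the failure. An abort PC is accepted only when its trailing "on core N" is present, because interleaved output such as the last line of the WiFi-debug log can run a cut-off address into a `D (...)` log prefix that still parses as hex. The function names and both sample strings are constructed for this example.

```python
import re

GUARD_MSG = "Stack smashing protect failure!"
HANDLER_SYMBOLS = {"abort", "__stack_chk_fail"}

LOG_RE = re.compile(r"^([IWEDV]) \((\d+)\) ([^:]+): ?(.*)$")
# " on core N" is optional in the pattern so that a cut-off line still matches.
ABORT_RE = re.compile(r"abort\(\) was called at PC (0x[0-9a-fA-F]+)( on core \d+)?")
BT_RE = re.compile(r"(0x[0-9a-fA-F]{8}):(0x[0-9a-fA-F]{8})")
SYM_RE = re.compile(r"^(0x[0-9a-fA-F]{8}): (\S+) at (.+)$")

# Constructed sample: a shortened copy of the first log in this thread.
SAMPLE_LOG = """\
I (4478) example: ~~~~~~~~~~~
I (4483) example: free heap:30692

Stack smashing protect failure!

abort() was called at PC 0x4021fe6e on core 0

Backtrace: 0x4022298a:0x3ffec620 0x4021fe71:0x3ffec630 0x40221d5c:0x3ffec640 0x40221e65:0x3ffec660 
0x4022298a: abort at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/newlib/src/syscall.c:69 (discriminator 1)
0x4021fe71: __stack_chk_fail at ??:?
0x40221d5c: prvProcessTimerOrBlockTask at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/freertos/freertos/timers.c:595
0x40221e65: prvTimerTask at /home/geoff/Projects/esp8266/toolchain/ESP8266_RTOS_SDK/components/freertos/freertos/timers.c:533 (discriminator 1)
"""

# Constructed sample: the tail of the WiFi-debug log, where the abort line is
# interleaved with the next debug message and the PC is cut short.
TRUNCATED_LOG = """\
D (6998) wifi: wait idle:b:2, u:4, t:0

Stack smashing protect failure!

abort() was called at PC 0x40222D (7003) wifi: wpa2ep start...
"""


def parse_panic(text):
    """Summarise one monitor capture as a dict."""
    report = {
        "guard_tripped": False,    # stack-protector message seen
        "abort_pc": None,          # int, only when the abort line is complete
        "abort_truncated": False,  # abort line present but cut off
        "backtrace": [],           # [(pc, sp), ...] in printed order
        "symbols": {},             # pc -> (function, location)
        "last_event": None,        # (timestamp, tag, message) before the failure
    }
    for raw in text.splitlines():
        line = raw.strip()
        if GUARD_MSG in line:
            report["guard_tripped"] = True
            continue
        m = ABORT_RE.search(line)
        if m:
            if m.group(2):
                report["abort_pc"] = int(m.group(1), 16)
            else:
                # "0x40222D (7003)" parses as hex 0x40222D, but the D is the
                # level letter of the next log line, so the value is discarded.
                report["abort_truncated"] = True
            continue
        if line.startswith("Backtrace:"):
            report["backtrace"] = [(int(pc, 16), int(sp, 16))
                                   for pc, sp in BT_RE.findall(line)]
            continue
        m = SYM_RE.match(line)
        if m:
            report["symbols"][int(m.group(1), 16)] = (m.group(2), m.group(3))
            continue
        m = LOG_RE.match(line)
        if m and not report["guard_tripped"]:
            report["last_event"] = (int(m.group(2)), m.group(3), m.group(4))
    return report


def first_caller_frame(report):
    """First backtrace entry that is not abort/__stack_chk_fail, as (pc, name)."""
    for pc, _sp in report["backtrace"]:
        name = report["symbols"].get(pc, (None, None))[0]
        if name not in HANDLER_SYMBOLS:
            return pc, name
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, TRUNCATED_LOG):
        summary = parse_panic(sample)
        print(summary["guard_tripped"], summary["abort_pc"],
              summary["abort_truncated"], first_caller_frame(summary))
```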

gnif commented 2 years ago

Further to this, eventually the device falls off the wireless due to the following re-authentication if I operate without stack smash protection.

D (2872441) wifi: wpa2ep start...                                                                                                                           

D (2872442) wpa: IEEE 802.1X RX: version=2 type=0 length=934     

V (2872444) wpa: WPA2: RX EAPOL-EAP PACKET - hexdump(len=938):                                                                                              
D (2872787) wpa: SSL: Received packet(len=934) - Flags 0x00                                                                                                 
I (2872792) wpa: SSL: Could not allocate memory for TLS data                                                                                                
E (2872798) wpa: Response build fail, return.                                                                                                               
D (2872803) wpa: WPA2: wifi->wpa2 api completed sig(1)                                                                                                      
D (2872808) wpa: WPA2: wpa2 api return, sm->state(1)