search

espressif / esp-idf

Espressif IoT Development Framework. Official development framework for Espressif SoCs.
Apache License 2.0
13.41k stars 7.25k forks source link

[TW#18499] Heap corruption when trying to connect to WAP2-Enterprise AP #1569

Closed itc-jalonso closed 6 years ago

itc-jalonso commented 6 years ago

I'm facing a heap corruption problem when trying to connect to a WPA2-Enterprise that uses a Radius server in "esp-idf v3.1-dev-282-g5b1f869-dirty".

The issue only appears when "Heap corruption detection" is configured as "Comprehensive" and does not appear when connecting to any WPA2 AP without Radius authentication (whatever the "Heap corruption detection" configuration is).

Following is the logged data:

I (11750) wifi: mode : sta (xx:xx:xx:xx:xx:xx)
I (12478) wifi: n:6 2, o:1 0, ap:255 255, sta:6 2, prof:1
I (13137) wifi: state: init -> auth (b0)
I (13140) wifi: state: auth -> assoc (0)
I (13146) wifi: state: assoc -> run (10)
I (13147) wpa: wpa2_task prio:2, stack:6656

I (13346) wpa: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
I (13355) wpa: >>>>>wpa2 FINISH

I (13367) wpa: wpa2 task delete

CORRUPT HEAP: Invalid data at 0x3ffdbe3c. Expected 0xfefefefe got 0xfefefefd
CORRUPT HEAP: Invalid data at 0x3ffdbe48. Expected 0xfefefefe got 0x3ffdbe44
CORRUPT HEAP: Invalid data at 0x3ffdbe4c. Expected 0xfefefefe got 0x3ffdbe44
assertion "verify_fill_pattern(data, size, true, true, true)" failed: file "/home/user/esp32/esp-idf/components/heap/./multi_heap_poisoning.c", line 185, function: multi_heap_malloc
abort() was called at PC 0x401314e3 on core 0

Backtrace: 0x40088afc:0x3ffcf000 0x40088c97:0x3ffcf020 0x401314e3:0x3ffcf040 0x40088779:0x3ffcf070 0x400828b8:0x3ffcf090 0x400828e9:0x3ffcf0b0 0x40083109:0x3ffcf0d0 0x400832e9:0x3ffcf150 0x40084825:0x3ffcf170 0x400f4db6:0x3ffcf190 0x400f2f2a:0x3ffcf1d0 0x400f425e:0x3ffcf210 0x400e8f02:0x3ffcf2a0 0x400eb1f5:0x3ffcf2d0

CPU halted.

0x40088afc: invoke_abort at /home/user/esp32/esp-idf/components/esp32/./panic.c:648
0x40088c97: abort at /home/user/esp32/esp-idf/components/esp32/./panic.c:648
0x401314e3: __assert_func at /Users/ivan/e/newlib_xtensa-2.2.0-bin/newlib_xtensa-2.2.0/xtensa-esp32-elf/newlib/libc/stdlib/../../../.././newlib/libc/stdlib/assert.c:63 (discriminator 8)
0x40088779: multi_heap_malloc at /home/user/esp32/esp-idf/components/heap/./multi_heap_poisoning.c:353
0x400828b8: heap_caps_malloc at /home/user/esp32/esp-idf/components/heap/./heap_caps.c:136
0x400828e9: heap_caps_malloc_default at /home/user/esp32/esp-idf/components/heap/./heap_caps.c:136
0x40083109: trace_malloc at /home/user/esp32/esp-idf/components/heap/./heap_trace.c:324
0x400832e9: __wrap_malloc at /home/user/esp32/esp-idf/components/heap/./heap_trace.c:392
0x40084825: wifi_malloc at /home/user/esp32/esp-idf/components/esp32/./wifi_internal.c:28
0x400f4db6: ppInstallKey at ??:?
0x400f2f2a: wpa_parse_kde_ies at ??:?
0x400f425e: eapol_txcb at ??:?
0x400e8f02: ppProcTxDone at ??:?
0x400eb1f5: ppTask at ??:?
itc-jalonso commented 6 years ago

Issue also happens with latest commit: "esp-idf v3.1-dev-304-gd8c8050-dirty".

ghost commented 6 years ago

This problem can easily be reproduced with wpa2_enterprise example code and an AP running hostapd. Certs/keys from example code and default ssid, username etc are used.

Attaching hostapd.conf used.

hostapd_conf.tar.gz