From b7d599984bc5fc65459e8959d46efc76615ce8d4 Mon Sep 17 00:00:00 2001
From: alanmaxwell <chenjianxing@espressif.com>
Date: Fri, 25 Aug 2023 15:30:33 +0800
Subject: [PATCH 1/2] fix(wifi): optimize wifi bin size and fix some issue

1.Optimize bin size for STA only mode
2.Change fragment threshold to 256
3.Support fragment for LR mode
4.Fix ampdu duration issue
5.Fix rx fragment fail in Open mode.
---
 components/esp_rom/esp32c2/ld/esp32c2.rom.ld  | 12 ++--
 .../esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld    |  8 +--
 components/esp_rom/esp32c3/ld/esp32c3.rom.ld  |  6 +-
 .../esp_rom/esp32c6/ld/esp32c6.rom.pp.ld      |  4 +-
 components/esp_rom/esp32s3/ld/esp32s3.rom.ld  |  6 +-
 components/esp_wifi/lib                       |  2 +-
 components/esp_wifi/src/wifi_init.c           | 70 +++++++++++++++++++
 7 files changed, 89 insertions(+), 19 deletions(-)

diff --git a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
index 2f1f246dd0f..04f99f44e4a 100644
--- a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
+++ b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
@@ -1536,10 +1536,10 @@ pm_on_tbtt = 0x40001ba8;
 pm_sleep_for = 0x40001bc0;
 /* pm_tbtt_process = 0x40001bc4; */
 ppAMPDU2Normal = 0x40001bc8;
-ppAssembleAMPDU = 0x40001bcc;
+/*ppAssembleAMPDU = 0x40001bcc;*/
 ppCalFrameTimes = 0x40001bd0;
 ppCalSubFrameLength = 0x40001bd4;
-ppCalTxAMPDULength = 0x40001bd8;
+/*ppCalTxAMPDULength = 0x40001bd8;*/
 ppCheckTxAMPDUlength = 0x40001bdc;
 ppDequeueRxq_Locked = 0x40001be0;
 ppDequeueTxQ = 0x40001be4;
@@ -1559,8 +1559,8 @@ ppRecycleAmpdu = 0x40001c18;
 ppRecycleRxPkt = 0x40001c1c;
 ppResortTxAMPDU = 0x40001c20;
 ppResumeTxAMPDU = 0x40001c24;
-ppRxFragmentProc = 0x40001c28;
-ppRxPkt = 0x40001c2c;
+/*ppRxFragmentProc = 0x40001c28;*/
+/* ppRxPkt = 0x40001c2c; */
 ppRxProtoProc = 0x40001c30;
 ppSearchTxQueue = 0x40001c34;
 ppSearchTxframe = 0x40001c38;
@@ -1588,7 +1588,7 @@ rcLowerSched = 0x40001c8c;
 rcSetTxAmpduLimit = 0x40001c90;
 /* rcTxUpdatePer = 0x40001c94;*/
 rcUpdateAckSnr = 0x40001c98;
-rcUpdateRate = 0x40001c9c;
+/*rcUpdateRate = 0x40001c9c;*/
 rcUpdateTxDone = 0x40001ca0;
 rcUpdateTxDoneAmpdu2 = 0x40001ca4;
 rcUpSched = 0x40001ca8;
@@ -1663,7 +1663,7 @@ lmacRetryTxFrame = 0x40001db8;
 lmacProcessCollisions_task = 0x40001dbc;
 /*lmacProcessTxopQComplete = 0x40001dc0;*/
 lmacInitAc = 0x40001dc4;
-lmacInit = 0x40001dc8;
+/*lmacInit = 0x40001dc8;*/
 mac_tx_set_txop_q = 0x40001dcc;
 /*hal_init = 0x40001dd0;*/
 hal_mac_rx_set_policy = 0x40001dd4;
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
index 97bcffc8bb6..1c265769fd9 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco7.ld
@@ -19,12 +19,12 @@ pm_parse_beacon = 0x40001688;
 pm_process_tim = 0x4000168c;
 pm_rx_beacon_process = 0x40001690;
 pm_rx_data_process = 0x40001694;
-pm_sleep = 0x40001698;
-pm_tbtt_process = 0x400016a0;
+/* pm_sleep = 0x40001698;*/
+/* pm_tbtt_process = 0x400016a0;*/
 ppMapTxQueue = 0x400016d8;
 ppProcTxSecFrame = 0x400016dc;
-ppRxFragmentProc = 0x40001704;
-rcGetSched = 0x40001764;
+/*ppRxFragmentProc = 0x40001704;*/
+/* rcGetSched = 0x40001764;*/
 rcTxUpdatePer = 0x40001770;
 rcUpdateTxDone = 0x4000177c;
 wDevCheckBlockError = 0x400017b4;
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
index ddbbdb2230d..72ca93e15ec 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
@@ -1559,10 +1559,10 @@ pm_on_tbtt = 0x40001684;
 pm_sleep_for = 0x4000169c;
 /* pm_tbtt_process = 0x400016a0; */
 ppAMPDU2Normal = 0x400016a4;
-ppAssembleAMPDU = 0x400016a8;
+/*ppAssembleAMPDU = 0x400016a8;*/
 ppCalFrameTimes = 0x400016ac;
 ppCalSubFrameLength = 0x400016b0;
-ppCalTxAMPDULength = 0x400016b4;
+/*ppCalTxAMPDULength = 0x400016b4;*/
 ppCheckTxAMPDUlength = 0x400016b8;
 ppDequeueRxq_Locked = 0x400016bc;
 ppDequeueTxQ = 0x400016c0;
@@ -1608,7 +1608,7 @@ rcLowerSched = 0x40001768;
 rcSetTxAmpduLimit = 0x4000176c;
 /* rcTxUpdatePer = 0x40001770;*/
 rcUpdateAckSnr = 0x40001774;
-rcUpdateRate = 0x40001778;
+/*rcUpdateRate = 0x40001778;*/
 /* rcUpdateTxDone = 0x4000177c; */
 rcUpdateTxDoneAmpdu2 = 0x40001780;
 rcUpSched = 0x40001784;
diff --git a/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld b/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
index 61a4f4e10d6..0bd51bb71f2 100644
--- a/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
+++ b/components/esp_rom/esp32c6/ld/esp32c6.rom.pp.ld
@@ -100,7 +100,7 @@ ppRecycleAmpdu = 0x40000d10;
 ppRecycleRxPkt = 0x40000d14;
 //ppResortTxAMPDU = 0x40000d18;
 ppResumeTxAMPDU = 0x40000d1c;
-ppRxFragmentProc = 0x40000d20;
+/*ppRxFragmentProc = 0x40000d20;*/
 //ppRxPkt = 0x40000d24;
 ppRxProtoProc = 0x40000d28;
 ppSearchTxQueue = 0x40000d2c;
@@ -129,7 +129,7 @@ rcLowerSched = 0x40000d84;
 rcSetTxAmpduLimit = 0x40000d88;
 rcTxUpdatePer = 0x40000d8c;
 rcUpdateAckSnr = 0x40000d90;
-rcUpdateRate = 0x40000d94;
+/*rcUpdateRate = 0x40000d94;*/
 rcUpdateTxDone = 0x40000d98;
 rcUpdateTxDoneAmpdu2 = 0x40000d9c;
 rcUpSched = 0x40000da0;
diff --git a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
index 75d1c3ddbac..15b2cbd52cb 100644
--- a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
+++ b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
@@ -1861,10 +1861,10 @@ pm_on_tbtt = 0x400054cc;
 pm_sleep_for = 0x40005514;
 /* pm_tbtt_process = 0x40005520; */
 ppAMPDU2Normal = 0x4000552c;
-ppAssembleAMPDU = 0x40005538;
+/*ppAssembleAMPDU = 0x40005538;*/
 ppCalFrameTimes = 0x40005544;
 ppCalSubFrameLength = 0x40005550;
-ppCalTxAMPDULength = 0x4000555c;
+/*ppCalTxAMPDULength = 0x4000555c;*/
 ppCheckTxAMPDUlength = 0x40005568;
 ppDequeueRxq_Locked = 0x40005574;
 ppDequeueTxQ = 0x40005580;
@@ -1912,7 +1912,7 @@ rcLowerSched = 0x40005778;
 rcSetTxAmpduLimit = 0x40005784;
 /* rcTxUpdatePer = 0x40005790;*/
 rcUpdateAckSnr = 0x4000579c;
-rcUpdateRate = 0x400057a8;
+/*rcUpdateRate = 0x400057a8;*/
 /* rcUpdateTxDone = 0x400057b4; */
 rcUpdateTxDoneAmpdu2 = 0x400057c0;
 rcUpSched = 0x400057cc;
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index b75e61ea71c..8c6662224e3 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit b75e61ea71cffae1b9cdea6494e170c980c4317b
+Subproject commit 8c6662224e36879fa33945009641bde405cb4c58
diff --git a/components/esp_wifi/src/wifi_init.c b/components/esp_wifi/src/wifi_init.c
index 37588a0542f..fbe2be440e6 100644
--- a/components/esp_wifi/src/wifi_init.c
+++ b/components/esp_wifi/src/wifi_init.c
@@ -391,7 +391,77 @@ void ieee80211_ftm_attach(void)
 #ifndef CONFIG_ESP_WIFI_SOFTAP_SUPPORT
 void net80211_softap_funcs_init(void)
 {
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+bool ieee80211_ap_try_sa_query(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return false;
+}
+
+bool ieee80211_ap_sa_query_timeout(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return false;
+}
+
+int add_mic_ie_bip(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return 0;
+}
+
+void ieee80211_free_beacon_eb(void)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+int ieee80211_pwrsave(void *p1, void *p2)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return 0;
+}
+
+void cnx_node_remove(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
 }
+
+int ieee80211_set_tim(void *p, int arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return 0;
+}
+
+bool ieee80211_is_bufferable_mmpdu(void *p)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return false;
+}
+
+void cnx_node_leave(void *p, uint8_t arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+void ieee80211_beacon_construct(void *p1, void *p2, void *p3, void *p4)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+}
+
+void * ieee80211_assoc_resp_construct(void *p, int arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return NULL;
+}
+
+void * ieee80211_alloc_proberesp(void *p, int arg)
+{
+    /* Do not remove, stub to overwrite weak link in Wi-Fi Lib */
+    return NULL;
+}
+
 #endif
 
 #ifndef CONFIG_ESP_WIFI_NAN_ENABLE

From b3c712356874183a2c24aa72d4bf58b5ad32730c Mon Sep 17 00:00:00 2001
From: Kapil Gupta <kapil.gupta@espressif.com>
Date: Wed, 18 Oct 2023 18:20:48 +0530
Subject: [PATCH 2/2] fix(esp_wifi): Drop fragmented AMPDU(fixCVE-2020-26142)

---
 components/esp_rom/esp32c3/ld/esp32c3.rom.ld | 2 +-
 components/esp_rom/esp32s3/ld/esp32s3.rom.ld | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
index 72ca93e15ec..21d1db799a3 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld
@@ -1581,7 +1581,7 @@ ppRecycleRxPkt = 0x400016f8;
 ppResortTxAMPDU = 0x400016fc;
 ppResumeTxAMPDU = 0x40001700;
 /* ppRxFragmentProc = 0x40001704; */
-ppRxPkt = 0x40001708;
+/* ppRxPkt = 0x40001708; */
 ppRxProtoProc = 0x4000170c;
 ppSearchTxQueue = 0x40001710;
 ppSearchTxframe = 0x40001714;
diff --git a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
index 15b2cbd52cb..fc514b44eaa 100644
--- a/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
+++ b/components/esp_rom/esp32s3/ld/esp32s3.rom.ld
@@ -1884,7 +1884,7 @@ ppRecycleRxPkt = 0x40005628;
 ppResortTxAMPDU = 0x40005634;
 ppResumeTxAMPDU = 0x40005640;
 /* ppRxFragmentProc = 0x4000564c; */
-ppRxPkt = 0x40005658;
+/* ppRxPkt = 0x40005658; */
 ppRxProtoProc = 0x40005664;
 ppSearchTxQueue = 0x40005670;
 ppSearchTxframe = 0x4000567c;