From 59499c73611c9c338cae97fb0c1fca5894653e1f Mon Sep 17 00:00:00 2001
From: David Gauchard
Date: Mon, 27 Jul 2020 00:09:26 +0200
Subject: [PATCH 1/3] backport #7486
---
 libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp b/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
index 41d771fb6a..2a5f96cb5d 100644
--- a/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
+++ b/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
@@ -233,6 +233,16 @@ void ESP8266WiFiGenericClass::_eventCallback(void* arg)
 WiFiClient::stopAll();
 }
+ if (event->event == EVENT_STAMODE_AUTHMODE_CHANGE) {
+ auto& src = event->event_info.auth_change;
+ if ((src.old_mode != AUTH_OPEN) && (src.new_mode == AUTH_OPEN)) {
+ // CVE-2020-12638 workaround. When we get a change to AUTH_OPEN from any other mode, drop the WiFi link because it's a downgrade attack
+ // TODO - When upgrading to 3.x.x with fix, remove this code
+ DEBUG_WIFI("WIFI_EVENT_STAMODE_AUTHMODE_CHANGE from encrypted(%d) to AUTH_OPEN, potential downgrade attack. Reconnecting WiFi. See CVE-2020-12638 for more details\n", src.old_mode);
+ WiFi.reconnect(); // Disconnects from STA and then reconnects
+ }
+ }
+
 for(auto it = std::begin(sCbEventList); it != std::end(sCbEventList); ) {
 WiFiEventHandler &handler = *it;
 if (handler->canExpire() && handler.unique()) {
From 4ac1608573b52f92a797c78db5e76b4c3b7feb34 Mon Sep 17 00:00:00 2001
From: David Gauchard
Date: Mon, 27 Jul 2020 00:10:09 +0200
Subject: [PATCH 2/3] backport #7487
---
 cores/esp8266/Updater.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cores/esp8266/Updater.cpp b/cores/esp8266/Updater.cpp
index 351a57746b..03bc5c3f8f 100644
--- a/cores/esp8266/Updater.cpp
+++ b/cores/esp8266/Updater.cpp
@@ -35,6 +35,7 @@ UpdaterClass::UpdaterClass()
 , _startAddress(0)
 , _currentAddress(0)
 , _command(U_FLASH)
+, _ledPin(-1)
 , _hash(nullptr)
 , _verify(nullptr)
 , _progress_callback(nullptr)
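Review bot: In the `EVENT_STAMODE_AUTHMODE_CHANGE` branch added to `_eventCallback` (ESP8266WiFiGeneric.cpp), the result of `WiFi.reconnect()` is discarded, so if either the disconnect or the reconnect step fails the station may stay on the link that was just downgraded to AUTH_OPEN and nothing records it. Checking the return value would make the workaround fail visibly, for example `if (!WiFi.reconnect()) { DEBUG_WIFI("reconnect after auth downgrade failed\n"); }`. The only trace of a detected downgrade is the `DEBUG_WIFI` message, which is presumably compiled out of non-debug builds, so it is worth confirming that production firmware has some other way to notice the event. The body of `_eventCallback` starts and ends outside the hunk.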
From 5d3af165522042a48f6db9b0b920fcb5ad16a69d Mon Sep 17 00:00:00 2001
From: David Gauchard
Date: Mon, 27 Jul 2020 00:10:32 +0200
Subject: [PATCH 3/3] backport #7488
---
 cores/esp8266/heap.cpp | 2 +-
 cores/esp8266/umm_malloc/umm_local.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cores/esp8266/heap.cpp b/cores/esp8266/heap.cpp
index 2001579ef0..3f549716f4 100644
--- a/cores/esp8266/heap.cpp
+++ b/cores/esp8266/heap.cpp
@@ -164,7 +164,7 @@ void ICACHE_RAM_ATTR print_loc(size_t size, const char* file, int line)
 if (inISR && (uint32_t)file >= 0x40200000) {
 DEBUG_HEAP_PRINTF("File: %p", file);
 } else if (!inISR && (uint32_t)file >= 0x40200000) {
- char buf[ets_strlen(file)] __attribute__ ((aligned(4)));
+ char buf[ets_strlen(file) + 1] __attribute__((aligned(4)));
 ets_strcpy(buf, file);
 DEBUG_HEAP_PRINTF(buf);
 } else {
diff --git a/cores/esp8266/umm_malloc/umm_local.c b/cores/esp8266/umm_malloc/umm_local.c
index 8f83f4b4ac..392ef13c8f 100644
--- a/cores/esp8266/umm_malloc/umm_local.c
+++ b/cores/esp8266/umm_malloc/umm_local.c
@@ -206,7 +206,7 @@ int ICACHE_FLASH_ATTR umm_info_safe_printf_P(const char *fmt, ...) {
 the PROGMEM address must be word (4 bytes) aligned. The destination address for ets_memcpy must also be word-aligned. */
- char ram_buf[ets_strlen(fmt)] __attribute__ ((aligned(4)));
+ char ram_buf[ets_strlen(fmt) + 1] __attribute__((aligned(4)));
 ets_strcpy(ram_buf, fmt);
 va_list argPtr;
 va_start(argPtr, fmt);
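Review bot: In `print_loc` (cores/esp8266/heap.cpp) the copied file name is still passed as the format string, `DEBUG_HEAP_PRINTF(buf);`, so any `%` in the path would be parsed as a conversion specifier and would read arguments that were never supplied. The sibling branch already uses a literal format (`"File: %p"`), and the same shape works here: `DEBUG_HEAP_PRINTF("%s", buf);`. A short comment on the resized declaration, `// +1 for the NUL that ets_strcpy writes`, would also keep the sizing from being simplified away later. `print_loc` starts and ends outside the hunk.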
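Review bot: `char ram_buf[ets_strlen(fmt) + 1]` in `umm_info_safe_printf_P` (cores/esp8266/umm_malloc/umm_local.c) is a variable-length array sized directly from the length of `fmt` with no upper bound, so a long format string becomes an equally large stack allocation on a target where stack space is presumably scarce. Comparing `ets_strlen(fmt)` against a project-chosen maximum before the declaration, and returning early when it is exceeded, would turn a possible stack overrun into a dropped message. The same unbounded pattern is in `print_loc` in heap.cpp. The existing comment explains the alignment requirement but not the extra byte; `/* +1: room for the terminating NUL copied by ets_strcpy */` would document it. The function starts and ends outside the hunk.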