Merge pull request #2 from esp8266/2.7.3

Jason2866 · web-flow · commit f5ea352d903a · 2020-07-27T08:09:49.000+02:00
Backports: Correct stack string buffer length. (esp8266#7488) …
diff --git a/cores/esp8266/Updater.cpp b/cores/esp8266/Updater.cpp
@@ -35,6 +35,7 @@ UpdaterClass::UpdaterClass()
 , _startAddress(0)
 , _currentAddress(0)
 , _command(U_FLASH)
+, _ledPin(-1)
 , _hash(nullptr)
 , _verify(nullptr)
 , _progress_callback(nullptr)
diff --git a/cores/esp8266/heap.cpp b/cores/esp8266/heap.cpp
@@ -164,7 +164,7 @@ void ICACHE_RAM_ATTR print_loc(size_t size, const char* file, int line)
         if (inISR && (uint32_t)file >= 0x40200000) {
             DEBUG_HEAP_PRINTF("File: %p", file);
         } else if (!inISR && (uint32_t)file >= 0x40200000) {
-            char buf[ets_strlen(file)] __attribute__ ((aligned(4)));
+            char buf[ets_strlen(file) + 1] __attribute__((aligned(4)));
             ets_strcpy(buf, file);
             DEBUG_HEAP_PRINTF(buf);
         } else {
diff --git a/cores/esp8266/umm_malloc/umm_local.c b/cores/esp8266/umm_malloc/umm_local.c
@@ -206,7 +206,7 @@ int ICACHE_FLASH_ATTR umm_info_safe_printf_P(const char *fmt, ...) {
       the PROGMEM address must be word (4 bytes) aligned. The destination
       address for ets_memcpy must also be word-aligned.
     */
-    char ram_buf[ets_strlen(fmt)] __attribute__ ((aligned(4)));
+    char ram_buf[ets_strlen(fmt) + 1] __attribute__((aligned(4)));
     ets_strcpy(ram_buf, fmt);
     va_list argPtr;
     va_start(argPtr, fmt);
diff --git a/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp b/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
@@ -233,6 +233,16 @@ void ESP8266WiFiGenericClass::_eventCallback(void* arg)
         WiFiClient::stopAll();
     }
 
+    if (event->event == EVENT_STAMODE_AUTHMODE_CHANGE) {
+        auto& src = event->event_info.auth_change;
+        if ((src.old_mode != AUTH_OPEN) && (src.new_mode == AUTH_OPEN)) {
+            // CVE-2020-12638 workaround.  When we get a change to AUTH_OPEN from any other mode, drop the WiFi link because it's a downgrade attack
+            // TODO - When upgrading to 3.x.x with fix, remove this code
+            DEBUG_WIFI("WIFI_EVENT_STAMODE_AUTHMODE_CHANGE from encrypted(%d) to AUTH_OPEN, potential downgrade attack. Reconnecting WiFi. See CVE-2020-12638 for more details\n", src.old_mode);
+            WiFi.reconnect();  // Disconnects from STA and then reconnects
+        }
+    }
+
     for(auto it = std::begin(sCbEventList); it != std::end(sCbEventList); ) {
         WiFiEventHandler &handler = *it;
         if (handler->canExpire() && handler.unique()) {
