Skip to content

fix(network_provisioning): adds more checks for received messages#711

Merged
mahavirj merged 1 commit intoespressif:masterfrom
Ashish285:fix/fix_network_provisioning_possible_null_dereference
Apr 14, 2026
Merged

fix(network_provisioning): adds more checks for received messages#711
mahavirj merged 1 commit intoespressif:masterfrom
Ashish285:fix/fix_network_provisioning_possible_null_dereference

Conversation

@Ashish285
Copy link
Copy Markdown
Collaborator

@Ashish285 Ashish285 commented Mar 26, 2026

Checklist

  • CI passing

Change description

This PR adds in more input validations and fixes some memory issues

  1. Possible NULL dereference in malformed protobuf messages
  2. Possible buffer overflow in Thread cmd_set_config_handler
  3. Memory leak in Wifi scan result cleanup
  4. Possible NULL dereference after malloc failure for network name

@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 03:57
@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from 6452a90 to 186c4d9 Compare March 26, 2026 03:58
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the network provisioning protobuf handlers by adding input validation for malformed/incorrectly-shaped messages and tightening up memory management during scan/config operations.

Changes:

  • Added payload_case + pointer validation before dereferencing command payloads (WiFi/Thread scan + config set handlers).
  • Prevented Thread dataset copy when the incoming dataset length exceeds the fixed buffer.
  • Fixed a leak in WiFi scan result cleanup by freeing each allocated entry struct.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
network_provisioning/src/network_scan.c Adds request payload validation; adds an OOM return in Thread scan result path; fixes WiFi scan result entry cleanup leak.
network_provisioning/src/network_config.c Adds request payload validation for set-config commands; moves Thread dataset memcpy behind a length check to avoid overflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from 186c4d9 to dca0077 Compare March 26, 2026 04:25
@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 04:25
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

network_provisioning/src/network_scan.c:259

  • resp_payload->n_entries is set to the requested count before the loop, but the loop can break early on errors, leaving NULL (or partially initialized) entries while n_entries still indicates they are present. protobuf-c will attempt to pack all n_entries elements and can crash when it hits a NULL element or a bytes field with len>0 and data==NULL. Track the number of successfully built entries and set n_entries accordingly; on per-entry failure, free/NULL out the partially built entry and exclude it from n_entries.
        resp_payload->entries = results;
        resp_payload->n_entries = req->cmd_scan_wifi_result->count;

        /* If req->cmd_scan_wifi_result->count is 0, the below loop will
        * be skipped.
        */
        for (uint16_t i = 0; i < req->cmd_scan_wifi_result->count; i++) {
            if (!h->wifi_scan_result) {
                resp->status = STATUS__InternalError;
                break;

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from dca0077 to 613560a Compare March 26, 2026 04:54
@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 04:55
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from 613560a to d3aa8f4 Compare March 26, 2026 05:18
@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 05:18
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from d3aa8f4 to 6c5fe6b Compare March 26, 2026 05:32
@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 05:38
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

AdityaHPatwardhan
AdityaHPatwardhan reviewed Mar 26, 2026
View reviewed changes
@AdityaHPatwardhan
Copy link
Copy Markdown
Collaborator

AdityaHPatwardhan commented Mar 26, 2026

@Ashish285 minor comments, but otherwise MR LGTM.
Thanks for fixing and improving the error messages.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch 2 times, most recently from 30b9c4f to 55b82a2 Compare March 26, 2026 10:10
@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 10:11
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from 55b82a2 to 156da7f Compare March 26, 2026 10:32
@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 10:32
@Ashish285
Copy link
Copy Markdown
Collaborator Author

Ashish285 commented Mar 26, 2026

I did some tests to check if the memory leak was indeed there. To create "memory leaks", I just set one buffer check after malloc to be always true, so it thinks that the malloc failed. These are the results

On current master:

  1. First session: Heap before: 196448 after: 196400 delta: -48
  2. Second: Heap before: 196328 after: 196284 delta: -44
  3. Third: Heap before: 196232 after: 196172 delta: -60
Complete Logs

I (16177) app: Secured session established!
I (21417) proto_network_scan: Heap before: 197220 after: 196552 delta: -668
I (21587) proto_network_scan: Heap before: 196476 after: 196508 delta: 32
E (21787) proto_network_scan: Failed to allocate memory for scan result entry SSID
E (21787) proto_network_scan: Error executing command handler
E (21787) proto_network_scan: Command dispatcher error -1
E (21787) proto_network_scan: Unsupported response type in cleanup_handler
I (21797) proto_network_scan: Heap before: 196448 after: 196400 delta: -48
E (21807) protocomm: Request handler for prov-scan failed
E (21807) protocomm_nimble: Invalid content received, killing connection
W (25587) security2: Invalid state of session 0 (expected 2). Restarting session.
E (25587) security2: Closing old session with id 1
I (25587) security2: Using salt and verifier to generate public key...
I (26217) app: Secured session established!
I (31457) proto_network_scan: Heap before: 196344 after: 196392 delta: 48
I (31627) proto_network_scan: Heap before: 196364 after: 196396 delta: 32
E (31827) proto_network_scan: Failed to allocate memory for scan result entry SSID
E (31827) proto_network_scan: Error executing command handler
E (31827) proto_network_scan: Command dispatcher error -1
E (31837) proto_network_scan: Unsupported response type in cleanup_handler
I (31837) proto_network_scan: Heap before: 196328 after: 196284 delta: -44
E (31847) protocomm: Request handler for prov-scan failed
E (31847) protocomm_nimble: Invalid content received, killing connection
W (35087) security2: Invalid state of session 0 (expected 2). Restarting session.
E (35097) security2: Closing old session with id 1
I (35097) security2: Using salt and verifier to generate public key...
I (35727) app: Secured session established!
I (40967) proto_network_scan: Heap before: 196212 after: 196260 delta: 48
I (41137) proto_network_scan: Heap before: 196240 after: 196272 delta: 32
E (41337) proto_network_scan: Failed to allocate memory for scan result entry SSID
E (41337) proto_network_scan: Error executing command handler
E (41337) proto_network_scan: Command dispatcher error -1
E (41337) proto_network_scan: Unsupported response type in cleanup_handler
I (41347) proto_network_scan: Heap before: 196232 after: 196172 delta: -60
E (41357) protocomm: Request handler for prov-scan failed
E (41357) protocomm_nimble: Invalid content received, killing connection

With current branch

  1. First session: Heap before: 196352 after: 196408 delta: 56
  2. Second: Heap before: 196348 after: 196404 delta: 56
  3. Third: Heap before: 196464 after: 196524 delta: 60
Complete Logs

I (16197) app: Secured session established!
I (21437) proto_network_scan: Heap before: 197220 after: 196456 delta: -764
I (21607) proto_network_scan: Heap before: 196380 after: 196412 delta: 32
E (21807) proto_network_scan: Failed to allocate memory for scan result entry SSID
E (21807) proto_network_scan: Error executing command handler
E (21807) proto_network_scan: Command dispatcher error -1
I (21807) proto_network_scan: Heap before: 196352 after: 196408 delta: 56
E (21817) protocomm: Request handler for prov-scan failed
E (21827) protocomm_nimble: Invalid content received, killing connection
W (28387) security2: Invalid state of session 0 (expected 2). Restarting session.
E (28387) security2: Closing old session with id 1
I (28387) security2: Using salt and verifier to generate public key...
I (29067) app: Secured session established!
I (34307) proto_network_scan: Heap before: 196352 after: 196384 delta: 32
I (34477) proto_network_scan: Heap before: 196348 after: 196392 delta: 44
E (34677) proto_network_scan: Failed to allocate memory for scan result entry SSID
E (34677) proto_network_scan: Error executing command handler
E (34677) proto_network_scan: Command dispatcher error -1
I (34677) proto_network_scan: Heap before: 196348 after: 196404 delta: 56
E (34687) protocomm: Request handler for prov-scan failed
E (34697) protocomm_nimble: Invalid content received, killing connection
W (45887) security2: Invalid state of session 0 (expected 2). Restarting session.
E (45887) security2: Closing old session with id 1
I (45887) security2: Using salt and verifier to generate public key...
I (46517) app: Secured session established!
I (51807) proto_network_scan: Heap before: 196360 after: 196508 delta: 148
I (51977) proto_network_scan: Heap before: 196464 after: 196508 delta: 44
E (52177) proto_network_scan: Failed to allocate memory for scan result entry SSID
E (52177) proto_network_scan: Error executing command handler
E (52177) proto_network_scan: Command dispatcher error -1
I (52177) proto_network_scan: Heap before: 196464 after: 196524 delta: 60
E (52187) protocomm: Request handler for prov-scan failed
E (52197) protocomm_nimble: Invalid content received, killing connection

Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from 156da7f to f6e20a1 Compare March 26, 2026 10:50
@Ashish285 Ashish285 requested a review from Copilot March 26, 2026 10:50
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from f6e20a1 to be42203 Compare March 27, 2026 02:15
@Ashish285 Ashish285 requested a review from Copilot March 27, 2026 02:15
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

network_provisioning/src/network_config.c:445

  • In the Thread status cleanup path, ThreadAttachState.ext_pan_id.data is allocated in cmd_get_status_handler when attached, but it is never freed here. This will leak memory each time an attached Thread status response is built/cleaned up. Free thread_attached->ext_pan_id.data (when non-NULL) before freeing thread_attached itself.
        if (!resp->resp_get_thread_status) {
            break;
        }
#ifdef CONFIG_NETWORK_PROV_NETWORK_TYPE_THREAD
        switch (resp->resp_get_thread_status->thread_state) {
        case THREAD_NETWORK_STATE__Attaching:
            break;
        case THREAD_NETWORK_STATE__Attached:
            if (resp->resp_get_thread_status->thread_attached) {
                if (resp->resp_get_thread_status->thread_attached->name) {
                    free(resp->resp_get_thread_status->thread_attached->name);
                }
                free(resp->resp_get_thread_status->thread_attached);
            }

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Harshal5
Harshal5 approved these changes Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@Harshal5 Harshal5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!!

@mahavirj mahavirj requested review from chshu and wqx6 March 30, 2026 06:13
@mahavirj
Copy link
Copy Markdown
Member

mahavirj commented Mar 30, 2026

@wqx6 PTAL

@mahavirj
Copy link
Copy Markdown
Member

mahavirj commented Mar 30, 2026

@Ashish285 Please add change-log entry, bump component version

@Ashish285 Ashish285 force-pushed the fix/fix_network_provisioning_possible_null_dereference branch from be42203 to 18ff4af Compare April 2, 2026 03:16
@Ashish285 Ashish285 requested a review from Copilot April 2, 2026 03:16
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mahavirj mahavirj merged commit 6e3f923 into espressif:master Apr 14, 2026
89 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mahavirj mahavirj mahavirj approved these changes

@chshu chshu chshu approved these changes

+3 more reviewers

@AdityaHPatwardhan AdityaHPatwardhan AdityaHPatwardhan left review comments

@wqx6 wqx6 wqx6 approved these changes

@Harshal5 Harshal5 Harshal5 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@Ashish285 @AdityaHPatwardhan @mahavirj @chshu @wqx6 @Harshal5