[nrf noup] zephyr: Don't use heap for control interface

Relying on heap during OOM is bad, esp. for critical module like WPA
supplicant, this can break the Wi-Fi.

As the WPA supplicant stack is large enough and we have reduced the
control interface sizes, move the buffers for control interface to
stack or use static variable.

The static variable is used to keep the changes to the common code of
the WPA supplicant to a minimum compared to using stack.

Fixes SHEL-2283.

Signed-off-by: Chaitanya Tata <[email protected]>

wpa_supplicant/ctrl_iface.c

@@ -11453,10 +11453,12 @@ static int wpas_ctrl_iface_send_dscp_query(struct wpa_supplicant *wpa_s,
 char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
 					 char *buf, size_t *resp_len)
 {
-	char *reply;
-	const int reply_size = 1024;
+	static char reply[1024];
+	const int reply_size = sizeof(reply);
 	int reply_len;
 
+	os_memset(reply, 0, reply_size);
+
 	if (os_strncmp(buf, WPA_CTRL_RSP, os_strlen(WPA_CTRL_RSP)) == 0 ||
 	    os_strncmp(buf, "SET_NETWORK ", 12) == 0 ||
 	    os_strncmp(buf, "PMKSA_ADD ", 10) == 0 ||
@@ -11480,14 +11482,6 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
 		wpa_dbg(wpa_s, wpas_ctrl_cmd_debug_level(buf), "Control interface command '%s'", buf);
 	}
 
-	reply = os_malloc(reply_size);
-	if (reply == NULL) {
-		wpa_printf(MSG_ERROR, "ctrl_iface: reply malloc of %d failed",
-			reply_size);
-		*resp_len = 1;
-		return NULL;
-	}
-
 	os_memcpy(reply, "OK\n", 3);
 	reply_len = 3;
 
@@ -13009,10 +13003,13 @@ static int wpas_global_ctrl_iface_fst_detach(struct wpa_global *global,
 char * wpa_supplicant_global_ctrl_iface_process(struct wpa_global *global,
 						char *buf, size_t *resp_len)
 {
-	char *reply;
-	const int reply_size = 2048;
+	static char reply[2048];
+	const int reply_size = sizeof(reply);
 	int reply_len;
 	int level = MSG_DEBUG;
+	char *reply_redir;
+
+	os_memset(reply, 0, reply_size);
 
 	if (os_strncmp(buf, "IFNAME=", 7) == 0) {
 		char *pos = os_strchr(buf + 7, ' ');
@@ -13024,21 +13021,15 @@ char * wpa_supplicant_global_ctrl_iface_process(struct wpa_global *global,
 		}
 	}
 
-	reply = wpas_global_ctrl_iface_redir(global, buf, resp_len);
-	if (reply)
-		return reply;
+	reply_redir = wpas_global_ctrl_iface_redir(global, buf, resp_len);
+	if (reply_redir)
+		return reply_redir;
 
 	if (os_strcmp(buf, "PING") == 0)
 		level = MSG_EXCESSIVE;
 	wpa_hexdump_ascii(level, "RX global ctrl_iface",
 			  (const u8 *) buf, os_strlen(buf));
 
-	reply = os_malloc(reply_size);
-	if (reply == NULL) {
-		*resp_len = 1;
-		return NULL;
-	}
-
 	os_memcpy(reply, "OK\n", 3);
 	reply_len = 3;
 

wpa_supplicant/ctrl_iface_zephyr.c

@@ -120,44 +120,28 @@ static void wpa_supplicant_ctrl_iface_receive(int sock, void *eloop_ctx,
 					      void *sock_ctx)
 {
 	struct wpa_supplicant *wpa_s = eloop_ctx;
-	char *buf, *pos;
+	char buf[CTRL_IFACE_MAX_LEN + 1];
+	char *pos;
 	int res;
 	char *reply = NULL;
 	size_t reply_len = 0;
 
-	buf = os_zalloc(CTRL_IFACE_MAX_LEN + 1);
-	if (!buf) {
-		/* Do a dummy read to drain the data from the socket */
-		static unsigned char dummy[512];
-
-		/* This is expected in OOM conditions, so, do not spam the log */
-		wpa_printf(MSG_DEBUG, "Failed to allocate memory for ctrl_iface receive buffer");
-
-		do {
-			res = recv(sock, dummy, sizeof(dummy),
-				   MSG_TRUNC | MSG_DONTWAIT);
-		} while (res > 0);
-		return;
-	}
-
 	res = recv(sock, buf, CTRL_IFACE_MAX_LEN, 0);
 	if (res < 0) {
 		wpa_printf(MSG_ERROR, "recvfrom(ctrl_iface): %s",
 			   strerror(errno));
-		os_free(buf);
 		return;
 	}
+
 	if (!res) {
 		eloop_unregister_sock(sock, EVENT_TYPE_READ);
 		wpa_printf(MSG_DEBUG, "ctrl_iface: Peer unexpectedly shut down "
 			   "socket");
-		os_free(buf);
 		return;
 	}
 
 	if ((size_t) res > CTRL_IFACE_MAX_LEN) {
 		wpa_printf(MSG_ERROR, "recvform(ctrl_iface): input truncated");
-		os_free(buf);
 		return;
 	}
 	buf[res] = '\0';
@@ -189,14 +173,11 @@ static void wpa_supplicant_ctrl_iface_receive(int sock, void *eloop_ctx,
 
 	if (reply) {
 		send(sock, reply, reply_len, 0);
-		os_free(reply);
 	} else if (reply_len == 1) {
 		send(sock, "FAIL\n", 5, 0);
 	} else if (reply_len == 2) {
 		send(sock, "OK\n", 3, 0);
 	}
-
-	os_free(buf);
 }
 
 
@@ -271,44 +252,28 @@ static void wpa_supplicant_global_ctrl_iface_receive(int sock, void *eloop_ctx,
 					      void *sock_ctx)
 {
 	struct wpa_global *global = eloop_ctx;
-	char *buf, *pos;
+	char buf[CTRL_IFACE_MAX_LEN + 1];
+	char *pos;
 	int res;
 	char *reply = NULL;
 	size_t reply_len = 0;
 
-	buf = os_zalloc(CTRL_IFACE_MAX_LEN + 1);
-	if (!buf) {
-		/* Do a dummy read to drain the data from the socket */
-		static unsigned char dummy[512];
-
-		/* This is expected in OOM conditions, so, do not spam the log */
-		wpa_printf(MSG_DEBUG, "Failed to allocate memory for g_ctrl_iface receive buffer");
-
-		do {
-			res = recv(sock, dummy, sizeof(dummy),
-				   MSG_TRUNC | MSG_DONTWAIT);
-		} while (res > 0);
-		return;
-	}
 	res = recv(sock, buf, CTRL_IFACE_MAX_LEN, 0);
 	if (res < 0) {
 		wpa_printf(MSG_ERROR, "recvfrom(g_ctrl_iface): %s",
 			   strerror(errno));
-		os_free(buf);
 		return;
 	}
 
 	if (!res) {
 		eloop_unregister_sock(sock, EVENT_TYPE_READ);
 		wpa_printf(MSG_DEBUG, "g_ctrl_iface: Peer unexpectedly shut down "
 			   "socket");
-		os_free(buf);
 		return;
 	}
 
 	if ((size_t) res > CTRL_IFACE_MAX_LEN) {
 		wpa_printf(MSG_ERROR, "recvform(g_ctrl_iface): input truncated");
-		os_free(buf);
 		return;
 	}
 	buf[res] = '\0';
@@ -340,14 +305,11 @@ static void wpa_supplicant_global_ctrl_iface_receive(int sock, void *eloop_ctx,
 
 	if (reply) {
 		send(sock, reply, reply_len, 0);
-		os_free(reply);
 	} else if (reply_len == 1) {
 		send(sock, "FAIL\n", 5, 0);
 	} else if (reply_len == 2) {
 		send(sock, "OK\n", 3, 0);
 	}
-
-	os_free(buf);
 }
 struct ctrl_iface_global_priv *
 wpa_supplicant_global_ctrl_iface_init(struct wpa_global *global)