From f40e875eceb5d121a712edda8808bfa162e547cf Mon Sep 17 00:00:00 2001
From: Kapil Gupta
Date: Fri, 14 Feb 2025 13:00:51 +0530
Subject: [PATCH] fix(esp_wifi): Fix stack curruption in btm task (v5.2)
---
 .../esp_supplicant/src/esp_common.c | 23 ++++++-------------
 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_common.c b/components/wpa_supplicant/esp_supplicant/src/esp_common.c
index 5c84511d87cf..e3990293a15d 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_common.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_common.c
@@ -116,7 +116,7 @@ static int mgmt_rx_action(u8 *frame, size_t len, u8 *sender, int8_t rssi, u8 cha
 #ifdef CONFIG_SUPPLICANT_TASK
 static void btm_rrm_task(void *pvParameters)
 {
-    supplicant_event_t *evt;
+    supplicant_event_t evt;
     bool task_del = false;
 
     while(1) {
@@ -124,15 +124,14 @@ static void btm_rrm_task(void *pvParameters)
             continue;
 
         /* event validation failed */
-        if (evt->id >= SIG_SUPPLICANT_MAX) {
-            os_free(evt);
+        if (evt.id >= SIG_SUPPLICANT_MAX) {
             continue;
         }
 
-        switch (evt->id) {
+        switch (evt.id) {
         case SIG_SUPPLICANT_RX_ACTION:
         {
-            struct ieee_mgmt_frame *frm = (struct ieee_mgmt_frame *)evt->data;
+            struct ieee_mgmt_frame *frm = (struct ieee_mgmt_frame *)evt.data;
             mgmt_rx_action(frm->payload, frm->len, frm->sender, frm->rssi, frm->channel);
             os_free(frm);
             break;
@@ -148,8 +147,6 @@ static void btm_rrm_task(void *pvParameters)
             break;
         }
 
-        os_free(evt);
-
         if (task_del)
             break;
     }
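Review bot: The cast `(struct ieee_mgmt_frame *)evt.data` on the new side of the second hunk turns an integer field back into a heap pointer; from the `esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)` signature later in the patch, that field is fed a `uint32_t`, so the round-trip is only well-defined on a 32-bit target and would truncate the pointer on any 64-bit build of this file. Declaring the field as `uintptr_t` (or `void *`) and casting through `uintptr_t` at the post site would keep the call shape while making the pointer round-trip portable. The `supplicant_event_t` definition and the `os_queue_recv` that fills `evt` are not in the patch, and btm_rrm_task's body continues outside the hunk.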
@@ -816,13 +813,9 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s,
 #ifdef CONFIG_SUPPLICANT_TASK
 int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
 {
-    supplicant_event_t *evt = os_zalloc(sizeof(supplicant_event_t));
-    if (!evt) {
-        wpa_printf(MSG_ERROR, "Failed to allocated memory");
-        return -1;
-    }
-    evt->id = evt_id;
-    evt->data = data;
+    supplicant_event_t evt;
+    evt.id = evt_id;
+    evt.data = data;
 
     /* Make sure lock exists before taking it */
     SUPPLICANT_API_LOCK();
@@ -830,13 +823,11 @@ int esp_supplicant_post_evt(uint32_t evt_id, uint32_t data)
     /* Make sure no event can be sent when deletion event is sent or task not initialized */
     if (!s_supplicant_task_init_done) {
         SUPPLICANT_API_UNLOCK();
-        os_free(evt);
         return -1;
     }
 
     if (os_queue_send(s_supplicant_evt_queue, &evt, os_task_ms_to_tick(10)) != TRUE) {
         SUPPLICANT_API_UNLOCK();
-        os_free(evt);
         return -1;
     }
     if (evt_id == SIG_SUPPLICANT_DEL_TASK) {
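Review bot: The new local `evt` is only partially assigned (`evt.id`, `evt.data`), so any padding or additional members of `supplicant_event_t` — its definition is not in the patch — are left indeterminate and then copied byte-for-byte into the queue by `os_queue_send`, whereas the removed `os_zalloc` zero-filled the whole object. `supplicant_event_t evt = { .id = evt_id, .data = data };` restores the zero-fill at no cost and reads as one declaration. This fix also relies on `s_supplicant_evt_queue` having been created with item size `sizeof(supplicant_event_t)`; the creation is outside the patch and is worth confirming, since a mismatched item size is presumably how the previous pointer-sized local got overrun.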
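Review bot: The two `return -1` paths now drop the event silently, but for `SIG_SUPPLICANT_RX_ACTION` the `data` value carries a heap `struct ieee_mgmt_frame *` that the consumer task frees with `os_free(frm)` after processing; when posting fails the caller must free that frame itself, and nothing in this function says so. A contract comment above `esp_supplicant_post_evt`, e.g. `/* On failure (-1) the caller retains ownership of any buffer referenced by data. */`, would make that explicit. Whether the RX_ACTION caller actually frees on -1 is outside the patch, and the function body continues past the hunk.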