- `bootloader_flash_execute_command_common`: whitelist the flash command
opcodes the REE actually uses; reject the rest
- `spi_flash_hal_* services`: a forged `host->driver` could hijack TEE
control flow since the HAL dispatches through it, so swap
`host->driver` to a TEE-rodata vtable around each HAL call
- Deny partition table and bootloader writes by default and permit
bootloader writes only when explicitly enabled via
`CONFIG_SPI_FLASH_DANGEROUS_WRITE_ALLOWED` option
- Protect the TEE-assigned interrupt pin configuration against REE
- Validate nested DS context pointers in start/finish_sign and bound
the result copy to the SoC max signature size
- Fix the stack usage in service dispatcher argument parsing
- Forbid TKIP cipher suites for WPA3-Enterprise scan results
- Use reason 210 (NO_AP_FOUND_W_COMPATIBLE_SECURITY) when an AP is
found during a connecting scan but filtered out for incompatible
security
- Stop NAN timers from re-arming after esp_wifi_stop
httpd_stop() and httpd_req_async_handler_complete() both pushed
messages onto the control mbox via cs_send_to_ctrl_sock() without
reserving a slot in ctrl_sock_semaphore. Once the silent-drop fix
made the semaphore unconditional, the bypass became a real bug:
when the mbox is saturated by pending httpd_queue_work() items the
unguarded sendto() can return ENOBUFS, and even when it succeeds it
leaves the semaphore overstating free slots until the consumer
drains the message — a window during which a concurrent
httpd_queue_work() can take a slot but still find the mbox full.
Acquire the semaphore (portMAX_DELAY) before both sends and give it
back on send failure so the take/give invariant is preserved. The
httpd task is the consumer in both paths, so blocking is bounded
and deadlock-free. Reword the stale "no-op give on full" comment in
httpd_process_ctrl_msg() to reflect that only the recv-error path
relies on the cap behavior now.
The console transport read loop passed &linebuf[i] to uart_read_bytes()
before checking i < LINE_BUF_SIZE, so a line of LINE_BUF_SIZE or more
bytes without a terminator wrote one byte past the 256-byte linebuf
stack array.
Gate the read on the bounds check and reserve the final byte for the NUL
terminator (LINE_BUF_SIZE - 1), so the buffer handed to esp_console_run()
stays terminated even when an overlong line is truncated.
Closes https://github.com/espressif/esp-idf/issues/18638
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The addend in `emac_hal_ptp_start()` was derived from the floating-point
`config->ptp_req_accuracy_ns` instead of the integer `base_increment`
register that actually drives the sub-second update. The cast to
`uint8_t` loses the fractional part, so the un-corrected addend leaves
the PTP clock running off-rate.
Example: with a 40 MHz XTAL and the default `req_accuracy_ns = 40`,
`base_increment` rounds 85.899 up to 86, leaving the clock +1170 ppm
fast — well outside the IEEE 802.1AS neighborRateRatio limit (~±200
ppm), so strict-1AS bridges refuse asCapable.
Compute the addend from the stored `base_increment` for both rollover
modes: `addend = 2^32 * clk_period_ns / increment_ns`.
Measured on ESP32-P4: neighborRateRatio drops from +1147.5 ppm to
+4.2 ppm, and asCapable is granted.
Co-authored-by: Ondrej Kosta <panzer412@gmail.com>