STMicroelectronics/STM32CubeL4

B-L475E-IOT01A1 WiFi

shijiameng opened this issue · 2 comments

Caution
The Issues are strictly limited to the reporting of problems encountered with the software provided in this project.
For any other problem related to the STM32 product, the performance, the hardware characteristics and boards, the tools, the environment in general, please post a topic in the ST Community/STM32 MCUs forum.

Describe the set-up

  • B-L475E-IOT01A1
  • STM32CubeIDE

Describe the bug
In es_wifi_io.c, the absence of a bound check at line 213, in function SPI_WIFI_ResetModule, might cause a stack buffer overflow:

    while (WIFI_IS_CMDDATA_READY())
    {
      Status = HAL_SPI_Receive(&hspi , &Prompt[count], 1, 0xFFFF);
      count += 2;
      if (((HAL_GetTick() - tickstart) > 0xFFFF) || (Status != HAL_OK))
      {
        WIFI_DISABLE_NSS();
        return -1;
      }
    }

How To Reproduce

  • Hardware preparation: a wifi access point, set its SSID and password as LI_H3C and 1qaz2wsx

  • Target application: WiFi_Client_Server

  • Download reproduce.zip, uncompress it and apply the patch. This patch includes the use case injection.

  • Compile WiFi_Client_Server and run it with debugger. The program would halt at breakpoint __BKPT(0x10) if the buffer overflow arises.

Additional context
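Added example, not part of the original report and not ST's code: the same loop shape with the write index checked against the buffer size before each receive, run against a constructed mock module and a guard region. The names `mock_module`, `read_prompt_bounded` and `run_with_guard`, the buffer size of 6, and the two-bytes-per-transfer behaviour (inferred from `count += 2`) are assumptions; the tick timeout from the original loop is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROMPT_LEN 6u /* assumed size; the report does not give it */

/* Constructed stand-in for the module: data-ready stays asserted for
   `pending` transfers, regardless of the caller's buffer size. */
typedef struct { size_t pending; } mock_module;

static int mock_data_ready(const mock_module *m) { return m->pending > 0; }

/* Writes one 16-bit word (two filler bytes); returns 0 in place of HAL_OK. */
static int mock_receive_word(mock_module *m, uint8_t *dst)
{
    dst[0] = 0x3E; dst[1] = 0x3E;
    m->pending--;
    return 0;
}

/* Reported loop shape with the bound check added. Returns bytes stored,
   or -1 on a transfer error or if the module offers more than fits. */
int read_prompt_bounded(mock_module *m, uint8_t *prompt, size_t len)
{
    size_t count = 0;
    while (mock_data_ready(m)) {
        if (len - count < 2) /* next word would not fit: stop before writing */
            return -1;
        if (mock_receive_word(m, &prompt[count]) != 0)
            return -1;
        count += 2;
    }
    return (int)count;
}

/* Runs the loop next to a guard region; returns the loop's result, or -2
   if any guard byte changed (a write past the buffer). */
int run_with_guard(size_t words_offered)
{
    struct { uint8_t prompt[PROMPT_LEN]; uint8_t guard[8]; } frame;
    mock_module m = { words_offered };
    memset(&frame, 0xA5, sizeof frame);
    int rc = read_prompt_bounded(&m, frame.prompt, sizeof frame.prompt);
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0xA5) return -2;
    return rc;
}

int main(void) { return run_with_guard(100) == -1 ? 0 : 1; }
```

The number of loop iterations is decided by the peripheral's ready line, so the bound has to come from the buffer, not from the expected prompt length.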

Hello @shijiameng,

Thank you for this report. We will get back to you as soon as we analyze it further. This may take some time. Thank you for your comprehension.

With regards,

ST Internal Reference: 158543