Out-of-bound memory read on ESP32, ESP32S2 and ESP32S3 in WiFi driver (IDFGH-17466)

[vvb333007]

Answers checklist.

• I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• I have searched the issue tracker for a similar issue and not found a similar issue.

IDF version.

5.x and up

Espressif SoC revision.

ESP32-S3

Operating System used.

Windows

How did you build your project?

Command line with Make

If you are using Windows, please specify command line type.

None

Development Kit.

Generic ESP32-S3 Dev Kit

Power Supply used.

USB

What is the expected behavior?

I expect it to use strlcpy instead of memcpy

What is the actual behavior?

Good day,

There is code in the WiFi implementation of the ESP32-S3 (and, I suspect, in the WiFi code of other Espressif processors as well) that reads uninitialized memory.

The circumstances are such that this does not currently lead to any serious consequences, but it is still not a good practice and may become problematic in other environments.

int wifi_nvs_cfg_item_init(const char *key_name, uint8_t key_index, ..... /* more args, unimportant for the bug */) {

    wifi_nvs_key_t *k;

    if (key_index < WIFI_NVS_KEY_INDEX_MAX) {
        if (min <= max) {
            k = &g_wifi_nvs_cfg[key_index];

            memcpy(k->name, key_name, 0x20);

            k->index = key_index;
            k->def_val = def_val;
            k->data_type = data_type;
            ...
            ...
            ...

Please note the memcpy() call: the key_name (an ASCIIZ string) is copied into a structure field.
The destination field itself is fine and has sufficient space allocated.

However, the calls to wifi_nvs_cfg_item_init() raise concerns:

err = wifi_nvs_cfg_item_init("opmode", WIFI_NVS_KEY_OPMODE, 0, 1, 0, 4, 1, &s_wifi_nvs);
err = wifi_nvs_cfg_item_init("sta.ssid", ...);
err = wifi_nvs_cfg_item_init("sta.authmode", ...);

And so on - this pattern appears throughout net80211/ieee80211_nvs.c during WiFi startup sequence.

The issue is that memcpy(..., key_name, 0x20) always copies 32 bytes from key_name, while the provided string literals are significantly shorter. As a result, the code reads bytes past the terminating null character, effectively accessing unrelated adjacent memory contents.

It is fortunate that on the ESP32-S3 there is, by default, no strict memory protection or memory separation, so this does not immediately cause crashes or faults.

Nevertheless, this is still incorrect behavior and should ideally be replaced with a bounded string copy or a copy length based on strlen(key_name) + 1.

Steps to reproduce.

No steps to reproduce since no side effects.

Debug Logs.

Diagnostic report archive.

No response

More Information.

No response

[MayureshKodape]

I looked into this issue further and wanted to share my findings.
The root cause is clear — memcpy(k->name, key_name, 0x20) always reads exactly 32 bytes regardless of the actual string length. For short strings like "opmode" (6 chars) or "sta.ssid" (8 chars), this reads 25+ bytes of unrelated memory past the null terminator.
The fix would be straightforward — replacing memcpy with strlcpy:
strlcpy(k->name, key_name, sizeof(k->name));