fix: Enable stack canaries, heap poisoning, WDT panic; remove dead code

- CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y (buffer overflow detection)
- CONFIG_HEAP_POISONING_LIGHT=y (use-after-free/corruption detection)
- CONFIG_ESP_TASK_WDT_PANIC=y (auto-reboot on hung task)
- Remove unused #include "esp_now.h" (CVE-2025-52471 mitigation)
- Replace hardcoded default IP 192.168.129.11 with 0.0.0.0 in Kconfig
user
2026-02-14 22:16:13 +01:00
parent 31724df63f
commit 0bcb5ddf0c
7 changed files with 27 additions and 14 deletions


@@ -167,8 +167,11 @@ Note: Promiscuous mode (probe/deauth capture) disabled on original ESP32 — bre
- [x] Serial console AUTH management
- [x] Auto-generated auth secret on first boot
- [x] Pentest completed: 50+ tests, all network-facing tests PASS
- [ ] Enable stack canaries (`CONFIG_COMPILER_STACK_CHECK_MODE_NORM`)
- [ ] Enable heap poisoning (`CONFIG_HEAP_POISONING_LIGHT`)
- [x] Enable stack canaries (`CONFIG_COMPILER_STACK_CHECK_MODE_NORM`)
- [x] Enable heap poisoning (`CONFIG_HEAP_POISONING_LIGHT`)
- [x] Enable WDT panic (`CONFIG_ESP_TASK_WDT_PANIC`)
- [x] Remove unused `#include "esp_now.h"` (CVE-2025-52471 mitigation)
- [x] Remove hardcoded default IP from Kconfig (use TARGET command)
- [ ] Multi-target (send data to 2+ UDP destinations)
## Web Backend (`~/git/esp32-web/`)


@@ -51,8 +51,11 @@ Tracked separately in `~/git/esp32-web/TASKS.md`. Currently at v0.1.5.
### P1 - High
- [x] Test OTA rollback — crasher firmware flashed to amber-maple, bootloader rolled back to v1.11.0 (2026-02-14)
- [ ] Enable stack canaries: `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y`
- [ ] Enable heap poisoning: `CONFIG_HEAP_POISONING_LIGHT=y`
- [x] Enable stack canaries: `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y` (2026-02-14)
- [x] Enable heap poisoning: `CONFIG_HEAP_POISONING_LIGHT=y` (2026-02-14)
- [x] Enable WDT panic: `CONFIG_ESP_TASK_WDT_PANIC=y` (2026-02-14)
- [x] Remove unused `#include "esp_now.h"` (2026-02-14)
- [x] Remove hardcoded default IP from Kconfig (2026-02-14)
### P2 - Normal
- [ ] Tune presence threshold per room with real-world testing

TODO.md

@@ -3,11 +3,11 @@
## Firmware
### Security (from pentest findings)
- [ ] Enable `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y` (stack canaries)
- [ ] Enable `CONFIG_HEAP_POISONING_LIGHT=y` (heap corruption detection)
- [ ] Enable `CONFIG_ESP_TASK_WDT_PANIC=y` (WDT auto-recovery)
- [ ] Remove unused `#include "esp_now.h"` from app_main.c
- [ ] Remove hardcoded default IP `192.168.129.11` from binary
- [x] Enable `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y` (stack canaries)
- [x] Enable `CONFIG_HEAP_POISONING_LIGHT=y` (heap corruption detection)
- [x] Enable `CONFIG_ESP_TASK_WDT_PANIC=y` (WDT auto-recovery)
- [x] Remove unused `#include "esp_now.h"` from app_main.c
- [x] Remove hardcoded default IP `192.168.129.11` from binary
- [ ] Flash encryption planning (irreversible eFuse burn)
- [ ] Secure Boot V2 planning (irreversible eFuse burn)
- [ ] DTLS for UDP command channel (stretch goal)


@@ -2,9 +2,10 @@ menu "CSI UDP Configuration"
config CSI_UDP_TARGET_IP
string "UDP target IP address"
default "192.168.129.11"
default "0.0.0.0"
help
IP address of the host receiving CSI data (e.g., Raspberry Pi).
Set to 0.0.0.0 to disable sending until configured via TARGET command.
config CSI_UDP_TARGET_PORT
int "UDP target port"


@@ -28,7 +28,6 @@
#include "esp_log.h"
#include "esp_wifi.h"
#include "esp_netif.h"
#include "esp_now.h"
#include "esp_timer.h"
#include "esp_task_wdt.h"
#include "esp_pm.h"
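Review bot: Dropping `#include "esp_now.h"` from the include list removes only declarations. Because the header was unused, the compiled output should be unchanged, so calling this a CVE-2025-52471 mitigation in the commit message and checklists overstates what the line does. Suggest describing it as dead-code cleanup and, if the CVE matters for this firmware, recording separately how exposure was ruled out (for example, that ESP-NOW is never initialised, or that the SDK version in use carries the fix).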
@@ -819,8 +818,12 @@ static void udp_socket_init(void)
s_dest_addr.sin_port = htons(s_target_port);
inet_pton(AF_INET, s_target_ip, &s_dest_addr.sin_addr);
ESP_LOGI(TAG, "UDP socket initialized, sending to %s:%d",
s_target_ip, s_target_port);
if (strcmp(s_target_ip, "0.0.0.0") == 0) {
ESP_LOGW(TAG, "No UDP target configured — use TARGET command to set destination");
} else {
ESP_LOGI(TAG, "UDP socket initialized, sending to %s:%d",
s_target_ip, s_target_port);
}
}
/* --- Ping --- */
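Review bot: In `udp_socket_init`, the new `strcmp(s_target_ip, "0.0.0.0") == 0` branch only changes what is logged. `s_dest_addr` is still filled in by `inet_pton` just above it and nothing in this hunk stops later sends, while the Kconfig help text now says 0.0.0.0 disables sending. Suggest recording the unconfigured state in a flag that the send path checks, and deriving it from the parsed address (`s_dest_addr.sin_addr.s_addr == 0`) rather than from the string. The return value of `inet_pton` is also ignored here, so a malformed target string goes unnoticed; treat any result other than 1 as unconfigured and log it.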


@@ -14,6 +14,7 @@ CONFIG_ESP_CONSOLE_UART_NUM=0
CONFIG_CONSOLE_UART_BAUDRATE=921600
CONFIG_ESP_TASK_WDT_TIMEOUT_S=30
CONFIG_ESP_TASK_WDT_PANIC=y
CONFIG_ESPTOOLPY_MONITOR_BAUD_921600B=y
CONFIG_ESPTOOLPY_MONITOR_BAUD=921600
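Review bot: `CONFIG_ESP_TASK_WDT_PANIC=y` routes a task watchdog timeout into the panic handler, but the auto-reboot promised in the commit message depends on the panic handler's configured behaviour, which this hunk does not set. Suggest pinning it in the same file (for example `CONFIG_ESP_SYSTEM_PANIC_PRINT_REBOOT=y`) so recovery does not rely on a default. With `CONFIG_ESP_TASK_WDT_TIMEOUT_S=30` a hung task can also stall the device for up to 30 seconds before the reset, which is worth stating in the task notes.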
@@ -30,6 +31,8 @@ CONFIG_ESP32_WIFI_AMPDU_RX_ENABLED=
# Compiler options (size optimization saves ~75 KB)
#
CONFIG_COMPILER_OPTIMIZATION_SIZE=y
CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y
CONFIG_HEAP_POISONING_LIGHT=y
#
# FreeRTOS
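Review bot: `CONFIG_COMPILER_STACK_CHECK_MODE_NORM=y` selects `-fstack-protector`, which instruments only functions that use `alloca` or hold buffers larger than 8 bytes, so the "buffer overflow detection" in the commit message covers a subset of functions. Consider `CONFIG_COMPILER_STACK_CHECK_MODE_STRONG` if the size budget allows, or note the limit in the checklist. As a style point, `CONFIG_HEAP_POISONING_LIGHT=y` is a heap setting placed under the `# Compiler options` banner; give it its own section so the file stays easy to scan.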


@@ -435,7 +435,7 @@ CONFIG_PARTITION_TABLE_MD5=y
#
# CSI UDP Configuration
#
CONFIG_CSI_UDP_TARGET_IP="192.168.129.11"
CONFIG_CSI_UDP_TARGET_IP="0.0.0.0"
CONFIG_CSI_UDP_TARGET_PORT=5500
CONFIG_CSI_CMD_PORT=5501
CONFIG_CSI_HOSTNAME="your-hostname"
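Review bot: This file's only hunk changes `CONFIG_CSI_UDP_TARGET_IP`; none of the three options enabled in the other config file (`CONFIG_ESP_TASK_WDT_PANIC`, `CONFIG_COMPILER_STACK_CHECK_MODE_NORM`, `CONFIG_HEAP_POISONING_LIGHT`) appears here. If this is a checked-in generated sdkconfig, values already present in it take precedence over the defaults file, so the hardening options may not reach the build. Regenerate this file, or confirm the three symbols are set in the built configuration, before ticking the checklist items.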